Governance Policies Azure Compute Virtual Machines - Azure/az-prototype GitHub Wiki
# Governance policies for Virtual Machines

Domain: azure-compute
| Name | Description |
|---|---|
| Production VM with full security baseline | Linux VM with Trusted Launch, CMK encryption, managed identity, and monitoring |
| Anti-pattern | Instead |
|---|---|
| Do not use password authentication for Linux VMs | Use SSH key authentication with `disablePasswordAuthentication: true` in `osProfile.linuxConfiguration` |
| Do not assign public IPs directly to VMs | Use Azure Bastion for management and internal load balancers for application access |
| Do not deploy VMs without encryption at host | Set `encryptionAtHost: true` in `securityProfile` (requires the `Microsoft.Compute/EncryptionAtHost` subscription feature and a VM size that supports it) |
| Check | Severity | Description |
|---|---|---|
| AZ-VM-001 | Required | Deploy VMs with managed identity, SSH key auth (Linux), and no public IP |
| AZ-VM-002 | Required | Enable Trusted Launch with Secure Boot and vTPM |
| AZ-VM-003 | Required | Enable encryption at host and use Disk Encryption Sets for CMK |
| AZ-VM-004 | Recommended | Install Azure Monitor Agent and configure data collection rules |
| AZ-VM-005 | Recommended | Enable automatic OS patching with AutomaticByPlatform mode |
## AZ-VM-001: Deploy VMs with managed identity, SSH key auth (Linux), and no public IP

Severity: Required

Rationale: A managed identity removes stored credentials from the VM for Azure API access; SSH keys with `disablePasswordAuthentication: true` take password guessing and brute force off the table because sshd accepts keys only; no public IP keeps the VM off the internet-facing attack surface, with operator access going through Bastion instead.

Agents: terraform-agent, bicep-agent, cloud-architect

Resource types:

- Microsoft.Compute/virtualMachines
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/networkInterfaces | nic-vm | Network interface with NSG association and no public IP |
| Microsoft.Compute/diskEncryptionSets | des-cmk | Disk Encryption Set with customer-managed key for OS and data disks |
| Microsoft.Network/bastionHosts | bas-mgmt | Bastion host for secure remote VM access without public IPs |
| Microsoft.Insights/diagnosticSettings | diag-vm | Diagnostic settings exporting the VM's platform metrics to Log Analytics; boot diagnostics are enabled separately in the VM's own `diagnosticsProfile`, and guest OS logs come from the Azure Monitor Agent |
| Microsoft.Compute/virtualMachines/extensions | AzureMonitorLinuxAgent | Azure Monitor Agent extension for centralized log and metric collection |
## AZ-VM-002: Enable Trusted Launch with Secure Boot and vTPM

Severity: Required

Rationale: Trusted Launch defends against boot-level attacks (bootkits and kernel rootkits): Secure Boot only runs signed boot components, the vTPM records boot measurements, and measured boot makes tampering attestable. It requires a Generation 2 image and a VM size that supports Trusted Launch; set `securityType: TrustedLaunch` together with `uefiSettings.secureBootEnabled: true` and `uefiSettings.vTpmEnabled: true`, since Trusted Launch with either setting off does not deliver the protection the check is after.

Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer

Resource types:

- Microsoft.Compute/virtualMachines
## AZ-VM-003: Enable encryption at host and use Disk Encryption Sets for CMK

Severity: Required

Rationale: Encryption at host encrypts the temp disk and the OS/data disk caches on the VM host, which server-side encryption of managed disks alone does not cover; a Disk Encryption Set with a customer-managed key keeps key ownership and revocation in the customer's Key Vault. The subscription must have the `Microsoft.Compute/EncryptionAtHost` feature registered and the VM size must support it, and the Disk Encryption Set must be referenced from every disk (`managedDisk.diskEncryptionSet.id` on the OS disk and on each data disk), not only the OS disk.

Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer

Resource types:

- Microsoft.Compute/virtualMachines
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Compute/diskEncryptionSets | des-cmk | Disk Encryption Set with customer-managed key for VM disk encryption |
| Microsoft.KeyVault/vaults | kv-cmk | Key Vault storing encryption keys for Disk Encryption Set |
## AZ-VM-004: Install Azure Monitor Agent and configure data collection rules

Severity: Recommended

Rationale: Azure Monitor Agent replaces the legacy Log Analytics agent (retired on 31 August 2024) and collects only what its data collection rules specify, sending it to a Log Analytics workspace for centralized detection and audit. The extension on its own collects nothing: without a data collection rule association the VM emits no logs.

Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

Resource types:

- Microsoft.Compute/virtualMachines
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Insights/dataCollectionRules | dcr-vm-logs | Data collection rule defining which logs and metrics to collect from VMs |
| Microsoft.Insights/dataCollectionRuleAssociations | dcra-vm | Association linking the data collection rule to the VM |
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace as the destination for VM telemetry |
## AZ-VM-005: Enable automatic OS patching with AutomaticByPlatform mode

Severity: Recommended

Rationale: With `patchSettings.patchMode: AutomaticByPlatform`, the platform applies Critical and Security updates during off-peak hours without manual intervention; reboots are governed by `automaticByPlatformSettings.rebootSetting`. The VM agent must be provisioned (`provisionVMAgent: true`), and Windows additionally needs `enableAutomaticUpdates: true`.

Agents: terraform-agent, bicep-agent, cloud-architect

Resource types:

- Microsoft.Compute/virtualMachines
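The five checks above, as an added example that is not code from the az-prototype project: a Python checker that evaluates a VM resource in the JSON shape returned by `az vm show` against AZ-VM-001 to AZ-VM-005. Attached NIC resources are not inlined by `az vm show`, so they are passed in as a dict keyed by NIC id. The sample VMs and NICs are constructed; the property paths (`securityProfile.uefiSettings`, `osProfile.linuxConfiguration.patchSettings.patchMode`, extension entries under `resources`) follow the Microsoft.Compute REST schema, and `failed_required` is a hypothetical helper that separates blocking (Required) failures from Recommended ones.

```python
"""Added example (not az-prototype code): evaluate a VM resource against AZ-VM-001..005."""

SEVERITY = {"AZ-VM-001": "Required", "AZ-VM-002": "Required", "AZ-VM-003": "Required",
            "AZ-VM-004": "Recommended", "AZ-VM-005": "Recommended"}


def _get(obj, *path, default=None):
    """Walk nested dicts; return default as soon as a key is missing."""
    for key in path:
        if isinstance(obj, dict) and key in obj:
            obj = obj[key]
        else:
            return default
    return obj


def _has_public_ip(vm, nics):
    """True if any ipConfiguration on any attached NIC carries a publicIPAddress."""
    for ref in _get(vm, "properties", "networkProfile", "networkInterfaces", default=[]):
        nic = nics.get(ref.get("id", ""), {})
        for ipc in _get(nic, "properties", "ipConfigurations", default=[]):
            if _get(ipc, "properties", "publicIPAddress") is not None:
                return True
    return False


def check_vm(vm, nics):
    """Return {check_id: (passed, reasons)} for one VM resource."""
    p = vm.get("properties", {})
    sec = p.get("securityProfile", {})          # absent on Standard (non-Trusted Launch) VMs
    linux = _get(p, "osProfile", "linuxConfiguration")
    windows = _get(p, "osProfile", "windowsConfiguration")
    results = {}

    # AZ-VM-001: managed identity, key-only SSH on Linux, no public IP on any NIC
    reasons = []
    if vm.get("identity", {}).get("type", "None") == "None":
        reasons.append("no managed identity")
    if linux is not None and not linux.get("disablePasswordAuthentication"):
        reasons.append("password authentication enabled")
    if _has_public_ip(vm, nics):
        reasons.append("NIC has a public IP")
    results["AZ-VM-001"] = (not reasons, reasons)

    # AZ-VM-002: Trusted Launch is only meaningful with Secure Boot AND vTPM on
    reasons = []
    if sec.get("securityType") != "TrustedLaunch":
        reasons.append("securityType is not TrustedLaunch")
    uefi = sec.get("uefiSettings", {})
    if not uefi.get("secureBootEnabled"):
        reasons.append("secureBootEnabled is false")
    if not uefi.get("vTpmEnabled"):
        reasons.append("vTpmEnabled is false")
    results["AZ-VM-002"] = (not reasons, reasons)

    # AZ-VM-003: encryption at host plus a Disk Encryption Set on the OS disk and every data disk
    reasons = []
    if not sec.get("encryptionAtHost"):
        reasons.append("encryptionAtHost is false")
    disks = [_get(p, "storageProfile", "osDisk", default={})]
    disks += _get(p, "storageProfile", "dataDisks", default=[])
    for d in disks:
        if _get(d, "managedDisk", "diskEncryptionSet", "id") is None:
            reasons.append(f"disk {d.get('name', '?')} has no Disk Encryption Set")
    results["AZ-VM-003"] = (not reasons, reasons)

    # AZ-VM-004: Azure Monitor Agent extension (Linux or Windows flavour) present
    ama = any(_get(ext, "properties", "publisher") == "Microsoft.Azure.Monitor"
              and _get(ext, "properties", "type") in ("AzureMonitorLinuxAgent", "AzureMonitorWindowsAgent")
              for ext in vm.get("resources", []))
    results["AZ-VM-004"] = (ama, [] if ama else ["Azure Monitor Agent extension not installed"])

    # AZ-VM-005: AutomaticByPlatform on whichever OS configuration the VM has
    os_cfg = linux if linux is not None else (windows or {})
    mode = _get(os_cfg, "patchSettings", "patchMode")
    ok = mode == "AutomaticByPlatform"
    results["AZ-VM-005"] = (ok, [] if ok else [f"patchMode is {mode!r}"])
    return results


def failed_required(results):
    """Hypothetical helper: IDs of failed checks whose severity is Required."""
    return sorted(cid for cid, (ok, _) in results.items() if not ok and SEVERITY[cid] == "Required")


# Constructed sample resources (fake ids, not real deployments).
_PFX = "/subscriptions/sub/resourceGroups/rg/providers/"
NIC_PRIVATE, NIC_PUBLIC = _PFX + "Microsoft.Network/networkInterfaces/nic-vm", _PFX + "Microsoft.Network/networkInterfaces/nic-pub"
DES_ID = _PFX + "Microsoft.Compute/diskEncryptionSets/des-cmk"
NICS = {
    NIC_PRIVATE: {"properties": {"ipConfigurations": [{"properties": {"subnet": {"id": "snet"}}}]}},
    NIC_PUBLIC: {"properties": {"ipConfigurations": [{"properties": {"publicIPAddress": {"id": "pip"}}}]}},
}
COMPLIANT_VM = {
    "identity": {"type": "SystemAssigned"},
    "properties": {
        "osProfile": {"linuxConfiguration": {"disablePasswordAuthentication": True,
                                             "patchSettings": {"patchMode": "AutomaticByPlatform"}}},
        "securityProfile": {"securityType": "TrustedLaunch", "encryptionAtHost": True,
                            "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True}},
        "storageProfile": {"osDisk": {"name": "osdisk", "managedDisk": {"diskEncryptionSet": {"id": DES_ID}}},
                           "dataDisks": []},
        "networkProfile": {"networkInterfaces": [{"id": NIC_PRIVATE}]}},
    "resources": [{"properties": {"publisher": "Microsoft.Azure.Monitor", "type": "AzureMonitorLinuxAgent"}}],
}
NONCOMPLIANT_VM = {
    "identity": {"type": "None"},
    "properties": {
        "osProfile": {"linuxConfiguration": {"disablePasswordAuthentication": False,
                                             "patchSettings": {"patchMode": "ImageDefault"}}},
        "storageProfile": {"osDisk": {"name": "osdisk", "managedDisk": {"storageAccountType": "Premium_LRS"}}},
        "networkProfile": {"networkInterfaces": [{"id": NIC_PUBLIC}]}},
    "resources": [],
}

if __name__ == "__main__":
    for name, vm in (("compliant", COMPLIANT_VM), ("noncompliant", NONCOMPLIANT_VM)):
        res = check_vm(vm, NICS)
        print(name, "blocking:", failed_required(res), {k: v for k, v in res.items() if not v[0]})
```

The checker deliberately treats a missing `securityProfile` as a failure of AZ-VM-002 and AZ-VM-003 rather than an unknown, because Azure omits the block on Standard VMs; a real pipeline would feed it the output of `az vm show --expand instanceView` or a Resource Graph query and gate deployment on `failed_required`.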