Azure Policy.md - omarhaq7/azwiki GitHub Wiki

Azure Policy

Azure Policy helps to enforce organizational standards and to assess compliance at scale.

Overview and Best Practices

Security policies in Defender for Cloud

Security standards in Defender for Cloud come from these sources:

  • Microsoft cloud security benchmark (MCSB): The MCSB standard is applied by default when you onboard Defender for Cloud to a management group or subscription. Your secure score is based on assessment against some MCSB recommendations.

  • Regulatory compliance standards: When you enable one or more Defender for Cloud plans, you can add standards from a wide range of predefined regulatory compliance programs.

  • Custom standards: You can create custom security standards in Defender for Cloud, and then add built-in and custom recommendations to those custom standards as needed.

References

Tools & Resources

Policy Examples

Workshops

https://github.com/marckean/AzurePolicyWorkshop

Remediation and Exemption

Policy Aliases

  • Azure Policy definition structure aliases
  • Get-AzPolicyAlias -ListAvailable
  • (Get-AzPolicyAlias -NamespaceMatch 'compute').Aliases
  • To find aliases that can be used with the modify effect: Get-AzPolicyAlias | Select-Object -ExpandProperty 'Aliases' | Where-Object { $_.DefaultMetadata.Attributes -eq 'Modifiable' }

Policy-as-Code / Terraform

Azure Policy for AKS

Enterprise-Scale Policies

Regulatory Compliance Controls

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/security-controls-policy

Automation

Scripts

https://github.com/guidemetothemoon/tech-utils/blob/main/scripts/azure-policy/Get-Policy-Assignments-In-Category.ps1

Examples and Tools