Azure Policy

Hello, Cybrarians. Welcome to this lesson on Azure Policy.
This lesson is part of the fourth module of the AZ-500 Microsoft Azure Security Technologies course.
Here's a quick overview of what we'll be covering. In this lesson,
we'll start out with a discussion of the fundamental concepts of Azure Policy.
We'll then look at how Azure Policy works.
We'll review some common use cases of Azure Policy,
and finally we'll look at the components that make up Azure Policy. Let's get right into this.
So, first of all, what is Azure Policy?
Azure Policy is a configuration assessment and enforcement tool in Azure.
It can be used to assess and enforce configuration for both existing resources and new resource deployments, before they are actually deployed.
We can apply Azure Policy at different scopes of the Azure resource hierarchy.
We can apply it at the management group level, at the subscription level or at the resource group level.
The ability to do this allows us to enforce organization standards and to assess compliance at scale.
Let's look at how Azure Policy works, because this will help us get a clearer understanding of this solution.
The control plane of Azure is something called ARM, which stands for Azure Resource Manager.
What we mean by control plane is that every create, read, update and delete operation goes to Azure Resource Manager, regardless of which management tool we're using.
It could be the Azure portal, it could be the Azure CLI, it could be Azure PowerShell, or even the client libraries of programming languages.
As you can see on the screen,
the Azure Policy engine that applies our policy templates is embedded right into this control plane.
And this is great, as it means that regardless of which management tool we're using to interact with Azure, the same policy will be applied.
So, for example, we could create a policy to specify allowed virtual machine SKUs, and maybe we specify Standard DS1 v2 as the only allowed SKU of virtual machine.
Once we create that policy, it's going to do an assessment of what we currently have existing in Azure, and it's going to flag to us what is not compliant with the policy that was configured. So in this case, we have two of our existing virtual machines that are not compliant with that policy.
Also, if we use any management tool to create a new request, let's say to deploy a new virtual machine that uses the Standard A1 size,
once we attempt to deploy that, we're going to get a deny. That's not going to go through, because it violates a policy that we currently have in place, and this is no matter which management tool we're using. Again, we have that consistency.
Let's have a quick look at some of the common use cases for Azure Policy.
For example, we can use it to define the resource types that can be deployed for our organization, maybe due to compliance requirements. We can block certain resource types while allowing other resource types.
We can use it to specify the sizes of virtual machines that we allow for deployment,
maybe for cost optimization reasons: we want to prevent people from spinning up very costly sizes of virtual machine without authorization.
We can use Azure Policy to specify allowed locations,
so the locations that resources can be deployed to for the organization, maybe due to data sovereignty requirements.
We can use Azure Policy to require tagging for resources that have been deployed, maybe as part of our operational processes.
We can also use it to ensure that business continuity processes are followed, by auditing that backup is enabled for virtual machines.
Let's have a deeper look at Azure Policy.
There are three main aspects to Azure Policy.
The first aspect is policy definition. We have to define the policy that's going to be applied.
After that, we have policy assignment. We have to assign that policy at a resource hierarchy scope.
And finally, we have policy evaluation, which is where that definition will be assessed or enforced based on the effect that we've configured. Let's look at these three aspects in more detail.
Let's start with policy definition.
An Azure Policy definition is a template that defines the configuration assessment and the effect that should apply if there is a match.
The structure of a policy definition template is in a classic "if this, then that" format. In other words, if this condition exists,
then apply this effect.
The great thing about Azure Policy definitions is that we do not need to start by writing our own policy definitions from scratch.
There are hundreds of built-in policy definitions that we can start with.
However, we can also create our own custom policy definitions if the built-in ones do not meet our requirements.
Here's a sample of an Azure Policy definition template. The policy definition itself is represented as a JSON file, and there are two main sections:
the condition section, which is the "if" section, and the effect section, which is the "then" section.
So in this case, we start out by defining our conditions,
and we can specify one or more conditions to match.
Here we have a condition that matches the virtual machine resource type,
and we can tie that with a second condition to examine the configuration of the SKU, checking that it does not match a list that we define. We can also use operators to tie the conditions together. So in this case, we're using the allOf operator to ensure that both conditions match.
Then we have our effect section, and in this case we're specifying a deny effect. In other words, if our conditions were to match, then apply the deny effect.
So this policy definition would deny the deployment of any virtual machine resource type where the SKU is not on the allowed list. After we have a policy definition, we have to assign it,
and that's where we go to policy assignment.
We can assign our policies at any of the scopes. We can apply our policy definitions at the management group scope; that could be at the root management group level or at a child management group level.
This is useful if you want to apply consistent governance controls to multiple subscriptions in the group.
We can apply our policy definitions at the subscription level, and we can also apply them at the resource group level.
Let's talk very quickly about this concept called a policy initiative. While we can apply our policy definitions individually, that's not actually best practice.
The best way to apply policy definitions is to group them together as a policy initiative. So a policy initiative is a collection of policy definitions that are grouped together, usually with a specific goal or purpose in mind, and what a policy initiative does
is simplify the management of policy assignments, because we can assign
a lot of definitions at once rather than assigning them individually. Like what we see on the right-hand side, we could take all the different policy definitions that have to do with security, group them together as a security initiative, and apply that at once.
Another good example is that we could group together all the policy definitions that have to do with PCI DSS compliance, and then we can apply those at once.
And similar to policy definitions, initiatives can also be applied at different scopes of the Azure resource hierarchy.
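To make the policy definition structure described above and the initiative concept concrete, here is an added example that is not part of the lesson and not Microsoft's code. The definition and initiative dictionaries use the real Azure Policy JSON shape (`policyRule` with `if`/`then`, the `allOf`, `field`, `equals` and `notIn` condition operators, the `Microsoft.Compute/virtualMachines/sku.name` field alias and the `[parameters('name')]` reference syntax), so they can be compared with any built-in definition. The evaluator below them is a deliberately small stand-in for the policy engine, written only to show how the if/then rule and an initiative's parameter overrides play out; the SKUs, locations, definition IDs and resources are constructed sample values.

```python
"""Added example: an Azure Policy definition, an initiative grouping two
definitions, and a toy evaluator for the if/then rule (not the real engine)."""
import json

# Custom definition: deny any virtual machine whose SKU is not on the allowed list.
# The default SKUs are constructed sample values, not an organisation's real list.
ALLOWED_VM_SKUS = {
    "properties": {
        "displayName": "Allowed virtual machine SKUs (custom)",
        "policyType": "Custom",
        "mode": "Indexed",
        "parameters": {"listOfAllowedSKUs": {"type": "Array",
                       "defaultValue": ["Standard_DS1_v2", "Standard_B2s"]}},
        "policyRule": {
            "if": {"allOf": [                      # both conditions must match
                {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                {"field": "Microsoft.Compute/virtualMachines/sku.name",
                 "notIn": "[parameters('listOfAllowedSKUs')]"}]},
            "then": {"effect": "deny"}}}}

# Second custom definition: deny resources outside the allowed regions.
ALLOWED_LOCATIONS = {
    "properties": {
        "displayName": "Allowed locations (custom)",
        "policyType": "Custom",
        "mode": "Indexed",
        "parameters": {"listOfAllowedLocations": {"type": "Array",
                       "defaultValue": ["westeurope", "northeurope"]}},
        "policyRule": {
            "if": {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            "then": {"effect": "deny"}}}}

# An initiative (policy set) references definitions by ID and may override their
# parameters. The IDs here are constructed placeholders, not real resource IDs.
DEFINITIONS_BY_ID = {"/definitions/allowed-vm-skus": ALLOWED_VM_SKUS,
                     "/definitions/allowed-locations": ALLOWED_LOCATIONS}
BASELINE_INITIATIVE = {
    "properties": {
        "displayName": "Baseline initiative (custom)",
        "policyDefinitions": [
            {"policyDefinitionId": "/definitions/allowed-vm-skus", "parameters": {}},
            {"policyDefinitionId": "/definitions/allowed-locations",
             "parameters": {"listOfAllowedLocations": {"value": ["westeurope"]}}}]}}


def _resolve(value, params):
    """Replace a "[parameters('name')]" reference with the parameter's value."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def _matches(condition, resource, params):
    """Recursively evaluate one condition block against a flat resource dict."""
    if "allOf" in condition:
        return all(_matches(c, resource, params) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(_matches(c, resource, params) for c in condition["anyOf"])
    if "not" in condition:
        return not _matches(condition["not"], resource, params)
    actual = resource.get(condition["field"])   # field alias -> resource property
    if "equals" in condition:
        return actual == _resolve(condition["equals"], params)
    if "in" in condition:
        return actual in _resolve(condition["in"], params)
    if "notIn" in condition:
        return actual not in _resolve(condition["notIn"], params)
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(definition, resource, parameter_values=None):
    """Return the definition's effect if its rule matches, else "compliant"."""
    props = definition["properties"]
    params = {n: p.get("defaultValue") for n, p in props.get("parameters", {}).items()}
    params.update(parameter_values or {})       # assignment/initiative overrides win
    rule = props["policyRule"]
    return rule["then"]["effect"] if _matches(rule["if"], resource, params) else "compliant"


def evaluate_initiative(initiative, resource, definitions=DEFINITIONS_BY_ID):
    """Evaluate every member definition of an initiative; {definition id: verdict}."""
    results = {}
    for member in initiative["properties"]["policyDefinitions"]:
        overrides = {k: v["value"] for k, v in member.get("parameters", {}).items()}
        results[member["policyDefinitionId"]] = evaluate(
            definitions[member["policyDefinitionId"]], resource, overrides)
    return results


# Constructed sample resources, flattened to the field aliases the rules use.
SAMPLE_RESOURCES = {
    "vm-ok": {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
              "Microsoft.Compute/virtualMachines/sku.name": "Standard_B2s"},
    "vm-oversized": {"type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
                     "Microsoft.Compute/virtualMachines/sku.name": "Standard_M128s"},
    "storage-northeurope": {"type": "Microsoft.Storage/storageAccounts",
                            "location": "northeurope"},
}

if __name__ == "__main__":
    print(json.dumps(ALLOWED_VM_SKUS, indent=2))
    for name, res in SAMPLE_RESOURCES.items():
        print(name, evaluate_initiative(BASELINE_INITIATIVE, res))
```

Note what the initiative changes: on its own, the allowed-locations definition accepts `northeurope` (it is in the default list), but the initiative overrides that parameter to `westeurope` only, so the storage account in `northeurope` is denied when evaluated through the initiative. Evaluating a resource against a definition and against an initiative that carries that definition can therefore give different verdicts, which is exactly why the assigned parameter values matter as much as the definition text.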
So let's look at the third aspect of Azure Policy, which is policy evaluation.
An Azure Policy evaluation is when the assigned policy is assessed or enforced, depending on the effect that we've configured, and there are different events that could trigger the assessment or enforcement of a policy or initiative assignment. For example, after we assign
a new policy or initiative to a scope,
it's going to be applied and evaluated after 30 minutes.
After a policy or initiative is updated, that's going to be applied or evaluated after 30 minutes.
If we have a new resource that was just deployed to a scope
which has an existing assignment, evaluation happens around 15 minutes later, and this will not affect existing resources in that scope. So maybe I deploy a new virtual machine into a resource group.
The virtual machine will be assessed against the existing policies for that resource group after 15 minutes.
The standard policy or initiative re-evaluation cycle is once every 24 hours. So after we've assigned a policy or initiative and it's done the initial assessment after 30 minutes, after that it's going to be once every 24 hours.
We also have an option to trigger an on-demand scan via the API.
Here are some supplemental links for further study on the topics covered in this lesson.
Here's a summary of what we covered.
We started out by discussing the fundamental concepts of Azure Policy,
and then we discussed how Azure Policy works.
We looked at some common Azure Policy use cases,
and finally we went into detail, covering the different components of Azure Policy, specifically around Azure Policy definition, policy assignment and policy evaluation.
That brings me to the end of this video. Thanks very much for watching, and I'll see you in the next lesson.
