Policy Compliance and Exemptions

Time
1 hour 5 minutes
Difficulty
Beginner
CEU/CPE
1
Video Transcription
00:00
In the last couple of videos, we saw how we can create policy assignments in Azure.
00:05
We can use Azure Portal. We can use Azure CLI. We can assign policies or policy initiatives.
00:12
Now let's take a look at how we can track our compliance and how we can exclude certain resources from the policy.
00:21
Once again, I am in Azure Portal and I can click on the policy service there.
00:27
I'll get my dashboard
00:29
here. I can see all the policies that are applied or assigned to my subscription.
00:36
I have the preview CIS initiative that we applied in one of the previous videos.
00:42
I have the audit resource location matching the resource group location which we applied using the CLI.
00:51
I also have the require owner tag
00:53
for the resources that we created using Azure Portal
00:58
on the dashboard.
01:00
You can see what the level of compliance is against these policies for all the resources within the scope.
01:07
Let's take, for example, the require owner tag.
01:10
We see that this is 100% compliance
01:14
and all resources in this resource group are compliant.
01:19
We only have a single resource there, which is the storage account.
01:25
This storage account has the proper owner tag.
01:29
That's why everything is compliant.
01:32
However, let's go back and take a look at the audit resource location.
01:37
As you remember,
01:38
in our video, we created a storage account which has a different location than the resource group.
01:44
That's why this policy is reported as non-compliant, and there's one resource that is not compliant.
01:52
Let's click on this policy, and when you go inside,
01:56
you can see every resource that is not compliant.
02:00
In this particular case, our storage account is not compliant because it was created in East US 2.
02:07
And the policy requires that this resource is created where the resource group is created.
02:14
In our particular case,
02:15
that was West US 2. Yeah,
02:19
let's look at the CIS initiative.
02:22
We have 167 out of 181 policies
02:27
that we are compliant with,
02:30
but 14 are not.
02:31
If I click on the initiative, I will see all the policies that my resources are not compliant with.
02:38
I can go and check each one of those.
02:44
As you can see, there are quite a few that we need to go through.
02:52
One thing I can do is I can go and edit the assignment.
02:58
I have a resource group where I put a virtual machine that I will use in the next videos.
03:04
I would like to exclude this resource group from this initiative.
03:09
I could go in the exclusion section, click on the browser,
03:15
and I can optionally exclude my resource group.
03:23
That will be Custom Policy Demo Resource Group from the policy
03:30
or the initiative.
03:38
I can click next
03:38
and next and nothing else changes
03:42
and I can save this initiative.
03:44
Once this initiative is saved,
03:47
it'll take a while until this policy or initiative gets evaluated.
03:53
I'll see the updated compliance report
04:00
While we're waiting for the initiative to be re-evaluated, let's take a look at the resources that are not compliant, and specifically the resources in the resource group that we excluded.
04:12
This is the policy demo VM.
04:15
This is just the resource group that has just a single VM.
04:19
If you click on it, you will see that we have nine noncompliant policies for that VM.
04:27
We have things like system updates should be installed.
04:30
Vulnerabilities and security configurations should be remediated and so on and so on.
04:35
Once the initiative gets re-evaluated, because we excluded this resource group from the initiative,
04:41
we will see that we will have nine fewer non-compliant policies in our report.
04:46
Let's wait for that to happen.
04:49
After some time,
04:53
the initiative got re-evaluated. And as you can see now, we don't have the policy demo VM that is part of the excluded resource group anymore available in the non-compliant resources.
05:05
Once we exclude some resources or scope from the evaluation, we don't see this in the reports anymore.
05:16
In this video, we saw how we can check the policy compliance and how we can exempt resources from the policy evaluation.
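The same walkthrough scripted with the Az PowerShell module, as an added example that is not part of the video (the video uses the portal and Azure CLI): it lists compliance per assignment, drills into the non-compliant resources, adds a resource group to the assignment's exclusion list (NotScope), triggers an evaluation instead of waiting, and confirms the excluded group has dropped out of the report. The subscription id, assignment name and resource group name are placeholders you must replace; reading existing exclusions through `.Properties.NotScopes` assumes the Az.Resources output shape of the video's era (newer module versions flatten it).

```powershell
# Added example (not the video's own commands). Requires the Az.Resources and
# Az.PolicyInsights modules and an account that can edit policy assignments.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$assignmentName = 'cis-initiative-assignment'              # placeholder: name of the initiative assignment
$excludedRg     = 'custom-policy-demo-rg'                  # placeholder for the group to exempt
$subScope       = "/subscriptions/$subscriptionId"
$rgScope        = "$subScope/resourceGroups/$excludedRg"

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. Dashboard view: how many non-compliant resources each assignment reports.
Get-AzPolicyStateSummary -SubscriptionId $subscriptionId |
    Select-Object -ExpandProperty PolicyAssignments |
    Select-Object PolicyAssignmentId,
                  @{ n = 'NonCompliantResources'; e = { $_.Results.NonCompliantResources } }

# 2. Drill in: every non-compliant resource under one assignment and the policy that flagged it
#    (for the video's VM this is where "system updates should be installed" etc. show up).
Get-AzPolicyState -SubscriptionId $subscriptionId -Filter "ComplianceState eq 'NonCompliant'" |
    Where-Object { $_.PolicyAssignmentName -eq $assignmentName } |
    Select-Object ResourceId, PolicyDefinitionName, Timestamp |
    Sort-Object ResourceId

# 3. Exclude the resource group. Keep any exclusions already on the assignment;
#    overwriting NotScope with a single entry would silently re-include them.
$assignment = Get-AzPolicyAssignment -Name $assignmentName -Scope $subScope
$notScopes  = @($assignment.Properties.NotScopes) + $rgScope |
    Where-Object { $_ } | Select-Object -Unique
Set-AzPolicyAssignment -Name $assignmentName -Scope $subScope -NotScope $notScopes | Out-Null

# 4. Don't wait for the scheduled evaluation: start a scan of that group and block until done.
Start-AzPolicyComplianceScan -ResourceGroupName $excludedRg

# 5. Verify: no non-compliant entries for the excluded group should remain under this assignment.
$remaining = @(Get-AzPolicyState -SubscriptionId $subscriptionId `
                 -Filter "ComplianceState eq 'NonCompliant'" |
               Where-Object { $_.ResourceGroup -eq $excludedRg -and
                              $_.PolicyAssignmentName -eq $assignmentName })
"Non-compliant entries still reported for $excludedRg under $assignmentName : $($remaining.Count)"
```

An exclusion removes the resources from evaluation and from the report, so treat the NotScope list as something to review periodically; `Get-AzPolicyAssignment` output shows it alongside the assignment scope.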
Azure Policies

This course goes into details about Azure Policy and how it can be used for IT governance of Azure resources.