How do I govern my Governance (policies)

Azure Policy has become a central part of running an Azure estate. Policies are not technical decoration; they are the controls that keep deployments consistent and secure. The challenge lies not only in implementing these policies but also in keeping track of what changes after they are in place.

So, what kind of changes are we talking about? There are two main areas of focus. First, we need to know that our policy assignments are still doing their job: are the resources in scope actually compliant? An assignment may no longer be in effect, or resources that violate it may have been created. This is typical for assignments that use the Audit effect, which only records non-compliance rather than blocking the deployment, so non-compliant resources accumulate until someone looks.

However, merely ensuring everything is compliant is not enough. We also need to monitor changes to the Azure Policy configuration itself. It is easy to assume that once our policies are in place everything is under control, but the configuration can be changed, by mistake or on purpose, by anyone who holds the rights to do so.

These changes primarily take four forms: deletion of a policy assignment, creation of an exemption, setting up an override, or a change to the policy definition. Each of them can silently weaken a control, so each deserves its own alert.

So, how can we monitor all these changes? The answer lies in Alerts. Alerts serve as an early warning system, notifying us about any changes, keeping us in the loop at all times.

Creating Alerts when a policy isn’t compliant

In the first case, we can use alerts to keep an eye on Azure Policy Compliance states. This idea is shown in Tao Yang’s work, “Natively Monitoring Azure Policy Compliance States in Azure Monitor – 2023 Edition“.

This approach uses alerts to actively track the compliance state of your assignments: a log-search alert fires when an assignment reports non-compliant resources. The key to the strategy is Azure Resource Graph (ARG). Compliance states are not written to the activity log, but they are exposed through ARG’s policyresources table, and an alert query running in Log Analytics can reach that table directly.
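As an added example (not the query from Tao Yang’s post), the following alert query summarises non-compliant resources per assignment. It assumes the arg("") cross-service query from Log Analytics to Azure Resource Graph is available in your workspace (it was in preview at the time of writing); the table and property names are those of ARG’s policyresources table.

```kusto
// Added example: non-compliant resources per policy assignment, read from Azure Resource Graph.
// Assumes the arg("") cross-service query is available in the workspace running the alert.
// Drop the arg("") prefix to run the same query in Resource Graph Explorer.
arg("").policyresources
| where type =~ "microsoft.policyinsights/policystates"
| extend complianceState = tostring(properties.complianceState),
         assignmentName  = tostring(properties.policyAssignmentName),
         definitionName  = tostring(properties.policyDefinitionName),
         effect          = tostring(properties.policyDefinitionAction),
         resourceId      = tostring(properties.resourceId)
| where complianceState =~ "NonCompliant"
// One row per assignment and definition: how many resources break it, and one example to start triage.
| summarize NonCompliantResources = dcount(resourceId),
            ExampleResource       = take_any(resourceId)
          by assignmentName, definitionName, effect
| order by NonCompliantResources desc
```

Use it as a log-search alert with the condition "number of results greater than 0", or compare NonCompliantResources against a threshold per assignment. The cross-service query caps the number of records it returns, which is why the example summarises instead of listing every resource; for a full inventory run the same query without the arg("") prefix in Resource Graph Explorer.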

Monitoring changes to a Policy

In the second situation, monitoring changes to the policy configuration, several alerts can be set up, one per type of change. One prerequisite applies to all of them: the queries below read the AzureActivity table, so the Activity Log must be forwarded to the Log Analytics workspace through diagnostic settings. Definitions and assignments that live at management-group scope are recorded in that management group’s activity log, not in any subscription’s, so the management groups need diagnostic settings of their own or these alerts never see the changes that matter most. The first change that should raise a red flag is the removal of a policy assignment. The assignment is what puts a definition into effect, so deleting it switches the control off for the whole scope. This action is critical and requires immediate attention.

Policy Removal Alert

To catch this, we set up an alert that watches for the ‘MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE‘ operation in the activity log, which records that a policy assignment has been removed. The Caller column tells you who did it; check it against the identity of your deployment pipeline before treating the alert as an incident, and treat any interactive user account as suspect.

The log-search query for such an alert:

AzureActivity
| where CategoryValue =='Administrative'
| where OperationNameValue == 'MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE'
| where ActivityStatusValue == 'Success'
| project TimeGenerated, CategoryValue, OperationNameValue, CorrelationId, Level, _ResourceId, Caller, Properties

Exemption Created

Likewise, it’s crucial to keep tabs on the creation of policy exemptions. A policy exemption excuses a resource or scope from an assignment, either as a Waiver (accepted risk) or as Mitigated (the control is met another way). Either way the assignment no longer applies to that scope, so an exemption can quietly create gaps in the overall governance, which makes it a vital action to supervise.

We can set up an alert for this that fires on the ‘MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS/WRITE‘ operation, which indicates that a policy exemption has been created. The same operation is also recorded when an existing exemption is updated, for example to extend its expiry date, which is equally worth knowing about.

The log-search query for such an alert:

AzureActivity
| where CategoryValue =='Administrative'
| where OperationNameValue == 'MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS/WRITE'
| where ActivityStatusValue == 'Success'
| project TimeGenerated, CategoryValue, OperationNameValue, CorrelationId, Level, _ResourceId, Caller, Properties
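The activity-log alert tells you when an exemption appears; it does not tell you which exemptions are in force today or whether any of them have quietly outlived their expiry. The following query is an added example (not part of the original post) that inventories current exemptions from Azure Resource Graph. It assumes the arg("") cross-service query is available in the workspace; the property names are those of ARG’s policyresources table.

```kusto
// Added example: inventory of policy exemptions currently in place, from Azure Resource Graph.
// Assumes the arg("") cross-service query is available; drop the prefix for Resource Graph Explorer.
arg("").policyresources
| where type =~ "microsoft.authorization/policyexemptions"
| extend category     = tostring(properties.exemptionCategory),   // Waiver or Mitigated
         expiresOn    = todatetime(properties.expiresOn),         // null when no expiry was set
         assignmentId = tostring(properties.policyAssignmentId),
         displayName  = tostring(properties.displayName)
// The exempted scope is the part of the exemption's own resource id before its provider segment.
| extend exemptedScope = extract(@"^(.*?)/providers/microsoft\.authorization/policyexemptions/", 1, tolower(id))
| extend Finding = case(
    isnull(expiresOn),    "No expiry set",
    expiresOn < now(),    "Expired but not removed",
    category =~ "Waiver", "Active waiver (accepted risk)",
    "Active")
| project name, displayName, category, expiresOn, exemptedScope, assignmentId, Finding
| order by Finding asc, expiresOn asc
```

Run it on a schedule and review the "No expiry set" rows first: an open-ended exemption is the closest thing Azure Policy has to a permanent hole, and it never shows up in a compliance dashboard because the exempted resources are simply not evaluated.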

Policy assignment Creation/Modification Alert

Keeping an eye on new policy assignments and on changes to existing ones is equally important. A change could be a narrower scope, an added notScopes exclusion, adjusted parameters, an effect override, or an assignment switched from Default to DoNotEnforce enforcement mode. Every one of those alters what the policy actually does without touching the definition, so an alert on assignment writes is worth having.

This alert fires on the ‘MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE‘ operation, which the activity log records both for the creation of a new assignment and for any update to an existing one. It therefore also catches additional assignments appearing in scope.

The log-search query for such an alert:

AzureActivity
| where CategoryValue =='Administrative'
| where OperationNameValue == 'MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE'
| where ActivityStatusValue == 'Success'
| project TimeGenerated, CategoryValue, OperationNameValue, CorrelationId, Level, _ResourceId, Caller, Properties

Policy Definition Modification Alert

Keeping track of changes to policy definitions is a critical part of Azure governance. A definition change is the most subtle of the four: the assignment stays in place and nothing looks different on the assignments blade, but the rule behind it may now permit what it used to deny.

For policy definition modifications, the alert should be configured to fire on the ‘MICROSOFT.AUTHORIZATION/POLICYDEFINITIONS/WRITE’ operation. This operation indicates that a custom policy definition, which could govern anything from allowed resource types and locations to required tags and diagnostic settings, has been created or modified. Built-in definitions are read-only, so a write always concerns one of your own.

The log-search query for such an alert:

AzureActivity
| where CategoryValue =='Administrative'
| where OperationNameValue == 'MICROSOFT.AUTHORIZATION/POLICYDEFINITIONS/WRITE'
| where ActivityStatusValue == 'Success'
| project TimeGenerated, CategoryValue, OperationNameValue, CorrelationId, Level, _ResourceId, Caller, Properties

Policy or Policy Set Deletion Alert

Monitoring the deletion of policy definitions and policy set (initiative) definitions is another element of Azure governance. These actions can notably influence the system’s governance and security, potentially creating gaps or resulting in compliance violations, so alerts for these events are important. Note that Azure will not delete a definition that is still assigned: all assignments must be removed first. This protects against accidental deletion of active policies, and it also means that a successful definition deletion normally follows an assignment deletion, so the two alerts will often fire close together for the same Caller.

In the case of policy definition removals, the alert should be configured to fire on the ‘MICROSOFT.AUTHORIZATION/POLICYDEFINITIONS/DELETE‘ operation. This operation signifies that a custom policy definition has been deleted. The log-search query for such an alert:

AzureActivity
| where CategoryValue =='Administrative'
| where OperationNameValue == 'MICROSOFT.AUTHORIZATION/POLICYDEFINITIONS/DELETE'
| where ActivityStatusValue == 'Success'
| project TimeGenerated, CategoryValue, OperationNameValue, CorrelationId, Level, _ResourceId, Caller, Properties

 
Similarly, removals of policy set definitions (initiatives) are significant events that need monitoring. To monitor these removals, the alert should be set to fire on the ‘MICROSOFT.AUTHORIZATION/POLICYSETDEFINITIONS/DELETE‘ operation.

The log-search query for such an alert:

AzureActivity
| where CategoryValue == 'Administrative'
| where OperationNameValue == 'MICROSOFT.AUTHORIZATION/POLICYSETDEFINITIONS/DELETE'
| where ActivityStatusValue == 'Success'
| project TimeGenerated, CategoryValue, OperationNameValue, CorrelationId, Level, _ResourceId, Caller, Properties

With these alerts in operation, you will receive notifications every time a policy or policy set definition is removed. This enables you to respond promptly to such changes, thus ensuring the system’s integrity is preserved and potential compliance issues are addressed without delay. As with the previous examples, this code serves as a general guideline, and the actual code might vary based on your specific Azure environment requirements.
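The six queries above differ only in the operation name, so in practice one alert rule can cover all of them and add the triage context an on-call engineer needs: the scope the change applies to, the object touched, and whether the caller is the expected deployment identity. The following query is an added example (not from the original post) that does this. Its assumptions: the subscription and management-group Activity Logs are forwarded to this workspace, and "policy-as-code-deploy" stands in for the name of your own pipeline principal whose changes are expected.

```kusto
// Added example: one alert query covering every policy control-plane change discussed above.
// Assumes the Activity Log (subscription and management group) is forwarded to this workspace.
let watchedOps = dynamic([
    "MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE",
    "MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE",
    "MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS/WRITE",
    "MICROSOFT.AUTHORIZATION/POLICYDEFINITIONS/WRITE",
    "MICROSOFT.AUTHORIZATION/POLICYDEFINITIONS/DELETE",
    "MICROSOFT.AUTHORIZATION/POLICYSETDEFINITIONS/DELETE"
]);
// Assumed name of the pipeline identity that deploys policy as code; replace with your own.
let expectedCallers = dynamic(["policy-as-code-deploy"]);
AzureActivity
| where CategoryValue == "Administrative"
| where OperationNameValue in~ (watchedOps)
| where ActivityStatusValue == "Success"
// Expected pipeline changes stay in the table for audit but are not paged.
| where Caller !in~ (expectedCallers)
// One operation can produce several records; keep the latest per correlation id.
| summarize arg_max(TimeGenerated, *) by CorrelationId, OperationNameValue
// The policy object ("policyassignments/<name>" etc.) and its scope both come from the resource id.
| extend policyObject = extract(@"/providers/microsoft\.authorization/([^/]+/[^/]+)$", 1, tolower(_ResourceId))
| extend scope = extract(@"^(.*?)/providers/microsoft\.authorization/", 1, tolower(_ResourceId))
| extend scopeKind = case(
    scope startswith "/providers/microsoft.management/managementgroups/", "ManagementGroup",
    scope has "resourcegroups",                                           "ResourceGroup",
    scope startswith "/subscriptions/",                                   "Subscription",
    "Unknown")
// Deletions, exemptions and anything at management-group scope switch controls off broadly.
| extend severity = case(
    OperationNameValue endswith "/DELETE",      "High",
    OperationNameValue has "POLICYEXEMPTIONS",  "High",
    scopeKind == "ManagementGroup",             "High",
    "Medium")
| project TimeGenerated, severity, OperationNameValue, scopeKind, scope, policyObject, Caller, CallerIpAddress, CorrelationId
| order by severity asc, TimeGenerated desc
```

Create it as a log-search alert with the condition "number of results greater than 0" and an evaluation frequency short enough to matter (five to fifteen minutes). Keep the per-operation queries from the sections above if you want different action groups per change type; otherwise route on the severity column. Whatever you choose, test the rule by creating and deleting a throwaway assignment in a sandbox subscription and confirming the alert actually arrives: an alert rule that nobody has ever seen fire is not a control.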

Conclusion

Wrapping it up, handling Azure policies isn’t a set-and-forget deal. It’s all about staying on top of things. We can’t just set up policies and hope for the best. Regular check-ups are a must to make sure our policies are doing what they’re supposed to. And that’s not all. We also have to keep a close eye on any changes or exceptions. That’s where alerts come into play. They’re our early warning system that lets us know when something’s up so we can jump in and fix it. Plus, using Azure Resource Graph (ARG) can give us a real-time look at how our policies are doing. All in all, if we keep an eye on things and act fast when needed, we can keep our Azure policies in check and our systems running smoothly.

Author: Eelco Labordus

I am an experienced Azure Cloud Architect with a proven track record in the information technology and services industry. With a deep passion for teaching, I thrive in collaborative team environments where I can contribute to the growth and success of my colleagues. My expertise lies in Azure Cloud, Data Center platforms, Automation, PowerShell, Windows Azure Pack, Azure(stack), System Center, VMware Infrastructure, Scrum, Management, and Process Management. I am a strong information technology professional, holding a degree from Hogeschool Novi.
