Azure Sentinel: Enterprise Governance (Part 3 of 3)

 


To read part 1 of 3 please click here
To read part 2 of 3 please click here



Resource Locks

There is always a need to lock a subscription, resource group or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock level can be easily set to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.

  • CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.

  • ReadOnly means authorized users can read a resource, but they can't delete or update the resource. This lock restricts all authorized users to the permissions granted by the Reader role.

Not every Azure user should have permission to create or remove locks. This requires access to the RBAC permissions like Microsoft.Authorization/, Microsoft.Authorization/locks/ action. However these actions can be added to custom roles as and when required.

Azure Blueprint

Azure Blueprints enables cloud architects and central information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization's standards, patterns, and requirements. Azure Blueprints allows development teams to rapidly build and stand up new environments with trust they are building within organizational compliance with a set of built-in components such as networking to speed up development and delivery.

Blueprints are a declarative way to orchestrate a deployment of various resource templates and other artifacts such as Role assignments, Policy Assignments, Azure Resource Manager templates, and Resource Groups. Blueprints objects are replicated to multiple Azure regions. This replication provides low latency, high availability, and consistent access to your blueprint objects, whatever region Blueprints deploys your resources to.

How is it different from Resource Manager templates?

Environment set up often consists of a set of resource groups, policies, role assignments, and Resource Manager template deployments. A blueprint brings each of these artifact types together and allows you to compose and version that package including through a CI/CD pipeline.Ultimately, they are assigned to a subscription in a single operation that can be audited and tracked.

With blueprints the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing deployments. 

 There is no need to choose between Resource Manager template and a blueprint. Each blueprint can consist of zero or more Resource Manager template artifacts which means that previous efforts to develop and maintain a library of resource Manager templates are reusable in Blueprints.

How it's different from Azure policy?

A blueprint is a package or container for composing focus-specific sets of standards, patterns, and requirements related to the implementation of Azure cloud services, security, and design that can be reused to maintain consistency and compliance. 

Including a policy in a blueprint enables the creation of right pattern or design during assignment of  the blueprint. This makes sure that only approved or expected changes can be made to the environment to protect ongoing compliance to the intent of the blueprint.

A policy can be included as one of the many artifacts in a blueprint definition. Blueprints also support using parameters with policies and initiatives. the following example illustrates the power of Azure Blueprints to deploy a complex solution and secure it.

Azure Security and Compliance Blueprint: PaaS Web Application for PCI DSS

  • This provides guidance for the deployment of a Payment Card Industry Data Security Standards (PCI DSS 3.2) compliant PaaS environment suitable for collection, storage, and retrieval of cardholder data.
  • It automatically deploys a PaaS web application reference architecture with pre-configured security controls to help customers achieve compliance with PCI DSS 3.2 requirements.
  • This blueprint uses Azure Resource Manager, Bastion Host, App Service Environment, Azure Web App,Network Security Groups, etc.
  • It is comprised of JSON configuration files and PowerShell scripts that are handled by Azure Resource Manager's API service to deploy resources within Azure.   

  Azure Subscription Management

An azure Active Directory (AD) tenant is created for you when you sign up for Azure. The tenent represents your account. You can use the tenant to manage access to your subscriptions and resources. If you want to create Azure subscriptions under your organization's Enterprise Agreement (EA), you need to have the Account Owner Role for your organization.

An Azure AD tenant is created for you when you sign up for Azure. The tenant represents your account and you can use the tenant to manage access to your subscriptions and resources.

Manage API access to Azure subscriptions and resources

Client applications that consume the published APIs need to include a valid subscription key in HTTP requests when they make calls to those APIs. A subscription is essentially a named container for a pair of subscription keys. API publishers cab also directly create subscriptions for API consumers.

API Management supports additional mechanisms for gaining access to APIs, including OAuth 2.0, Client Certificates, IP allow lists, etc. Azure policies consists of common API management functions, like those for access control, protection, transformation, and caching. You can apply these policies to various scopes, trigger them on an error, and set them in the inbound and outbound directions.

Who can transfer a subscription?

A billing administrator or the account administrator is a person who has the permission to manage billing for an account If you are an Enterprise Agreement customer, your enterprise administrator can transfer billing ownership of your subscriptions between accounts.

To identify your billing administrator accounts, use following steps:
  • Visit the Cost Management + Billing page in Azure portal.
  • Select all billing scopes from the left-hand pane.
  • The subscriptions page lists all subscriptions where you are a billing administrator. 

 


To read part 1 of 3 please click here
To read part 2 of 3 please click here






Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)