Anuj Varma, Hands-On Technology Architect, Clean Air Activist
Posts tagged "azure governance" (https://www.anujvarma.com/tag/azure-governance/)

Azure Management Groups are tied to Governance
https://www.anujvarma.com/azure-management-groups-are-tied-to-governance/
Wed, 17 Jun 2020 15:17:05 +0000

Also read this post on the core elements of Governance on any public cloud

Why do we need Azure Management Groups?

Most people think of management groups as a convenient way to organize multiple subscriptions (e.g. based on departments in an organization).

However, management groups are tied to governance in that policies and RBAC can both be applied at a higher level – and propagate to all child subscriptions underneath.

Per Department Management Groups

You can have a high-level management group per department.

What lives below a Management Group? (subscriptions and resource groups)

Firstly, you get a root management group whether you ask for it or not (with each new subscription). So – it is best to group new subscriptions under existing roots so you have a clean hierarchy.

Example Policy at Management Group Level – Tags of resources and Resource Groups

Every resource in Azure, including resource groups, must have tags assigned to it. At a minimum, the tags include the department, environment, creation date, and project name.
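As an added example (not code from the original post), the Python below builds the two policy bodies this rule needs, one for taggable resources and one for resource groups, and dry-runs them against a constructed inventory. The tag names, the inventory, and the `mg-finance` group ID are assumptions, and `matches` evaluates only the condition subset generated here, not the full Azure Policy language.

```python
# Added example: tag names and the inventory below are constructed assumptions.
REQUIRED_TAGS = ["department", "environment", "creationDate", "project"]
RG_TYPE = "Microsoft.Resources/subscriptions/resourceGroups"

def build_tag_policy(required_tags, resource_groups=False):
    """Policy body that denies anything missing one of the required tags."""
    missing = {"anyOf": [{"field": f"tags['{t}']", "exists": "false"}
                         for t in required_tags]}
    if resource_groups:
        # Resource groups need mode "All" plus an explicit type filter.
        cond = {"allOf": [{"field": "type", "equals": RG_TYPE}, missing]}
        return {"mode": "All", "policyRule": {"if": cond, "then": {"effect": "deny"}}}
    # "Indexed" limits evaluation to resource types that support tags and location.
    return {"mode": "Indexed", "policyRule": {"if": missing, "then": {"effect": "deny"}}}

def management_group_scope(group_id):
    """Assignment scope for a management group; children inherit from it."""
    return f"/providers/Microsoft.Management/managementGroups/{group_id}"

def matches(cond, resource):
    """Evaluate the subset of policy conditions generated above."""
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if cond["field"] == "type":
        return resource["type"].lower() == cond["equals"].lower()
    tag = cond["field"][len("tags['"):-len("']")]
    return (tag in resource.get("tags", {})) == (cond["exists"] == "true")

def denied(policy, resource):
    """True if the deny rule would block this resource."""
    is_rg = resource["type"].lower() == RG_TYPE.lower()
    if policy["mode"] == "Indexed" and is_rg:
        return False  # resource groups are covered by the "All"-mode policy
    return matches(policy["policyRule"]["if"], resource)

def audit(inventory, required_tags=REQUIRED_TAGS):
    """Names of inventory items that either policy would deny."""
    policies = [build_tag_policy(required_tags),
                build_tag_policy(required_tags, resource_groups=True)]
    return [r["name"] for r in inventory if any(denied(p, r) for p in policies)]

FULL = {t: "x" for t in REQUIRED_TAGS}
INVENTORY = [  # constructed sample, not real resources
    {"name": "rg-payments", "type": RG_TYPE, "tags": {"department": "finance"}},
    {"name": "vm-app01", "type": "Microsoft.Compute/virtualMachines", "tags": FULL},
    {"name": "stlogs01", "type": "Microsoft.Storage/storageAccounts", "tags": {}},
]
```

Assigning both bodies at the scope returned by `management_group_scope("mg-finance")` is what makes them apply to every subscription under that group.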

Another Example Policy at the Management Group Level – Diagnostic logs and Application Insights for all resources

Every resource deployed on Azure should have diagnostic logs and application logs enabled wherever possible.

How many Subscriptions should you have?

At the very least, 2 (one for production and one for non-production workloads). Beyond PROD and NON PROD, you can consider department-based subscriptions (if billing is to be separated). Read Azure’s Article on Subscription Groups.

Summary

Azure Management Groups are more than a convenience for organizing subscriptions. Used correctly, they allow policies to be applied in a reusable manner. For example, they can be used to enforce tagging of resources, a key part of cost governance.

Also see Auditing AWS Account Security.


Azure Governance
https://www.anujvarma.com/azure-governance/
Tue, 22 Jan 2019 04:12:00 +0000

Azure’s Governance Toolkit is very different from AWS’s – although they try to accomplish a lot of the same things. At a high level, this is Azure’s breakdown of services/techniques for better cost and resource governance.

  • Management Groups – grouping and organizing your subscriptions in a logical hierarchy

  • Resource Graphs – These help query complex aspects of Azure resources (how many VMs have managed disks attached…?)

  • Policies – Similar to AWS policies.

  • Blueprints (resource groups, policies, role assignments, Resource Manager templates) – Close to AWS CloudFormation Templates

Sample Governance Probing Questions and Answers (for Azure)

Do you need to manage multiple accounts and subscriptions?

  • Use Azure Management Groups to create an organizational hierarchy so that access control policies can be inherited.

Are you using RBAC? Are you leveraging Azure Policy?

  • On RBAC, use Azure Policy and possibly define programmatic ways (using Azure PowerShell or CLI) to apply control policies.

Are you using Tagging Effectively? How about Centralized Logging?

  • Create a tagging policy that accounts for cost centers, development environments as well as departmental units.
  • Collect and store logs for all Azure Subscriptions, accounts, resource groups, resources and Azure REST API actions

How are you currently enforcing Security Compliance?

  • Try scheduling continuous monitoring tasks (for example, vulnerability scans within and across subscriptions)

How are you enforcing Cost and Budget compliance?

  • Set rules to define enforcement actions (including notification and blocking the creation of new cloud resources) when compliance thresholds are exceeded. CloudCheckr and related tools may help define such rules, but it could be done cloud native as well.

What access is needed on an existing subscription?

The Azure Global Admin needs to create a Service Principal within the subscription, with Reader rights.

(Optional) CloudCheckr Deployment  within the Azure Tenant(s)
