Azure Governance
Azure’s Governance Toolkit is very different from AWS’s – although they try to accomplish a lot of the same things. At a high level, this is Azure’s breakdown of services/techniques for better cost and resource governance.
— Management Groups – grouping and organizing your subscriptions in a logical hierarchy
— Resource Graphs – These help query complex aspects of Azure resources (for example, how many VMs have managed disks attached?)
— Policies – Similar to AWS policies.
— Blueprints (resource groups, policies, role assignments, Resource Manager templates) – Close to AWS CloudFormation Templates
Sample Governance Probing Questions and Answers (for Azure)
Do you need to manage multiple accounts and subscriptions?
- Use Azure Management Groups to create an organizational hierarchy so that access control policies can be inherited.
Are you using RBAC? Are you leveraging Azure Policy?
- On RBAC, use Azure Policy and possibly define programmatic ways (using Azure PowerShell or CLI) to apply control policies.
Are you using Tagging Effectively? How about Centralized Logging?
- Create a tagging policy that accounts for cost centers, development environments as well as departmental units.
- Collect and store logs for all Azure subscriptions, accounts, resource groups, resources and Azure REST API actions.
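To illustrate the tagging answer above, and the earlier point about applying control through Azure Policy, here is a custom policy definition added as an example; it is not part of the original post. The tag names (CostCenter, Environment, Department) and the allowed environment values are assumptions chosen to match the categories listed.

```json
{
  "properties": {
    "displayName": "Require CostCenter, Environment and Department tags",
    "description": "Added example. Tag names and allowed values are assumptions, not from the original post.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny"],
        "defaultValue": "Audit",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit reports non-compliant resources; Deny blocks their creation."
        }
      },
      "allowedEnvironments": {
        "type": "Array",
        "defaultValue": ["dev", "test", "prod"],
        "metadata": {
          "displayName": "Allowed Environment tag values",
          "description": "Constructed sample values for the development environment tag."
        }
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          { "field": "tags['CostCenter']", "exists": "false" },
          { "field": "tags['Department']", "exists": "false" },
          { "field": "tags['Environment']", "exists": "false" },
          { "field": "tags['Environment']", "notIn": "[parameters('allowedEnvironments')]" }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

Assigned at a management group, the definition is inherited by every subscription beneath it; running it with the Audit effect first shows how many existing resources would fail before Deny starts blocking deployments.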
How are you currently enforcing Security Compliance?
- Try scheduling continuous monitoring tasks (for example, vulnerability scans within and across subscriptions).
How are you enforcing Cost and Budget compliance?
- Set rules to define enforcement actions (including notification and blocking the creation of new cloud resources) when compliance thresholds are exceeded. CloudCheckr and related tools may help define such rules, but it could be done cloud-native as well.
What access is needed on an existing subscription?
The Azure Global Admin needs to create a Service Principal within the subscription, with Reader rights.
(Optional) CloudCheckr Deployment within the Azure Tenant(s)