Azure Governance using Policies

Automate Azure VM Management Using Action

Actions give you the ability to respond rapidly to changes in your environment. For example, you can configure an action that stops and deallocates Azure VMs whose spend exceeds $200 a month. Here, a policy tracks your VMs, looking for spend above $200 a month, and the action attached to that policy takes the corrective measure, in this case stopping and deallocating the VMs that the policy identifies.

Advantages of Enabling Actions

Actions can help you in these ways:

  • Automate labor-intensive and error-prone tasks without compromising on authorization and security.
  • Reduce the time and effort it takes to manage and operate your cloud.
  • Establish policy-based governance across your environment.
  • Create and execute Actions without human intervention after setting up approvers for them.

Support for Azure Actions in Tanzu CloudHealth Platform

Actions can work on their own or in tandem with policies. In the latter case, policies locate deviations from operational norms and actions help you take corrective measures in response to those deviations. You can enable actions to govern your Azure infrastructure from these parts of the Tanzu CloudHealth platform:

  • Virtual Machine Rightsizing Report
  • Virtual Machine Asset Report
  • In tandem with a Standard Policy

Actions Supported for Azure Infrastructure

Configure one or more of these actions for governing your Azure Virtual Machines (VMs):

  • Start VM
  • Stop and Deallocate VM
    • If you are using Classic VMs, this action only stops the VM without deallocating it. Therefore, the VM will continue to incur charges until you deallocate it through the Azure Portal.
  • Restart VM
  • Resize VM

How to Enable Azure Actions

To use Azure Actions in the Tanzu CloudHealth platform, associate a custom role with each Azure Service Principal. Tanzu CloudHealth acts through that role when performing Actions on your behalf, so Actions are enabled per service principal. Use Azure PowerShell to associate the role with each service principal.

Ensure that you can create custom role definitions and role assignments (for example, Owner or User Access Administrator) in every subscription that the service principal covers; the Tanzu CloudHealth UI does not grant these rights for you.

  1. Login to the Tanzu CloudHealth platform. From the left menu, select Setup > Governance > Actions.
  2. The first section on this page is titled Set Up Azure Service Principal. It lists each service principal that you have configured in the Tanzu CloudHealth platform.
  3. Click the Enable button next to the service principal for which you want to enable Azure Actions. A PowerShell script customized for that service principal appears. By default, the script assigns the built-in Azure Contributor role, which can create, modify and delete most resource types. For the full list of operations that role permits, see the Azure documentation for the Contributor built-in role.

    If you prefer to assign Tanzu CloudHealth a more restrictive role than the default Contributor one, create your own role. Here is an example. Note that the wildcards below still grant more than the VM Actions listed on this page: Microsoft.Compute/*/action, for instance, also matches operations that run commands inside a VM, so review the resulting role against what you actually need.

    # Az module cmdlets; the retired AzureRm equivalents (Get-AzureRmRoleDefinition, New-AzureRmRoleDefinition) behave the same way.
    $role = Get-AzRoleDefinition "Contributor"
    $role.Id = $null
    $role.Name = "CHTActions"
    $role.Description = "Grants access to Actions"
    # A custom role must have at least one assignable scope; New-AzRoleDefinition rejects an empty list.
    # Replace the placeholder with the subscription (or management group) the service principal covers.
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add("/subscriptions/<subscription-id>")
    $role.Actions.Clear()
    $role.Actions.Add("Microsoft.Compute/*/write")
    $role.Actions.Add("Microsoft.Compute/*/action")
    $role.Actions.Add("Microsoft.ClassicCompute/*/write")
    $role.Actions.Add("Microsoft.ClassicCompute/*/action")
    $role.Actions.Add("Microsoft.Sql/*/write")
    $role.Actions.Add("Microsoft.Sql/*/action")
    $role.Actions.Add("Microsoft.Storage/*/write")
    $role.Actions.Add("Microsoft.Storage/*/action")
    $role.Actions.Add("Microsoft.ClassicStorage/*/write")
    $role.Actions.Add("Microsoft.ClassicStorage/*/action")
    # Contributor's own NotActions are kept; "*/Delete" is added so the role cannot delete any resource.
    $role.NotActions.Add("*/Delete")
    New-AzRoleDefinition -Role $role
    

    For more examples, see Manage Role-Based Access Control with Azure PowerShell.

  4. Run the script that Tanzu CloudHealth created for the service principal. If you created your own role, replace Contributor in the script with the name of the role you created.
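As an added example (not code from the Tanzu CloudHealth page or product), the following Az PowerShell script creates a role that grants only the operations behind the four VM Actions listed above (start, stop and deallocate, restart, resize), assigns it to the service principal, and includes a small helper that shows why the wildcard role above is broader than it looks: Microsoft.Compute/*/action also matches Microsoft.Compute/virtualMachines/runCommand/action, which runs arbitrary commands inside a VM. It assumes the Az module, a signed-in session (Connect-AzAccount) with rights to create role definitions and assignments, no Classic VMs, and the placeholders <subscription-id> and <client-id>, which you replace. The role name CHTActions-VM is an arbitrary choice.

```powershell
# Added example, not part of the Tanzu CloudHealth page. Placeholders below are assumptions to replace.
$subscriptionId        = '<subscription-id>'   # placeholder
$servicePrincipalAppId = '<client-id>'         # placeholder: the Tanzu CloudHealth service principal's application (client) ID

# Resource operations needed for Start, Stop and Deallocate, Restart and Resize.
# Resize is a PUT on the VM resource (virtualMachines/write); the read operations let the
# caller look up the VM and the sizes it can move to. Classic (ASM) VMs are not covered.
$vmActions = @(
    'Microsoft.Compute/virtualMachines/read',
    'Microsoft.Compute/virtualMachines/start/action',
    'Microsoft.Compute/virtualMachines/deallocate/action',
    'Microsoft.Compute/virtualMachines/powerOff/action',
    'Microsoft.Compute/virtualMachines/restart/action',
    'Microsoft.Compute/virtualMachines/write',
    'Microsoft.Compute/virtualMachines/vmSizes/read',
    'Microsoft.Compute/locations/vmSizes/read',
    'Microsoft.Resources/subscriptions/resourceGroups/read'
)

# Build the custom role from a built-in definition used only as a template, then replace every list.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = 'CHTActions-VM'
$role.Description = 'Start, stop/deallocate, restart and resize virtual machines only'
$role.Actions.Clear()
$role.NotActions.Clear()
$role.DataActions.Clear()
$role.NotDataActions.Clear()
foreach ($a in $vmActions) { $role.Actions.Add($a) }
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")   # at least one scope is mandatory
$created = New-AzRoleDefinition -Role $role

# Assign the new role to the service principal at subscription scope.
New-AzRoleAssignment -ApplicationId $servicePrincipalAppId `
                     -RoleDefinitionName $created.Name `
                     -Scope "/subscriptions/$subscriptionId" | Out-Null

# Helper: does a role (Actions minus NotActions, Azure wildcard semantics) permit an operation?
# PowerShell's -like is case-insensitive glob matching, which mirrors how ARM evaluates "*".
function Test-RoleAllows {
    param([string[]]$Actions, [string[]]$NotActions, [string]$Operation)
    $allowed = @($Actions    | Where-Object { $Operation -like $_ }).Count -gt 0
    $denied  = @($NotActions | Where-Object { $Operation -like $_ }).Count -gt 0
    return ($allowed -and -not $denied)
}

# Compare the wildcard role from the page with the VM-only role on three sensitive operations.
$pageRoleActions    = 'Microsoft.Compute/*/write', 'Microsoft.Compute/*/action'
$pageRoleNotActions = @('*/Delete')
'Microsoft.Compute/virtualMachines/runCommand/action',   # run a command inside the guest OS
'Microsoft.Compute/virtualMachines/extensions/write',    # install an extension (also code execution)
'Microsoft.Compute/virtualMachines/delete' | ForEach-Object {
    [pscustomobject]@{
        Operation        = $_
        PageWildcardRole = Test-RoleAllows -Actions $pageRoleActions -NotActions $pageRoleNotActions -Operation $_
        VmOnlyRole       = Test-RoleAllows -Actions $vmActions       -NotActions @()                 -Operation $_
    }
} | Format-Table -AutoSize
```

The table prints True for the wildcard role and False for the VM-only role on the runCommand and extensions operations, and False for both on delete (the wildcard role excludes it through NotActions). To use the tighter role, run the script once per subscription, or add further scopes to AssignableScopes, and then replace Contributor with CHTActions-VM in the script that Tanzu CloudHealth generated for the service principal.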

Associate Azure Actions with Policies

Associate an action with a policy so that when a policy condition evaluates to true, the action is executed.

For all asset types, the following Actions are available:

  • Create JIRA Issue
  • Email

You can stagger Actions with the Wait function and chain them into a sequence. For example, to stop a Virtual Machine, create a JIRA issue, and inform someone of these actions by email, define the sequence as follows:

  1. Stop and Deallocate Azure Virtual Machines.
  2. Create JIRA Issue.
  3. Email DevOps.

To ensure that the sequence of events runs correctly, click the Test Rule button for the rule.

For more information about associating actions with a policy, see Configure Rules.

Associate Approvers with Actions

In order to add traceability and accountability, you can run Azure actions through an approval process. When an action is triggered, the Approver receives an email notification. If the Action is acceptable to the Approver, they can approve it through the email. If other Approvers are part of the process, a notification is then sent to the next Approver in the sequence. When all Approvers have signed off, Tanzu CloudHealth runs the Action.

Standard Azure Actions available in the Tanzu CloudHealth platform do not require an approval process by default. Create a custom Action that combines one or more standard Actions and associate Approvers with that Action.

  1. Login to the Tanzu CloudHealth platform. From the left menu, select Setup > Governance > Actions. Then, click Create Action.
  2. In the form that appears, name the action, describe it, and select Azure Virtual Machine as the Resource Type.
  3. In the Actions section of the form, create a sequence of one or more actions associated with the Custom Action.
  4. Add one or more Approvers for the Action. Move the Approval sub-Action to the top of the sequence.
  5. Click Save. This Action is now available for association with Policies.

Execute Actions Manually

In addition to associating Azure Actions with Policies, you can manually execute Azure Actions in the Tanzu CloudHealth platform.

In the Virtual Machine Rightsizing report (Recommendations > Virtual Machine Rightsizing), each row has an associated Actions dropdown.

Because this is the Rightsizing report, one possible Action to take here would be Resize Azure Virtual Machine. Click this option from the Actions dropdown and select the VM size to which you want to resize.

Click Execute Action. Tanzu CloudHealth resizes the VM using the privileges of the custom role assigned to the service principal for the subscription that contains the VM.

Implement CIS Azure Foundations Policy

What is the CIS Azure Foundations Policy

The CIS Azure Foundations policy checks your environment against the Center for Internet Security (CIS) Microsoft Azure Foundations Benchmark v1.3.0. The policy monitors your Azure accounts, services, and resources, identifies deviations from the benchmark, and recommends how to remediate them.

Tanzu CloudHealth manages this policy and will update it periodically to meet additional CIS benchmarks. You can customize the rules in this policy within certain constraints. You can also enable and disable rules within the default policy.

Prerequisites for CIS Azure Foundations Policy

To run the CIS Azure Foundations policy, Tanzu CloudHealth must collect asset metadata for a number of services:

  • Key Vaults (keys and secrets)
  • Azure Active Directory (users and role definitions)
  • SQL Server/Database (threat detection and transparent data encryption)
  • Azure subscription security policies

To report on these services, Tanzu CloudHealth requires additional access to your Azure cloud.

Tanzu CloudHealth accesses only metadata. No sensitive data is accessed or collected.

Grant Read Access to Azure Active Directory Users

To let Tanzu CloudHealth collect the Azure Active Directory user metadata that the CIS Azure Foundations policy needs, grant the application registration behind your Tanzu CloudHealth service principal the Microsoft Graph User.Read.All application permission.

  1. Log in to the Azure Portal.
  2. Go to All Services and select Azure Active Directory under Identity.
  3. Select App Registrations from the left menu.
  4. Select the application registration corresponding to your Tanzu CloudHealth service principal. To verify your Tanzu CloudHealth service principal, go to Setup > Admin > Azure Service Principal in the Tanzu CloudHealth Platform.
  5. Select API permissions from the left menu. Select Add a permission.
  6. In Select an API, select Microsoft Graph from the list.
  7. Select Application permissions as your permission type.
  8. Select the User.Read.All permission from the list and click Add permissions.
  9. Application permissions take effect only after tenant-wide admin consent: click Grant admin consent for your tenant on the API permissions page and confirm. Until the Status column shows the consent as granted, the service principal cannot read user data.

Grant Access to Key Vault Keys and Secret Metadata

Tanzu CloudHealth requires access to your Azure Key Vault key and secret metadata to check whether your Azure cloud is compliant with CIS benchmarks. The commands below add a Key Vault access policy for the service principal in every vault of every subscription. Two caveats apply. First, access policies are only evaluated on vaults that use the access-policy permission model; on vaults with Azure RBAC authorization enabled, grant the built-in Key Vault Reader role at the vault scope instead. Second, the get permission on secrets returns the secret value, not just its attributes (list returns attributes only), so restrict this grant to the Tanzu CloudHealth service principal and review it as you would any other secret-reading identity.

  1. Open PowerShell with the Az module installed, sign in with Connect-AzAccount, and enter the following (the retired AzureRm cmdlets Get-AzureRmSubscription, Set-AzureRmContext, Get-AzureRmKeyVault and Set-AzureRmKeyVaultAccessPolicy are the older equivalents):
    $subs = Get-AzSubscription
    $client_id = 'client id of service principal'
    foreach ($sub in $subs) {
        Set-AzContext -SubscriptionId $sub.Id | Out-Null
        $key_vaults = Get-AzKeyVault
        foreach ($key_vault in $key_vaults) {
            # get,list on keys exposes key attributes and public key material only; get on secrets returns the secret value.
            Set-AzKeyVaultAccessPolicy -VaultName $key_vault.VaultName -ServicePrincipalName $client_id -PermissionsToKeys get,list -PermissionsToSecrets get,list
        }
    }
    
  2. Replace client id of service principal with your Azure service principal client ID. You can locate your client ID in the Tanzu CloudHealth Platform by going to Setup > Accounts > Azure Service Principal.
  3. Run the PowerShell commands. An access policy belongs to a vault, not to an individual key or secret, so repeat steps 1-3 each time you create a new Key Vault (not each time you add a key to an existing vault) to ensure the CIS Azure Foundations Policy keeps working.
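As an added example (not code from the Tanzu CloudHealth page or product), the following Az PowerShell script performs the grant from the procedure above across all subscriptions while handling both Key Vault permission models: vaults that use access policies get the get,list policy the procedure specifies, and vaults with Azure RBAC authorization enabled (where access policies are not evaluated) get the built-in Key Vault Reader role at vault scope, which reads key, secret and certificate metadata but not secret values or key material. It assumes the Az module, a signed-in Connect-AzAccount session allowed to change access policies and create role assignments, and the placeholder <client-id>, which you replace with the service principal's application ID. The function name Grant-VaultMetadataAccess is an arbitrary choice.

```powershell
# Added example, not part of the Tanzu CloudHealth page. The client ID below is a placeholder to replace.
$clientId = '<client-id>'   # Setup > Accounts > Azure Service Principal in Tanzu CloudHealth

# Role assignments are keyed by the service principal's object ID, not its application (client) ID.
$spObjectId = (Get-AzADServicePrincipal -ApplicationId $clientId).Id

function Grant-VaultMetadataAccess {
    # $Vault is the full PSKeyVault object from Get-AzKeyVault -VaultName; the listing form
    # returns summary items that do not expose the permission model.
    param([Parameter(Mandatory)] $Vault)

    if ($Vault.EnableRbacAuthorization) {
        # RBAC model: access policies are ignored, so assign Key Vault Reader (idempotently).
        $existing = Get-AzRoleAssignment -ObjectId $spObjectId -Scope $Vault.ResourceId `
                        -RoleDefinitionName 'Key Vault Reader' -ErrorAction SilentlyContinue
        if (-not $existing) {
            New-AzRoleAssignment -ObjectId $spObjectId -RoleDefinitionName 'Key Vault Reader' `
                                 -Scope $Vault.ResourceId | Out-Null
            return 'rbac: Key Vault Reader assigned'
        }
        return 'rbac: Key Vault Reader already assigned'
    }

    # Access-policy model: the permissions the procedure above asks for. Note that "get" on
    # secrets returns secret values; "list" alone returns attributes only.
    Set-AzKeyVaultAccessPolicy -VaultName $Vault.VaultName -ServicePrincipalName $clientId `
        -PermissionsToKeys get,list -PermissionsToSecrets get,list
    return 'access policy: keys get,list / secrets get,list'
}

# Walk every subscription and vault visible to the signed-in account and record what was done.
$report = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    foreach ($item in Get-AzKeyVault) {
        $vault = Get-AzKeyVault -VaultName $item.VaultName
        [pscustomobject]@{
            Subscription = $sub.Name
            Vault        = $vault.VaultName
            RbacEnabled  = [bool]$vault.EnableRbacAuthorization
            Result       = Grant-VaultMetadataAccess -Vault $vault
        }
    }
}
$report | Format-Table -AutoSize
```

The report shows, per vault, which model applied and what was granted; re-running the script is safe because the RBAC branch checks for an existing assignment and Set-AzKeyVaultAccessPolicy replaces the principal's policy entry rather than appending to it. Run it again whenever a new Key Vault is created.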

Enable CIS Azure Foundations Policy

A policy contains one or more policy blocks, each containing a specific rule that checks for compliance against an Azure CIS benchmark.

  1. In Setup > Governance > Policies, edit the policy CIS Azure Foundations.
  2. Switch the Status to Enabled and click Save Policy.

    When you enable the CIS Azure Foundations policy, all rules within it are enabled and assigned a default severity. The first recommendations from the policy are available within about an hour of enabling it; after that, they are refreshed daily.

Review CIS Azure Foundations Policy Recommendations

Recommendations from the CIS Azure Foundations policy help you understand what the particular security issue is and what action you can take to address it. These recommendations are also visible in the Health Check Pulse Report.

  1. Go to Recommendations > Security. For each rule, the table shows the severity of the violation and the number of resources that violate that rule.
  2. Click a row in the table for more information on the rule.
    • Rule documentation is divided into the following sections: Description, Recommendation, and Additional Help. You can customize the content in these sections.
    • The Affected Resources table lists all resources that are violating the policy.
    • If you know why a resource is violating a policy rule and want to exclude it from future checks, click View All above the table, locate the resource in the dialog box that appears, and click Exclude.

Customize CIS Azure Foundations Policy

If you want to customize the CIS Azure Foundations policy, you can edit the policy within certain constraints. Alternatively, you can modify a copy of the policy. In that case, however, the copy you create will not be updated when Tanzu CloudHealth adds CIS benchmarks to the default policy.

  1. In Setup > Governance > Policies, edit the policy CIS Azure Foundations.
  2. Change one or more of these characteristics.
    • Enable or disable the policy. The policy is turned off by default.
    • Enable or disable a rule.
    • Change the severity of a rule.
    • Edit rule conditions. You can configure a policy rule so that it better reflects your requirements. For example, the original policy contains a rule that ensures that all SQL servers retain auditing for more than 90 days. You can edit this rule to modify that duration.
    • Trigger an action that is performed on resources that violate the conditions of a rule.

Apply CIS Azure Foundations Policy to Sub-Organizations

When you enable the CIS Azure Foundations policy, it only checks for benchmark violations in the top-level organization. To apply the policy to sub-organizations, duplicate the policy and specify the sub-organization to which it should apply.

  1. In Setup > Governance > Policies, duplicate the policy CIS Azure Foundations.
  2. In the dialog box that appears, name the duplicate policy and select the sub-organization to which it should apply.

    Actions that you added to the original policy are not copied into the duplicate for the sub-organization; add them again if they are needed there.
