Ensure "Not Allowed Resource Types" Policy Assignment in Use

Risk Level: Medium (should be achieved)
Rule ID: Subscriptions-003

Ensure that a "Not Allowed Resource Types" policy is assigned to your Azure subscriptions in order to deny deploying restricted resources within your Azure cloud account for security and compliance purposes. Microsoft Azure Policy service allows you to enforce organizational standards and assess cloud compliance at-scale. With Azure Policy you can define, assign, and manage policies. These policies enforce different rules and effects over your cloud resources in order to stay compliant with corporate standards and service level agreements (SLAs). An assignment is a policy definition or initiative that has been assigned to a specific scope (e.g. a subscription or a resource group). For compliance, the "Not Allowed Resource Types" policy assignment must use the "Not Allowed Resource Types" built-in policy definition. This policy definition enables you to specify the cloud resource types that your organization cannot deploy.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security
Cost optimisation

With a "Not Allowed Resource Types" policy assignment in use, you can manage your Azure cloud resources, control costs, and enforce security and compliance requirements for your Microsoft Azure subscriptions.


Audit

To determine if a "Not Allowed Resource Types" policy is assigned to your Azure cloud subscriptions, perform the following actions:

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to the Azure Policy blade at https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade.

03 In the navigation panel, choose Assignments to access the list with all the initiative and policy assignments available within your cloud account.

04 On the Assignments page, perform the following:

  1. Choose the Azure cloud subscription that you want to examine from the Scope field.
  2. Select Policy from the Definition type dropdown list to display only the policy assignments created for the selected subscription.

05 Click on the name of the policy assignment that you want to examine.

06 On the Edit Policy Assignment page, select the Basics tab and check the policy definition name configured for the selected assignment, listed under Policy definition. If the policy definition name is different than "Not allowed resource types", the selected policy assignment does not let you specify the resource types that your organization cannot deploy within the selected Azure subscription.

07 Repeat steps no. 5 and 6 to check other policy assignments created within the selected subscription.

08 Repeat steps no. 4 – 7 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) using custom query filters to list the IDs of the subscriptions available in your Azure account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the policy assignment list command (Windows/macOS/Linux) using the ID of the Azure cloud subscription that you want to examine as the identifier parameter and custom query filters to list the name and the policy definition ID of each Azure policy assignment available in the selected subscription:

az policy assignment list \
	--scope /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd \
	--output table \
	--query '[*].{"name": displayName,"policyDefinitionId": policyDefinitionId}'

04 The command output should return the requested policy information:

Name                                  PolicyDefinitionId
------------------------------------  ----------------------------------------
cc-audit-vm-without-dr-configuration  .../1234abcd-1234-abcd-1234-abcd1234abcd
cc-audit-vm-backups-configuration     .../abcdabcd-1234-abcd-1234-abcd1234abcd
cc-audit-cosmosdb-locations           .../abcd1234-abcd-1234-abcd-1234abcd1234

05 Run the policy definition show command (Windows/macOS/Linux) using the ID of the policy definition that you want to examine as the value for the --name identifier parameter and custom output filters to describe the name of the built-in policy definition associated with the selected policy assignment:

az policy definition show \
	--name 1234abcd-1234-abcd-1234-abcd1234abcd \
	--query 'displayName'

06 The command output should return the name of the requested policy definition:

"Audit virtual machines without disaster recovery configured"

If the name of the policy definition returned by the policy definition show command output is different than "Not allowed resource types", the selected policy assignment does not let you specify the cloud resource types that your organization cannot deploy within the selected Azure subscription.

07 Repeat steps no. 5 and 6 to check other policy assignments available in the selected cloud subscription.

08 Repeat steps no. 3 – 7 for each subscription available in your Microsoft Azure cloud account.
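The CLI audit steps above, automated as a POSIX shell script (an added example, not code from the original page, Trend Micro or Microsoft). It assumes rows produced by `az policy assignment list ... --output tsv` with the three columns shown; the function names, verdict strings and sample rows are constructed for illustration, and the script goes one step beyond the name check in steps 05 and 06 by also flagging an assignment whose `enforcementMode` is `DoNotEnforce`.

```shell
#!/bin/sh
# Added example: automates the audit steps above. Not vendor code.
# Built-in "Not allowed resource types" definition ID, as quoted on this page.
NOT_ALLOWED_DEF_ID="6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
TAB=$(printf '\t')

# Reads rows "policyDefinitionId<TAB>enforcementMode<TAB>displayName" on stdin
# and prints COMPLIANT, NOT_ENFORCED or MISSING (hypothetical verdict names).
# The body runs in a subshell so its variables do not leak into the caller.
classify_assignments() (
  verdict="MISSING"
  while IFS="$TAB" read -r def_id mode name; do
    # Compare only the trailing GUID, case-insensitively.
    guid=$(printf '%s' "${def_id##*/}" | tr '[:upper:]' '[:lower:]')
    [ "$guid" = "$NOT_ALLOWED_DEF_ID" ] || continue
    if [ "$mode" = "DoNotEnforce" ]; then
      # Assigned but not enforced: deployments are evaluated, not denied.
      if [ "$verdict" = "MISSING" ]; then verdict="NOT_ENFORCED"; fi
    else
      verdict="COMPLIANT"
    fi
  done
  printf '%s\n' "$verdict"
)

# Live audit: one verdict per subscription (requires a signed-in Azure CLI).
audit_subscriptions() {
  for sub in $(az account list --query '[*].id' --output tsv); do
    verdict=$(az policy assignment list \
      --scope "/subscriptions/$sub" \
      --query '[*].[policyDefinitionId, enforcementMode, displayName]' \
      --output tsv | classify_assignments)
    printf '%s\t%s\n' "$sub" "$verdict"
  done
}

# Constructed sample rows (placeholder IDs in the page's style, not real output).
sample_rows() {
  defs="/providers/Microsoft.Authorization/policyDefinitions"
  printf '%s\t%s\t%s\n' \
    "$defs/1234abcd-1234-abcd-1234-abcd1234abcd" "Default" "cc-audit-vm-backups-configuration" \
    "$defs/6c112d4e-5bc7-47ae-a041-ea2d9dccd749" "Default" "cc-not-allowed-resource-types"
}

if [ "${1:-}" = "--live" ]; then
  audit_subscriptions
else
  sample_rows | classify_assignments
fi
```

Run it with `--live` from a signed-in Azure CLI session to audit real subscriptions; with no argument it classifies only the constructed sample rows.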

Remediation / Resolution

To prevent certain cloud resource types from being deployed within your Azure subscription, create and configure a "Not Allowed Resource Types" policy assignment by performing the following actions:

Note: As an example, the cloud resource type that the user cannot deploy within the specified Azure subscription (i.e. policy scope) is Azure Key Vault.

Using Azure Portal

01 Sign in to the Azure Management Console.

02 Navigate to the Azure Policy blade at https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade.

03 In the navigation panel, choose Assignments to access the list with all the initiative and policy assignments available within your cloud account.

04 On the Assignments page, click on the Assign policy button to initiate the "Not Allowed Resource Types" policy assignment setup.

05 On the Assign policy page, perform the following:

  1. Select the Basics tab to configure the assignment basic settings.
  2. For Scope, choose the Azure cloud subscription that you want to use as policy assignment scope. A scope determines what resources or grouping of resources the policy assignment gets enforced on.
  3. (Optional) For Exclusions, choose the resource group or the cloud resources that can be excluded based on the selected scope. Exclusions start at one level lower than the level of the selected scope (in this case, the selected subscription). For example, at the subscription scope, you can assign a definition that prevents the creation of Azure Key Vaults. You can exclude a resource group from the selected subscription that is intended for administration only.
  4. Click on the Policy definition ellipsis to open the list of available definitions. On the Available Definitions panel, select the built-in policy definition named Not allowed resource types. This built-in policy definition enables you to specify the cloud resource types that your organization cannot deploy for security and compliance purposes.
  5. Provide a unique name for your new policy assignment in the Assignment name box.
  6. Provide a short description for the new assignment in the Description text box.
  7. Make sure that Policy enforcement is set to Enabled.
  8. Once the assignment basics are configured, select the Parameters tab to specify the required parameters for the policy assignment.
  9. Click inside the Not allowed resource types dropdown list, and choose the type of the resource that your organization cannot deploy in the selected scope (subscription). As an example, select vaults from the Microsoft.KeyVault category to ensure that Azure Key Vaults can't be created within the selected scope.
  10. Click Review + create to review and validate the assignment.
  11. Click Create to create the "Not Allowed Resource Types" policy assignment.

06 Repeat steps no. 4 and 5 for each other subscription available within your Microsoft Azure cloud account.

Using Azure CLI

01 Run the policy assignment create command (Windows/macOS/Linux) using the ID of the Not allowed resource types policy definition as the value for the --policy parameter (i.e. 6c112d4e-5bc7-47ae-a041-ea2d9dccd749), to create a "Not Allowed Resource Types" policy assignment for the selected Azure cloud subscription (scope). In the following command example, the cloud resource type that your organization cannot deploy within the specified scope, defined as the value of the -p parameter, is Azure Key Vault:

az policy assignment create \
	--display-name cc-not-allowed-resource-types \
	--policy 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 \
	-p "{ \"listOfResourceTypesNotAllowed\": { \"value\": [ \"microsoft.keyvault/vaults\" ] } }" \
	--scope /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd

02 The command output should return the new Azure policy assignment metadata:

{
  "description": null,
  "displayName": "cc-not-allowed-resource-types",
  "enforcementMode": "Default",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/abcdabcdabcdabcdabcdab",
  "identity": null,
  "location": null,
  "metadata": {
    "createdBy": "abcd1234-abcd-1234-abcd-1234abcd1234",
    "createdOn": "2020-06-19T19:30:35.0545765Z",
    "updatedBy": null,
    "updatedOn": null
  },
  "name": "abcdabcdabcdabcdabcdab",
  "notScopes": null,
  "parameters": {
    "listOfResourceTypesNotAllowed": {
      "value": [
        "microsoft.keyvault/vaults"
      ]
    }
  },
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
  "scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "sku": {
    "name": "A0",
    "tier": "Free"
  },
  "type": "Microsoft.Authorization/policyAssignments"
}

03 Repeat steps no. 1 and 2 for each other cloud subscription available in your Microsoft Azure account.

Publication date Oct 26, 2020