Writing Azure Policies for Compliance


Azure policy definitions (or Azure policies) in Kion can be used in different ways. Our Azure Policies Guide covers the creation and use of policies to enforce rules for your Azure resources, but Azure policies can also be used to check for compliance.

Used in this way, the Azure policy serves as an alternative to Kion's built-in compliance engine (Cloud Custodian). It lets you write customizable compliance checks for Azure resources in Azure's own policy language. You can also reuse JSON you may already have in your Azure portal for auditing, and you can easily import Azure's built-in policies. Once you start tracking compliance with Kion, you'll get clear visibility into each finding's details, including the region, resource group, policy information, and more. You can also view your Azure policy compliance findings alongside your Cloud Custodian findings in the Compliance Overview, so you can easily review compliance across policy types and cloud providers.

Please note: if you are building new policies from scratch, Cloud Custodian supports both AWS and Azure, so this may be a better option for your team. Cloud Custodian policies work with multiple cloud providers and include support for automatic remediation, which Azure policies do not. We also offer comprehensive info on Writing Cloud Custodian Compliance Policies should you choose to use them.

How To Use Azure Policies For Compliance

You'll need to add any Azure policy definitions to Kion to start using them. Here are the steps to use an Azure policy for compliance:

  1. Add an Azure policy definition to Kion. You can learn how to do that in our Azure Policies Guide. See the "How To Write Azure Policy JSON" section below for more guidance on writing the JSON for Azure compliance policies. There's no need to add the policy in the Azure portal; the policies you add to Kion will sync with the portal automatically. You can also import Azure's built-in policies (Built-In Azure Policy Definitions) or import Kion-managed resources (Kion Managed Resources) that contain Azure policy checks.
    • If you import Kion-managed resources with Azure policy checks, you can skip step 2 below and proceed to step 3.
  2. Add the Azure policy to the compliance check. See the Add a Compliance Check article for info on how to do this.
  3. Use the compliance check to scan your project. To do this, you'll add the compliance check to a compliance standard (Add a Compliance Standard) and add the compliance standard to a cloud rule (Add a Cloud Rule).
  4. Attach the cloud rule to a project. This multi-step process allows you to build a scalable framework you can customize and build upon in the future. For more information, see Managing Cloud Rules.
  5. Wait 3 to 10 minutes for the policy to sync with Azure. Azure will check the compliance state for the project where the cloud rule was attached. Kion will then continuously sync with Azure to check the compliance at the frequency you set when you added the compliance check. Findings will show in the Kion Compliance Overview.

How To Write Azure Policy JSON

Microsoft provides sample Azure policies, but you can use the policy below, which audits the creation of services that are not on a HIPAA-eligible list, as a guideline for writing your own Azure compliance policies. You can adapt the example to meet your needs by changing the policy parameters and the rules/conditions. Each "field" property must be one of the policy fields Microsoft supports.

{
    "displayName": "HIPAA Compliant Services",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy audits resource creation requests from non-compliant HIPAA services",
    "policyRule": {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "notLike": "Microsoft.AAD/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.AzureActiveDirectory/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.ApiManagement/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.Automation/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.Batch/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.DocumentDB/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.EventHub/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.ClassicNetwork/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.ClassicStorage/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.HDInsight/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.KeyVault/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.Network/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.MachineLearning/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.MachineLearningServices/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.Management/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.Media/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.NotificationHubs/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.OperationalInsights/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.Cache/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.Scheduler/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.ServiceBus/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.RecoveryServices/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.Sql/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.Storage/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.StorSimple/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.StreamAnalytics/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.ClassicCompute/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.Compute/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.Support/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.Authorization/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.Web/*"
                },
                {
                    "field": "type",
                    "notLike": "Microsoft.Insights/*"
                }
            ]
        },
        "then": {
            "effect": "audit"
        }
    }
}
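To make the rule logic above concrete, here is an added example (not Kion's or Microsoft's code) that parses a trimmed-down copy of the HIPAA policy and evaluates its "if" block against a few constructed resource records. It implements only the subset of the Azure Policy language the example uses (field, allOf, anyOf, not, equals, notEquals, like, notLike), and it assumes, as a simplification of the real engine, that "*" is a single wildcard and that string comparisons are case-insensitive. Everything flagged gets the "audit" effect: Azure reports it as a non-compliant resource, it does not block the deployment.

```python
"""Toy evaluator for the subset of the Azure Policy rule language used by the
HIPAA example: field / allOf / anyOf / not / equals / notEquals / like / notLike.
Added example, not Kion's or Microsoft's code. Assumptions: '*' is a single
wildcard and string comparisons are case-insensitive."""
import json

# Constructed: a shortened copy of the HIPAA policy above. The real policy
# lists about thirty allowed namespaces; three are enough to show the logic.
POLICY_JSON = """
{
    "displayName": "HIPAA Compliant Services",
    "policyType": "Custom",
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "notLike": "Microsoft.Storage/*"},
                {"field": "type", "notLike": "Microsoft.KeyVault/*"},
                {"field": "type", "notLike": "Microsoft.Sql/*"}
            ]
        },
        "then": {"effect": "audit"}
    }
}
"""

# Constructed sample resources shaped like the fields Azure Policy exposes.
SAMPLE_RESOURCES = [
    {"name": "hipaastorage01", "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
    {"name": "kv-prod", "type": "microsoft.keyvault/vaults", "location": "eastus"},
    {"name": "ml-workspace", "type": "Microsoft.MachineLearningServices/workspaces", "location": "westus2"},
    {"name": "iot-hub-01", "type": "Microsoft.Devices/IotHubs", "location": "westus2"},
]


def _like(value, pattern):
    """Match a value against a pattern containing at most one '*' wildcard.
    Case-insensitive by assumption (the real engine is also case-insensitive
    for string operators, but this is a simplification, not a reference)."""
    v, p = value.lower(), pattern.lower()
    if "*" not in p:
        return v == p
    head, _, tail = p.partition("*")
    return v.startswith(head) and v.endswith(tail) and len(v) >= len(head) + len(tail)


def evaluate_condition(cond, resource):
    """Recursively evaluate one condition object against a resource record."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    # Leaf condition: one field compared with exactly one operator.
    # A missing field is treated as the empty string (simplification).
    value = str(resource.get(cond["field"], ""))
    if "equals" in cond:
        return value.lower() == str(cond["equals"]).lower()
    if "notEquals" in cond:
        return value.lower() != str(cond["notEquals"]).lower()
    if "like" in cond:
        return _like(value, cond["like"])
    if "notLike" in cond:
        return not _like(value, cond["notLike"])
    raise ValueError(f"unsupported condition: {cond}")


def scan(policy_json, resources):
    """Return (name, type, effect) for every resource the policy's 'if' block
    matches. With the 'audit' effect a match is a compliance finding."""
    policy = json.loads(policy_json)
    rule = policy["policyRule"]
    effect = rule["then"]["effect"]
    return [(r["name"], r["type"], effect)
            for r in resources if evaluate_condition(rule["if"], r)]


def compliant_names(policy_json, resources):
    """Names of resources the policy does not flag."""
    flagged = {name for name, _, _ in scan(policy_json, resources)}
    return [r["name"] for r in resources if r["name"] not in flagged]


if __name__ == "__main__":
    for name, rtype, effect in scan(POLICY_JSON, SAMPLE_RESOURCES):
        print(f"{effect}: {name} ({rtype}) is not on the allowed-service list")
```

Two things the run makes visible. First, the rule is an allow-list built from "notLike" conditions joined by "allOf": a resource is flagged only when its type matches none of the listed namespaces, so "kv-prod" passes even though its type is lower-cased, while "iot-hub-01" is flagged because Microsoft.Devices is not on the list. Second, that is exactly how an allow-list should behave from a compliance standpoint: any service you have not explicitly reviewed and added shows up as a finding, so keep the namespace list current as your approved services change.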
