WEBVTT

00:00:02.840 --> 00:00:08.960
In this video, we're going to deal with resource policies and initiatives.

00:00:08.960 --> 00:00:12.260
And there are a number of topics related to this.

00:00:12.260 --> 00:00:16.620
They're not really particularly difficult, but I do find they come kind

00:00:16.620 --> 00:00:18.640
of a little sideways at a lot of people.

00:00:18.640 --> 00:00:20.700
They're not necessarily familiar with this.

00:00:20.700 --> 00:00:23.960
So I'm going to take my time, make sure that I am as clear as possible,

00:00:23.960 --> 00:00:27.820
which I'm doing all the time, but we'll make sure of that right now.

00:00:27.820 --> 00:00:29.900
All right. So we're going to cover the following topics.

00:00:29.900 --> 00:00:33.540
We're going to look at what RBAC policies are.

00:00:33.540 --> 00:00:35.740
And then we'll go through the process.

00:00:35.740 --> 00:00:39.260
We'll look at how to define a policy.

00:00:39.260 --> 00:00:41.880
Then we'll look at how to assign a policy.

00:00:41.880 --> 00:00:45.320
And then we'll look at how to create an initiative, which is really a

00:00:45.320 --> 00:00:47.480
group of policies.

00:00:47.480 --> 00:00:51.580
And finally, we'll take a look at really the relationship between policies

00:00:51.580 --> 00:00:54.440
and roles and what people think of as RBAC.

00:00:54.440 --> 00:00:57.320
And I know that can be a little bit confusing because these are referred to

00:00:57.320 --> 00:01:02.320
often as RBAC policies, but I think of the concept of policy as being

00:01:02.320 --> 00:01:07.560
a little bit separate from the concept of roles and really complementary.

00:01:07.560 --> 00:01:10.840
So let's just go ahead and let's dive into this.

00:01:10.840 --> 00:01:14.580
I want to start out by talking about what policies do.

00:01:14.580 --> 00:01:17.960
Policies have specific use cases.

00:01:17.960 --> 00:01:20.600
And the most common first use case you'll find is deny.

00:01:20.600 --> 00:01:26.740
And what that means is I can define a policy that will deny actions that

00:01:26.740 --> 00:01:28.800
meet certain criteria.

00:01:28.800 --> 00:01:30.380
Right, which almost sounds a little bit backwards.

00:01:30.380 --> 00:01:34.860
But let's say, for example, that you are provisioning storage accounts.

00:01:34.860 --> 00:01:41.920
And I want to ensure that you only provision storage accounts that require

00:01:41.920 --> 00:01:44.100
or enforce HTTPS.

00:01:44.100 --> 00:01:50.220
I could create a policy that would deny the ability to provision a storage

00:01:50.220 --> 00:01:55.100
account if that storage account does not have the appropriate settings,

00:01:55.100 --> 00:01:58.700
in the case of the example, enforcing HTTPS security.

00:01:58.700 --> 00:02:02.280
There are other things that you can do as well.

00:02:02.280 --> 00:02:06.680
You can set up policies to monitor.

00:02:06.680 --> 00:02:11.560
And monitor and audit are very similar. Monitor is just really looking at

00:02:11.560 --> 00:02:16.340
what the value is. Audit is setting thresholds or conditions that are going

00:02:16.340 --> 00:02:20.260
to give you some kind of notification if they do not pass.

00:02:20.260 --> 00:02:22.160
And then we also have the ability,

00:02:22.160 --> 00:02:24.960
this was actually pretty cool, to correct.

00:02:24.960 --> 00:02:29.200
So let's say, for example, take the first example rather than a deny.

00:02:29.200 --> 00:02:35.160
Maybe I set a correct policy so that if you are creating storage accounts

00:02:35.160 --> 00:02:41.540
that don't have HTTPS enforced, I could create a policy that would correct

00:02:41.540 --> 00:02:44.280
that. That would be run periodically and it would update that.

00:02:44.280 --> 00:02:46.380
There's a lot of complexity to the correct.

00:02:46.380 --> 00:02:50.340
Other than the fact that it exists, I'm not going to go into that in this

00:02:50.340 --> 00:02:55.020
course. I'm really going to stick pretty much to deny as the example.

00:02:55.020 --> 00:03:01.220
Now, components. What are the parts of a policy?

00:03:01.220 --> 00:03:03.320
The parts of the policy are pretty simple.

00:03:03.320 --> 00:03:06.320
And we'll take a look at these in some detail in just a moment.

00:03:06.320 --> 00:03:08.540
But we've got the filter.

00:03:08.540 --> 00:03:13.120
And the filter is going to define what conditions this policy applies

00:03:13.120 --> 00:03:17.700
to. And you typically think of policies as being in the negative.

00:03:17.700 --> 00:03:22.940
And so what set of conditions would negatively trigger this?

00:03:22.940 --> 00:03:26.420
So in other words, I'm looking to take that earlier example.

00:03:26.420 --> 00:03:31.600
I'm looking for the storage accounts that don't have HTTPS enforced,

00:03:31.600 --> 00:03:33.180
just as an example.

00:03:33.180 --> 00:03:34.820
Then there's the action.

00:03:34.820 --> 00:03:38.360
And the action simply really kind of goes up there.

00:03:38.360 --> 00:03:41.060
What do I want to do with this particular policy?

00:03:41.060 --> 00:03:42.220
Is this going to be a deny?

00:03:42.220 --> 00:03:43.820
Is it just going to be an audit?

00:03:43.820 --> 00:03:46.200
Possibly, as I said, even a correct.

00:03:46.200 --> 00:03:47.580
And then finally, parameters.

00:03:47.580 --> 00:03:50.580
Now parameters are really interesting because what they allow you to do

00:03:50.580 --> 00:03:58.140
is they allow you to define very flexible, very general policies, which

00:03:58.140 --> 00:04:02.500
then, when they are applied, can be made more specific.

00:04:02.500 --> 00:04:07.960
These are used frequently with built-in policies as opposed to the ones

00:04:07.960 --> 00:04:09.420
that you might create.

00:04:09.420 --> 00:04:12.900
Typically I find when I create my own policies, I don't usually use a

00:04:12.900 --> 00:04:17.080
lot of parameters, only because I'm defining a very specific policy.

00:04:17.080 --> 00:04:21.400
But there are limits to the number of policies that you can provision.

00:04:21.400 --> 00:04:28.060
So you might want to, if you have the need to create a more generic policy

00:04:28.060 --> 00:04:31.240
that can then be applied specifically, you might want to do that.

00:04:31.240 --> 00:04:35.100
Let's say, for example, you have a cost center policy.

00:04:35.100 --> 00:04:38.080
You want to make sure that cost center is always applied to your resources.

00:04:38.080 --> 00:04:42.500
In fact, you want to automatically apply the appropriate cost center.

00:04:42.500 --> 00:04:46.020
Well, the cost center may change, let's say, by resource group.

00:04:46.020 --> 00:04:51.700
So I could create a generic cost center policy that has a parameter for

00:04:51.700 --> 00:04:53.200
the actual cost center value.

00:04:53.200 --> 00:04:57.140
And then every time I apply that policy to, let's say, a resource group,

00:04:57.140 --> 00:05:02.140
I would then specify at the time it's assigned what that value for that

00:05:02.140 --> 00:05:04.900
parameter is. So that's how they apply.

00:05:04.900 --> 00:05:08.120
Now what about the policies themselves?

00:05:08.120 --> 00:05:11.000
And that's where we go into defining policies.

00:05:11.000 --> 00:05:16.260
And what you'll find with policies, as with many things, most things now

00:05:16.260 --> 00:05:20.960
in Azure, is that they're defined using JSON, JavaScript Object Notation.

00:05:20.960 --> 00:05:28.540
Not a particularly complex standard; it's a data standard.

00:05:28.540 --> 00:05:35.340
I will tell you that the logic within policies can get a little bit complex.

00:05:35.340 --> 00:05:38.920
But the policy itself is pretty simple.

00:05:38.920 --> 00:05:41.900
You've got really a few things.

00:05:41.900 --> 00:05:51.700
I've got my display name for the policy.

00:05:51.700 --> 00:05:57.140
I've got the type of policy, and I've got built-in.

00:05:57.140 --> 00:06:03.420
The mode can be all or, I'm sorry, policy type is built-in; mode.

00:06:03.420 --> 00:06:06.700
I put up there separate, so they're on the same line, so I could fix it.

00:06:06.700 --> 00:06:11.060
Mode is a separate attribute, a separate property.

00:06:11.060 --> 00:06:15.860
Indexed are specific attributes that are pre-indexed.

00:06:15.860 --> 00:06:18.240
Description, that's pretty straightforward.

00:06:18.240 --> 00:06:20.460
Metadata is just more information.

00:06:20.460 --> 00:06:22.820
In this case, I've got a parameter.

00:06:22.820 --> 00:06:27.220
This is one of the built-in, as you can see, the policy type built-in,

00:06:27.220 --> 00:06:30.240
and list of allowed SKUs.

00:06:30.240 --> 00:06:36.460
And what this does is it ties the SKUs you're putting in, and then if

00:06:36.460 --> 00:06:41.480
it's not all of those, then the effect is to deny.

00:06:41.480 --> 00:06:47.940
This would be used when you want to say that only certain virtual machine

00:06:47.940 --> 00:06:51.720
sizes are available in a particular resource group, for example.

00:06:51.720 --> 00:06:55.060
And I actually use a variation of this quite frequently.

00:06:55.060 --> 00:06:59.580
And so that's the definition of a policy, but then the assignment of a

00:06:59.580 --> 00:07:03.180
policy, there are a few different ways that you can assign a policy.

00:07:03.180 --> 00:07:10.540
One is you can assign a policy using, of course, PowerShell or the CLI,

00:07:10.540 --> 00:07:13.080
pretty straightforward, New-AzPolicyAssignment.

00:07:13.080 --> 00:07:18.060
Now, the scope has to be the ID of what you're assigning the policy to.

00:07:18.060 --> 00:07:24.040
Typically, again, either a resource group or a subscription, although it

00:07:24.040 --> 00:07:28.300
may go a level above a subscription; you can actually assign it to a management

00:07:28.300 --> 00:07:33.400
group as well. The name or display name, pretty straightforward; description,

00:07:33.400 --> 00:07:34.480
pretty straightforward.

00:07:34.480 --> 00:07:36.900
What matters is policy definitions.

00:07:36.900 --> 00:07:40.480
So the two things that matter when you are assigning a policy are the scope

00:07:40.480 --> 00:07:42.740
and the definition.

00:07:42.740 --> 00:07:50.040
Now a policy can also be assigned through the portal.

00:07:50.040 --> 00:07:53.480
That's what we have here, pretty straightforward.

00:07:53.480 --> 00:07:58.060
And this is actually looking at not only where I can go to assign policies,

00:07:58.060 --> 00:08:00.320
but also view policies.

00:08:00.320 --> 00:08:04.100
So in this particular screen, in the resource group that I'm associated

00:08:04.100 --> 00:08:08.700
with. So this is the resource group that this particular one is associated

00:08:08.700 --> 00:08:11.500
with. I've got two policies.

00:08:11.500 --> 00:08:14.360
One of the policies is non-compliant.

00:08:14.360 --> 00:08:15.020
That's a problem.

00:08:15.020 --> 00:08:16.480
The other one is compliant.

00:08:16.480 --> 00:08:20.540
Now the non-compliant, you'll see a lot of these policies.

00:08:20.540 --> 00:08:24.180
And that is actually Azure Security Center.

00:08:24.180 --> 00:08:30.240
And so it's actually looking at all of the rules associated with the Security

00:08:30.240 --> 00:08:31.920
Center, all the best practices.

00:08:31.920 --> 00:08:35.060
And there are a few of the resources in there that are non-compliant.

00:08:35.060 --> 00:08:39.360
In fact, I can see that two out of 89.

00:08:39.360 --> 00:08:43.240
Now that's also pretty interesting because notice non-compliant policies,

00:08:43.240 --> 00:08:45.280
this says I have 89 policies.

00:08:45.280 --> 00:08:48.260
But if I look over here, this looks like two policies.

00:08:48.260 --> 00:08:49.820
So what's going on there?

00:08:49.820 --> 00:08:52.800
Well, what's going on there is the next topic.

00:08:52.800 --> 00:08:55.340
And that is initiatives.

00:08:55.340 --> 00:09:00.420
Rather than having a lot of individual policies that you need to assign,

00:09:00.420 --> 00:09:04.260
if you have a number of policies that are related, you can tie those together

00:09:04.260 --> 00:09:06.420
in what's called an initiative.

00:09:06.420 --> 00:09:09.720
And in fact, Azure Security Center, that's how that works.

00:09:09.720 --> 00:09:12.920
There are a number of policies that Security Center uses.

00:09:12.920 --> 00:09:16.420
And rather than assigning each of those policies individually, there are

00:09:16.420 --> 00:09:20.620
initiatives that tie those together.

00:09:20.620 --> 00:09:24.100
And so that's, really simply put, what an initiative is.

00:09:24.100 --> 00:09:29.180
It is simply a grouping of policies that are applied as a unit.

00:09:29.180 --> 00:09:31.100
So they're all applied together.

00:09:31.100 --> 00:09:35.360
Now what is important about this, in addition to the fact that it can simplify

00:09:35.360 --> 00:09:40.940
things for you, particularly if you have a complex application of policies,

00:09:40.940 --> 00:09:44.840
is that the policy itself has parameters.

00:09:44.840 --> 00:09:48.360
Every, excuse me, the initiative has parameters.

00:09:48.360 --> 00:09:52.640
Every policy that you add to an initiative can have its own parameters.

00:09:52.640 --> 00:09:56.140
And you need to define how they're going to be set.

00:09:56.140 --> 00:09:58.040
And those can be set two ways.

00:09:58.040 --> 00:10:02.420
They can be set for the policy as part of the initiative, so within the

00:10:02.420 --> 00:10:07.100
initiative itself, or they can surface when the initiative is assigned to

00:10:07.100 --> 00:10:10.400
act just like an individual policy parameter would.

00:10:10.400 --> 00:10:15.020
And as I mentioned, the initiatives are used by Azure; they're used by

00:10:15.020 --> 00:10:16.800
Security Center.

00:10:16.800 --> 00:10:20.940
One more topic here, and then we really have all the concepts related to

00:10:20.940 --> 00:10:21.860
policies and initiatives.

00:10:21.860 --> 00:10:28.700
And that is, what is that relationship between policy and role?

00:10:28.700 --> 00:10:32.440
And the way it works is that if you think about RBAC, if you think about

00:10:32.440 --> 00:10:35.820
roles, roles really focus on permissions.

00:10:35.820 --> 00:10:41.800
What can a particular principal do?

00:10:41.800 --> 00:10:47.040
And it's tied to permissions; it's tied in that way to users or to principals.

00:10:47.040 --> 00:10:52.420
Policy focuses on resource properties.

00:10:52.420 --> 00:10:58.020
And RBAC defaults to deny; policy defaults to allow.

00:10:58.020 --> 00:11:00.820
And you want to use those together.

00:11:00.820 --> 00:11:03.740
And an example, and to me, I kind of wanted to get down to the example

00:11:03.740 --> 00:11:07.920
because I think it really ties this concept of policy and RBAC together.

00:11:07.920 --> 00:11:12.620
Let's say that you've got a role, VM Contributor.

00:11:12.620 --> 00:11:17.940
I could grant you Contributor role on a particular resource group, VM

00:11:17.940 --> 00:11:19.720
Contributor specifically.

00:11:19.720 --> 00:11:23.400
And what that will allow you to do is provision virtual machines, and

00:11:23.400 --> 00:11:27.560
it will allow you to provision the resources required for virtual machines,

00:11:27.560 --> 00:11:30.000
in addition to the virtual machine itself.

00:11:30.000 --> 00:11:34.440
However, what that will allow you to do, and what I have no control over,

00:11:34.440 --> 00:11:40.200
from the standpoint of the role, is that it will allow you to create any

00:11:40.200 --> 00:11:42.180
size virtual machine.

00:11:42.180 --> 00:11:47.140
And if you take a look at the cost of, say, an A1 size virtual machine,

00:11:47.140 --> 00:11:51.460
versus the cost of an H32 size virtual machine, you'll notice that there

00:11:51.460 --> 00:11:53.860
is a significant cost difference there.

00:11:53.860 --> 00:11:57.340
And so what I might want to do is allow you to provision virtual machines,

00:11:57.340 --> 00:12:03.380
but also be able to control the size or the SKU of the virtual machines.

00:12:03.380 --> 00:12:09.000
And that's where I can use a role and I can use a policy together.

00:12:09.000 --> 00:12:13.320
Now I assign the policy to a resource group, and that means anybody in

00:12:13.320 --> 00:12:17.100
that resource group is going to be subject to that policy.

00:12:17.100 --> 00:12:22.400
And that's also, by the way, where the role of owner comes into play,

00:12:22.400 --> 00:12:24.160
so there are multiple layers here.

00:12:24.160 --> 00:12:28.580
If I'm an owner, I can control policies at the object level, right?

00:12:28.580 --> 00:12:31.940
So if I own a resource group, and there's a policy I don't want the resource

00:12:31.940 --> 00:12:35.520
group to adhere to, I can just make that go away.

00:12:35.520 --> 00:12:38.680
And that's one of the reasons, kind of all of this being circular, is

00:12:38.680 --> 00:12:42.260
that you may, for example, want to define your own custom roles, because

00:12:42.260 --> 00:12:46.140
maybe I want just a little bit less than an owner role, one that does almost

00:12:46.140 --> 00:12:51.500
everything but can't disable policy, for example, or assign policy.

00:12:51.500 --> 00:12:55.340
And so these are the things that you want to think about as you blend

00:12:55.340 --> 00:12:58.020
the concept of roles and policies together.

00:12:58.020 --> 00:13:02.600
I will say that I think policies are a little bit more complex to work

00:13:02.600 --> 00:13:06.660
with than roles, simply because there's more that you can do with them.