Task: Enforcing resource tagging

Video: Data Security in Azure

Estimated time: 10 minutes

Goal

In this task you will create a custom policy that requires resources to have a specific tag with a limited set of valid values. You will assign this policy to a resource group and verify the policy.

Pre-requisites

1. Non-production Azure subscription

Requirements

1. Create a custom policy requiring tagging
2. Assign the policy to a resource group
3. Test the policy

Pre-requisite setup

This task does not require any pre-requisite setup.

Requirement 1: Create a custom policy requiring tagging

To begin this task you will Create a custom policy named RequireSensitivity. This policy will require that all resources governed by the policy have a Sensitivity tag with a value that matches one of the following:

• Public
• General
• Sensitive
• Highly Sensitive

To complete this requirement:

• Navigate to the Policy blade of the Azure portal
• Add a policy definition with the following settings: | Setting | Value | | -----------: | ----------------------------------- | | Location | <your subscription> | | Name | SensitivityTag | | Description | <a meaningful description> | | Category | Data security | | Policy rule: | |

{
  "mode":"All",
  "policyRule": {
    "if": {
      "allof": [
        {
          "not": {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions/resourceGroups"
          }
        },
        {
          "anyof": [
            {
              "field": "tags['Sensitivity']",
              "exists": false
            },
            {
              "not":{
                "field": "tags['Sensitivity']",
                "in":["Public","General","Confidential","Highly confidential"]
              }
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}

Requirement 2: Assign the policy to a resource group

Next you will provision a resource group named task-datasec-rg. You will then assign the SensitivityTag policy to the task-datasec-rg resource group.

Requirement 3: Test the policy

Finally, you will attempt to provision a storage account in the task-datasec-rg resource group. You will make three attempts at provisioning the storage account:

• Attempt to provision the storage account with no tags. This should fail.
• Attempt to provision the storage account with a Sensitivity tag set to unknown. This should fail.
• Attempt to provision the storage account with a Sensitivity tag set to Public. This should succeed.

Clean up

• Delete the task-datasec-rg resource group.
• Delete the SensitivityTag policy.

Solution

Having trouble completing this task? View the demonstration video to see how to do it.