Do not use tags for filtering security related Azure Policies

Azure, Azure Policy 1 Minute

I spend a lot of time on Microsoft Q&A trying to help people by not just providing with answers but also educating them and pushing them to learn more. Recently I was asked to help with Azure Policy rule and I did.

Looking at the rule though got me thinking about using tags for filtering which policy to which resources to apply. Overall I am two hands up for that approach. I think it is good approach for doing management at scale and not having to deal with micro-management. At the same time such approach should be used with cautiousness. For me the stop line for this approach is security related policies where you may be try to enforce TLS 1.2 or disable public network access. The reason is that you are basically allowing people to avoid certain policy by just changing a tag or its value. There is a reason why Azure Policies are mainly subscription/management group scoped resource that you need additional permissions to control. So I highly recommend to not use tags filtering in your policy rules when the policy relates to security setting. Instead I would recommend to use Azure Policy exemptions or Azure Policy exclusions. Never the less if you decide to go that route I would also strongly recommend to do two things:

  • Create another policy with similar rule but to not include the tags filtering and be just in audit effect. That way you will have overview of which resources are not compliant due to having tag that filters them out by the other policy.
  • Regularly review the resources that are not compliant due tag exclusion. You can do that on daily or at least weekly bases. You can even use Log Analytics to alert on the Azure Policy states. You can check the blog post by my friend Tao Yang.

Published by Stanislav Zhelyazkov

Stanislav Zhelyazkov has been working in IT since 2007. Stanislav has started his IT career as a Help Desk Specialist in 2007 while studying Informatics in the University of Ruse. He also worked in HP Enterprise Services (now known as DXC), maintaining large corporate IT infrastructures for clients in Holland, Switzerland and Germany and was involved in a Private Cloud project based on MS Hyper-V and System Center. He was also in the role of Principal Consultant in Lumagate developing and consulting companies on Azure, OMS, management and Private clouds. Currently he is Cloud Infrastructure Engineer at Sentia Denmark. Stanislav is active community member at MSDN forums providing answers on Azure. His blogposts can be found at www.cloudadministrator.net or www.systemcentercentral.com.

Published

2 thoughts on “Do not use tags for filtering security related Azure Policies

  1. If you could create exemption/exclusion without resources already existing then it would not be an issue.

    Reply

    1. The exemptions indeed requires that the resource be already present but you can create an exemption on pre-created resource group and once the resource is deployed to remove it and create exemption on the resource.
      exceptions (not scopes) allows you to define the resource that will be excluded without having to exists in advance if you deploy your policies via IaC. After creation you can do the same thing by creating exemption for the resource and remove it it from excluded.

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.