====== Azure Policy ======

> Azure Policy is a service you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources so that those resources stay compliant with your corporate standards and service level agreements.

  * [[https://docs.microsoft.com/en-us/azure/governance/policy/overview]]
  * Azure Policy is a free service
  * Multiple Azure Policies can be grouped together to form a **policy initiative**
  * By default, policies apply to the scope where they are applied and all child scopes, but scopes can be excluded
  * Policies can be applied at all levels of scope supported by Azure (i.e. management group, subscription, resource group, resource), but the policies themselves are defined at either a subscription or management group level.
  * //Azure Policy// is the mechanism that powers **//Azure Security Center//** findings

===== Three Pillars =====

  * real-time enforcement and compliance assessment
  * applying policies at scale
  * remediation by leveraging a remediation policy
    * Remediation policies will bring resources into compliance; existing resources will be flagged and not remediated to avoid adverse effects to the environment.

===== Policy Examples =====

  * Ensure only VMs of a certain type are created
  * Ensure resources are not created in certain regions
  * Add tags to resources that need them for tracking purposes

===== Policy Responses =====

  * Deny the resource change
  * Log the change to the resource
  * Alter the resource before the change
  * Alter the resource after the change
  * Deploy related compliant resources

====== Policy Effects ======

  * **Append**—Adds fields to a resource during the creation/updating of the resource
  * **Audit**—Audit is used to create a warning event in the activity log when evaluating a non-compliant resource, but it doesn't stop the request.
  * **Deny**—The deny action prevents the creation/updating of a resource that does not meet specified conditions.
  * **DeployIfNotExists**—A template deployment occurs if there are no related resources or if the resources defined by ExistenceCondition don't evaluate to true.

azure/az-500/alt/azure_policy.txt Last modified: 2023/02/06 20:43 by mmuze
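The region restriction from the Policy Examples list, written as a custom policy definition whose ''effect'' parameter switches between the **Audit** and **Deny** effects described above. This is an added example, not part of the original notes and not a built-in definition; the display name, description and parameter names are constructed for illustration.

```json
{
  "properties": {
    "displayName": "Example (constructed): restrict resource locations",
    "description": "Constructed sample, not a built-in definition. Flags or blocks resources created outside the allowed regions.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "strongType": "location"
        }
      },
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny"],
        "defaultValue": "Audit",
        "metadata": {
          "displayName": "Effect"
        }
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": "[parameters('allowedLocations')]"
        }
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assigned with the default ''Audit'', a resource created outside the allowed regions is still created and is reported as non-compliant; assigning the same definition with ''Deny'' rejects the request instead.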