azure:azure_policy

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
azure:azure_policy [2024/08/26 19:08] mmuzeazure:azure_policy [2024/10/04 14:13] (current) – [Effect Order Of Evaulation] mmuze
Line 2: Line 2:
   * [[https://learn.microsoft.com/en-us/azure/governance/policy/overview|Azure Policy]]   * [[https://learn.microsoft.com/en-us/azure/governance/policy/overview|Azure Policy]]
     * Azure Policy helps to enforce organizational standards and to assess compliance at-scale.     * Azure Policy helps to enforce organizational standards and to assess compliance at-scale.
-  * Policies can be grouped together into //Initiatives// or //policySet//.+  * Policies can be grouped together into //Initiatives// (aka //policySets//).
   * Azure Policy Guest Configuration agent is the service that runs on a VM to audit and remediate configuration issues   * Azure Policy Guest Configuration agent is the service that runs on a VM to audit and remediate configuration issues
  
Line 11: Line 11:
   * Require virtual machines to be configured with encryption at rest for disk storage   * Require virtual machines to be configured with encryption at rest for disk storage
  
 +===== Policy Evaluation =====
 +Times or events when policies are evaluated:
 +  * A resource is created or updated in a scope with a policy assignment.
 +  * A policy or initiative is newly assigned to a scope.
 +  * A policy or initiative already assigned to a scope is updated.
 +  * During the standard compliance evaluation cycle, which occurs once every 24 hours.
 +
 +==== Evaluation Response ====
 +Options for responding to compliance issues:
 +  * Deny the resource change
 +  * Log the change to the resource
 +  * Alter the resource before the change
 +  * Alter the resource after the change
 +  * Deploy related compliant resources
 +  * Block actions on resources
 +
 +==== Effect Order Of Evaulation ====
 +There is an order of precedence for the possible policy //effects//.
 +  * [[https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-basics#order-of-evaluation]]
 +
 +  * disable
 +  * append and modify
 +  * deny
 +    * The Deny effect prevents a resource from being created or modified (including deleted) if it violates a policy rule. 
 +  * audit
 +  * manual
 +  * auditIfNotExists
 +  * denyAction
 +    * It prevents the deletion of resources that match a specified condition, such as a specific resource type or tag value.
 +
 +<callout type="info">
 +//Deny// effect applies to all actions (create, update, delete), while //DenyAction// effect only applies to deletion actions.
 +  * Use Deny effect when you want to block all unauthorized actions (create, update, delete) on a resource that does not support tags and locations.
 +  * Use DenyAction effect when you want to specifically prevent the deletion of resources that support tags and locations, such as virtual networks or storage accounts.
 +</callout>
  • azure/azure_policy.1724699323.txt.gz
  • Last modified: 2024/08/26 19:08
  • by mmuze