Tuesday, September 7, 2021

Azure Policy to Enforce Azure Services to comply with DoD CC SRG Audit Scope IL5

Article Summary 

 

This article provides the technical controls leveraging Azure Policy (Azure Policy)  to enforce compliance with FedRAMP and the  Azure Services in FedRAMP and DoD SRG Audit Scope - Azure Government | Microsoft Docs . This solution is being provided as an additional architectural option for evaluation for organizations that must satisfy a regulatory requirement derived from a security policy that only permits IL5 workloads to be deployed on the Azure cloud platform. This process and controls within this article can be leveraged in any of Microsoft’s cloud platforms.

 

Intended Audience

 

The article is intended for IT planners, architects, and managers who are responsible for establishing and reviewing overall deployments and oversee operations practices within the Federal and Department of Defense (DoD). This industry vertical requires a higher level of compliance to satisfy their security and audit controls.  

 

Approach

 

The approach is to identify the resource providers, which are a set of application programming interfaces (API’s) corresponding to the Azure services identified in the FedRAMP and DoD SRG Audit Scope for IL5. Once all the appropriate resource providers are identified, a custom Azure Policy definition can be created denying non-compliant cloud services when being deployed towards a specified Azure subscription.

 

Azure Policy helps to enforce organizational standards and assess compliance at-scale. Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules. These business rules, described in JSON format, are known as policy definitions.  

 

To simplify management, several business rules can be grouped together to form a policy initiative, sometimes called a PolicySet. Once specific business rules have been formed, the policy definition or initiative is assigned to any scope of resources that Azure supports, such as management groups, subscriptions, or resource groups. A sample of the JSON code used in the Azure policy has been included “resources” section of the article as well as a PowerShell script which generates the mentioned JSON ARM Template. 

 

Microsoft recommends the use of Azure management groups as the most efficient method for deploying Azure Policy across the enterprise. Azure management groups provide a level of scope above subscriptions. A Federal or DoD agency can organize subscriptions into containers called "management groups" and apply governance conditions to the management groups.

 

All subscriptions within a management group automatically inherit the conditions applied to the management group. Management groups give enterprise-grade management at scale, no matter the type of subscription deployed. All subscriptions within a single management group must trust the same Azure Active Directory tenant.

 

For example, a policy can be applied to a management group that limits the regions available for virtual machine (VM) creation. Policies would be applied to all management groups, subscriptions, resource groups, and resources under that management group by only allowing VMs to be created in selected regions. This provides a flexible management structure for an agency to maintain control and compliance.

 

Please refer to the following graphic below which illustrates the management group & subscription taxonomy. Azure policy assignments would be linked to the management groups which would flow down to the subscriptions.

 

adelagarde_0-1631044606429.png

 

Details about management groups are outlined in the following Microsoft article Organize your resources with management groups - Azure Governance - Azure governance | Microsoft Docs

 

Requirements

 

The following requirements are prerequisites for the implementation of these controls.

  • An organization has provisioned an Azure subscription.
  • A mission owner technical lead with Owner privileges on the subscription will apply the specified Azure Policy.
  • If there are monthly updates and changes to the policy, the organization will have to provide an updated JSON template to apply against their subscriptions.
  • The organization will require an Azure subscription to generate the JSON template and validate. Common tools like Visual Studio Code,  Notepad ++, or any other common script editor that supports both JSON and PowerShell will be required.

 

Generation of the Azure Policy JSON Template

 

The following are step by step instructions to generate the initial JSON template that will be applied with Azure Policy to enforce the IL5 accredited services. Azure PowerShell can be installed using the following article and repository Install the Azure Az PowerShell module with PowerShellGet | Microsoft Docs. At the time of the writing of this document PowerShell 7.x and above are supported. The PowerShell code can be either executed on a secure workstation with access to the internet or through the Azure Cloud Shell console within the Azure portal.

 

IMPORTANT: The following section within the PowerShell script implements the restrictions and should be updated as services become available and compliant with the DoD CC SRG Audit Scope. If a service becomes compliant it can be removed and the JSON template can be regenerated to update the overall Azure policy definition:

 

$NonCompliantResourceTypes = @(

 

    "Microsoft.AppConfiguration/*",

    "Microsoft.DBforMariaDB/*",

    "Microsoft.LabServices/*",

    "Microsoft.Maps/*",

    "Microsoft.Network/virtualWans"

 

)

Add and remove the resource providers as necessary.

 

Step Number Instructions
1 Take the contents of the PowerShell script listed in the above section and save it to a file on your local computer. Call it New-AzureIL5Policy.ps1
2 Next, logon to an Azure subscription with an authorized user account that has subscription owner privileges.
3

Once you have logged into the Azure Portal look for the Cloud Shell icon that will be on the upper right hand of your portal. Click on the icon. The lower half of your portal page will open the Azure Cloud Shell. 

 

adelagarde_1-1631045011226.png

 

 

4

Make sure that your Cloud Shell is using PowerShell as the current script editor like the graphic has displayed. 

 

adelagarde_2-1631045072544.png

 

5 Ensure that you are logged on to the correct Azure subscription with your Cloud Shell session. To validate the Azure subscription, you can type the following command in the PowerShell screen get-azsubscription and hit enter. A list of all subscriptions will be displayed. 
6

Select the proper Azure subscription to generate the JSON template by entering the following command:

select-azsubscription -subscriptionname "place the desired subscription name here" and hit enter. The proper Azure subscription will be selected.
7

Proceed to upload the PowerShell script you created in Step 1 and called New-AzureIL5Policy.ps1 through the Azure Cloud Shell. Click on the upload download icon highlighted in red and select the PowerShell script from your computer. Choose upload.

 

adelagarde_3-1631045164217.png

 

8 Once you get notification that the script was uploaded successfully type inside the Cloud Shell “dir” to validate the file is listed within your current working directory.
9  Next type the following command to generate the JSON template: ./ New-AzureIL5Policy.ps1 and hit enter. The script will start to query the available resource providers and an output file called AllowResourceTypes.json will be generated. Type dir and enter to validate the file has been created in your working directory.
10

Click on the upload/download icon and when a prompt box appears on your screen type the name of the file and select download. Save the file to your desired location on your computer.

 

adelagarde_4-1631045417924.png

 

11 Open the file with your code editor installed on your computer to validate that the JSON template has been generated successfully. Recommendation -- use either Visual Studio Code or Notepad ++ with JSON support enabled. 
12  The contents of the file should look like the content listed below. Once you have verified the content you can proceed to apply the custom Azure policy. 

 

Custom Azure Policy Definition Implementation

 

The following step by step instruction will create the custom Azure policy with the JSON template AllowResourceTypes.json that was generated in the previous section.

 

Step Number Instructions
1 Make sure you are still logged on to the Azure MAG subscription with an authorized user account that has subscription owner.
22

At the top of the Azure Portal look for the Azure Search bar. Type Policy and hit enter. You should be redirected in the Azure portal to the policy section of your subscription::

 

adelagarde_5-1631045844029.png

 

 

3

Within the Policy Blade select Definitions. Please refer to the graphic below.

 

adelagarde_6-1631045882900.png

 

 

 

4 At the top of the page click on + Policy definition. A generic policy definition will appear in the screen.  Proceed to click on the ellipses button and in the Definition, location select the desired Azure Subscription and click the Select button.
5 Give the Azure Policy definition in the Name field a custom name like _IL5ApprovedServices. Enter in the description field a meaningful description. Suggested text “Approved services that comply with the DoD SRG Audit Scope IL5 services. Please do not modify.”
6 Next, create a new category in Category field and type in _IL5Policy
7 Next, in the policy rule delete the current JSON template definition that is within the Policy Rule box.
8 Open with Visual Studio Code or your preferred code editor the JSON template that was generated earlier called AllowResourceTypes.json.
9  Copy all the contents of that JSON template and paste into the current open policy definition in the portal. Click the Save button.
10 Once you close the policy definition you will be back in the main Azure policy blade in the Azure portal.
11

Validate that the new category _IL5Policy has been created. Within the Azure Policy definition Type search select Custom and see if you see the new category. Once you do this the custom category should appear in the list below. Click Refresh if you do not see it.

 

adelagarde_7-1631046233772.png

 

 

12 Once you have verified that the custom category _IL5Policy click + Initiative definition.
13 When the initiative definition opens. Click on the ellipse button under Initiative location. Select the Azure Subscription you would like to link the location of the initiative.  Select the desired Azure Subscription and click on the Select button.
14 Next, in the Name field give it a meaningful name. Type _IL5PolicyInitiative .
15 In the description field type the following text  “Approved services that comply with the DoD SRG Audit Scope. Please do not modify.” Under category select “Use existing and select _IL5Policy. In the version field type in 1.0.0.
16 Click Next, and then select the “Add policy definition(s) button” Search for _IL5ApprovedServices. Check the box next to the definition name and click the “Add” button.
17 Click on the Review + create button. A validation screen will appear then click on the Create button.
18 There will be a notification on the screen that the Initiative has been created. Next, click on the Assignments button and then select Assign initiative.
19  Under the Scope section click the ellipses button and choose the subscription the initiative should be assigned. Click the Select button.
20 Under the Basic section click the ellipses button. The available definitions blade will appear. In the drop down select custom and look for_IL5Initiative. Place a click on the initiative _IL5Initiative and then click the Select button.
21 Click the Next button all the way until you get to the Non-compliance message section. In the Default non-compliance message box type “Not an approved IL5 service” then click the checkbox next to the policy definition, then click Review and create.
22

A validation screen will appear click the Create button. At this point the initiative and policy will be assigned.

IMPORTANT it will take about 30 minutes for the policy engine to apply the new Azure Policy Initiative. If you want to force the initiative to take effect immediately in your Azure subscription Cloud Shell type the following command to Start-AzPolicyComplianceScan to force the Azure policy engine to initiate a scan. Wait for the command to complete. It can take up to 15 minutes to process.

 

Recommended Content

 

Microsoft recommends that the following content on Azure Government isolation guidelines for Impact Level 5 – Azure Government

Azure Government isolation guidelines for Impact Level 5 - Azure Government | Microsoft Docs.

 

We also have drafted the following article on Azure Government security which can be found in the following Microsoft article Azure Government Security - Azure Government | Microsoft Docs .

 

Resources

 

Please find the initial PowerShell script to generate the Azure JSON Policy attached to this article

 

The following is a list of all of the Azure resource providers for Azure Azure resource provider operations | Microsoft Docs

 

Authors:

 

Anthony de Lagarde, Principal Customer Engineer, FastTrack for Azure

Jason Masten, Customer Engineer, FastTrack for Azure

 

Posted at https://sl.advdat.com/3tl91XT