How to monitor your custom Azure Policy definitions with Azure Security Center recommendations

Azure Policy allows you to enforce organizational standards and to assess a required compliance state. For example, you can specify that resources in a particular subscription should be restricted to the European Union for deployment only. There are built-in policy definitions for common use cases already included, like implementing governance for resource consistency, regulatory compliance, security, cost, and management. The Azure Policy compliance dashboard provides an aggregated view to evaluate the overall state of the environment. More information about Azure Policy can be found here.

Image: Azure Policy Dashboard

Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your Azure, hybrid, and other cloud environments. It covers two broad pillars of cloud security:

  • Cloud security posture management (CSPM): this is also called the free version of Azure Security Center. It includes CSPM features like secure score, detection of misconfigurations in your Azure virtual machines, asset inventory, etc.
  • Cloud workload protection (CWP): the integrated workload protection, also called Azure Defender, brings advanced, intelligent protection of your Azure and hybrid resources and workloads. In addition to the built-in policies, once you have enabled any Azure Defender plan, you can add custom policies and initiatives. Furthermore, regulatory standards are included – such as NIST and Azure CIS – as well as the Azure Security Benchmark, for a truly customized view of your compliance. More information about Azure Security Center can be found here.

Image: Azure Security Center Dashboard

Create an Azure Policy definition

In the first step, we create an Azure Policy definition. You may already have existing definitions that you would like to surface in the Azure Security Center recommendations pane, which is of course possible as well. In this example, the definition only restricts the Azure location in which resources may be created.

Note: you must be granted at least Resource Policy Contributor permissions.

Image: Azure Policy Definition Allowed Locations

We regulate – only for the subscription “Visual Studio Enterprise Subscription” – that the allowed locations parameter has europe, northeurope, and westeurope in place.

Create an Azure Policy initiative

An Azure Policy initiative is a collection of Azure Policy definitions, or rules, that are grouped together towards a specific goal or purpose. Azure Security Center initiatives are also created in Azure Policy. You can use either the Azure Policy pane (as we do in this blog post), or you can also create the custom initiative in Azure Security Center directly; the result remains the same.

Note: you must be granted Owner permissions on every subscription to which you want to assign your custom initiative.

Image: Azure Policy Initiative Assignment

Review the recommendations in Azure Security Center

After your Azure Policy definition and Azure Policy initiative have been created and assigned, they first appear under Regulatory compliance in Azure Security Center, as shown in the following screenshot. (First, because it can take an hour or more until the custom initiative is also visible under Recommendations.)

Image: Azure Security Center Regulatory Compliance

Note: Access to the regulatory compliance portal is only available if you have an Azure Defender plan in place (any plan, e.g. Azure Defender for Servers).

And here is the view from the Azure Security Center recommendations:

Image: Azure Security Center Recommendations

Enhance your custom recommendations with detailed information

To get a more granular description and a severity level, you can add both types of information to your custom recommendations via the REST API. The following two types are available:

  • RemediationDescription – String
  • Severity – Enum [Low, Medium, High]

The metadata is added to the policy definition of each policy that is part of the custom initiative. You can edit these values in the policy definition:

Image: Edit Azure Policy Definition

To add the RemediationDescription string and the Severity parameter, add the following JSON inside the properties object (between line 2 and line 10 in the screenshot above):

"metadata": {
    "securityCenter": {
        "RemediationDescription": "Your custom description",
        "Severity": "severity value (High, Medium, Low)"
    }
},
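As an added example (not code from the post), the following Python builds the allowed-locations definition from the first step as a Python dict, injects the securityCenter metadata block shown above while validating the Severity enum, and approximates locally which resources the rule would flag. The parameter name listOfAllowedLocations, the remediation text and the sample resources are constructed assumptions.

```python
import copy

# Constructed example of the post's "Allowed locations" definition in Azure Policy's
# definition format; the parameter name listOfAllowedLocations is an assumption.
ALLOWED_LOCATIONS_DEFINITION = {
    "displayName": "Allowed locations (custom)",
    "mode": "Indexed",
    "parameters": {
        "listOfAllowedLocations": {"type": "Array",
                                   "metadata": {"displayName": "Allowed locations"}}
    },
    "policyRule": {
        "if": {"not": {"field": "location",
                       "in": "[parameters('listOfAllowedLocations')]"}},
        "then": {"effect": "deny"},
    },
}

SEVERITIES = ("Low", "Medium", "High")  # the enum the post lists


def add_security_center_metadata(definition, remediation, severity):
    """Return a copy of the definition carrying the securityCenter metadata
    block from the post; existing metadata keys are preserved."""
    if severity not in SEVERITIES:
        raise ValueError(f"Severity must be one of {SEVERITIES}, got {severity!r}")
    result = copy.deepcopy(definition)
    result.setdefault("metadata", {})["securityCenter"] = {
        "RemediationDescription": remediation,
        "Severity": severity,
    }
    return result


def non_compliant_resources(definition, allowed, resources):
    """Local approximation of 'not (location in allowed)': names of resources the
    policy would flag. Assumption: only this rule shape; Azure does the real evaluation."""
    cond = definition["policyRule"]["if"]["not"]
    if cond.get("field") != "location":
        raise ValueError("unsupported rule shape")
    allowed_lc = {loc.lower() for loc in allowed}
    return [r["name"] for r in resources if r["location"].lower() not in allowed_lc]


if __name__ == "__main__":
    enriched = add_security_center_metadata(
        ALLOWED_LOCATIONS_DEFINITION, "Redeploy into an approved EU region.", "High")
    print(enriched["metadata"]["securityCenter"])
    sample = [{"name": "vm-web-01", "location": "westeurope"},   # constructed
              {"name": "st-logs-01", "location": "eastus"}]
    print(non_compliant_resources(enriched, ["northeurope", "westeurope"], sample))
```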

Many more PowerShell, Azure CLI, and REST API scripts and automation tasks for Azure Security Center can be found on GitHub. For example, this repository includes:

  • Programmatic remediation tools for security recommendations
  • PowerShell scripts for programmatic management
  • Azure Policy custom definitions for at-scale management of Azure Security Center
  • And many more!

Summary

In this post, we showed how custom Azure policies can be added to Azure Security Center to generate recommendations. With many subscriptions and resources, especially with agile teams within the organization, this approach provides notifications as well as remediation guidance based on the definition in the Azure policy and the custom initiative in Azure Security Center.
