Governance & Compliance - Policy Enforcement

Posted Jan 1, 2021

By Sakharam Shinde 4 min read

Introduction

Policies are essential for maintaining governance and compliance in cloud environments, helping to enforce best practices and security standards.

Restrict Allowed Resource Types: Restricts the types of resources that can be deployed to ensure compliance with organizational standards.
Enforce Tagging: Requires specific tags and values on resources for better management and organization.
Restrict Deployment Locations: Limits the geographical regions where resources can be deployed to comply with data residency requirements.
Audit Deprecated Resource Usage: Monitors and reports on the usage of deprecated resource types to ensure up-to-date infrastructure.
Require Specific Resource Naming Conventions: Enforces resource naming conventions to maintain consistency and manageability.

Enforce Use of Managed Disks for VMs: Ensures all virtual machines use managed disks for better performance and reliability.
Require HTTPS for Web Applications: Ensures web applications and services only accept HTTPS traffic to secure data in transit.
Prohibit Public IPs on VMs: Ensures virtual machine instances do not have public IP addresses to reduce the attack surface.
Restrict Public Access to Serverless Functions: Ensures that serverless functions (e.g., AWS Lambda, Azure Functions, GCP Cloud Functions) are not publicly accessible.
Disable Serial Port Access on VMs: Prevents the use of serial ports for interactive access to virtual machines to enhance security.

Deploy Diagnostic Settings for VMs: Automatically deploys diagnostic settings for virtual machines to centralize logging and monitoring.
Monitor Resource Utilization: Tracks and reports on resource utilization metrics (e.g., CPU, memory, disk) to optimize performance and cost.
Enable Activity Logs for Resources: Ensures that activity logs are enabled for resources to track changes and access events.
Set Up Alert Rules for Critical Metrics: Configures alert rules for critical metrics to notify administrators of potential issues in real-time.
Ensure Log Retention Policies: Enforces retention policies for logs to ensure compliance with regulatory requirements and organizational policies.

Enforce Secure Transfer for Storage: Ensures that data transfer to storage services is secure and encrypted in transit.
Prohibit Public Read Access on Storage Buckets: Ensures that storage buckets (e.g., S3, Azure Blob, GCP Cloud Storage) do not allow public read access to protect data privacy.
Enforce Encryption on Storage Data: Ensures that all data stored in storage services is encrypted to protect data at rest.
Monitor Storage Utilization: Tracks and reports on storage utilization to manage costs and capacity effectively.
Require Versioning for Critical Data: Enforces versioning on critical data storage to protect against accidental deletions and data corruption.

Require Threat Detection on Databases: Ensures that threat detection is enabled on databases to monitor and alert on suspicious activities.
Enforce Database Encryption: Ensures that database instances are encrypted to protect sensitive data.
Require Automated Backups for Databases: Ensures that automated backups are enabled for databases to support data recovery.
Restrict Database Access to Specific Networks: Ensures that database access is limited to specific networks or IP ranges to enhance security.
Monitor Database Performance Metrics: Tracks and reports on database performance metrics to optimize and maintain performance.

Enforce VM Backup Configuration: Ensures that virtual machines have backup configurations in place to support data recovery.
Require Encrypted Snapshots: Ensures that snapshots of virtual machines are encrypted to protect data.
Monitor Backup Compliance: Tracks and reports on backup compliance to ensure all critical resources are backed up.
Enforce Retention Policies for Backups: Ensures that backups are retained according to defined policies to meet regulatory requirements.
Automate Backup Verification: Periodically verifies backups to ensure they are complete and recoverable.

Require MFA for Root Accounts: Ensures that multi-factor authentication is enabled for root accounts to enhance security.
Enforce MFA for IAM Users: Ensures that IAM users have multi-factor authentication enabled for secure access.
Enforce Specific IAM Policies: Ensures that specific IAM policies are applied to resources to control access.
Monitor IAM Policy Changes: Tracks and reports on changes to IAM policies to maintain security and compliance.
Restrict IAM Role Assignments: Limits the assignment of IAM roles to authorized users and services to control access.

Ensure Security Group Usage: Ensures that security groups are attached to resources to control network traffic.
Prohibit Open Ports: Ensures that only necessary ports are open on network resources to minimize exposure.
Enforce Network Segmentation: Ensures that network segments are used to isolate and protect sensitive resources.
Monitor Network Traffic: Tracks and reports on network traffic to detect and respond to anomalies.
Require Network Encryption: Ensures that network traffic is encrypted to protect data in transit.

Enforce OS Login for VMs: Ensures that operating system login is used for virtual machines to enhance access security.
Require Security Patches: Ensures that security patches are applied to resources to protect against vulnerabilities.
Monitor Security Compliance: Tracks and reports on security compliance to ensure adherence to policies and standards.
Restrict Access to Sensitive Resources: Limits access to sensitive resources to authorized users and services only.
Automate Security Incident Response: Implements automated responses to security incidents to mitigate risks quickly.

This post is licensed under CC BY 4.0 by the author.