Governance & Compliance - Policy Enforcement
Introduction
- Policies are essential for maintaining governance and compliance in cloud environments, helping to enforce best practices and security standards.
General
Restrict Allowed Resource Types
: Restricts the types of resources that can be deployed to ensure compliance with organizational standards.
Enforce Tagging
: Requires specific tags and values on resources for better management and organization.
Restrict Deployment Locations
: Limits the geographical regions where resources can be deployed to comply with data residency requirements.
Audit Deprecated Resource Usage
: Monitors and reports on the usage of deprecated resource types to ensure up-to-date infrastructure.
Require Specific Resource Naming Conventions
: Enforces resource naming conventions to maintain consistency and manageability.
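The five General policies above, as an added example that is not part of the original post: a small evaluator that applies them to a constructed resource inventory and distinguishes a deny effect (blocks deployment) from an audit effect (reports only). The allowed types, tags, regions and naming pattern are assumptions for illustration, not values from any real tenant.

```python
import re

# Policy parameters (constructed for this example, not taken from a real environment)
ALLOWED_TYPES = {"vm", "storage_account", "managed_disk"}
DEPRECATED_TYPES = {"classic_vm"}  # audited and reported, not denied
REQUIRED_TAGS = {"owner", "environment"}
ALLOWED_LOCATIONS = {"eu-west-1", "eu-central-1"}
NAME_PATTERN = re.compile(r"^(dev|prod)-[a-z0-9-]{3,40}$")


def evaluate(resource):
    """Return a list of (effect, reason) findings for one resource.

    'deny' findings block the deployment; 'audit' findings are only reported.
    """
    findings = []
    rtype = resource.get("type", "")
    if rtype in DEPRECATED_TYPES:
        # Audit Deprecated Resource Usage: report but allow, so existing
        # workloads keep deploying while the deprecated type is tracked.
        findings.append(("audit", f"deprecated resource type {rtype}"))
    elif rtype not in ALLOWED_TYPES:
        # Restrict Allowed Resource Types
        findings.append(("deny", f"resource type {rtype!r} not allowed"))
    missing = sorted(REQUIRED_TAGS - set(resource.get("tags", {})))
    if missing:
        # Enforce Tagging
        findings.append(("deny", "missing required tags: " + ", ".join(missing)))
    if resource.get("location") not in ALLOWED_LOCATIONS:
        # Restrict Deployment Locations
        findings.append(("deny", f"location {resource.get('location')!r} not allowed"))
    if not NAME_PATTERN.match(resource.get("name", "")):
        # Require Specific Resource Naming Conventions
        findings.append(("deny", f"name {resource.get('name')!r} violates naming convention"))
    return findings


def is_deployable(resource):
    """True when no policy produces a deny effect for the resource."""
    return not any(effect == "deny" for effect, _ in evaluate(resource))


# Constructed sample inventory: one compliant resource, one with several violations
INVENTORY = [
    {"name": "prod-web-01", "type": "vm", "location": "eu-west-1",
     "tags": {"owner": "web-team", "environment": "prod"}},
    {"name": "Legacy_DB", "type": "classic_vm", "location": "us-east-1",
     "tags": {"owner": "dba"}},
]

if __name__ == "__main__":
    for res in INVENTORY:
        print(res["name"], "deployable" if is_deployable(res) else "blocked", evaluate(res))
```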
Compute
Enforce Use of Managed Disks for VMs
: Ensures all virtual machines use managed disks for better performance and reliability.
Require HTTPS for Web Applications
: Ensures web applications and services only accept HTTPS traffic to secure data in transit.
Prohibit Public IPs on VMs
: Ensures virtual machine instances do not have public IP addresses to reduce the attack surface.
Restrict Public Access to Serverless Functions
: Ensures that serverless functions (e.g., AWS Lambda, Azure Functions, GCP Cloud Functions) are not publicly accessible.
Disable Serial Port Access on VMs
: Prevents the use of serial ports for interactive access to virtual machines to enhance security.
Monitoring
Deploy Diagnostic Settings for VMs
: Automatically deploys diagnostic settings for virtual machines to centralize logging and monitoring.
Monitor Resource Utilization
: Tracks and reports on resource utilization metrics (e.g., CPU, memory, disk) to optimize performance and cost.
Enable Activity Logs for Resources
: Ensures that activity logs are enabled for resources to track changes and access events.
Set Up Alert Rules for Critical Metrics
: Configures alert rules for critical metrics to notify administrators of potential issues in real time.
Ensure Log Retention Policies
: Enforces retention policies for logs to ensure compliance with regulatory requirements and organizational policies.
Storage
Enforce Secure Transfer for Storage
: Ensures that data transfer to storage services is secure and encrypted in transit.
Prohibit Public Read Access on Storage Buckets
: Ensures that storage buckets (e.g., S3, Azure Blob, GCP Cloud Storage) do not allow public read access to protect data privacy.
Enforce Encryption on Storage Data
: Ensures that all data stored in storage services is encrypted to protect data at rest.
Monitor Storage Utilization
: Tracks and reports on storage utilization to manage costs and capacity effectively.
Require Versioning for Critical Data
: Enforces versioning on critical data storage to protect against accidental deletions and data corruption.
Databases
Require Threat Detection on Databases
: Ensures that threat detection is enabled on databases to monitor and alert on suspicious activities.
Enforce Database Encryption
: Ensures that database instances are encrypted to protect sensitive data.
Require Automated Backups for Databases
: Ensures that automated backups are enabled for databases to support data recovery.
Restrict Database Access to Specific Networks
: Ensures that database access is limited to specific networks or IP ranges to enhance security.
Monitor Database Performance Metrics
: Tracks and reports on database performance metrics to optimize and maintain performance.
Backup
Enforce VM Backup Configuration
: Ensures that virtual machines have backup configurations in place to support data recovery.
Require Encrypted Snapshots
: Ensures that snapshots of virtual machines are encrypted to protect data.
Monitor Backup Compliance
: Tracks and reports on backup compliance to ensure all critical resources are backed up.
Enforce Retention Policies for Backups
: Ensures that backups are retained according to defined policies to meet regulatory requirements.
Automate Backup Verification
: Periodically verifies backups to ensure they are complete and recoverable.
IAM (Identity and Access Management)
Require MFA for Root Accounts
: Ensures that multi-factor authentication is enabled for root accounts to enhance security.
Enforce MFA for IAM Users
: Ensures that IAM users have multi-factor authentication enabled for secure access.
Enforce Specific IAM Policies
: Ensures that specific IAM policies are applied to resources to control access.
Monitor IAM Policy Changes
: Tracks and reports on changes to IAM policies to maintain security and compliance.
Restrict IAM Role Assignments
: Limits the assignment of IAM roles to authorized users and services to control access.
Networking
Ensure Security Group Usage
: Ensures that security groups are attached to resources to control network traffic.
Prohibit Open Ports
: Ensures that only necessary ports are open on network resources to minimize exposure.
Enforce Network Segmentation
: Ensures that network segments are used to isolate and protect sensitive resources.
Monitor Network Traffic
: Tracks and reports on network traffic to detect and respond to anomalies.
Require Network Encryption
: Ensures that network traffic is encrypted to protect data in transit.
Security
Enforce OS Login for VMs
: Ensures that operating system login is used for virtual machines to enhance access security.
Require Security Patches
: Ensures that security patches are applied to resources to protect against vulnerabilities.
Monitor Security Compliance
: Tracks and reports on security compliance to ensure adherence to policies and standards.
Restrict Access to Sensitive Resources
: Limits access to sensitive resources to authorized users and services only.
Automate Security Incident Response
: Implements automated responses to security incidents to mitigate risks quickly.
Kubernetes
- Ensure Kubernetes clusters use RBAC (Role-Based Access Control).
- Restrict access to the Kubernetes dashboard.
- Ensure network policies are in place to control traffic between pods.
- Ensure Kubernetes uses Azure AD/IAM for cluster authentication.
- Enforce the use of managed identities.
This post is licensed under CC BY 4.0 by the author.