diff --git a/404.html b/404.html index a15e1b0..d94168f 100644 --- a/404.html +++ b/404.html @@ -1 +1 @@ - Un Rinconcito donde contar lo que quiera
\ No newline at end of file + Un Rinconcito donde contar lo que quiera
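Review bot: The removed and added lines of this hunk carry the same visible text, "Un Rinconcito donde contar lo que quiera", and both are flagged "\ No newline at end of file", so whatever this hunk changes sits in markup or whitespace that this rendering does not show and cannot be verified from here; if the only intended difference is in the generated HTML, consider having the site generator emit a trailing newline so that every regenerated page stops producing a full old/new pair for an invisible change.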
\ No newline at end of file diff --git a/Azure/Security/MCSB/Asset Management/index.html b/Azure/Security/MCSB/Asset Management/index.html index 3281811..d43fe98 100644 --- a/Azure/Security/MCSB/Asset Management/index.html +++ b/Azure/Security/MCSB/Asset Management/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Asset Management

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders:
AM-1 Asset Management 1.1 - Utilize an Active Discovery Tool 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory CM-8: INFORMATION SYSTEM COMPONENT INVENTORY 2.4 Track asset inventory and their risks Track your asset inventory by query and discover all your cloud resources. Logically organize your assets by tagging and grouping your assets based on their service nature, location, or other characteristics. Ensure your security organization has access to a continuously updated inventory of assets. The Microsoft Defender for Cloud inventory feature and Azure Resource Graph can query for and discover all resources in your subscriptions, including Azure services, applications, and network resources. Logically organize assets according to your organization's taxonomy using tags as well as other metadata in Azure (Name, Description, and Category). How to create queries with Azure Resource Graph Explorer: Use the AWS Systems Manager Inventory feature to query for and discover all resources in your EC2 instances, including application level and operating system level details. In addition, use AWS Resource Groups - Tag Editor to browse AWS resource inventories. AWS Systems Manager Inventory: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
1.2 - Use a Passive Asset Discovery Tool 1.5 - Use a Passive Asset Discovery Tool PM-5: INFORMATION SYSTEM INVENTORY https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-inventory.html
1.4 - Maintain Detailed Asset Inventory 2.1 - Establish and Maintain a Software Inventory Ensure your security organization can monitor the risks of the cloud assets by always having security insights and risks aggregated centrally Ensure that security organizations have access to a continuously updated inventory of assets on Azure. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input for continuous security improvements. Logically organize assets according to your organization's taxonomy using tags as well as other metadata in AWS (Name, Description, and Category). Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
1.5 - Maintain Asset Inventory Information 2.4 - Utilize Automated Software Inventory Tools Microsoft Defender for Cloud asset inventory management: AWS Resource Groups and Tags:
2.1 - Maintain Inventory of Authorized Software Ensure security organizations are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Microsoft Defender for Cloud. Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions. https://docs.microsoft.com/azure/security-center/asset-inventory Ensure that security organizations have access to a continuously updated inventory of assets on AWS. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input for continuous security improvements. https://docs.aws.amazon.com/ARG/latest/userguide/tag-editor.html
Note: Additional permissions might be required to get visibility into workloads and services. For more information about tagging assets, see the resource naming and tagging decision guide: Note: Additional permissions might be required to get visibility into workloads and services.
https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json
Overview of Security Reader Role:
https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#security-reader
AM-2 Asset Management 2.7 - Utilize Application Whitelisting 2.5 - Allowlist Authorized Software CM-8: INFORMATION SYSTEM COMPONENT INVENTORY 6.3 Use only approved services Ensure that only approved cloud services can be used, by auditing and restricting which services users can provision in the environment. Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within their subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected. Configure and manage Azure Policy: Use AWS Config to audit and restrict which services users can provision in your environment. Use AWS Resource Groups to query for and discover resources within their accounts. You can also use CloudWatch and/or AWS Config to create rules to trigger alerts when a non-approved service is detected. AWS Resource Groups: Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
2.8 - Implement Application Whitelisting of Libraries 2.6 - Allowlist Authorized Libraries PM-5: INFORMATION SYSTEM INVENTORY https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage https://docs.aws.amazon.com/ARG/latest/userguide/gettingstarted.html
2.9 - Implement Application Whitelisting of Scripts 2.7 - Allowlist Authorized Scripts Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
9.2 - Ensure Only Approved Ports, Protocols, and Services Are Running 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software How to deny a specific resource type with Azure Policy:
https://docs.microsoft.com/azure/governance/policy/samples/not-allowed-resource-types
How to create queries with Azure Resource Graph Explorer:
https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal
AM-3 Asset Management 1.4 - Maintain Detailed Asset Inventory 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory CM-8: INFORMATION SYSTEM COMPONENT INVENTORY 2.4 Ensure security of asset lifecycle management Ensure security attributes or configurations of the assets are always updated during the asset lifecycle. Establish or update security policies/process that address asset lifecycle management processes for potentially high impact modifications. These modifications include changes to identity providers and access, data sensitivity level, network configuration, and administrative privilege assignment. Delete Azure resource group and resource: Establish or update security policies/process that address asset lifecycle management processes for potentially high impact modifications. These modifications include changes to identity providers and access, data sensitivity level, network configuration, and administrative privilege assignment. How do I check for active resources that I no longer need on my AWS account? Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
1.5 - Maintain Asset Inventory Information 2.1 - Establish and Maintain a Software Inventory CM-7: LEAST FUNCTIONALITY https://docs.microsoft.com/azure/azure-resource-manager/management/delete-resource-group https://aws.amazon.com/premiumsupport/knowledge-center/check-for-active-resources/
2.1 - Maintain Inventory of Authorized Software Identify and remove Azure resources when they are no longer needed. Identify and remove AWS resources when they are no longer needed. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
2.4 - Track Software Inventory Information How do I terminate active resources that I no longer need on my AWS account?
https://aws.amazon.com/premiumsupport/knowledge-center/terminate-resources-account-closure/ Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
AM-4 Asset Management 14.6 - Protect Information Through Access Control Lists 3.3 - Configure Data Access Control Lists AC-3: ACCESS ENFORCEMENT nan Limit access to asset management Limit users' access to asset management features, to avoid accidental or malicious modification of the assets in your cloud. Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources (assets) in Azure. Use Azure AD Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App. How to configure Conditional Access to block access to Azure Resources Manager: Use AWS IAM to restrict access to a specific resource. You can specify allowed or deny actions as well as the conditions under which actions are triggered. You may specify one condition or combine methods of resource-level permissions, resource-based policies, tag-based authorization, temporary credentials, or service-linked roles to have a fine-grain control access control for your resources. AWS services that work with IAM: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
https://docs.microsoft.com/azure/role-based-access-control/conditional-access-azure-management https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
Use Azure Role-based Access Control (Azure RBAC) to assign roles to identities to control their permissions and access to Azure resources. For example, a user with only the 'Reader' Azure RBAC role can view all resources, but is not allowed to make any changes. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Lock your resources to protect your infrastructure:
Use Resource Locks to prevent either deletions or modifications to resources. Resource Locks may also be administered through Azure Blueprints. https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json
Protect new resources with Azure Blueprints resource locks:
https://learn.microsoft.com/azure/governance/blueprints/tutorials/protect-new-resources
AM-5 Asset Management 2.7 - Utilize Application Whitelisting 2.5 - Allowlist Authorized Software CM-8: INFORMATION SYSTEM COMPONENT INVENTORY 6.3 Use only approved applications in virtual machine Ensure that only authorized software executes by creating an allow list and block the unauthorized software from executing in your environment. Use Microsoft Defender for Cloud adaptive application controls to discover and generate an application allow list. You can also use ASC adaptive application controls to ensure that only authorized software can executes, and all unauthorized software is blocked from executing on Azure Virtual Machines. How to use Microsoft Defender for Cloud adaptive application controls: Use the AWS Systems Manager Inventory feature to discover the applications installed in your EC2 instances. Use AWS Config rules to ensure that non-authorized software is blocked from executing on EC2 instances. Preventing blacklisted applications with AWS Systems Manager and AWS Config: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
2.8 - Implement Application Whitelisting of Libraries 2.6 - Allowlist Authorized Libraries CM-7: LEAST FUNCTIONALITY https://docs.microsoft.com/azure/security-center/security-center-adaptive-application https://aws.amazon.com/blogs/mt/preventing-blacklisted-applications-with-aws-systems-manager-and-aws-config/
2.9 - Implement Application Whitelisting of Scripts 2.7 - Allowlist Authorized Scripts CM-10: SOFTWARE USAGE RESTRICTIONS Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. Software name, version, publisher, and refresh time information are available from the Azure portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to a Log Analytics workspace. You can also use a third-party solution to discover and identify unapproved software. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
9.2 - Ensure Only Approved Ports, Protocols, and Services Are Running 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CM-11: USER-INSTALLED SOFTWARE Understand Azure Automation Change Tracking and Inventory:
Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources. https://docs.microsoft.com/azure/automation/change-tracking Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
You can also use a third-party solution to discover and identify unapproved software. How to control PowerShell script execution in Windows environments:
https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6
\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Asset Management

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders:
AM-1 Asset Management 1.1 - Utilize an Active Discovery Tool 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory CM-8: INFORMATION SYSTEM COMPONENT INVENTORY 2.4 Track asset inventory and their risks Track your asset inventory by query and discover all your cloud resources. Logically organize your assets by tagging and grouping your assets based on their service nature, location, or other characteristics. Ensure your security organization has access to a continuously updated inventory of assets. The Microsoft Defender for Cloud inventory feature and Azure Resource Graph can query for and discover all resources in your subscriptions, including Azure services, applications, and network resources. Logically organize assets according to your organization's taxonomy using tags as well as other metadata in Azure (Name, Description, and Category). How to create queries with Azure Resource Graph Explorer: Use the AWS Systems Manager Inventory feature to query for and discover all resources in your EC2 instances, including application level and operating system level details. In addition, use AWS Resource Groups - Tag Editor to browse AWS resource inventories. AWS Systems Manager Inventory: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
1.2 - Use a Passive Asset Discovery Tool 1.5 - Use a Passive Asset Discovery Tool PM-5: INFORMATION SYSTEM INVENTORY https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-inventory.html
1.4 - Maintain Detailed Asset Inventory 2.1 - Establish and Maintain a Software Inventory Ensure your security organization can monitor the risks of the cloud assets by always having security insights and risks aggregated centrally Ensure that security organizations have access to a continuously updated inventory of assets on Azure. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input for continuous security improvements. Logically organize assets according to your organization's taxonomy using tags as well as other metadata in AWS (Name, Description, and Category). Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
1.5 - Maintain Asset Inventory Information 2.4 - Utilize Automated Software Inventory Tools Microsoft Defender for Cloud asset inventory management: AWS Resource Groups and Tags:
2.1 - Maintain Inventory of Authorized Software Ensure security organizations are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Microsoft Defender for Cloud. Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions. https://docs.microsoft.com/azure/security-center/asset-inventory Ensure that security organizations have access to a continuously updated inventory of assets on AWS. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input for continuous security improvements. https://docs.aws.amazon.com/ARG/latest/userguide/tag-editor.html
Note: Additional permissions might be required to get visibility into workloads and services. For more information about tagging assets, see the resource naming and tagging decision guide: Note: Additional permissions might be required to get visibility into workloads and services.
https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json
Overview of Security Reader Role:
https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#security-reader
AM-2 Asset Management 2.7 - Utilize Application Whitelisting 2.5 - Allowlist Authorized Software CM-8: INFORMATION SYSTEM COMPONENT INVENTORY 6.3 Use only approved services Ensure that only approved cloud services can be used, by auditing and restricting which services users can provision in the environment. Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within their subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected. Configure and manage Azure Policy: Use AWS Config to audit and restrict which services users can provision in your environment. Use AWS Resource Groups to query for and discover resources within their accounts. You can also use CloudWatch and/or AWS Config to create rules to trigger alerts when a non-approved service is detected. AWS Resource Groups: Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
2.8 - Implement Application Whitelisting of Libraries 2.6 - Allowlist Authorized Libraries PM-5: INFORMATION SYSTEM INVENTORY https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage https://docs.aws.amazon.com/ARG/latest/userguide/gettingstarted.html
2.9 - Implement Application Whitelisting of Scripts 2.7 - Allowlist Authorized Scripts Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
9.2 - Ensure Only Approved Ports, Protocols, and Services Are Running 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software How to deny a specific resource type with Azure Policy:
https://docs.microsoft.com/azure/governance/policy/samples/not-allowed-resource-types
How to create queries with Azure Resource Graph Explorer:
https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal
AM-3 Asset Management 1.4 - Maintain Detailed Asset Inventory 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory CM-8: INFORMATION SYSTEM COMPONENT INVENTORY 2.4 Ensure security of asset lifecycle management Ensure security attributes or configurations of the assets are always updated during the asset lifecycle. Establish or update security policies/process that address asset lifecycle management processes for potentially high impact modifications. These modifications include changes to identity providers and access, data sensitivity level, network configuration, and administrative privilege assignment. Delete Azure resource group and resource: Establish or update security policies/process that address asset lifecycle management processes for potentially high impact modifications. These modifications include changes to identity providers and access, data sensitivity level, network configuration, and administrative privilege assignment. How do I check for active resources that I no longer need on my AWS account? Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
1.5 - Maintain Asset Inventory Information 2.1 - Establish and Maintain a Software Inventory CM-7: LEAST FUNCTIONALITY https://docs.microsoft.com/azure/azure-resource-manager/management/delete-resource-group https://aws.amazon.com/premiumsupport/knowledge-center/check-for-active-resources/
2.1 - Maintain Inventory of Authorized Software Identify and remove Azure resources when they are no longer needed. Identify and remove AWS resources when they are no longer needed. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
2.4 - Track Software Inventory Information How do I terminate active resources that I no longer need on my AWS account?
https://aws.amazon.com/premiumsupport/knowledge-center/terminate-resources-account-closure/ Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
AM-4 Asset Management 14.6 - Protect Information Through Access Control Lists 3.3 - Configure Data Access Control Lists AC-3: ACCESS ENFORCEMENT nan Limit access to asset management Limit users' access to asset management features, to avoid accidental or malicious modification of the assets in your cloud. Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources (assets) in Azure. Use Azure AD Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring "Block access" for the "Microsoft Azure Management" App. How to configure Conditional Access to block access to Azure Resources Manager: Use AWS IAM to restrict access to a specific resource. You can specify allowed or deny actions as well as the conditions under which actions are triggered. You may specify one condition or combine methods of resource-level permissions, resource-based policies, tag-based authorization, temporary credentials, or service-linked roles to have a fine-grain control access control for your resources. AWS services that work with IAM: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
https://docs.microsoft.com/azure/role-based-access-control/conditional-access-azure-management https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
Use Azure Role-based Access Control (Azure RBAC) to assign roles to identities to control their permissions and access to Azure resources. For example, a user with only the 'Reader' Azure RBAC role can view all resources, but is not allowed to make any changes. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Lock your resources to protect your infrastructure:
Use Resource Locks to prevent either deletions or modifications to resources. Resource Locks may also be administered through Azure Blueprints. https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json
Protect new resources with Azure Blueprints resource locks:
https://learn.microsoft.com/azure/governance/blueprints/tutorials/protect-new-resources
AM-5 Asset Management 2.7 - Utilize Application Whitelisting 2.5 - Allowlist Authorized Software CM-8: INFORMATION SYSTEM COMPONENT INVENTORY 6.3 Use only approved applications in virtual machine Ensure that only authorized software executes by creating an allow list and block the unauthorized software from executing in your environment. Use Microsoft Defender for Cloud adaptive application controls to discover and generate an application allow list. You can also use ASC adaptive application controls to ensure that only authorized software can executes, and all unauthorized software is blocked from executing on Azure Virtual Machines. How to use Microsoft Defender for Cloud adaptive application controls: Use the AWS Systems Manager Inventory feature to discover the applications installed in your EC2 instances. Use AWS Config rules to ensure that non-authorized software is blocked from executing on EC2 instances. Preventing blacklisted applications with AWS Systems Manager and AWS Config: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
2.8 - Implement Application Whitelisting of Libraries 2.6 - Allowlist Authorized Libraries CM-7: LEAST FUNCTIONALITY https://docs.microsoft.com/azure/security-center/security-center-adaptive-application https://aws.amazon.com/blogs/mt/preventing-blacklisted-applications-with-aws-systems-manager-and-aws-config/
2.9 - Implement Application Whitelisting of Scripts 2.7 - Allowlist Authorized Scripts CM-10: SOFTWARE USAGE RESTRICTIONS Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. Software name, version, publisher, and refresh time information are available from the Azure portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to a Log Analytics workspace. You can also use a third-party solution to discover and identify unapproved software. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
9.2 - Ensure Only Approved Ports, Protocols, and Services Are Running 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CM-11: USER-INSTALLED SOFTWARE Understand Azure Automation Change Tracking and Inventory:
Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources. https://docs.microsoft.com/azure/automation/change-tracking Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
You can also use a third-party solution to discover and identify unapproved software. How to control PowerShell script execution in Windows environments:
https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6
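Review bot: The removed block and the added block of this hunk are textually identical in this rendering, from the ".gslide-desc" style rule through "Skip to content", the whole "MCSB_v1 - Asset Management" table and the closing PowerShell execution-policy link, so the change is again in markup or whitespace the text view does not expose, and a hunk of this size for an invisible change is effectively unreviewable. Since the page is being regenerated anyway, the source table it is built from has defects that are reproduced verbatim on both sides and are worth fixing at the source: the header row ends in "Implementation and additional context.1", which looks like a duplicate-column suffix leaking from the spreadsheet export rather than a column name; the AM-4 PCI-DSS cell renders an empty value as the literal "nan"; and the guidance text contains "only authorized software can executes" (AM-5), "fine-grain control access control" and "Azure Resources Manager" (AM-4).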
\ No newline at end of file diff --git a/Azure/Security/MCSB/Backup and Recovery/index.html b/Azure/Security/MCSB/Backup and Recovery/index.html index 6e6930e..c107cdc 100644 --- a/Azure/Security/MCSB/Backup and Recovery/index.html +++ b/Azure/Security/MCSB/Backup and Recovery/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Backup and Recovery

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders:
BR-1 Backup and recovery 10.1 - Ensure Regular Automated Backups 11.2 - Perform Automated Backups CP-2: CONTINGENCY PLAN nan Ensure regular automated backups Ensure backup of business-critical resources, either during resource creation or enforced through policy for existing resources. For Azure Backup supported resources (such as Azure VMs, SQL Server, HANA databases, Azure PostgreSQL Database, File Shares, Blobs or Disks), enable Azure Backup and configure the desired frequency and retention period. For Azure VM, you can use Azure Policy to have backup automatically enabled using Azure Policy. How to enable Azure Backup: For AWS Backup supported resources (such as EC2, S3, EBS or RDS), enable AWS Backup and configure the desired frequency and retention period. AWS Backup supported resources and third-party applications: Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards
CP-4: CONTINGENCY PLAN TESTING https://docs.microsoft.com/azure/backup/ https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html
CP-9: INFORMATION SYSTEM BACKUP For resources or services not supported by Azure Backup, use the native backup capability provided by the resource or service. For example, Azure Key Vault provides a native backup capability. For resources/services not supported by AWS Backup, such as AWS KMS, enable the native backup feature as part of its resource creation. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Auto-Enable Backup on VM Creation using Azure Policy: Amazon S3 versioning:
For resources/services that are neither supported by Azure Backup nor have a native backup capability, evaluate your backup and disaster needs, and create your own mechanism as per your business requirements. For example: https://docs.microsoft.com/azure/backup/backup-azure-auto-enable-backup For resources/services that are neither supported by AWS Backup nor have a native backup capability, evaluate your backup and disaster needs, and create your own mechanism as per your business requirements. For example: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
- If you use Azure Storage for data storage, enable blob versioning for your storage blobs which will allow you to preserve, retrieve, and restore every version of every object stored in your Azure Storage. - If Amazon S3 is used for data storage, enable S3 versioning for your storage backet which will allow you to preserve, retrieve, and restore every version of every object stored in your S3 bucket.
- Service configuration settings can usually be exported to Azure Resource Manager templates. - Service configuration settings can usually be exported to CloudFormation templates. AWS CloudFormation best practices: Incident preparation: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html
BR-2 Backup and recovery 10.4 - Ensure Protection of Backups 11.3 - Protect Recovery Data CP-6: ALTERNATE STORAGE SITE 3.4 Protect backup and recovery data Ensure backup data and operations are protected from data exfiltration, data compromise, ransomware/malware and malicious insiders. The security controls that should be applied include user and network access control, data encryption at-rest and in-transit. Use multi-factor-authentication and Azure RBAC to secure the critical Azure Backup operations (such as delete, change retention, updates to backup config). For Azure Backup supported resources, use Azure RBAC to segregate duties and enable fine grained access, and create private endpoints within your Azure Virtual Network to securely backup and restore data from your Recovery Services vaults. Overview of security features in Azure Backup: Use AWS IAM access control to secure AWS Backup. This includes securing the AWS Backup service access and backup and restore points. Example controls include: Security in AWS Backup: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
CP-9: INFORMATION SYSTEM BACKUP https://docs.microsoft.com/azure/backup/security-overview - Use multi-factor authentication (MFA) for critical operations such as deletion of a backup/restore point. https://docs.aws.amazon.com/aws-backup/latest/devguide/security-considerations.html
For Azure Backup supported resources, backup data is automatically encrypted using Azure platform-managed keys with 256-bit AES encryption. You can also choose to encrypt the backups using a customer managed key. In this case, ensure the customer-managed key in the Azure Key Vault is also in the backup scope. If you use a customer-managed key, use soft delete and purge protection in Azure Key Vault to protect keys from accidental or malicious deletion. For on-premises backups using Azure Backup, encryption-at-rest is provided using the passphrase you provide. - Use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to communicate with AWS resources. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Encryption of backup data using customer-managed keys: - Use AWS KMS in conjunction with AWS Backup to encrypt the backup data either using customer-managed CMK or an AWS-managed CMK associated with the AWS Backup service. Security Best Practices for Amazon S3:
Safeguard backup data from accidental or malicious deletion, such as ransomware attacks/attempts to encrypt or tamper backup data. For Azure Backup supported resources, enable soft delete to ensure recovery of items with no data loss for up to 14 days after an unauthorized deletion, and enable multifactor authentication using a PIN generated in the Azure portal. Also enable geo-redundant storage or cross-region restoration to ensure backup data is restorable when there is a disaster in primary region. You can also enable Zone-redundant Storage (ZRS) to ensure backups are restorable during zonal failures. https://docs.microsoft.com/azure/backup/encryption-at-rest-with-cmk - Use AWS Backup Vault Lock for immutable storage of critical data. https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html Incident preparation: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
- Secure S3 buckets through access policy, disabling public access, enforcing data at-rest encryption, and versioning control.
Note: If you use a resource's native backup feature or backup services other than Azure Backup, refer to the Microsoft Cloud Security Benchmark (and service baselines) to implement the above controls. Security features to help protect hybrid backups from attacks:
https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks
Azure Backup - set cross region restore
https://docs.microsoft.com/azure/backup/backup-create-rs-vault#set-cross-region-restore
BR-3 Backup and recovery 10.4 - Ensure Protection of Backups 11.3 - Protect Recovery Data CP-9: INFORMATION SYSTEM BACKUP nan Monitor backups Ensure all business-critical protectable resources are compliant with the defined backup policy and standard. Monitor your Azure environment to ensure that all your critical resources are compliant from a backup perspective. Use Azure Policy for backup to audit and enforce such controls. For Azure Backup supported resources, Backup Center helps you centrally govern your backup estate. Govern your backup estate using Backup Center: AWS Backup works with other AWS tools to empower you to monitor its workloads. These tools include the following: AWS Backup Monitoring: Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
https://docs.microsoft.com/azure/backup/backup-center-govern-environment - Use AWS Backup Audit Manager to monitor the backup operations to ensure the compliance. https://docs.aws.amazon.com/aws-backup/latest/devguide/monitoring.html
Ensure critical backup operations (delete, change retention, updates to backup config) are monitored, audited, and have alerts in place. For Azure Backup supported resources, monitor overall backup health, get alerted to critical backup incidents, and audit triggered user actions on vaults. - Use CloudWatch and Amazon EventBridge to monitor AWS Backup processes. Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Monitor and operate backups using Backup center: - Use CloudWatch to track metrics, create alarms, and view dashboards. Monitoring AWS Backup events using EventBridge:
Note: Where applicable, also use built-in policies (Azure Policy) to ensure that your Azure resources are configured for backup. https://docs.microsoft.com/azure/backup/backup-center-monitor-operate - Use EventBridge to view and monitor AWS Backup events. https://docs.aws.amazon.com/aws-backup/latest/devguide/eventbridge.html
- Use Amazon Simple Notification Service (Amazon SNS) to subscribe to AWS Backup-related topics such as backup, restore, and copy events.
Monitoring and reporting solutions for Azure Backup: Monitoring AWS Backup metrics with CloudWatch:
https://docs.microsoft.com/azure/backup/monitoring-and-alerts-overview https://docs.aws.amazon.com/aws-backup/latest/devguide/cloudwatch.html
Using Amazon SNS to track AWS Backup events:
https://docs.aws.amazon.com/aws-backup/latest/devguide/sns-notifications.html
Audit backups and create reports with AWS Backup Audit Manager:
https://docs.aws.amazon.com/aws-backup/latest/devguide/aws-backup-audit-manager.html
BR-4 Backup and recovery 10.3 - Test Data on Backup Media 11.5 - Test Data Recovery CP-4: CONTINGENCY PLAN TESTING nan Regularly test backup Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meets the recovery needs as per defined in the RTO (Recovery Time Objective) and RPO (Recovery Point Objective). Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meets the recovery needs as defined in the RTO and RPO. How to recover files from Azure Virtual Machine backup: Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meets the recovery needs as defined in the RTO and RPO. Restoring a backup: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
CP-9: INFORMATION SYSTEM BACKUP https://docs.microsoft.com/azure/backup/backup-azure-restore-files-from-vm https://docs.aws.amazon.com/aws-backup/latest/devguide/restoring-a-backup.html
You may need to define your backup recovery test strategy, including the test scope, frequency and method as performing the full recovery test each time can be difficult. You may need to define your backup recovery test strategy, including the test scope, frequency and method as performing the full recovery test each time can be difficult. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
How to restore Key Vault keys in Azure:
https://docs.microsoft.com/powershell/module/azurerm.keyvault/restore-azurekeyvaultkey?view=azurermps-6.13.0 Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Backup and Recovery

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders:
BR-1 Backup and recovery 10.1 - Ensure Regular Automated Backups 11.2 - Perform Automated Backups CP-2: CONTINGENCY PLAN nan Ensure regular automated backups Ensure backup of business-critical resources, either during resource creation or enforced through policy for existing resources. For Azure Backup supported resources (such as Azure VMs, SQL Server, HANA databases, Azure PostgreSQL Database, File Shares, Blobs or Disks), enable Azure Backup and configure the desired frequency and retention period. For Azure VM, you can use Azure Policy to have backup automatically enabled using Azure Policy. How to enable Azure Backup: For AWS Backup supported resources (such as EC2, S3, EBS or RDS), enable AWS Backup and configure the desired frequency and retention period. AWS Backup supported resources and third-party applications: Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards
CP-4: CONTINGENCY PLAN TESTING https://docs.microsoft.com/azure/backup/ https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html
CP-9: INFORMATION SYSTEM BACKUP For resources or services not supported by Azure Backup, use the native backup capability provided by the resource or service. For example, Azure Key Vault provides a native backup capability. For resources/services not supported by AWS Backup, such as AWS KMS, enable the native backup feature as part of its resource creation. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Auto-Enable Backup on VM Creation using Azure Policy: Amazon S3 versioning:
For resources/services that are neither supported by Azure Backup nor have a native backup capability, evaluate your backup and disaster needs, and create your own mechanism as per your business requirements. For example: https://docs.microsoft.com/azure/backup/backup-azure-auto-enable-backup For resources/services that are neither supported by AWS Backup nor have a native backup capability, evaluate your backup and disaster needs, and create your own mechanism as per your business requirements. For example: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
- If you use Azure Storage for data storage, enable blob versioning for your storage blobs which will allow you to preserve, retrieve, and restore every version of every object stored in your Azure Storage. - If Amazon S3 is used for data storage, enable S3 versioning for your storage backet which will allow you to preserve, retrieve, and restore every version of every object stored in your S3 bucket.
- Service configuration settings can usually be exported to Azure Resource Manager templates. - Service configuration settings can usually be exported to CloudFormation templates. AWS CloudFormation best practices: Incident preparation: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html
BR-2 Backup and recovery 10.4 - Ensure Protection of Backups 11.3 - Protect Recovery Data CP-6: ALTERNATE STORAGE SITE 3.4 Protect backup and recovery data Ensure backup data and operations are protected from data exfiltration, data compromise, ransomware/malware and malicious insiders. The security controls that should be applied include user and network access control, data encryption at-rest and in-transit. Use multi-factor-authentication and Azure RBAC to secure the critical Azure Backup operations (such as delete, change retention, updates to backup config). For Azure Backup supported resources, use Azure RBAC to segregate duties and enable fine grained access, and create private endpoints within your Azure Virtual Network to securely backup and restore data from your Recovery Services vaults. Overview of security features in Azure Backup: Use AWS IAM access control to secure AWS Backup. This includes securing the AWS Backup service access and backup and restore points. Example controls include: Security in AWS Backup: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
CP-9: INFORMATION SYSTEM BACKUP https://docs.microsoft.com/azure/backup/security-overview - Use multi-factor authentication (MFA) for critical operations such as deletion of a backup/restore point. https://docs.aws.amazon.com/aws-backup/latest/devguide/security-considerations.html
For Azure Backup supported resources, backup data is automatically encrypted using Azure platform-managed keys with 256-bit AES encryption. You can also choose to encrypt the backups using a customer managed key. In this case, ensure the customer-managed key in the Azure Key Vault is also in the backup scope. If you use a customer-managed key, use soft delete and purge protection in Azure Key Vault to protect keys from accidental or malicious deletion. For on-premises backups using Azure Backup, encryption-at-rest is provided using the passphrase you provide. - Use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to communicate with AWS resources. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Encryption of backup data using customer-managed keys: - Use AWS KMS in conjunction with AWS Backup to encrypt the backup data either using customer-managed CMK or an AWS-managed CMK associated with the AWS Backup service. Security Best Practices for Amazon S3:
Safeguard backup data from accidental or malicious deletion, such as ransomware attacks/attempts to encrypt or tamper backup data. For Azure Backup supported resources, enable soft delete to ensure recovery of items with no data loss for up to 14 days after an unauthorized deletion, and enable multifactor authentication using a PIN generated in the Azure portal. Also enable geo-redundant storage or cross-region restoration to ensure backup data is restorable when there is a disaster in primary region. You can also enable Zone-redundant Storage (ZRS) to ensure backups are restorable during zonal failures. https://docs.microsoft.com/azure/backup/encryption-at-rest-with-cmk - Use AWS Backup Vault Lock for immutable storage of critical data. https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html Incident preparation: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
- Secure S3 buckets through access policy, disabling public access, enforcing data at-rest encryption, and versioning control.
Note: If you use a resource's native backup feature or backup services other than Azure Backup, refer to the Microsoft Cloud Security Benchmark (and service baselines) to implement the above controls. Security features to help protect hybrid backups from attacks:
https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks
Azure Backup - set cross region restore
https://docs.microsoft.com/azure/backup/backup-create-rs-vault#set-cross-region-restore
BR-3 Backup and recovery 10.4 - Ensure Protection of Backups 11.3 - Protect Recovery Data CP-9: INFORMATION SYSTEM BACKUP nan Monitor backups Ensure all business-critical protectable resources are compliant with the defined backup policy and standard. Monitor your Azure environment to ensure that all your critical resources are compliant from a backup perspective. Use Azure Policy for backup to audit and enforce such controls. For Azure Backup supported resources, Backup Center helps you centrally govern your backup estate. Govern your backup estate using Backup Center: AWS Backup works with other AWS tools to empower you to monitor its workloads. These tools include the following: AWS Backup Monitoring: Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
https://docs.microsoft.com/azure/backup/backup-center-govern-environment - Use AWS Backup Audit Manager to monitor the backup operations to ensure the compliance. https://docs.aws.amazon.com/aws-backup/latest/devguide/monitoring.html
Ensure critical backup operations (delete, change retention, updates to backup config) are monitored, audited, and have alerts in place. For Azure Backup supported resources, monitor overall backup health, get alerted to critical backup incidents, and audit triggered user actions on vaults. - Use CloudWatch and Amazon EventBridge to monitor AWS Backup processes. Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Monitor and operate backups using Backup center: - Use CloudWatch to track metrics, create alarms, and view dashboards. Monitoring AWS Backup events using EventBridge:
Note: Where applicable, also use built-in policies (Azure Policy) to ensure that your Azure resources are configured for backup. https://docs.microsoft.com/azure/backup/backup-center-monitor-operate - Use EventBridge to view and monitor AWS Backup events. https://docs.aws.amazon.com/aws-backup/latest/devguide/eventbridge.html
- Use Amazon Simple Notification Service (Amazon SNS) to subscribe to AWS Backup-related topics such as backup, restore, and copy events.
Monitoring and reporting solutions for Azure Backup: Monitoring AWS Backup metrics with CloudWatch:
https://docs.microsoft.com/azure/backup/monitoring-and-alerts-overview https://docs.aws.amazon.com/aws-backup/latest/devguide/cloudwatch.html
Using Amazon SNS to track AWS Backup events:
https://docs.aws.amazon.com/aws-backup/latest/devguide/sns-notifications.html
Audit backups and create reports with AWS Backup Audit Manager:
https://docs.aws.amazon.com/aws-backup/latest/devguide/aws-backup-audit-manager.html
BR-4 Backup and recovery 10.3 - Test Data on Backup Media 11.5 - Test Data Recovery CP-4: CONTINGENCY PLAN TESTING nan Regularly test backup Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meets the recovery needs as per defined in the RTO (Recovery Time Objective) and RPO (Recovery Point Objective). Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meets the recovery needs as defined in the RTO and RPO. How to recover files from Azure Virtual Machine backup: Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meets the recovery needs as defined in the RTO and RPO. Restoring a backup: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
CP-9: INFORMATION SYSTEM BACKUP https://docs.microsoft.com/azure/backup/backup-azure-restore-files-from-vm https://docs.aws.amazon.com/aws-backup/latest/devguide/restoring-a-backup.html
You may need to define your backup recovery test strategy, including the test scope, frequency and method as performing the full recovery test each time can be difficult. You may need to define your backup recovery test strategy, including the test scope, frequency and method as performing the full recovery test each time can be difficult. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
How to restore Key Vault keys in Azure:
https://docs.microsoft.com/powershell/module/azurerm.keyvault/restore-azurekeyvaultkey?view=azurermps-6.13.0 Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
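Review bot: No visible content change in the Backup and Recovery hunk: the removed and added bodies of `Azure/Security/MCSB/Backup and Recovery/index.html` read word for word the same from the `BR-1` row through the `restore-azurekeyvaultkey` link, so the only thing this rebuild can be altering is whitespace or the `\ No newline at end of file` marker; if that is intentional, a commit message saying so would save the next reviewer from diffing the two bodies by hand. Since the page is being regenerated anyway, the upstream defects it carries are worth fixing at the source rather than republishing: the literal `nan` that stands in for empty PCI-DSS cells (`CP-2: CONTINGENCY PLAN nan Ensure regular automated backups`, and again in the BR-3 and BR-4 rows) should render as blank cells, the S3 versioning bullet reads `enable S3 versioning for your storage backet` where `bucket` is meant, and the `Skip to content` navigation label is being emitted inside the page body text.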
\ No newline at end of file diff --git a/Azure/Security/MCSB/Data Protection/index.html b/Azure/Security/MCSB/Data Protection/index.html index 5ab1956..35758ee 100644 --- a/Azure/Security/MCSB/Data Protection/index.html +++ b/Azure/Security/MCSB/Data Protection/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Data Protection

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context: AWS Foundational Security Best Practices controls AWS Config Rule (WIP) Azure Policy CIS AWS Foundations Benchmark 1.4.0 Customer Security Stakeholders:
DP-1 Data Protection 13.1 - Maintain an Inventory of Sensitive Information 3.2 - Establish and Maintain a Data Inventory RA-2: SECURITY CATEGORIZATION A3.2 Discover, classify, and label sensitive data Establish and maintain an inventory of the sensitive data, based on the defined sensitive data scope. Use tools to discover, classify and label the in- scope sensitive data. Use tools such as Microsoft Purview, which combines the former Azure Purview and Microsoft 365 compliance solutions, and Azure SQL Data Discovery and Classification to centrally scan, classify, and label the sensitive data that reside in the Azure, on-premises, Microsoft 365, and other locations. Data classification overview: Replicate your data from various sources to a S3 storage bucket and use AWS Macie to scan, classify and label the sensitive data stored in the bucket. AWS Macie can detect sensitive data such as security credentials, financial information, PHI and PII data, or other data pattern based on the custom data identifier rules. Data Classification Process: nan nan [Preview]: Sensitive data in your SQL databases should be classified 2.3.1 Ensure that encryption is enabled for RDS Instances Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
14.5 - Utilize an Active Discovery Tool to Identify Sensitive Data 3.7 - Establish and Maintain a Data Classification Scheme SC-28: PROTECTION OF INFORMATION AT REST https://docs.microsoft.com/azure/cloud-adoption-framework/govern/policy-compliance/data-classification https://docs.aws.amazon.com/whitepapers/latest/data-classification/data-classification-process.html (Automated)
3.13 - Deploy a Data Loss Prevention Solution You may also use the Azure Purview multi-cloud scanning connector to scan, classify and label the sensitive data residing in a S3 storage bucket. Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
Labeling in the Microsoft Purview Data Map: AWS Marketplace - DLP Solution:
https://docs.microsoft.com/azure/purview/create-sensitivity-label Note: You can also use third-party enterprise solutions from AWS marketplace for the purpose of data discovery classification and labeling https://aws.amazon.com/marketplace/search/results?searchTerms=DLP Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Tag sensitive information using Azure Information Protection:
https://docs.microsoft.com/azure/information-protection/what-is-information-protection
How to implement Azure SQL Data Discovery:
https://docs.microsoft.com/azure/sql-database/sql-database-data-discovery-and-classification
Microsoft Purview data sources:
https://docs.microsoft.com/azure/purview/purview-connector-overview#purview-data-sources
DP-2 Data Protection 13.3 - Monitor and Block Unauthorized Network Traffic 3.13 - Deploy a Data Loss Prevention Solution AC-4: INFORMATION FLOW ENFORCEMENT A3.2 Monitor anomalies and threats targeting sensitive data Monitor for anomalies around sensitive data, such as unauthorized transfer of data to locations outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or unusual transfers) that could indicate unauthorized data exfiltration. Use Azure Information protection (AIP) to monitor the data that has been classified and labeled. Enable Azure Defender for SQL: Use AWS Macie to monitor the data that has been classified and labeled, and use GuardDuty to detect anomalous activities on some resources (S3, EC2 or Kubernetes or IAM resources). Findings and alerts can be triaged, analyzed, and tracked using EventBridge and forwarded to Microsoft Sentinel or Security Hub for incident aggregation and tracking. GuardDuty S3 finding types: nan nan Azure Defender for open-source relational databases should be enabled nan Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
14.7 - Enforce Access Control to Data through Automated Tools SI-4: INFORMATION SYSTEM MONITORING https://docs.microsoft.com/azure/azure-sql/database/azure-defender-for-sql https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html Azure Defender for Storage should be enabled
Use Microsoft Defender for Storage, Microsoft Defender for SQL, Microsoft Defender for open-source relational databases, and Microsoft Defender for Cosmos DB to alert on anomalous transfer of information that might indicate unauthorized transfers of sensitive data information. You may also connect your AWS accounts to Microsoft Defender for Cloud for compliance checks, container security, and endpoint security capabilities. Azure Defender for SQL servers on machines should be enabled Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Enable Azure Defender for Storage: Amazon S3 protection in Amazon GuardDuty: Azure Defender for Azure SQL Database servers should be enabled
Note: If required for compliance of data loss prevention (DLP), you can use a host-based DLP solution from Azure Marketplace or a Microsoft 365 DLP solution to enforce detective and/or preventative controls to prevent data exfiltration. https://docs.microsoft.com/azure/storage/common/storage-advanced-threat-protection?tabs=azure-security-center Note: If required for compliance of data loss prevention (DLP), you can use a host-based DLP solution from AWS Marketplace. https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances
Enable Microsoft Defender for Azure Cosmos DB:
https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-enable-cosmos-protections?tabs=azure-portal
Enable Microsoft Defender for open-source relational databases and respond to alerts:
https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-usage
DP-3 Data Protection 14.4 - Encrypt All Sensitive Information in Transit 3.10 - Encrypt Sensitive Data In Transit SC-8: TRANSMISSION CONFIDENTIALITY AND INTEGRITY 3.5 Encrypt sensitive data in transit Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in. Double encryption for Azure data in transit: Enforce secure transfer in services such as Amazon S3, RDS and CloudFront, where a native data in transit encryption feature is built in. TLS security policies in Elastic Load Balancer: CloudFront distributions should require encryption in transit nan Kubernetes clusters should be accessible only over HTTPS 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests (Manual) Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
3.6 https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#tls-security-policies Classic Load Balancer listeners should be configured with HTTPS or TLS termination Only secure connections to your Azure Cache for Redis should be enabled
4.1 Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on external and public networks. Enforce HTTPS for web application workloads and services by ensuring that any clients connecting to your Azure resources use transport layer security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Enforce HTTPS (such as in AWS Elastic Load Balancer) for workload web application and services (either on the server side or client side, or on both) by ensuring that any clients connecting to your AWS resources use TLS v1.2 or later. Application load balancers should be configured to drop HTTP headers FTPS only should be required in your Function App Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Understand encryption in transit with Azure: AWS Transfer SFTP and FTPS: Application Load Balancer should be configured to redirect all HTTP requests to HTTPS Secure transfer to storage accounts should be enabled
For remote management of Azure virtual machines, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. For secure file transfer, use the SFTP/FTPS service in Azure Storage Blob, App Service apps, and Function apps, instead of using the regular FTP service. https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit For remote management of EC2 instances, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. For secure file transfer, use AWS Transfer SFTP or FTPS service instead of a regular FTP service. https://aws.amazon.com/aws-transfer-family/getting-started/?pg=ln&cp=bn Connections to Elasticsearch domains should be encrypted using TLS 1.2 FTPS should be required in your Web App Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
S3 buckets should require requests to use Secure Socket Layer Windows web servers should be configured to use secure communication protocols
Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure services by default. And some services such as Azure Storage and Application Gateway can enforce TLS v1.2 or later on the server side. Information on TLS Security: Note: All network traffic between AWS data centers is transparently encrypted at the physical layer. All traffic within a VPC and between peered VPCs across regions is transparently encrypted at the network layer when using supported Amazon EC2 instance types. TLS v1.2 or later is enabled on most AWS services by default. And some services such as AWS Load Balancer can enforce TLS v1.2 or later on the server side. Function App should only be accessible over HTTPS Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
https://docs.microsoft.com/security/engineering/solving-tls1-problem Latest TLS version should be used in your API App
FTPS only should be required in your API App
Enforce secure transfer in Azure storage: Web Application should only be accessible over HTTPS
https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account API App should only be accessible over HTTPS
Enforce SSL connection should be enabled for PostgreSQL database servers
Enforce SSL connection should be enabled for MySQL database servers
Latest TLS version should be used in your Web App
Latest TLS version should be used in your Function App
DP-4 Data Protection 14.8 - Encrypt Sensitive Information at Rest 3.11 - Encrypt Sensitive Data at Rest SC-28: PROTECTION OF INFORMATION AT REST 3.4 Enable data at rest encryption by default To complement access controls, data at rest should be protected against 'out of band' attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data. Many Azure services have data at rest encryption enabled by default at the infrastructure layer using a service-managed key. These service-managed keys are generated on the customer’s behalf and automatically rotated every two years. Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services Many AWS services have data at rest encryption enabled by default at the infrastructure/platform layer using an AWS-managed customer master key. These AWS-managed customer master keys are generated on the customer's behalf and rotated automatically every three years. AWS Protecting Data at Rest: API Gateway REST API cache data should be encrypted at rest nan Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.1.1 Ensure all S3 buckets employ encryption-at-rest (Manual) Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
3.5 https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/protecting-data-at-rest.html CloudTrail should have encryption at rest enabled Transparent Data Encryption on SQL databases should be enabled 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests (Manual)
Where technically feasible and not enabled by default, you can enable data at rest encryption in the Azure services, or in your VMs at the storage level, file level, or database level. Data at rest double encryption in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-models Where technically feasible and not enabled by default, you can enable data at rest encryption in the AWS services, or in your VMs at the storage level, file level, or database level DynamoDB Accelerator (DAX) clusters should be encrypted at rest Automation account variables should be encrypted 2.2.1 Ensure EBS volume encryption is enabled (Manual) Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Attached EBS volumes should be encrypted at rest Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign 2.3.1 Ensure that encryption is enabled for RDS Instances
Encryption model and key management table: EBS default encryption should be enabled (Automated) Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
https://docs.microsoft.com/azure/security/fundamentals/encryption-models Amazon EFS should be configured to encrypt file data at rest using AWS KMS
Elasticsearch domains should have encryption at-rest enabled Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
Amazon Elasticsearch Service domains should encrypt data sent between nodes
RDS DB instances should have encryption at rest enabled
RDS cluster snapshots and database snapshots should be encrypted at rest
S3 buckets should have server-side encryption enabled
SNS topics should be encrypted at rest using AWS KMS
AWS WAF Classic global web ACL logging should be enabled
Amazon SQS queues should be encrypted at rest
DynamoDB Accelerator (DAX) clusters should be encrypted at rest
DP-5 Data Protection 14.8 - Encrypt Sensitive Information at Rest 3.11 - Encrypt Sensitive Data at Rest SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT 3.4 Use customer-managed key option in data at rest encryption when required If required for regulatory compliance, define the use case and service scope where customer-managed key option is needed. Enable and implement data at rest encryption using customer-managed key in services. Azure also provides an encryption option using keys managed by yourself (customer-managed keys) for most services. Encryption model and key management table: AWS also provides an encryption option using keys managed by yourself (customer-managed customer master key stored in AWS Key Management Service) for certain services. AWS Services Integrated with AWS KMS: nan nan SQL managed instances should use customer-managed keys to encrypt data at rest nan Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
SC-28: PROTECTION OF INFORMATION AT REST 3.5 https://docs.microsoft.com/azure/security/fundamentals/encryption-models https://aws.amazon.com/kms/features/ SQL servers should use customer-managed keys to encrypt data at rest
3.6 Azure Key Vault Standard, Premium, and Managed HSM are natively integrated with many Azure Services for customer-managed key use cases. You may use Azure Key Vault to generate your key or bring your own keys. AWS Key Management Service (KMS) is natively integrated with many AWS services for customer-managed customer master key use cases. You may either use AWS Key Management Service (KMS) to generate your master keys or bring your own keys. PostgreSQL servers should use customer-managed keys to encrypt data at rest Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Services that support encryption using customer-managed key: https://docs.microsoft.com/azure/security/fundamentals/encryption-models#supporting-services AWS-managed and Customer-managed CMKs: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
However, using the customer-managed key option requires additional operational effort to manage the key lifecycle. This may include encryption key generation, rotation, revoke, and access control, etc. However, using the customer-managed key option requires additional operational efforts to manage the key lifecycle. This may include encryption key generation, rotation, revoke, and access control, etc. https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt Container registries should be encrypted with a customer-managed key Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
How to configure customer managed encryption keys in Azure Storage: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal Cognitive Services accounts should enable data encryption with a customer-managed key
Storage accounts should use customer-managed key for encryption Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
MySQL servers should use customer-managed keys to encrypt data at rest
Azure Machine Learning workspaces should be encrypted with a customer-managed key
DP-6 Data Protection nan nan IA-5: AUTHENTICATOR MANAGEMENT 3.6 Use a secure key management process Document and implement an enterprise cryptographic key management standard, processes, and procedures to control your key lifecycle. When there is a need to use customer-managed key in the services, use a secured key vault service for key generation, distribution, and storage. Rotate and revoke your keys based on the defined schedule and when there is a key retirement or compromise. Use Azure Key Vault to create and control your encryption keys life cycle, including key generation, distribution, and storage. Rotate and revoke your keys in Azure Key Vault and your service based on the defined schedule and when there is a key retirement or compromise. Require a certain cryptographic type and minimum key size when generating keys. Azure Key Vault overview: Use AWS Key Management Service (KMS) to create and control your encryption keys life cycle, including key generation, distribution, and storage. Rotate and revoke your keys in KMS and your service based on the defined schedule and when there is a key retirement or compromise. AWS-managed and Customer-managed CMKs: IAM users' access keys should be rotated every 90 days or less nan Key Vault keys should have an expiration date nan Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT https://docs.microsoft.com/azure/key-vault/general/overview https://docs.aws.amazon.com/whitepapers/latest/kms-best-practices/aws-managed-and-customer-managed-cmks.html Secrets Manager secrets should have automatic rotation enabled Key Vault secrets should have an expiration date
SC-28: PROTECTION OF INFORMATION AT REST When there is a need to use customer-managed key (CMK) in the workload services or applications, ensure you follow the best practices: When there is a need to use customer-managed customer master key in the workload services or applications, ensure you follow the best practices: Secrets Manager secrets configured with automatic rotation should rotate successfully Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Use a key hierarchy to generate a separate data encryption key (DEK) with your key encryption key (KEK) in your key vault. Azure data encryption at rest--Key Hierarchy: - Use a key hierarchy to generate a separate data encryption key (DEK) with your key encryption key (KEK) in your KMS. Importing key material in AWS KMS keys: Secrets Manager secrets should be rotated within a specified number of days
- Ensure keys are registered with Azure Key Vault and implemented via key IDs in each service or application. https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#key-hierarchy - Ensure keys are registered with KMS and implement via IAM policies in each service or application. https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
To maximize the key material lifetime and portability, bring your own key (BYOK) to the services (i.e., importing HSM-protected keys from your on-premises HSMs into Azure Key Vault). Follow the recommended guideline to perform the key generation and key transfer. BYOK(Bring Your Own Key) specification: To maximize the key material lifetime and portability, bring your own key (BYOK) to the services (i.e., importing HSM-protected keys from your on-premises HSMs into KMS or Cloud HSM). Follow the recommended guideline to perform the key generation and key transfer. Secure transfer of keys into to CloudHSM: Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
https://docs.microsoft.com/azure/key-vault/keys/byok-specification https://aws.amazon.com/premiumsupport/knowledge-center/cloudhsm-import-keys-openssl/
Note: Refer to the below for the FIPS 140-2 level for Azure Key Vault types and FIPS compliance/validation level. Note: AWS KMS uses shared HSM infrastructure in the backend. Use AWS KMS Custom Key Store backed by AWS CloudHSM when you need to manage your own key store and dedicated HSMs (e.g. regulatory compliance requirement for higher level of key security) to generate and store your encryption keys.
- Software-protected keys in vaults (Premium & Standard SKUs): FIPS 140-2 Level 1 Creating a custom key store backed by CloudHSM:
- HSM-protected keys in vaults (Premium SKU): FIPS 140-2 Level 2 Note: Refer to the below for the FIPS 140-2 level for FIPS compliance level in AWS KMS and CloudHSM https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html
- HSM-protected keys in Managed HSM: FIPS 140-2 Level 3 - AWS KMS default: FIPS 140-2 Level 2 validated
Azure Key Vault Premium uses a shared HSM infrastructure in the backend. Azure Key Vault Managed HSM uses dedicated, confidential service endpoints with a dedicated HSM for when you need a higher level of key security. - AWS KMS using CloudHSM: FIPS 140-2 Level 3 (for certain services) validated
- AWS CloudHSM: FIPS 140-2 Level 3 validated
Note: For secrets management(credentials, password, API keys etc.), use AWS Secrets Manager.
DP-7 Data Protection nan nan IA-5: AUTHENTICATOR MANAGEMENT 3.6 Use a secure certificate management process Document and implement an enterprise certificate management standard, processes and procedures which includes the certificate lifecycle control, and certificate policies (if a public key infrastructure is needed). Use Azure Key Vault to create and control the certificate lifecycle, including the creation/import, rotation, revocation, storage, and purge of the certificate. Ensure the certificate generation follows the defined standard without using any insecure properties, such as insufficient key size, overly long validity period, insecure cryptography and so on. Setup automatic rotation of the certificate in Azure Key Vault and supported Azure services based on the defined schedule and when a certificate expires. If automatic rotation is not supported in the frontend application, use a manual rotation in Azure Key Vault. Get started with Key Vault certificates: Use AWS Certificate Manager (ACM) to create and control the certificate lifecycle, including creation/import, rotation, revocation, storage, and purge of the certificate. Ensure the certificate generation follows the defined standard without using any insecure properties, such as insufficient key size, overly long validity period, insecure cryptography and so on. Setup automatic rotation of the certificate in ACM and supported AWS services based on the defined schedule and when a certificate expires. If automatic rotation is not supported in the frontend application, use manual rotation in ACM. In the meantime, you should always track your certificate renewal status to ensure the certificate validity. 
AWS Certificate Manager - Check a certificate's renewal status: [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates nan [Preview]: Certificates should have the specified maximum validity period nan Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT https://docs.microsoft.com/azure/key-vault/certificates/certificate-scenarios https://docs.aws.amazon.com/acm/latest/userguide/check-certificate-renewal-status.html
SC-17: PUBLIC KEY INFRASTRUCTURE CERTIFICATES Ensure certificates used by the critical services in your organization are inventoried, tracked, monitored, and renewed timely using automated mechanism to avoid service disruption. Avoid using a self-signed certificate and wildcard certificate in your critical services due to the limited security assurance. Instead, you can create public signed certificates in Azure Key Vault. The following Certificate Authorities (CAs) are the partnered providers that are currently integrated with Azure Key Vault. Avoid using a self-signed certificate and wildcard certificate in your critical services due to the limited security assurance. Instead, create public-signed certificates (signed by the Amazon Certificate Authority) in ACM and deploy it programmatically in services such as CloudFront, Load Balancers, API Gateway etc. You also can use ACM to establish your private certificate authority (CA) to sign the private certificates. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- DigiCert: Azure Key Vault offers OV TLS/SSL certificates with DigiCert. Certificate Access Control in Azure Key Vault:
- GlobalSign: Azure Key Vault offers OV TLS/SSL certificates with GlobalSign. https://docs.microsoft.com/azure/key-vault/certificates/certificate-access-control Note: Use only an approved CA and ensure that known bad CA root/intermediate certificates issued by these CAs are disabled. Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Note: Use only approved CA and ensure that known bad root/intermediate certificates issued by these CAs are disabled. Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
DP-8 Data Protection nan nan IA-5: AUTHENTICATOR MANAGEMENT 3.6 Ensure security of key and certificate repository Ensure the security of the key vault service used for the cryptographic key and certificate lifecycle management. Harden your key vault service through access control, network security, logging and monitoring and backup to ensure keys and certificates are always protected using the maximum security. Secure your cryptographic keys and certificates by hardening your Azure Key Vault service through the following controls: Azure Key Vault overview: For cryptographic keys security, secure your keys by hardening your AWS Key Management Service (KMS) service through the following controls: Security best practice for AWS Key Management Service: IAM customer managed policies should not allow decryption actions on all KMS keys nan Key vaults should have purge protection enabled nan Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT - Implement access control using RBAC policies in Azure Key Vault Managed HSM at the key level to ensure the least privilege and separation of duties principles are followed. For example, ensure separation of duties are in place for users who manage encryption keys so they do not have the ability to access encrypted data, and vice versa. For Azure Key Vault Standard and Premium, create unique vaults for different applications to ensure the least privilege and separation of duties principles are followed. https://docs.microsoft.com/azure/key-vault/general/overview - Implement access control using key policies (key-level access control) in conjunction with IAM policies (identity-based access control) to ensure the least privilege and separation of duties principles are followed. For example, ensure separation of duties are in place for users who manage encryption keys so they do not have the ability to access encrypted data, and vice versa. https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys Azure Defender for Key Vault should be enabled
SC-17: PUBLIC KEY INFRASTRUCTURE CERTIFICATES - Turn on Azure Key Vault logging to ensure critical management plane and data plane activities are logged. - Use detective controls such as CloudTrails to log and track the usage of keys in KMS and alert you on critical actions. AWS KMS keys should not be unintentionally deleted Key vaults should have soft delete enabled Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Secure the Azure Key Vault using Private Link and Azure Firewall to ensure minimal exposure of the service Azure Key Vault security best practices: - Never store keys in plaintext format outside of KMS. Security in AWS Certificate Manager: [Preview]: Azure Key Vault should disable public network access
- Use managed identity to access keys stored in Azure Key Vault in your workload applications. https://docs.microsoft.com/azure/key-vault/general/best-practices - When keys need to be deleted, consider disabling keys in KMS instead of deleting them to avoid accidental deletion of keys and cryptographic erasure of data. https://docs.aws.amazon.com/acm/latest/userguide/security.html [Preview]: Private endpoint should be configured for Key Vault Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
- When purging data, ensure your keys are not deleted before the actual data, backups and archives are purged. - When purging data, ensure your keys are not deleted before the actual data, backups and archives are purged. Resource logs in Key Vault should be enabled
- Backup your keys and certificates using Azure Key Vault. Enable soft delete and purge protection to avoid accidental deletion of keys.When keys need to be deleted, consider disabling keys instead of deleting them to avoid accidental deletion of keys and cryptographic erasure of data. Use managed identity to access Azure Key Vault: - For bring your own key (BYOK) uses cases, generate keys in an on-premise HSM and import them to maximize the lifetime and portability of the keys. Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
- For bring your own key (BYOK) use cases, generate keys in an on-premises HSM and import them to maximize the lifetime and portability of the keys. https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad
- Never store keys in plaintext format outside of the Azure Key Vault. Keys in all key vault services are not exportable by default. For certificates security, secure your certificates by hardening your AWS Certificate Manager (ACM) service through the following controls:
- Use HSM-backed key types (RSA-HSM) in Azure Key Vault Premium and Azure Managed HSM for the hardware protection and the strongest FIPS levels. Overview of Microsoft Defender for Key Vault: - Implement access control using resource-level policies in conjunction with IAM policies (identity-based access control) to ensure the least privilege and separation of duties principles are followed. For example, ensure separation of duties is in place for user accounts: user accounts who generate certificates are separate from the user accounts who only require read-only access to certificates.
https://learn.microsoft.com/azure/defender-for-cloud/defender-for-key-vault-introduction - Use detective controls such as CloudTrails to log and track the usage of the certificates in ACM, and alert you on critical actions.
Enable Microsoft Defender for Key Vault for Azure-native, advanced threat protection for Azure Key Vault, providing an additional layer of security intelligence. - Follow the KMS security guidance to secure your private key (generated for certificate request) used for service certificate integration.
\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Data Protection

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context: AWS Foundational Security Best Practices controls AWS Config Rule (WIP) Azure Policy CIS AWS Foundations Benchmark 1.4.0 Customer Security Stakeholders:
DP-1 Data Protection 13.1 - Maintain an Inventory of Sensitive Information 3.2 - Establish and Maintain a Data Inventory RA-2: SECURITY CATEGORIZATION A3.2 Discover, classify, and label sensitive data Establish and maintain an inventory of the sensitive data, based on the defined sensitive data scope. Use tools to discover, classify and label the in- scope sensitive data. Use tools such as Microsoft Purview, which combines the former Azure Purview and Microsoft 365 compliance solutions, and Azure SQL Data Discovery and Classification to centrally scan, classify, and label the sensitive data that reside in the Azure, on-premises, Microsoft 365, and other locations. Data classification overview: Replicate your data from various sources to a S3 storage bucket and use AWS Macie to scan, classify and label the sensitive data stored in the bucket. AWS Macie can detect sensitive data such as security credentials, financial information, PHI and PII data, or other data pattern based on the custom data identifier rules. Data Classification Process: nan nan [Preview]: Sensitive data in your SQL databases should be classified 2.3.1 Ensure that encryption is enabled for RDS Instances Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
14.5 - Utilize an Active Discovery Tool to Identify Sensitive Data 3.7 - Establish and Maintain a Data Classification Scheme SC-28: PROTECTION OF INFORMATION AT REST https://docs.microsoft.com/azure/cloud-adoption-framework/govern/policy-compliance/data-classification https://docs.aws.amazon.com/whitepapers/latest/data-classification/data-classification-process.html (Automated)
3.13 - Deploy a Data Loss Prevention Solution You may also use the Azure Purview multi-cloud scanning connector to scan, classify and label the sensitive data residing in a S3 storage bucket. Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
Labeling in the Microsoft Purview Data Map: AWS Marketplace - DLP Solution:
https://docs.microsoft.com/azure/purview/create-sensitivity-label Note: You can also use third-party enterprise solutions from AWS marketplace for the purpose of data discovery classification and labeling https://aws.amazon.com/marketplace/search/results?searchTerms=DLP Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Tag sensitive information using Azure Information Protection:
https://docs.microsoft.com/azure/information-protection/what-is-information-protection
How to implement Azure SQL Data Discovery:
https://docs.microsoft.com/azure/sql-database/sql-database-data-discovery-and-classification
Microsoft Purview data sources:
https://docs.microsoft.com/azure/purview/purview-connector-overview#purview-data-sources
DP-2 Data Protection 13.3 - Monitor and Block Unauthorized Network Traffic 3.13 - Deploy a Data Loss Prevention Solution AC-4: INFORMATION FLOW ENFORCEMENT A3.2 Monitor anomalies and threats targeting sensitive data Monitor for anomalies around sensitive data, such as unauthorized transfer of data to locations outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or unusual transfers) that could indicate unauthorized data exfiltration. Use Azure Information protection (AIP) to monitor the data that has been classified and labeled. Enable Azure Defender for SQL: Use AWS Macie to monitor the data that has been classified and labeled, and use GuardDuty to detect anomalous activities on some resources (S3, EC2 or Kubernetes or IAM resources). Findings and alerts can be triaged, analyzed, and tracked using EventBridge and forwarded to Microsoft Sentinel or Security Hub for incident aggregation and tracking. GuardDuty S3 finding types: nan nan Azure Defender for open-source relational databases should be enabled nan Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
14.7 - Enforce Access Control to Data through Automated Tools SI-4: INFORMATION SYSTEM MONITORING https://docs.microsoft.com/azure/azure-sql/database/azure-defender-for-sql https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html Azure Defender for Storage should be enabled
Use Microsoft Defender for Storage, Microsoft Defender for SQL, Microsoft Defender for open-source relational databases, and Microsoft Defender for Cosmos DB to alert on anomalous transfer of information that might indicate unauthorized transfers of sensitive data information. You may also connect your AWS accounts to Microsoft Defender for Cloud for compliance checks, container security, and endpoint security capabilities. Azure Defender for SQL servers on machines should be enabled Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Enable Azure Defender for Storage: Amazon S3 protection in Amazon GuardDuty: Azure Defender for Azure SQL Database servers should be enabled
Note: If required for compliance of data loss prevention (DLP), you can use a host-based DLP solution from Azure Marketplace or a Microsoft 365 DLP solution to enforce detective and/or preventative controls to prevent data exfiltration. https://docs.microsoft.com/azure/storage/common/storage-advanced-threat-protection?tabs=azure-security-center Note: If required for compliance of data loss prevention (DLP), you can use a host-based DLP solution from AWS Marketplace. https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances
Enable Microsoft Defender for Azure Cosmos DB:
https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-enable-cosmos-protections?tabs=azure-portal
Enable Microsoft Defender for open-source relational databases and respond to alerts:
https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-usage
DP-3 Data Protection 14.4 - Encrypt All Sensitive Information in Transit 3.10 - Encrypt Sensitive Data In Transit SC-8: TRANSMISSION CONFIDENTIALITY AND INTEGRITY 3.5 Encrypt sensitive data in transit Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in. Double encryption for Azure data in transit: Enforce secure transfer in services such as Amazon S3, RDS and CloudFront, where a native data in transit encryption feature is built in. TLS security policies in Elastic Load Balancer: CloudFront distributions should require encryption in transit nan Kubernetes clusters should be accessible only over HTTPS 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests (Manual) Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
3.6 https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#tls-security-policies Classic Load Balancer listeners should be configured with HTTPS or TLS termination Only secure connections to your Azure Cache for Redis should be enabled
4.1 Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, it is critical for traffic on external and public networks. Enforce HTTPS for web application workloads and services by ensuring that any clients connecting to your Azure resources use transport layer security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Enforce HTTPS (such as in AWS Elastic Load Balancer) for workload web applications and services (either on the server side or client side, or on both) by ensuring that any clients connecting to your AWS resources use TLS v1.2 or later. Application load balancers should be configured to drop HTTP headers FTPS only should be required in your Function App Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Understand encryption in transit with Azure: AWS Transfer SFTP and FTPS: Application Load Balancer should be configured to redirect all HTTP requests to HTTPS Secure transfer to storage accounts should be enabled
For remote management of Azure virtual machines, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. For secure file transfer, use the SFTP/FTPS service in Azure Storage Blob, App Service apps, and Function apps, instead of using the regular FTP service. https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit For remote management of EC2 instances, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. For secure file transfer, use AWS Transfer SFTP or FTPS service instead of a regular FTP service. https://aws.amazon.com/aws-transfer-family/getting-started/?pg=ln&cp=bn Connections to Elasticsearch domains should be encrypted using TLS 1.2 FTPS should be required in your Web App Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
S3 buckets should require requests to use Secure Socket Layer Windows web servers should be configured to use secure communication protocols
Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure services by default. And some services such as Azure Storage and Application Gateway can enforce TLS v1.2 or later on the server side. Information on TLS Security: Note: All network traffic between AWS data centers is transparently encrypted at the physical layer. All traffic within a VPC and between peered VPCs across regions is transparently encrypted at the network layer when using supported Amazon EC2 instance types. TLS v1.2 or later is enabled on most AWS services by default. And some services such as AWS Load Balancer can enforce TLS v1.2 or later on the server side. Function App should only be accessible over HTTPS Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
https://docs.microsoft.com/security/engineering/solving-tls1-problem Latest TLS version should be used in your API App
FTPS only should be required in your API App
Enforce secure transfer in Azure storage: Web Application should only be accessible over HTTPS
https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account API App should only be accessible over HTTPS
Enforce SSL connection should be enabled for PostgreSQL database servers
Enforce SSL connection should be enabled for MySQL database servers
Latest TLS version should be used in your Web App
Latest TLS version should be used in your Function App
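As an added example that is not part of the benchmark, the following Python script applies the DP-3 checks above (secure transfer required, TLS 1.2 or later, FTPS only or FTP disabled) to Azure Storage accounts and App Service apps. The sample resources are constructed inline; the field names (enableHttpsTrafficOnly, minimumTlsVersion, httpsOnly, minTlsVersion, ftpsState) are assumed to match the output of `az storage account show`, `az webapp show` and `az webapp config show`, so verify them against your own CLI output before wiring this into a pipeline.

```python
"""Audit data-in-transit settings on Azure Storage accounts and App Service apps.

Added example, not part of the benchmark or of any Microsoft tooling. The
input dictionaries are constructed here and mirror the field names returned by
`az storage account show`, `az webapp show` and `az webapp config show`;
those names are an assumption to verify against your own CLI output.
"""
from __future__ import annotations

# "TLS v1.2 or later", in the two spellings the two services use.
STORAGE_TLS_OK = {"TLS1_2", "TLS1_3"}
APP_TLS_OK = {"1.2", "1.3"}
FTPS_OK = {"FtpsOnly", "Disabled"}  # FTPS-only is the floor; no FTP at all is stricter


def audit_storage_account(acct: dict) -> list[str]:
    """Findings for one storage account; an empty list means compliant."""
    findings: list[str] = []
    if not acct.get("enableHttpsTrafficOnly", False):
        findings.append("secure transfer required is off: HTTP access to blobs/files is allowed")
    # An absent minimumTlsVersion falls back to the platform default, which on
    # older accounts can be TLS1_0, so "unset" is treated as a finding.
    tls = acct.get("minimumTlsVersion")
    if tls not in STORAGE_TLS_OK:
        findings.append(f"minimumTlsVersion is {tls or 'unset'}; require TLS1_2 or later")
    return findings


def audit_web_app(app: dict) -> list[str]:
    """Findings for one Web/API/Function app (site and site config merged)."""
    findings: list[str] = []
    if not app.get("httpsOnly", False):
        findings.append("httpsOnly is false: plain HTTP is served instead of redirected to HTTPS")
    tls = app.get("minTlsVersion")
    if tls not in APP_TLS_OK:
        findings.append(f"minTlsVersion is {tls or 'unset'}; require 1.2 or later")
    ftps = app.get("ftpsState")
    if ftps not in FTPS_OK:
        findings.append(f"ftpsState is {ftps or 'unset'}: unencrypted FTP deployment is allowed")
    return findings


def audit_transit(storage_accounts: list[dict], web_apps: list[dict]) -> dict[str, list[str]]:
    """Map resource name -> findings, listing only non-compliant resources."""
    report: dict[str, list[str]] = {}
    for acct in storage_accounts:
        if (f := audit_storage_account(acct)):
            report[acct["name"]] = f
    for app in web_apps:
        if (f := audit_web_app(app)):
            report[app["name"]] = f
    return report


# Constructed sample data: one compliant and one weak resource of each kind.
SAMPLE_STORAGE = [
    {"name": "stpayroll", "enableHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"},
    {"name": "stlegacy", "enableHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0"},
]
SAMPLE_APPS = [
    {"name": "api-orders", "httpsOnly": True, "minTlsVersion": "1.2", "ftpsState": "Disabled"},
    {"name": "web-intranet", "httpsOnly": False, "minTlsVersion": "1.0", "ftpsState": "AllAllowed"},
]

if __name__ == "__main__":
    for name, findings in audit_transit(SAMPLE_STORAGE, SAMPLE_APPS).items():
        print(name)
        for line in findings:
            print("  -", line)
```

In a real run, feed the script the JSON from `az storage account list` and `az webapp list` (merged with each app's `az webapp config show`) instead of the constructed samples; the checks map one-to-one onto the "Secure transfer", "Latest TLS version" and "FTPS only" policies listed in this row.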
DP-4 Data Protection 14.8 - Encrypt Sensitive Information at Rest 3.11 - Encrypt Sensitive Data at Rest SC-28: PROTECTION OF INFORMATION AT REST 3.4 Enable data at rest encryption by default To complement access controls, data at rest should be protected against 'out of band' attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data. Many Azure services have data at rest encryption enabled by default at the infrastructure layer using a service-managed key. These service-managed keys are generated on the customer’s behalf and automatically rotated every two years. Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services Many AWS services have data at rest encryption enabled by default at the infrastructure/platform layer using an AWS-managed customer master key. These AWS-managed customer master keys are generated on the customer's behalf and rotated automatically every three years. AWS Protecting Data at Rest: API Gateway REST API cache data should be encrypted at rest Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.1.1 Ensure all S3 buckets employ encryption-at-rest (Manual) Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
3.5 https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/protecting-data-at-rest.html CloudTrail should have encryption at rest enabled Transparent Data Encryption on SQL databases should be enabled 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests (Manual)
Where technically feasible and not enabled by default, you can enable data at rest encryption in the Azure services, or in your VMs at the storage level, file level, or database level. Data at rest double encryption in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-models Where technically feasible and not enabled by default, you can enable data at rest encryption in the AWS services, or in your VMs at the storage level, file level, or database level. DynamoDB Accelerator (DAX) clusters should be encrypted at rest Automation account variables should be encrypted 2.2.1 Ensure EBS volume encryption is enabled (Manual) Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Attached EBS volumes should be encrypted at rest Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign 2.3.1 Ensure that encryption is enabled for RDS Instances
Encryption model and key management table: EBS default encryption should be enabled (Automated) Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
https://docs.microsoft.com/azure/security/fundamentals/encryption-models Amazon EFS should be configured to encrypt file data at rest using AWS KMS
Elasticsearch domains should have encryption at-rest enabled Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
Amazon Elasticsearch Service domains should encrypt data sent between nodes
RDS DB instances should have encryption at rest enabled
RDS cluster snapshots and database snapshots should be encrypted at rest
S3 buckets should have server-side encryption enabled
SNS topics should be encrypted at rest using AWS KMS
AWS WAF Classic global web ACL logging should be enabled
Amazon SQS queues should be encrypted at rest
DynamoDB Accelerator (DAX) clusters should be encrypted at rest
DP-5 Data Protection 14.8 - Encrypt Sensitive Information at Rest 3.11 - Encrypt Sensitive Data at Rest SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT 3.4 Use customer-managed key option in data at rest encryption when required If required for regulatory compliance, define the use case and service scope where the customer-managed key option is needed. Enable and implement data at rest encryption using a customer-managed key in those services. Azure also provides an encryption option using keys managed by yourself (customer-managed keys) for most services. Encryption model and key management table: AWS also provides an encryption option using keys managed by yourself (customer-managed customer master key stored in AWS Key Management Service) for certain services. AWS Services Integrated with AWS KMS: SQL managed instances should use customer-managed keys to encrypt data at rest Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
SC-28: PROTECTION OF INFORMATION AT REST 3.5 https://docs.microsoft.com/azure/security/fundamentals/encryption-models https://aws.amazon.com/kms/features/ SQL servers should use customer-managed keys to encrypt data at rest
3.6 Azure Key Vault Standard, Premium, and Managed HSM are natively integrated with many Azure Services for customer-managed key use cases. You may use Azure Key Vault to generate your key or bring your own keys. AWS Key Management Service (KMS) is natively integrated with many AWS services for customer-managed customer master key use cases. You may either use AWS Key Management Service (KMS) to generate your master keys or bring your own keys. PostgreSQL servers should use customer-managed keys to encrypt data at rest Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Services that support encryption using customer-managed key: https://docs.microsoft.com/azure/security/fundamentals/encryption-models#supporting-services AWS-managed and Customer-managed CMKs: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
However, using the customer-managed key option requires additional operational effort to manage the key lifecycle. This may include encryption key generation, rotation, revoke, and access control, etc. However, using the customer-managed key option requires additional operational efforts to manage the key lifecycle. This may include encryption key generation, rotation, revoke, and access control, etc. https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt Container registries should be encrypted with a customer-managed key Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
How to configure customer managed encryption keys in Azure Storage: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal Cognitive Services accounts should enable data encryption with a customer-managed key
Storage accounts should use customer-managed key for encryption Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
MySQL servers should use customer-managed keys to encrypt data at rest
Azure Machine Learning workspaces should be encrypted with a customer-managed key
DP-6 Data Protection IA-5: AUTHENTICATOR MANAGEMENT 3.6 Use a secure key management process Document and implement an enterprise cryptographic key management standard, processes, and procedures to control your key lifecycle. When there is a need to use a customer-managed key in the services, use a secured key vault service for key generation, distribution, and storage. Rotate and revoke your keys based on the defined schedule and when there is a key retirement or compromise. Use Azure Key Vault to create and control your encryption key lifecycle, including key generation, distribution, and storage. Rotate and revoke your keys in Azure Key Vault and your service based on the defined schedule and when there is a key retirement or compromise. Require a certain cryptographic type and minimum key size when generating keys. Azure Key Vault overview: Use AWS Key Management Service (KMS) to create and control your encryption key lifecycle, including key generation, distribution, and storage. Rotate and revoke your keys in KMS and your service based on the defined schedule and when there is a key retirement or compromise. AWS-managed and Customer-managed CMKs: IAM users' access keys should be rotated every 90 days or less Key Vault keys should have an expiration date Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT https://docs.microsoft.com/azure/key-vault/general/overview https://docs.aws.amazon.com/whitepapers/latest/kms-best-practices/aws-managed-and-customer-managed-cmks.html Secrets Manager secrets should have automatic rotation enabled Key Vault secrets should have an expiration date
SC-28: PROTECTION OF INFORMATION AT REST When there is a need to use customer-managed key (CMK) in the workload services or applications, ensure you follow the best practices: When there is a need to use customer-managed customer master key in the workload services or applications, ensure you follow the best practices: Secrets Manager secrets configured with automatic rotation should rotate successfully Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Use a key hierarchy to generate a separate data encryption key (DEK) with your key encryption key (KEK) in your key vault. Azure data encryption at rest--Key Hierarchy: - Use a key hierarchy to generate a separate data encryption key (DEK) with your key encryption key (KEK) in your KMS. Importing key material in AWS KMS keys: Secrets Manager secrets should be rotated within a specified number of days
- Ensure keys are registered with Azure Key Vault and implemented via key IDs in each service or application. https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#key-hierarchy - Ensure keys are registered with KMS and implemented via IAM policies in each service or application. https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
To maximize the key material lifetime and portability, bring your own key (BYOK) to the services (e.g., by importing HSM-protected keys from your on-premises HSMs into Azure Key Vault). Follow the recommended guideline to perform the key generation and key transfer. BYOK (Bring Your Own Key) specification: To maximize the key material lifetime and portability, bring your own key (BYOK) to the services (e.g., by importing HSM-protected keys from your on-premises HSMs into KMS or CloudHSM). Follow the recommended guideline to perform the key generation and key transfer. Secure transfer of keys into CloudHSM: Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
https://docs.microsoft.com/azure/key-vault/keys/byok-specification https://aws.amazon.com/premiumsupport/knowledge-center/cloudhsm-import-keys-openssl/
Note: The FIPS 140-2 validation level for each Azure Key Vault key type is listed below. Note: AWS KMS uses a shared HSM infrastructure in the backend. Use an AWS KMS custom key store backed by AWS CloudHSM when you need to manage your own key store and dedicated HSMs (e.g., a regulatory requirement for a higher level of key security) to generate and store your encryption keys.
- Software-protected keys in vaults (Premium & Standard SKUs): FIPS 140-2 Level 1 Creating a custom key store backed by CloudHSM:
- HSM-protected keys in vaults (Premium SKU): FIPS 140-2 Level 2 Note: The FIPS 140-2 validation level for AWS KMS and CloudHSM is listed below. https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html
- HSM-protected keys in Managed HSM: FIPS 140-2 Level 3 - AWS KMS default: FIPS 140-2 Level 2 validated
Azure Key Vault Premium uses a shared HSM infrastructure in the backend. Azure Key Vault Managed HSM uses dedicated, confidential service endpoints with a dedicated HSM for when you need a higher level of key security. - AWS KMS using CloudHSM: FIPS 140-2 Level 3 (for certain services) validated
- AWS CloudHSM: FIPS 140-2 Level 3 validated
Note: For secrets management (credentials, passwords, API keys, etc.), use AWS Secrets Manager.
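The key hierarchy recommended above (a per-record DEK wrapped by a KEK that stays in the vault) is easiest to see in code. The following Python example is added here and is not benchmark or vendor code. It keeps the KEKs in an in-memory dict standing in for Key Vault or KMS and, because the standard library has no AES, uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stand-in for the AES-GCM or AES key wrap that a real service (Key Vault wrapKey/unwrapKey, KMS GenerateDataKey/Decrypt) would apply. The part worth noticing is `rotate_kek`: rotating or retiring a KEK re-wraps the small DEK and leaves the data ciphertext untouched, and once the old KEK is removed from the vault, records still wrapped under it fail closed.

```python
"""Envelope encryption with a key hierarchy (KEK wraps DEK), plus KEK rotation.

Added example; not benchmark or vendor code. The `keks` dict is a constructed
stand-in for the key vault, and the cipher is an HMAC-SHA256 counter-mode
keystream with an encrypt-then-MAC tag, used only because the standard library
has no AES; a real service wraps with AES-KW or AES-GCM.
"""
from __future__ import annotations

import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC subkeys from one 256-bit key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag, with the aad bound into the tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# ---- key hierarchy: KEK (in the vault) wraps a per-record DEK -------------

def encrypt_record(keks: dict[str, bytes], kek_id: str, plaintext: bytes) -> dict:
    """Fresh DEK per record; the DEK is stored only wrapped under the named KEK."""
    dek = os.urandom(32)
    return {
        "kek_id": kek_id,  # which KEK version wrapped this DEK
        "wrapped_dek": aead_encrypt(keks[kek_id], dek, aad=kek_id.encode()),
        "ciphertext": aead_encrypt(dek, plaintext),
    }


def decrypt_record(keks: dict[str, bytes], record: dict) -> bytes:
    """Raises KeyError if the wrapping KEK has been revoked or removed from the vault."""
    kek = keks[record["kek_id"]]
    dek = aead_decrypt(kek, record["wrapped_dek"], aad=record["kek_id"].encode())
    return aead_decrypt(dek, record["ciphertext"])


def rotate_kek(keks: dict[str, bytes], record: dict, new_kek_id: str) -> dict:
    """Re-wrap the DEK under a new KEK version; the data ciphertext is untouched.

    This is the point of the hierarchy: KEK rotation costs one small re-wrap per
    record instead of re-encrypting every byte of stored data.
    """
    dek = aead_decrypt(keks[record["kek_id"]], record["wrapped_dek"], aad=record["kek_id"].encode())
    return {
        "kek_id": new_kek_id,
        "wrapped_dek": aead_encrypt(keks[new_kek_id], dek, aad=new_kek_id.encode()),
        "ciphertext": record["ciphertext"],
    }


if __name__ == "__main__":
    vault = {"kek/v1": os.urandom(32)}            # constructed stand-in for Key Vault / KMS
    rec = encrypt_record(vault, "kek/v1", b"account=12345 balance=999")
    vault["kek/v2"] = os.urandom(32)              # new KEK version
    rec = rotate_kek(vault, rec, "kek/v2")
    del vault["kek/v1"]                           # retire the old version
    print(decrypt_record(vault, rec))
```

The ordering in the demo matters in practice too: rotate every record to the new KEK version first, verify, and only then retire the old one; deleting the KEK before all DEKs are re-wrapped is the cryptographic erasure the DP-8 bullets warn about.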
DP-7 Data Protection IA-5: AUTHENTICATOR MANAGEMENT 3.6 Use a secure certificate management process Document and implement an enterprise certificate management standard, processes and procedures which include certificate lifecycle control and certificate policies (if a public key infrastructure is needed). Use Azure Key Vault to create and control the certificate lifecycle, including the creation/import, rotation, revocation, storage, and purge of the certificate. Ensure the certificate generation follows the defined standard without using any insecure properties, such as insufficient key size, overly long validity period, or insecure cryptography. Set up automatic rotation of the certificate in Azure Key Vault and supported Azure services based on the defined schedule and when a certificate expires. If automatic rotation is not supported in the frontend application, use manual rotation in Azure Key Vault. Get started with Key Vault certificates: Use AWS Certificate Manager (ACM) to create and control the certificate lifecycle, including creation/import, rotation, revocation, storage, and purge of the certificate. Ensure the certificate generation follows the defined standard without using any insecure properties, such as insufficient key size, overly long validity period, or insecure cryptography. Set up automatic rotation of the certificate in ACM and supported AWS services based on the defined schedule and when a certificate expires. If automatic rotation is not supported in the frontend application, use manual rotation in ACM. In either case, always track your certificate renewal status to ensure the certificate remains valid.
AWS Certificate Manager - Check a certificate's renewal status: [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates [Preview]: Certificates should have the specified maximum validity period Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT https://docs.microsoft.com/azure/key-vault/certificates/certificate-scenarios https://docs.aws.amazon.com/acm/latest/userguide/check-certificate-renewal-status.html
SC-17: PUBLIC KEY INFRASTRUCTURE CERTIFICATES Ensure certificates used by the critical services in your organization are inventoried, tracked, monitored, and renewed in a timely manner using an automated mechanism to avoid service disruption. Avoid using self-signed certificates and wildcard certificates in your critical services due to their limited security assurance. Instead, you can create publicly signed certificates in Azure Key Vault. The following Certificate Authorities (CAs) are the partnered providers currently integrated with Azure Key Vault. Avoid using self-signed certificates and wildcard certificates in your critical services due to their limited security assurance. Instead, create publicly signed certificates (signed by the Amazon Certificate Authority) in ACM and deploy them programmatically in services such as CloudFront, Load Balancers, API Gateway etc. You can also use ACM to establish your private certificate authority (CA) to sign private certificates. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- DigiCert: Azure Key Vault offers OV TLS/SSL certificates with DigiCert. Certificate Access Control in Azure Key Vault:
- GlobalSign: Azure Key Vault offers OV TLS/SSL certificates with GlobalSign. https://docs.microsoft.com/azure/key-vault/certificates/certificate-access-control Note: Use only an approved CA and ensure that known-bad root/intermediate certificates issued by these CAs are disabled. Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Note: Use only an approved CA and ensure that known-bad root/intermediate certificates issued by these CAs are disabled. Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
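An added Python example, not part of the benchmark or of Key Vault, that checks a Key Vault certificate policy for the insecure properties named in this row: a self-signed or unapproved issuer, an RSA key below 2048 bits, an overly long validity period, wildcard names (in the subject or hiding in a SAN), and no automatic renewal action. The policy dictionaries are constructed to mirror the shape of `az keyvault certificate get-default-policy` output; that field layout, the approved-issuer list (the two integrated CAs named above) and the 13-month ceiling (the CA/Browser Forum limit of 398 days for publicly trusted TLS certificates) are this example's assumptions, not the benchmark's.

```python
"""Validate an Azure Key Vault certificate policy against the DP-7 guidance.

Added example; not part of the benchmark or of Key Vault. The policy dicts are
constructed to mirror `az keyvault certificate get-default-policy` output
(issuerParameters, keyProperties, x509CertificateProperties, lifetimeActions);
treat that layout, the issuer list and the validity ceiling as assumptions.
"""
from __future__ import annotations

APPROVED_ISSUERS = {"DigiCert", "GlobalSign"}  # integrated public CAs named in the benchmark
MIN_RSA_BITS = 2048
MAX_VALIDITY_MONTHS = 13  # 398-day public-trust ceiling, rounded up to whole months


def _names(x509: dict) -> list[str]:
    """Subject CN plus DNS SANs, so a wildcard hiding in a SAN is not missed."""
    names = []
    for rdn in x509.get("subject", "").split(","):
        k, _, v = rdn.strip().partition("=")
        if k.upper() == "CN":
            names.append(v)
    names += x509.get("subjectAlternativeNames", {}).get("dnsNames", []) or []
    return names


def validate_certificate_policy(policy: dict) -> list[str]:
    """Return a list of violations; an empty list means the policy is acceptable."""
    issues: list[str] = []
    issuer = policy.get("issuerParameters", {}).get("name", "")
    key = policy.get("keyProperties", {})
    x509 = policy.get("x509CertificateProperties", {})

    # "Self" is self-signed; "Unknown" means a CSR signed outside Key Vault, so
    # the approved-CA rule has to be enforced wherever that CSR is submitted.
    if issuer == "Self":
        issues.append("self-signed certificate (issuer 'Self')")
    elif issuer != "Unknown" and issuer not in APPROVED_ISSUERS:
        issues.append(f"issuer '{issuer}' is not an approved CA")

    # keyType is "RSA" or "RSA-HSM" for RSA keys.
    if key.get("keyType", "").startswith("RSA") and int(key.get("keySize", 0)) < MIN_RSA_BITS:
        issues.append(f"RSA key size {key.get('keySize')} is below {MIN_RSA_BITS} bits")

    months = int(x509.get("validityInMonths", 0))
    if months > MAX_VALIDITY_MONTHS:
        issues.append(f"validity of {months} months exceeds {MAX_VALIDITY_MONTHS}")

    wildcards = [n for n in _names(x509) if n.startswith("*.")]
    if wildcards:
        issues.append(f"wildcard name(s) {wildcards}: one key covers every host in the domain")

    # Without an AutoRenew action the certificate expires silently unless someone
    # watches the EmailContacts notification and rotates it by hand.
    actions = {a.get("action", {}).get("actionType") for a in policy.get("lifetimeActions", [])}
    if "AutoRenew" not in actions:
        issues.append("no AutoRenew lifetime action configured")
    return issues


# Constructed policies: one that breaks every rule and one that follows the guidance.
WEAK_POLICY = {
    "issuerParameters": {"name": "Self"},
    "keyProperties": {"keyType": "RSA", "keySize": 1024, "exportable": True},
    "x509CertificateProperties": {"subject": "CN=*.corp.example", "validityInMonths": 36},
    "lifetimeActions": [{"action": {"actionType": "EmailContacts"}, "trigger": {"daysBeforeExpiry": 30}}],
}
GOOD_POLICY = {
    "issuerParameters": {"name": "DigiCert"},
    "keyProperties": {"keyType": "RSA", "keySize": 2048, "exportable": False},
    "x509CertificateProperties": {
        "subject": "CN=api.corp.example",
        "subjectAlternativeNames": {"dnsNames": ["api.corp.example", "api-eu.corp.example"]},
        "validityInMonths": 12,
    },
    "lifetimeActions": [{"action": {"actionType": "AutoRenew"}, "trigger": {"daysBeforeExpiry": 30}}],
}

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("good", GOOD_POLICY)):
        print(label, validate_certificate_policy(policy) or "OK")
```

Run it over the policy of every certificate in a vault (`az keyvault certificate list` followed by `az keyvault certificate show`) to inventory the certificates that the "[Preview]: Certificates should have the specified maximum validity period" policy would also flag, plus the issuer and wildcard conditions that policy does not cover.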
DP-8 Data Protection IA-5: AUTHENTICATOR MANAGEMENT 3.6 Ensure security of key and certificate repository Ensure the security of the key vault service used for the cryptographic key and certificate lifecycle management. Harden your key vault service through access control, network security, logging and monitoring and backup to ensure keys and certificates are always protected using the maximum security. Secure your cryptographic keys and certificates by hardening your Azure Key Vault service through the following controls: Azure Key Vault overview: To secure your cryptographic keys, harden your AWS Key Management Service (KMS) service through the following controls: Security best practice for AWS Key Management Service: IAM customer managed policies should not allow decryption actions on all KMS keys Key vaults should have purge protection enabled Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT - Implement access control using RBAC policies in Azure Key Vault Managed HSM at the key level to ensure the least privilege and separation of duties principles are followed. For example, ensure separation of duties is in place for users who manage encryption keys so they do not have the ability to access encrypted data, and vice versa. For Azure Key Vault Standard and Premium, create unique vaults for different applications to ensure the least privilege and separation of duties principles are followed. https://docs.microsoft.com/azure/key-vault/general/overview - Implement access control using key policies (key-level access control) in conjunction with IAM policies (identity-based access control) to ensure the least privilege and separation of duties principles are followed. For example, ensure separation of duties is in place for users who manage encryption keys so they do not have the ability to access encrypted data, and vice versa. https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys Azure Defender for Key Vault should be enabled
SC-17: PUBLIC KEY INFRASTRUCTURE CERTIFICATES - Turn on Azure Key Vault logging to ensure critical management plane and data plane activities are logged. - Use detective controls such as CloudTrail to log and track the usage of keys in KMS and alert you on critical actions. AWS KMS keys should not be unintentionally deleted Key vaults should have soft delete enabled Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Secure the Azure Key Vault using Private Link and Azure Firewall to ensure minimal exposure of the service Azure Key Vault security best practices: - Never store keys in plaintext format outside of KMS. Security in AWS Certificate Manager: [Preview]: Azure Key Vault should disable public network access
- Use managed identity to access keys stored in Azure Key Vault in your workload applications. https://docs.microsoft.com/azure/key-vault/general/best-practices - When keys need to be deleted, consider disabling keys in KMS instead of deleting them to avoid accidental deletion of keys and cryptographic erasure of data. https://docs.aws.amazon.com/acm/latest/userguide/security.html [Preview]: Private endpoint should be configured for Key Vault Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
- When purging data, ensure your keys are not deleted before the actual data, backups and archives are purged. - When purging data, ensure your keys are not deleted before the actual data, backups and archives are purged. Resource logs in Key Vault should be enabled
- Back up your keys and certificates using Azure Key Vault. Enable soft delete and purge protection to avoid accidental deletion of keys. When keys need to be deleted, consider disabling keys instead of deleting them to avoid accidental deletion of keys and cryptographic erasure of data. Use managed identity to access Azure Key Vault: - For bring your own key (BYOK) use cases, generate keys in an on-premises HSM and import them to maximize the lifetime and portability of the keys. Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security
- For bring your own key (BYOK) use cases, generate keys in an on-premises HSM and import them to maximize the lifetime and portability of the keys. https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad
- Never store keys in plaintext format outside of the Azure Key Vault. Keys in all key vault services are not exportable by default. For certificates security, secure your certificates by hardening your AWS Certificate Manager (ACM) service through the following controls:
- Use HSM-backed key types (RSA-HSM) in Azure Key Vault Premium and Azure Managed HSM for the hardware protection and the strongest FIPS levels. Overview of Microsoft Defender for Key Vault: - Implement access control using resource-level policies in conjunction with IAM policies (identity-based access control) to ensure the least privilege and separation of duties principles are followed. For example, ensure separation of duties is in place for user accounts: user accounts who generate certificates are separate from the user accounts who only require read-only access to certificates.
https://learn.microsoft.com/azure/defender-for-cloud/defender-for-key-vault-introduction - Use detective controls such as CloudTrail to log and track the usage of the certificates in ACM, and alert you on critical actions.
Enable Microsoft Defender for Key Vault for Azure-native, advanced threat protection for Azure Key Vault, providing an additional layer of security intelligence. - Follow the KMS security guidance to secure your private key (generated for certificate request) used for service certificate integration.
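The Key Vault hardening bullets in this row can be turned into a repeatable audit. The following Python example is added here and is not Microsoft tooling; it evaluates soft delete, purge protection, Azure RBAC authorization, network exposure and AuditEvent logging for each vault, and also catches the failure mode where public access was disabled before a private endpoint existed (the vault is then simply unreachable). The vault and diagnostic-setting dictionaries are constructed inline and assumed to follow the field names of `az keyvault show` and `az monitor diagnostic-settings list`; check those names against your own output before relying on the script.

```python
"""Audit Azure Key Vault hardening against the DP-8 guidance.

Added example; not part of the benchmark or of any Microsoft tool. The vault
dicts are constructed to mirror `az keyvault show` output (properties.enableSoftDelete,
enablePurgeProtection, enableRbacAuthorization, publicNetworkAccess, networkAcls,
privateEndpointConnections) and the diagnostic-settings list is shaped like
`az monitor diagnostic-settings list`; both layouts are assumptions to verify.
"""
from __future__ import annotations


def audit_key_vault(vault: dict, diagnostic_settings: list[dict]) -> list[str]:
    """Return findings for one vault; an empty list means every check passed."""
    p = vault.get("properties", {})
    findings: list[str] = []

    # Recovery controls: soft delete keeps a deleted key recoverable for the
    # retention window; purge protection stops anyone, owners included, from
    # force-purging inside that window, so data still encrypted under the key
    # (including backups and archives) stays decryptable.
    if not p.get("enableSoftDelete", False):
        findings.append("soft delete disabled: a deleted key is unrecoverable immediately")
    if not p.get("enablePurgeProtection", False):
        findings.append("purge protection disabled: soft-deleted keys can still be purged early")

    # Access control: Azure RBAC gives per-key/secret roles that show up in the
    # role assignments you already review; vault access policies do not.
    if not p.get("enableRbacAuthorization", False):
        findings.append("vault access policies in use instead of Azure RBAC")

    # Network exposure: either public access is off (private endpoint only) or
    # the firewall default action is Deny with an explicit allow-list.
    acls = p.get("networkAcls") or {}
    public = p.get("publicNetworkAccess", "Enabled")
    private_endpoints = p.get("privateEndpointConnections") or []
    if public == "Enabled" and acls.get("defaultAction", "Allow") != "Deny":
        findings.append("reachable from any network: publicNetworkAccess=Enabled with firewall defaultAction=Allow")
    if public == "Disabled" and not private_endpoints:
        findings.append("unreachable: public access disabled but no private endpoint is connected")

    # Logging: AuditEvent is the category that records data-plane key/secret use.
    audit_logged = any(
        log.get("category") == "AuditEvent" and log.get("enabled", False)
        for ds in diagnostic_settings
        for log in ds.get("logs", [])
    )
    if not audit_logged:
        findings.append("AuditEvent diagnostic logging not enabled")
    return findings


def audit_vaults(vaults: list[dict], diagnostics_by_vault: dict[str, list[dict]]) -> dict[str, list[str]]:
    """Map vault name -> findings, listing only vaults with at least one finding."""
    report: dict[str, list[str]] = {}
    for v in vaults:
        findings = audit_key_vault(v, diagnostics_by_vault.get(v["name"], []))
        if findings:
            report[v["name"]] = findings
    return report


# Constructed sample data: a hardened production vault and an open dev vault.
SAMPLE_VAULTS = [
    {"name": "kv-prod-secrets", "properties": {
        "enableSoftDelete": True, "enablePurgeProtection": True, "enableRbacAuthorization": True,
        "publicNetworkAccess": "Disabled",
        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"},
        "privateEndpointConnections": [{"id": "pe-kv-prod-1"}]}},
    {"name": "kv-dev-scratch", "properties": {
        "enableSoftDelete": True, "enablePurgeProtection": False, "enableRbacAuthorization": False,
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Allow"},
        "privateEndpointConnections": []}},
]
SAMPLE_DIAGNOSTICS = {
    "kv-prod-secrets": [{"name": "to-law", "logs": [{"category": "AuditEvent", "enabled": True}]}],
    "kv-dev-scratch": [],
}

if __name__ == "__main__":
    for name, findings in audit_vaults(SAMPLE_VAULTS, SAMPLE_DIAGNOSTICS).items():
        print(name)
        for line in findings:
            print("  -", line)
```

The findings line up with the policies listed in this row (soft delete, purge protection, public network access, private endpoint, resource logs); the extra "unreachable" check exists because disabling public access before the private endpoint and DNS are in place is the most common way a workload loses access to its own keys during hardening.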
\ No newline at end of file diff --git a/Azure/Security/MCSB/DevOps Security/index.html b/Azure/Security/MCSB/DevOps Security/index.html index 5cf71a7..819a1c9 100644 --- a/Azure/Security/MCSB/DevOps Security/index.html +++ b/Azure/Security/MCSB/DevOps Security/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

MCSB_v1 - DevOps Security

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Azure Implementation and additional context AWS Guidance AWS Implementation and additional context Customer Security Stakeholders:
DS-1 DevOps Security 16.10 - Apply Secure Design Principles in Application Architectures SA-15: DEVELOPMENT PROCESS, STANDARDS, AND TOOLS 6.5 Conduct threat modeling Perform threat modeling to identify the potential threats and enumerate the mitigating controls. Ensure your threat modeling serves the following purposes: Use threat modeling tools such as the Microsoft threat modeling tool with the Azure threat model template embedded to drive your threat modeling process. Use the STRIDE model to enumerate the threats from both internal and external sources and identify the applicable controls. Ensure the threat modeling process includes the threat scenarios in the DevOps process, such as malicious code injection through an insecure artifact repository with a misconfigured access control policy. Threat Modeling Overview: Use threat modeling tools such as the Microsoft threat modeling tool with the Azure threat model template embedded to drive your threat modeling process. Use the STRIDE model to enumerate the threats from both internal and external sources and identify the applicable controls. Ensure the threat modeling process includes the threat scenarios in the DevOps process, such as malicious code injection through an insecure artifact repository with a misconfigured access control policy. Microsoft Threat Modeling Tool: Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards
16.14 - Conduct Threat Modeling 12.2 https://www.microsoft.com/securityengineering/sdl/threatmodeling https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool
Secure your applications and services in the production run-time stage. If using a threat modeling tool is not applicable, you should, at minimum, use a questionnaire-based threat modeling process to identify the threats. If using a threat modeling tool is not applicable, you should, at minimum, use a questionnaire-based threat modeling process to identify the threats. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Secure the artifacts, underlying CI/CD pipeline and other tooling environment used for build, test, and deployment. The threat modeling at least should include the following aspects: Application threat analysis (including STRIDE + questionnaire based method): How to approach threat modeling for AWS:
Define the security requirements of the application. Ensure these requirements are adequately addressed in the threat modeling. Ensure the threat modeling or analysis results are recorded and updated when there is a major security-impact change in your application or in the threat landscape. https://docs.microsoft.com/azure/architecture/framework/security/design-threat-model Ensure the threat modeling or analysis results are recorded and updated when there is a major security-impact change in your application or in the threat landscape. https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/ Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Analyze application components, data connections and their relationship. Ensure this analysis also includes the upstream and downstream connections outside of your application scope.
List the potential threats and attack vectors that your application components, data connections and upstream and downstream services may be exposed to. Azure Template - Microsoft Security Threat Model Stencil: Application threat analysis (including STRIDE + questionnaire based method):
Identify the applicable security controls that can be used to mitigate the threats enumerated and identify any controls gaps (e.g., security vulnerabilities) that may require additional treatment plans. https://github.com/AzureArchitecture/threat-model-templates https://docs.microsoft.com/azure/architecture/framework/security/design-threat-model
Enumerate and design the controls that can mitigate the vulnerabilities identified.
DS-2 DevOps Security 18.3 - Verify That Acquired Software is Still Supported 16.4 - Establish and Manage an Inventory of Third-Party Software Components SA-12: SUPPLY CHAIN PROTECTION 6.3 Ensure software supply chain security Ensure your enterprise’s SDLC (Software Development Lifecycle) or process include a set of security controls to govern the in-house and third-party software components (including both proprietary and open-source software) where your applications have dependencies. Define gating criteria to prevent vulnerable or malicious components being integrated and deployed into the environment. For the GitHub platform, ensure the software supply chain security through the following capability or tools from GitHub Advanced Security or GitHub’s native feature:- Use Dependency Graph to scan, inventory and identify all your project’s dependencies and related vulnerabilities through Advisory Database. GitHub Dependency Graph: If you use AWS CI/CD platforms such as CodeCommit or CodePipeline, ensure the software supply chain security using CodeGuru Reviewer to scan the source code (for Java and Python) through the CI/CD workflows. Platforms such as CodeCommit and CodePipeline also supports third-party extensions to implement similar controls to inventory, analyze and remediate the third-party software components and their vulnerabilities. GitHub Dependency Graph: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
18.4 - Only Use Up-to-Date And Trusted Third-Party Components 16.6 - Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities SA-15: DEVELOPMENT PROCESS, STANDARDS, AND TOOLS 6.5 https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph
18.8 - Establish a Process to Accept and Address Reports of Software Vulnerabilities 16.11 - Leverage Vetted Modules or Services for Application Security Components The software supply chain security controls should at least include the following aspects: - Use Dependabot to ensure that the vulnerable dependency is tracked and remediated, and ensure your repository automatically keeps up with the latest releases of the packages and applications it depends on. If you manage your source code through the GitHub platform, ensure the software supply chain security through the following capability or tools from GitHub Advanced Security or GitHub’s native feature: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Use GitHub's native code scanning capability to scan the source code when sourcing the code externally. GitHub Dependabot: - Use Dependency Graph to scan, inventory and identify all your project’s dependencies and related vulnerabilities through Advisory Database. GitHub Dependabot:
Properly manage a Software Bill of Materials (SBOM) by identifying the upstream dependencies required for the service/resource development, build, integration and deployment phase. - Use Microsoft Defender for Cloud to integrate vulnerability assessment for your container image in the CI/CD workflow. https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates - Use Dependabot to ensure that the vulnerable dependency is tracked and remediated, and ensure your repository automatically keeps up with the latest releases of the packages and applications it depends on. https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates
Inventory and track the in-house and third-party software components for known vulnerability when there is a fix available in the upstream. For Azure DevOps, you can use third-party extensions to implement similar controls to inventory, analyze and remediate the third-party software components and their vulnerabilities - Use GitHub's native code scanning capability to scan the source code when sourcing the code externally.
Assess the vulnerabilities and malware in the software components using static and dynamic application testing for unknown vulnerabilities. Identify vulnerable container images in your CI/CD workflows: - If applicable, use Microsoft Defender for Cloud to integrate vulnerability assessment for your container image in the CI/CD workflow. DevOps in AWS:
Ensure the vulnerabilities and malware are mitigated using the appropriate approach. This may include source code local or upstream fix, feature exclusion and/or applying compensating controls if the direct mitigation is not available. https://docs.microsoft.com/azure/security-center/defender-for-container-registries-cicd https://aws.amazon.com/devops/
If closed source third-party components are used in your production environment, you may have limited visibility to its security posture. You should consider additional controls such as access control, network isolation and endpoint security to minimize the impact if there is a malicious activity or vulnerability associated with the component.
Azure DevOps Marketplace – supply chain security: Software Bill of Materials:
https://marketplace.visualstudio.com/search?term=tag%3ASupply%20Chain%20Security&target=VSTS https://www.cisa.gov/sbom
DS-3 DevOps Security 18.11 - Use Standard Hardening Configuration Templates for Databases 16.7 - Use Standard Hardening Configuration Templates for Application Infrastructure CM-2: BASELINE CONFIGURATION 2.2 Secure DevOps infrastructure Ensure the DevOps infrastructure and pipeline follow security best practices across environments including your build, test, and production stages. This typically includes the security controls for following scope: As part of applying the Microsoft Cloud Security Benchmark to your DevOps infrastructure security controls, prioritize the following controls: DevSecOps controls overview – secure pipelines: As part of applying the Microsoft Cloud Security Benchmark to the security controls of your DevOps infrastructure, such as GitHub, CodeCommit, CodeArtifact, CodePipeline, CodeBuild and CodeDeploy, prioritize the following controls: AWS Well-architected Framework - security pillar: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
CM-6: CONFIGURATION SETTINGS 6.3 - Protect artifacts and the underlying environment to ensure the CI/CD pipelines don’t become avenues to insert malicious code. For example, review your CI/CD pipeline to identify any misconfiguration in core areas of Azure DevOps such as Organization, Projects, Users, Pipelines (Build & Release), Connections, and Build Agent to identify any misconfigurations such as open access, weak authentication, insecure connection setup and so on. For GitHub, use similar controls to secure the Organization permission levels. https://docs.microsoft.com/azure/cloud-adoption-framework/secure/devsecops-controls - Refer to this guidance and the AWS Well-architected Framework security pillar to secure your DevOps environments in AWS. https://wa.aws.amazon.com/wat.pillar.security.en.html
AC-2: ACCOUNT MANAGEMENT 7.1 - Artifact repositories that store source code, built packages and images, project artifacts and business data. - Ensure your DevOps infrastructure is deployed consistently across development projects. Track compliance of your DevOps infrastructure at scale by using Microsoft Defender for Cloud (such as Compliance Dashboard, Azure Policy, Cloud Posture Management) or your own compliance monitoring tools. - Protect artifacts and the underlying supporting infrastructure to ensure the CI/CD pipelines don’t become avenues to insert malicious code. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
AC-3: ACCESS ENFORCEMENT - Servers, services, and tooling that host CI/CD pipelines. - Configure identity/role permissions and entitlement policies in Azure AD, native services, and CI/CD tools in your pipeline to ensure changes to the pipelines are authorized. Secure your GitHub organization: - Ensure your DevOps infrastructure is deployed and sustained consistently across development projects. Track compliance of your DevOps infrastructure at scale by using AWS Config or your own compliance check solution.
AC-6: LEAST PRIVILEGE - CI/CD pipeline configuration. - Avoid providing permanent “standing” privileged access to the human accounts such as developers or testers by using features such as Azure managed identifies and just-in-time access. https://docs.github.com/en/code-security/getting-started/securing-your-organization - Use CodeArtifact to securely store and share software packages used for application development. You can use CodeArtifact with popular build tools and package managers such as Maven, Gradle, npm, yarn, pip, and twine. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
- Remove keys, credentials, and secrets from code and scripts used in CI/CD workflow jobs and keep them in a key store or Azure Key Vault. - Configure identity/role permissions and permission policies in AWS IAM, native services, and CI/CD tools in your pipeline to ensure changes to the pipelines are authorized.
- If you run self-hosted build/deployment agents, follow Microsoft Cloud Security Benchmark controls including network security, posture and vulnerability management, and endpoint security to secure your environment. Azure DevOps pipeline – Microsoft hosted agent security considerations: - Remove keys, credentials, and secrets from code and scripts used in CI/CD workflow jobs and keep them in key store or AWS KMS Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
https://docs.microsoft.com/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#security - If you run self-hosted build/deployment agents, follow Microsoft Cloud Security Benchmark controls including network security, posture and vulnerability management, and endpoint security to secure your environment. Use AWS Inspector for vulnerability scanning for vulnerabilities in EC2 or containerized environment as the build environment.
Note: Refer to the Logging and Threat Detection, DS-7, and the Posture and Vulnerability Management sections to use services such as Azure Monitor and Microsoft Sentinel to enable governance, compliance, operational auditing, and risk auditing for your DevOps infrastructure.
Note: Refer to the Logging and Threat Detection, DS-7, and the and Posture and Vulnerability Management sections to use services such as AWS CloudTrail, CloudWatch and Microsoft Sentinel to enable governance, compliance, operational auditing, and risk auditing for your DevOps infrastructure.
DS-4 DevOps Security 18.7 - Apply Static and Dynamic Code Analysis Tools 16.12 - Implement Code-Level Security Checks SA-11: DEVELOPER TESTING AND EVALUATION 6.3 Integrate static application security testing into DevOps pipeline Ensure static application security testing (SAST) fuzzy testing, interactive testing, mobile application testing, are part of the gating controls in the CI/CD workflow. The gating can be set based on the testing results to prevent vulnerable packages from committing into the repository, building into the packages, or deploying into the production. Integrate SAST into your pipeline (e.g., in your infrastructure as code template) so the source code can be scanned automatically in your CI/CD workflow. Azure DevOps Pipeline or GitHub can integrate the below tools and third-party SAST tools into the workflow. GitHub CodeQL: Integrate SAST into your pipeline so the source code can be scanned automatically in your CI/CD workflow. Building end-to-end AWS DevSecOps CI/CD pipeline with open source SCA, SAST and DAST tools: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
6.5 - GitHub CodeQL for source code analysis. https://codeql.github.com/docs/ https://aws.amazon.com/blogs/devops/building-end-to-end-aws-devsecops-ci-cd-pipeline-with-open-source-sca-sast-and-dast-tools/
- Microsoft BinSkim Binary Analyzer for Windows and *nix binary analysis. If using AWS CodeCommit, use AWS CodeGuru Reviewer for Python and Java source code analysis. AWS Codepipeline can also support integration of third-part SAST tools into the code deployment pipeline. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Azure DevOps Credential Scanner (Microsoft Security DevOps extension) and GitHub native secret scanning for credential scan in the source code. BinSkim Binary Analyzer:
https://github.com/microsoft/binskim If using GitHub, the below tools and third-party SAST tools can be integrated into the workflow.
- GitHub CodeQL for source code analysis.
Azure DevOps Credential Scan: - Microsoft BinSkim Binary Analyzer for Windows and *nix binary analysis.
https://secdevtools.azurewebsites.net/helpcredscan.html - GitHub native secret scanning for credential scan in the source code.
- AWS CodeGuru Reviewer for Python and Java source code analysis.
GitHub secret scanning:
https://docs.github.com/en/code-security/secret-security/about-secret-scanning
DS-5 DevOps Security 18.7 - Apply Static and Dynamic Code Analysis Tools 16.12 - Implement Code-Level Security Checks SA-11: DEVELOPER TESTING AND EVALUATION 6.3 Integrate dynamic application security testing into DevOps pipeline Ensure dynamic application security testing (DAST) are part of the gating controls in the CI/CD workflow. The gating can be set based on the testing results to prevent vulnerability from building into the packages or deploying into the production. Integrate DAST into your pipeline so the runtime application can be tested automatically in your CI/CD workflow set in Azure DevOps or GitHub. The automated penetration testing (with manual assisted validation) should also be part of the DAST. DAST tools in Azure DevOps marketplace: Integrate DAST into your pipeline so the runtime application can be tested automatically in your CI/CD workflow set in AWS CodePipeline or GitHub. The automated penetration testing (with manual assisted validation) should also be part of the DAST. Building end-to-end AWS DevSecOps CI/CD pipeline with open source SCA, SAST and DAST tools: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
6.5 https://marketplace.visualstudio.com/search?term=DAST&target=AzureDevOps&category=All%20categories https://aws.amazon.com/blogs/devops/building-end-to-end-aws-devsecops-ci-cd-pipeline-with-open-source-sca-sast-and-dast-tools/
Azure DevOps Pipeline or GitHub supports the integration of third-party DAST tools into the CI/CD workflow. AWS CodePipeline or GitHub supports integration of third-party DAST tools into the CI/CD workflow. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
DS-6 DevOps Security 5.2 - Deploy System Configuration Management Tools 7.5 - Perform Automated Vulnerability Scans of Internal Enterprise Assets CM-2: BASELINE CONFIGURATION 6.1 Enforce security of workload throughout DevOps lifecycle Ensure the workload is secured throughout the entire lifecycle in development, testing, and deployment stage. Use Microsoft Cloud Security Benchmark to evaluate the controls (such as network security, identity management, privileged access and so on) that can be set as guardrails by default or shift left prior to the deployment stage. In particular, ensure the following controls are in place in your DevOps process: Guidance for Azure VMs: Shared Image Gallery overview: Use Amazon Elastic Container Registry to share and control access to your images by different users and roles within your organization. And Use AWS IAM to ensure that only authorized users can access your custom images. AWS ECR image scanning: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
5.3 - Securely Store Master Images 7.6 - Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets CM-6: CONFIGURATION SETTINGS 6.2 - Automate the deployment by using Azure or third-party tooling in the CI/CD workflow, infrastructure management (infrastructure as code), and testing to reduce human error and attack surface. - Use Azure Shared Image Gallery to share and control access to your images by different users, service principals, or AD groups within your organization. Use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access your custom images. https://docs.microsoft.com/azure/virtual-machines/windows/shared-image-galleries https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
5.4 - Deploy System Configuration Management Tools 7.7 - Remediate Detected Vulnerabilities AC-2: ACCOUNT MANAGEMENT 6.3 - Ensure VMs, container images and other artifacts are secure from malicious manipulation. - Define the secure configuration baselines for the VMs to eliminate unnecessary credentials, permissions, and packages. Deploy and enforce configuration baselines through custom images, Azure Resource Manager templates, and/or Azure Policy guest configuration. Define the secure configuration baselines for the EC2 AMI images to eliminate unnecessary credentials, permissions, and packages. Deploy and enforce configurations baselines through custom AMI images, CloudFormation templates, and/or AWS Config Rules. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
5.5 - Implement Automated Configuration Monitoring Systems 16.1 - Establish and Maintain a Secure Application Development Process AC-3: ACCESS ENFORCEMENT - Scan the workload artifacts (in other words, container images, dependencies, SAST and DAST scans) prior to the deployment in the CI/CD workflow How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations AWS Inspector:
18.1 - Establish Secure Coding Practices 16.7 - Use Standard Hardening Configuration Templates for Application Infrastructure AC-6: LEAST PRIVILEGE - Deploy vulnerability assessment and threat detection capability into the production environment and continuously use these capabilities in the run-time. Guidance for Azure container services: Use AWS Inspector for vulnerability scanning of VM's and Containerized environments, securing them from malicious manipulation. https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Use Azure Container Registry (ACR) to create your private container registry where granular access can be restricted through Azure RBAC, so only authorized services and accounts can access the containers in the private registry. Security considerations for Azure Container:
- Use Defender for Containers for vulnerability assessment of the images in your private Azure Container Registry. In addition, you can use Microsoft Defender for Cloud to integrate the container image scans as part of your CI/CD workflows. https://docs.microsoft.com/azure/container-instances/container-instances-image-security For AWS serverless services, use AWS CodePipeline in conjunction with AWS AppConfig to adopt similar controls to ensure security controls "shift left" to the stage prior to deployment. AWS AppConfig:
https://docs.aws.amazon.com/appconfig/latest/userguide/getting-started-with-appconfig.html
For Azure serverless services, adopt similar controls to ensure security controls "shift-left" to the stage prior to deployment. Azure Defender for container registries:
https://docs.microsoft.com/azure/security-center/defender-for-container-registries-introduction
DS-7 DevOps Security 6.2 - Activate audit logging 8.2 Collect Audit Logs AU-3: CONTENT OF AUDIT RECORDS 10.1 Enable logging and monitoring in DevOps Ensure your logging and monitoring scope includes non-production environments and CI/CD workflow elements used in DevOps (and any other development processes). The vulnerabilities and threats targeting these environments can introduce significant risks to your production environment if they are not monitored properly. The events from the CI/CD build, test and deployment workflow should also be monitored to identify any deviations in the CI/CD workflow jobs. Enable and configure the audit logging capabilities in non-production and CI/CD tooling environments (such as Azure DevOps and GitHub) used throughout the DevOps process. Azure DevOps - audit streaming: Enable and configure AWS CloudTrail for audit logging capabilities in non-production and CI/CD tooling environments (such as AWS CodePipeline, AWS CodeBuild, AWS CodeDeploy, AWS CodeStar) used throughout the DevOps process. Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
6.3 - Enable Detailed Logging 8.5 Collect Detailed Audit Logs AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING 10.2 https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming?view=azure-devops https://docs.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3
6.5 - Central Log Management 8.9 Centralize Audit Logs AU-12: AUDIT GENERATION 10.3 Follow Microsoft Cloud Security Benchmark – Logging and Threat Detection as the guideline to implement your logging and monitoring controls for workload. The events generated from Azure DevOps and the GitHub CI/CD workflow, including the build, test and deployment jobs, should also be monitored to identify any anomalous results. The events generated from the AWS CI/CD environments (such as AWS CodePipeline, AWS CodeBuild, AWS CodeDeploy, AWS CodeStar) and the GitHub CI/CD workflow, including the build, test and deployment jobs, should also be monitored to identify any anomalous results. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
6.6 - Deploy SIEM or Log Analytic tool 8.11 Conduct Audit Log Reviews SI-4: INFORMATION SYSTEM MONITORING 10.6 GitHub logging: GitHub Logging:
6.7 - Regularly Review Logs Ingest the above logs and events into Microsoft Sentinel or other SIEM tools through a logging stream or API to ensure the security incidents are properly monitored and triaged for handling. https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization Ingest the above logs and events into AWS CloudWatch, Microsoft Sentinel or other SIEM tools through a logging stream or API to ensure the security incidents are properly monitored and triaged for handling. https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization Incident preparation: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
6.8 - Regularly Tune SIEM
\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - DevOps Security

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Azure Implementation and additional context AWS Guidance AWS Implementation and additional context Customer Security Stakeholders:
DS-1 DevOps Security nan 16.10 - Apply Secure Design Principles in Application Architectures SA-15: DEVELOPMENT PROCESS, STANDARDS, AND TOOLS 6.5 Conduct threat modeling Perform threat modeling to identify the potential threats and enumerate the mitigating controls. Ensure your threat modeling serves the following purposes: Use threat modeling tools such as the Microsoft threat modeling tool with the Azure threat model template embedded to drive your threat modeling process. Use the STRIDE model to enumerate the threats from both internal and external and identify the controls applicable. Ensure the threat modeling process includes the threat scenarios in the DevOps process, such as malicious code injection through an insecure artifacts repository with misconfigured access control policy. Threat Modeling Overview: Use threat modeling tools such as the Microsoft threat modeling tool with the Azure threat model template embedded to drive your threat modeling process. Use the STRIDE model to enumerate the threats from both internal and external and identify the controls applicable. Ensure the threat modeling process includes the threat scenarios in the DevOps process, such as malicious code injection through an insecure artifacts repository with misconfigured access control policy. Microsoft Threat Modeling Tool: Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards
16.14 - Conduct Threat Modeling 12.2 https://www.microsoft.com/securityengineering/sdl/threatmodeling https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool
Secure your applications and services in the production run-time stage. If using a threat modeling tool is not applicable, you should, at minimum, use a questionnaire-based threat modeling process to identify the threats. If using a threat modeling tool is not applicable, you should, at minimum, use a questionnaire-based threat modeling process to identify the threats. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Secure the artifacts, underlying CI/CD pipeline and other tooling environment used for build, test, and deployment. The threat modeling at least should include the following aspects: Application threat analysis (including STRIDE + questionnaire based method): How to approach threat modeling for AWS:
Define the security requirements of the application. Ensure these requirements are adequately addressed in the threat modeling. Ensure the threat modeling or analysis results are recorded and updated when there is a major security-impact change in your application or in the threat landscape. https://docs.microsoft.com/azure/architecture/framework/security/design-threat-model Ensure the threat modeling or analysis results are recorded and updated when there is a major security-impact change in your application or in the threat landscape. https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/ Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Analyze application components, data connections and their relationship. Ensure this analysis also includes the upstream and downstream connections outside of your application scope.
List the potential threats and attack vectors that your application components, data connections and upstream and downstream services may be exposed to. Azure Template - Microsoft Security Threat Model Stencil: Application threat analysis (including STRIDE + questionnaire based method):
Identify the applicable security controls that can be used to mitigate the threats enumerated and identify any controls gaps (e.g., security vulnerabilities) that may require additional treatment plans. https://github.com/AzureArchitecture/threat-model-templates https://docs.microsoft.com/azure/architecture/framework/security/design-threat-model
Enumerate and design the controls that can mitigate the vulnerabilities identified.
DS-2 DevOps Security 18.3 - Verify That Acquired Software is Still Supported 16.4 - Establish and Manage an Inventory of Third-Party Software Components SA-12: SUPPLY CHAIN PROTECTION 6.3 Ensure software supply chain security Ensure your enterprise’s SDLC (Software Development Lifecycle) or process include a set of security controls to govern the in-house and third-party software components (including both proprietary and open-source software) where your applications have dependencies. Define gating criteria to prevent vulnerable or malicious components being integrated and deployed into the environment. For the GitHub platform, ensure the software supply chain security through the following capability or tools from GitHub Advanced Security or GitHub’s native feature:- Use Dependency Graph to scan, inventory and identify all your project’s dependencies and related vulnerabilities through Advisory Database. GitHub Dependency Graph: If you use AWS CI/CD platforms such as CodeCommit or CodePipeline, ensure the software supply chain security using CodeGuru Reviewer to scan the source code (for Java and Python) through the CI/CD workflows. Platforms such as CodeCommit and CodePipeline also supports third-party extensions to implement similar controls to inventory, analyze and remediate the third-party software components and their vulnerabilities. GitHub Dependency Graph: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
18.4 - Only Use Up-to-Date And Trusted Third-Party Components 16.6 - Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities SA-15: DEVELOPMENT PROCESS, STANDARDS, AND TOOLS 6.5 https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph
18.8 - Establish a Process to Accept and Address Reports of Software Vulnerabilities 16.11 - Leverage Vetted Modules or Services for Application Security Components The software supply chain security controls should at least include the following aspects: - Use Dependabot to ensure that the vulnerable dependency is tracked and remediated, and ensure your repository automatically keeps up with the latest releases of the packages and applications it depends on. If you manage your source code through the GitHub platform, ensure the software supply chain security through the following capability or tools from GitHub Advanced Security or GitHub’s native feature: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Use GitHub's native code scanning capability to scan the source code when sourcing the code externally. GitHub Dependabot: - Use Dependency Graph to scan, inventory and identify all your project’s dependencies and related vulnerabilities through Advisory Database. GitHub Dependabot:
Properly manage a Software Bill of Materials (SBOM) by identifying the upstream dependencies required for the service/resource development, build, integration and deployment phase. - Use Microsoft Defender for Cloud to integrate vulnerability assessment for your container image in the CI/CD workflow. https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates - Use Dependabot to ensure that the vulnerable dependency is tracked and remediated, and ensure your repository automatically keeps up with the latest releases of the packages and applications it depends on. https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates
Inventory and track the in-house and third-party software components for known vulnerability when there is a fix available in the upstream. For Azure DevOps, you can use third-party extensions to implement similar controls to inventory, analyze and remediate the third-party software components and their vulnerabilities - Use GitHub's native code scanning capability to scan the source code when sourcing the code externally.
Assess the vulnerabilities and malware in the software components using static and dynamic application testing for unknown vulnerabilities. Identify vulnerable container images in your CI/CD workflows: - If applicable, use Microsoft Defender for Cloud to integrate vulnerability assessment for your container image in the CI/CD workflow. DevOps in AWS:
Ensure the vulnerabilities and malware are mitigated using the appropriate approach. This may include source code local or upstream fix, feature exclusion and/or applying compensating controls if the direct mitigation is not available. https://docs.microsoft.com/azure/security-center/defender-for-container-registries-cicd https://aws.amazon.com/devops/
If closed source third-party components are used in your production environment, you may have limited visibility to its security posture. You should consider additional controls such as access control, network isolation and endpoint security to minimize the impact if there is a malicious activity or vulnerability associated with the component.
Azure DevOps Marketplace – supply chain security: Software Bill of Materials:
https://marketplace.visualstudio.com/search?term=tag%3ASupply%20Chain%20Security&target=VSTS https://www.cisa.gov/sbom
DS-3 DevOps Security 18.11 - Use Standard Hardening Configuration Templates for Databases 16.7 - Use Standard Hardening Configuration Templates for Application Infrastructure CM-2: BASELINE CONFIGURATION 2.2 Secure DevOps infrastructure Ensure the DevOps infrastructure and pipeline follow security best practices across environments including your build, test, and production stages. This typically includes the security controls for following scope: As part of applying the Microsoft Cloud Security Benchmark to your DevOps infrastructure security controls, prioritize the following controls: DevSecOps controls overview – secure pipelines: As part of applying the Microsoft Cloud Security Benchmark to the security controls of your DevOps infrastructure, such as GitHub, CodeCommit, CodeArtifact, CodePipeline, CodeBuild and CodeDeploy, prioritize the following controls: AWS Well-architected Framework - security pillar: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
CM-6: CONFIGURATION SETTINGS 6.3 - Protect artifacts and the underlying environment to ensure the CI/CD pipelines don’t become avenues to insert malicious code. For example, review your CI/CD pipeline to identify any misconfiguration in core areas of Azure DevOps such as Organization, Projects, Users, Pipelines (Build & Release), Connections, and Build Agent to identify any misconfigurations such as open access, weak authentication, insecure connection setup and so on. For GitHub, use similar controls to secure the Organization permission levels. https://docs.microsoft.com/azure/cloud-adoption-framework/secure/devsecops-controls - Refer to this guidance and the AWS Well-architected Framework security pillar to secure your DevOps environments in AWS. https://wa.aws.amazon.com/wat.pillar.security.en.html
AC-2: ACCOUNT MANAGEMENT 7.1 - Artifact repositories that store source code, built packages and images, project artifacts and business data. - Ensure your DevOps infrastructure is deployed consistently across development projects. Track compliance of your DevOps infrastructure at scale by using Microsoft Defender for Cloud (such as Compliance Dashboard, Azure Policy, Cloud Posture Management) or your own compliance monitoring tools. - Protect artifacts and the underlying supporting infrastructure to ensure the CI/CD pipelines don’t become avenues to insert malicious code. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
AC-3: ACCESS ENFORCEMENT - Servers, services, and tooling that host CI/CD pipelines. - Configure identity/role permissions and entitlement policies in Azure AD, native services, and CI/CD tools in your pipeline to ensure changes to the pipelines are authorized. Secure your GitHub organization: - Ensure your DevOps infrastructure is deployed and sustained consistently across development projects. Track compliance of your DevOps infrastructure at scale by using AWS Config or your own compliance check solution.
AC-6: LEAST PRIVILEGE - CI/CD pipeline configuration. - Avoid providing permanent “standing” privileged access to the human accounts such as developers or testers by using features such as Azure managed identifies and just-in-time access. https://docs.github.com/en/code-security/getting-started/securing-your-organization - Use CodeArtifact to securely store and share software packages used for application development. You can use CodeArtifact with popular build tools and package managers such as Maven, Gradle, npm, yarn, pip, and twine. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
- Remove keys, credentials, and secrets from code and scripts used in CI/CD workflow jobs and keep them in a key store or Azure Key Vault. - Configure identity/role permissions and permission policies in AWS IAM, native services, and CI/CD tools in your pipeline to ensure changes to the pipelines are authorized.
- If you run self-hosted build/deployment agents, follow Microsoft Cloud Security Benchmark controls including network security, posture and vulnerability management, and endpoint security to secure your environment. Azure DevOps pipeline – Microsoft hosted agent security considerations: - Remove keys, credentials, and secrets from code and scripts used in CI/CD workflow jobs and keep them in key store or AWS KMS Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
https://docs.microsoft.com/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#security - If you run self-hosted build/deployment agents, follow Microsoft Cloud Security Benchmark controls including network security, posture and vulnerability management, and endpoint security to secure your environment. Use AWS Inspector for vulnerability scanning for vulnerabilities in EC2 or containerized environment as the build environment.
Note: Refer to the Logging and Threat Detection, DS-7, and the Posture and Vulnerability Management sections to use services such as Azure Monitor and Microsoft Sentinel to enable governance, compliance, operational auditing, and risk auditing for your DevOps infrastructure.
Note: Refer to the Logging and Threat Detection, DS-7, and the and Posture and Vulnerability Management sections to use services such as AWS CloudTrail, CloudWatch and Microsoft Sentinel to enable governance, compliance, operational auditing, and risk auditing for your DevOps infrastructure.
DS-4 DevOps Security 18.7 - Apply Static and Dynamic Code Analysis Tools 16.12 - Implement Code-Level Security Checks SA-11: DEVELOPER TESTING AND EVALUATION 6.3 Integrate static application security testing into DevOps pipeline Ensure static application security testing (SAST) fuzzy testing, interactive testing, mobile application testing, are part of the gating controls in the CI/CD workflow. The gating can be set based on the testing results to prevent vulnerable packages from committing into the repository, building into the packages, or deploying into the production. Integrate SAST into your pipeline (e.g., in your infrastructure as code template) so the source code can be scanned automatically in your CI/CD workflow. Azure DevOps Pipeline or GitHub can integrate the below tools and third-party SAST tools into the workflow. GitHub CodeQL: Integrate SAST into your pipeline so the source code can be scanned automatically in your CI/CD workflow. Building end-to-end AWS DevSecOps CI/CD pipeline with open source SCA, SAST and DAST tools: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
6.5 - GitHub CodeQL for source code analysis. https://codeql.github.com/docs/ https://aws.amazon.com/blogs/devops/building-end-to-end-aws-devsecops-ci-cd-pipeline-with-open-source-sca-sast-and-dast-tools/
- Microsoft BinSkim Binary Analyzer for Windows and *nix binary analysis. If using AWS CodeCommit, use AWS CodeGuru Reviewer for Python and Java source code analysis. AWS Codepipeline can also support integration of third-part SAST tools into the code deployment pipeline. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Azure DevOps Credential Scanner (Microsoft Security DevOps extension) and GitHub native secret scanning for credential scan in the source code. BinSkim Binary Analyzer:
https://github.com/microsoft/binskim If using GitHub, the below tools and third-party SAST tools can be integrated into the workflow.
- GitHub CodeQL for source code analysis.
Azure DevOps Credential Scan: - Microsoft BinSkim Binary Analyzer for Windows and *nix binary analysis.
https://secdevtools.azurewebsites.net/helpcredscan.html - GitHub native secret scanning for credential scan in the source code.
- AWS CodeGuru Reviewer for Python and Java source code analysis.
GitHub secret scanning:
https://docs.github.com/en/code-security/secret-security/about-secret-scanning
DS-5 DevOps Security 18.7 - Apply Static and Dynamic Code Analysis Tools 16.12 - Implement Code-Level Security Checks SA-11: DEVELOPER TESTING AND EVALUATION 6.3 Integrate dynamic application security testing into DevOps pipeline Ensure dynamic application security testing (DAST) are part of the gating controls in the CI/CD workflow. The gating can be set based on the testing results to prevent vulnerability from building into the packages or deploying into the production. Integrate DAST into your pipeline so the runtime application can be tested automatically in your CI/CD workflow set in Azure DevOps or GitHub. The automated penetration testing (with manual assisted validation) should also be part of the DAST. DAST tools in Azure DevOps marketplace: Integrate DAST into your pipeline so the runtime application can be tested automatically in your CI/CD workflow set in AWS CodePipeline or GitHub. The automated penetration testing (with manual assisted validation) should also be part of the DAST. Building end-to-end AWS DevSecOps CI/CD pipeline with open source SCA, SAST and DAST tools: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
6.5 https://marketplace.visualstudio.com/search?term=DAST&target=AzureDevOps&category=All%20categories https://aws.amazon.com/blogs/devops/building-end-to-end-aws-devsecops-ci-cd-pipeline-with-open-source-sca-sast-and-dast-tools/
Azure DevOps Pipeline or GitHub supports the integration of third-party DAST tools into the CI/CD workflow. AWS CodePipeline or GitHub supports integration of third-party DAST tools into the CI/CD workflow. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
DS-6 DevOps Security 5.2 - Deploy System Configuration Management Tools 7.5 - Perform Automated Vulnerability Scans of Internal Enterprise Assets CM-2: BASELINE CONFIGURATION 6.1 Enforce security of workload throughout DevOps lifecycle Ensure the workload is secured throughout the entire lifecycle in development, testing, and deployment stage. Use Microsoft Cloud Security Benchmark to evaluate the controls (such as network security, identity management, privileged access and so on) that can be set as guardrails by default or shift left prior to the deployment stage. In particular, ensure the following controls are in place in your DevOps process: Guidance for Azure VMs: Shared Image Gallery overview: Use Amazon Elastic Container Registry to share and control access to your images by different users and roles within your organization. And Use AWS IAM to ensure that only authorized users can access your custom images. AWS ECR image scanning: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
5.3 - Securely Store Master Images 7.6 - Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets CM-6: CONFIGURATION SETTINGS 6.2 - Automate the deployment by using Azure or third-party tooling in the CI/CD workflow, infrastructure management (infrastructure as code), and testing to reduce human error and attack surface. - Use Azure Shared Image Gallery to share and control access to your images by different users, service principals, or AD groups within your organization. Use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access your custom images. https://docs.microsoft.com/azure/virtual-machines/windows/shared-image-galleries https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
5.4 - Deploy System Configuration Management Tools 7.7 - Remediate Detected Vulnerabilities AC-2: ACCOUNT MANAGEMENT 6.3 - Ensure VMs, container images and other artifacts are secure from malicious manipulation. - Define the secure configuration baselines for the VMs to eliminate unnecessary credentials, permissions, and packages. Deploy and enforce configuration baselines through custom images, Azure Resource Manager templates, and/or Azure Policy guest configuration. Define the secure configuration baselines for the EC2 AMI images to eliminate unnecessary credentials, permissions, and packages. Deploy and enforce configurations baselines through custom AMI images, CloudFormation templates, and/or AWS Config Rules. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
5.5 - Implement Automated Configuration Monitoring Systems 16.1 - Establish and Maintain a Secure Application Development Process AC-3: ACCESS ENFORCEMENT - Scan the workload artifacts (in other words, container images, dependencies, SAST and DAST scans) prior to the deployment in the CI/CD workflow How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations AWS Inspector:
18.1 - Establish Secure Coding Practices 16.7 - Use Standard Hardening Configuration Templates for Application Infrastructure AC-6: LEAST PRIVILEGE - Deploy vulnerability assessment and threat detection capability into the production environment and continuously use these capabilities in the run-time. Guidance for Azure container services: Use AWS Inspector for vulnerability scanning of VM's and Containerized environments, securing them from malicious manipulation. https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Use Azure Container Registry (ACR) to create your private container registry where granular access can be restricted through Azure RBAC, so only authorized services and accounts can access the containers in the private registry. Security considerations for Azure Container:
- Use Defender for Containers for vulnerability assessment of the images in your private Azure Container Registry. In addition, you can use Microsoft Defender for Cloud to integrate the container image scans as part of your CI/CD workflows. https://docs.microsoft.com/azure/container-instances/container-instances-image-security For AWS serverless services, use AWS CodePipeline in conjunction with AWS AppConfig to adopt similar controls to ensure security controls "shift left" to the stage prior to deployment. AWS AppConfig:
https://docs.aws.amazon.com/appconfig/latest/userguide/getting-started-with-appconfig.html
For Azure serverless services, adopt similar controls to ensure security controls "shift-left" to the stage prior to deployment. Azure Defender for container registries:
https://docs.microsoft.com/azure/security-center/defender-for-container-registries-introduction
DS-7 DevOps Security 6.2 - Activate audit logging 8.2 Collect Audit Logs AU-3: CONTENT OF AUDIT RECORDS 10.1 Enable logging and monitoring in DevOps Ensure your logging and monitoring scope includes non-production environments and CI/CD workflow elements used in DevOps (and any other development processes). The vulnerabilities and threats targeting these environments can introduce significant risks to your production environment if they are not monitored properly. The events from the CI/CD build, test and deployment workflow should also be monitored to identify any deviations in the CI/CD workflow jobs. Enable and configure the audit logging capabilities in non-production and CI/CD tooling environments (such as Azure DevOps and GitHub) used throughout the DevOps process. Azure DevOps - audit streaming: Enable and configure AWS CloudTrail for audit logging capabilities in non-production and CI/CD tooling environments (such as AWS CodePipeline, AWS CodeBuild, AWS CodeDeploy, AWS CodeStar) used throughout the DevOps process. Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
6.3 - Enable Detailed Logging 8.5 Collect Detailed Audit Logs AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING 10.2 https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming?view=azure-devops https://docs.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3
6.5 - Central Log Management 8.9 Centralize Audit Logs AU-12: AUDIT GENERATION 10.3 Follow Microsoft Cloud Security Benchmark – Logging and Threat Detection as the guideline to implement your logging and monitoring controls for workload. The events generated from Azure DevOps and the GitHub CI/CD workflow, including the build, test and deployment jobs, should also be monitored to identify any anomalous results. The events generated from the AWS CI/CD environments (such as AWS CodePipeline, AWS CodeBuild, AWS CodeDeploy, AWS CodeStar) and the GitHub CI/CD workflow, including the build, test and deployment jobs, should also be monitored to identify any anomalous results. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
6.6 - Deploy SIEM or Log Analytic tool 8.11 Conduct Audit Log Reviews SI-4: INFORMATION SYSTEM MONITORING 10.6 GitHub logging: GitHub Logging:
6.7 - Regularly Review Logs Ingest the above logs and events into Microsoft Sentinel or other SIEM tools through a logging stream or API to ensure the security incidents are properly monitored and triaged for handling. https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization Ingest the above logs and events into AWS CloudWatch, Microsoft Sentinel or other SIEM tools through a logging stream or API to ensure the security incidents are properly monitored and triaged for handling. https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization Incident preparation: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
6.8 - Regularly Tune SIEM
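Review bot: the regenerated DevOps Security page in this hunk still carries duplicated and mislabelled table cells that look like copy errors in the markdown source rather than intended content, so they should be fixed at the source before the site is rebuilt. In the DS-2 row the dependency-graph link is emitted twice in a row (`.../about-the-dependency-graph .../about-the-dependency-graph`), and the Dependabot bullet together with its `about-dependabot-version-updates` URL is repeated in both the Azure and the AWS guidance cells; in DS-3 the AWS note reads "the and Posture and Vulnerability Management", and the bullet "keep them in key store or AWS KMS" runs straight into "Security architecture:" with no sentence break; in DS-4 the AWS cell reads "third-part SAST tools". Because the whole page body is one line of HTML, none of this appears as a focused change in the diff, so a short list in the commit message of which cells were edited on this page would help reviewers confirm the fix rather than re-reading the entire table.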
\ No newline at end of file diff --git a/Azure/Security/MCSB/Endpoint Security/index.html b/Azure/Security/MCSB/Endpoint Security/index.html index aba9c09..d947bc9 100644 --- a/Azure/Security/MCSB/Endpoint Security/index.html +++ b/Azure/Security/MCSB/Endpoint Security/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Endpoint Security

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders:
ES-1 Endpoint security 9.4 - Apply Host-Based Firewalls or Port Filtering 13.7 - Deploy a Host-Based Intrusion Prevention Solution SC-3: SECURITY FUNCTION ISOLATION 11.5 Use Endpoint Detection and Response (EDR) Enable Endpoint Detection and Response (EDR) capabilities for VMs and integrate with SIEM and security operations processes. Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) provides EDR capability to prevent, detect, investigate, and respond to advanced threats. Microsoft Defender for servers introduction: Onboard your AWS account into Microsoft Defender for Cloud and deploy Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) on your EC2 instances to provide EDR capabilities to prevent, detect, investigate, and respond to advanced threats. Protect your endpoints with Defender for Cloud's integrated EDR solution: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
SI-2: FLAW REMEDIATION https://docs.microsoft.com/azure/security-center/defender-for-servers-introduction https://docs.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows
SI-3: MALICIOUS CODE PROTECTION Use Microsoft Defender for Cloud to deploy Microsoft Defender for servers on your endpoints and integrate the alerts to your SIEM solution such as Microsoft Sentinel. Alternatively, use Amazon GuardDuty integrated threat intelligence capability to monitor and protect your EC2 instances. Amazon GuardDuty can detect anomalous activities such as activity indicating an instance compromise, such as cryptocurrency mining, malware using domain generation algorithms (DGAs), outbound denial of service activity, unusually high volume of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials use by an external IP address, and data exfiltration using DNS. Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
SI-16 MEMORY PROTECTION Microsoft Defender for Endpoint overview:
https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Microsoft Defender for Cloud feature coverage for machines: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows
Connector for Defender for servers integration into SIEM:
https://docs.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows
ES-2 Endpoint security 8.1 - Utilize Centrally Managed Anti-malware Software 10.1 - Deploy and Maintain Anti-Malware Software SC-3: SECURITY FUNCTION ISOLATION 5.1 Use modern anti-malware software Use anti-malware solutions (also known as endpoint protection) capable of real-time protection and periodic scanning. Microsoft Defender for Cloud can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and on-premises machines with Azure Arc configured and report the endpoint protection running status and make recommendations. Supported endpoint protection solutions: Onboard your AWS account into Microsoft Defender for Cloud to allow Microsoft Defender for Cloud to automatically identify the use some popular anti-malware solutions for EC2 instances with Azure Arc configured and report the endpoint protection running status and make recommendations. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
SI-2: FLAW REMEDIATION https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions-
SI-3: MALICIOUS CODE PROTECTION Microsoft Defender Antivirus is the default anti-malware solution for Windows server 2016 and above. For Windows server 2012 R2, use Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection). For Linux VMs, use Microsoft Defender for Endpoint on Linux for the endpoint protection feature. Deploy Microsoft Defender Antivirus which is the default anti-malware solution for Windows server 2016 and above. For EC2 instances running Windows server 2012 R2, use Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection). For EC2 instances running Linux, use Microsoft Defender for Endpoint on Linux for the endpoint protection feature. Microsoft Defender supported endpoint protection solutions: Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
SI-16 MEMORY PROTECTION How to configure Microsoft Antimalware for Cloud Services and virtual machines: https://docs.microsoft.com/en-us/azure/defender-for-cloud/supported-machines-endpoint-solutions-clouds-servers?tabs=features-windows#supported-endpoint-protection-solutions-
For both Windows and Linux, you can use Microsoft Defender for Cloud to discover and assess the health status of the anti-malware solution. https://docs.microsoft.com/azure/security/fundamentals/antimalware For both Windows and Linux, you can use Microsoft Defender for Cloud to discover and assess the health status of the anti-malware solution. Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Endpoint protection recommendations in Microsoft Defender for Clouds:
Note: You can also use Microsoft Defender for Cloud's Defender for Storage to detect malware uploaded to Azure Storage accounts. Note: Microsoft Defender Cloud also supports certain third-party endpoint protection products for the discovery and health status assessment. https://docs.microsoft.com/en-us/azure/defender-for-cloud/endpoint-protection-recommendations-technical Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
ES-3 Endpoint security 8.2 - Ensure Anti-Malware Software and Signatures are Updated 10.2 - Configure Automatic Anti-Malware Signature Updates SI-2: FLAW REMEDIATION 5.2 Ensure anti-malware software and signatures are updated Ensure anti-malware signatures are updated rapidly and consistently for the anti-malware solution. Follow recommendations in Microsoft Defender for Cloud to keep all endpoints up to date with the latest signatures. Microsoft Antimalware (for Windows) and Microsoft Defender for Endpoint (for Linux) will automatically install the latest signatures and engine updates by default. How to deploy Microsoft Antimalware for Cloud Services and virtual machine: With your AWS account onboarded into Microsoft Defender for Cloud, follow recommendations in Microsoft Defender for Cloud to keep all endpoints up to date with the latest signatures. Microsoft Antimalware (for Windows) and Microsoft Defender for Endpoint (for Linux) will automatically install the latest signatures and engine updates by default. Connect your AWS accounts to Microsoft Defender for Cloud: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
SI-3: MALICIOUS CODE PROTECTION 5.3 https://docs.microsoft.com/azure/security/fundamentals/antimalware https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings
For third-party solutions, ensure the signatures are updated in the third-party anti-malware solution. For third-party solutions, ensure the signatures are updated in the third-party anti-malware solution. Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
Endpoint protection assessment and recommendations in Microsoft Defender for Cloud:
https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Endpoint Security

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders:
ES-1 Endpoint security 9.4 - Apply Host-Based Firewalls or Port Filtering 13.7 - Deploy a Host-Based Intrusion Prevention Solution SC-3: SECURITY FUNCTION ISOLATION 11.5 Use Endpoint Detection and Response (EDR) Enable Endpoint Detection and Response (EDR) capabilities for VMs and integrate with SIEM and security operations processes. Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) provides EDR capability to prevent, detect, investigate, and respond to advanced threats. Microsoft Defender for servers introduction: Onboard your AWS account into Microsoft Defender for Cloud and deploy Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) on your EC2 instances to provide EDR capabilities to prevent, detect, investigate, and respond to advanced threats. Protect your endpoints with Defender for Cloud's integrated EDR solution: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
SI-2: FLAW REMEDIATION https://docs.microsoft.com/azure/security-center/defender-for-servers-introduction https://docs.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows
SI-3: MALICIOUS CODE PROTECTION Use Microsoft Defender for Cloud to deploy Microsoft Defender for servers on your endpoints and integrate the alerts to your SIEM solution such as Microsoft Sentinel. Alternatively, use Amazon GuardDuty integrated threat intelligence capability to monitor and protect your EC2 instances. Amazon GuardDuty can detect anomalous activities such as activity indicating an instance compromise, such as cryptocurrency mining, malware using domain generation algorithms (DGAs), outbound denial of service activity, unusually high volume of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials use by an external IP address, and data exfiltration using DNS. Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
SI-16 MEMORY PROTECTION Microsoft Defender for Endpoint overview:
https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Microsoft Defender for Cloud feature coverage for machines: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows
Connector for Defender for servers integration into SIEM:
https://docs.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows
ES-2 Endpoint security 8.1 - Utilize Centrally Managed Anti-malware Software 10.1 - Deploy and Maintain Anti-Malware Software SC-3: SECURITY FUNCTION ISOLATION 5.1 Use modern anti-malware software Use anti-malware solutions (also known as endpoint protection) capable of real-time protection and periodic scanning. Microsoft Defender for Cloud can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and on-premises machines with Azure Arc configured and report the endpoint protection running status and make recommendations. Supported endpoint protection solutions: Onboard your AWS account into Microsoft Defender for Cloud to allow Microsoft Defender for Cloud to automatically identify the use some popular anti-malware solutions for EC2 instances with Azure Arc configured and report the endpoint protection running status and make recommendations. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
SI-2: FLAW REMEDIATION https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions-
SI-3: MALICIOUS CODE PROTECTION Microsoft Defender Antivirus is the default anti-malware solution for Windows server 2016 and above. For Windows server 2012 R2, use Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection). For Linux VMs, use Microsoft Defender for Endpoint on Linux for the endpoint protection feature. Deploy Microsoft Defender Antivirus which is the default anti-malware solution for Windows server 2016 and above. For EC2 instances running Windows server 2012 R2, use Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection). For EC2 instances running Linux, use Microsoft Defender for Endpoint on Linux for the endpoint protection feature. Microsoft Defender supported endpoint protection solutions: Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
SI-16 MEMORY PROTECTION How to configure Microsoft Antimalware for Cloud Services and virtual machines: https://docs.microsoft.com/en-us/azure/defender-for-cloud/supported-machines-endpoint-solutions-clouds-servers?tabs=features-windows#supported-endpoint-protection-solutions-
For both Windows and Linux, you can use Microsoft Defender for Cloud to discover and assess the health status of the anti-malware solution. https://docs.microsoft.com/azure/security/fundamentals/antimalware For both Windows and Linux, you can use Microsoft Defender for Cloud to discover and assess the health status of the anti-malware solution. Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Endpoint protection recommendations in Microsoft Defender for Clouds:
Note: You can also use Microsoft Defender for Cloud's Defender for Storage to detect malware uploaded to Azure Storage accounts. Note: Microsoft Defender Cloud also supports certain third-party endpoint protection products for the discovery and health status assessment. https://docs.microsoft.com/en-us/azure/defender-for-cloud/endpoint-protection-recommendations-technical Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
ES-3 Endpoint security 8.2 - Ensure Anti-Malware Software and Signatures are Updated 10.2 - Configure Automatic Anti-Malware Signature Updates SI-2: FLAW REMEDIATION 5.2 Ensure anti-malware software and signatures are updated Ensure anti-malware signatures are updated rapidly and consistently for the anti-malware solution. Follow recommendations in Microsoft Defender for Cloud to keep all endpoints up to date with the latest signatures. Microsoft Antimalware (for Windows) and Microsoft Defender for Endpoint (for Linux) will automatically install the latest signatures and engine updates by default. How to deploy Microsoft Antimalware for Cloud Services and virtual machine: With your AWS account onboarded into Microsoft Defender for Cloud, follow recommendations in Microsoft Defender for Cloud to keep all endpoints up to date with the latest signatures. Microsoft Antimalware (for Windows) and Microsoft Defender for Endpoint (for Linux) will automatically install the latest signatures and engine updates by default. Connect your AWS accounts to Microsoft Defender for Cloud: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
SI-3: MALICIOUS CODE PROTECTION 5.3 https://docs.microsoft.com/azure/security/fundamentals/antimalware https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings
For third-party solutions, ensure the signatures are updated in the third-party anti-malware solution. For third-party solutions, ensure the signatures are updated in the third-party anti-malware solution. Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
Endpoint protection assessment and recommendations in Microsoft Defender for Cloud:
https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
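Review bot: the ES-2 row in this hunk has wording defects that should be corrected before merge: "Endpoint protection recommendations in Microsoft Defender for Clouds" should read "Microsoft Defender for Cloud", "Microsoft Defender Cloud also supports certain third-party endpoint protection products" is missing "for", and "identify the use some popular anti-malware solutions" is missing "of". Two further points in the same row: the GuardDuty finding-types URL (https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html) sits under ES-2, whereas Amazon GuardDuty is only discussed in the ES-1 AWS guidance, so please confirm the link landed in the intended row and column; and the "supported endpoint protection solutions" reference is given twice with different hosts (security-center/security-center-services?... and defender-for-cloud/supported-machines-endpoint-solutions-clouds-servers?...), both ending in the same "#supported-endpoint-protection-solutions-" anchor, so consider keeping only the defender-for-cloud URL.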
\ No newline at end of file diff --git a/Azure/Security/MCSB/Governance and Strategy/index.html b/Azure/Security/MCSB/Governance and Strategy/index.html index a531fbe..45a3428 100644 --- a/Azure/Security/MCSB/Governance and Strategy/index.html +++ b/Azure/Security/MCSB/Governance and Strategy/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Governance and Strategy

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle General Guidance Implementation and additional context Customer Security Stakeholders:
GS-1 Governance and Strategy 17.2 - Deliver Training to Fill the Skills Gap 14.9 - Conduct Role-Specific Security Awareness and Skills Training PL-9: CENTRAL MANAGEMENT 12.4 Align organization roles, responsibilities and accountabilities N/A Ensure that you define and communicate a clear strategy for roles and responsibilities in your security organization. Prioritize providing clear accountability for security decisions, educating everyone on the shared responsibility model, and educate technical teams on technology to secure the cloud. Azure Security Best Practice 1 – People: Educate Teams on Cloud Security Journey: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
PM-10: SECURITY AUTHORIZATION PROCESS https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#1-people-educate-teams-about-the-cloud-security-journey
PM-13: INFORMATION SECURITY WORKFORCE
AT-1: SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES Azure Security Best Practice 2 - People: Educate Teams on Cloud Security Technology:
AT-3: ROLE-BASED SECURITY TRAINING https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#2-people-educate-teams-on-cloud-security-technology
Azure Security Best Practice 3 - Process: Assign Accountability for Cloud Security Decisions:
https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#4-process-update-incident-response-ir-processes-for-cloud
GS-2 Governance and Strategy 2.10 - Physically or Logically Segregate High Risk Applications 3.12 - Segment Data Processing and Storage Based on Sensitivity AC-4: INFORMATION FLOW ENFORCEMENT 1.2 Define and implement enterprise segmentation/separation of duties strategy N/A Establish an enterprise-wide strategy to segment access to assets using a combination of identity, network, application, subscription, management group, and other controls. Security in the Microsoft Cloud Adoption Framework for Azure - Segmentation: Separate to protect All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
14.1 - Segment the Network Based on Sensitivity SC-7: BOUNDARY PROTECTION 6.4 https://docs.microsoft.com/azure/cloud-adoption-framework/secure/access-control#segmentation-separate-to-protect
SC-2: APPLICATION PARTITIONING Carefully balance the need for security separation with the need to enable daily operation of the systems that need to communicate with each other and access data.
Security in the Microsoft Cloud Adoption Framework for Azure - Architecture: establish a single unified security strategy:
Ensure that the segmentation strategy is implemented consistently in the workload, including network security, identity and access models, and application permission/access models, and human process controls. https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#11-architecture-establish-a-single-unified-security-strategy
GS-3 Governance and Strategy 14.1 - Segment the Network Based on Sensitivity 3.1 - Establish and Maintain a Data Management Process AC-4: INFORMATION FLOW ENFORCEMENT 3.1 Define and implement data protection strategy N/A Establish an enterprise-wide strategy for data protection in your cloud environment: Azure Security Benchmark - Data Protection: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
3.7 - Establish and Maintain a Data Classification Scheme SI-4: INFORMATION SYSTEM MONITORING 3.2 - Define and apply the data classification and protection standard in accordance with the enterprise data management standard and regulatory compliance to dictate the security controls required for each level of the data classification. https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-data-protection
3.12 - Segment Data Processing and Storage Based on Sensitivity SC-8: TRANSMISSION CONFIDENTIALITY AND INTEGRITY 3.3 - Set up your cloud resource management hierarchy aligned to the enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems.
SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT 3.4 - Define and apply the applicable zero-trust principles in your cloud environment to avoid implementing trust based on network location within a perimeter. Instead, use device and user trust claims to gate access to data and resources. Cloud Adoption Framework - Azure data security and encryption best practices:
SC-17: PUBLIC KEY INFRASTRUCTURE CERTIFICATES 3.5 - Track and minimize the sensitive data footprint (storage, transmission, and processing) across the enterprise to reduce the attack surface and data protection cost. Consider techniques such as one-way hashing, truncation, and tokenization in the workload where possible, to avoid storing and transmitting sensitive data in its original form. https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices
SC-28: PROTECTION OF INFORMATION AT REST 3.6 - Ensure you have a full lifecycle control strategy to provide security assurance of the data and access keys.
RA-2: SECURITY CATEGORIZATION 3.7 Azure Security Fundamentals - Azure Data security, encryption, and storage:
4.1 https://docs.microsoft.com/azure/security/fundamentals/encryption-overview
A3.2
GS-4 Governance and Strategy 12.1 - Maintain an Inventory of Network Boundaries 12.2 - Establish and Maintain a Secure Network Infrastructure AC-4: INFORMATION FLOW ENFORCEMENT 1.1 Define and implement network security strategy N/A Establish a cloud network security strategy as part of your organization’s overall security strategy for access control. This strategy should include documented guidance, policy, and standards for the following elements: Azure Security Best Practice 11 - Architecture. Single unified security strategy: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
12.4 - Establish and Maintain Architecture Diagram(s) AC-17: REMOTE ACCESS 1.2 - Design a centralized/decentralized network management and security responsibility model to deploy and maintain network resources. https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy
CA-3: SYSTEM INTERCONNECTIONS 1.3 - A virtual network segmentation model aligned with the enterprise segmentation strategy.
CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES 1.5 - An Internet edge and ingress and egress strategy. Azure Security Benchmark - Network Security:
CM-2: BASELINE CONFIGURATION 4.1 - A hybrid cloud and on-premises interconnectivity strategy. https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-network-security
CM-6: CONFIGURATION SETTINGS 6.6 - A network monitoring and logging strategy.
CM-7: LEAST FUNCTIONALITY 11.4 - An up-to-date network security artifacts (such as network diagrams, reference network architecture). Azure network security overview:
SC-1: SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES A2.1 https://docs.microsoft.com/azure/security/fundamentals/network-overview
SC-2: APPLICATION PARTITIONING A2.2
SC-5: DENIAL OF SERVICE PROTECTION A2.3 Enterprise network architecture strategy:
SC-7: BOUNDARY PROTECTION A3.2 https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture
SC-20: SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
SC-21: SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
SI-4: INFORMATION SYSTEM MONITORING
GS-5 Governance and Strategy 5.1 - Establish Secure Configurations 4.1 - Establish and Maintain a Secure Configuration Process CA-1: SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES 1.1 Define and implement security posture management strategy N/A Establish a policy, procedure and standard to ensure the security configuration management and vulnerability management are in place in your cloud security mandate. Azure Security Benchmark - Posture and vulnerability management: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure CA-8: PENETRATION TESTING 1.2 https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-posture-vulnerability-management
CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES 2.2 The security configuration management in cloud should include the following areas:
CM-2: BASELINE CONFIGURATION 6.1 - Define the secure configuration baselines for different resource types in the cloud, such as the web portal/console, management and control plane, and resources running in the IaaS, PaaS and SaaS services. Azure Security Best Practice 9 - Establish security posture management:
CM-6: CONFIGURATION SETTINGS 6.2 - Ensure the security baselines address the risks in different control areas such as network security, identity management, privileged access, data protection and so on. https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#5-process-establish-security-posture-management
RA-1: RISK ASSESSMENT POLICY AND PROCEDURES 6.5 - Use tools to continuously measure, audit, and enforce the configuration to prevent configuration deviating from the baseline.
RA-3: RISK ASSESSMENT 6.6 - Develop a cadence to stay updated with security features, for instance, subscribe to the service updates.
RA-5: VULNERABILITY SCANNING 11.2 - Utilize a security health or compliance check mechanism (such as Secure Score, Compliance Dashboard in Microsoft Defender for Cloud) to regularly review security configuration posture and remediate the gaps identified.
SI-1: SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES 11.3
SI-2: FLAW REMEDIATION 11.5 The vulnerability management in the cloud should include the following security aspects:
SI-5: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES - Regularly assess and remediate vulnerabilities in all cloud resource types, such as cloud native services, operating systems, and application components.
- Use a risk-based approach to prioritize assessment and remediation.
- Subscribe to the relevant CSPM's security advisory notices and blogs to receive the latest security updates.
- Ensure the vulnerability assessment and remediation (such as schedule, scope, and techniques) meet the regularly compliance requirements for your organization.
GS-6 Governance and Strategy 4.5 - Use Multifactor Authentication For All Administrative Access 5.6 - Centralize Account Management AC-1: ACCESS CONTROL POLICY AND PROCEDURES 7.1 Define and implement identity and privileged access strategy N/A Establish a cloud identity and privileged access approach as part of your organization’s overall security access control strategy. This strategy should include documented guidance, policy, and standards for the following aspects: Azure Security Benchmark - Identity management: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
16.2 - Configure Centralized Point of Authentication 6.5 - Require MFA for Administrative Access AC-2: ACCOUNT MANAGEMENT 7.2 - Centralized identity and authentication system (such as Azure AD) and its interconnectivity with other internal and external identity systems https://docs.microsoft.com//security/benchmark/azure/security-controls-v3-identity-management
6.7 - Centralize Access Control AC-3: ACCESS ENFORCEMENT 7.3 - Privileged identity and access governance (such as access request, review and approval)
AC-4: INFORMATION FLOW ENFORCEMENT 8.1 - Privileged accounts in emergency (break-glass) situation Azure Security Benchmark - Privileged access:
AC-5: SEPARATION OF DUTIES 8.2 - Strong authentication (passwordless authentication and multifactor authentication) methods in different use cases and conditions https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-privileged-access
AC-6: LEAST PRIVILEGE 8.3 - Secure access by administrative operations through web portal/console, command-line and API.
IA-1: IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES 8.4 Azure Security Best Practice 11 - Architecture. Single unified security strategy:
IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) 8.5 For exception cases, where an enterprise system isn’t used, ensure adequate security controls are in place for identity, authentication and access management, and governed. These exceptions should be approved and periodically reviewed by the enterprise team. These exceptions are typically in cases such as: https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy
IA-4: IDENTIFIER MANAGEMENT 8.6 - Use of a non-enterprise designated identity and authentication system, such as cloud-based third-party systems (may introduce unknown risks)
IA-5: AUTHENTICATOR MANAGEMENT 8.7 - Privileged users authenticated locally and/or use non-strong authentication methods Azure identity management security overview:
IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) 8.8 https://docs.microsoft.com/azure/security/fundamentals/identity-management-overview
IA-9: SERVICE IDENTIFICATION AND AUTHENTICATION A3.4
SI-4: INFORMATION SYSTEM MONITORING
GS-7 Governance and Strategy 6.2 -Activate audit logging 8.1 - Establish and Maintain an Audit Log Management Process AU-1: AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES 10.1 Define and implement logging, threat detection and incident response strategy N/A Establish a logging, threat detection and incident response strategy to rapidly detect and remediate threats and meet compliance requirements. Security operations (SecOps / SOC) team should prioritize high quality alerts and seamless experiences so that they can focus on threats rather than log integration and manual steps. Azure Security Benchmark - Logging and threat detection: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
6.3 - Enable Detailed Logging 13.1 - Centralize Security Event Alerting IR-1: INCIDENT RESPONSE POLICY AND PROCEDURES 10.2 This strategy should include documented policy, procedure and standards for the following aspects: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-logging-threat-detection
6.6 - Deploy SIEM or Log Analytic tool 17.2 - Establish and Maintain Contact Information for Reporting Security Incidents IR-2: INCIDENT RESPONSE TRAINING 10.3 - The security operations (SecOps) organization's role and responsibilities
6.7 - Regularly Review Logs 17.4 - Establish and Maintain an Incident Response Process IR-10: INTEGRATED INFORMATION SECURITY ANALYSIS TEAM 10.4 - A well-defined and regularly tested incident response plan and handling process aligning with NIST SP 800-61 (Computer Security Incident Handling Guide) or other industry frameworks. Azure Security Benchmark - Incident response:
19.1 - Document Incident Response Procedures 17.7 - Conduct Routine Incident Response Exercises SI-1: SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES 10.5 - Communication and notification plan with your customers, suppliers, and public parties of interest. https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-incident-response
19.5 - Maintain Contact Information For Reporting Security Incidents SI-5: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES 10.6 - Simulate both expected and unexpected security events within your cloud environment to understand the effectiveness of your preparation. Iterate on the outcome of your simulation to improve the scale of your response posture, reduce time to value, and further reduce risk.
19.7 - Conduct Periodic Incident Scenario Sessions for Personnel 10.7 - Preference of using extended detection and response (XDR) capabilities such as Azure Defender capabilities to detect threats in the various areas. Azure Security Best Practice 4 - Process. Update Incident Response Processes for Cloud:
10.8 - Use of cloud native capability (e.g., as Microsoft Defender for Cloud) and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication. https://aka.ms/AzSec4
10.9 - Prepare the necessary runbooks, both manual and automated, to ensure reliable and consistent responses.
12.10 - Define key scenarios (such as threat detection, incident response, and compliance) and set up log capture and retention to meet the scenario requirements. Azure Adoption Framework, logging, and reporting decision guide:
A3.5 - Centralized visibility of and correlation information about threats, using SIEM, native cloud threat detection capability, and other sources. https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/logging-and-reporting/
- Post-incident activities, such as lessons learned and evidence retention.
Azure enterprise scale, management, and monitoring:
https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring
NIST SP 800-61 Computer Security Incident Handling Guide:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
GS-8 Governance and Strategy 10.1 - Ensure Regular Automated Backups 11.1 - Establish and Maintain a Data Recovery Process CP-1: CONTINGENCY PLANNING POLICY AND PROCEDURES 3.4 Define and implement backup and recovery strategy N/A Establish a backup and recovery strategy for your organization. This strategy should include documented guidance, policy, and standards in the following aspects: Azure Security Benchmark - Backup and recovery: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
CP-9: INFORMATION SYSTEM BACKUP - Recovery time objective (RTO) and recovery point objective (RPO) definitions in accordance with your business resiliency objectives, and regulatory compliance requirements. https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-backup-recovery
CP-10: INFORMATION SYSTEM RECOVERY AND RECONSTITUTION - Redundancy design (including backup, restore and replication) in your applications and infrastructure for both in cloud and on-premises. Consider regional, region-pairs, cross-regional recovery and off-site storage location as part of your strategy.
- Protection of backup from unauthorized access and tempering using controls such as data access control, encryption and network security. Azure Well-Architecture Framework - Backup and disaster recover for Azure applications: https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery
- Use of backup and recovery to mitigate the risks from emerging threats, such as ransomware attack. And also secure the backup and recovery data itself from these attacks.
- Monitoring the backup and recovery data and operations for audit and alerting purposes. Azure Adoption Framework-business continuity and disaster recovery:
https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery
Backup and restore plan to protect against ransomware:
https://docs.microsoft.com/azure/security/fundamentals/backup-plan-to-protect-against-ransomware
GS-9 Governance and Strategy 8.1 - Utilize Centrally Managed Anti-malware Software 4.4 - Implement and Manage a Firewall on Servers SI-2: FLAW REMEDIATION 5.1 Define and implement endpoint security strategy N/A Establish a cloud endpoint security strategy which includes the following aspects: Azure Security Benchmark - Endpoint security: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
9.4 - Apply Host-Based Firewalls or Port-Filtering 10.1 - Deploy and Maintain Anti-Malware Software SI-3: MALICIOUS CODE PROTECTION 5.2 - Deploy the endpoint detection and response and antimalware capability into your endpoint and integrate with the threat detection and SIEM solution and security operations process. https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-endpoint-security
SC-3: SECURITY FUNCTION ISOLATION 5.3 - Follow Microsoft Cloud Security Benchmark to ensure endpoint related security settings in other respective areas (such as network security, posture vulnerability management, identity and privileged access, and logging and threat detections) are also in place to provide a defense-in-depth protection for your endpoint.
5.4 - Prioritize the endpoint security in your production environment but ensure the non-production environments (such as test and build environment used in the DevOps process) are also secured and monitored, as these environment can also be used to introduce the malware and vulnerabilities into the production. Best practices for endpoint security on Azure:
11.5 https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints
GS-10 Governance and Strategy 5.1 - Establish Secure Configurations 4.1 - Establish and Maintain a Secure Configuration Process SA-12: SUPPLY CHAIN PROTECTION 2.2 Define and implement DevOps security strategy N/A Mandate the security controls as part of the organization’s DevOps engineering and operation standard. Define the security objectives, control requirements, and tooling specifications in accordance with enterprise and cloud security standards in your organization. Azure Security Benchmark - DevOps security: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
18.1 - Establish Secure Coding Practices 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure SA-15: DEVELOPMENT PROCESS, STANDARDS, AND TOOLS 6.1 https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-devops-security
18.8 - Establish a Process to Accept and Address Reports of Software Vulnerabilities 16.1 - Establish and Maintain a Secure Application Development Process CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES 6.2 Encourage the use of DevOps as an essential operating model in your organization for its benefits in rapidly identifying and remediating vulnerabilities using different type of automations (such as infrastructure as code provision, and automated SAST and DAST scan) throughout the CI/CD workflow. This ‘shift left’ approach also increases visibility and ability to enforce consistent security checks in your deployment pipeline, effectively deploying security guardrails into the environment ahead of time to avoid last minute security surprises when deploying a workload into production.
16.2 - Establish and Maintain a Process to Accept and Address Software Vulnerabilities CM-2: BASELINE CONFIGURATION 6.3 Secure DevOps:
CM-6: CONFIGURATION SETTINGS 6.5 When shifting security controls left into the pre-deployment phases, implement security guardrails to ensure the controls are deployed and enforced throughout your DevOps process. This technology could include resource deployment templates (such as Azure ARM template) to define guardrails in the IaC (infrastructure as code), resource provisioning and audit to restrict which services or configurations can be provisioned into the environment. https://www.microsoft.com/securityengineering/devsecops
AC-2: ACCOUNT MANAGEMENT 7.1
AC-3: ACCESS ENFORCEMENT 10.1 For the run-time security controls of your workload, follow the Microsoft Cloud Security Benchmark to design and implement effective the controls, such as identity and privileged access, network security, endpoint security, and data protection inside your workload applications and services. Cloud Adoption Framework - DevSecOps controls:
AC-6: LEAST PRIVILEGE 10.2 https://docs.microsoft.com/azure/cloud-adoption-framework/secure/devsecops-controls
SA-11: DEVELOPER TESTING AND EVALUATION 10.3
AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING 10.6
AU-12: AUDIT GENERATION 12.2
SI-4: INFORMATION SYSTEM MONITORING
GS-11 Governance and Strategy nan nan nan nan Define and implement multi-cloud security strategy N/A Ensure a multi-cloud strategy is defined in your cloud and security governance, risk management, and operation process which should include the following aspects: Azure hybrid and multicloud: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
- Multi-cloud adoption: For organizations that operate multi-cloud infrastructure and Educate your organization to ensure teams understand the feature difference between the cloud platforms and technology stack. Build, deploy, and/or migrate solutions that are portable. Allow for ease of movement between cloud platforms with minimum vendor lock-in while utilizing cloud native features adequately for the optimal result from the cloud adoption. https://docs.microsoft.com/en-us/hybrid/
- Cloud and security operations: Streamline security operations to support the solutions across each cloud, through a central set of governance and management processes which share common operations processes, regardless of where the solution is deployed and operated.
- Tooling and technology stack: Choose the appropriate tooling that supports multi-cloud environment to help with establishing unified and centralized management platforms which may include all the security domains discussed in this security benchmark. Azure hybrid and multicloud documentation:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/hybrid/scenario-overview
AWS to Azure services comparison:
https://docs.microsoft.com/en-us/azure/architecture/aws-professional/services
Azure for AWS professionals:
https://docs.microsoft.com/en-us/azure/architecture/aws-professional/
\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Governance and Strategy

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle General Guidance Implementation and additional context Customer Security Stakeholders:
GS-1 Governance and Strategy 17.2 - Deliver Training to Fill the Skills Gap 14.9 - Conduct Role-Specific Security Awareness and Skills Training PL-9: CENTRAL MANAGEMENT 12.4 Align organization roles, responsibilities and accountabilities N/A Ensure that you define and communicate a clear strategy for roles and responsibilities in your security organization. Prioritize providing clear accountability for security decisions, educating everyone on the shared responsibility model, and educate technical teams on technology to secure the cloud. Azure Security Best Practice 1 – People: Educate Teams on Cloud Security Journey: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
PM-10: SECURITY AUTHORIZATION PROCESS https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#1-people-educate-teams-about-the-cloud-security-journey
PM-13: INFORMATION SECURITY WORKFORCE
AT-1: SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES Azure Security Best Practice 2 - People: Educate Teams on Cloud Security Technology:
AT-3: ROLE-BASED SECURITY TRAINING https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#2-people-educate-teams-on-cloud-security-technology
Azure Security Best Practice 3 - Process: Assign Accountability for Cloud Security Decisions:
https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#4-process-update-incident-response-ir-processes-for-cloud
GS-2 Governance and Strategy 2.10 - Physically or Logically Segregate High Risk Applications 3.12 - Segment Data Processing and Storage Based on Sensitivity AC-4: INFORMATION FLOW ENFORCEMENT 1.2 Define and implement enterprise segmentation/separation of duties strategy N/A Establish an enterprise-wide strategy to segment access to assets using a combination of identity, network, application, subscription, management group, and other controls. Security in the Microsoft Cloud Adoption Framework for Azure - Segmentation: Separate to protect All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
14.1 - Segment the Network Based on Sensitivity SC-7: BOUNDARY PROTECTION 6.4 https://docs.microsoft.com/azure/cloud-adoption-framework/secure/access-control#segmentation-separate-to-protect
SC-2: APPLICATION PARTITIONING Carefully balance the need for security separation with the need to enable daily operation of the systems that need to communicate with each other and access data.
Security in the Microsoft Cloud Adoption Framework for Azure - Architecture: establish a single unified security strategy:
Ensure that the segmentation strategy is implemented consistently in the workload, including network security, identity and access models, and application permission/access models, and human process controls. https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#11-architecture-establish-a-single-unified-security-strategy
GS-3 Governance and Strategy 14.1 - Segment the Network Based on Sensitivity 3.1 - Establish and Maintain a Data Management Process AC-4: INFORMATION FLOW ENFORCEMENT 3.1 Define and implement data protection strategy N/A Establish an enterprise-wide strategy for data protection in your cloud environment: Azure Security Benchmark - Data Protection: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
3.7 - Establish and Maintain a Data Classification Scheme SI-4: INFORMATION SYSTEM MONITORING 3.2 - Define and apply the data classification and protection standard in accordance with the enterprise data management standard and regulatory compliance to dictate the security controls required for each level of the data classification. https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-data-protection
3.12 - Segment Data Processing and Storage Based on Sensitivity SC-8: TRANSMISSION CONFIDENTIALITY AND INTEGRITY 3.3 - Set up your cloud resource management hierarchy aligned to the enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems.
SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT 3.4 - Define and apply the applicable zero-trust principles in your cloud environment to avoid implementing trust based on network location within a perimeter. Instead, use device and user trust claims to gate access to data and resources. Cloud Adoption Framework - Azure data security and encryption best practices:
SC-17: PUBLIC KEY INFRASTRUCTURE CERTIFICATES 3.5 - Track and minimize the sensitive data footprint (storage, transmission, and processing) across the enterprise to reduce the attack surface and data protection cost. Consider techniques such as one-way hashing, truncation, and tokenization in the workload where possible, to avoid storing and transmitting sensitive data in its original form. https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices
SC-28: PROTECTION OF INFORMATION AT REST 3.6 - Ensure you have a full lifecycle control strategy to provide security assurance of the data and access keys.
RA-2: SECURITY CATEGORIZATION 3.7 Azure Security Fundamentals - Azure Data security, encryption, and storage:
4.1 https://docs.microsoft.com/azure/security/fundamentals/encryption-overview
A3.2
GS-4 Governance and Strategy 12.1 - Maintain an Inventory of Network Boundaries 12.2 - Establish and Maintain a Secure Network Infrastructure AC-4: INFORMATION FLOW ENFORCEMENT 1.1 Define and implement network security strategy N/A Establish a cloud network security strategy as part of your organization’s overall security strategy for access control. This strategy should include documented guidance, policy, and standards for the following elements: Azure Security Best Practice 11 - Architecture. Single unified security strategy: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
12.4 - Establish and Maintain Architecture Diagram(s) AC-17: REMOTE ACCESS 1.2 - Design a centralized/decentralized network management and security responsibility model to deploy and maintain network resources. https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy
CA-3: SYSTEM INTERCONNECTIONS 1.3 - A virtual network segmentation model aligned with the enterprise segmentation strategy.
CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES 1.5 - An Internet edge and ingress and egress strategy. Azure Security Benchmark - Network Security:
CM-2: BASELINE CONFIGURATION 4.1 - A hybrid cloud and on-premises interconnectivity strategy. https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-network-security
CM-6: CONFIGURATION SETTINGS 6.6 - A network monitoring and logging strategy.
CM-7: LEAST FUNCTIONALITY 11.4 - An up-to-date network security artifacts (such as network diagrams, reference network architecture). Azure network security overview:
SC-1: SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES A2.1 https://docs.microsoft.com/azure/security/fundamentals/network-overview
SC-2: APPLICATION PARTITIONING A2.2
SC-5: DENIAL OF SERVICE PROTECTION A2.3 Enterprise network architecture strategy:
SC-7: BOUNDARY PROTECTION A3.2 https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture
SC-20: SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
SC-21: SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
SI-4: INFORMATION SYSTEM MONITORING
GS-5 Governance and Strategy 5.1 - Establish Secure Configurations 4.1 - Establish and Maintain a Secure Configuration Process CA-1: SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES 1.1 Define and implement security posture management strategy N/A Establish a policy, procedure and standard to ensure the security configuration management and vulnerability management are in place in your cloud security mandate. Azure Security Benchmark - Posture and vulnerability management: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure CA-8: PENETRATION TESTING 1.2 https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-posture-vulnerability-management
CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES 2.2 The security configuration management in cloud should include the following areas:
CM-2: BASELINE CONFIGURATION 6.1 - Define the secure configuration baselines for different resource types in the cloud, such as the web portal/console, management and control plane, and resources running in the IaaS, PaaS and SaaS services. Azure Security Best Practice 9 - Establish security posture management:
CM-6: CONFIGURATION SETTINGS 6.2 - Ensure the security baselines address the risks in different control areas such as network security, identity management, privileged access, data protection and so on. https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#5-process-establish-security-posture-management
RA-1: RISK ASSESSMENT POLICY AND PROCEDURES 6.5 - Use tools to continuously measure, audit, and enforce the configuration to prevent configuration deviating from the baseline.
RA-3: RISK ASSESSMENT 6.6 - Develop a cadence to stay updated with security features, for instance, subscribe to the service updates.
RA-5: VULNERABILITY SCANNING 11.2 - Utilize a security health or compliance check mechanism (such as Secure Score, Compliance Dashboard in Microsoft Defender for Cloud) to regularly review security configuration posture and remediate the gaps identified.
SI-1: SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES 11.3
SI-2: FLAW REMEDIATION 11.5 The vulnerability management in the cloud should include the following security aspects:
SI-5: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES - Regularly assess and remediate vulnerabilities in all cloud resource types, such as cloud native services, operating systems, and application components.
- Use a risk-based approach to prioritize assessment and remediation.
- Subscribe to the relevant CSPM's security advisory notices and blogs to receive the latest security updates.
- Ensure the vulnerability assessment and remediation (such as schedule, scope, and techniques) meet the regularly compliance requirements for your organization.
GS-6 Governance and Strategy 4.5 - Use Multifactor Authentication For All Administrative Access 5.6 - Centralize Account Management AC-1: ACCESS CONTROL POLICY AND PROCEDURES 7.1 Define and implement identity and privileged access strategy N/A Establish a cloud identity and privileged access approach as part of your organization’s overall security access control strategy. This strategy should include documented guidance, policy, and standards for the following aspects: Azure Security Benchmark - Identity management: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
16.2 - Configure Centralized Point of Authentication 6.5 - Require MFA for Administrative Access AC-2: ACCOUNT MANAGEMENT 7.2 - Centralized identity and authentication system (such as Azure AD) and its interconnectivity with other internal and external identity systems https://docs.microsoft.com//security/benchmark/azure/security-controls-v3-identity-management
6.7 - Centralize Access Control AC-3: ACCESS ENFORCEMENT 7.3 - Privileged identity and access governance (such as access request, review and approval)
AC-4: INFORMATION FLOW ENFORCEMENT 8.1 - Privileged accounts in emergency (break-glass) situation Azure Security Benchmark - Privileged access:
AC-5: SEPARATION OF DUTIES 8.2 - Strong authentication (passwordless authentication and multifactor authentication) methods in different use cases and conditions https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-privileged-access
AC-6: LEAST PRIVILEGE 8.3 - Secure access by administrative operations through web portal/console, command-line and API.
IA-1: IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES 8.4 Azure Security Best Practice 11 - Architecture. Single unified security strategy:
IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) 8.5 For exception cases, where an enterprise system isn’t used, ensure adequate security controls are in place for identity, authentication and access management, and governed. These exceptions should be approved and periodically reviewed by the enterprise team. These exceptions are typically in cases such as: https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy
IA-4: IDENTIFIER MANAGEMENT 8.6 - Use of a non-enterprise designated identity and authentication system, such as cloud-based third-party systems (may introduce unknown risks)
IA-5: AUTHENTICATOR MANAGEMENT 8.7 - Privileged users authenticated locally and/or use non-strong authentication methods Azure identity management security overview:
IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) 8.8 https://docs.microsoft.com/azure/security/fundamentals/identity-management-overview
IA-9: SERVICE IDENTIFICATION AND AUTHENTICATION A3.4
SI-4: INFORMATION SYSTEM MONITORING
GS-7 Governance and Strategy 6.2 -Activate audit logging 8.1 - Establish and Maintain an Audit Log Management Process AU-1: AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES 10.1 Define and implement logging, threat detection and incident response strategy N/A Establish a logging, threat detection and incident response strategy to rapidly detect and remediate threats and meet compliance requirements. Security operations (SecOps / SOC) team should prioritize high quality alerts and seamless experiences so that they can focus on threats rather than log integration and manual steps. Azure Security Benchmark - Logging and threat detection: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
6.3 - Enable Detailed Logging 13.1 - Centralize Security Event Alerting IR-1: INCIDENT RESPONSE POLICY AND PROCEDURES 10.2 This strategy should include documented policy, procedure and standards for the following aspects: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-logging-threat-detection
6.6 - Deploy SIEM or Log Analytic tool 17.2 - Establish and Maintain Contact Information for Reporting Security Incidents IR-2: INCIDENT RESPONSE TRAINING 10.3 - The security operations (SecOps) organization's role and responsibilities
6.7 - Regularly Review Logs 17.4 - Establish and Maintain an Incident Response Process IR-10: INTEGRATED INFORMATION SECURITY ANALYSIS TEAM 10.4 - A well-defined and regularly tested incident response plan and handling process aligning with NIST SP 800-61 (Computer Security Incident Handling Guide) or other industry frameworks. Azure Security Benchmark - Incident response:
19.1 - Document Incident Response Procedures 17.7 - Conduct Routine Incident Response Exercises SI-1: SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES 10.5 - Communication and notification plan with your customers, suppliers, and public parties of interest. https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-incident-response
19.5 - Maintain Contact Information For Reporting Security Incidents SI-5: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES 10.6 - Simulate both expected and unexpected security events within your cloud environment to understand the effectiveness of your preparation. Iterate on the outcome of your simulation to improve the scale of your response posture, reduce time to value, and further reduce risk.
19.7 - Conduct Periodic Incident Scenario Sessions for Personnel 10.7 - Preference of using extended detection and response (XDR) capabilities such as Azure Defender capabilities to detect threats in the various areas. Azure Security Best Practice 4 - Process. Update Incident Response Processes for Cloud:
10.8 - Use of cloud native capability (e.g., as Microsoft Defender for Cloud) and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication. https://aka.ms/AzSec4
10.9 - Prepare the necessary runbooks, both manual and automated, to ensure reliable and consistent responses.
12.10 - Define key scenarios (such as threat detection, incident response, and compliance) and set up log capture and retention to meet the scenario requirements. Azure Adoption Framework, logging, and reporting decision guide:
A3.5 - Centralized visibility of and correlation information about threats, using SIEM, native cloud threat detection capability, and other sources. https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/logging-and-reporting/
- Post-incident activities, such as lessons learned and evidence retention.
Azure enterprise scale, management, and monitoring:
https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring
NIST SP 800-61 Computer Security Incident Handling Guide:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
GS-8 Governance and Strategy 10.1 - Ensure Regular Automated Backups 11.1 - Establish and Maintain a Data Recovery Process CP-1: CONTINGENCY PLANNING POLICY AND PROCEDURES 3.4 Define and implement backup and recovery strategy N/A Establish a backup and recovery strategy for your organization. This strategy should include documented guidance, policy, and standards in the following aspects: Azure Security Benchmark - Backup and recovery: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
CP-9: INFORMATION SYSTEM BACKUP - Recovery time objective (RTO) and recovery point objective (RPO) definitions in accordance with your business resiliency objectives, and regulatory compliance requirements. https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-backup-recovery
CP-10: INFORMATION SYSTEM RECOVERY AND RECONSTITUTION - Redundancy design (including backup, restore and replication) in your applications and infrastructure for both in cloud and on-premises. Consider regional, region-pairs, cross-regional recovery and off-site storage location as part of your strategy.
- Protection of backup from unauthorized access and tempering using controls such as data access control, encryption and network security. Azure Well-Architecture Framework - Backup and disaster recover for Azure applications: https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery
- Use of backup and recovery to mitigate the risks from emerging threats, such as ransomware attack. And also secure the backup and recovery data itself from these attacks.
- Monitoring the backup and recovery data and operations for audit and alerting purposes. Azure Adoption Framework-business continuity and disaster recovery:
https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery
Backup and restore plan to protect against ransomware:
https://docs.microsoft.com/azure/security/fundamentals/backup-plan-to-protect-against-ransomware
GS-9 Governance and Strategy 8.1 - Utilize Centrally Managed Anti-malware Software 4.4 - Implement and Manage a Firewall on Servers SI-2: FLAW REMEDIATION 5.1 Define and implement endpoint security strategy N/A Establish a cloud endpoint security strategy which includes the following aspects: Azure Security Benchmark - Endpoint security: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
9.4 - Apply Host-Based Firewalls or Port-Filtering 10.1 - Deploy and Maintain Anti-Malware Software SI-3: MALICIOUS CODE PROTECTION 5.2 - Deploy the endpoint detection and response and antimalware capability into your endpoint and integrate with the threat detection and SIEM solution and security operations process. https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-endpoint-security
SC-3: SECURITY FUNCTION ISOLATION 5.3 - Follow Microsoft Cloud Security Benchmark to ensure endpoint related security settings in other respective areas (such as network security, posture vulnerability management, identity and privileged access, and logging and threat detections) are also in place to provide a defense-in-depth protection for your endpoint.
5.4 - Prioritize the endpoint security in your production environment but ensure the non-production environments (such as test and build environment used in the DevOps process) are also secured and monitored, as these environment can also be used to introduce the malware and vulnerabilities into the production. Best practices for endpoint security on Azure:
11.5 https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints
GS-10 Governance and Strategy 5.1 - Establish Secure Configurations 4.1 - Establish and Maintain a Secure Configuration Process SA-12: SUPPLY CHAIN PROTECTION 2.2 Define and implement DevOps security strategy N/A Mandate the security controls as part of the organization’s DevOps engineering and operation standard. Define the security objectives, control requirements, and tooling specifications in accordance with enterprise and cloud security standards in your organization. Azure Security Benchmark - DevOps security: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
18.1 - Establish Secure Coding Practices 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure SA-15: DEVELOPMENT PROCESS, STANDARDS, AND TOOLS 6.1 https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-devops-security
18.8 - Establish a Process to Accept and Address Reports of Software Vulnerabilities 16.1 - Establish and Maintain a Secure Application Development Process CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES 6.2 Encourage the use of DevOps as an essential operating model in your organization for its benefits in rapidly identifying and remediating vulnerabilities using different type of automations (such as infrastructure as code provision, and automated SAST and DAST scan) throughout the CI/CD workflow. This ‘shift left’ approach also increases visibility and ability to enforce consistent security checks in your deployment pipeline, effectively deploying security guardrails into the environment ahead of time to avoid last minute security surprises when deploying a workload into production.
16.2 - Establish and Maintain a Process to Accept and Address Software Vulnerabilities CM-2: BASELINE CONFIGURATION 6.3 Secure DevOps:
CM-6: CONFIGURATION SETTINGS 6.5 When shifting security controls left into the pre-deployment phases, implement security guardrails to ensure the controls are deployed and enforced throughout your DevOps process. This technology could include resource deployment templates (such as Azure ARM template) to define guardrails in the IaC (infrastructure as code), resource provisioning and audit to restrict which services or configurations can be provisioned into the environment. https://www.microsoft.com/securityengineering/devsecops
AC-2: ACCOUNT MANAGEMENT 7.1
AC-3: ACCESS ENFORCEMENT 10.1 For the run-time security controls of your workload, follow the Microsoft Cloud Security Benchmark to design and implement effective the controls, such as identity and privileged access, network security, endpoint security, and data protection inside your workload applications and services. Cloud Adoption Framework - DevSecOps controls:
AC-6: LEAST PRIVILEGE 10.2 https://docs.microsoft.com/azure/cloud-adoption-framework/secure/devsecops-controls
SA-11: DEVELOPER TESTING AND EVALUATION 10.3
AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING 10.6
AU-12: AUDIT GENERATION 12.2
SI-4: INFORMATION SYSTEM MONITORING
GS-11 Governance and Strategy nan nan nan nan Define and implement multi-cloud security strategy N/A Ensure a multi-cloud strategy is defined in your cloud and security governance, risk management, and operation process which should include the following aspects: Azure hybrid and multicloud: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions
- Multi-cloud adoption: For organizations that operate multi-cloud infrastructure and Educate your organization to ensure teams understand the feature difference between the cloud platforms and technology stack. Build, deploy, and/or migrate solutions that are portable. Allow for ease of movement between cloud platforms with minimum vendor lock-in while utilizing cloud native features adequately for the optimal result from the cloud adoption. https://docs.microsoft.com/en-us/hybrid/
- Cloud and security operations: Streamline security operations to support the solutions across each cloud, through a central set of governance and management processes which share common operations processes, regardless of where the solution is deployed and operated.
- Tooling and technology stack: Choose the appropriate tooling that supports multi-cloud environment to help with establishing unified and centralized management platforms which may include all the security domains discussed in this security benchmark. Azure hybrid and multicloud documentation:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/hybrid/scenario-overview
AWS to Azure services comparison:
https://docs.microsoft.com/en-us/azure/architecture/aws-professional/services
Azure for AWS professionals:
https://docs.microsoft.com/en-us/azure/architecture/aws-professional/
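Review bot: the `-`/`+` pair in this hunk swaps the entire single-line body of the built "MCSB_v1 - Governance and Strategy" page, and the removed and added benchmark text visible here (the GS-10 DevOps security rows through the GS-11 multi-cloud rows and their links) is word-for-word identical on both sides, so whatever actually changed in this page cannot be reviewed from the diff; commit the Markdown source the page is generated from instead of the rendered HTML, or at minimum state in the commit message what changed (theme CSS, navigation, a build stamp). Since the content is being re-committed unchanged, the defects it carries are worth fixing at the source rather than in the generated output: under GS-1 the heading "Azure Security Best Practice 3 - Process: Assign Accountability for Cloud Security Decisions:" is followed by a link to `#4-process-update-incident-response-ir-processes-for-cloud`, and under GS-5 "Azure Security Best Practice 9 - Establish security posture management:" links to `#5-process-establish-security-posture-management`, so title and anchor disagree in both places; the GS-6 identity-management link has a doubled slash (`https://docs.microsoft.com//security/benchmark/azure/security-controls-v3-identity-management`); and the text has typos that survive the rebuild, "meet the regularly compliance requirements" (GS-5), "unauthorized access and tempering" (GS-8) and "design and implement effective the controls" (GS-10), which should read "regulatory", "tampering" and "effective controls".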
\ No newline at end of file diff --git a/Azure/Security/MCSB/Identity Management/index.html b/Azure/Security/MCSB/Identity Management/index.html index ea99806..d1aec8e 100644 --- a/Azure/Security/MCSB/Identity Management/index.html +++ b/Azure/Security/MCSB/Identity Management/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Identity Management

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context: Customer Security Stakeholders:
IM-1 Identity Management 16.1 - Maintain an Inventory of 6.7 - Centralize Access Control AC-2: ACCOUNT MANAGEMENT 7.2 Use centralized identity and authentication system Use a centralized identity and authentication system to govern your organization's identities and authentications for cloud and non-cloud resources. Azure Active Directory (Azure AD) is Azure's identity and authentication management service. You should standardize on Azure AD to govern your organization's identity and authentication in: Tenancy in Azure AD: AWS IAM (Identity and Access Management) is AWS' default identity and authentication management service. Use AWS IAM to govern your AWS identity and access management. Alternatively, through AWS and Azure Sigle Sign-On (SSO), you can also use Azure AD to manage the identity and access control of AWS to avoid managing duplicate accounts separately in two cloud platforms. AWS IAM: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Authentication Systems 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA) AC-3: ACCESS ENFORCEMENT 8.3 - Microsoft cloud resources, such as Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications. https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
16.2 - Configure Centralized IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) - Your organization's resources, such as applications on Azure, third-party applications running on your corporate network resources, and third-party SaaS applications. AWS supports Single Sign-On which allows you to bridge your corporate's third party identities (such as Windows Active Directory, or other identity stores) with the AWS identities to avoid creating duplicate accounts to access AWS resources. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Point of Authentication IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) - Your enterprise identities in Active Directory by synchronization to Azure AD to ensure a consistent and centrally managed identity strategy. How to create and configure an Azure AD instance: AWS Single Sign-On:
https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant https://docs.aws.amazon.com/singlesignon/index.html Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
For the Azure services that apply, avoid use of local authentication methods and instead use Azure Active Directory to centralize your service authentications.
Define Azure AD tenants: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Note: As soon as it is technically feasible, you should migrate on-premises Active Directory-based applications to Azure AD. This could be an Azure AD Enterprise Directory, Business to Business configuration, or Business to consumer configuration. https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/
Use external identity providers for an application:
https://docs.microsoft.com/azure/active-directory/b2b/identity-providers
IM-2 Identity Management 4.3 - Ensure the Use of Dedicated Administrative Accounts 5.4 - Restrict Administrator Privileges to Dedicated Administrator Accounts AC-2: ACCOUNT MANAGEMENT 8.2 Protect identity and authentication systems Secure your identity and authentication system as a high priority in your organization's cloud security practice. Common security controls include: Use the Azure AD security baseline and the Azure AD Identity Secure Score to evaluate your Azure AD identity security posture, and remediate security and configuration gaps. What is the identity secure score in Azure AD: https://docs.microsoft.com/azure/active-directory/fundamentals/identity-secure-score Use the following security best practices to secure your AWS IAM: Security Best Practice in IAM: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
4.5 - Use Multi-Factor Authentication for All Administrative Access 6.5 - Require MFA for Administrative Access AC-3: ACCESS ENFORCEMENT 8.3 - Restrict privileged roles and accounts The Azure AD Identity Secure Score evaluates Azure AD for the following configurations: - Set up AWS account root user access keys for emergency access as described in PA-5 (Set up emergency access) https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) - Require strong authentication for all privileged access - Use limited administrative roles Best Practices for Securing Active Directory: - Follow least privilege principles for access assignments Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) - Monitor and audit high risk activities - Turn on user risk policy https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory - Leverage IAM groups to apply policies instead of individual user(s). IAM Access Advisor:
SI-4: INFORMATION SYSTEM MONITORING - Designate more than one global admin - Follow strong authentication guidance in IM-6 (Use strong authentication controls) for all users https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
- Enable policy to block legacy authentication What is Identity Protection? - Use AWS Organizations SCP (Service Control Policy) and permission boundaries
- Ensure all users can complete multi-factor authentication for secure access https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection - Use IAM Access Advisor to audit service access IAM Credential Report: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Require MFA for administrative roles - Use IAM credential report to track user accounts and credential status https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
- Enable self-service password reset What is Microsoft Defender for Identity?
- Do not expire passwords https://learn.microsoft.com/en-us/defender-for-identity/what-is Note: Follow published best practices if you have other identity and authentication systems, e.g., follow the Azure AD security baseline if you use Azure AD to manage AWS identity and access.
- Turn on sign-in risk policy
- Do not allow users to grant consent to unmanaged applications
Use Azure AD Identity Protection to detect, investigate, and remediate identity-based risks. To similarly protect your on-premises Active Directory domain, use Defender for Identity.
Note: Follow published best practices for all other identity components, including your on-premises Active Directory and any third party capabilities, and the infrastructure (such as operating systems, networks, databases) that host them.
IM-3 Identity Management nan nan AC-2: ACCOUNT MANAGEMENT N/A Manage application identities securely and automatically Use managed application identities instead of creating human accounts for applications to access resources and execute code. Managed application identities provide benefits such as reducing the exposure of credentials. Automate the rotation of credentials to ensure the security of the identities. Use Azure managed identities, which can authenticate to Azure services and resources that support Azure AD authentication. Managed identity credentials are fully managed, rotated, and protected by the platform, avoiding hard-coded credentials in source code or configuration files. Azure managed identities: Use AWS IAM roles instead of creating user accounts for resources that support this feature. IAM roles are managed by the platform at the backend and the credentials are temporary and rotated automatically. This avoids creating long-term access keys or a username/password for applications and hard-coded credentials in source code or configuration files. AWS IAM Roles: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
AC-3: ACCESS ENFORCEMENT https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
IA-4: IDENTIFIER MANAGEMENT For services that don't support managed identities, use Azure AD to create a service principal with restricted permissions at the resource level. It is recommended to configure service principals with certificate credentials and fall back to client secrets for authentication. You may use service-linked roles which are attached with pre-defined permission policies for access between AWS services instead of customizing your own role permissions for the IAM roles. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
IA-5: AUTHENTICATOR MANAGEMENT Services that support managed identities for Azure resources: Providing access to an AWS service:
IA-9: SERVICE IDENTIFICATION AND AUTHENTICATION https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities Note: For services that don't support IAM roles, use access keys but follow the security best practice such as IM-8: Restrict the exposure of credential and secrets to secure your keys. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html
Azure service principal:
https://docs.microsoft.com/powershell/azure/create-azure-service-principal-azureps
Create a service principal with certificates:
https://docs.microsoft.com/azure/active-directory/develop/howto-authenticate-service-principal-powershell
IM-4 Identity Management nan nan IA-9: SERVICE IDENTITIFICATION AND AUTHENTICATION nan Authenticate server and services Authenticate remote servers and services from your client side to ensure you are connecting to trusted server and services. The most common server authentication protocol is Transport Layer Security (TLS), where the client-side (often a browser or client device) verifies the server by verifying the server’s certificate was issued by a trusted certificate authority. Many Azure services support TLS authentication by default. For services that don't support this by default or support TLS disabling, ensure it is always enabled to support the server/service authentication. Your client application should also be designed to verify server/service identity (by verifying the server’s certificate issued by a trusted certificate authority) in the handshake stage. Enforce Transport Layer Security (TLS) for a storage account: Many AWS services support TLS authentication by default. For services that don't support this by default or support TLS disabling, ensure it is always enabled to support the server/service authentication. Your client application should also be designed to verify server/service identity (by verifying the server’s certificate issued by a trusted certificate authority) in the handshake stage. AWS Certificate Manager certificate pinning. Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
https://docs.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal#use-azure-policy-to-enforce-the-minimum-tls-version https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-pinning
Note: Mutual authentication can be used when both the server and the client authenticate one-another. Note: Services such as API Management and API Gateway support TLS mutual authentication. Note: Services such as API Gateway support TLS mutual authentication. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
SSL certificate for backend authentication:
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
IM-5 Identity Management 16.2 - Configure Centralized Point of Authentication 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA) IA-4: IDENTIFIER MANAGEMENT nan Use single sign-on (SSO) for application access Use single sign-on (SSO) to simplify the user experience for authenticating to resources including applications and data across cloud services and on-premises environments. Use Azure AD for workload application workload access (customer facing) through Azure AD single sign-on (SSO), reducing the need for duplicate accounts. Azure AD provides identity and access management to Azure resources (in the management plane including CLI, PowerShell, portal), cloud applications, and on-premises applications. Understand application SSO with Azure AD: Use AWS Cognito to manage access to your customer facing workload application through single sign-on (SSO) to allow customers to bridge their third-party identities from different identity providers. AWS Single Sign-On: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on https://docs.aws.amazon.com/singlesignon/
IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) Azure AD also supports SSO for enterprise identities such as corporate user identities, as well as external user identities from trusted third-party and public users. For SSO access to the AWS native resources (including AWS console access or service management and data plane level access), use AWS Sigle Sign-On to reduce the need for duplicate accounts. Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
AWS Cognito Single Sign-On Adding SAML identity providers:
AWS SSO also allows you to bridge corporate identities (such as identities from Azure Active Directory) with AWS identities, as well as external user identities from trusted third-party and public users. https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
IM-6 Identity Management 4.2 - Change Default Passwords 6.3 - Require MFA for Externally-Exposed Applications AC-2: ACCOUNT MANAGEMENT 7.2 Use strong authentication controls Enforce strong authentication controls (strong passwordless authentication or multi-factor authentication) with your centralized identity and authentication management system for all access to resources. Authentication based on password credentials alone is considered legacy, as it is insecure and does not stand up to popular attack methods. Azure AD supports strong authentication controls through passwordless methods and multi-factor authentication (MFA). How to enable MFA in Azure: AWS IAM supports strong authentication controls through multi-factor authentication (MFA). MFA can be enforced on all users, select users, or at the per-user level based on defined conditions. Using multi-factor authentication (MFA) in AWS: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
4.5 - Use Multifactor Authentication For All Administrative Access 6.4 - Require MFA for Administrative Access AC-3: ACCESS ENFORCEMENT 8.2 - Passwordless authentication: Use passwordless authentication as your default authentication method. There are three options available in passwordless authentication: Windows Hello for Business, Microsoft Authenticator app phone sign-in, and FIDO2 security keys. In addition, customers can use on-premises authentication methods such as smart cards. https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
12.11 - Require All Remote Logins to Use Multi-Factor Authentication IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) 8.3 When deploying strong authentication, configure administrators and privileged users first, to ensure the highest level of the strong authentication method, quickly followed by rolling out the appropriate strong authentication policy to all users. - Multi-factor authentication: Azure MFA can be enforced on all users, select users, or at the per-user level based on sign-in conditions and risk factors. Enable Azure MFA and follow Microsoft Defender for Cloud identity and access management recommendations for your MFA setup. If you use corporate accounts from a third-party directory (such as Windows Active Directory) with AWS identities, follow the respective security guidance to enforce strong authentication. Refer to the Azure Guidance for this control if you use Azure AD to manage AWS access. Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
16.3 - Require Multi-Factor Authentication IA-5: AUTHENTICATOR MANAGEMENT 8.4 Introduction to passwordless authentication options for Azure Active Directory: IAM supported MFA form factors:
IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) Note: If legacy password-based authentication is required for legacy applications and scenarios, ensure password security best practices such as complexity requirements, are followed. If legacy password-based authentication is still used for Azure AD authentication, be aware that cloud-only accounts (user accounts created directly in Azure) have a default baseline password policy. And hybrid accounts (user accounts that come from on-premises Active Directory) follow the on-premises password policies. https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless Note: For third-party applications and AWS services that may have default IDs and passwords, you should disable or change them during initial service setup. https://aws.amazon.com/iam/features/mfa/ Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
For third-party applications and services that may have default IDs and passwords, you should disable or change them during initial service setup. Azure AD default password policy:
https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts
Eliminate bad passwords using Azure AD Password Protection: https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad
Block legacy authentication:
https://docs.microsoft.com/azure/active-directory/conditional-access/block-legacy-authentication
IM-7 Identity Management 12.11 - Require All Remote Logins to Use Multi-Factor Authentication 3.3 - Configure Data Access Control Lists AC-2: ACCOUNT MANAGEMENT 7.2 Restrict resource access based on conditions Explicitly validate trusted signals to allow or deny user access to resources, as part of a zero-trust access model. Signals to validate should include strong authentication of user account, behavioral analytics of user account, device trustworthiness, user or group membership, locations and so on. Use Azure AD conditional access for more granular access controls based on user-defined conditions, such as requiring user logins from certain IP ranges (or devices) to use MFA. Azure AD Conditional Access allows you to enforce access controls on your organization’s apps based on certain conditions. Azure Conditional Access overview: Create IAM policy and define conditions for more granular access controls based on user-defined conditions, such as requiring user logins from certain IP ranges (or devices) to use multi-factor authentication. Condition settings may include single or multiple conditions as well as logic. Policies and permissions in IAM: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
12.12 - Manage All Devices Remotely Logging Into Internal Network 6.4 - Require MFA for Administrative Access AC-3: ACCESS ENFORCEMENT https://docs.microsoft.com/azure/active-directory/conditional-access/overview https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
14.6 - Protect Information Through Access Control Lists 13.5 - Manage Access Control for Remote Assets AC-6: LEAST PRIVILEGE Define the applicable conditions and criteria for Azure AD conditional access in the workload. Consider the following common use cases: Policies can be defined from six different dimensions: identity-based policies, resource-based policies, permissions boundaries, AWS Organizations service control policy (SCP) , Access Control Lists(ACL), and session policies. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
16.3 - Require Multi-Factor Authentication - Requiring multi-factor authentication for users with administrative roles Common Conditional Access policies: Conditions key table:
- Requiring multi-factor authentication for Azure management tasks https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html#context_keys_table Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Blocking sign-ins for users attempting to use legacy authentication protocols
- Requiring trusted locations for Azure AD Multi-Factor Authentication registration Conditional Access insights and reporting: Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
- Blocking or granting access from specific locations https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting
- Blocking risky sign-in behaviors
- Requiring organization-managed devices for specific applications Configure authentication session management with Conditional Access:
https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime
Note: Granular authentication session management controls can also be implemented through Azure AD conditional access policies such as sign-in frequency and persistent browser session.
IM-8 Identity Management 18.1 - Establish Secure Coding Practices 16.9 - Train Developers in Application Security Concepts and Secure Coding IA-5: AUTHENTICATOR MANAGEMENT 3.5 Restrict the exposure of credential and secrets Ensure that application developers securely handle credentials and secrets: When using a managed identity is not an option, ensure that secrets and credentials are stored in secure locations such as Azure Key Vault, instead of embedding them into the code and configuration files. How to setup Credential Scanner: When using an IAM role for application access is not an option, ensure that secrets and credentials are stored in secure locations such as AWS Secret Manager or Systems Manager Parameter Store, instead of embedding them into the code and configuration files. AWS IAM roles in EC2: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
18.6 - Ensure Software Development Personnel Are Trained in Secure Coding 16.12 - Implement Code-Level Security Checks 6.3 - Avoid embedding the credentials and secrets into the code and configuration files https://secdevtools.azurewebsites.net/helpcredscan.html https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
18.7 - Apply Static and Dynamic Code Analysis Tools 8.2 - Use key vault or a secure key store service to store the credentials and secrets If you use Azure DevOps and GitHub for your code management platform: Use CodeGuru Reviewer for static code analysis which can detect the secrets hard-coded in your source code. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Scan for credentials in source code. - Implement Azure DevOps Credential Scanner to identify credentials within the code. GitHub secret scanning: AWS Secrets Manager integrated services:
- For GitHub, use the native secret scanning feature to identify credentials or other forms of secrets within the code. https://docs.github.com/github/administering-a-repository/about-secret-scanning If you use the Azure DevOps and GitHub for your code management platform: https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating.html
Note: This is often governed and enforced through a secure software development lifecycle (SDLC) and DevOps security process - Implement Azure DevOps Credential Scanner to identify credentials within the code.
Clients such as Azure Functions, Azure Apps services, and VMs can use managed identities to access Azure Key Vault securely. See Data Protection controls related to the use of Azure Key Vault for secrets management. - For GitHub, use the native secret scanning feature to identify credentials or other forms of secrets within the code. CodeGuru Reviewer Secrets Detection:
https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/recommendations.html
Note: Azure Key Vault provides automatic rotation for supported services. For secrets which cannot be automatically rotated, ensure they are manually rotated periodically and purged when no longer in use. Note: Secrets Manager provides automatic secrets rotation for supported services. For secrets which cannot be automatically rotated, ensure they are manually rotated periodically and purged when no longer in use.
IM-9 Identity Management 12.10 Decrypt Network Traffic at Proxy 6.7 - Centralize Access Control AC-2: ACCOUNT MANAGEMENT nan Secure user access to existing applications In a hybrid environment, where you have on-premises applications or non-native cloud applications using legacy authentication, consider solutions such as cloud access security broker (CASB), application proxy, single sign-on (SSO) to govern the access to these applications for the following benefits: Protect your on-premises and non-native cloud applications using legacy authentication by connecting them to: Azure AD Application Proxy: Follow Azure's guidance to protect your on-premises and non-native cloud applications using legacy authentication by connecting them to: AWS Marketplace Application Proxy solutions: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
16.2 Configure Centralized Point of Authentication 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA) AC-3: ACCESS ENFORCEMENT - Enforce a centralized strong authentication - Azure AD Application Proxy and configure header-based authentication to allow single sign-on (SSO) access to the applications for remote users while explicitly validating the trustworthiness of both remote users and devices with Azure AD Conditional Access. If required, use a third-party Software-Defined Perimeter (SDP) solution which can offer similar functionality. https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy - Azure AD Application Proxy and configure header-based authentication to allow single sign-on (SSO) access to the applications for remote users while explicitly validating the trustworthiness of both remote users and devices with Azure AD Conditional Access. If required, use a third-party Software-Defined Perimeter (SDP) solution which can offer similar functionality. https://aws.amazon.com/marketplace/search/results?searchTerms=Application+proxy
SC-11: TRUSTED PATH - Monitor and control risky end-user activities - Microsoft Defender for Cloud Apps which serves as a cloud access security broker (CASB) service to monitor and block user access to unapproved third-party SaaS applications. - Microsoft Defender for Cloud Apps which serves as a cloud access security broker (CASB) service to monitor and block user access to unapproved third-party SaaS applications. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Monitor and remediate risky legacy applications activities - Your existing third-party application delivery controllers and networks. Microsoft Cloud App Security best practices: - Your existing third-party application delivery controllers and networks. AWS Marketplace CASB solutions:
- Detect and prevent sensitive data transmission https://docs.microsoft.com/cloud-app-security/best-practices https://aws.amazon.com/marketplace/search/results?searchTerms=CASB Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Note: VPNs are commonly used to access legacy applications and often only have basic access control and limited session monitoring. Note: VPNs are commonly used to access legacy applications and often only have basic access control and limited session monitoring.
Azure AD secure hybrid access:
https://docs.microsoft.com/azure/active-directory/manage-apps/secure-hybrid-access
\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Identity Management

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context: Customer Security Stakeholders:
IM-1 Identity Management 16.1 - Maintain an Inventory of 6.7 - Centralize Access Control AC-2: ACCOUNT MANAGEMENT 7.2 Use centralized identity and authentication system Use a centralized identity and authentication system to govern your organization's identities and authentications for cloud and non-cloud resources. Azure Active Directory (Azure AD) is Azure's identity and authentication management service. You should standardize on Azure AD to govern your organization's identity and authentication in: Tenancy in Azure AD: AWS IAM (Identity and Access Management) is AWS' default identity and authentication management service. Use AWS IAM to govern your AWS identity and access management. Alternatively, through AWS and Azure Sigle Sign-On (SSO), you can also use Azure AD to manage the identity and access control of AWS to avoid managing duplicate accounts separately in two cloud platforms. AWS IAM: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
Authentication Systems 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA) AC-3: ACCESS ENFORCEMENT 8.3 - Microsoft cloud resources, such as Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications. https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
16.2 - Configure Centralized IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) - Your organization's resources, such as applications on Azure, third-party applications running on your corporate network resources, and third-party SaaS applications. AWS supports Single Sign-On which allows you to bridge your corporate's third party identities (such as Windows Active Directory, or other identity stores) with the AWS identities to avoid creating duplicate accounts to access AWS resources. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Point of Authentication IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) - Your enterprise identities in Active Directory by synchronization to Azure AD to ensure a consistent and centrally managed identity strategy. How to create and configure an Azure AD instance: AWS Single Sign-On:
https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant https://docs.aws.amazon.com/singlesignon/index.html Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
For the Azure services that apply, avoid use of local authentication methods and instead use Azure Active Directory to centralize your service authentications.
Define Azure AD tenants: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Note: As soon as it is technically feasible, you should migrate on-premises Active Directory-based applications to Azure AD. This could be an Azure AD Enterprise Directory, Business to Business configuration, or Business to consumer configuration. https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/
Use external identity providers for an application:
https://docs.microsoft.com/azure/active-directory/b2b/identity-providers
ID: IM-2
Control Domain: Identity Management
CIS Controls v7.1: 4.3 - Ensure the Use of Dedicated Administrative Accounts; 4.5 - Use Multi-Factor Authentication for All Administrative Access
CIS Controls v8: 5.4 - Restrict Administrator Privileges to Dedicated Administrator Accounts; 6.5 - Require MFA for Administrative Access
NIST SP800-53 r4: AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS); IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS); SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS v3.2.1: 8.2; 8.3
Recommendation: Protect identity and authentication systems
Security Principle: Secure your identity and authentication system as a high priority in your organization's cloud security practice. Common security controls include:
- Restrict privileged roles and accounts
- Require strong authentication for all privileged access
- Monitor and audit high risk activities
Azure Guidance: Use the Azure AD security baseline and the Azure AD Identity Secure Score to evaluate your Azure AD identity security posture, and remediate security and configuration gaps. The Azure AD Identity Secure Score evaluates Azure AD for the following configurations:
- Use limited administrative roles
- Turn on user risk policy
- Designate more than one global admin
- Enable policy to block legacy authentication
- Ensure all users can complete multi-factor authentication for secure access
- Require MFA for administrative roles
- Enable self-service password reset
- Do not expire passwords
- Turn on sign-in risk policy
- Do not allow users to grant consent to unmanaged applications
Use Azure AD Identity Protection to detect, investigate, and remediate identity-based risks. To similarly protect your on-premises Active Directory domain, use Defender for Identity.
Note: Follow published best practices for all other identity components, including your on-premises Active Directory and any third-party capabilities, and the infrastructure (such as operating systems, networks, databases) that hosts them.
Implementation and additional context (Azure):
- What is the identity secure score in Azure AD: https://docs.microsoft.com/azure/active-directory/fundamentals/identity-secure-score
- Best Practices for Securing Active Directory: https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
- What is Identity Protection? https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
- What is Microsoft Defender for Identity? https://learn.microsoft.com/en-us/defender-for-identity/what-is
AWS Guidance: Use the following security best practices to secure your AWS IAM:
- Set up AWS account root user access keys for emergency access as described in PA-5 (Set up emergency access)
- Follow least privilege principles for access assignments
- Leverage IAM groups to apply policies instead of individual user(s)
- Follow strong authentication guidance in IM-6 (Use strong authentication controls) for all users
- Use AWS Organizations SCP (Service Control Policy) and permission boundaries
- Use IAM Access Advisor to audit service access
- Use the IAM credential report to track user accounts and credential status
Note: Follow published best practices if you have other identity and authentication systems, e.g., follow the Azure AD security baseline if you use Azure AD to manage AWS identity and access.
Implementation and additional context (AWS):
- Security Best Practice in IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
- IAM Access Advisor: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html
- IAM Credential Report: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
Customer Security Stakeholders:
- Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
- Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
ID: IM-3
Control Domain: Identity Management
CIS Controls v7.1: N/A
CIS Controls v8: N/A
NIST SP800-53 r4: AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; IA-4: IDENTIFIER MANAGEMENT; IA-5: AUTHENTICATOR MANAGEMENT; IA-9: SERVICE IDENTIFICATION AND AUTHENTICATION
PCI-DSS v3.2.1: N/A
Recommendation: Manage application identities securely and automatically
Security Principle: Use managed application identities instead of creating human accounts for applications to access resources and execute code. Managed application identities provide benefits such as reducing the exposure of credentials. Automate the rotation of credentials to ensure the security of the identities.
Azure Guidance: Use Azure managed identities, which can authenticate to Azure services and resources that support Azure AD authentication. Managed identity credentials are fully managed, rotated, and protected by the platform, avoiding hard-coded credentials in source code or configuration files.
For services that don't support managed identities, use Azure AD to create a service principal with restricted permissions at the resource level. It is recommended to configure service principals with certificate credentials and fall back to client secrets for authentication.
Implementation and additional context (Azure):
- Azure managed identities: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview
- Services that support managed identities for Azure resources: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities
- Azure service principal: https://docs.microsoft.com/powershell/azure/create-azure-service-principal-azureps
- Create a service principal with certificates: https://docs.microsoft.com/azure/active-directory/develop/howto-authenticate-service-principal-powershell
AWS Guidance: Use AWS IAM roles instead of creating user accounts for resources that support this feature. IAM roles are managed by the platform at the backend and the credentials are temporary and rotated automatically. This avoids creating long-term access keys or a username/password for applications and hard-coded credentials in source code or configuration files.
You may use service-linked roles, which come with pre-defined permission policies for access between AWS services, instead of customizing your own role permissions for the IAM roles.
Note: For services that don't support IAM roles, use access keys but follow security best practices such as IM-8 (Restrict the exposure of credential and secrets) to secure your keys.
Implementation and additional context (AWS):
- AWS IAM Roles: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
- Providing access to an AWS service: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html
Customer Security Stakeholders:
- Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
- Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
ID: IM-4
Control Domain: Identity Management
CIS Controls v7.1: N/A
CIS Controls v8: N/A
NIST SP800-53 r4: IA-9: SERVICE IDENTIFICATION AND AUTHENTICATION
PCI-DSS v3.2.1: N/A
Recommendation: Authenticate server and services
Security Principle: Authenticate remote servers and services from your client side to ensure you are connecting to trusted servers and services. The most common server authentication protocol is Transport Layer Security (TLS), where the client side (often a browser or client device) verifies the server by verifying that the server's certificate was issued by a trusted certificate authority.
Note: Mutual authentication can be used when both the server and the client authenticate one another.
Azure Guidance: Many Azure services support TLS authentication by default. For services that don't support this by default or that allow TLS to be disabled, ensure it is always enabled to support server/service authentication. Your client application should also be designed to verify server/service identity (by verifying that the server's certificate was issued by a trusted certificate authority) in the handshake stage.
Note: Services such as API Management and API Gateway support TLS mutual authentication.
Implementation and additional context (Azure):
- Enforce Transport Layer Security (TLS) for a storage account: https://docs.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal#use-azure-policy-to-enforce-the-minimum-tls-version
AWS Guidance: Many AWS services support TLS authentication by default. For services that don't support this by default or that allow TLS to be disabled, ensure it is always enabled to support server/service authentication. Your client application should also be designed to verify server/service identity (by verifying that the server's certificate was issued by a trusted certificate authority) in the handshake stage.
Note: Services such as API Gateway support TLS mutual authentication.
Implementation and additional context (AWS):
- AWS Certificate Manager certificate pinning: https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-pinning
- SSL certificate for backend authentication: https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
Customer Security Stakeholders:
- Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
- Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
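The client-side half of IM-4, as an added example that is not the benchmark's or either vendor's code: a Python ssl context that validates the server's certificate chain and hostname during the handshake (with an optional client certificate for mutual TLS), the anti-pattern beside it, and an audit function that flags the settings a reviewer would reject. The certificate paths are hypothetical.

```python
"""Client-side TLS server authentication (IM-4) with Python's ssl module.

Added example, not the benchmark's or a vendor's code. Shows a hardened
client context beside the anti-pattern, plus an audit that flags the
settings that silently disable server/service authentication.
"""
import socket
import ssl


def hardened_client_context(client_cert=None, client_key=None):
    """Context that authenticates the server during the handshake.

    create_default_context() loads the platform's trusted CA store and
    requires a valid chain and a matching hostname. client_cert/client_key
    (hypothetical file paths) enable mutual TLS when the service requires it.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1
    ctx.check_hostname = True                     # name in cert must match
    ctx.verify_mode = ssl.CERT_REQUIRED           # chain must validate
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def weak_client_context():
    """The anti-pattern: accepts any certificate. Built only so it can be audited."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def audit_context(ctx):
    """Return the findings that would fail an IM-4 review; an empty list means OK."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    return findings


def connect_and_verify(host, port=443, ctx=None, timeout=5.0):
    """Open a verified TLS connection; return the negotiated version and peer subject.

    Needs network access, so it is not exercised by the offline checks.
    """
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname drives both SNI and the hostname check.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return tls.version(), dict(x[0] for x in cert["subject"])


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        print(name, audit_context(ctx) or "no findings")
```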
ID: IM-5
Control Domain: Identity Management
CIS Controls v7.1: 16.2 - Configure Centralized Point of Authentication
CIS Controls v8: 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA)
NIST SP800-53 r4: IA-4: IDENTIFIER MANAGEMENT; IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS); IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
PCI-DSS v3.2.1: N/A
Recommendation: Use single sign-on (SSO) for application access
Security Principle: Use single sign-on (SSO) to simplify the user experience for authenticating to resources including applications and data across cloud services and on-premises environments.
Azure Guidance: Use Azure AD for workload application access (customer facing) through Azure AD single sign-on (SSO), reducing the need for duplicate accounts. Azure AD provides identity and access management to Azure resources (in the management plane including CLI, PowerShell, portal), cloud applications, and on-premises applications.
Azure AD also supports SSO for enterprise identities such as corporate user identities, as well as external user identities from trusted third-party and public users.
Implementation and additional context (Azure):
- Understand application SSO with Azure AD: https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on
AWS Guidance: Use AWS Cognito to manage access to your customer facing workload application through single sign-on (SSO) to allow customers to bridge their third-party identities from different identity providers.
For SSO access to the AWS native resources (including AWS console access or service management and data plane level access), use AWS Single Sign-On to reduce the need for duplicate accounts.
AWS SSO also allows you to bridge corporate identities (such as identities from Azure Active Directory) with AWS identities, as well as external user identities from trusted third-party and public users.
Implementation and additional context (AWS):
- AWS Single Sign-On: https://docs.aws.amazon.com/singlesignon/
- AWS Cognito Single Sign-On, adding SAML identity providers: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html
Customer Security Stakeholders:
- Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
- Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
ID: IM-6
Control Domain: Identity Management
CIS Controls v7.1: 4.2 - Change Default Passwords; 4.5 - Use Multifactor Authentication For All Administrative Access; 12.11 - Require All Remote Logins to Use Multi-Factor Authentication; 16.3 - Require Multi-Factor Authentication
CIS Controls v8: 6.3 - Require MFA for Externally-Exposed Applications; 6.4 - Require MFA for Administrative Access
NIST SP800-53 r4: AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS); IA-5: AUTHENTICATOR MANAGEMENT; IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
PCI-DSS v3.2.1: 7.2; 8.2; 8.3; 8.4
Recommendation: Use strong authentication controls
Security Principle: Enforce strong authentication controls (strong passwordless authentication or multi-factor authentication) with your centralized identity and authentication management system for all access to resources. Authentication based on password credentials alone is considered legacy, as it is insecure and does not stand up to popular attack methods.
When deploying strong authentication, configure administrators and privileged users first, to ensure the highest level of the strong authentication method, quickly followed by rolling out the appropriate strong authentication policy to all users.
Note: If legacy password-based authentication is required for legacy applications and scenarios, ensure password security best practices, such as complexity requirements, are followed.
For third-party applications and services that may have default IDs and passwords, you should disable or change them during initial service setup.
Azure Guidance: Azure AD supports strong authentication controls through passwordless methods and multi-factor authentication (MFA).
- Passwordless authentication: Use passwordless authentication as your default authentication method. There are three options available in passwordless authentication: Windows Hello for Business, Microsoft Authenticator app phone sign-in, and FIDO2 security keys. In addition, customers can use on-premises authentication methods such as smart cards.
- Multi-factor authentication: Azure MFA can be enforced on all users, select users, or at the per-user level based on sign-in conditions and risk factors. Enable Azure MFA and follow Microsoft Defender for Cloud identity and access management recommendations for your MFA setup.
If legacy password-based authentication is still used for Azure AD authentication, be aware that cloud-only accounts (user accounts created directly in Azure) have a default baseline password policy, and hybrid accounts (user accounts that come from on-premises Active Directory) follow the on-premises password policies.
Implementation and additional context (Azure):
- How to enable MFA in Azure: https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted
- Introduction to passwordless authentication options for Azure Active Directory: https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless
- Azure AD default password policy: https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts
- Eliminate bad passwords using Azure AD Password Protection: https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad
- Block legacy authentication: https://docs.microsoft.com/azure/active-directory/conditional-access/block-legacy-authentication
AWS Guidance: AWS IAM supports strong authentication controls through multi-factor authentication (MFA). MFA can be enforced on all users, select users, or at the per-user level based on defined conditions.
If you use corporate accounts from a third-party directory (such as Windows Active Directory) with AWS identities, follow the respective security guidance to enforce strong authentication. Refer to the Azure Guidance for this control if you use Azure AD to manage AWS access.
Note: For third-party applications and AWS services that may have default IDs and passwords, you should disable or change them during initial service setup.
Implementation and additional context (AWS):
- Using multi-factor authentication (MFA) in AWS: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html
- IAM supported MFA form factors: https://aws.amazon.com/iam/features/mfa/
Customer Security Stakeholders:
- Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
- Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
ID: IM-7
Control Domain: Identity Management
CIS Controls v7.1: 12.11 - Require All Remote Logins to Use Multi-Factor Authentication; 12.12 - Manage All Devices Remotely Logging Into Internal Network; 14.6 - Protect Information Through Access Control Lists; 16.3 - Require Multi-Factor Authentication
CIS Controls v8: 3.3 - Configure Data Access Control Lists; 6.4 - Require MFA for Administrative Access; 13.5 - Manage Access Control for Remote Assets
NIST SP800-53 r4: AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; AC-6: LEAST PRIVILEGE
PCI-DSS v3.2.1: 7.2
Recommendation: Restrict resource access based on conditions
Security Principle: Explicitly validate trusted signals to allow or deny user access to resources, as part of a zero-trust access model. Signals to validate should include strong authentication of the user account, behavioral analytics of the user account, device trustworthiness, user or group membership, location, and so on.
Azure Guidance: Use Azure AD conditional access for more granular access controls based on user-defined conditions, such as requiring user logins from certain IP ranges (or devices) to use MFA. Azure AD Conditional Access allows you to enforce access controls on your organization's apps based on certain conditions.
Define the applicable conditions and criteria for Azure AD conditional access in the workload. Consider the following common use cases:
- Requiring multi-factor authentication for users with administrative roles
- Requiring multi-factor authentication for Azure management tasks
- Blocking sign-ins for users attempting to use legacy authentication protocols
- Requiring trusted locations for Azure AD Multi-Factor Authentication registration
- Blocking or granting access from specific locations
- Blocking risky sign-in behaviors
- Requiring organization-managed devices for specific applications
Note: Granular authentication session management controls can also be implemented through Azure AD conditional access policies such as sign-in frequency and persistent browser session.
Implementation and additional context (Azure):
- Azure Conditional Access overview: https://docs.microsoft.com/azure/active-directory/conditional-access/overview
- Common Conditional Access policies: https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common
- Conditional Access insights and reporting: https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting
- Configure authentication session management with Conditional Access: https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime
AWS Guidance: Create IAM policies and define conditions for more granular access controls based on user-defined conditions, such as requiring user logins from certain IP ranges (or devices) to use multi-factor authentication. Condition settings may include single or multiple conditions as well as logic.
Policies can be defined from six different dimensions: identity-based policies, resource-based policies, permissions boundaries, AWS Organizations service control policies (SCP), Access Control Lists (ACL), and session policies.
Implementation and additional context (AWS):
- Policies and permissions in IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
- Condition keys table: https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html#context_keys_table
Customer Security Stakeholders:
- Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
- Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
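The condition logic IM-7 describes for IAM policies, as an added example that is not the benchmark's or AWS's code: a small evaluator for the subset of the policy language used here (explicit deny over allow, Bool/BoolIfExists, StringEquals, IpAddress/NotIpAddress), run over a constructed policy that requires MFA for every action and restricts writes to a placeholder corporate range. It uses BoolIfExists so that a session with no MFA context at all, such as a long-term access key, is also denied; the real IAM engine evaluates far more than this.

```python
"""Minimal evaluator for IAM policy Condition logic (IM-7).

Added example; it is not the benchmark's or AWS's code and covers only the
subset of the IAM policy language used here: Effect, Action, Condition with
Bool/BoolIfExists, StringEquals and IpAddress/NotIpAddress. Use it to reason
about a policy's conditions, not as a substitute for the real IAM engine.
"""
import fnmatch
import ipaddress
import json

# Constructed sample policy: allow two S3 actions, deny everything unless the
# session is MFA-authenticated, and deny writes from outside 203.0.113.0/24
# (a documentation range standing in for a corporate network).
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowS3ReadWrite", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
    {"Sid": "DenyWithoutMfa", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Sid": "DenyWritesOffNetwork", "Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, key, expected, context):
    """Evaluate one operator/key pair against the request context."""
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    if key not in context:
        # A plain Bool on a missing key does NOT match, so a long-term-key
        # session that carries no aws:MultiFactorAuthPresent key would slip
        # past a Bool-based deny; IfExists treats the missing key as a match.
        return if_exists
    actual = str(context[key])
    expected = [str(v) for v in _as_list(expected)]
    if base == "Bool":
        return actual.lower() in {v.lower() for v in expected}
    if base == "StringEquals":
        return actual in expected
    if base in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(actual)
        inside = any(ip in ipaddress.ip_network(c, strict=False) for c in expected)
        return inside if base == "IpAddress" else not inside
    raise ValueError(f"unsupported condition operator: {operator}")


def _statement_applies(stmt, action, context):
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    # Every operator and every key inside a Condition block is ANDed.
    return all(
        _condition_holds(op, key, expected, context)
        for op, keys in stmt.get("Condition", {}).items()
        for key, expected in keys.items()
    )


def evaluate(policy, action, context):
    """Return "Allow" or "Deny": explicit Deny wins, then Allow, else implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed request contexts.
MFA_ON_NETWORK = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.17"}
MFA_OFF_NETWORK = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "198.51.100.9"}
NO_MFA_KEY = {"aws:SourceIp": "203.0.113.17"}  # long-term access key: no MFA context at all

if __name__ == "__main__":
    for name, ctx in (("mfa-on-network", MFA_ON_NETWORK),
                      ("mfa-off-network", MFA_OFF_NETWORK),
                      ("no-mfa-key", NO_MFA_KEY)):
        for action in ("s3:GetObject", "s3:PutObject"):
            print(f"{name:16} {action:13} {evaluate(POLICY, action, ctx)}")
```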
ID: IM-8
Control Domain: Identity Management
CIS Controls v7.1: 18.1 - Establish Secure Coding Practices; 18.6 - Ensure Software Development Personnel Are Trained in Secure Coding; 18.7 - Apply Static and Dynamic Code Analysis Tools
CIS Controls v8: 16.9 - Train Developers in Application Security Concepts and Secure Coding; 16.12 - Implement Code-Level Security Checks
NIST SP800-53 r4: IA-5: AUTHENTICATOR MANAGEMENT
PCI-DSS v3.2.1: 3.5; 6.3; 8.2
Recommendation: Restrict the exposure of credential and secrets
Security Principle: Ensure that application developers securely handle credentials and secrets:
- Avoid embedding the credentials and secrets into the code and configuration files
- Use key vault or a secure key store service to store the credentials and secrets
- Scan for credentials in source code
Note: This is often governed and enforced through a secure software development lifecycle (SDLC) and DevOps security process.
Azure Guidance: When using a managed identity is not an option, ensure that secrets and credentials are stored in secure locations such as Azure Key Vault, instead of embedding them into the code and configuration files.
If you use Azure DevOps and GitHub for your code management platform:
- Implement Azure DevOps Credential Scanner to identify credentials within the code.
- For GitHub, use the native secret scanning feature to identify credentials or other forms of secrets within the code.
Clients such as Azure Functions, Azure App Service, and VMs can use managed identities to access Azure Key Vault securely. See the Data Protection controls related to the use of Azure Key Vault for secrets management.
Note: Azure Key Vault provides automatic rotation for supported services. For secrets which cannot be automatically rotated, ensure they are manually rotated periodically and purged when no longer in use.
Implementation and additional context (Azure):
- How to set up Credential Scanner: https://secdevtools.azurewebsites.net/helpcredscan.html
- GitHub secret scanning: https://docs.github.com/github/administering-a-repository/about-secret-scanning
AWS Guidance: When using an IAM role for application access is not an option, ensure that secrets and credentials are stored in secure locations such as AWS Secrets Manager or Systems Manager Parameter Store, instead of embedding them into the code and configuration files.
Use CodeGuru Reviewer for static code analysis, which can detect secrets hard-coded in your source code.
If you use Azure DevOps and GitHub for your code management platform:
- Implement Azure DevOps Credential Scanner to identify credentials within the code.
- For GitHub, use the native secret scanning feature to identify credentials or other forms of secrets within the code.
Note: Secrets Manager provides automatic secrets rotation for supported services. For secrets which cannot be automatically rotated, ensure they are manually rotated periodically and purged when no longer in use.
Implementation and additional context (AWS):
- AWS IAM roles in EC2: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
- AWS Secrets Manager integrated services: https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating.html
- CodeGuru Reviewer Secrets Detection: https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/recommendations.html
Customer Security Stakeholders:
- Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
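A pre-commit style credential scanner in the spirit of the "scan for credentials in source code" step, as an added example that is neither Credential Scanner, GitHub secret scanning nor CodeGuru: a few narrow rules for the credential formats named above run over a constructed source file, with a gate function that blocks the commit on any finding. Every key-shaped value in the sample is constructed.

```python
"""Scan source text for hard-coded credentials before it is committed (IM-8).

Added example; not Credential Scanner, GitHub secret scanning or CodeGuru.
Rules are deliberately narrow to keep false positives low, and every
secret-looking value in the sample below is constructed, not a real credential.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    redacted: str


# Rule name -> pattern. AWS access key IDs start with AKIA/ASIA and are 20
# characters; Azure storage keys appear as AccountKey=<base64> in connection
# strings; the last two catch quoted password literals and PEM private keys.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "azure-storage-account-key": re.compile(r"AccountKey=[A-Za-z0-9+/]{40,}={0,2}"),
    "password-literal": re.compile(
        r"(?i)(?:password|passwd|pwd|secret)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Values injected at deploy/run time through templating are not secrets in the repo.
TEMPLATED = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}|<[A-Za-z_ -]+>")


def redact(value):
    """Keep a short prefix so the finding is recognisable without re-leaking it."""
    return value[:4] + "*" * max(len(value) - 4, 4)


def scan(text):
    """Return a Finding for each line that matches a rule, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if TEMPLATED.search(line):
            continue
        for rule, pattern in RULES.items():
            match = pattern.search(line)
            if match:
                findings.append(Finding(line_no, rule, redact(match.group(0))))
    return findings


def gate(text):
    """Pre-commit gate: True when the text is clean and the commit may proceed."""
    return not scan(text)


# Constructed sample file. Lines 2-4 embed secrets; lines 5-6 show the
# recommended shape (value supplied from Key Vault / Secrets Manager at runtime).
SAMPLE_SOURCE = "\n".join([
    "import os",
    'AWS_ACCESS_KEY_ID = "AKIA' + "A" * 16 + '"  # constructed, matches the key format only',
    'DB_PASSWORD = "correct-horse-battery"',
    'STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey='
    + "A" * 88 + '==;"',
    'SAFE_DB_PASSWORD = os.environ["DB_PASSWORD"]  # populated from the vault at runtime',
    'SAFE_TEMPLATE = "password: ${DB_PASSWORD}"',
])

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.redacted}")
    print("commit allowed:", gate(SAMPLE_SOURCE))
```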
ID: IM-9
Control Domain: Identity Management
CIS Controls v7.1: 12.10 - Decrypt Network Traffic at Proxy; 16.2 - Configure Centralized Point of Authentication
CIS Controls v8: 6.7 - Centralize Access Control; 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA)
NIST SP800-53 r4: AC-2: ACCOUNT MANAGEMENT; AC-3: ACCESS ENFORCEMENT; SC-11: TRUSTED PATH
PCI-DSS v3.2.1: N/A
Recommendation: Secure user access to existing applications
Security Principle: In a hybrid environment, where you have on-premises applications or non-native cloud applications using legacy authentication, consider solutions such as a cloud access security broker (CASB), application proxy, or single sign-on (SSO) to govern access to these applications for the following benefits:
- Enforce centralized strong authentication
- Monitor and control risky end-user activities
- Monitor and remediate risky legacy application activities
- Detect and prevent sensitive data transmission
Azure Guidance: Protect your on-premises and non-native cloud applications using legacy authentication by connecting them to:
- Azure AD Application Proxy, configured with header-based authentication to allow single sign-on (SSO) access to the applications for remote users while explicitly validating the trustworthiness of both remote users and devices with Azure AD Conditional Access. If required, use a third-party Software-Defined Perimeter (SDP) solution which can offer similar functionality.
- Microsoft Defender for Cloud Apps, which serves as a cloud access security broker (CASB) service to monitor and block user access to unapproved third-party SaaS applications.
- Your existing third-party application delivery controllers and networks.
Note: VPNs are commonly used to access legacy applications and often only have basic access control and limited session monitoring.
Implementation and additional context (Azure):
- Azure AD Application Proxy: https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy
- Microsoft Cloud App Security best practices: https://docs.microsoft.com/cloud-app-security/best-practices
- Azure AD secure hybrid access: https://docs.microsoft.com/azure/active-directory/manage-apps/secure-hybrid-access
AWS Guidance: Follow Azure's guidance to protect your on-premises and non-native cloud applications using legacy authentication by connecting them to:
- Azure AD Application Proxy, configured with header-based authentication to allow single sign-on (SSO) access to the applications for remote users while explicitly validating the trustworthiness of both remote users and devices with Azure AD Conditional Access. If required, use a third-party Software-Defined Perimeter (SDP) solution which can offer similar functionality.
- Microsoft Defender for Cloud Apps, which serves as a cloud access security broker (CASB) service to monitor and block user access to unapproved third-party SaaS applications.
- Your existing third-party application delivery controllers and networks.
Note: VPNs are commonly used to access legacy applications and often only have basic access control and limited session monitoring.
Implementation and additional context (AWS):
- AWS Marketplace Application Proxy solutions: https://aws.amazon.com/marketplace/search/results?searchTerms=Application+proxy
- AWS Marketplace CASB solutions: https://aws.amazon.com/marketplace/search/results?searchTerms=CASB
Customer Security Stakeholders:
- Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
\ No newline at end of file diff --git a/Azure/Security/MCSB/Incident Response/index.html b/Azure/Security/MCSB/Incident Response/index.html index 40cd6bf..2af74fe 100644 --- a/Azure/Security/MCSB/Incident Response/index.html +++ b/Azure/Security/MCSB/Incident Response/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
MCSB_v1 - Incident Response

Columns: ID | Control Domain | CIS Controls v7.1 ID(s) | CIS Controls v8 ID(s) | NIST SP800-53 r4 ID(s) | PCI-DSS v3.2.1 ID(s) | Recommendation | Security Principle | Azure Guidance | Implementation and additional context (Azure) | AWS Guidance | Implementation and additional context (AWS) | Customer Security Stakeholders
ID: IR-1
Control Domain: Incident Response
CIS Controls v7.1: 19.1 - Document Incident Response Procedures; 19.7 - Conduct Periodic Incident Scenario Sessions for Personnel
CIS Controls v8: 17.4 - Establish and Maintain an Incident Response Process; 17.7 - Conduct Routine Incident Response Exercises
NIST SP800-53 r4: IR-4: INCIDENT HANDLING; IR-8: INCIDENT RESPONSE PLAN
PCI-DSS v3.2.1: 10.8
Recommendation: Preparation - update incident response plan and handling process
Security Principle: Ensure your organization follows industry best practice to develop processes and plans to respond to security incidents on the cloud platforms. Be mindful of the shared responsibility model and the variances across IaaS, PaaS, and SaaS services. This will have a direct impact on how you collaborate with your cloud provider in incident response and handling activities, such as incident notification and triage, evidence collection, investigation, eradication, and recovery.
Regularly test the incident response plan and handling process to ensure they're up to date.
Azure Guidance: Update your organization's incident response process to include the handling of incidents in the Azure platform. Based on the Azure services used and your application nature, customize the incident response plan and playbook to ensure they can be used to respond to incidents in the cloud environment.
Implementation and additional context (Azure):
- Implement security across the enterprise environment: https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#4-process-update-incident-response-processes-for-cloud
- Incident response reference guide: https://docs.microsoft.com/microsoft-365/downloads/IR-Reference-Guide.pdf
- NIST SP800-61 Computer Security Incident Handling Guide: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
- Incident response overview: https://docs.microsoft.com/en-us/security/compass/incident-response-overview
AWS Guidance: Update your organization's incident response process to include the handling of incidents. Ensure a unified multi-cloud incident response plan is in place by updating your organization's incident response process to include the handling of incidents in the AWS platform. Based on the AWS services used and your application nature, follow the AWS Security Incident Response Guide to customize the incident response plan and playbook to ensure they can be used to respond to incidents in the cloud environment.
Implementation and additional context (AWS):
- AWS Security Incident Response Guide: https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/welcome.html
Customer Security Stakeholders:
- Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
- Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
- Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
ID: IR-2
Control Domain: Incident Response
CIS Controls v7.1: 19.2 - Assign Job Titles and Duties for Incident Response; 19.3 - Designate Management Personnel to Support Incident Handling; 19.4 - Devise Organization-wide Standards for Reporting Incidents; 19.5 - Maintain Contact Information For Reporting Security Incidents
CIS Controls v8: 17.1 - Designate Personnel to Manage Incident Handling; 17.3 - Establish and Maintain an Enterprise Process for Reporting Incidents; 17.6 - Define Mechanisms for Communicating During Incident Response
NIST SP800-53 r4: IR-4: INCIDENT HANDLING; IR-8: INCIDENT RESPONSE PLAN; IR-5: INCIDENT MONITORING; IR-6: INCIDENT REPORTING
PCI-DSS v3.2.1: 12.1
Recommendation: Preparation - set up incident contact information
Security Principle: Ensure the security alerts and incident notifications from the cloud service provider's platform and your environments can be received by the correct contact in your incident response organization.
Azure Guidance: Set up security incident contact information in Microsoft Defender for Cloud. This contact information is used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alerts and notifications in different Azure services based on your incident response needs.
Implementation and additional context (Azure):
- How to set the Microsoft Defender for Cloud security contact: https://docs.microsoft.com/azure/security-center/security-center-provide-security-contact-details
AWS Guidance: Set up security incident contact information in AWS Systems Manager Incident Manager (the incident management center for AWS). This contact information is used for incident management communication between you and AWS through the different channels (i.e., email, SMS, or voice). You can define a contact's engagement plan and escalation plan to describe how and when Incident Manager engages the contact and how to escalate if the contact(s) does not respond to an incident.
Implementation and additional context (AWS):
- Incident Manager Contact: https://docs.aws.amazon.com/incident-manager/latest/userguide/contacts.html
Customer Security Stakeholders:
- Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
- Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
ID: IR-3
Control Domain: Incident Response
CIS Controls v7.1: 19.8 - Create Incident Scoring and Prioritization Schema
CIS Controls v8: 17.9 - Establish and Maintain Security Incident Thresholds
NIST SP800-53 r4: IR-4: INCIDENT HANDLING; IR-5: INCIDENT MONITORING; IR-7: INCIDENT RESPONSE ASSISTANCE
PCI-DSS v3.2.1: 10.8
Recommendation: Detection and analysis - create incidents based on high-quality alerts
Security Principle: Ensure you have a process to create high-quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives.
High-quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources.
Azure Guidance: Microsoft Defender for Cloud provides high-quality alerts across many Azure assets. You can use the Microsoft Defender for Cloud data connector to stream the alerts to Microsoft Sentinel. Microsoft Sentinel lets you create advanced alert rules to generate incidents automatically for investigation.
Export your Microsoft Defender for Cloud alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion.
Implementation and additional context (Azure):
- How to configure export: https://docs.microsoft.com/azure/security-center/continuous-export
- How to stream alerts into Microsoft Sentinel: https://docs.microsoft.com/azure/sentinel/connect-azure-security-center
AWS Guidance: Use security tools like Security Hub or GuardDuty and other third-party tools to send alerts to Amazon CloudWatch or Amazon EventBridge so incidents can be automatically created in Incident Manager based on the defined criteria and rule sets. You can also manually create incidents in Incident Manager for further incident handling and tracking.
If you use Microsoft Defender for Cloud to monitor your AWS accounts, you can also use Microsoft Sentinel to monitor and alert on the incidents identified by Microsoft Defender for Cloud on AWS resources.
Implementation and additional context (AWS):
- Incident creation in Incident Manager: https://docs.aws.amazon.com/incident-manager/latest/userguide/incident-creation.html
- How Defender for Cloud Apps helps protect your Amazon Web Services (AWS) environment: https://docs.microsoft.com/en-us/defender-cloud-apps/protect-aws
Customer Security Stakeholders:
- Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
- Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
- Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
IR-4 Incident Response nan nan IR-4: INCIDENT HANDLING 12.1 Detection and analysis - investigate an incident Ensure the security operation team can query and use diverse data sources as they investigate potential incidents, to build a full view of what happened. Diverse logs should be collected to track the activities of a potential attacker across the kill chain to avoid blind spots. You should also ensure insights and learnings are captured for other analysts and for future historical reference. Ensure your security operations team can query and use diverse data sources that are collected from the in-scope services and systems. In addition, it sources can also include: Snapshot a Windows machine's disk: The data sources for investigation are the centralized logging sources that collect from the in-scope services and running systems, but can also include: Traffic Mirroring: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
- Identity and access log data: Use Azure AD logs and workload (such as operating systems or application level) access logs for correlating identity and access events. https://docs.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk - Identity and access log data: Use IAM logs and workload (such as operating systems or application level) access logs for correlating identity and access events. https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html
Use the cloud native SIEM and incident management solution if your organization does not have an existing solution to aggregate security logs and alerts information. Correlate incident data based on the data sourced from different sources to facility the incident investigations. - Network data: Use network security groups' flow logs, Azure Network Watcher, and Azure Monitor to capture network flow logs and other analytics information. - Network data: Use VPC Flow Logs, VPC Traffic Mirrors, and Azure CloudTrail and CloudWatch to capture network flow logs and other analytics information. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
- Incident related activity data of from snapshots of the impacted systems, which can be obtained through: Snapshot a Linux machine's disk: - Snapshots of running systems, which can be obtained through: Creating EBS volume backups with AMIs and EBS snapshots:
a) The azure virtual machine's snapshots capability, to create a snapshot of the running system's disk. https://docs.microsoft.com/azure/virtual-machines/linux/snapshot-copy-managed-disk a) Snapshot capability in Amazon EC2(EBS) to create a snapshot of the running system's disk. https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/ec2-backup.html Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
b) The operating system's native memory dump capability, to create a snapshot of the running system's memory. b) The operating system's native memory dump capability, to create a snapshot of the running system's memory.
c) The snapshot feature of the other supported Azure services or your software's own capability, to create snapshots of the running systems. Microsoft Azure Support diagnostic information and memory dump collection: c) The snapshot feature of the AWS services or your software's own capability, to create snapshots of the running systems. https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/use-immutable-storage.html
https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/
Microsoft Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information during an investigation can be associated with an incident for tracking and reporting purposes. If you aggregate your SIEM related data into Microsoft Sentinel, it provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information during an investigation can be associated with an incident for tracking and reporting purposes.
Investigate incidents with Azure Sentinel:
Note: When incident related data is captured for investigation, ensure there is adequate security in place to protect the data from unauthorized alteration, such as disabling logging or removing logs, which can be performed by the attackers during an in-flight data breach activity. https://docs.microsoft.com/azure/sentinel/tutorial-investigate-cases Note: When incident related data is captured for investigation, ensure there is adequate security in place to protect the data from unauthorized alteration, such as disabling logging or removing logs, which can be performed by the attackers during an in-flight data breach activity.
IR-5 Incident Response 19.8 - Create Incident Scoring and Prioritization Schema 17.4 - Establish and Maintain an Incident Response Process IR-4: INCIDENT HANDLING 12.1 Detection and analysis - prioritize incidents Provide context to security operations teams to help them determine which incidents ought to first be focused on, based on alert severity and asset sensitivity defined in your organization’s incident response plan. Microsoft Defender for Cloud assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Microsoft Defender for Cloud is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert. Security alerts in Microsoft Defender for Cloud: For each incident created in the Incident Manager, assign an impact level based on your organization's defined criteria, such as a measure of the severity of the incident and criticality level of the assets impacted. Define your naming convention best practice: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
17.9 - Establish and Maintain Security Incident Thresholds https://docs.microsoft.com/azure/security-center/security-center-alerts-overview https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming
Additionally, mark resources using tags and create a naming system to identify and categorize your cloud resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the resources and environment where the incident occurred. Similarly, Microsoft Sentinel creates alerts and incidents with an assigned severity and other details based on analytics rules. Use analytic rule templates and customize the rules according to your organization's needs to support incident prioritization. Use automation rules in Microsoft Sentinel to manage and orchestrate threat response in order to maximize your security operation's team efficiency and effectiveness, including tagging incidents to classify them. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
Use tags to organize your Azure resources:
https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
Create incidents from Microsoft security alerts:
https://learn.microsoft.com/azure/sentinel/create-incidents-from-alerts
IR-6 Incident Response nan nan IR-4: INCIDENT HANDLING 12.1 Containment, eradication and recovery - automate the incident handling Automate the manual, repetitive tasks to speed up response time and reduce the burden on analysts. Manual tasks take longer to execute, slowing each incident and reducing how many incidents an analyst can handle. Manual tasks also increase analyst fatigue, which increases the risk of human error that causes delays and degrades the ability of analysts to focus effectively on complex tasks. Use workflow automation features in Microsoft Defender for Cloud and Microsoft Sentinel to automatically trigger actions or run a playbooks to respond to incoming security alerts. Playbooks take actions, such as sending notifications, disabling accounts, and isolating problematic networks. Configure workflow automation in Security Center: If you use Microsoft Sentinel to centrally manage your incident, you can also create automated actions or run a playbooks to respond to incoming security alerts. AWS Systems Manager - runbooks and automation: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
IR-5: INCIDENT MONITORING https://docs.microsoft.com/azure/security-center/workflow-automation https://docs.aws.amazon.com/incident-manager/latest/userguide/runbooks.html
IR-6: INCIDENT REPORTING Alternatively, use automation features in AWS System Manager to automatically trigger actions defined in the incident response plan, including notifying the contacts and/or running a runbook to respond to alerts, such as disabling accounts, and isolating problematic networks. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
Set up automated threat responses in Microsoft Defender for Cloud:
https://docs.microsoft.com/azure/security-center/tutorial-security-incident#triage-security-alerts Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
Set up automated threat responses in Microsoft Sentinel:
https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook
IR-7 Incident Response nan 17.8 - Conduct Post-Incident Reviews IR-4 INCIDENT HANDLING 12.1 Post-incident activity - conduct lesson learned and retain evidence Conduct lessons learned in your organization periodically and/or after major incidents, to improve your future capability in incident response and handling. Use the outcome from the lessons learned activity to update your incident response plan, playbook (such as a Microsoft Sentinel playbook) and reincorporate findings into your environments (such as logging and threat detection to address any gaps in logging) to improve your future capability in detecting, responding, and handling of incidents in Azure. Incident response process - Post-incident cleanup: Create incident analysis for a closed incident in Incident Manager using the standard incident analysis template or your own custom template. Use the outcome from the lessons learned activity to update your incident response plan, playbook (such as the AWS Systems Manager runbook and Microsoft Sentinel playbook) and reincorporate findings into your environments (such as logging and threat detection to address any gaps in logging) to improve your future capability in detecting, responding, and handling of the incidents in AWS. Post-incident analysis: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
https://docs.microsoft.com/security/compass/incident-response-process#2-post-incident-cleanup https://docs.aws.amazon.com/incident-manager/latest/userguide/analysis.html
Based on the nature of the incident, retain the evidence related to the incident for the period defined in the incident handling standard for further analysis or legal actions. Keep the evidence collected during the "Detection and analysis - investigate an incident step" such as system logs, network traffic dumps and running system snapshots in storage such as an Azure Storage account for immutable retention. Keep the evidence collected during the "Detection and analysis - investigate an incident step" such as system logs, network traffic dumps and running system snapshot in storage such as an Amazon S3 bucket or Azure Storage account for immutable retention. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Incident Response

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders:
IR-1 Incident Response 19.1 - Document Incident Response Procedures 17.4 - Establish and Maintain an Incident Response Process IR-4: INCIDENT HANDLING 10.8 Preparation - update incident response plan and handling process Ensure your organization follows industry best practice to develop processes and plans to respond to security incidents on the cloud platforms. Be mindful about the shared responsibility model and the variances across IaaS, PaaS, and SaaS services. This will have a direct impact to how you collaborate with your cloud provider in incident response and handling activities, such as incident notification and triage, evidence collection, investigation, eradication, and recovery. Update your organization's incident response process to include the handling of incidents in the Azure platform. Based on the Azure services used and your application nature, customize the incident response plan and playbook to ensure they can be used to respond to the incident in the cloud environment. Implement security across the enterprise environment: Update your organization's incident response process to include the handling of incidents. Ensure a unified multi-cloud incident response plan is in place by updating your organization's incident response process to include the handling of incidents in the AWS platform. Based on the AWS services used and your application nature, follow the AWS Security Incident Response Guide to customize the incident response plan and playbook to ensure they can be used to respond to the incident in the cloud environment. AWS Security Incident Response Guide: https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/welcome.html Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
19.7 - Conduct Periodic Incident Scenario Sessions for Personnel 17.7 - Conduct Routine Incident Response Exercises IR-8: INCIDENT RESPONSE PLAN https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#4-process-update-incident-response-processes-for-cloud
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
Regularly test the incident response plan and handling process to ensure they're up to date. Incident response reference guide:
https://docs.microsoft.com/microsoft-365/downloads/IR-Reference-Guide.pdf Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
NIST SP800-61 Computer Security Incident Handling Guide
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Incident response overview:
https://docs.microsoft.com/en-us/security/compass/incident-response-overview
IR-2 Incident Response 19.2 - Assign Job Titles and Duties for Incident Response 17.1 - Designate Personnel to Manage Incident Handling IR-4: INCIDENT HANDLING 12.1 Preparation - setup incident contact information Ensure the security alerts and incident notification from the cloud service provider's platform and your environments can be received by correct contact in your incident response organization. Set up security incident contact information in Microsoft Defender for Cloud. This contact information is used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alerts and notification in different Azure services based on your incident response needs. How to set the Microsoft Defender for Cloud security contact: Set up security incident contact information in AWS Systems Manager Incident Manager (the incident management center for AWS). This contact information is used for incident management communication between you and AWS through the different channels (i.e., Email, SMS, or Voice). You can define a contact's engagement plan and escalation plan to describe how and when the Incident Manager engages the contact and to escalate if the contact(s) does not response to an incident. Incident Manager Contact: https://docs.aws.amazon.com/incident-manager/latest/userguide/contacts.html Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
19.3 - Designate Management Personnel to Support Incident Handling 17.3 - Establish and Maintain an Enterprise Process for Reporting Incidents IR-8: INCIDENT RESPONSE PLAN https://docs.microsoft.com/azure/security-center/security-center-provide-security-contact-details
19.4 - Devise Organization-wide Standards for Reporting Incidents 17.6 - Define Mechanisms for Communicating During Incident Response IR-5: INCIDENT MONITORING Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
19.5 - Maintain Contact Information For Reporting Security Incidents IR-6: INCIDENT REPORTING
IR-3 Incident Response 19.8 - Create Incident Scoring and Prioritization Schema 17.9 - Establish and Maintain Security Incident Thresholds IR-4: INCIDENT HANDLING 10.8 Detection and analysis - create incidents based on high-quality alerts Ensure you have a process to create high-quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives. Microsoft Defender for Cloud provides high-quality alerts across many Azure assets. You can use the Microsoft Defender for Cloud data connector to stream the alerts to Microsoft Sentinel. Microsoft Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation. How to configure export: Use security tools like SecurityHub or GuardDuty and other third-party tools to send alerts to Amazon CloudWatch or Amazon EventBridge so incidents can be automatically created in Incident Manager based on the defined criteria and rule sets. You can also manually create incidents in the Incident Manager for further incident handling and tracking. Incident creation in Incident Manager: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
IR-5: INCIDENT MONITORING https://docs.microsoft.com/azure/security-center/continuous-export https://docs.aws.amazon.com/incident-manager/latest/userguide/incident-creation.html
IR-7 INCIDENT RESPONSE ASSISTANCE High-quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources. Export your Microsoft Defender for Cloud alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion. If you use Microsoft Defender for Cloud to monitor your AWS accounts, you can also use Microsoft Sentinel to monitor and alert the incidents identified by Microsoft Defender for Cloud on AWS resources. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
How to stream alerts into Microsoft Sentinel: How Defender for Cloud Apps helps protect your Amazon Web Services (AWS) environment:
https://docs.microsoft.com/azure/sentinel/connect-azure-security-center https://docs.microsoft.com/en-us/defender-cloud-apps/protect-aws Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
IR-4 Incident Response nan nan IR-4: INCIDENT HANDLING 12.1 Detection and analysis - investigate an incident Ensure the security operation team can query and use diverse data sources as they investigate potential incidents, to build a full view of what happened. Diverse logs should be collected to track the activities of a potential attacker across the kill chain to avoid blind spots. You should also ensure insights and learnings are captured for other analysts and for future historical reference. Ensure your security operations team can query and use diverse data sources that are collected from the in-scope services and systems. In addition, it sources can also include: Snapshot a Windows machine's disk: The data sources for investigation are the centralized logging sources that collect from the in-scope services and running systems, but can also include: Traffic Mirroring: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
- Identity and access log data: Use Azure AD logs and workload (such as operating systems or application level) access logs for correlating identity and access events. https://docs.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk - Identity and access log data: Use IAM logs and workload (such as operating systems or application level) access logs for correlating identity and access events. https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html
Use the cloud native SIEM and incident management solution if your organization does not have an existing solution to aggregate security logs and alerts information. Correlate incident data based on the data sourced from different sources to facility the incident investigations. - Network data: Use network security groups' flow logs, Azure Network Watcher, and Azure Monitor to capture network flow logs and other analytics information. - Network data: Use VPC Flow Logs, VPC Traffic Mirrors, and Azure CloudTrail and CloudWatch to capture network flow logs and other analytics information. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
- Incident related activity data of from snapshots of the impacted systems, which can be obtained through: Snapshot a Linux machine's disk: - Snapshots of running systems, which can be obtained through: Creating EBS volume backups with AMIs and EBS snapshots:
a) The azure virtual machine's snapshots capability, to create a snapshot of the running system's disk. https://docs.microsoft.com/azure/virtual-machines/linux/snapshot-copy-managed-disk a) Snapshot capability in Amazon EC2(EBS) to create a snapshot of the running system's disk. https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/ec2-backup.html Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
b) The operating system's native memory dump capability, to create a snapshot of the running system's memory. b) The operating system's native memory dump capability, to create a snapshot of the running system's memory.
c) The snapshot feature of the other supported Azure services or your software's own capability, to create snapshots of the running systems. Microsoft Azure Support diagnostic information and memory dump collection: c) The snapshot feature of the AWS services or your software's own capability, to create snapshots of the running systems. https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/use-immutable-storage.html
https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/
Microsoft Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information during an investigation can be associated with an incident for tracking and reporting purposes. If you aggregate your SIEM related data into Microsoft Sentinel, it provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information during an investigation can be associated with an incident for tracking and reporting purposes.
Investigate incidents with Azure Sentinel:
Note: When incident related data is captured for investigation, ensure there is adequate security in place to protect the data from unauthorized alteration, such as disabling logging or removing logs, which can be performed by the attackers during an in-flight data breach activity. https://docs.microsoft.com/azure/sentinel/tutorial-investigate-cases Note: When incident related data is captured for investigation, ensure there is adequate security in place to protect the data from unauthorized alteration, such as disabling logging or removing logs, which can be performed by the attackers during an in-flight data breach activity.
IR-5 Incident Response 19.8 - Create Incident Scoring and Prioritization Schema 17.4 - Establish and Maintain an Incident Response Process IR-4: INCIDENT HANDLING 12.1 Detection and analysis - prioritize incidents Provide context to security operations teams to help them determine which incidents ought to first be focused on, based on alert severity and asset sensitivity defined in your organization’s incident response plan. Microsoft Defender for Cloud assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Microsoft Defender for Cloud is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert. Security alerts in Microsoft Defender for Cloud: For each incident created in the Incident Manager, assign an impact level based on your organization's defined criteria, such as a measure of the severity of the incident and criticality level of the assets impacted. Define your naming convention best practice: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
17.9 - Establish and Maintain Security Incident Thresholds https://docs.microsoft.com/azure/security-center/security-center-alerts-overview https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming
Additionally, mark resources using tags and create a naming system to identify and categorize your cloud resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the resources and environment where the incident occurred. Similarly, Microsoft Sentinel creates alerts and incidents with an assigned severity and other details based on analytics rules. Use analytic rule templates and customize the rules according to your organization's needs to support incident prioritization. Use automation rules in Microsoft Sentinel to manage and orchestrate threat response in order to maximize your security operation's team efficiency and effectiveness, including tagging incidents to classify them. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
Use tags to organize your Azure resources:
https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
Create incidents from Microsoft security alerts:
https://learn.microsoft.com/azure/sentinel/create-incidents-from-alerts
IR-6 Incident Response nan nan IR-4: INCIDENT HANDLING 12.1 Containment, eradication and recovery - automate the incident handling Automate the manual, repetitive tasks to speed up response time and reduce the burden on analysts. Manual tasks take longer to execute, slowing each incident and reducing how many incidents an analyst can handle. Manual tasks also increase analyst fatigue, which increases the risk of human error that causes delays and degrades the ability of analysts to focus effectively on complex tasks. Use workflow automation features in Microsoft Defender for Cloud and Microsoft Sentinel to automatically trigger actions or run a playbooks to respond to incoming security alerts. Playbooks take actions, such as sending notifications, disabling accounts, and isolating problematic networks. Configure workflow automation in Security Center: If you use Microsoft Sentinel to centrally manage your incident, you can also create automated actions or run a playbooks to respond to incoming security alerts. AWS Systems Manager - runbooks and automation: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
IR-5: INCIDENT MONITORING https://docs.microsoft.com/azure/security-center/workflow-automation https://docs.aws.amazon.com/incident-manager/latest/userguide/runbooks.html
IR-6: INCIDENT REPORTING Alternatively, use automation features in AWS System Manager to automatically trigger actions defined in the incident response plan, including notifying the contacts and/or running a runbook to respond to alerts, such as disabling accounts, and isolating problematic networks. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
Set up automated threat responses in Microsoft Defender for Cloud:
https://docs.microsoft.com/azure/security-center/tutorial-security-incident#triage-security-alerts Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
Set up automated threat responses in Microsoft Sentinel:
https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook
IR-7 Incident Response nan 17.8 - Conduct Post-Incident Reviews IR-4 INCIDENT HANDLING 12.1 Post-incident activity - conduct lesson learned and retain evidence Conduct lessons learned in your organization periodically and/or after major incidents, to improve your future capability in incident response and handling. Use the outcome from the lessons learned activity to update your incident response plan, playbook (such as a Microsoft Sentinel playbook) and reincorporate findings into your environments (such as logging and threat detection to address any gaps in logging) to improve your future capability in detecting, responding, and handling of incidents in Azure. Incident response process - Post-incident cleanup: Create incident analysis for a closed incident in Incident Manager using the standard incident analysis template or your own custom template. Use the outcome from the lessons learned activity to update your incident response plan, playbook (such as the AWS Systems Manager runbook and Microsoft Sentinel playbook) and reincorporate findings into your environments (such as logging and threat detection to address any gaps in logging) to improve your future capability in detecting, responding, and handling of the incidents in AWS. Post-incident analysis: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
https://docs.microsoft.com/security/compass/incident-response-process#2-post-incident-cleanup https://docs.aws.amazon.com/incident-manager/latest/userguide/analysis.html
Based on the nature of the incident, retain the evidence related to the incident for the period defined in the incident handling standard for further analysis or legal actions. Keep the evidence collected during the "Detection and analysis - investigate an incident step" such as system logs, network traffic dumps and running system snapshots in storage such as an Azure Storage account for immutable retention. Keep the evidence collected during the "Detection and analysis - investigate an incident step" such as system logs, network traffic dumps and running system snapshot in storage such as an Amazon S3 bucket or Azure Storage account for immutable retention. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
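Review bot: in the IR-7 evidence-retention text ("Keep the evidence ... in storage such as an Amazon S3 bucket or Azure Storage account for immutable retention"), the sentence names a storage location but not the control that actually makes it immutable; a bucket or storage account is mutable by default, so the guidance should state that a write-once retention policy (S3 Object Lock on the AWS side, an immutable blob policy on the Azure side) must be enabled on that store, since without it any principal with write access to the bucket can alter or delete the evidence and the "immutable" claim does not hold. Two smaller points in the same hunk: the IR-6 AWS guidance says "AWS System Manager" where the IR-7 text and the product name use "AWS Systems Manager", and the IR-7 row renders the literal string "nan" in the CIS Controls v7.1 column, an empty-cell artifact from the table export that should render as a blank cell; both belong in the source table rather than in the generated HTML.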
\ No newline at end of file diff --git a/Azure/Security/MCSB/Logging and Threat Detection/index.html b/Azure/Security/MCSB/Logging and Threat Detection/index.html index bb90ce9..d62b342 100644 --- a/Azure/Security/MCSB/Logging and Threat Detection/index.html +++ b/Azure/Security/MCSB/Logging and Threat Detection/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Logging and Threat Detection

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 AWS Config Rule (WIP) Customer Security Stakeholders:
LT-1 Logging and threat detection 6.7 - Regularly Review Logs 8.11 - Conduct Audit Log Reviews AU-3: CONTENT OF AUDIT RECORDS Enable threat detection capabilities To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies. Configure your alert filtering and analytics rules to extract high-quality alerts from log data, agents, or other data sources to reduce false positives. Use the threat detection capability of Microsoft Defender for Cloud for the respective Azure services. Introduction to Microsoft Defender for Cloud: Use Amazon GuardDuty for threat detection which analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, and DNS logs. GuardDuty is capable of reporting on security issues such as privilege escalation, exposed credential usage , or communication with malicious IP addresses, or domains. Amazon GuardDuty: nan Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
AU-12: AUDIT GENERATION For threat detection not included in Microsoft Defender services, refer to Microsoft Cloud Security Benchmark service baselines for the respective services to enable the threat detection or security alert capabilities within the service. Ingest alerts and log data from Microsoft Defender for Cloud, Microsoft 365 Defender, and log data from other resources into your Azure Monitor or Microsoft Sentinel instances to build analytics rules, which hunt detect threats and create alerts that match specific criteria across your environment. Configure AWS Config to check rules in SecurityHub for compliance monitoring such as configuration drift, and create findings when needed. Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
SI-4: INFORMATION SYSTEM MONITORING Microsoft Defender for Cloud security alerts reference guide: Amazon GuardDuty data sources:
For Operational Technology (OT) environments that include computers that control or monitor Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) resources, use Microsoft Defender for IoT to inventory assets and detect threats and vulnerabilities. https://docs.microsoft.com/azure/security-center/alerts-reference For threat detection not included in GuardDuty and SecurityHub, enable threat detection or security alert capabilities within the supported AWS services. Extract the alerts to your CloudTrail, CloudWatch, or Microsoft Sentinel to build analytics rules, which hunt threats that match specific criteria across your environment. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
For services that do not have a native threat detection capability, consider collecting the data plane logs and analyze the threats through Microsoft Sentinel. Create custom analytics rules to detect threats: You can also use Microsoft Defender for Cloud to monitor certain services in AWS such as EC2 instances. Connect your AWS accounts to Microsoft Defender for Cloud: Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings
For Operational Technology (OT) environments that include computers that control or monitor Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) resources, use Microsoft Defender for IoT to inventory assets and detect threats and vulnerabilities. Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
Threat indicators for cyber threat intelligence in Microsoft Sentinel: How Defender for Cloud Apps helps protect your Amazon Web Services (AWS) environment
https://docs.microsoft.com/azure/architecture/example-scenario/data/sentinel-threat-intelligence https://docs.microsoft.com/en-us/defender-cloud-apps/protect-aws
Security recommendations for AWS resources - a reference guide:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-aws
LT-2 Logging and threat detection 4.9 - Log and Alert on Unsuccessful Administrative Account Login 8.11 - Conduct Audit Log Reviews AU-3: CONTENT OF AUDIT RECORDS 10.6 Enable threat detection for identity and access management Detect threats for identities and access management by monitoring the user and application sign-in and access anomalies. Behavioral patterns such as excessive number of failed login attempts, and deprecated accounts in the subscription, should be alerted. Azure AD provides the following logs that can be viewed in Azure AD reporting or integrated with Azure Monitor, Microsoft Sentinel or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases: Audit activity reports in Azure AD: AWS IAM provides the following reporting the logs and reports for console user activities through IAM Access Advisor and IAM credential report: IAM credential reports: nan Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
6.7 - Regularly Review Logs AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING 10.8 - Sign-ins: The sign-ins report provides information about the usage of managed applications and user sign-in activities. https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs - Every successful sign-in and unsuccessful login attempts. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
16.13 - Alert on Account Login Behavior Deviation AU-12: AUDIT GENERATION A3.5 - Audit logs: Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies. - Multi-factor authentication (MFA) status for each user. Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
SI-4: INFORMATION SYSTEM MONITORING - Risky sign-ins: A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account. Enable Azure Identity Protection: - Dormant IAM user GuardDuty data source:
- Users flagged for risk: A risky user is an indicator for a user account that might have been compromised. https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
For API level access monitoring and threat detection, use Amazon GuadDuty to identify the findings related to the IAM. Examples of these findings include:
Azure AD also provides an Identity Protection module to detect and remediate risks related to user accounts and sign-in behaviors. Examples of risks include leaked credentials, sign-in from anonymous or malware linked IP addresses, password spray. The policies in Azure AD Identity Protection allow you to enforce risk-based MFA authentication in conjunction with Azure Conditional Access on user accounts. Threat protection in Microsoft Defender for Cloud: - An API used to gain access to an AWS environment and was invoked in an anomalous way, or was used to evade defensive measures GuardDuty IAM finding types: Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
https://docs.microsoft.com/azure/security-center/threat-protection - An API used to: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html
In addition, Microsoft Defender for Cloud can be configured to alert on deprecated accounts in the subscription and suspicious activities such as an excessive number of failed authentication attempts. In addition to the basic security hygiene monitoring, Microsoft Defender for Cloud's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (such as virtual machines, containers, app service), data resources (such as SQL DB and storage), and Azure service layers. This capability allows you to see account anomalies inside the individual resources. a) discover resources was invoked in an anomalous way Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
Overview of Microsoft Defender for Identity: b) collect data from an AWS environment was invoked in an anomalous way.
Note: If you are connecting your on-premises Active Directory for synchronization, use the Microsoft Defender for Identity solution to consume your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. https://learn.microsoft.com/defender-for-identity/what-is b) tamper with data or processes in an AWS environment was invoked in an anomalous way.
c) gain unauthorized access to an AWS environment was invoked in an anomalous way.
d) maintain unauthorized access to an AWS environment was invoked in an anomalous way.
e) obtain high-level permissions to an AWS environment was invoked in an anomalous way.
f) be invoked from a known malicious IP address.
g) be invoked using root credentials.
- AWS CloudTrail logging was disabled.
- Account password policy was weakened.
- Multiple worldwide successful console logins were observed.
- Credentials that were created exclusively for an EC2 instance through an Instance launch role are being used from another account within AWS.
- Credentials that were created exclusively for an EC2 instance through an Instance launch role are being used from an external IP address.
- An API was invoked from a known malicious IP address.
- An API was invoked from an IP address on a custom threat list.
- An API was invoked from a Tor exit node IP address.
LT-3 Logging and threat detection 6.2 - Activate Audit Logging 8.2 - Collect Audit Logs AU-3: CONTENT OF AUDIT RECORDS 10.1 Enable logging for security investigation Enable logging for your cloud resources to meet the requirements for security incident investigations and security response and compliance purposes. Enable logging capability for resources at the different tiers, such as logs for Azure resources, operating systems and applications inside in your VMs and other log types. Understand logging and different log types in Azure: Use AWS CloudTrail logging for management events (control plane operations) and data events (data plane operations) and monitor these trails with CloudWatch for automated actions. Enabling logging from certain AWS services: nan Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
6.3 - Enable Detailed Logging 8.5 - Collect Detailed Audit Logs AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING 10.2 https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html
8.8 - Enable Command-Line Audit Logging 8.12 - Collect Service Provider Logs AU-12: AUDIT GENERATION 10.3 Be mindful about different types of logs for security, audit, and other operational logs at the management/control plane and data plane tiers. There are three types of the logs available at the Azure platform: The Amazon CloudWatch Logs service allows you to collect and store logs from your resources, applications, and services in near real time. There are three main categories of logs: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
SI-4: INFORMATION SYSTEM MONITORING - Azure resource log: Logging of operations that are performed within an Azure resource (the data plane). For example, getting a secret from a key vault or making a request to a database. The content of resource logs varies by the Azure service and resource type. Understand Microsoft Defender for Cloud data collection: - Vended logs: Logs natively published by AWS services on your behalf. Currently, Amazon VPC Flow Logs and Amazon Route 53 logs are the two supported types. These two logs are enabled by default. https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/monitoring-and-logging.html
- Azure activity log: Logging of operations on each Azure resource at the subscription layer, from the outside (the management plane). You can use the Activity Log to determine what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. There is a single Activity log for each Azure subscription. https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection - Logs published by AWS services: Logs from more than 30 AWS services publish to CloudWatch. They include Amazon API Gateway, AWS Lambda, AWS CloudTrail, and many others. These logs can be enabled directly in the services and CloudWatch. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Azure Active Directory logs: Logs of the history of sign-in activity and audit trail of changes made in the Azure Active Directory for a particular tenant. - Custom logs: Logs from your own application and on-premises resources. You may need to collect these logs by installing CloudWatch Agent in your operating systems and forward them to CloudWatch. https://aws.amazon.com/cloudwatch/features/
Enable and configure antimalware monitoring: Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
You can also use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collecting on Azure resources. https://docs.microsoft.com/azure/security/fundamentals/antimalware#enable-and-configure-antimalware-monitoring-using-powershell-cmdlets While many services publish logs only to CloudWatch Logs, some AWS services can publish logs directly to AmazonS3 or Amazon Kinesis Data Firehose where you can use different logging storage and retention policies.
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
Operating systems and application logs inside in your compute resources:
https://docs.microsoft.com/azure/azure-monitor/agents/data-sources#operating-system-guest
LT-4 Logging and threat detection 6.2 - Activate Audit Logging 8.2 - Collect Audit Logs AU-3: CONTENT OF AUDIT RECORDS 10.8 Enable network logging for security investigation Enable logging for your network services to support network-related incident investigations, threat hunting, and security alert generation. The network logs may include logs from network services such as IP filtering, network and application firewall, DNS, flow monitoring and so on. Enable and collect network security group (NSG) resource logs, NSG flow logs, Azure Firewall logs, and Web Application Firewall (WAF) logs, and logs from virtual machines via the network traffic data collection agent for security analysis to support incident investigations, and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide insights. How to enable network security group flow logs: Enable and collect network logs such as VPC Flow Logs, WAF Logs, and Route53 Resolver query logs for security analysis to support incident investigations, and security alert generation. The logs can be exported to CloudWatch for monitoring or an S3 storage bucket for ingesting into the Microsoft Sentinel solution for centralized analytics. https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html nan Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
6.3 - Enable Detailed Logging 8.5 - Collect Detailed Audit Logs AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-portal
7.6 - Log All URL Requests 8.6 - Collect DNS Query Audit Logs AU-12: AUDIT GENERATION Collect DNS query logs to assist in correlating other network data. Infrastructure and endpoint security
8.7 - Enable DNS Query Logging 8.7 - Collect URL Request Audit Logs SI-4: INFORMATION SYSTEM MONITORING Azure Firewall logs and metrics:
12.8 - Deploy NetFlow Collection on Networking Boundary Devices 13.6 - Collect Network Traffic Flow Logs https://docs.microsoft.com/azure/firewall/logs-and-metrics Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Azure networking monitoring solutions in Azure Monitor: Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics
Gather insights about your DNS infrastructure with the DNS Analytics solution:
https://docs.microsoft.com/azure/azure-monitor/insights/dns-analytics
LT-5 Logging and threat detection 6.5 - Central Log Management 8.9 - Centralize Audit Logs AU-3: CONTENT OF AUDIT RECORDS nan Centralize security log management and analysis Centralize logging storage and analysis to enable correlation across log data. For each log source, ensure that you have assigned a data owner, access guidance, storage location, what tools are used to process and access the data, and data retention requirements. Ensure that you are integrating Azure activity logs into a centralized Log Analytics workspace. Use Azure Monitor to query and perform analytics and create alert rules using the logs aggregated from Azure services, endpoint devices, network resources, and other security systems. How to collect platform logs and metrics with Azure Monitor: Ensure that you are integrating your AWS logs into a centralized resource for storage and analysis. Use CloudWatch to query and perform analytics, and to create alert rules using the logs aggregated from AWS services, services, endpoint devices, network resources, and other security systems. Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data: nan Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
6.6 - Deploy SIEM or Log Analytic tool 8.11 - Conduct Audit Log Reviews AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings https://docs.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3
6.7 - Regularly Review Logs 13.1 - Centralize Security Event Alerting AU-12: AUDIT GENERATION Use Cloud native SIEM if you don't have an existing SIEM solution for CSPs. or aggregate logs/alerts into your existing SIEM. In addition, enable and onboard data to Microsoft Sentinel which provides security information event management (SIEM) and security orchestration automated response (SOAR) capabilities. In addition, you can aggregate the logs in a S3 storage bucket and onboard the log data to Microsoft Sentinel which provides security information event management (SIEM) and security orchestration automated response (SOAR) capabilities. Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
8.6 - Centralize Anti-Malware Logging SI-4: INFORMATION SYSTEM MONITORING How to onboard Azure Sentinel:
https://docs.microsoft.com/azure/sentinel/quickstart-onboard Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
LT-6 Logging and threat detection 6.4 - Ensure Adequate Storage for Logs 8.3 - Ensure Adequate Audit Log Storage AU-11: AUDIT RECORD RETENTION 10.5 Configure log storage retention Plan your log retention strategy according to your compliance, regulation, and business requirements. Configure the log retention policy at the individual logging services to ensure the logs are archived appropriately. Logs such as Azure Activity Logs are retained for 90 days and then deleted. You should create a diagnostic setting and route the logs to another location (such as Azure Monitor Log Analytics workspace, Event Hubs or Azure Storage) based on your needs. This strategy also applies to other resource logs and resources managed by yourself such as logs in the operating systems and applications inside VMs. Change the data retention period in Log Analytics: By default, logs are kept indefinitely and never expire in CloudWatch. You can adjust the retention policy for each log group, keeping the indefinite retention, or choosing a retention period between 10 years and one day. Altering CloudWatch log retention: nan Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
8.10 - Retain Audit Logs 10.7 https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html
You have the log retention option as below: Use Amazon S3 for log archival from CloudWatch and apply object lifecycle management and archival policy to the bucket. You can use Azure Storage for central log archival by transferring the files from Amazon S3 to Azure Storage. Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
- Use Azure Monitor Log Analytics workspace for a log retention period of up to 1 year or per your response team requirements. How to configure retention policy for Azure Storage account logs: Copy data from Amazon S3 to Azure Storage by using AzCopy:
- Use Azure Storage, Data Explorer or Data Lake for long-term and archival storage for greater than 1 year and to meet your security compliance requirements. https://docs.microsoft.com/azure/storage/common/storage-monitor-storage-account#configure-logging https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-s3 Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
- Use Azure Event Hubs to forward logs to an external resource outside of Azure.
Microsoft Defender for Cloud alerts and recommendations export: https://docs.microsoft.com/azure/security-center/continuous-export Security compliance management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Note: Microsoft Sentinel uses Log Analytics workspace as its backend for log storage. You should consider a long-term storage strategy if you plan to retain SIEM logs for longer time.
LT-7 Logging and threat detection 6.1 - Utilize Three Synchronized Time Sources 8.4 - Standardize Time Synchronization AU-8: TIME STAMPS 10.4 Use approved time synchronization sources Use approved time synchronization sources for your logging time stamp which include date, time and time zone information. Microsoft maintains time sources for most Azure PaaS and SaaS services. For your compute resources operating systems, use a Microsoft default NTP server for time synchronization unless you have a specific requirement. If you need to stand up your own network time protocol (NTP) server, ensure you secure the UDP service port 123. How to configure time synchronization for Azure Windows compute resources: AWS maintains time sources for most AWS services. For resources or services where the operating system time setting is configured, use AWS default Amazon Time Sync Service for time synchronization unless you have a specific requirement. If you need to stand up your own network time protocol (NTP) server, ensure you secure the UDP service port 123. Set the time for a Linux instance: nan Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards
https://docs.microsoft.com/azure/virtual-machines/windows/time-sync https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html
All logs generated by resources within Azure provide time stamps with the time zone specified by default. All logs generated by resources within AWS provide time stamps with the time zone specified by default. Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
How to configure time synchronization for Azure Linux compute resources: Set the time for a Windows instance:
https://docs.microsoft.com/azure/virtual-machines/linux/time-sync https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/windows-set-time.html Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
How to disable inbound UDP for Azure services:
https://support.microsoft.com/help/4558520/how-to-disable-inbound-udp-for-azure-services
\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Logging and Threat Detection

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 AWS Config Rule (WIP) Customer Security Stakeholders:
LT-1 Logging and threat detection 6.7 - Regularly Review Logs 8.11 - Conduct Audit Log Reviews AU-3: CONTENT OF AUDIT RECORDS Enable threat detection capabilities To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies. Configure your alert filtering and analytics rules to extract high-quality alerts from log data, agents, or other data sources to reduce false positives. Use the threat detection capability of Microsoft Defender for Cloud for the respective Azure services. Introduction to Microsoft Defender for Cloud: Use Amazon GuardDuty for threat detection which analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, and DNS logs. GuardDuty is capable of reporting on security issues such as privilege escalation, exposed credential usage , or communication with malicious IP addresses, or domains. Amazon GuardDuty: nan Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
LT-1 (continued)

NIST SP800-53 r4 ID(s) (continued): AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING

Azure Guidance (continued): For threat detection not included in Microsoft Defender services, refer to the Microsoft Cloud Security Benchmark service baselines for the respective services to enable the threat detection or security alert capabilities within the service. Ingest alerts and log data from Microsoft Defender for Cloud and Microsoft 365 Defender, and log data from other resources, into your Azure Monitor or Microsoft Sentinel instances to build analytics rules that hunt for threats and create alerts when activity matches specific criteria across your environment.

For Operational Technology (OT) environments that include computers that control or monitor Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) resources, use Microsoft Defender for IoT to inventory assets and detect threats and vulnerabilities.

For services that do not have a native threat detection capability, consider collecting the data plane logs and analyzing them for threats through Microsoft Sentinel.

Implementation and additional context (Azure):
Microsoft Defender for Cloud security alerts reference guide: https://docs.microsoft.com/azure/security-center/alerts-reference
Create custom analytics rules to detect threats: https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom
Threat indicators for cyber threat intelligence in Microsoft Sentinel: https://docs.microsoft.com/azure/architecture/example-scenario/data/sentinel-threat-intelligence

AWS Guidance (continued): Configure AWS Config to check rules in Security Hub for compliance monitoring such as configuration drift, and create findings when needed.

For threat detection not included in GuardDuty and Security Hub, enable threat detection or security alert capabilities within the supported AWS services. Route the alerts to CloudWatch or Microsoft Sentinel to build analytics rules that hunt for threats matching specific criteria across your environment.

You can also use Microsoft Defender for Cloud to monitor certain services in AWS, such as EC2 instances.

Implementation and additional context (AWS):
Amazon GuardDuty data sources: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html
Connect your AWS accounts to Microsoft Defender for Cloud: https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings
How Defender for Cloud Apps helps protect your Amazon Web Services (AWS) environment: https://docs.microsoft.com/en-us/defender-cloud-apps/protect-aws
Security recommendations for AWS resources - a reference guide: https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-aws

Customer Security Stakeholders:
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
LT-2 Logging and threat detection: Enable threat detection for identity and access management

CIS Controls v7.1 ID(s): 4.9 - Log and Alert on Unsuccessful Administrative Account Login; 6.7 - Regularly Review Logs; 16.13 - Alert on Account Login Behavior Deviation
CIS Controls v8 ID(s): 8.11 - Conduct Audit Log Reviews
NIST SP800-53 r4 ID(s): AU-3: CONTENT OF AUDIT RECORDS; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS v3.2.1 ID(s): 10.6; 10.8; A3.5

Security Principle: Detect threats to identities and access management by monitoring user and application sign-in and access anomalies. Behavioral patterns such as an excessive number of failed login attempts, or deprecated accounts in the subscription, should raise alerts.

Azure Guidance: Azure AD provides the following logs, which can be viewed in Azure AD reporting or integrated with Azure Monitor, Microsoft Sentinel or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:
- Sign-ins: The sign-ins report provides information about the usage of managed applications and user sign-in activities, including every successful sign-in and every unsuccessful login attempt.
- Audit logs: Provide traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles and policies.
- Risky sign-ins: A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
- Users flagged for risk: A risky user is an indicator for a user account that might have been compromised.

Azure AD also provides an Identity Protection module to detect and remediate risks related to user accounts and sign-in behaviors. Examples of risks include leaked credentials, sign-in from anonymous or malware-linked IP addresses, and password spray. The policies in Azure AD Identity Protection allow you to enforce risk-based MFA authentication in conjunction with Azure Conditional Access on user accounts.

In addition, Microsoft Defender for Cloud can be configured to alert on deprecated accounts in the subscription and on suspicious activities such as an excessive number of failed authentication attempts. Beyond basic security hygiene monitoring, Microsoft Defender for Cloud's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (such as virtual machines, containers, app service), data resources (such as SQL DB and storage), and Azure service layers. This capability allows you to see account anomalies inside the individual resources.

Note: If you are connecting your on-premises Active Directory for synchronization, use the Microsoft Defender for Identity solution to consume your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Implementation and additional context (Azure):
Audit activity reports in Azure AD: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs
Enable Azure Identity Protection: https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection
Threat protection in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/threat-protection
Overview of Microsoft Defender for Identity: https://learn.microsoft.com/defender-for-identity/what-is

AWS Guidance: AWS IAM provides the following logs and reports for console user activities through IAM Access Advisor and the IAM credential report:
- Every successful sign-in and unsuccessful login attempt.
- Multi-factor authentication (MFA) status for each user.
- Dormant IAM users.

For API-level access monitoring and threat detection, use Amazon GuardDuty to identify findings related to IAM. Examples of these findings include:
- An API used to gain access to an AWS environment was invoked in an anomalous way, or was used to evade defensive measures.
- An API used to:
  a) discover resources was invoked in an anomalous way;
  b) collect data from an AWS environment was invoked in an anomalous way;
  c) tamper with data or processes in an AWS environment was invoked in an anomalous way;
  d) gain unauthorized access to an AWS environment was invoked in an anomalous way;
  e) maintain unauthorized access to an AWS environment was invoked in an anomalous way;
  f) obtain high-level permissions to an AWS environment was invoked in an anomalous way;
  g) any of the above was invoked from a known malicious IP address;
  h) any of the above was invoked using root credentials.
- AWS CloudTrail logging was disabled.
- Account password policy was weakened.
- Multiple worldwide successful console logins were observed.
- Credentials that were created exclusively for an EC2 instance through an instance launch role are being used from another account within AWS.
- Credentials that were created exclusively for an EC2 instance through an instance launch role are being used from an external IP address.
- An API was invoked from a known malicious IP address.
- An API was invoked from an IP address on a custom threat list.
- An API was invoked from a Tor exit node IP address.

Implementation and additional context (AWS):
IAM credential reports: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
GuardDuty data sources: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html
GuardDuty IAM finding types: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html

Customer Security Stakeholders:
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
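The LT-2 principle names the patterns to alert on (excessive failed sign-ins, account use from several countries, root credential use) but not how such rules are evaluated. The following is an added Python example, not MCSB, Azure AD or GuardDuty code: it runs three threshold detections over a handful of constructed sign-in events. The event shape, user names, countries, timestamps and thresholds are all assumptions chosen for illustration; in production the same logic would run as a Sentinel analytics rule over SigninLogs or as a GuardDuty finding over CloudTrail ConsoleLogin events.

```python
"""Threshold detections over constructed sign-in events (added example for LT-2)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Each record carries only the
# fields the detections need: when, who, outcome, source country, and whether
# the AWS account root identity was used. Shape and values are assumptions.
EVENTS = [
    {"time": "2024-01-10T08:00:00", "user": "alice", "result": "failure", "country": "DE", "root": False},
    {"time": "2024-01-10T08:00:20", "user": "alice", "result": "failure", "country": "DE", "root": False},
    {"time": "2024-01-10T08:00:45", "user": "alice", "result": "failure", "country": "DE", "root": False},
    {"time": "2024-01-10T08:01:10", "user": "alice", "result": "failure", "country": "DE", "root": False},
    {"time": "2024-01-10T08:01:40", "user": "alice", "result": "failure", "country": "DE", "root": False},
    {"time": "2024-01-10T08:02:05", "user": "alice", "result": "success", "country": "DE", "root": False},
    {"time": "2024-01-10T08:05:00", "user": "bob",   "result": "failure", "country": "US", "root": False},
    {"time": "2024-01-10T09:30:00", "user": "bob",   "result": "failure", "country": "US", "root": False},
    {"time": "2024-01-10T10:00:00", "user": "carol", "result": "success", "country": "DE", "root": False},
    {"time": "2024-01-10T10:20:00", "user": "carol", "result": "success", "country": "BR", "root": False},
    {"time": "2024-01-10T11:00:00", "user": "root",  "result": "success", "country": "US", "root": True},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def excessive_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed sign-ins inside any sliding `window`.

    Returns {user: peak failure count in a window}. Sorting per user and sliding
    the window start forward keeps this O(n log n) for large batches.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            per_user[e["user"]].append(_ts(e))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop failures older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(count, flagged.get(user, 0))
    return flagged


def multi_country_logins(events, window=timedelta(hours=1)):
    """Users who signed in successfully from more than one country within `window`.

    This is the shape of the 'multiple worldwide successful console logins'
    finding listed above: a stolen credential used alongside the real user.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            per_user[e["user"]].append((_ts(e), e["country"]))
    flagged = {}
    for user, logins in per_user.items():
        logins.sort()
        for i, (t_i, c_i) in enumerate(logins):
            countries = {c_i}
            for t_j, c_j in logins[i + 1:]:
                if t_j - t_i > window:
                    break
                countries.add(c_j)
            if len(countries) > 1:
                flagged[user] = sorted(countries)
    return flagged


def root_sign_ins(events):
    """Every successful use of the account root identity. Root should never be
    used interactively, so a single hit is alert-worthy without any threshold."""
    return [e["time"] for e in events if e["root"] and e["result"] == "success"]


if __name__ == "__main__":
    print("excessive failures:", excessive_failures(EVENTS))
    print("multi-country logins:", multi_country_logins(EVENTS))
    print("root sign-ins:", root_sign_ins(EVENTS))
```

The window and threshold are the tuning knobs: bob's two failures 85 minutes apart are ignored at the default 10-minute window but would be caught if the window were widened, which is the trade-off between catching slow password spraying and alert noise.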
LT-3 Logging and threat detection: Enable logging for security investigation

CIS Controls v7.1 ID(s): 6.2 - Activate Audit Logging; 6.3 - Enable Detailed Logging; 8.8 - Enable Command-Line Audit Logging
CIS Controls v8 ID(s): 8.2 - Collect Audit Logs; 8.5 - Collect Detailed Audit Logs; 8.12 - Collect Service Provider Logs
NIST SP800-53 r4 ID(s): AU-3: CONTENT OF AUDIT RECORDS; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS v3.2.1 ID(s): 10.1; 10.2; 10.3

Security Principle: Enable logging for your cloud resources to meet the requirements of security incident investigations, security response and compliance.

Azure Guidance: Enable logging for resources at the different tiers, such as logs for Azure resources, operating systems and applications inside your VMs, and other log types.

Be mindful of the different types of logs for security, audit, and other operational purposes at the management/control plane and data plane tiers. There are three types of logs available on the Azure platform:
- Azure resource log: Logging of operations that are performed within an Azure resource (the data plane). For example, getting a secret from a key vault or making a request to a database. The content of resource logs varies by the Azure service and resource type.
- Azure activity log: Logging of operations on each Azure resource at the subscription layer, from the outside (the management plane). You can use the Activity Log to determine what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. There is a single Activity log for each Azure subscription.
- Azure Active Directory logs: Logs of the history of sign-in activity and the audit trail of changes made in Azure Active Directory for a particular tenant.

You can also use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collection on Azure resources.

Implementation and additional context (Azure):
Understand logging and different log types in Azure: https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview
Understand Microsoft Defender for Cloud data collection: https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection
Enable and configure antimalware monitoring: https://docs.microsoft.com/azure/security/fundamentals/antimalware#enable-and-configure-antimalware-monitoring-using-powershell-cmdlets
Operating system and application logs inside your compute resources: https://docs.microsoft.com/azure/azure-monitor/agents/data-sources#operating-system-guest

AWS Guidance: Use AWS CloudTrail logging for management events (control plane operations) and data events (data plane operations), and monitor these trails with CloudWatch for automated actions.

The Amazon CloudWatch Logs service allows you to collect and store logs from your resources, applications, and services in near real time. There are three main categories of logs:
- Vended logs: Logs natively published by AWS services on your behalf. Currently, Amazon VPC Flow Logs and Amazon Route 53 logs are the two supported types. Both are enabled from the publishing service rather than from CloudWatch Logs.
- Logs published by AWS services: Logs from more than 30 AWS services publish to CloudWatch. They include Amazon API Gateway, AWS Lambda, AWS CloudTrail, and many others. These logs can be enabled directly in the services and in CloudWatch.
- Custom logs: Logs from your own applications and on-premises resources. You may need to collect these logs by installing the CloudWatch Agent in your operating systems and forwarding them to CloudWatch.

While many services publish logs only to CloudWatch Logs, some AWS services can publish logs directly to Amazon S3 or Amazon Kinesis Data Firehose, where you can apply different log storage and retention policies.

Implementation and additional context (AWS):
Enabling logging from certain AWS services: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html
https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/monitoring-and-logging.html
https://aws.amazon.com/cloudwatch/features/

Customer Security Stakeholders:
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
LT-4 Logging and threat detection: Enable network logging for security investigation

CIS Controls v7.1 ID(s): 6.2 - Activate Audit Logging; 6.3 - Enable Detailed Logging; 7.6 - Log All URL Requests; 8.7 - Enable DNS Query Logging; 12.8 - Deploy NetFlow Collection on Networking Boundary Devices
CIS Controls v8 ID(s): 8.2 - Collect Audit Logs; 8.5 - Collect Detailed Audit Logs; 8.6 - Collect DNS Query Audit Logs; 8.7 - Collect URL Request Audit Logs; 13.6 - Collect Network Traffic Flow Logs
NIST SP800-53 r4 ID(s): AU-3: CONTENT OF AUDIT RECORDS; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS v3.2.1 ID(s): 10.8

Security Principle: Enable logging for your network services to support network-related incident investigations, threat hunting, and security alert generation. Network logs may include logs from network services such as IP filtering, network and application firewalls, DNS, flow monitoring and so on.

Azure Guidance: Enable and collect network security group (NSG) resource logs, NSG flow logs, Azure Firewall logs, Web Application Firewall (WAF) logs, and logs from virtual machines via the network traffic data collection agent for security analysis, to support incident investigations and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide insights.

Collect DNS query logs to assist in correlating other network data.

Implementation and additional context (Azure):
How to enable network security group flow logs: https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-portal
Azure Firewall logs and metrics: https://docs.microsoft.com/azure/firewall/logs-and-metrics
Azure networking monitoring solutions in Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics
Gather insights about your DNS infrastructure with the DNS Analytics solution: https://docs.microsoft.com/azure/azure-monitor/insights/dns-analytics

AWS Guidance: Enable and collect network logs such as VPC Flow Logs, WAF logs, and Route 53 Resolver query logs for security analysis, to support incident investigations and security alert generation. The logs can be exported to CloudWatch for monitoring, or to an S3 bucket for ingestion into Microsoft Sentinel for centralized analytics.

Implementation and additional context (AWS):
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html

Customer Security Stakeholders:
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
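LT-4 says to collect flow logs "to support incident investigations and security alert generation" without showing what an alert over them looks like. The following is an added Python example, not MCSB or AWS code: it parses records in the documented default (version 2) VPC Flow Log layout and runs two checks, one for accepted management-port connections from outside the VPC and one for external sources rejected on several ports (a port sweep). The sample records, the assumption that the VPC address space is RFC 1918, and the port list are all constructed for illustration; NODATA records, whose address and port fields are "-", are skipped so they do not poison the analysis.

```python
"""Detections over constructed VPC Flow Log records (added example for LT-4)."""
import ipaddress
from collections import defaultdict

# Documented default (version 2) field order of a VPC Flow Log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Assumption: the VPC (and anything peered to it) lives in RFC 1918 space, so
# any other source address is treated as the public internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT_PORTS = {22: "SSH", 3389: "RDP", 445: "SMB"}

# Constructed sample records (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for internet hosts.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51234 22 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.7 10.0.1.5 40000 22 6 10 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.5 44000 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.5 44001 445 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.5 44002 23 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 51300 443 6 5 600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records into dicts, skipping NODATA/SKIPDATA lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count: {line!r}")
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":      # no flow data in this record
            continue
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def accepted_mgmt_from_internet(records):
    """Accepted TCP flows to management ports from outside the VPC. Each hit
    points at a security group or NACL rule that should not exist."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"], MGMT_PORTS[r["dstport"]])
            for r in records
            if r["action"] == "ACCEPT" and r["protocol"] == 6
            and r["dstport"] in MGMT_PORTS and is_external(r["srcaddr"])]


def reject_scanners(records, min_ports=3):
    """External sources rejected on at least `min_ports` distinct destination
    ports: a port-sweep signature worth a hunting pivot even though each
    individual REJECT is benign."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and is_external(r["srcaddr"]):
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("management ports open to the internet:", accepted_mgmt_from_internet(recs))
    print("likely scanners:", reject_scanners(recs))
```

The same two questions apply to Azure NSG flow logs and to Azure Firewall logs; only the parser changes, since those formats are JSON rather than space-separated fields.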
LT-5 Logging and threat detection: Centralize security log management and analysis

CIS Controls v7.1 ID(s): 6.5 - Central Log Management; 6.6 - Deploy SIEM or Log Analytic tool; 6.7 - Regularly Review Logs; 8.6 - Centralize Anti-Malware Logging
CIS Controls v8 ID(s): 8.9 - Centralize Audit Logs; 8.11 - Conduct Audit Log Reviews; 13.1 - Centralize Security Event Alerting
NIST SP800-53 r4 ID(s): AU-3: CONTENT OF AUDIT RECORDS; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS v3.2.1 ID(s): none listed

Security Principle: Centralize logging storage and analysis to enable correlation across log data. For each log source, ensure that you have assigned a data owner, access guidance, storage location, the tools used to process and access the data, and data retention requirements.

Use a cloud-native SIEM if you do not have an existing SIEM solution for your CSPs, or aggregate logs/alerts into your existing SIEM.

Azure Guidance: Ensure that you are integrating Azure activity logs into a centralized Log Analytics workspace. Use Azure Monitor to query and perform analytics and to create alert rules using the logs aggregated from Azure services, endpoint devices, network resources, and other security systems.

In addition, enable and onboard data to Microsoft Sentinel, which provides security information and event management (SIEM) and security orchestration, automation and response (SOAR) capabilities.

Implementation and additional context (Azure):
How to collect platform logs and metrics with Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings
How to onboard Azure Sentinel: https://docs.microsoft.com/azure/sentinel/quickstart-onboard

AWS Guidance: Ensure that you are integrating your AWS logs into a centralized resource for storage and analysis. Use CloudWatch to query and perform analytics, and to create alert rules using the logs aggregated from AWS services, endpoint devices, network resources, and other security systems.

In addition, you can aggregate the logs in an S3 bucket and onboard the log data to Microsoft Sentinel, which provides SIEM and SOAR capabilities.

Implementation and additional context (AWS):
Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data: https://docs.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3

Customer Security Stakeholders:
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
LT-6 Logging and threat detection: Configure log storage retention

CIS Controls v7.1 ID(s): 6.4 - Ensure Adequate Storage for Logs
CIS Controls v8 ID(s): 8.3 - Ensure Adequate Audit Log Storage; 8.10 - Retain Audit Logs
NIST SP800-53 r4 ID(s): AU-11: AUDIT RECORD RETENTION
PCI-DSS v3.2.1 ID(s): 10.5; 10.7

Security Principle: Plan your log retention strategy according to your compliance, regulatory, and business requirements. Configure the log retention policy at the individual logging services to ensure the logs are archived appropriately.

Azure Guidance: Logs such as Azure Activity Logs are retained for 90 days and then deleted. You should create a diagnostic setting and route the logs to another location (such as an Azure Monitor Log Analytics workspace, Event Hubs or Azure Storage) based on your needs. This strategy also applies to other resource logs and to resources managed by yourself, such as logs in the operating systems and applications inside VMs.

Log retention options:
- Use an Azure Monitor Log Analytics workspace for a log retention period of up to 1 year, or per your response team's requirements.
- Use Azure Storage, Data Explorer or Data Lake for long-term and archival storage of greater than 1 year and to meet your security compliance requirements.
- Use Azure Event Hubs to forward logs to an external resource outside of Azure.

Note: Microsoft Sentinel uses a Log Analytics workspace as its backend for log storage. You should consider a long-term storage strategy if you plan to retain SIEM logs for a longer time.

Implementation and additional context (Azure):
Change the data retention period in Log Analytics: https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period
How to configure retention policy for Azure Storage account logs: https://docs.microsoft.com/azure/storage/common/storage-monitor-storage-account#configure-logging
Microsoft Defender for Cloud alerts and recommendations export: https://docs.microsoft.com/azure/security-center/continuous-export

AWS Guidance: By default, logs in CloudWatch are kept indefinitely and never expire. You can adjust the retention policy for each log group, keeping the indefinite retention or choosing a retention period between one day and 10 years.

Use Amazon S3 for log archival from CloudWatch and apply object lifecycle management and archival policies to the bucket. You can use Azure Storage for central log archival by transferring the files from Amazon S3 to Azure Storage.

Implementation and additional context (AWS):
Altering CloudWatch log retention: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html
Copy data from Amazon S3 to Azure Storage by using AzCopy: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-s3

Customer Security Stakeholders:
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
Security compliance management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
LT-7 Logging and threat detection: Use approved time synchronization sources

CIS Controls v7.1 ID(s): 6.1 - Utilize Three Synchronized Time Sources
CIS Controls v8 ID(s): 8.4 - Standardize Time Synchronization
NIST SP800-53 r4 ID(s): AU-8: TIME STAMPS
PCI-DSS v3.2.1 ID(s): 10.4

Security Principle: Use approved time synchronization sources for your logging time stamps, which include date, time and time zone information.

Azure Guidance: Microsoft maintains time sources for most Azure PaaS and SaaS services. For your compute resources' operating systems, use a Microsoft default NTP server for time synchronization unless you have a specific requirement. If you need to stand up your own Network Time Protocol (NTP) server, ensure you secure the UDP service port 123.

All logs generated by resources within Azure provide time stamps with the time zone specified by default.

Implementation and additional context (Azure):
How to configure time synchronization for Azure Windows compute resources: https://docs.microsoft.com/azure/virtual-machines/windows/time-sync
How to configure time synchronization for Azure Linux compute resources: https://docs.microsoft.com/azure/virtual-machines/linux/time-sync
How to disable inbound UDP for Azure services: https://support.microsoft.com/help/4558520/how-to-disable-inbound-udp-for-azure-services

AWS Guidance: AWS maintains time sources for most AWS services. For resources or services where the operating system time setting is configured, use the default Amazon Time Sync Service for time synchronization unless you have a specific requirement. If you need to stand up your own Network Time Protocol (NTP) server, ensure you secure the UDP service port 123.

All logs generated by resources within AWS provide time stamps with the time zone specified by default.

Implementation and additional context (AWS):
Set the time for a Linux instance: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html
Set the time for a Windows instance: https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/windows-set-time.html

Customer Security Stakeholders:
Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
\ No newline at end of file diff --git a/Azure/Security/MCSB/Network Security/index.html b/Azure/Security/MCSB/Network Security/index.html index a0bbf53..91e3608 100644 --- a/Azure/Security/MCSB/Network Security/index.html +++ b/Azure/Security/MCSB/Network Security/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

MCSB_v1 - Network Security

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context: Customer Security Stakeholders:
NS-1 Network Security: Establish network segmentation boundaries

CIS Controls v7.1 ID(s): 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running; 9.4 - Apply Host-Based Firewalls or Port Filtering; 12.3 - Deny Communications with Known Malicious IP Addresses; 12.4 - Deny Communication over Unauthorized Ports; 14.1 - Segment the Network Based on Sensitivity; 14.2 - Enable Firewall Filtering Between VLANs
CIS Controls v8 ID(s): 3.12 - Segment Data Processing and Storage Based on Sensitivity; 4.4 - Implement and Manage a Firewall on Servers; 13.4 - Perform Traffic Filtering Between Network Segments
NIST SP800-53 r4 ID(s): AC-4: INFORMATION FLOW ENFORCEMENT; SC-2: APPLICATION PARTITIONING; SC-7: BOUNDARY PROTECTION
PCI-DSS v3.2.1 ID(s): 1.1; 1.2; 1.3

Security Principle: Ensure that your virtual network deployment aligns to the enterprise segmentation strategy defined in the GS-2 security control. Any workload that could incur higher risk for the organization should be in isolated virtual networks.

Examples of high-risk workloads include:
- An application storing or processing highly sensitive data.
- An external network-facing application accessible by the public or by users outside of your organization.
- An application using an insecure architecture or containing vulnerabilities that cannot be easily remediated.

To enhance your enterprise segmentation strategy, restrict or monitor traffic between internal resources using network controls. For specific, well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach, restricting the ports, protocols, source, and destination IPs of the network traffic. If you have many applications and endpoints interacting with each other, blocking traffic may not scale well, and you may only be able to monitor traffic.

Azure Guidance: Create a virtual network (VNet) as the fundamental segmentation approach in your Azure network, so resources such as VMs can be deployed into the VNet within a network boundary. To further segment the network, you can create subnets inside the VNet for smaller sub-networks.

Use network security groups (NSG) as a network-layer control to restrict or monitor traffic by port, protocol, source IP address, or destination IP address. Refer to NS-7 Simplify network security configuration to use Adaptive Network Hardening, which recommends NSG hardening rules based on threat intelligence and traffic analysis results.

You can also use application security groups (ASGs) to simplify complex configuration. Instead of defining policy based on explicit IP addresses in network security groups, ASGs enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.

Implementation and additional context (Azure):
Azure Virtual Network concepts and best practices: https://docs.microsoft.com/azure/virtual-network/concepts-and-best-practices
Add, change, or delete a virtual network subnet: https://docs.microsoft.com/azure/virtual-network/virtual-network-manage-subnet
How to create a network security group with security rules: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic
Understand and use application security groups: https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview#application-security-groups

AWS Guidance: Create a Virtual Private Cloud (VPC) as the fundamental segmentation approach in your AWS network, so resources such as EC2 instances can be deployed into the VPC within a network boundary. To further segment the network, you can create subnets inside the VPC for smaller sub-networks.

For EC2 instances, use Security Groups as a stateful firewall to restrict traffic by port, protocol, source IP address, or destination IP address. At the VPC subnet level, use Network Access Control Lists (NACL) as a stateless firewall with explicit rules for ingress and egress traffic to the subnet.

Note: To control VPC traffic, Internet and NAT Gateways should be configured to ensure that traffic from/to the internet is restricted.

Implementation and additional context (AWS):
Control traffic to EC2 instances with security groups: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
Compare security groups and network ACLs: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison
Internet Gateway: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
NAT Gateway: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html

Customer Security Stakeholders:
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
NS-2 Network Security: Secure cloud native services with network controls

CIS Controls v7.1 ID(s): 14.1 - Segment the Network Based on Sensitivity
CIS Controls v8 ID(s): 3.12 - Segment Data Processing and Storage Based on Sensitivity; 4.4 - Implement and Manage a Firewall on Servers
NIST SP800-53 r4 ID(s): AC-4: INFORMATION FLOW ENFORCEMENT; SC-2: APPLICATION PARTITIONING; SC-7: BOUNDARY PROTECTION
PCI-DSS v3.2.1 ID(s): 1.1; 1.2; 1.3

Security Principle: Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from the public network when possible.

Azure Guidance: Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources. Using Private Link keeps the private connection from routing through the public network.

Note: Certain Azure services may also allow private communication through the service endpoint feature, though it is recommended to use Azure Private Link for secure and private access to services hosted on the Azure platform.

For certain services, you can choose to deploy VNet integration for the service, where you can restrict/isolate the VNet to establish a private access point for the service.

You also have the option to configure the service's native network ACL rules, or simply to disable public network access, to block access from the public network.

For Azure VMs, unless there is a strong use case, you should avoid assigning public IPs/subnets directly to the VM interface and instead use gateway or load balancer services as the front end for access from the public network.

Implementation and additional context (Azure):
Understand Azure Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview
Integrate Azure services with virtual networks for network isolation: https://learn.microsoft.com/en-us/azure/virtual-network/vnet-integration-for-azure-services

AWS Guidance: Deploy VPC PrivateLink for all AWS resources that support the PrivateLink feature, to allow private connection to the supported AWS services or to services hosted by other AWS accounts (VPC endpoint services). Using PrivateLink keeps the private connection from routing through the public network.

For certain services, you can choose to deploy the service instance into your own VPC to isolate the traffic.

You also have the option to configure the service's native ACL rules to block access from the public network. For example, Amazon S3 allows you to block public access at the bucket or account level.

When assigning IPs to your service resources in your VPC, unless there is a strong use case, you should avoid assigning public IPs/subnets directly to your resources and instead use private IPs/subnets.

Implementation and additional context (AWS):
AWS PrivateLink: https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-service.html
Blocking public access to your Amazon S3 storage: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

Customer Security Stakeholders:
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
NS-3 Network Security: Deploy firewall at the edge of enterprise network

CIS Controls v7.1 ID(s): 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running; 9.4 - Apply Host-Based Firewalls or Port Filtering; 12.3 - Deny Communications with Known Malicious IP Addresses; 12.4 - Deny Communication over Unauthorized Ports; 14.1 - Segment the Network Based on Sensitivity; 14.2 - Enable Firewall Filtering Between VLANs
CIS Controls v8 ID(s): 4.4 - Implement and Manage a Firewall on Servers; 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software; 13.10 - Perform Application Layer Filtering
NIST SP800-53 r4 ID(s): AC-4: INFORMATION FLOW ENFORCEMENT; SC-7: BOUNDARY PROTECTION; CM-7: LEAST FUNCTIONALITY
PCI-DSS v3.2.1 ID(s): 1.1; 1.2; 1.3

Security Principle: Deploy a firewall to perform advanced filtering on network traffic to and from external networks. You can also use firewalls between internal segments to support a segmentation strategy. If required, use custom routes for your subnet to override the system route when you need to force the network traffic through a network appliance for security control purposes.

At a minimum, block known bad IP addresses and high-risk protocols, such as remote management (for example, RDP and SSH) and intranet protocols (for example, SMB and Kerberos).

Azure Guidance: Use Azure Firewall to provide fully stateful application-layer traffic restriction (such as URL filtering) and/or central management over a large number of enterprise segments or spokes (in a hub/spoke topology).

If you have a complex network topology, such as a hub/spoke setup, you may need to create user-defined routes (UDR) to ensure the traffic goes through the desired route. For example, you have the option to use a UDR to redirect egress internet traffic through a specific Azure Firewall or a network virtual appliance.

Implementation and additional context (Azure):
How to deploy Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal
Virtual network traffic routing: https://docs.microsoft.com/azure/virtual-network/virtual-networks-udr-overview

AWS Guidance: Use AWS Network Firewall to provide fully stateful application-layer traffic restriction (such as URL filtering) and/or central management over a large number of enterprise segments or spokes (in a hub/spoke topology).

If you have a complex network topology, such as a hub/spoke setup, you may need to create custom VPC route tables to ensure the traffic goes through the desired route. For example, you have the option to use a custom route to redirect egress internet traffic through a specific AWS Network Firewall or a network virtual appliance.

Implementation and additional context (AWS):
AWS Network Firewall: https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html
AWS VPC configure custom route tables: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html

Customer Security Stakeholders:
Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
NS-4 Network Security 12.6 - Deploy Network-Based IDS Sensors 13.2 Deploy a Host-Based Intrusion Detection Solution SC-7: BOUNDARY PROTECTION 11.4 Deploy intrusion detection/intrusion prevention systems (IDS/IPS) Use network intrusion detection and intrusion prevention systems (IDS/IPS) to inspect the network and payload traffic to or from your workload. Ensure that IDS/IPS is always tuned to provide high-quality alerts to your SIEM solution. Use Azure Firewall’s IDPS capability to protect your virtual network to alert on and/or block traffic to and from known malicious IP addresses and domains. Azure Firewall IDPS: Use AWS Network Firewall’s IPS capability to protect your VPC to alert on and/or block traffic to and from known malicious IP addresses and domains. IPS stateful rule groups in AWS Network Firewall: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
12.7 - Deploy Network-Based Intrusion Prevention Systems 13.3 - Deploy a Network Intrusion Detection Solution SI-4: INFORMATION SYSTEM MONITORING https://docs.microsoft.com/azure/firewall/premium-features#idps https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-ips.html
13.7 Deploy a Host-Based Intrusion Prevention Solution For more in-depth host level detection and prevention capability, use host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution in conjunction with the network IDS/IPS. For more in-depth host-level detection and prevention capabilities, deploy host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution, such as Microsoft Defender for Endpoint, at the VM level in conjunction with the network IDS/IPS. For more in-depth host-level detection and prevention capabilities, deploy host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution, such as third-party solution for host-based IDS/IPS, at the VM level in conjunction with the network IDS/IPS. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
13.8 - Deploy a Network Intrusion Prevention Solution Microsoft Defender for Endpoint capability: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response https://aws.amazon.com/marketplace/search?searchTerms=IPS
Note: If using a third-party IDS/IPS from marketplace, use Transit Gateway and Gateway Balancer to direct the traffic for in-line inspection. Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
NS-5 Network Security 9.5 - Implement Application Firewalls 13.10 - Perform Application Layer Filtering SC-5: DENIAL OF SERVICE PROTECTION 1.1 Deploy DDOS protection Deploy distributed denial of service (DDoS) protection to protect your network and applications from attacks. DDoS Protection Basic is automatically enabled to protect the Azure underlying platform infrastructure (e.g., Azure DNS) and requires no configuration from the users. Manage Azure DDoS Protection Standard using the Azure portal: AWS Shield Standard is automatically enabled with standard mitigations, to protect your workload from common network and transport layer (Layer 3 and 4) DDoS attacks AWS Shield Features: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
12.3 - Deny Communications with Known Malicious IP Addresses SC-7: BOUNDARY PROTECTION 1.2 https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html
1.3 For higher levels of protection of your application layer (Layer 7) attacks such as HTTP floods and DNS floods, enable the DDoS standard protection plan on your VNet to protect resources that are exposed to the public networks. For higher levels of protection of your applications against application layer (Layer 7) attack such as HTTPS floods, and DNS floods, enable AWS Shield Advanced protection on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
6.6
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
NS-6 Network Security 9.5 - Implement Application Firewalls 13.10 - Perform Application Layer Filtering SC-7: BOUNDARY PROTECTION 1.1 Deploy web application firewall Deploy a web application firewall (WAF) and configure the appropriate rules to protect your web applications and APIs from application-specific attacks. Use web application firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services and APIs against application layer attacks at the edge of your network. How to deploy Azure WAF: Use AWS Web Application Firewall (WAF) in Amazon CloudFront distribution, Amazon API Gateway, Application Load Balancer, or AWS AppSync to protect your applications, services, and APIs against application layer attacks at the edge of your network. How AWS WAF works: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
12.3 - Deny Communications with Known Malicious IP Addresses 1.2 https://docs.microsoft.com/azure/web-application-firewall/overview https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html
12.9 - Deploy Application Layer Filtering Proxy Server 1.3 Set your WAF in "detection" or "prevention mode," depending on your needs and threat landscape. Use AWS Managed Rules for WAF to deploy built-in baseline groups, and customize it to your application needs for the user-case rule groups. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
18.10 - Deploy Web Application Firewalls (WAFs) 6.6 AWS WAF Security Automations:
Choose a built-in ruleset, such as OWASP Top 10 vulnerabilities, and tune it to your application needs. To simplify the WAF rules deployment, you can also use the AWS WAF Security Automations solution to automatically deploy pre-defined AWS WAF rules that filters web-based attacks on your web ACL. https://docs.aws.amazon.com/solutions/latest/aws-waf3-security-automations/welcome.html Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
AWS Managed Rules for AWS WAF:
https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups.html
NS-7 Network Security 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running 4.4 - Implement and Manage a Firewall on Severs AC-4: INFORMATION FLOW ENFORCEMENT 1.1 Simplify network security configuration When managing a complex network environment, use tools to simplify, centralize and enhance the network security management. Use the following features to simplify the implementation and management of the virtual network, NSG rules, and Azure Firewall rules: Adaptive Network Hardening in Microsoft Defender for Cloud: Use AWS Firewall Manager to centralize the network protection policy management across the following services. AWS Firewall Manager: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software SC-2: APPLICATION PARTITIONING 1.2 - Use Azure Virtual Network Manager to group, configure, deploy, and manage virtual networks and NSG rules across regions and subscriptions. https://docs.microsoft.com/azure/security-center/security-center-adaptive-network-hardening - AWS WAF policies https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-fms-intro.html
SC-7: BOUNDARY PROTECTION 1.3 - Use Microsoft Defender for Cloud Adaptive Network Hardening to recommend NSG hardening rules that further limit ports, protocols and source IPs based on threat intelligence and traffic analysis result. - AWS Shield Advanced policies Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Use Azure Firewall Manager to centralize the firewall policy and route management of the virtual network. To simplify the firewall rules and network security groups implementation, you can also use the Azure Firewall Manager Azure Resource Manager (ARM) template. Azure Firewall Manager: - VPC security group policies https://docs.aws.amazon.com/waf/latest/developerguide/fms-findings.html
https://docs.microsoft.com/azure/firewall-manager/overview - Network Firewall policies Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
AWS Firewall Manager can automatically analyze your firewall-related policies and create findings for non-compliant resources and for detected attacks and sends them to AWS Security Hub for investigation.
Create an Azure Firewall and a firewall policy - ARM template
https://docs.microsoft.com/azure/firewall-manager/quick-firewall-policy
NS-8 Network Security 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running 4.4 - Implement and Manage a Firewall on Severs CM-2: BASELINE CONFIGURATION 4.1 Detect and disable insecure services and protocols Detect and disable insecure services and protocols at the OS, application, or software package layer. Deploy compensating controls if disabling insecure services and protocols are not possible. Use Microsoft Sentinel’s built-in Insecure Protocol Workbook to discover the use of insecure services and protocols such as SSL/TLSv1, SSHv1, SMBv1, LM/NTLMv1, wDigest, weak ciphers in Kerberos, and Unsigned LDAP Binds. Disable insecure services and protocols that do not meet the appropriate security standard. Azure Sentinel insecure protocols workbook: Enable VPC Flow Logs and use GuardDuty to analyze the VPC Flow Logs to identify the possible insecure services and protocols that do not meet the appropriate security standard. Use GuardDuty with VPC Flow Logs as the data source: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CM-6: CONFIGURATION SETTINGS A2.1 https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility#use-built-in-workbooks https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html#guardduty_vpc
CM-7: LEAST FUNCTIONALITY A2.2 Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resources through network security groups, Azure Firewall, or Azure Web Application Firewall to reduce the attack surface. If the logs in the AWS environment can be forwarded to Microsoft Sentinel, you can also use Microsoft Sentinel’s built-in Insecure Protocol Workbook to discover the use of insecure services and protocols Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
A2.3
Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resources through security groups, AWS Network Firewall, or AWS Web Application Firewall to reduce the attack surface. Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
NS-9 Network Security nan 12.7 - Ensure Remote Devices Utilize a VPN and are Connecting to CA-3: SYSTEM INTERCONNECTIONS nan Connect on-premises or cloud network privately Use private connections for secure communication between different networks, such as cloud service provider datacenters and on-premises infrastructure in a colocation environment. For lightweight site-to-site or point-to-site connectivity, use Azure virtual private network (VPN) to create a secure connection between your on-premises site or end-user device and the Azure virtual network. Azure VPN overview: For lightweight site-to-site or point-to-site connectivity, use AWS VPN to create a secure connection (when IPsec overhead is not a concern) between your on-premises site or end-user device to the AWS network. AWS Direct Connect introduction: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
an Enterprise’s AAA Infrastructure AC-17: REMOTE ACCESS https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
AC-4: INFORMATION FLOW ENFORCEMENT For enterprise-level high performance connections, use Azure ExpressRoute (or Virtual WAN) to connect Azure datacenters and on-premises infrastructure in a co-location environment. For enterprise-level high performance connections, use AWS Direct Connect to connect AWS VPCs and resources with your on-premises infrastructure in a co-location environment. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
What are the ExpressRoute connectivity models: AWS VPN introduction:
When connecting two or more Azure virtual networks together, use virtual network peering. Network traffic between peered virtual networks is private and is kept on the Azure backbone network. https://docs.microsoft.com/azure/expressroute/expressroute-connectivity-models You have the option to use VPC Peering or Transit Gateway to establish connectivity between two or more VPCs within or across regions. Network traffic between peered VPC is private and is kept on the AWS backbone network. When you need to join multiple VPCs to create a large flat subnet, you also have the option to use VPC Sharing. https://docs.aws.amazon.com/vpn/ Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Virtual network peering: Transit Gateway:
https://docs.microsoft.com/azure/virtual-network/virtual-network-peering-overview https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html
Create and accept VPC peering connections:
https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html
VPC Sharing:
https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/amazon-vpc-sharing.html
NS-10 Network Security 7.7 - Use of DNS Filtering Services 4.9 - Configure Trusted DNS Servers on Enterprise Assets SC-20: SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) nan Ensure Domain Name System (DNS) security Ensure that Domain Name System (DNS) security configuration protects against known risks: Use Azure recursive DNS (usually assigned to your VM through DHCP or preconfigured in the service) or a trusted external DNS server in your workload recursive DNS setup, such as in the VM's operating system or in the application. Azure DNS overview: Use the Amazon DNS Server (i.e. Amazon Route 53 Resolver server which is usually assigned to you through DHCP or preconfigured in the service) or a centralized trusted DNS resolver server in your workload recursive DNS setup, such as in the VM's operating system or in the application. Amazon Route 53 DNSSEC configuration: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
9.2 - Use DNS Filtering Services SC-21: SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) - Use trusted authoritative and recursive DNS services across your cloud environment to ensure the client (such as operating systems and applications) receive the correct resolution result. https://docs.microsoft.com/azure/dns/dns-overview https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html
- Separate the public and private DNS resolution so the DNS resolution process for the private network can be isolated from the public network. Use Azure Private DNS for a private DNS zone setup where the DNS resolution process does not leave the designated virtual network. Use a custom DNS to restrict the DNS resolution to only allow trusted resolution to your client. Use Amazon Route 53 to create a private hosted zone setup where the DNS resolution process does not leave the designated VPCs. Use Amazon Route 53 firewall to regulate and filter the outbound DNS/UDP traffic in your VPC for the following use cases: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Ensure your DNS security strategy also includes mitigations against common attacks, such as dangling DNS, DNS amplifications attacks, DNS poisoning and spoofing, and so on. Secure Domain Name System (DNS) Deployment Guide: - Prevent attacks such as DNS exfiltration in your VPC Amazon Route 53 firewall:
Use Microsoft Defender for DNS for the advanced protection against the following security threats to your workload or your DNS service: https://csrc.nist.gov/publications/detail/sp/800-81/2/final - Set up allow or deny lists for the domains that your applications can query https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
- Data exfiltration from your Azure resources using DNS tunneling
- Malware communicating with a command-and-control server Azure Private DNS: Configure Domain Name System Security Extensions (DNSSEC) feature in Amazon Route 53 to secure DNS traffic to protect your domain from DNS spoofing or a man-in-the-middle attack. Amazon Route 53 domain registration:
- Communication with malicious domains such as as phishing and crypto mining https://docs.microsoft.com/azure/dns/private-dns-overview https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/registrar.html
- DNS attacks in communication with malicious DNS resolvers Amazon Route 53 also provides a DNS registration service where Route 53 can be used as the authoritative name servers for your domains. The following best practices should be followed to ensure the security of your domain names:
Azure Defender for DNS: - Domain names should be automatically renewed by the Amazon Route 53 service.
You can also use Microsoft Defender for App Service to detect dangling DNS records if you decommission an App Service website without removing its custom domain from your DNS registrar. https://docs.microsoft.com/azure/security-center/defender-for-dns-introduction - Domain names should have the Transfer Lock feature enabled in order to keep them secure.
- he Sender Policy Framework (SPF) is should be used to stop spammers from spoofing your domain.
Prevent dangling DNS entries and avoid subdomain takeover:
https://docs.microsoft.com/azure/security/fundamentals/subdomain-takeover
\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Network Security

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context: Customer Security Stakeholders:
NS-1 Network Security 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running 3.12 - Segment Data Processing and Storage Based on Sensitivity AC-4: INFORMATION FLOW ENFORCEMENT 1.1 Establish network segmentation boundaries Ensure that your virtual network deployment aligns to your enterprise segmentation strategy defined in the GS-2 security control. Any workload that could incur higher risk for the organization should be in isolated virtual networks. Create a virtual network (VNet) as a fundamental segmentation approach in your Azure network, so resources such as VMs can be deployed into the VNet within a network boundary. To further segment the network, you can create subnets inside VNet for smaller sub-networks. Azure Virtual Network concepts and best practices: Create a Virtual Private Cloud (VPC) as a fundamental segmentation approach in your AWS network, so resources such as EC2 instances can be deployed into the VPC within a network boundary. To further segment the network, you can create subnets inside VPC for smaller sub-networks. Control traffic to EC2 instances with security groups: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
9.4 - Apply Host-Based Firewalls or Port Filtering 13.4 - Perform Traffic Filtering Between Network Segments SC-2: APPLICATION PARTITIONING 1.2 Examples of high-risk workload include: https://docs.microsoft.com/azure/virtual-network/concepts-and-best-practices https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
12.3 - Deny Communications with Known Malicious IP Addresses 4.4 - Implement and Manage a Firewall on Severs SC-7: BOUNDARY PROTECTION 1.3 - An application storing or processing highly sensitive data. Use network security groups (NSG) as a network layer control to restrict or monitor traffic by port, protocol, source IP address, or destination IP address. Refer to NS-7 Simplify network security configuration to use Adaptive Network Hardening to recommend NSG hardening rules based on threat intelligence and traffic analysis result. For EC2 instances, use Security Groups, as a stateful firewall to restrict traffic by port, protocol, source IP address, or destination IP address. At the VPC subnet level, use Network Access Control List (NACL) as a stateless firewall to have explicit rules for ingress and egress traffic to the subnet. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
12.4 - Deny Communication over Unauthorized Ports - An external network-facing application accessible by the public or users outside of your organization. Add, change, or delete a virtual network subnet: Compare security groups and network ACLs:
14.1 - Segment the Network Based on Sensitivity - An application using insecure architecture or containing vulnerabilities that cannot be easily remediated. You can also use application security groups (ASGs) to simplify complex configuration. Instead of defining policy based on explicit IP addresses in network security groups, ASGs enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. https://docs.microsoft.com/azure/virtual-network/virtual-network-manage-subnet Note: To control VPC traffic, Internet and NAT Gateway should be configured to ensure the traffic from/to the internet are restricted. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
14.2 - Enable Firewall Filtering Between VLANs
To enhance your enterprise segmentation strategy, restrict or monitor traffic between internal resources using network controls. For specific, well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach by restricting the ports, protocols, source, and destination IPs of the network traffic. If you have many applications and endpoints interacting with each other, blocking traffic may not scale well, and you may only be able to monitor traffic. How to create a network security group with security rules: Internet Gateway:
https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
Understand and use application security groups: NAT Gateway:
https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview#application-security-groups https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
NS-2 Network Security 14.1 - Segment the Network Based on Sensitivity 3.12 - Segment Data Processing and Storage Based on Sensitivity AC-4: INFORMATION FLOW ENFORCEMENT 1.1 Secure cloud native services with network controls Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public network when possible. Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources. Using Private Link will keep the private connection from routing through the public network. Understand Azure Private Link: Deploy VPC PrivateLink for all AWS resources that support the PrivateLink feature, to allow private connection to the supported AWS services or services hosted by other AWS accounts (VPC endpoint services). Using PrivateLink will keep the private connection from routing through the public network. AWS PrivateLink: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
4.4 - Implement and Manage a Firewall on Servers SC-2: APPLICATION PARTITIONING 1.2 https://docs.microsoft.com/azure/private-link/private-link-overview https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-service.html
SC-7: BOUNDARY PROTECTION 1.3 Note: Certain Azure services may also allow private communication through the service endpoint feature, though it is recommended to use Azure Private Link for secure and private access to services hosted on Azure platform. For certain services, you can choose to deploy the service instance into your own VPC to isolate the traffic. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Integrate Azure services with virtual networks for network isolation: Blocking public access to your Amazon S3 storage:
For certain services, you can choose to deploy VNet integration for the service where you can restrict/isolate the VNET to establish a private access point for the service. https://learn.microsoft.com/en-us/azure/virtual-network/vnet-integration-for-azure-services You also have the option to configure the service native ACL rules to block access from the public network. For example, Amazon S3 allows you to block public access at the bucket or account level. https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
You also have the option to configure the service native network ACL rules or simply disable public network access to block access from the public network. When assigning IPs to your service resources in your VPC, unless there is a strong use case, you should avoid assigning public IPs/subnet directly to your resources and instead use private IPs/subnet.
For Azure VMs, unless there is a strong use case, you should avoid assigning public IPs/subnet directly to the VM interface and instead use gateway or load balancer services as the front-end for access by the public network.
NS-3 (Network Security): Deploy firewall at the edge of enterprise network
CIS Controls v7.1 ID(s): 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running; 9.4 - Apply Host-Based Firewalls or Port Filtering; 12.3 - Deny Communications with Known Malicious IP Addresses; 12.4 - Deny Communication over Unauthorized Ports; 14.1 - Segment the Network Based on Sensitivity; 14.2 - Enable Firewall Filtering Between VLANs
CIS Controls v8 ID(s): 4.4 - Implement and Manage a Firewall on Servers; 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software; 13.10 - Perform Application Layer Filtering
NIST SP800-53 r4 ID(s): AC-4: INFORMATION FLOW ENFORCEMENT; SC-7: BOUNDARY PROTECTION; CM-7: LEAST FUNCTIONALITY
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3
Security Principle: Deploy a firewall to perform advanced filtering on network traffic to and from external networks. You can also use firewalls between internal segments to support a segmentation strategy. If required, use custom routes for your subnet to override the system route when you need to force the network traffic to go through a network appliance for security control purposes. At a minimum, block known bad IP addresses and high-risk protocols, such as remote management (for example, RDP and SSH) and intranet protocols (for example, SMB and Kerberos).
Azure Guidance: Use Azure Firewall to provide fully stateful application layer traffic restriction (such as URL filtering) and/or central management over a large number of enterprise segments or spokes (in a hub/spoke topology). If you have a complex network topology, such as a hub/spoke setup, you may need to create user-defined routes (UDR) to ensure the traffic goes through the desired route. For example, you have the option to use a UDR to redirect egress internet traffic through a specific Azure Firewall or a network virtual appliance.
Implementation and additional context (Azure):
- How to deploy Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal
- Virtual network traffic routing: https://docs.microsoft.com/azure/virtual-network/virtual-networks-udr-overview
AWS Guidance: Use AWS Network Firewall to provide fully stateful application layer traffic restriction (such as URL filtering) and/or central management over a large number of enterprise segments or spokes (in a hub/spoke topology). If you have a complex network topology, such as a hub/spoke setup, you may need to create custom VPC route tables to ensure the traffic goes through the desired route. For example, you have the option to use a custom route to redirect egress internet traffic through a specific AWS Network Firewall or a network virtual appliance.
Implementation and additional context (AWS):
- AWS Network Firewall: https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html
- AWS VPC configure custom route tables: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html
Customer Security Stakeholders:
- Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
NS-4 (Network Security): Deploy intrusion detection/intrusion prevention systems (IDS/IPS)
CIS Controls v7.1 ID(s): 12.6 - Deploy Network-Based IDS Sensors; 12.7 - Deploy Network-Based Intrusion Prevention Systems
CIS Controls v8 ID(s): 13.2 - Deploy a Host-Based Intrusion Detection Solution; 13.3 - Deploy a Network Intrusion Detection Solution; 13.7 - Deploy a Host-Based Intrusion Prevention Solution; 13.8 - Deploy a Network Intrusion Prevention Solution
NIST SP800-53 r4 ID(s): SC-7: BOUNDARY PROTECTION; SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS v3.2.1 ID(s): 11.4
Security Principle: Use network intrusion detection and intrusion prevention systems (IDS/IPS) to inspect the network and payload traffic to or from your workload. Ensure that IDS/IPS is always tuned to provide high-quality alerts to your SIEM solution. For more in-depth host-level detection and prevention capability, use host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution in conjunction with the network IDS/IPS.
Azure Guidance: Use Azure Firewall's IDPS capability to protect your virtual network to alert on and/or block traffic to and from known malicious IP addresses and domains. For more in-depth host-level detection and prevention capabilities, deploy host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution, such as Microsoft Defender for Endpoint, at the VM level in conjunction with the network IDS/IPS.
Implementation and additional context (Azure):
- Azure Firewall IDPS: https://docs.microsoft.com/azure/firewall/premium-features#idps
- Microsoft Defender for Endpoint capability: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response
AWS Guidance: Use AWS Network Firewall's IPS capability to protect your VPC to alert on and/or block traffic to and from known malicious IP addresses and domains. For more in-depth host-level detection and prevention capabilities, deploy host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution, such as a third-party solution for host-based IDS/IPS, at the VM level in conjunction with the network IDS/IPS.
Note: If using a third-party IDS/IPS from the marketplace, use Transit Gateway and Gateway Load Balancer to direct the traffic for in-line inspection.
Implementation and additional context (AWS):
- IPS stateful rule groups in AWS Network Firewall: https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-ips.html
- AWS Marketplace IPS solutions: https://aws.amazon.com/marketplace/search?searchTerms=IPS
Customer Security Stakeholders:
- Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
NS-5 (Network Security): Deploy DDoS protection
CIS Controls v7.1 ID(s): 9.5 - Implement Application Firewalls; 12.3 - Deny Communications with Known Malicious IP Addresses
CIS Controls v8 ID(s): 13.10 - Perform Application Layer Filtering
NIST SP800-53 r4 ID(s): SC-5: DENIAL OF SERVICE PROTECTION; SC-7: BOUNDARY PROTECTION
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3, 6.6
Security Principle: Deploy distributed denial of service (DDoS) protection to protect your network and applications from attacks.
Azure Guidance: DDoS Protection Basic is automatically enabled to protect the Azure underlying platform infrastructure (e.g., Azure DNS) and requires no configuration from the users. For higher levels of protection against application layer (Layer 7) attacks such as HTTP floods and DNS floods, enable the DDoS Standard protection plan on your VNet to protect resources that are exposed to the public networks.
Implementation and additional context (Azure):
- Manage Azure DDoS Protection Standard using the Azure portal: https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection
AWS Guidance: AWS Shield Standard is automatically enabled with standard mitigations to protect your workload from common network and transport layer (Layer 3 and 4) DDoS attacks. For higher levels of protection of your applications against application layer (Layer 7) attacks such as HTTPS floods and DNS floods, enable AWS Shield Advanced protection on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53.
Implementation and additional context (AWS):
- AWS Shield Features: https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html
Customer Security Stakeholders:
- Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
NS-6 (Network Security): Deploy web application firewall
CIS Controls v7.1 ID(s): 9.5 - Implement Application Firewalls; 12.3 - Deny Communications with Known Malicious IP Addresses; 12.9 - Deploy Application Layer Filtering Proxy Server; 18.10 - Deploy Web Application Firewalls (WAFs)
CIS Controls v8 ID(s): 13.10 - Perform Application Layer Filtering
NIST SP800-53 r4 ID(s): SC-7: BOUNDARY PROTECTION
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3, 6.6
Security Principle: Deploy a web application firewall (WAF) and configure the appropriate rules to protect your web applications and APIs from application-specific attacks.
Azure Guidance: Use web application firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services and APIs against application layer attacks at the edge of your network. Set your WAF in "detection" or "prevention" mode, depending on your needs and threat landscape. Choose a built-in ruleset, such as OWASP Top 10 vulnerabilities, and tune it to your application needs.
Implementation and additional context (Azure):
- How to deploy Azure WAF: https://docs.microsoft.com/azure/web-application-firewall/overview
AWS Guidance: Use AWS Web Application Firewall (WAF) in Amazon CloudFront distribution, Amazon API Gateway, Application Load Balancer, or AWS AppSync to protect your applications, services, and APIs against application layer attacks at the edge of your network. Use AWS Managed Rules for WAF to deploy built-in baseline groups, and customize them to your application needs for the use-case rule groups. To simplify the WAF rules deployment, you can also use the AWS WAF Security Automations solution to automatically deploy pre-defined AWS WAF rules that filter web-based attacks on your web ACL.
Implementation and additional context (AWS):
- How AWS WAF works: https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html
- AWS WAF Security Automations: https://docs.aws.amazon.com/solutions/latest/aws-waf3-security-automations/welcome.html
- AWS Managed Rules for AWS WAF: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups.html
Customer Security Stakeholders:
- Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
NS-7 (Network Security): Simplify network security configuration
CIS Controls v7.1 ID(s): 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running
CIS Controls v8 ID(s): 4.4 - Implement and Manage a Firewall on Servers; 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
NIST SP800-53 r4 ID(s): AC-4: INFORMATION FLOW ENFORCEMENT; SC-2: APPLICATION PARTITIONING; SC-7: BOUNDARY PROTECTION
PCI-DSS v3.2.1 ID(s): 1.1, 1.2, 1.3
Security Principle: When managing a complex network environment, use tools to simplify, centralize and enhance the network security management.
Azure Guidance: Use the following features to simplify the implementation and management of the virtual network, NSG rules, and Azure Firewall rules:
- Use Azure Virtual Network Manager to group, configure, deploy, and manage virtual networks and NSG rules across regions and subscriptions.
- Use Microsoft Defender for Cloud Adaptive Network Hardening to recommend NSG hardening rules that further limit ports, protocols and source IPs based on threat intelligence and traffic analysis results.
- Use Azure Firewall Manager to centralize the firewall policy and route management of the virtual network. To simplify the firewall rules and network security groups implementation, you can also use the Azure Firewall Manager Azure Resource Manager (ARM) template.
Implementation and additional context (Azure):
- Adaptive Network Hardening in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/security-center-adaptive-network-hardening
- Azure Firewall Manager: https://docs.microsoft.com/azure/firewall-manager/overview
- Create an Azure Firewall and a firewall policy - ARM template: https://docs.microsoft.com/azure/firewall-manager/quick-firewall-policy
AWS Guidance: Use AWS Firewall Manager to centralize the network protection policy management across the following services:
- AWS WAF policies
- AWS Shield Advanced policies
- VPC security group policies
- Network Firewall policies
AWS Firewall Manager can automatically analyze your firewall-related policies, create findings for non-compliant resources and for detected attacks, and send them to AWS Security Hub for investigation.
Implementation and additional context (AWS):
- AWS Firewall Manager: https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-fms-intro.html
- https://docs.aws.amazon.com/waf/latest/developerguide/fms-findings.html
Customer Security Stakeholders:
- Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
NS-8 (Network Security): Detect and disable insecure services and protocols
CIS Controls v7.1 ID(s): 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running
CIS Controls v8 ID(s): 4.4 - Implement and Manage a Firewall on Servers; 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
NIST SP800-53 r4 ID(s): CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS; CM-7: LEAST FUNCTIONALITY
PCI-DSS v3.2.1 ID(s): 4.1, A2.1, A2.2, A2.3
Security Principle: Detect and disable insecure services and protocols at the OS, application, or software package layer. Deploy compensating controls if disabling insecure services and protocols is not possible.
Azure Guidance: Use Microsoft Sentinel's built-in Insecure Protocol Workbook to discover the use of insecure services and protocols such as SSL/TLSv1, SSHv1, SMBv1, LM/NTLMv1, wDigest, weak ciphers in Kerberos, and Unsigned LDAP Binds. Disable insecure services and protocols that do not meet the appropriate security standard.
Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resources through network security groups, Azure Firewall, or Azure Web Application Firewall to reduce the attack surface.
Implementation and additional context (Azure):
- Azure Sentinel insecure protocols workbook: https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility#use-built-in-workbooks
AWS Guidance: Enable VPC Flow Logs and use GuardDuty to analyze the VPC Flow Logs to identify the possible insecure services and protocols that do not meet the appropriate security standard. If the logs in the AWS environment can be forwarded to Microsoft Sentinel, you can also use Microsoft Sentinel's built-in Insecure Protocol Workbook to discover the use of insecure services and protocols.
Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resources through security groups, AWS Network Firewall, or AWS Web Application Firewall to reduce the attack surface.
Implementation and additional context (AWS):
- Use GuardDuty with VPC Flow Logs as the data source: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html#guardduty_vpc
Customer Security Stakeholders:
- Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
NS-9 (Network Security): Connect on-premises or cloud network privately
CIS Controls v8 ID(s): 12.7 - Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure
NIST SP800-53 r4 ID(s): CA-3: SYSTEM INTERCONNECTIONS; AC-17: REMOTE ACCESS; AC-4: INFORMATION FLOW ENFORCEMENT
Security Principle: Use private connections for secure communication between different networks, such as cloud service provider datacenters and on-premises infrastructure in a colocation environment.
Azure Guidance: For lightweight site-to-site or point-to-site connectivity, use Azure virtual private network (VPN) to create a secure connection between your on-premises site or end-user device and the Azure virtual network. For enterprise-level high performance connections, use Azure ExpressRoute (or Virtual WAN) to connect Azure datacenters and on-premises infrastructure in a co-location environment. When connecting two or more Azure virtual networks together, use virtual network peering. Network traffic between peered virtual networks is private and is kept on the Azure backbone network.
Implementation and additional context (Azure):
- Azure VPN overview: https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways
- What are the ExpressRoute connectivity models: https://docs.microsoft.com/azure/expressroute/expressroute-connectivity-models
- Virtual network peering: https://docs.microsoft.com/azure/virtual-network/virtual-network-peering-overview
AWS Guidance: For lightweight site-to-site or point-to-site connectivity, use AWS VPN to create a secure connection (when IPsec overhead is not a concern) between your on-premises site or end-user device and the AWS network. For enterprise-level high performance connections, use AWS Direct Connect to connect AWS VPCs and resources with your on-premises infrastructure in a co-location environment. You have the option to use VPC Peering or Transit Gateway to establish connectivity between two or more VPCs within or across regions. Network traffic between peered VPCs is private and is kept on the AWS backbone network. When you need to join multiple VPCs to create a large flat subnet, you also have the option to use VPC Sharing.
Implementation and additional context (AWS):
- AWS Direct Connect introduction: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
- AWS VPN introduction: https://docs.aws.amazon.com/vpn/
- Transit Gateway: https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html
- Create and accept VPC peering connections: https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html
- VPC Sharing: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/amazon-vpc-sharing.html
Customer Security Stakeholders:
- Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
NS-10 (Network Security): Ensure Domain Name System (DNS) security
CIS Controls v7.1 ID(s): 7.7 - Use of DNS Filtering Services
CIS Controls v8 ID(s): 4.9 - Configure Trusted DNS Servers on Enterprise Assets; 9.2 - Use DNS Filtering Services
NIST SP800-53 r4 ID(s): SC-20: SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE); SC-21: SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
Security Principle: Ensure that Domain Name System (DNS) security configuration protects against known risks:
- Use trusted authoritative and recursive DNS services across your cloud environment to ensure the clients (such as operating systems and applications) receive the correct resolution result.
- Separate the public and private DNS resolution so the DNS resolution process for the private network can be isolated from the public network.
- Ensure your DNS security strategy also includes mitigations against common attacks, such as dangling DNS, DNS amplification attacks, DNS poisoning and spoofing, and so on.
Azure Guidance: Use Azure recursive DNS (usually assigned to your VM through DHCP or preconfigured in the service) or a trusted external DNS server in your workload recursive DNS setup, such as in the VM's operating system or in the application.
Use Azure Private DNS for a private DNS zone setup where the DNS resolution process does not leave the designated virtual network. Use a custom DNS to restrict the DNS resolution to only allow trusted resolution to your client.
Use Microsoft Defender for DNS for advanced protection against the following security threats to your workload or your DNS service:
- Data exfiltration from your Azure resources using DNS tunneling
- Malware communicating with a command-and-control server
- Communication with malicious domains such as phishing and crypto mining
- DNS attacks in communication with malicious DNS resolvers
You can also use Microsoft Defender for App Service to detect dangling DNS records if you decommission an App Service website without removing its custom domain from your DNS registrar.
Implementation and additional context (Azure):
- Azure DNS overview: https://docs.microsoft.com/azure/dns/dns-overview
- Secure Domain Name System (DNS) Deployment Guide: https://csrc.nist.gov/publications/detail/sp/800-81/2/final
- Azure Private DNS: https://docs.microsoft.com/azure/dns/private-dns-overview
- Azure Defender for DNS: https://docs.microsoft.com/azure/security-center/defender-for-dns-introduction
- Prevent dangling DNS entries and avoid subdomain takeover: https://docs.microsoft.com/azure/security/fundamentals/subdomain-takeover
AWS Guidance: Use the Amazon DNS Server (i.e. the Amazon Route 53 Resolver server, which is usually assigned to you through DHCP or preconfigured in the service) or a centralized trusted DNS resolver server in your workload recursive DNS setup, such as in the VM's operating system or in the application.
Use Amazon Route 53 to create a private hosted zone setup where the DNS resolution process does not leave the designated VPCs. Use Amazon Route 53 firewall to regulate and filter the outbound DNS/UDP traffic in your VPC for the following use cases:
- Prevent attacks such as DNS exfiltration in your VPC
- Set up allow or deny lists for the domains that your applications can query
Configure the Domain Name System Security Extensions (DNSSEC) feature in Amazon Route 53 to secure DNS traffic and protect your domain from DNS spoofing or a man-in-the-middle attack.
Amazon Route 53 also provides a DNS registration service where Route 53 can be used as the authoritative name servers for your domains. The following best practices should be followed to ensure the security of your domain names:
- Domain names should be automatically renewed by the Amazon Route 53 service.
- Domain names should have the Transfer Lock feature enabled in order to keep them secure.
- The Sender Policy Framework (SPF) should be used to stop spammers from spoofing your domain.
Implementation and additional context (AWS):
- Amazon Route 53 DNSSEC configuration: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html
- Amazon Route 53 firewall: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html
- Amazon Route 53 domain registration: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/registrar.html
Customer Security Stakeholders:
- Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
\ No newline at end of file diff --git a/Azure/Security/MCSB/Posture and Vulnerability Mgmt/index.html b/Azure/Security/MCSB/Posture and Vulnerability Mgmt/index.html index a438ea4..a425ac5 100644 --- a/Azure/Security/MCSB/Posture and Vulnerability Mgmt/index.html +++ b/Azure/Security/MCSB/Posture and Vulnerability Mgmt/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

MCSB_v1 - Posture and Vulnerability Mgmt

Columns: ID; Control Domain; CIS Controls v7.1 ID(s); CIS Controls v8 ID(s); NIST SP800-53 r4 ID(s); PCI-DSS v3.2.1 ID(s); Recommendation; Security Principle; Azure Guidance; Implementation and additional context (Azure); AWS Guidance; Implementation and additional context (AWS); Customer Security Stakeholders.
PV-1 (Posture and Vulnerability Management): Define and establish secure configurations
CIS Controls v7.1 ID(s): 5.1 - Establish Secure Configurations; 11.1 - Maintain Standard Security Configurations for Network Devices
CIS Controls v8 ID(s): 4.1 - Establish and Maintain a Secure Configuration Process; 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure
NIST SP800-53 r4 ID(s): CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS
PCI-DSS v3.2.1 ID(s): 1.1, 2.2
Security Principle: Define the security configuration baselines for different resource types in the cloud. Alternatively, use configuration management tools to establish the configuration baseline automatically before or during resource deployment so the environment can be compliant by default after the deployment.
Azure Guidance: Use the Microsoft Cloud Security Benchmark and service baseline to define your configuration baseline for each respective Azure offering or service. Refer to the Azure reference architecture and Cloud Adoption Framework landing zone architecture to understand the critical security controls and configurations that may be needed across Azure resources. Use Azure landing zone (and Blueprints) to accelerate the workload deployment by setting up configuration of services and application environments, including Azure Resource Manager templates, Azure RBAC controls, and Azure Policy.
Implementation and additional context (Azure):
- Illustration of Guardrails implementation in Enterprise Scale Landing Zone: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture#landing-zone-expanded-definition
- Working with security policies in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/tutorial-security-policy
- Tutorial: Create and manage policies to enforce compliance: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
- Azure Blueprints: https://docs.microsoft.com/azure/governance/blueprints/overview
AWS Guidance: Use the Microsoft Cloud Security Benchmark - multi-cloud guidance for AWS and other input to define your configuration baseline for each respective AWS offering or service. Refer to the security pillar and other pillars in the AWS Well-Architected Framework to understand the critical security controls and configurations that may be needed across AWS resources. Use AWS CloudFormation templates and AWS Config rules in the AWS landing zone definition to automate deployment and configuration of services and application environments.
Implementation and additional context (AWS):
- AWS Control Tower: https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html
- AWS Config rules: https://aws.amazon.com/config/
- AWS landing zone
Customer Security Stakeholders:
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
- Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
PV-2 (Posture and Vulnerability Management): Audit and enforce secure configurations
CIS Controls v7.1 ID(s): 5.4 - Deploy System Configuration Management Tools; 5.5 - Implement Automated Configuration Monitoring Systems; 11.3 - Use Automated Tools to Verify Standard Device Configurations and Detect Changes
CIS Controls v8 ID(s): 4.1 - Establish and Maintain a Secure Configuration Process; 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure
NIST SP800-53 r4 ID(s): CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS
PCI-DSS v3.2.1 ID(s): 2.2
Security Principle: Continuously monitor and alert when there is a deviation from the defined configuration baseline. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration.
Azure Guidance: Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources. Use Azure Policy [deny] and [deploy if not exist] rules to enforce secure configuration across Azure resources. For resource configuration audit and enforcement not supported by Azure Policy, you may need to write custom scripts or use third-party tooling to implement the configuration audit and enforcement.
Implementation and additional context (Azure):
- Understand Azure Policy effects: https://docs.microsoft.com/azure/governance/policy/concepts/effects
- Create and manage policies to enforce compliance: https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
- Get compliance data of Azure resources: https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data
AWS Guidance: Use AWS Config rules to audit configurations of your AWS resources, and you can choose to resolve the configuration drift using AWS Systems Manager Automation associated with the AWS Config rule. Use Amazon CloudWatch to create alerts when there is a configuration deviation detected on the resources. For resource configuration audit and enforcement not supported by AWS Config, you may need to write custom scripts or use third-party tooling to implement the configuration audit and enforcement. You can also centrally monitor your configuration drift by onboarding your AWS account to Microsoft Defender for Cloud.
Implementation and additional context (AWS):
- Remediating Noncompliant AWS Resources by AWS Config Rules: https://docs.aws.amazon.com/config/latest/developerguide/remediation.html
- Detecting unmanaged configuration changes to stacks and resources: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html
- AWS Config Conformance Pack: https://aws.amazon.com/about-aws/whats-new/2019/11/introducing-aws-config-conformance-packs/
Customer Security Stakeholders:
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
- Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
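The audit-versus-deny choice in the PV-2 Azure guidance, as an added illustration: an example Azure Policy definition written for this page (not the benchmark's or Microsoft's own), whose effect parameter switches between reporting drift (Audit) and blocking the non-compliant configuration (Deny). The resource type and the supportsHttpsTrafficOnly alias are real Azure Policy aliases; the display name is constructed.

```json
{
  "properties": {
    "displayName": "Storage accounts must require HTTPS-only traffic (example)",
    "mode": "Indexed",
    "description": "Example definition added for illustration. Flags or rejects storage accounts that still accept plain HTTP. Assign with effect=Audit first to measure drift against the baseline, then switch to Deny once existing resources are remediated.",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Deny",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit only records non-compliant resources in compliance data; Deny rejects the create/update request at deployment time."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```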
PV-3 (Posture and Vulnerability Management): Define and establish secure configurations for compute resources
CIS Controls v7.1 ID(s): 5.1 - Establish Secure Configurations; 5.5 - Implement Automated Configuration Monitoring Systems
CIS Controls v8 ID(s): 4.1 - Establish and Maintain a Secure Configuration Process
NIST SP800-53 r4 ID(s): CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS
PCI-DSS v3.2.1 ID(s): 2.2, 11.5
Security Principle: Define the secure configuration baselines for your compute resources, such as VMs and containers. Use configuration management tools to establish the configuration baseline automatically before or during the compute resource deployment so the environment can be compliant by default after the deployment. Alternatively, use a pre-configured image to build the desired configuration baseline into the compute resource image template.
Azure Guidance: Use Azure recommended operating system security baselines (for both Windows and Linux) as a benchmark to define your compute resource configuration baseline. Additionally, you can use a custom VM image (using Azure Image Builder) or container image with Azure Automanage Machine Configuration (formerly called Azure Policy Guest Configuration) and Azure Automation State Configuration to establish the desired security configuration.
Implementation and additional context (Azure):
- Linux OS security configuration baseline: https://docs.microsoft.com/azure/governance/policy/samples/guest-configuration-baseline-linux
- Windows OS security configuration baseline: https://docs.microsoft.com/azure/governance/policy/samples/guest-configuration-baseline-windows
- Security configuration recommendation for compute resources: https://docs.microsoft.com/azure/security-center/recommendations-reference
- Azure Automation State Configuration Overview: https://docs.microsoft.com/azure/automation/automation-dsc-overview
AWS Guidance: Use EC2 AWS Machine Images (AMI) from trusted sources on the marketplace as a benchmark to define your EC2 configuration baseline. Additionally, you can use EC2 Image Builder to build a custom AMI template with a Systems Manager agent to establish the desired security configuration.
Note: The AWS Systems Manager Agent is preinstalled on some Amazon Machine Images (AMIs) provided by AWS.
For workload applications running within your EC2 instances, AWS Lambda or containers environment, you may use AWS Systems Manager AppConfig to establish the desired configuration baseline.
Implementation and additional context (AWS):
- Enable Azure Automation State Configuration: https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding#enable-physicalvirtual-windows-machines
Customer Security Stakeholders:
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
- Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
PV-4 (Posture and Vulnerability Management): Audit and enforce secure configurations for compute resources
CIS Controls v7.1 ID(s): 5.4 - Deploy System Configuration Management Tools; 5.5 - Implement Automated Configuration Monitoring Systems; 11.3 - Use Automated Tools to Verify Standard Device Configurations and Detect Changes
CIS Controls v8 ID(s): 4.1 - Establish and Maintain a Secure Configuration Process
NIST SP800-53 r4 ID(s): CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS
PCI-DSS v3.2.1 ID(s): 2.2
Security Principle: Continuously monitor and alert when there is a deviation from the defined configuration baseline in your compute resources. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration in compute resources.
Azure Guidance: Use Microsoft Defender for Cloud and Azure Automanage Machine Configuration (formerly called Azure Policy Guest Configuration) to regularly assess and remediate configuration deviations on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements. Use Change Tracking and Inventory in Azure Automation to track changes in virtual machines hosted in Azure, on-premises, and other cloud environments to help you pinpoint operational and environmental issues with software managed by the Distribution Package Manager. Install the Guest Attestation agent on virtual machines to monitor for boot integrity on confidential virtual machines.
Note: Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft.
Implementation and additional context (Azure):
- How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations
- How to create an Azure virtual machine from an ARM template: https://docs.microsoft.com/azure/virtual-machines/windows/ps-template
- Azure Automation State Configuration overview: https://docs.microsoft.com/azure/automation/automation-dsc-overview
AWS Guidance: Use AWS Systems Manager's State Manager feature to regularly assess and remediate configuration deviations on your EC2 instances. In addition, you can use CloudFormation templates and custom operating system images to maintain the security configuration of the operating system. AMI templates in conjunction with Systems Manager can assist in meeting and maintaining security requirements.
You can also centrally monitor and manage the operating system configuration drift through Azure Automation State Configuration and onboard the applicable resources to Azure security governance using the following methods:
- Onboard your AWS account into Microsoft Defender for Cloud
- Use Azure Arc for servers to connect your EC2 instances to Microsoft Defender for Cloud
For workload applications running within your EC2 instances, AWS Lambda or containers environment, you may use AWS Systems Manager AppConfig to audit and enforce the desired configuration baseline.
Note: AMIs published by Amazon Web Services in AWS Marketplace are managed and maintained by Amazon Web Services.
Implementation and additional context (AWS):
- AWS Systems Manager State Manager: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-state.html
- Connect your AWS accounts to Microsoft Defender for Cloud: https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings
- Enable Azure Automation State Configuration: https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding#enable-physicalvirtual-windows-machines
Customer Security Stakeholders:
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
- Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
- Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Create a Windows virtual machine in the Azure portal:
https://docs.microsoft.com/azure/virtual-machines/windows/quick-create-portal
Container security in Microsoft Defender for Cloud:
https://docs.microsoft.com/azure/security-center/container-security
Change Tracking and Inventory overview:
https://learn.microsoft.com/azure/automation/change-tracking/overview?tabs=python-2
Guest attestation for confidential VMs:
https://learn.microsoft.com/azure/confidential-computing/guest-attestation-confidential-vms
PV-5 Posture and Vulnerability Management 3.1 - Run Automated Vulnerability Scanning Tools 5.5 - Establish and Maintain an Inventory of Service Accounts RA-3: RISK ASSESSMENT 6.1 Perform vulnerability assessments Perform vulnerabilities assessment for your cloud resources at all tiers in a fixed schedule or on-demand. Track and compare the scan results to verify the vulnerabilities are remediated. The assessment should include all type of vulnerabilities, such as vulnerabilities in Azure services, network, web, operating systems, misconfigurations, and so on. Follow recommendations from Microsoft Defender for Cloud for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Microsoft Defender for Cloud has a built-in vulnerability scanner for virtual machines. Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications) How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations Use Amazon Inspector to scan your Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure. Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications) Amazon Inspector: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
3.3 - Protect Dedicated Assessment Accounts 7.1 - Establish and Maintain a Vulnerability Management Process RA-5: VULNERABILITY SCANNING 6.2 https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html
3.6 - Compare Back-to-back Vulnerability Scans 7.5 - Perform Automated Vulnerability Scans of Internal Enterprise Assets 6.6 Be aware of the potential risks associated with the privileged access used by the vulnerability scanners. Follow the privileged access security best practice to secure any administrative accounts used for the scanning. Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Microsoft Defender for Cloud, you can pivot into the selected scan solution's portal to view historical scan data. Integrated vulnerability scanner for virtual machines: Refer to control ES-1, "Use Endpoint Detection and Response (EDR)", to onboard your AWS account into Microsoft Defender for Cloud and deploy Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) in your EC2 instances. Microsoft Defender for servers provides a native threat and vulnerability management capability for your VMs. The vulnerability scanning result will be consolidated in the Microsoft Defender for Cloud dashboard. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
7.6 - Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets 11.2 https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management:
When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT (Just In Time) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning. Track the status of vulnerability findings to ensure they are properly remediated or suppressed if they're considered false positive. https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
SQL vulnerability assessment:
Note: Microsoft Defender services (including Defender for servers, containers, App Service, Database, and DNS) embed certain vulnerability assessment capabilities. The alerts generated from Azure Defender services should be monitored and reviewed together with the result from Microsoft Defender for Cloud vulnerability scanning tool. https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing a temporary provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.
Note: Ensure you setup email notifications in Microsoft Defender for Cloud. Exporting Microsoft Defender for Cloud vulnerability scan results:
https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment#exporting-results
PV-6 Posture and Vulnerability Management 3.4 - Deploy Automated Operating System Patch Management Tools 7.2 - Establish and Maintain a Remediation Process RA-3: RISK ASSESSMENT 6.1 Rapidly and automatically remediate vulnerabilities Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources. Use the appropriate risk-based approach to prioritize the remediation of vulnerabilities. For example, more severe vulnerabilities in a higher value asset should be addressed as a higher priority. Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically. How to configure Update Management for virtual machines in Azure: Use AWS Systems Manager - Patch Manager to ensure that the most recent security updates are installed on your operating systems and applications. Patch Manager supports patch baselines to allow you to define a list of approved and rejected patches for your systems. AWS Systems Manager - Patch Manager: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
3.5 - Deploy Automated Software Patch Management Tools 7.3 - Perform Automated Operating System Patch Management RA-5: VULNERABILITY SCANNING 6.2 https://docs.microsoft.com/azure/automation/update-management/overview https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html
3.7 - Utilize a Risk-rating Process 7.4 - Perform Automated Application Patch Management SI-2: FLAW REMEDIATION 6.5 Prioritize which updates to deploy first using a common risk scoring program (such as Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool and tailor to your environment. You should also consider which applications present a high security risk and which ones require high uptime. For third-party software, use a third-party patch management solution or Microsoft System Center Updates Publisher for Configuration Manager. You can also use Azure Automation Update Management to centrally manage the patches and updates of your AWS EC2 Windows and Linux instances. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
7.7 - Remediate Detected Vulnerabilities 11.2 Manage updates and patches for your Azure VMs: Update Management overview:
https://docs.microsoft.com/azure/automation/update-management/manage-updates-for-vm For third-party software, use a third-party patch management solution or Microsoft System Center Updates Publisher for Configuration Manager. https://docs.microsoft.com/en-us/azure/automation/update-management/overview Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
PV-7 Posture and Vulnerability Management 20.1 - Establish a Penetration Testing Program 18.1 - Establish and Maintain a Penetration Testing Program CA-8: PENETRATION TESTING 6.6 Conduct regular red team operations Simulate real-world attacks to provide a more complete view of your organization's vulnerability. Red team operations and penetration testing complement the traditional vulnerability scanning approach to discover risks. As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings. Penetration testing in Azure: As required, conduct penetration testing or red team activities on your AWS resources and ensure remediation of all critical security findings. AWS Customer Support Policy for Penetration Testing: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
20.2 - Conduct Regular External and Internal Penetration Tests 18.2 - Perform Periodic External Penetration Tests RA-5: VULNERABILITY SCANNING 11.2 https://docs.microsoft.com/azure/security/fundamentals/pen-testing https://aws.amazon.com/security/penetration-testing/
20.3 - Perform Periodic Red Team Exercises 18.3 - Remediate Penetration Test Findings 11.3 Follow industry best practices to design, prepare and conduct this kind of testing to ensure it will not cause damage or disruption to your environment. This should always include discussing testing scope and constraints with relevant stakeholders and resource owners. Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications. Follow the AWS Customer Support Policy for Penetration Testing to ensure your penetration tests are not in violation of AWS policies. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
18.4 - Validate Security Measures Penetration Testing Rules of Engagement:
18.5 - Perform Periodic Internal Penetration Tests https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1 Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Microsoft Cloud Red Teaming:
https://download.microsoft.com/download/C/1/9/C1990DBA-502F-4C2A-848D-392B93D9B9C3/Microsoft_Enterprise_Cloud_Red_Teaming.pdf
Technical Guide to Information Security Testing and Assessment:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Posture and Vulnerability Mgmt

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders:
PV-1 Posture and Vulnerability Management 5.1 - Establish Secure Configurations 4.1 - Establish and Maintain a Secure Configuration Process CM-2: BASELINE CONFIGURATION 1.1 Define and establish secure configurations Define the security configuration baselines for different resource types in the cloud. Alternatively, use configuration management tools to establish the configuration baseline automatically before or during resource deployment so the environment can be compliant by default after the deployment. Use the Microsoft Cloud Security Benchmark and service baseline to define your configuration baseline for each respective Azure offering or service. Refer to the Azure reference architecture and Cloud Adoption Framework landing zone architecture to understand the critical security controls and configurations that may be needed across Azure resources. Illustration of Guardrails implementation in Enterprise Scale Landing Zone: Use the Microsoft Cloud Security Benchmark - multi-cloud guidance for AWS and other input to define your configuration baseline for each respective AWS offering or service. Refer to the security pillar and other pillars in the AWS Well-Architectured Framework to understand the critical security controls and configurations that may be needed across AWS resources. AWS Control Tower: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
11.1 - Maintain Standard Security Configurations for Network Devices 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure CM-6: CONFIGURATION SETTINGS 2.2 https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture#landing-zone-expanded-definition https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html
Use Azure landing zone (and Blueprints) to accelerate the workload deployment by setting up configuration of services and application environments, including Azure Resource Manager templates, Azure RBAC controls, and Azure Policy. Use AWS CloudFormation templates and AWS Config rules in the AWS landing zone definition to automate deployment and configuration of services and application environments. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Working with security policies in Microsoft Defender for Cloud: AWS Config rules:
https://docs.microsoft.com/azure/security-center/tutorial-security-policy https://aws.amazon.com/config/ Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Tutorial: Create and manage policies to enforce compliance: AWS landing zone
https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage
Azure Blueprints:
https://docs.microsoft.com/azure/governance/blueprints/overview
PV-2 Posture and Vulnerability Management 5.4 - Deploy System Configuration Management Tools 4.1 - Establish and Maintain a Secure Configuration Process CM-2: BASELINE CONFIGURATION 2.2 Audit and enforce secure configurations Continuously monitor and alert when there is a deviation from the defined configuration baseline. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration. Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources. Understand Azure Policy effects: Use AWS Config rules to audit configurations of your AWS resources. And you can choose to resolve the configuration drift using AWS Systems Manager Automation associated with the AWS Config rule. Use Amazon CloudWatch to create alerts when there is a configuration deviation detected on the resources. Remediating Noncompliant AWS Resources by AWS Config Rules: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
5.5 - Implement Automated Configuration Monitoring Systems 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure CM-6: CONFIGURATION SETTINGS https://docs.microsoft.com/azure/governance/policy/concepts/effects https://docs.aws.amazon.com/config/latest/developerguide/remediation.html
11.3 - Use Automated Tools to Verify Standard Device Configurations and Detect Changes Use Azure Policy [deny] and [deploy if not exist] rules to enforce secure configuration across Azure resources. For resource configuration audit and enforcement not supported by AWS Config, you may need to write custom scripts or use third-party tooling to implement the configuration audit and enforcement. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Create and manage policies to enforce compliance: Detecting unmanaged configuration changes to stacks and resources:
For resource configuration audit and enforcement not supported by Azure Policy, you may need to write custom scripts or use third-party tooling to implement the configuration audit and enforcement. https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage You can also centrally monitor your configuration drifting by onboarding your AWS account to Microsoft Defender for Cloud. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Get compliance data of Azure resources: AWS Config Comformance Pack:
https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data https://aws.amazon.com/about-aws/whats-new/2019/11/introducing-aws-config-conformance-packs/
PV-3 Posture and Vulnerability Management 5.1 - Establish Secure Configurations 4.1 - Establish and Maintain a Secure Configuration Process CM-2: BASELINE CONFIGURATION 2.2 Define and establish secure configurations for compute resources Define the secure configuration baselines for your compute resources, such as VMs and containers. Use configuration management tools to establish the configuration baseline automatically before or during the compute resource deployment so the environment can be compliant by default after the deployment. Alternatively, use a pre-configured image to build the desired configuration baseline into the compute resource image template. Use Azure recommended operating system security baselines (for both Windows and Linux) as a benchmark to define your compute resource configuration baseline. Linux OS security configuration baseline: Use EC2 AWS Machine Images (AMI) from trusted sources on marketplace as a benchmark to define your EC2 configuration baseline. Enable Azure Automation State Configuration: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
5.5 - Implement Automated Configuration Monitoring Systems CM-6: CONFIGURATION SETTINGS 11.5 https://docs.microsoft.com/azure/governance/policy/samples/guest-configuration-baseline-linux https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding#enable-physicalvirtual-windows-machines
Additionally, you can use a custom VM image (using Azure Image Builder) or container image with Azure Automanage Machine Configuration (formerly called Azure Policy Guest Configuration) and Azure Automation State Configuration to establish the desired security configuration. Additionally, you can use EC2 Image Builder to build custom AMI template with a Systems Manager agent to establish the desired security configuration. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
Windows OS security configuration baseline: Note: The AWS Systems Manager Agent is preinstalled on some Amazon Machine Images (AMIs) provided by AWS.
https://docs.microsoft.com/azure/governance/policy/samples/guest-configuration-baseline-windows Enable Azure Automation State Configuration: Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
For workload applications running within your EC2 instances, AWS Lambda or containers environment, you may use AWS System Manager AppConfig to establish the desired configuration baseline. https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding#enable-physicalvirtual-windows-machines
Security configuration recommendation for compute resources:
https://docs.microsoft.com/azure/security-center/recommendations-reference
Azure Automation State Configuration Overview:
https://docs.microsoft.com/azure/automation/automation-dsc-overview
PV-4 Posture and Vulnerability Management 5.4 - Deploy System Configuration Management Tools 4.1 - Establish and Maintain a Secure Configuration Process CM-2: BASELINE CONFIGURATION 2.2 Audit and enforce secure configurations for compute resources Continuously monitor and alert when there is a deviation from the defined configuration baseline in your compute resources. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration in compute resources. Use Microsoft Defender for Cloud and Azure Automanage Machine Configuration (formerly called Azure Policy Guest Configuration) to regularly assess and remediate configuration deviations on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements. Use Change Tracking and Inventory in Azure Automation to track changes in virtual machines hosted in Azure, on-premises, and other cloud environments to help you pinpoint operational and environmental issues with software managed by the Distribution Package Manager. Install the Guest Attestation agent on virtual machines to monitor for boot integrity on confidential virtual machines. How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: Use AWS System Manager's State Manager feature to regularly assess and remediate configuration deviations on your EC2 instances. In addition, you can use CloudFormation templates, custom operating system images to maintain the security configuration of the operating system. AMI templates in conjunction with Systems Manager can assist in meeting and maintaining security requirements. 
AWS System Manager State Manager: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
5.5 - Implement Automated Configuration Monitoring Systems CM-6: CONFIGURATION SETTINGS https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-state.html
11.3 - Use Automated Tools to Verify Standard Device Configurations and Detect Changes Note: Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft. You can also centrally monitor and manage the operating system configuration drift through Azure Automation State Configuration and onboard the applicable resources to Azure security governance using the following methods : Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
How to create an Azure virtual machine from an ARM template: - Onboard your AWS account into Microsoft Defender for Cloud Connect your AWS accounts to Microsoft Defender for Cloud:
https://docs.microsoft.com/azure/virtual-machines/windows/ps-template - Use Azure Arc for servers to connect your EC2 instances to Microsoft Defender for Cloud https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Azure Automation State Configuration overview: For workload applications running within your EC2 instances, AWS Lambda or containers environment, you may use AWS System Manager AppConfig to audit and enforce the desired configuration baseline. Enable Azure Automation State Configuration:
https://docs.microsoft.com/azure/automation/automation-dsc-overview https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding#enable-physicalvirtual-windows-machines
Note: AMIs published by Amazon Web Services in AWS Marketplace are managed and maintained by Amazon Web Services.
Create a Windows virtual machine in the Azure portal:
https://docs.microsoft.com/azure/virtual-machines/windows/quick-create-portal
Container security in Microsoft Defender for Cloud:
https://docs.microsoft.com/azure/security-center/container-security
Change Tracking and Inventory overview:
https://learn.microsoft.com/azure/automation/change-tracking/overview?tabs=python-2
Guest attestation for confidential VMs:
https://learn.microsoft.com/azure/confidential-computing/guest-attestation-confidential-vms
PV-5 Posture and Vulnerability Management 3.1 - Run Automated Vulnerability Scanning Tools 5.5 - Establish and Maintain an Inventory of Service Accounts RA-3: RISK ASSESSMENT 6.1 Perform vulnerability assessments Perform vulnerabilities assessment for your cloud resources at all tiers in a fixed schedule or on-demand. Track and compare the scan results to verify the vulnerabilities are remediated. The assessment should include all type of vulnerabilities, such as vulnerabilities in Azure services, network, web, operating systems, misconfigurations, and so on. Follow recommendations from Microsoft Defender for Cloud for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Microsoft Defender for Cloud has a built-in vulnerability scanner for virtual machines. Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications) How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations Use Amazon Inspector to scan your Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure. Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications) Amazon Inspector: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
3.3 - Protect Dedicated Assessment Accounts 7.1 - Establish and Maintain a Vulnerability Management Process RA-5: VULNERABILITY SCANNING 6.2 https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html
3.6 - Compare Back-to-back Vulnerability Scans 7.5 - Perform Automated Vulnerability Scans of Internal Enterprise Assets 6.6 Be aware of the potential risks associated with the privileged access used by the vulnerability scanners. Follow the privileged access security best practice to secure any administrative accounts used for the scanning. Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Microsoft Defender for Cloud, you can pivot into the selected scan solution's portal to view historical scan data. Integrated vulnerability scanner for virtual machines: Refer to control ES-1, "Use Endpoint Detection and Response (EDR)", to onboard your AWS account into Microsoft Defender for Cloud and deploy Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) in your EC2 instances. Microsoft Defender for servers provides a native threat and vulnerability management capability for your VMs. The vulnerability scanning result will be consolidated in the Microsoft Defender for Cloud dashboard. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
7.6 - Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets 11.2 https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management:
When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT (Just In Time) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning. Track the status of vulnerability findings to ensure they are properly remediated or suppressed if they're considered false positive. https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
SQL vulnerability assessment:
Note: Microsoft Defender services (including Defender for servers, containers, App Service, Database, and DNS) embed certain vulnerability assessment capabilities. The alerts generated from Azure Defender services should be monitored and reviewed together with the result from Microsoft Defender for Cloud vulnerability scanning tool. https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing a temporary provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.
Note: Ensure you setup email notifications in Microsoft Defender for Cloud. Exporting Microsoft Defender for Cloud vulnerability scan results:
https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment#exporting-results
PV-6 Posture and Vulnerability Management 3.4 - Deploy Automated Operating System Patch Management Tools 7.2 - Establish and Maintain a Remediation Process RA-3: RISK ASSESSMENT 6.1 Rapidly and automatically remediate vulnerabilities Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources. Use the appropriate risk-based approach to prioritize the remediation of vulnerabilities. For example, more severe vulnerabilities in a higher value asset should be addressed as a higher priority. Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically. How to configure Update Management for virtual machines in Azure: Use AWS Systems Manager - Patch Manager to ensure that the most recent security updates are installed on your operating systems and applications. Patch Manager supports patch baselines to allow you to define a list of approved and rejected patches for your systems. AWS Systems Manager - Patch Manager: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
3.5 - Deploy Automated Software Patch Management Tools 7.3 - Perform Automated Operating System Patch Management RA-5: VULNERABILITY SCANNING 6.2 https://docs.microsoft.com/azure/automation/update-management/overview https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html
3.7 - Utilize a Risk-rating Process 7.4 - Perform Automated Application Patch Management SI-2: FLAW REMEDIATION 6.5 Prioritize which updates to deploy first using a common risk scoring program (such as Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool and tailor to your environment. You should also consider which applications present a high security risk and which ones require high uptime. For third-party software, use a third-party patch management solution or Microsoft System Center Updates Publisher for Configuration Manager. You can also use Azure Automation Update Management to centrally manage the patches and updates of your AWS EC2 Windows and Linux instances. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
7.7 - Remediate Detected Vulnerabilities 11.2 Manage updates and patches for your Azure VMs: Update Management overview:
https://docs.microsoft.com/azure/automation/update-management/manage-updates-for-vm For third-party software, use a third-party patch management solution or Microsoft System Center Updates Publisher for Configuration Manager. https://docs.microsoft.com/en-us/azure/automation/update-management/overview Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
PV-7 Posture and Vulnerability Management 20.1 - Establish a Penetration Testing Program 18.1 - Establish and Maintain a Penetration Testing Program CA-8: PENETRATION TESTING 6.6 Conduct regular red team operations Simulate real-world attacks to provide a more complete view of your organization's vulnerability. Red team operations and penetration testing complement the traditional vulnerability scanning approach to discover risks. As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings. Penetration testing in Azure: As required, conduct penetration testing or red team activities on your AWS resources and ensure remediation of all critical security findings. AWS Customer Support Policy for Penetration Testing: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
20.2 - Conduct Regular External and Internal Penetration Tests 18.2 - Perform Periodic External Penetration Tests RA-5: VULNERABILITY SCANNING 11.2 https://docs.microsoft.com/azure/security/fundamentals/pen-testing https://aws.amazon.com/security/penetration-testing/
20.3 - Perform Periodic Red Team Exercises 18.3 - Remediate Penetration Test Findings 11.3 Follow industry best practices to design, prepare and conduct this kind of testing to ensure it will not cause damage or disruption to your environment. This should always include discussing testing scope and constraints with relevant stakeholders and resource owners. Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications. Follow the AWS Customer Support Policy for Penetration Testing to ensure your penetration tests are not in violation of AWS policies. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint
18.4 - Validate Security Measures Penetration Testing Rules of Engagement:
18.5 - Perform Periodic Internal Penetration Tests https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1 Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Microsoft Cloud Red Teaming:
https://download.microsoft.com/download/C/1/9/C1990DBA-502F-4C2A-848D-392B93D9B9C3/Microsoft_Enterprise_Cloud_Red_Teaming.pdf
Technical Guide to Information Security Testing and Assessment:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
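Review bot: this hunk cannot be reviewed for content because the whole rendered `Azure/Security/MCSB/Posture and Vulnerability Management/index.html` body is committed as a single line (with no trailing newline, per the `\ No newline at end of file` marker), so any edit, including a whitespace or build-tool change, shows up as a full replacement of the page and the actual delta is invisible; consider keeping the source Markdown tables under review instead of the generated site, or emitting unminified HTML so the diff can localize changes. While the row text is visible here, the PV-6 row duplicates the sentence "For third-party software, use a third-party patch management solution or Microsoft System Center Updates Publisher for Configuration Manager." in both the Azure and AWS guidance cells, and the PV-5 row's reference line `https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm` is the only one on the page using the `/en-us/` locale prefix; if these are intended verbatim from MCSB they are fine, otherwise fix them in the Markdown source rather than in the built HTML.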
\ No newline at end of file diff --git a/Azure/Security/MCSB/Privileged Access/index.html b/Azure/Security/MCSB/Privileged Access/index.html index b4ca5be..2f1634e 100644 --- a/Azure/Security/MCSB/Privileged Access/index.html +++ b/Azure/Security/MCSB/Privileged Access/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Privileged Access

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders:
PA-1 Privileged Access 4.3 - Ensure the Use of Dedicated Administrative Accounts 5.4 - Restrict Administrator Privileges to Dedicated Administrator Accounts AC-2: ACCOUNT MANAGEMENT 7.1 Separate and limit highly privileged/administrative users Ensure you identify all high business impact accounts. Limit the number of privileged/administrative accounts in your cloud's control plane, management plane and data/workload plane. You must secure all roles with direct or indirect administrative access to Azure hosted resources. Administrator role permissions in Azure AD: You must secure all roles with direct or indirect administrative access to AWS hosted resources. AWS Best Practices for Root User: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
14.6 - Protect Information Through Access Control Lists 6.8 - Define and Maintain Role-Based Access Control AC-6: LEAST PRIVILEGE 7.2 https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html
8.1 Azure Active Directory (Azure AD) is Azure's default identity and access management service. The most critical built-in roles in Azure AD are Global Administrator and Privileged Role Administrator, because users assigned to these two roles can delegate administrator roles. With these privileges, users can directly or indirectly read and modify every resource in your Azure environment: The privileged/administrative users need to be secured include: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD as well as services that use Azure AD identities. Use Azure Privileged Identity Management security alerts: - Root user: Root user is the highest-level privileged accounts in your AWS account. Root accounts should be highly restricted and only used in emergency situation. Refer to emergency access controls in PA-5 (Setup emergency access).
- Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units. https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts - IAM identities (users, groups, roles) with the privileged permission policy: IAM identities assigned with a permission policy such as AdministratorAccess can have full access to AWS services and resources. Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Outside of Azure AD, Azure has built-in roles that can be critical for privileged access at the resource level. Securing privileged access for hybrid and cloud deployments in Azure AD: If you are using Azure Active Directory (Azure AD) as the identity provider for AWS, refer to the Azure guidance for managing the privileged roles in Azure AD. Security Operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
- Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-admin-roles-secure
- Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. Ensure that you also restrict privileged accounts in other management, identity, and security systems that have administrative access to your business-critical assets, such as AWS Cognito, security tools, and system management tools with agents installed on business critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business critical assets.
- User Access Administrator: Lets you manage user access to Azure resources.
Note: You may have other critical roles that need to be governed if you use custom roles in the Azure AD level or resource level with certain privileged permissions assigned.
In addition, users with the following three roles in Azure Enterprise Agreement (EA) portal should also be restricted as they can be used to directly or indirectly manage Azure subscriptions.
- Account Owner: Users with this role can manage subscriptions, including the creation and deletion of subscriptions.
- Enterprise Administrator: Users assigned with this role can manage (EA) portal users.
- Department Administrator: Users assigned with this role can change account owners within the department.
Lastly, ensure that you also restrict privileged accounts in other management, identity, and security systems that have administrative access to your business-critical assets, such as Active Directory Domain Controllers (DCs), security tools, and system management tools with agents installed on business-critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business critical assets.
PA-2 Privileged Access nan nan AC-2: ACCOUNT MANAGEMENT N/A Avoid standing access for user accounts and permissions Instead of creating standing privileges, use just-in-time (JIT) mechanism to assign privileged access to the different resource tiers. Enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD Privileged Identity Management (PIM). JIT is a model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization. Azure PIM just-in-time access deployment: Use AWS Security Token Service (AWS STS) to create temporary security credentials to access the resources through the AWS API. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use, with the following differences: IAM Temporary credentials through AWS Security Token Service (AWS STS): Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan - Temporary security credentials have a short-term life, from minutes to hours. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
Restrict inbound traffic to your sensitive virtual machines (VM) management ports with Microsoft Defender for Cloud's just-in-time (JIT) for VM access feature. This ensures privileged access to the VM is granted only when users need it. - Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Understanding just-in-time (JIT) VM access:
https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Security Operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
PA-3 Privileged Access 16.7 - Establish Process for Revoking Access 6.1 - Establish an Access Granting Process AC-2: ACCOUNT MANAGEMENT 7.1 Manage lifecycle of identities and entitlements Use an automated process or technical control to manage the identity and access lifecycle including the request, review, approval, provision, and deprovision. Use Azure AD entitlement management features to automate access request workflows (for Azure resource groups). This enables workflows for Azure resource groups to manage access assignments, reviews, expiration, and dual or multi-stage approval. What are Azure AD access reviews: Use AWS Access Advisor to pull the access logs for the user accounts and entitlements for resources. Build a manual or automated workflow to integrate with AWS IAM to manage access assignments, reviews, and deletions. IAM Access Advisor: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
6.2 - Establish an Access Revoking Process AC-5: SEPARATION OF DUTIES 7.2 https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data.html
AC-6: LEAST PRIVILEGE 8.1 Use Permissions Management to detect, automatically right-size, and continuously monitor unused and excessive permissions assigned to user and workload identities across multi-cloud infrastructures. Note: There are third-party solutions available on AWS Marketplace for managing the lifecycle of identities and entitlements. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
What is Azure AD entitlement management: AWS Marketplace Identity and Access Management solutions:
https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-overview https://aws.amazon.com/marketplace/solutions/security/identity-access-management Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Overview of Permissions Management:
https://learn.microsoft.com/azure/active-directory/cloud-infrastructure-entitlement-management/overview
PA-4 Privileged Access 4.1 - Maintain Inventory of Administrative Accounts 5.1 - Establish and Maintain an Inventory of Accounts AC-2: ACCOUNT MANAGEMENT 7.1 Review and reconcile user access regularly Conduct regular review of privileged account entitlements. Ensure the access granted to the accounts are valid for administration of control plane, management plane, and workloads. Review all privileged accounts and the access entitlements in Azure including Azure tenants, Azure services, VM/IaaS, CI/CD processes, and enterprise management and security tools. Create an access review of Azure resource roles in Privileged Identity Management (PIM): Review all privileged accounts and the access entitlements in AWS including AWS accounts, services, VM/IaaS, CI/CD processes, and enterprise management and security tools. IAM Access Analyzer: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
16.6 - Maintain an Inventory of Accounts 5.3 - Disable Dormant Accounts AC-6: LEAST PRIVILEGE 7.2 https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-resource-roles-start-access-review https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
16.8 - Disable Any Unassociated Accounts 5.5 - Establish and Maintain an Inventory of Service Accounts 8.1 Use Azure AD access reviews to review Azure AD roles, Azure resource access roles, group memberships, and access to enterprise applications. Azure AD reporting can also provide logs to help discover stale accounts, or accounts which have not been used for certain amount of time. Use IAM Access Advisor, Access Analyzer and Credential Reports to review resource access roles, group memberships, and access to enterprise applications. IAM Access Analyzer and Credential Reports reporting can also provide logs to help discover stale accounts, or accounts which have not been used for certain amount of time. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Disable Dormant Accounts A3.4 How to use Azure AD identity and access reviews: Credential report:
16.9 - Disable Dormant Accounts In addition, Azure AD Privileged Identity Management can be configured to alert when an excessive number of administrator accounts are created for a specific role, and to identify administrator accounts that are stale or improperly configured. https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview If you are using Azure Active Directory (Azure AD) as the identity provider for AWS, use Azure AD access review to review the privileged accounts and access entitlements periodically. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
IAM Access Advisor:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data.html
PA-5 Privileged Access nan nan AC-2: ACCOUNT MANAGEMENT nan Set up emergency access Set up emergency access to ensure that you are not accidentally locked out of your critical cloud infrastructure (such as your identity and access management system) in an emergency. To prevent being accidentally locked out of your Azure AD organization, set up an emergency access account (e.g., an account with Global Administrator role) for access when normal administrative accounts cannot be used. Emergency access accounts are usually highly privileged, and they should not be assigned to specific individuals. Emergency access accounts are limited to emergency or "break glass"' scenarios where normal administrative accounts can't be used. Manage emergency access accounts in Azure AD: AWS "root" accounts should not be used for regular administrative tasks. As the "root" account is highly privileged, it should not be assigned to specific individuals. It's use should be limited to only emergency or "break glass” scenarios when normal administrative accounts can't be used. For daily administrative tasks, separate privileged user accounts should be used and assigned the appropriate permissions via IAM roles. Best practices to protect your account's root user: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-emergency-access https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html
Emergency access accounts should be rarely used and can be highly damaging to the organization if compromised, but their availability to the organization is also critically important for the few scenarios when they are required. You should ensure that the credentials (such as password, certificate, or smart card) for emergency access accounts are kept secure and known only to individuals who are authorized to use them only in an emergency. You may also use additional controls, such dual controls (e.g., splitting the credential into two pieces and giving it to separate persons) to enhance the security of this process. You should also monitor the sign-in and audit logs to ensure that emergency access accounts are only used when authorized. You should also ensure that the credentials (such as password, MFA tokens and access keys) for root accounts are kept secure and known only to individuals who are authorized to use them only in an emergency. MFA should be enabled for the root account, and you may also use additional controls, such as dual controls (e.g., splitting the credential into two pieces and giving it to separate persons) to enhance the security of this process. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
You should also monitor the sign-in and audit logs in CloudTrail or EventBridge to ensure that root access accounts are only used when authorized. Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Security Operations (SecOps): https://docs.microsoft.com//azure/cloud-adoption-framework/organize/cloud-security-operations-center
PA-6 Privileged Access 4.6 - Use Dedicated Workstations For All Administrative Tasks 12.8 - Establish and Maintain Dedicated Computing Resources for All Administrative Work AC-2: ACCOUNT MANAGEMENT nan Use privileged access workstations / channel for administrative tasks Secured, isolated workstations are critically important for the security of sensitive roles like administrator, developer, and critical service operator. Use Azure Active Directory, Microsoft Defender, and/or Microsoft Intune to deploy privileged access workstations (PAW) on-premises or in Azure for privileged tasks. The PAW should be centrally managed to enforce secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access. Understand privileged access workstations: Use Session Manager in AWS Systems Manager to create an access path (a connection session) to the EC2 instance or a browser session to the AWS resources for privileged tasks. Session Manager allows RDP, SSH, and HTTPS connectivity to your destination hosts through port forwarding. AWS Systems Manager Session Manager: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
11.6 - Use Dedicated Machines For All Network Administrative Tasks 13.5 Manage Access Control for Remote Assets SC-2 APPLICATION PARTITIONING https://learn.microsoft.com/en-us/security/privileged-access-workstations/overview https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
12.12 - Manage All Devices Remotely Logging into Internal Network SC-7: BOUNDARY PROTECTION You may also use Azure Bastion which is a fully platform-managed PaaS service that can be provisioned inside your virtual network. Azure Bastion allows RDP/SSH connectivity to your virtual machines directly from the Azure portal using a web browser. You may also choose to deploy a privileged access workstations (PAW) centrally managed through Azure Active Directory, Microsoft Defender, and/or Microsoft Intune. The central management should enforce secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access. Security Operations (SecOps): https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-operations-center
Privileged access workstations deployment:
https://docs.microsoft.com/security/compass/privileged-access-deploymenthttps Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
PA-7 Privileged Access 14.6 - Protect Information Through Access Control Lists 3.3 - Configure Data Access Control Lists AC-2: ACCOUNT MANAGEMENT 7.1 Follow just enough administration (least privilege) principle Follow the just enough administration (least privilege) principle to manage permissions at fine-grained level. Use features such as role-based access control (RBAC) to manage resource access through role assignments. Use Azure role-based access control (Azure RBAC) to manage Azure resource access through role assignments. Through RBAC, you can assign roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal. What is Azure role-based access control (Azure RBAC): Use AWS policy to manage AWS resource access. There are six types of policies: identity-based policies, resource-based policies, permissions boundaries, AWS Organizations service control policy (SCP), Access Control List, and session policies. You may use AWS managed policies for common permission use cases. However, you should be mindful that managed policies may carry excessive permissions that should not be assigned to the users. IAM access policies: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
6.8 - Define and Maintain Role-Based Access Control AC-3: ACCESS ENFORCEMENT 7.2 https://docs.microsoft.com/azure/role-based-access-control/overview https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
AC-6: LEAST PRIVILEGE The privileges you assign to resources through Azure RBAC should always be limited to what's required by the roles. Limited privileges will complement the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM), and those privileges should be reviewed periodically. If required, you can also use PIM to define a time-bound assignment, which is a condition in a role assignment where a user can only activate the role within the specified start and end dates. You may also use AWS ABAC (attribute-based access control) to assign permissions based on attributes (tags) attached to IAM resources, including IAM entities (users or roles) and AWS resources. Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
How to configure RBAC in Azure: AWS ABAC:
Note: Use Azure built-in roles to allocate permissions and only create custom roles when required. https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
How to use Azure AD identity and access reviews: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview
Azure AD Privileged Identity Management - Time-bound assignment:
https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure#what-does-it-do
PA-8 Privileged Access 16.7 - Establish Process for Revoking Access 6.1 - Establish an Access Granting Process AC-4: INFORMATION FLOW ENFORCEMENT nan Determine access process for cloud provider support Establish an approval process and access path for requesting and approving vendor support request and temporary access to your data through a secure channel. In support scenarios where Microsoft needs to access your data, use Customer Lockbox to review and either approve or reject each data access request made by Microsoft. Understand Customer Lockbox: In support scenarios where AWS support teams need to access your data, create an account in the AWS Support portal to request support. Review the available options such as providing read-only data access, or the screen sharing option for AWS support to access to your data. Access permissions for AWS Support: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
6.2 - Establish an Access Revoking Process AC-2: ACCOUNT MANAGEMENT https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html
AC-3: ACCESS ENFORCEMENT Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Privileged Access

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders:
PA-1 Privileged Access 4.3 - Ensure the Use of Dedicated Administrative Accounts 5.4 - Restrict Administrator Privileges to Dedicated Administrator Accounts AC-2: ACCOUNT MANAGEMENT 7.1 Separate and limit highly privileged/administrative users Ensure you identify all high business impact accounts. Limit the number of privileged/administrative accounts in your cloud's control plane, management plane and data/workload plane. You must secure all roles with direct or indirect administrative access to Azure hosted resources. Administrator role permissions in Azure AD: You must secure all roles with direct or indirect administrative access to AWS hosted resources. AWS Best Practices for Root User: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
14.6 - Protect Information Through Access Control Lists 6.8 - Define and Maintain Role-Based Access Control AC-6: LEAST PRIVILEGE 7.2 https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html
8.1 Azure Active Directory (Azure AD) is Azure's default identity and access management service. The most critical built-in roles in Azure AD are Global Administrator and Privileged Role Administrator, because users assigned to these two roles can delegate administrator roles. With these privileges, users can directly or indirectly read and modify every resource in your Azure environment: The privileged/administrative users need to be secured include: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
- Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD as well as services that use Azure AD identities. Use Azure Privileged Identity Management security alerts: - Root user: Root user is the highest-level privileged accounts in your AWS account. Root accounts should be highly restricted and only used in emergency situation. Refer to emergency access controls in PA-5 (Setup emergency access).
- Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units. https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts - IAM identities (users, groups, roles) with the privileged permission policy: IAM identities assigned with a permission policy such as AdministratorAccess can have full access to AWS services and resources. Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Outside of Azure AD, Azure has built-in roles that can be critical for privileged access at the resource level. Securing privileged access for hybrid and cloud deployments in Azure AD: If you are using Azure Active Directory (Azure AD) as the identity provider for AWS, refer to the Azure guidance for managing the privileged roles in Azure AD. Security Operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
- Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-admin-roles-secure
- Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. Ensure that you also restrict privileged accounts in other management, identity, and security systems that have administrative access to your business-critical assets, such as AWS Cognito, security tools, and system management tools with agents installed on business critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business critical assets.
- User Access Administrator: Lets you manage user access to Azure resources.
Note: You may have other critical roles that need to be governed if you use custom roles in the Azure AD level or resource level with certain privileged permissions assigned.
In addition, users with the following three roles in Azure Enterprise Agreement (EA) portal should also be restricted as they can be used to directly or indirectly manage Azure subscriptions.
- Account Owner: Users with this role can manage subscriptions, including the creation and deletion of subscriptions.
- Enterprise Administrator: Users assigned with this role can manage (EA) portal users.
- Department Administrator: Users assigned with this role can change account owners within the department.
Lastly, ensure that you also restrict privileged accounts in other management, identity, and security systems that have administrative access to your business-critical assets, such as Active Directory Domain Controllers (DCs), security tools, and system management tools with agents installed on business-critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business critical assets.
PA-2 Privileged Access nan nan AC-2: ACCOUNT MANAGEMENT N/A Avoid standing access for user accounts and permissions Instead of creating standing privileges, use just-in-time (JIT) mechanism to assign privileged access to the different resource tiers. Enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD Privileged Identity Management (PIM). JIT is a model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization. Azure PIM just-in-time access deployment: Use AWS Security Token Service (AWS STS) to create temporary security credentials to access the resources through the AWS API. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use, with the following differences: IAM Temporary credentials through AWS Security Token Service (AWS STS): Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan - Temporary security credentials have a short-term life, from minutes to hours. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
Restrict inbound traffic to your sensitive virtual machines (VM) management ports with Microsoft Defender for Cloud's just-in-time (JIT) for VM access feature. This ensures privileged access to the VM is granted only when users need it. - Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture
Understanding just-in-time (JIT) VM access:
https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Security Operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center
PA-3 Privileged Access 16.7 - Establish Process for Revoking Access 6.1 - Establish an Access Granting Process AC-2: ACCOUNT MANAGEMENT 7.1 Manage lifecycle of identities and entitlements Use an automated process or technical control to manage the identity and access lifecycle including the request, review, approval, provision, and deprovision. Use Azure AD entitlement management features to automate access request workflows (for Azure resource groups). This enables workflows for Azure resource groups to manage access assignments, reviews, expiration, and dual or multi-stage approval. What are Azure AD access reviews: Use AWS Access Advisor to pull the access logs for the user accounts and entitlements for resources. Build a manual or automated workflow to integrate with AWS IAM to manage access assignments, reviews, and deletions. IAM Access Advisor: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
6.2 - Establish an Access Revoking Process AC-5: SEPARATION OF DUTIES 7.2 https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data.html
AC-6: LEAST PRIVILEGE 8.1 Use Permissions Management to detect, automatically right-size, and continuously monitor unused and excessive permissions assigned to user and workload identities across multi-cloud infrastructures. Note: There are third-party solutions available on AWS Marketplace for managing the lifecycle of identities and entitlements. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
What is Azure AD entitlement management: AWS Marketplace Identity and Access Management solutions:
https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-overview https://aws.amazon.com/marketplace/solutions/security/identity-access-management Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Overview of Permissions Management:
https://learn.microsoft.com/azure/active-directory/cloud-infrastructure-entitlement-management/overview
PA-4 Privileged Access 4.1 - Maintain Inventory of Administrative Accounts 5.1 - Establish and Maintain an Inventory of Accounts AC-2: ACCOUNT MANAGEMENT 7.1 Review and reconcile user access regularly Conduct regular review of privileged account entitlements. Ensure the access granted to the accounts are valid for administration of control plane, management plane, and workloads. Review all privileged accounts and the access entitlements in Azure including Azure tenants, Azure services, VM/IaaS, CI/CD processes, and enterprise management and security tools. Create an access review of Azure resource roles in Privileged Identity Management (PIM): Review all privileged accounts and the access entitlements in AWS including AWS accounts, services, VM/IaaS, CI/CD processes, and enterprise management and security tools. IAM Access Analyzer: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
16.6 - Maintain an Inventory of Accounts 5.3 - Disable Dormant Accounts AC-6: LEAST PRIVILEGE 7.2 https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-resource-roles-start-access-review https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
16.8 - Disable Any Unassociated Accounts 5.5 - Establish and Maintain an Inventory of Service Accounts 8.1 Use Azure AD access reviews to review Azure AD roles, Azure resource access roles, group memberships, and access to enterprise applications. Azure AD reporting can also provide logs to help discover stale accounts, or accounts which have not been used for certain amount of time. Use IAM Access Advisor, Access Analyzer and Credential Reports to review resource access roles, group memberships, and access to enterprise applications. IAM Access Analyzer and Credential Reports reporting can also provide logs to help discover stale accounts, or accounts which have not been used for certain amount of time. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
Disable Dormant Accounts A3.4 How to use Azure AD identity and access reviews: Credential report:
16.9 - Disable Dormant Accounts In addition, Azure AD Privileged Identity Management can be configured to alert when an excessive number of administrator accounts are created for a specific role, and to identify administrator accounts that are stale or improperly configured. https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview If you are using Azure Active Directory (Azure AD) as the identity provider for AWS, use Azure AD access review to review the privileged accounts and access entitlements periodically. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
IAM Access Advisor:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data.html
PA-5 Privileged Access nan nan AC-2: ACCOUNT MANAGEMENT nan Set up emergency access Set up emergency access to ensure that you are not accidentally locked out of your critical cloud infrastructure (such as your identity and access management system) in an emergency. To prevent being accidentally locked out of your Azure AD organization, set up an emergency access account (e.g., an account with Global Administrator role) for access when normal administrative accounts cannot be used. Emergency access accounts are usually highly privileged, and they should not be assigned to specific individuals. Emergency access accounts are limited to emergency or "break glass"' scenarios where normal administrative accounts can't be used. Manage emergency access accounts in Azure AD: AWS "root" accounts should not be used for regular administrative tasks. As the "root" account is highly privileged, it should not be assigned to specific individuals. It's use should be limited to only emergency or "break glass” scenarios when normal administrative accounts can't be used. For daily administrative tasks, separate privileged user accounts should be used and assigned the appropriate permissions via IAM roles. Best practices to protect your account's root user: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-emergency-access https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html
Emergency access accounts should be rarely used and can be highly damaging to the organization if compromised, but their availability to the organization is also critically important for the few scenarios when they are required. You should ensure that the credentials (such as password, certificate, or smart card) for emergency access accounts are kept secure and known only to individuals who are authorized to use them only in an emergency. You may also use additional controls, such dual controls (e.g., splitting the credential into two pieces and giving it to separate persons) to enhance the security of this process. You should also monitor the sign-in and audit logs to ensure that emergency access accounts are only used when authorized. You should also ensure that the credentials (such as password, MFA tokens and access keys) for root accounts are kept secure and known only to individuals who are authorized to use them only in an emergency. MFA should be enabled for the root account, and you may also use additional controls, such as dual controls (e.g., splitting the credential into two pieces and giving it to separate persons) to enhance the security of this process. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
You should also monitor the sign-in and audit logs in CloudTrail or EventBridge to ensure that root access accounts are only used when authorized. Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Security Operations (SecOps): https://docs.microsoft.com//azure/cloud-adoption-framework/organize/cloud-security-operations-center
PA-6 Privileged Access 4.6 - Use Dedicated Workstations For All Administrative Tasks 12.8 - Establish and Maintain Dedicated Computing Resources for All Administrative Work AC-2: ACCOUNT MANAGEMENT nan Use privileged access workstations / channel for administrative tasks Secured, isolated workstations are critically important for the security of sensitive roles like administrator, developer, and critical service operator. Use Azure Active Directory, Microsoft Defender, and/or Microsoft Intune to deploy privileged access workstations (PAW) on-premises or in Azure for privileged tasks. The PAW should be centrally managed to enforce secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access. Understand privileged access workstations: Use Session Manager in AWS Systems Manager to create an access path (a connection session) to the EC2 instance or a browser session to the AWS resources for privileged tasks. Session Manager allows RDP, SSH, and HTTPS connectivity to your destination hosts through port forwarding. AWS Systems Manager Session Manager: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
11.6 - Use Dedicated Machines For All Network Administrative Tasks 13.5 Manage Access Control for Remote Assets SC-2 APPLICATION PARTITIONING https://learn.microsoft.com/en-us/security/privileged-access-workstations/overview https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
12.12 - Manage All Devices Remotely Logging into Internal Network SC-7: BOUNDARY PROTECTION You may also use Azure Bastion which is a fully platform-managed PaaS service that can be provisioned inside your virtual network. Azure Bastion allows RDP/SSH connectivity to your virtual machines directly from the Azure portal using a web browser. You may also choose to deploy a privileged access workstations (PAW) centrally managed through Azure Active Directory, Microsoft Defender, and/or Microsoft Intune. The central management should enforce secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access. Security Operations (SecOps): https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-operations-center
Privileged access workstations deployment:
https://docs.microsoft.com/security/compass/privileged-access-deploymenthttps Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
PA-7 Privileged Access 14.6 - Protect Information Through Access Control Lists 3.3 - Configure Data Access Control Lists AC-2: ACCOUNT MANAGEMENT 7.1 Follow just enough administration (least privilege) principle Follow the just enough administration (least privilege) principle to manage permissions at fine-grained level. Use features such as role-based access control (RBAC) to manage resource access through role assignments. Use Azure role-based access control (Azure RBAC) to manage Azure resource access through role assignments. Through RBAC, you can assign roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal. What is Azure role-based access control (Azure RBAC): Use AWS policy to manage AWS resource access. There are six types of policies: identity-based policies, resource-based policies, permissions boundaries, AWS Organizations service control policy (SCP), Access Control List, and session policies. You may use AWS managed policies for common permission use cases. However, you should be mindful that managed policies may carry excessive permissions that should not be assigned to the users. IAM access policies: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
6.8 - Define and Maintain Role-Based Access Control AC-3: ACCESS ENFORCEMENT 7.2 https://docs.microsoft.com/azure/role-based-access-control/overview https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
AC-6: LEAST PRIVILEGE The privileges you assign to resources through Azure RBAC should always be limited to what's required by the roles. Limited privileges will complement the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM), and those privileges should be reviewed periodically. If required, you can also use PIM to define a time-bound assignment, which is a condition in a role assignment where a user can only activate the role within the specified start and end dates. You may also use AWS ABAC (attribute-based access control) to assign permissions based on attributes (tags) attached to IAM resources, including IAM entities (users or roles) and AWS resources. Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
How to configure RBAC in Azure: AWS ABAC:
Note: Use Azure built-in roles to allocate permissions and only create custom roles when required. https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
How to use Azure AD identity and access reviews: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview
Azure AD Privileged Identity Management - Time-bound assignment:
https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure#what-does-it-do
PA-8 Privileged Access 16.7 - Establish Process for Revoking Access 6.1 - Establish an Access Granting Process AC-4: INFORMATION FLOW ENFORCEMENT nan Determine access process for cloud provider support Establish an approval process and access path for requesting and approving vendor support request and temporary access to your data through a secure channel. In support scenarios where Microsoft needs to access your data, use Customer Lockbox to review and either approve or reject each data access request made by Microsoft. Understand Customer Lockbox: In support scenarios where AWS support teams need to access your data, create an account in the AWS Support portal to request support. Review the available options such as providing read-only data access, or the screen sharing option for AWS support to access to your data. Access permissions for AWS Support: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops
6.2 - Establish an Access Revoking Process AC-2: ACCOUNT MANAGEMENT https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html
AC-3: ACCESS ENFORCEMENT Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys
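Review bot: the added rendering of the Privileged Access page still carries a malformed link in PA-6, `https://docs.microsoft.com/security/compass/privileged-access-deploymenthttps`, where a second scheme has been fused onto the end of the URL, and a double slash in the PA-5 stakeholder link `https://docs.microsoft.com//azure/cloud-adoption-framework/organize/cloud-security-operations-center`. The PA-8 rows at the tail of the removed and added versions are textually identical, so the regeneration did not touch these; fix them in the source workbook `assets/tables/MCSB/Privileged Access.xlsx` (also modified in this commit) rather than in the generated HTML. Wording in the same cells worth correcting at the source: the singular/plural mismatch in the PA-1 root-user bullet, `It's use should be limited` in PA-5 (should be `Its`), and the mismatched quotation marks around break glass in that same sentence. The `nan` tokens in the CIS and PCI-DSS columns of PA-2 and PA-5 are literal missing-value markers from the export; empty cells should render as blank.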
\ No newline at end of file diff --git a/Azure/Security/MCSB/Readme/index.html b/Azure/Security/MCSB/Readme/index.html index 2134f9f..479d8e3 100644 --- a/Azure/Security/MCSB/Readme/index.html +++ b/Azure/Security/MCSB/Readme/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Readme

Unnamed: 0 Unnamed: 1 Unnamed: 2
nan Microsoft Cloud Security Benchmark v1 nan
nan This spreadsheet is designed to provide you a private preview version of the Microsoft Cloud Security Benchmark v1. For the web version of the content, please refer to ttps://docs.microsoft.com/en-us/security/benchmark/azure/overview nan
a. The control mappings between MCSB and industry benchmarks (such as NIST, CIS and PCI) only indicate that a specific Azure feature can be used to fully or partially address a control requirement defined in NIST, CIS or PCI. You should be aware that such implementation does not necessarily translate to the full compliance of the corresponding control in CIS, NIST or PCI.
b. This document is developed as a reference and should not be used to define all means by which a customer can meet specific compliance requirements and regulations. Customers should seek legal support from their organization on approved customer implementations.
nan nan nan
nan This multi-cloud guidance follows the below principles: nan
1. The security guidance for non-Azure platforms will follow the same cloud-neutral security principles at each control level as Azure's.
2. The security guidance for non-Azure platforms will provide the same level of granularity and same scope in the technical guidance as Azure's.
3. The non-Microsoft cloud service provider’s (CSP) native solution or feature will usually be recommended as the first preference for each control. However, when there is a more mature multi-cloud solution available in Azure, it'll be prioritized as the default recommendation.
4. If neither the CSP's native technology nor Azure solutions are available to satisfy a security principle, third-party solutions will be recommended from the Azure or the other CSP's Marketplace. However, Microsoft Cloud Security Benchmark will not name any specific third-party vendor product or solution.
nan nan nan
nan nan nan
nan Guidance - Column Header Descriptions
nan ID# The Microsoft Cloud Security Benchmark ID.
nan Control Domain The security control domain.
nan Security Principle The technology-agnostic and cloud neutral principle for various security topics in each control domains.
nan Recommendation The control recommendation in summarized format.
nan Azure Guidance The technical guidance for Azure platforms.
nan AWS Guidance The technical guidance for Amazon Web Services platforms.
nan Implementation and additional context The implementation details and other relevant context which links to the Azure or AWS service offering documentation articles.
\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

MCSB_v1 - Readme

Unnamed: 0 Unnamed: 1 Unnamed: 2
nan Microsoft Cloud Security Benchmark v1 nan
nan This spreadsheet is designed to provide you a private preview version of the Microsoft Cloud Security Benchmark v1. For the web version of the content, please refer to ttps://docs.microsoft.com/en-us/security/benchmark/azure/overview nan
a. The control mappings between MCSB and industry benchmarks (such as NIST, CIS and PCI) only indicate that a specific Azure feature can be used to fully or partially address a control requirement defined in NIST, CIS or PCI. You should be aware that such implementation does not necessarily translate to the full compliance of the corresponding control in CIS, NIST or PCI.
b. This document is developed as a reference and should not be used to define all means by which a customer can meet specific compliance requirements and regulations. Customers should seek legal support from their organization on approved customer implementations.
nan nan nan
nan This multi-cloud guidance follows the below principles: nan
1. The security guidance for non-Azure platforms will follow the same cloud-neutral security principles at each control level as Azure's.
2. The security guidance for non-Azure platforms will provide the same level of granularity and same scope in the technical guidance as Azure's.
3. The non-Microsoft cloud service provider’s (CSP) native solution or feature will usually be recommended as the first preference for each control. However, when there is a more mature multi-cloud solution available in Azure, it'll be prioritized as the default recommendation.
4. If neither the CSP's native technology nor Azure solutions are available to satisfy a security principle, third-party solutions will be recommended from the Azure or the other CSP's Marketplace. However, Microsoft Cloud Security Benchmark will not name any specific third-party vendor product or solution.
nan nan nan
nan nan nan
nan Guidance - Column Header Descriptions
nan ID# The Microsoft Cloud Security Benchmark ID.
nan Control Domain The security control domain.
nan Security Principle The technology-agnostic and cloud neutral principle for various security topics in each control domains.
nan Recommendation The control recommendation in summarized format.
nan Azure Guidance The technical guidance for Azure platforms.
nan AWS Guidance The technical guidance for Amazon Web Services platforms.
nan Implementation and additional context The implementation details and other relevant context which links to the Azure or AWS service offering documentation articles.
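Review bot: the visible text of the removed and added Readme page is identical, so this hunk changes only markup outside the rendered content, yet two defects survive the regeneration and should be fixed in `assets/tables/MCSB/Readme.xlsx` (updated in this same commit). The overview link is missing the leading `h` of its scheme (`ttps://docs.microsoft.com/en-us/security/benchmark/azure/overview`), and the header row `Unnamed: 0 Unnamed: 1 Unnamed: 2` together with the `nan` cells are a DataFrame export's default column names and missing-value marker rather than content; generate the table with the header row suppressed and empty cells written as blank so readers do not see them.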
\ No newline at end of file diff --git a/Azure/index.html b/Azure/index.html index 695d950..c64aa0c 100644 --- a/Azure/index.html +++ b/Azure/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
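Review bot: the removed and added lines for Azure/index.html carry the same visible text, so the actual change cannot be inspected in the rendered form; the commit message should state what the regeneration altered (template, metadata or navigation) so a reviewer can check it without diffing the raw HTML.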
\ No newline at end of file diff --git a/assets/images/social/blog/2024/04/page/2.png b/assets/images/social/blog/2024/04/page/2.png new file mode 100644 index 0000000..0382374 Binary files /dev/null and b/assets/images/social/blog/2024/04/page/2.png differ diff --git a/assets/images/social/blog/category/azure.png b/assets/images/social/blog/category/azure.png new file mode 100644 index 0000000..46f793b Binary files /dev/null and b/assets/images/social/blog/category/azure.png differ diff --git a/assets/images/social/blog/page/4/index.png b/assets/images/social/blog/page/4/index.png new file mode 100644 index 0000000..3893b0e Binary files /dev/null and b/assets/images/social/blog/page/4/index.png differ diff --git a/assets/images/social/blog/posts/2024/20240419_Azure_Network_HUB_Spoke.png b/assets/images/social/blog/posts/2024/20240419_Azure_Network_HUB_Spoke.png new file mode 100644 index 0000000..acb8c46 Binary files /dev/null and b/assets/images/social/blog/posts/2024/20240419_Azure_Network_HUB_Spoke.png differ diff --git a/assets/images/social/blog/posts/2024/20240419_Azure_RBAC.png b/assets/images/social/blog/posts/2024/20240419_Azure_RBAC.png new file mode 100644 index 0000000..c689d99 Binary files /dev/null and b/assets/images/social/blog/posts/2024/20240419_Azure_RBAC.png differ diff --git a/assets/images/social/blog/posts/2024/20240419_Azure_RBAC_report.png b/assets/images/social/blog/posts/2024/20240419_Azure_RBAC_report.png new file mode 100644 index 0000000..b5d2e06 Binary files /dev/null and b/assets/images/social/blog/posts/2024/20240419_Azure_RBAC_report.png differ diff --git a/assets/tables/MCSB/Asset Management.xlsx b/assets/tables/MCSB/Asset Management.xlsx index 40422fa..ad728c8 100644 Binary files a/assets/tables/MCSB/Asset Management.xlsx and b/assets/tables/MCSB/Asset Management.xlsx differ 
diff --git a/assets/tables/MCSB/Backup and Recovery.xlsx b/assets/tables/MCSB/Backup and Recovery.xlsx index df8e6a3..d7ed1eb 100644 Binary files a/assets/tables/MCSB/Backup and Recovery.xlsx and b/assets/tables/MCSB/Backup and Recovery.xlsx differ diff --git a/assets/tables/MCSB/Data Protection.xlsx b/assets/tables/MCSB/Data Protection.xlsx index ee58dbf..02d2fae 100644 Binary files a/assets/tables/MCSB/Data Protection.xlsx and b/assets/tables/MCSB/Data Protection.xlsx differ diff --git a/assets/tables/MCSB/DevOps Security.xlsx b/assets/tables/MCSB/DevOps Security.xlsx index a79f3f4..8c10a13 100644 Binary files a/assets/tables/MCSB/DevOps Security.xlsx and b/assets/tables/MCSB/DevOps Security.xlsx differ diff --git a/assets/tables/MCSB/Endpoint Security.xlsx b/assets/tables/MCSB/Endpoint Security.xlsx index 20da7f5..d4be97a 100644 Binary files a/assets/tables/MCSB/Endpoint Security.xlsx and b/assets/tables/MCSB/Endpoint Security.xlsx differ diff --git a/assets/tables/MCSB/Governance and Strategy.xlsx b/assets/tables/MCSB/Governance and Strategy.xlsx index 6b149a7..57d778c 100644 Binary files a/assets/tables/MCSB/Governance and Strategy.xlsx and b/assets/tables/MCSB/Governance and Strategy.xlsx differ diff --git a/assets/tables/MCSB/Identity Management.xlsx b/assets/tables/MCSB/Identity Management.xlsx index 1cfe740..88bdef2 100644 Binary files a/assets/tables/MCSB/Identity Management.xlsx and b/assets/tables/MCSB/Identity Management.xlsx differ diff --git a/assets/tables/MCSB/Incident Response.xlsx b/assets/tables/MCSB/Incident Response.xlsx index 20274ff..47b1a85 100644 Binary files a/assets/tables/MCSB/Incident Response.xlsx and b/assets/tables/MCSB/Incident Response.xlsx differ diff --git a/assets/tables/MCSB/Logging and Threat Detection.xlsx b/assets/tables/MCSB/Logging and Threat Detection.xlsx index 5725b86..3d68e50 100644 Binary files a/assets/tables/MCSB/Logging and Threat Detection.xlsx and b/assets/tables/MCSB/Logging and Threat Detection.xlsx differ 
diff --git a/assets/tables/MCSB/Network Security.xlsx b/assets/tables/MCSB/Network Security.xlsx index 8c17ddf..ee9cfdf 100644 Binary files a/assets/tables/MCSB/Network Security.xlsx and b/assets/tables/MCSB/Network Security.xlsx differ diff --git a/assets/tables/MCSB/Posture and Vulnerability Mgmt.xlsx b/assets/tables/MCSB/Posture and Vulnerability Mgmt.xlsx index b5ddc9f..3757394 100644 Binary files a/assets/tables/MCSB/Posture and Vulnerability Mgmt.xlsx and b/assets/tables/MCSB/Posture and Vulnerability Mgmt.xlsx differ diff --git a/assets/tables/MCSB/Privileged Access.xlsx b/assets/tables/MCSB/Privileged Access.xlsx index c71e6a9..243a467 100644 Binary files a/assets/tables/MCSB/Privileged Access.xlsx and b/assets/tables/MCSB/Privileged Access.xlsx differ diff --git a/assets/tables/MCSB/Readme.xlsx b/assets/tables/MCSB/Readme.xlsx index 74a673d..4dde71b 100644 Binary files a/assets/tables/MCSB/Readme.xlsx and b/assets/tables/MCSB/Readme.xlsx differ diff --git a/blog/2023/10/17/hello-world-from-mkdocs-material/index.html b/blog/2023/10/17/hello-world-from-mkdocs-material/index.html index 248dee3..ee8384a 100644 --- a/blog/2023/10/17/hello-world-from-mkdocs-material/index.html +++ b/blog/2023/10/17/hello-world-from-mkdocs-material/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content
\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content
\ No newline at end of file diff --git a/blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/index.html b/blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/index.html index 77603f2..2d5adc7 100644 --- a/blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/index.html +++ b/blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/index.html @@ -7,7 +7,7 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
Skip to content

Create a blog with MkDocs,mkdocs-material, mkdocs-rss-plugin and GitHub Pages

A few time ago I maintained a blog with Wordpress. I was happy with it, but I wanted to try something new.

I tried Jekyll but it didn't convince me, I discovered mkdocs so I decided to use MkDocs and mkdocs-material. I was happy with the result, so I decided to write this post to explain how to create a blog with MkDocs, mkdocs-material and some plugins.

These is the first post of a serie of posts to create a blog with MkDocs, mkdocs-material and GitHub Pages and some customization.

Some knowledge:

  • MkDocs is a fast, simple and downright gorgeous static site generator that's geared towards building project documentation. Documentation source files are written in Markdown, and configured with a single YAML configuration file.

  • Material for MkDocs is a theme for MkDocs, a static site generator geared towards (technical) project documentation. It is built using Google's Material Design guidelines. Material for MkDocs provides a polished and responsive experience out of the box, and it is as easy to use for the beginner as it is for the seasoned developer.

  • GitHub Pages is a static site hosting service that takes HTML, CSS, and JavaScript files straight from a repository on GitHub, optionally runs the files through a build process, and publishes a website. You can see more information about GitHub Pages here.

  • This plugin generates an RSS feed for your MkDocs site. You can see more information about mkdocs-rss-plugin here.

Steps to deploy

Create a new repository

Create a new repository on GitHub named username.github.io, where username is your username (or organization name) on GitHub. If the first part of the repository doesn’t exactly match your username, it won’t work, so make sure to get it right.

Enable GitHub Pages on your repository

Go into the repository settings and, if you are not using GitHub Pages already, enable GitHub Pages on the gh-pages branch.

Clone the repository

Go to the folder where you want to store your project, and clone the new repository:

git clone ssh://github.com/username/username.github.io
+    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Create a blog with MkDocs,mkdocs-material, mkdocs-rss-plugin and GitHub Pages

A few time ago I maintained a blog with Wordpress. I was happy with it, but I wanted to try something new.

I tried Jekyll but it didn't convince me, I discovered mkdocs so I decided to use MkDocs and mkdocs-material. I was happy with the result, so I decided to write this post to explain how to create a blog with MkDocs, mkdocs-material and some plugins.

These is the first post of a serie of posts to create a blog with MkDocs, mkdocs-material and GitHub Pages and some customization.

Some knowledge:

  • MkDocs is a fast, simple and downright gorgeous static site generator that's geared towards building project documentation. Documentation source files are written in Markdown, and configured with a single YAML configuration file.

  • Material for MkDocs is a theme for MkDocs, a static site generator geared towards (technical) project documentation. It is built using Google's Material Design guidelines. Material for MkDocs provides a polished and responsive experience out of the box, and it is as easy to use for the beginner as it is for the seasoned developer.

  • GitHub Pages is a static site hosting service that takes HTML, CSS, and JavaScript files straight from a repository on GitHub, optionally runs the files through a build process, and publishes a website. You can see more information about GitHub Pages here.

  • This plugin generates an RSS feed for your MkDocs site. You can see more information about mkdocs-rss-plugin here.

Steps to deploy

Create a new repository

Create a new repository on GitHub named username.github.io, where username is your username (or organization name) on GitHub. If the first part of the repository doesn’t exactly match your username, it won’t work, so make sure to get it right.

Enable GitHub Pages on your repository

Go into the repository settings and, if you are not using GitHub Pages already, enable GitHub Pages on the gh-pages branch.

Clone the repository

Go to the folder where you want to store your project, and clone the new repository:

git clone ssh://github.com/username/username.github.io
 cd username.github.io
 

Create requirements.txt in root folder for mkdocs, mkdocs-material and plugins

mkdocs==1.5.3
 mkdocs-material==9.4.6
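Review bot: the only difference between the removed and added `.gslide-desc` line in this hunk is trailing whitespace after the closing brace (the `+` line ends in `}       `), and the rest of the page, the whole post body, is byte-identical on both sides, so this hunk is pure rebuild churn. Make the generated output deterministic (strip trailing whitespace in the template that emits that style block) so rebuilds do not touch every page. Separately, the clone command shown in the post, `git clone ssh://github.com/username/username.github.io`, is missing the SSH user: GitHub only accepts SSH connections as `git`, so the form that works is `ssh://git@github.com/username/username.github.io.git` (or the usual `git@github.com:username/username.github.io.git`). That fix belongs in the source Markdown, not in this rendered HTML.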
diff --git a/blog/2023/10/21/enhance-your-mkdocksyml/index.html b/blog/2023/10/21/enhance-your-mkdocksyml/index.html
index 8455910..156a683 100644
--- a/blog/2023/10/21/enhance-your-mkdocksyml/index.html
+++ b/blog/2023/10/21/enhance-your-mkdocksyml/index.html
@@ -7,7 +7,7 @@
     .gdesc-inner { font-size: 0.75rem; }
     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
-    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Enhance your mkdocks.yml

In the previous post I explained how to create a blog with MkDocs and mkdocs-material theme.

mkdocs.yml is the configuration file for MkDocs. In this file we can configure the theme, the plugins, the pages, etc.

In this post I am going to explain you how to create a blog with MkDocs and mkdocs-material theme, add some plugins and configure it.

Minimal configuration for mkdocs.yml with mkdocs-material

site_name: My Site
+    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Enhance your mkdocks.yml

In the previous post I explained how to create a blog with MkDocs and mkdocs-material theme.

mkdocs.yml is the configuration file for MkDocs. In this file we can configure the theme, the plugins, the pages, etc.

In this post I am going to explain you how to create a blog with MkDocs and mkdocs-material theme, add some plugins and configure it.

Minimal configuration for mkdocs.yml with mkdocs-material

site_name: My Site
 theme: 
   name: material
 #plugins:
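Review bot: the rendered title of this page reads `Enhance your mkdocks.yml` while the body consistently says `mkdocs.yml`; the typo is also baked into the page path (`blog/2023/10/21/enhance-your-mkdocksyml/index.html`). Correcting the source file's title or slug will change the post's URL, so add a redirect for the old path if it has already been linked or syndicated through the RSS feed.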
diff --git a/blog/2023/10/index.html b/blog/2023/10/index.html
index 335daf7..8572fa5 100644
--- a/blog/2023/10/index.html
+++ b/blog/2023/10/index.html
@@ -7,7 +7,7 @@
     .gdesc-inner { font-size: 0.75rem; }
     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
-    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

2023/10

Enhance your mkdocks.yml

In the previous post I explained how to create a blog with MkDocs and mkdocs-material theme.

mkdocs.yml is the configuration file for MkDocs. In this file we can configure the theme, the plugins, the pages, etc.

In this post I am going to explain you how to create a blog with MkDocs and mkdocs-material theme, add some plugins and configure it.

Minimal configuration for mkdocs.yml with mkdocs-material

site_name: My Site
+    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

2023/10

Enhance your mkdocks.yml

In the previous post I explained how to create a blog with MkDocs and mkdocs-material theme.

mkdocs.yml is the configuration file for MkDocs. In this file we can configure the theme, the plugins, the pages, etc.

In this post I am going to explain you how to create a blog with MkDocs and mkdocs-material theme, add some plugins and configure it.

Minimal configuration for mkdocs.yml with mkdocs-material

site_name: My Site
 theme: 
   name: material
 #plugins:
diff --git a/blog/2023/11/03/trunk/index.html b/blog/2023/11/03/trunk/index.html
index 52b328d..8a3ab8b 100644
--- a/blog/2023/11/03/trunk/index.html
+++ b/blog/2023/11/03/trunk/index.html
@@ -7,7 +7,7 @@
     .gdesc-inner { font-size: 0.75rem; }
     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
-    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Trunk

What is Trunk ?

Trunk is a tool that runs a suite of security and best practice checks against your code. It is designed to be used in CI/CD pipelines, but can also be used as a standalone tool.

Support for the following languages is currently available:

Installing Trunk

curl https://get.trunk.io -fsSL | bash
+    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Trunk

What is Trunk ?

Trunk is a tool that runs a suite of security and best practice checks against your code. It is designed to be used in CI/CD pipelines, but can also be used as a standalone tool.

Support for the following languages is currently available:

Installing Trunk

curl https://get.trunk.io -fsSL | bash
 
code --install-extension Trunk.io  
 

Trunk checks

Trunk checks cli

Trunk detects checks to enable in function of the files in the current directory, but you can also enable and disable checks manually.

  • trunck check list: list all available checks
  • trunck check enable checkname: enable a check
  • trunck check disable checkname: disable a check
  • trunck check: run all enabled checks

For example, to enable the Terraform check:

trunk check enable terraform 
 1 linter was enabled:
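Review bot: the command list in the post body spells the CLI `trunck check list` / `trunck check enable checkname` / `trunck check disable checkname` / `trunck check`, while the install line and the worked example (`trunk check enable terraform`) use `trunk`; readers copying the list will get a command-not-found error, so fix the source Markdown. On the install step, `curl https://get.trunk.io -fsSL | bash` executes a remote script sight unseen; for a page about running security checks it is worth showing the safer variant of downloading the script to a file, inspecting it (and checking any published checksum) and only then running it, or installing through a pinned package or the `Trunk.io` extension alone.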
diff --git a/blog/2023/11/04/starting-to-develop-in-c/index.html b/blog/2023/11/04/starting-to-develop-in-c/index.html
index 95bb7fb..d867bfa 100644
--- a/blog/2023/11/04/starting-to-develop-in-c/index.html
+++ b/blog/2023/11/04/starting-to-develop-in-c/index.html
@@ -7,4 +7,4 @@
     .gdesc-inner { font-size: 0.75rem; }
     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
-    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Starting to develop in c#

First, I need to clarify that I'm not a C# developer. I'm learning C# so I can better understand the code that has to be deployed to some Azure services when .NET is used.

If someone that knows me is reading this post, he/she will be thinking:

  • "What the hell is he doing?"
  • "He is crazy"
  • "He is going to die trying".
  • The end of the world is approaching!!

Maybe the last thought can be really true but I have to say that I have decided to learn a programming language and that I have chosen C# because many of the examples for Azure Developers that I have seen are written in C#.

I repeat, I am not a developer but I'd like to share with you my experience learning C#.

My first Steps

You have a lot of resources for learning on Learn .NET and in c# documentation.

In my case I prefer to simplify and follow csharp-notebooks, these materials are designed to be used with C# 101 SERIES.

After that, I will follow the free course (New) Foundational C# with Microsoft.

And after that, I think that I will be ready to start with Tutorials for getting started with .NET and plan next steps.

That's all folks!!

\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

Starting to develop in c#

First, I need to clarify that I'm not a C# developer. I'm learning C# so I can better understand the code that has to be deployed to some Azure services when .NET is used.

If someone that knows me is reading this post, he/she will be thinking:

  • "What the hell is he doing?"
  • "He is crazy"
  • "He is going to die trying".
  • The end of the world is approaching!!

Maybe the last thought can be really true but I have to say that I have decided to learn a programming language and that I have chosen C# because many of the examples for Azure Developers that I have seen are written in C#.

I repeat, I am not a developer but I'd like to share with you my experience learning C#.

My first Steps

You have a lot of resources for learning on Learn .NET and in c# documentation.

In my case I prefer to simplify and follow csharp-notebooks, these materials are designed to be used with C# 101 SERIES.

After that, I will follow the free course (New) Foundational C# with Microsoft.

And after that, I think that I will be ready to start with Tutorials for getting started with .NET and plan next steps.

That's all folks!!

\ No newline at end of file diff --git a/blog/2023/11/15/azure--services/index.html b/blog/2023/11/15/azure--services/index.html index b54bfd9..3505d3f 100644 --- a/blog/2023/11/15/azure--services/index.html +++ b/blog/2023/11/15/azure--services/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

Azure Services

I have decided to create a new category on my blog to talk about Azure services.

The main goal of this category is to provide a quick overview of some Azure services and some design considerations.

What is this category due to?

In some cases, it is because I am working with this Service and I think it is a good idea to share my experience with you and write it down for me, in others, it is because I am studying/reviewing an Azure Service and I think it is a good idea. Share my notes with you.

I hope you like it.

I am going to start with Azure Communication Services

That's all folks!, thanks for reading ❤!

\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

Azure Services

I have decided to create a new category on my blog to talk about Azure services.

The main goal of this category is to provide a quick overview of some Azure services and some design considerations.

What is this category due to?

In some cases, it is because I am working with this Service and I think it is a good idea to share my experience with you and write it down for me, in others, it is because I am studying/reviewing an Azure Service and I think it is a good idea. Share my notes with you.

I hope you like it.

I am going to start with Azure Communication Services

That's all folks!, thanks for reading ❤!

\ No newline at end of file diff --git a/blog/2023/11/18/azure-communication-services/index.html b/blog/2023/11/18/azure-communication-services/index.html index 00834e7..ffdb0be 100644 --- a/blog/2023/11/18/azure-communication-services/index.html +++ b/blog/2023/11/18/azure-communication-services/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

Azure Communication Services

What is Azure Communication Services?

Azure Communication Services are cloud-based services with REST APIs and client library SDKs available to help you integrate communication into your applications. You can add communication to your applications without being an expert in underlying technologies such as media encoding or telephony.

Azure Communication Services supports various communication formats:

  • Voice and Video Calling
  • Rich Text Chat
  • SMS
  • Email

And offers the following services:

  • SMS: Send and receive SMS messages from your applications.
  • Phone calling: Enable your applications to make and receive PSTN calls.
  • Voice and video calling: Enable your applications to make and receive voice and video calls.
  • Chat: Enable your applications to send and receive chat messages.
  • Email: Send and receive emails from your applications.
  • Network traversal: Enable your applications to connect to other clients behind firewalls and NATs.
  • Advanced Messaging:
    • WhatsApp(Public Preview): Enable you to send and receive WhatsApp messages using the Azure Communication Services Messaging SDK.
  • Job Router(Public Preview): It's a tool designed to optimize the management of customer interactions across various communication applications.

Some Use Cases:

  • Telemedicine: Enable patients to connect with doctors and nurses through video consultations.
  • Remote education: Enable students to connect with teachers and other students through video classes.
  • Financial Advisory: Enhancing global advisor and client interactions with rich capabilities such as translation for chat.
  • Retail Notifications: Send notifications to customers about their orders via SMS or email.
  • Professional Support: Enable customers to connect with support agents through chat, voice, or video.

Design considerations

You have some data flow diagrams to help you to understand how Azure Communication Services works here

Some aspects to consider:

  • You need to apply throttling patterns to avoid overloading the service, HTTP status code 429 (Too many requests).
  • Plan how to map users from your identity domain to Azure Communication Services identities. You can follow any kind of pattern. For example, you can use 1:1, 1:N, N:1, or M:N
  • Check regional availability. You can see more information about regional availability here.
  • Check the service limits. You can see more information about service limits here.
  • Check security baseline. You can see more information about security baseline here.

Pricing

Azure Communication Services is a pay-as-you-go service. You only pay for what you use, and there are no upfront costs. You can see more information about pricing here.

The bad news are:

  • In some services pricing vary by country.
  • You don't have a free tier, but you have something free.
  • You don't have Azure Reservations or equivalent.

Conclusion

Azure Communication Services is a very interesting service but you need to consider the cost of the service and the regional availability before to use it.

That's it folks!, thanks for reading 😄!.

\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

Azure Communication Services

What is Azure Communication Services?

Azure Communication Services are cloud-based services with REST APIs and client library SDKs available to help you integrate communication into your applications. You can add communication to your applications without being an expert in underlying technologies such as media encoding or telephony.

Azure Communication Services supports various communication formats:

  • Voice and Video Calling
  • Rich Text Chat
  • SMS
  • Email

And offers the following services:

  • SMS: Send and receive SMS messages from your applications.
  • Phone calling: Enable your applications to make and receive PSTN calls.
  • Voice and video calling: Enable your applications to make and receive voice and video calls.
  • Chat: Enable your applications to send and receive chat messages.
  • Email: Send and receive emails from your applications.
  • Network traversal: Enable your applications to connect to other clients behind firewalls and NATs.
  • Advanced Messaging:
    • WhatsApp(Public Preview): Enable you to send and receive WhatsApp messages using the Azure Communication Services Messaging SDK.
  • Job Router(Public Preview): It's a tool designed to optimize the management of customer interactions across various communication applications.

Some Use Cases:

  • Telemedicine: Enable patients to connect with doctors and nurses through video consultations.
  • Remote education: Enable students to connect with teachers and other students through video classes.
  • Financial Advisory: Enhancing global advisor and client interactions with rich capabilities such as translation for chat.
  • Retail Notifications: Send notifications to customers about their orders via SMS or email.
  • Professional Support: Enable customers to connect with support agents through chat, voice, or video.

Design considerations

You have some data flow diagrams to help you to understand how Azure Communication Services works here

Some aspects to consider:

  • You need to apply throttling patterns to avoid overloading the service, HTTP status code 429 (Too many requests).
  • Plan how to map users from your identity domain to Azure Communication Services identities. You can follow any kind of pattern. For example, you can use 1:1, 1:N, N:1, or M:N
  • Check regional availability. You can see more information about regional availability here.
  • Check the service limits. You can see more information about service limits here.
  • Check security baseline. You can see more information about security baseline here.

Pricing

Azure Communication Services is a pay-as-you-go service. You only pay for what you use, and there are no upfront costs. You can see more information about pricing here.

The bad news are:

  • In some services pricing vary by country.
  • You don't have a free tier, but you have something free.
  • You don't have Azure Reservations or equivalent.

Conclusion

Azure Communication Services is a very interesting service but you need to consider the cost of the service and the regional availability before to use it.

That's it folks!, thanks for reading 😄!.

\ No newline at end of file diff --git a/blog/2023/11/21/azure-well-architected-framework-waf-mind-maps/index.html b/blog/2023/11/21/azure-well-architected-framework-waf-mind-maps/index.html index eb53e08..b267cec 100644 --- a/blog/2023/11/21/azure-well-architected-framework-waf-mind-maps/index.html +++ b/blog/2023/11/21/azure-well-architected-framework-waf-mind-maps/index.html @@ -7,7 +7,7 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

Azure Well-Architected Framework (WAF) mind maps

Microsoft Well-Architected Framework Pillars Design Principles Mind Map

"Design Principles"

Para cuando lo renderice correctamente materials:

mindmap
+    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Azure Well-Architected Framework (WAF) mind maps

Microsoft Well-Architected Framework Pillars Design Principles Mind Map

"Design Principles"

Para cuando lo renderice correctamente materials:

mindmap
     root((Pillars))        
         Reliability(Reliability)
             DesignPrinciples(Design Principles)
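Review bot: the published page carries an author-facing placeholder in Spanish, `Para cuando lo renderice correctamente materials:` ("for when materials renders it correctly"), immediately followed by the raw Mermaid `mindmap` source (`root((Pillars))`, `Reliability(Reliability)`, ...), which means the diagram is being served as plain text rather than rendered. Either enable Mermaid rendering for the theme so the mind map actually draws, or drop the placeholder and the unrendered source from the post until it does; as it stands, the hunk regenerates this page (whitespace-only change on the `.gslide-desc` line) without addressing it.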
diff --git a/blog/2023/11/30/azure-updates-rss-feed/index.html b/blog/2023/11/30/azure-updates-rss-feed/index.html
index 64359b9..c171ac5 100644
--- a/blog/2023/11/30/azure-updates-rss-feed/index.html
+++ b/blog/2023/11/30/azure-updates-rss-feed/index.html
@@ -7,4 +7,4 @@
     .gdesc-inner { font-size: 0.75rem; }
     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
-    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Azure updates RSS feed

All the Azure updates in one place.

By category

Custom

https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=category1%2Ccategory2%2Ccategory3

For example:

https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=featured%2Cai-machine-learning%2Canalytics

\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

Azure updates RSS feed

All the Azure updates in one place.

By category

Custom

https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=category1%2Ccategory2%2Ccategory3

For example:

https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=featured%2Cai-machine-learning%2Canalytics

\ No newline at end of file diff --git a/blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/index.html b/blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/index.html index 86a51ca..de613bd 100644 --- a/blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/index.html +++ b/blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

Comparing Container Apps with other Azure container options

Container option comparisons

Service Primary Use Advantages Disadvantages
Azure Container Apps Building serverless microservices and jobs based on containers Optimized for general purpose containers. Provides a fully managed experience based on best-practices. Doesn't provide direct access to Kubernetes APIs.
Azure App Service Fully managed hosting for web applications including websites and web APIs Integrated with other Azure services. Ideal option for building web apps. Might not be suitable for non-web applications.
Azure Container Instances Provides a single isolated container on demand It's a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs. Concepts like scale, load balancing, and certificates are not provided.
Azure Kubernetes Service Provides a fully managed Kubernetes option in Azure Supports any Kubernetes workload. Complete control over cluster configurations and operations. Requires management of the full cluster within your subscription.
Azure Functions Serverless Functions-as-a-Service (FaaS) solution Optimized for running event-driven applications using the functions programming model. Limited to ephemeral functions deployed as either code or containers.
Azure Spring Apps Fully managed service for Spring developers Service manages the infrastructure of Spring applications allowing developers to focus on their code. Only suitable for running Spring-based applications.
Azure Red Hat OpenShift Jointly engineered, operated, and supported by Red Hat and Microsoft to provide an integrated product and support experience Offers built-in solutions for automated source code management, container and application builds, deployments, scaling, health management. Dependent on OpenShift. If your team or organization is not using OpenShift, this may not be the ideal option.

Please note that the advantages and disadvantages may vary according to specific use cases.

References

\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

Comparing Container Apps with other Azure container options

Container option comparisons

Service Primary Use Advantages Disadvantages
Azure Container Apps Building serverless microservices and jobs based on containers Optimized for general purpose containers. Provides a fully managed experience based on best-practices. Doesn't provide direct access to Kubernetes APIs.
Azure App Service Fully managed hosting for web applications including websites and web APIs Integrated with other Azure services. Ideal option for building web apps. Might not be suitable for non-web applications.
Azure Container Instances Provides a single isolated container on demand It's a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs. Concepts like scale, load balancing, and certificates are not provided.
Azure Kubernetes Service Provides a fully managed Kubernetes option in Azure Supports any Kubernetes workload. Complete control over cluster configurations and operations. Requires management of the full cluster within your subscription.
Azure Functions Serverless Functions-as-a-Service (FaaS) solution Optimized for running event-driven applications using the functions programming model. Limited to ephemeral functions deployed as either code or containers.
Azure Spring Apps Fully managed service for Spring developers Service manages the infrastructure of Spring applications allowing developers to focus on their code. Only suitable for running Spring-based applications.
Azure Red Hat OpenShift Jointly engineered, operated, and supported by Red Hat and Microsoft to provide an integrated product and support experience Offers built-in solutions for automated source code management, container and application builds, deployments, scaling, health management. Dependent on OpenShift. If your team or organization is not using OpenShift, this may not be the ideal option.

Please note that the advantages and disadvantages may vary according to specific use cases.

References

\ No newline at end of file diff --git a/blog/2023/11/index.html b/blog/2023/11/index.html index 3369820..e6de20d 100644 --- a/blog/2023/11/index.html +++ b/blog/2023/11/index.html @@ -7,7 +7,7 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

2023/11

Comparing Container Apps with other Azure container options

Container option comparisons

Service Primary Use Advantages Disadvantages
Azure Container Apps Building serverless microservices and jobs based on containers Optimized for general purpose containers. Provides a fully managed experience based on best-practices. Doesn't provide direct access to Kubernetes APIs.
Azure App Service Fully managed hosting for web applications including websites and web APIs Integrated with other Azure services. Ideal option for building web apps. Might not be suitable for non-web applications.
Azure Container Instances Provides a single isolated container on demand It's a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs. Concepts like scale, load balancing, and certificates are not provided.
Azure Kubernetes Service Provides a fully managed Kubernetes option in Azure Supports any Kubernetes workload. Complete control over cluster configurations and operations. Requires management of the full cluster within your subscription.
Azure Functions Serverless Functions-as-a-Service (FaaS) solution Optimized for running event-driven applications using the functions programming model. Limited to ephemeral functions deployed as either code or containers.
Azure Spring Apps Fully managed service for Spring developers Service manages the infrastructure of Spring applications allowing developers to focus on their code. Only suitable for running Spring-based applications.
Azure Red Hat OpenShift Jointly engineered, operated, and supported by Red Hat and Microsoft to provide an integrated product and support experience Offers built-in solutions for automated source code management, container and application builds, deployments, scaling, health management. Dependent on OpenShift. If your team or organization is not using OpenShift, this may not be the ideal option.

Please note that the advantages and disadvantages may vary according to specific use cases.

References

Azure updates RSS feed

All the Azure updates in one place.

By category

Custom

https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=category1%2Ccategory2%2Ccategory3

For example:

https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=featured%2Cai-machine-learning%2Canalytics

Azure Well-Architected Framework (WAF) mind maps

Microsoft Well-Architected Framework Pillars Design Principles Mind Map

"Design Principles"

Para cuando lo renderice correctamente materials:

mindmap
+    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

2023/11

Comparing Container Apps with other Azure container options

Container option comparisons

Service Primary Use Advantages Disadvantages
Azure Container Apps Building serverless microservices and jobs based on containers Optimized for general purpose containers. Provides a fully managed experience based on best-practices. Doesn't provide direct access to Kubernetes APIs.
Azure App Service Fully managed hosting for web applications including websites and web APIs Integrated with other Azure services. Ideal option for building web apps. Might not be suitable for non-web applications.
Azure Container Instances Provides a single isolated container on demand It's a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs. Concepts like scale, load balancing, and certificates are not provided.
Azure Kubernetes Service Provides a fully managed Kubernetes option in Azure Supports any Kubernetes workload. Complete control over cluster configurations and operations. Requires management of the full cluster within your subscription.
Azure Functions Serverless Functions-as-a-Service (FaaS) solution Optimized for running event-driven applications using the functions programming model. Limited to ephemeral functions deployed as either code or containers.
Azure Spring Apps Fully managed service for Spring developers Service manages the infrastructure of Spring applications allowing developers to focus on their code. Only suitable for running Spring-based applications.
Azure Red Hat OpenShift Jointly engineered, operated, and supported by Red Hat and Microsoft to provide an integrated product and support experience Offers built-in solutions for automated source code management, container and application builds, deployments, scaling, health management. Dependent on OpenShift. If your team or organization is not using OpenShift, this may not be the ideal option.

Please note that the advantages and disadvantages may vary according to specific use cases.

References

Azure updates RSS feed

All the Azure updates in one place.

By category

Custom

https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=category1%2Ccategory2%2Ccategory3

For example:

https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=featured%2Cai-machine-learning%2Canalytics

Azure Well-Architected Framework (WAF) mind maps

Microsoft Well-Architected Framework Pillars Design Principles Mind Map

"Design Principles"

Para cuando lo renderice correctamente materials:

mindmap
     root((Pillars))        
         Reliability(Reliability)
             DesignPrinciples(Design Principles)
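Review bot: the `-` and `+` lines of this hunk render to the same text (the `.gslide-desc` style rule), with trailing whitespace on the `+` side as the only visible difference, so the real change cannot be reviewed from this view. That style line belongs to the theme, and the file is generated site output; build the site in CI instead of committing rendered HTML so that diffs show the Markdown that actually changed. Two content problems are visible in the context lines: the `References` heading is followed directly by the next post (`Azure updates RSS feed`), so the section is empty and should get its sources or be dropped, and the line `Para cuando lo renderice correctamente materials:` (a note to self that the block will render once the theme supports it) is published together with the raw `mindmap` / `root((Pillars))` source; either enable the diagram renderer or remove the block until it renders.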
diff --git a/blog/2023/12/01/azure-functions/index.html b/blog/2023/12/01/azure-functions/index.html
index 3e7ad29..18625bf 100644
--- a/blog/2023/12/01/azure-functions/index.html
+++ b/blog/2023/12/01/azure-functions/index.html
@@ -7,4 +7,4 @@
     .gdesc-inner { font-size: 0.75rem; }
     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
-    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Azure Functions

Introduction

Azure Functions is a serverless compute service provided by Microsoft Azure. This analysis aims to provide a comprehensive understanding of Azure Functions, its architecture, deployment, scalability, security, and more.

Service Overview

Azure Functions allows developers to run small pieces of code (called "functions") without worrying about application infrastructure. With Azure Functions, the cloud infrastructure provides all the up-to-date servers needed to keep your applications running at scale.

Architecture and Components

Azure Functions is built on an event-driven, compute-on-demand experience that extends the existing Azure application platform with capabilities to implement code triggered by events occurring in Azure or third-party services.

Deployment and Configuration

Azure Functions can be deployed using the Azure portal, Azure Resource Manager (ARM) templates, or the Azure Command-Line Interface (CLI). Configuration settings can be managed through environment variables and application settings.

Scalability and Performance

Azure Functions supports auto-scaling based on the load, ensuring optimal performance. It also provides features like load balancing to distribute incoming traffic across multiple instances of a function app.

Security and Compliance

Azure Functions provides built-in authentication and authorization support. It also supports network isolation with Azure Virtual Network (VNet) and encryption of data at rest and in transit. Azure Functions complies with key international and industry-specific compliance standards like ISO, SOC, and GDPR.

Monitoring and Logging

Azure Functions integrates with Azure Monitor and Application Insights for monitoring and logging. It provides real-time information on how your function app is performing and where your application is spending its time.

Use Cases and Examples

Azure Functions is commonly used for processing data, integrating systems, working with the internet-of-things (IoT), and building simple APIs and microservices.

Best Practices and Tips

When using Azure Functions, it's recommended to keep functions small and focused on a single task. Also, avoid long-running functions as they may cause unexpected timeout issues.

If you are using long-running functions, consider using Durable Functions, which are an extension of Azure Functions that lets you write stateful functions in a serverless environment.

Conclusion

Azure Functions is a powerful service for running event-driven applications at scale. It offers a wide range of features and capabilities that can meet the needs of almost any application. We encourage you to explore Azure Functions further and see how it can benefit your applications.

\ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

Azure Functions

Introduction

Azure Functions is a serverless compute service provided by Microsoft Azure. This analysis aims to provide a comprehensive understanding of Azure Functions, its architecture, deployment, scalability, security, and more.

Service Overview

Azure Functions allows developers to run small pieces of code (called "functions") without worrying about application infrastructure. With Azure Functions, the cloud infrastructure provides all the up-to-date servers needed to keep your applications running at scale.

Architecture and Components

Azure Functions is built on an event-driven, compute-on-demand experience that extends the existing Azure application platform with capabilities to implement code triggered by events occurring in Azure or third-party services.

Deployment and Configuration

Azure Functions can be deployed using the Azure portal, Azure Resource Manager (ARM) templates, or the Azure Command-Line Interface (CLI). Configuration settings can be managed through environment variables and application settings.

Scalability and Performance

Azure Functions supports auto-scaling based on the load, ensuring optimal performance. It also provides features like load balancing to distribute incoming traffic across multiple instances of a function app.

Security and Compliance

Azure Functions provides built-in authentication and authorization support. It also supports network isolation with Azure Virtual Network (VNet) and encryption of data at rest and in transit. Azure Functions complies with key international and industry-specific compliance standards like ISO, SOC, and GDPR.

Monitoring and Logging

Azure Functions integrates with Azure Monitor and Application Insights for monitoring and logging. It provides real-time information on how your function app is performing and where your application is spending its time.

Use Cases and Examples

Azure Functions is commonly used for processing data, integrating systems, working with the internet-of-things (IoT), and building simple APIs and microservices.

Best Practices and Tips

When using Azure Functions, it's recommended to keep functions small and focused on a single task. Also, avoid long-running functions as they may cause unexpected timeout issues.

If you are using long-running functions, consider using Durable Functions, which are an extension of Azure Functions that lets you write stateful functions in a serverless environment.

Conclusion

Azure Functions is a powerful service for running event-driven applications at scale. It offers a wide range of features and capabilities that can meet the needs of almost any application. We encourage you to explore Azure Functions further and see how it can benefit your applications.

\ No newline at end of file diff --git a/blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/index.html b/blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/index.html index 91a41ab..d998c89 100644 --- a/blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/index.html +++ b/blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/index.html @@ -7,7 +7,7 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

Instalar WSL2 en Windows 11 con chocolatey

Introducción

Windows Subsystem for Linux (WSL) es una característica de Windows 11 que permite ejecutar un entorno de Linux en Windows. WSL2 es la segunda versión de WSL que ofrece un kernel de Linux completo y un mejor rendimiento en comparación con WSL1. Este análisis proporciona una guía paso a paso para instalar WSL2 en Windows 11.

Pasos a seguir

1. Instalar Chocolatey

Chocolatey es un administrador de paquetes para Windows que facilita la instalación y gestión de software. Para instalar Chocolatey, siga los siguientes pasos:

  1. Abra PowerShell como administrador.

  2. Ejecute el siguiente comando para instalar Chocolatey:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
+    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Instalar WSL2 en Windows 11 con chocolatey

Introducción

Windows Subsystem for Linux (WSL) es una característica de Windows 11 que permite ejecutar un entorno de Linux en Windows. WSL2 es la segunda versión de WSL que ofrece un kernel de Linux completo y un mejor rendimiento en comparación con WSL1. Este análisis proporciona una guía paso a paso para instalar WSL2 en Windows 11.

Pasos a seguir

1. Instalar Chocolatey

Chocolatey es un administrador de paquetes para Windows que facilita la instalación y gestión de software. Para instalar Chocolatey, siga los siguientes pasos:

  1. Abra PowerShell como administrador.

  2. Ejecute el siguiente comando para instalar Chocolatey:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
 
  1. Espere a que se complete la instalación de Chocolatey.

2. Instalar WSL2

Para instalar WSL2 en Windows 11, siga los siguientes pasos:

  1. Abra PowerShell como administrador.

  2. Ejecute el siguiente comando para instalar WSL2:

choco install wsl2
 
3. Espere a que se complete la instalación de WSL2.

3. Configurar WSL2

Para configurar WSL2 en Windows 11, siga los siguientes pasos:

  1. Abra PowerShell como administrador.

  2. Ejecute el siguiente comando para configurar WSL2 como la versión predeterminada:

wsl --set-default-version 2
 
  1. Reinicie su computadora para aplicar los cambios.

4. Instalar una distribución de Linux

Para instalar una distribución de Linux en WSL2, siga los siguientes pasos:

  1. Abra PowerShell.

  2. Busque la distribución de Linux que desea instalar (por ejemplo, Ubuntu, Debian, Fedora)

wsl --list --online
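Review bot: the numbered sub-steps lose their sequence after each command block: in step 1 the list runs `1.`, `2.` and then restarts at `1. Espere a que se complete la instalación de Chocolatey.`, in step 2 the third item is rendered as a top-level `3.` without the list indentation, and in step 3 it restarts at `1. Reinicie su computadora`. The code blocks are breaking the Markdown list; indent each block under its list item (or number the items explicitly) so each procedure reads 1, 2, 3. The Chocolatey one-liner also downloads `install.ps1` from chocolatey.org and runs it through `iex` in an elevated shell after `Set-ExecutionPolicy Bypass`; the post should state that this executes remote code as administrator and point readers at the script URL so they can inspect it before running the command.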
diff --git "a/blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci\303\263n/index.html" "b/blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci\303\263n/index.html"
index 77f4743..42bd258 100644
--- "a/blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci\303\263n/index.html"
+++ "b/blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci\303\263n/index.html"
@@ -7,7 +7,7 @@
     .gdesc-inner { font-size: 0.75rem; }
     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
-    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Depurar logs de OneDrive para detectar problemas de sincronización

Necesitas WSL2

Para poder seguir este tutorial necesitas tener instalado WSL2 en tu equipo, si no lo tienes, puedes seguir este tutorial Instalar WSL2 en Windows 11 con chocolatey

Introducción

Llevo unos días con sync pending en algunos ficheros en mi OneDrive for Business sin ninguna razón aparente, por lo que he decidido investigar un poco y compartir como he resuelto el problema.

Lo primero es seguir la siguiente documentación de Microsoft que puede ser útil para alguien que tenga problemas de sincronización con OneDrive:

Fix OneDrive sync problems

Pero si no funciona, se puede obtener más información de los logs de OneDrive.

Pasos a seguir

1. Acceder a los logs de OneDrive

Para acceder a los logs de OneDrive, se debe seguir los siguientes pasos:

  1. Abrir el Explorador de archivos.
  2. Hacer clic en la flecha hacia arriba en la barra de direcciones.
  3. Pegar la siguiente ruta en la barra de direcciones y presionar Enter:
%localappdata%\Microsoft\OneDrive\logs\Business1
+    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Depurar logs de OneDrive para detectar problemas de sincronización

Necesitas WSL2

Para poder seguir este tutorial necesitas tener instalado WSL2 en tu equipo, si no lo tienes, puedes seguir este tutorial Instalar WSL2 en Windows 11 con chocolatey

Introducción

Llevo unos días con sync pending en algunos ficheros en mi OneDrive for Business sin ninguna razón aparente, por lo que he decidido investigar un poco y compartir como he resuelto el problema.

Lo primero es seguir la siguiente documentación de Microsoft que puede ser útil para alguien que tenga problemas de sincronización con OneDrive:

Fix OneDrive sync problems

Pero si no funciona, se puede obtener más información de los logs de OneDrive.

Pasos a seguir

1. Acceder a los logs de OneDrive

Para acceder a los logs de OneDrive, se debe seguir los siguientes pasos:

  1. Abrir el Explorador de archivos.
  2. Hacer clic en la flecha hacia arriba en la barra de direcciones.
  3. Pegar la siguiente ruta en la barra de direcciones y presionar Enter:
%localappdata%\Microsoft\OneDrive\logs\Business1
 
%localappdata%\Microsoft\OneDrive\logs\Personal
 

Ahora es necesario seleccionar los archivos de log más recientes y copiarlos a un directorio, los archivos pueden tener extensión .odl,.odlgz, .odlsent o .aold, también se debe incluir el fichero ObfuscationStringMap.txt o general.keystore.

2. Instalar el visor de logs de OneDrive

Para instalar el visor de logs de OneDrive, se debe seguir los siguientes pasos:

Descarga https://raw.githubusercontent.com/ydkhatri/OneDrive/main/odl.py y ejecuta el siguiente comando:

pip3 install pycryptodome
 pip3 install construct
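Review bot: the two install commands at the end of this hunk, `pip3 install pycryptodome` and ` pip3 install construct`, are indented differently (the second line starts with a space), so they render misaligned; collapse them into one `pip3 install pycryptodome construct`. Two smaller points in the same context: the extension list `.odl,.odlgz, .odlsent o .aold` is missing a space after the first comma, and the two log paths (`%localappdata%\Microsoft\OneDrive\logs\Business1` and `...\logs\Personal`) are separated by lines containing only a single space, which should go so the paths render as one block under step 3.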
diff --git a/blog/2023/12/index.html b/blog/2023/12/index.html
index 1e5206b..55000b8 100644
--- a/blog/2023/12/index.html
+++ b/blog/2023/12/index.html
@@ -7,7 +7,7 @@
     .gdesc-inner { font-size: 0.75rem; }
     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
-    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

2023/12

Depurar logs de OneDrive para detectar problemas de sincronización

Necesitas WSL2

Para poder seguir este tutorial necesitas tener instalado WSL2 en tu equipo, si no lo tienes, puedes seguir este tutorial Instalar WSL2 en Windows 11 con chocolatey

Introducción

Llevo unos días con sync pending en algunos ficheros en mi OneDrive for Business sin ninguna razón aparente, por lo que he decidido investigar un poco y compartir como he resuelto el problema.

Lo primero es seguir la siguiente documentación de Microsoft que puede ser útil para alguien que tenga problemas de sincronización con OneDrive:

Fix OneDrive sync problems

Pero si no funciona, se puede obtener más información de los logs de OneDrive.

Pasos a seguir

1. Acceder a los logs de OneDrive

Para acceder a los logs de OneDrive, se debe seguir los siguientes pasos:

  1. Abrir el Explorador de archivos.
  2. Hacer clic en la flecha hacia arriba en la barra de direcciones.
  3. Pegar la siguiente ruta en la barra de direcciones y presionar Enter:
%localappdata%\Microsoft\OneDrive\logs\Business1
+    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

2023/12

Depurar logs de OneDrive para detectar problemas de sincronización

Necesitas WSL2

Para poder seguir este tutorial necesitas tener instalado WSL2 en tu equipo, si no lo tienes, puedes seguir este tutorial Instalar WSL2 en Windows 11 con chocolatey

Introducción

Llevo unos días con sync pending en algunos ficheros en mi OneDrive for Business sin ninguna razón aparente, por lo que he decidido investigar un poco y compartir como he resuelto el problema.

Lo primero es seguir la siguiente documentación de Microsoft que puede ser útil para alguien que tenga problemas de sincronización con OneDrive:

Fix OneDrive sync problems

Pero si no funciona, se puede obtener más información de los logs de OneDrive.

Pasos a seguir

1. Acceder a los logs de OneDrive

Para acceder a los logs de OneDrive, se debe seguir los siguientes pasos:

  1. Abrir el Explorador de archivos.
  2. Hacer clic en la flecha hacia arriba en la barra de direcciones.
  3. Pegar la siguiente ruta en la barra de direcciones y presionar Enter:
%localappdata%\Microsoft\OneDrive\logs\Business1
 
%localappdata%\Microsoft\OneDrive\logs\Personal
 

Ahora es necesario seleccionar los archivos de log más recientes y copiarlos a un directorio, los archivos pueden tener extensión .odl,.odlgz, .odlsent o .aold, también se debe incluir el fichero ObfuscationStringMap.txt o general.keystore.

2. Instalar el visor de logs de OneDrive

Para instalar el visor de logs de OneDrive, se debe seguir los siguientes pasos:

Descarga https://raw.githubusercontent.com/ydkhatri/OneDrive/main/odl.py y ejecuta el siguiente comando:

pip3 install pycryptodome
 pip3 install construct
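Review bot: this hunk repeats the OneDrive post body from the previous file (the `2023/12` listing page embeds the same text), so every point raised there applies here as well: the ` pip3 install construct` indentation, the missing space in `.odl,.odlgz`, and the single-space lines between the two log paths. Fix them once in the post's Markdown source and rebuild rather than patching both generated pages by hand.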
diff --git a/blog/2024/02/24/azure-policy/index.html b/blog/2024/02/24/azure-policy/index.html
index e8f6401..98a1eb4 100644
--- a/blog/2024/02/24/azure-policy/index.html
+++ b/blog/2024/02/24/azure-policy/index.html
@@ -7,7 +7,7 @@
     .gdesc-inner { font-size: 0.75rem; }
     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
-    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Azure Policy

Azure Policy serves as a powerful tool for implementing governance across your Azure environment. It helps ensure resource consistency, regulatory compliance, security, cost management, and efficient operations

As organizations leverage the power of Azure for their cloud infrastructure, ensuring governance, compliance, and security becomes paramount. Azure Policy, along with policies and initiatives, provides a robust framework to enforce and assess compliance with organizational standards and regulatory requirements. Let's delve into these concepts to understand how they work together.

Azure Policy Overview

Azure Policy is a service in Azure that allows you to create, assign, and manage policies. These policies enforce different rules and effects over resources, so those resources stay compliant with corporate standards and service-level agreements.

Azure Policy helps to address questions like:

  • Are all virtual machines encrypted using Azure Disk Encryption?
  • Are resources deployed only in certain Azure regions?
  • Are specific tags applied to resources for tracking and organization?

Policies in Azure Policy are defined using JSON-based policy definitions. These definitions can be simple or complex, depending on the requirements. Once a policy is created, it can be assigned to specific scopes within Azure, such as subscriptions, resource groups, or even individual resources.

Info

It's important to recognize that with the introduction of Azure Arc, you can extend your policy-based governance across different cloud providers and even to your local datacenters.

Policies

Policies in Azure Policy are rules that enforce different requirements and effects on resources. These policies can be related to security, compliance, or management. For instance, you can have a policy that ensures all publicly accessible storage accounts are secured with a firewall or a policy that enforces a specific naming convention for virtual machines.

Key attributes of policies include: - Effect: Determines what happens when the condition in the policy is met (e.g., deny the action, audit the action, append a tag). - Condition: Defines when the policy is enforced based on properties of the resource being evaluated. - Action: Specifies what happens when a resource violates the policy (e.g., deny deployment, apply audit).

Policies can be built-in (provided by Azure) or custom (defined by the organization). They play a vital role in maintaining compliance and security standards across Azure environments.

Initiatives

Initiatives in Azure Policy are collections of policies that are grouped together as a single unit. This simplifies the process of assigning multiple policies to different scopes simultaneously. Initiatives help in enforcing complex requirements and compliance standards by grouping related policies together.

graph TD;
+    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Azure Policy

Azure Policy serves as a powerful tool for implementing governance across your Azure environment. It helps ensure resource consistency, regulatory compliance, security, cost management, and efficient operations

As organizations leverage the power of Azure for their cloud infrastructure, ensuring governance, compliance, and security becomes paramount. Azure Policy, along with policies and initiatives, provides a robust framework to enforce and assess compliance with organizational standards and regulatory requirements. Let's delve into these concepts to understand how they work together.

Azure Policy Overview

Azure Policy is a service in Azure that allows you to create, assign, and manage policies. These policies enforce different rules and effects over resources, so those resources stay compliant with corporate standards and service-level agreements.

Azure Policy helps to address questions like:

  • Are all virtual machines encrypted using Azure Disk Encryption?
  • Are resources deployed only in certain Azure regions?
  • Are specific tags applied to resources for tracking and organization?

Policies in Azure Policy are defined using JSON-based policy definitions. These definitions can be simple or complex, depending on the requirements. Once a policy is created, it can be assigned to specific scopes within Azure, such as subscriptions, resource groups, or even individual resources.

Info

It's important to recognize that with the introduction of Azure Arc, you can extend your policy-based governance across different cloud providers and even to your local datacenters.

Policies

Policies in Azure Policy are rules that enforce different requirements and effects on resources. These policies can be related to security, compliance, or management. For instance, you can have a policy that ensures all publicly accessible storage accounts are secured with a firewall or a policy that enforces a specific naming convention for virtual machines.

Key attributes of policies include: - Effect: Determines what happens when the condition in the policy is met (e.g., deny the action, audit the action, append a tag). - Condition: Defines when the policy is enforced based on properties of the resource being evaluated. - Action: Specifies what happens when a resource violates the policy (e.g., deny deployment, apply audit).

Policies can be built-in (provided by Azure) or custom (defined by the organization). They play a vital role in maintaining compliance and security standards across Azure environments.

Initiatives

Initiatives in Azure Policy are collections of policies that are grouped together as a single unit. This simplifies the process of assigning multiple policies to different scopes simultaneously. Initiatives help in enforcing complex requirements and compliance standards by grouping related policies together.

graph TD;
     A[Azure Policy] -->|Contains| B1[Policy 1]
     A[Azure Policy] -->|Contains| B2[Policy 2]
     A[Azure Policy] -->|Contains| B3[Policy 3]
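Review bot: the list under `Key attributes of policies include:` is collapsed into a single line because the Markdown source has no line break before the first `- Effect:`; put each attribute on its own line. Within that list, `Effect` (`deny the action, audit the action, append a tag`) and `Action` (`deny deployment, apply audit`) describe the same thing, what happens when the condition matches, so merge the `Action` item into `Effect`. Smaller points: the opening sentence ending in `...cost management, and efficient operations` has no full stop, and the `graph TD;` diagram under `Initiatives` is published as raw Mermaid source with a root node labelled `Azure Policy` although the section describes an initiative that contains policies; render the diagram and relabel the root node `Initiative`.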
diff --git a/blog/2024/02/25/azure-policy-defintion-schema/index.html b/blog/2024/02/25/azure-policy-defintion-schema/index.html
index e20fbb8..b9835a7 100644
--- a/blog/2024/02/25/azure-policy-defintion-schema/index.html
+++ b/blog/2024/02/25/azure-policy-defintion-schema/index.html
@@ -7,7 +7,7 @@
     .gdesc-inner { font-size: 0.75rem; }
     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
-    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Azure Policy, defintion schema

This is the schema for the Azure Policy definition:

{
+    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Azure Policy, defintion schema

This is the schema for the Azure Policy definition:

{
     "properties": {
         "displayName": {
             "type": "string",
diff --git a/blog/2024/02/25/writing-your-first-initiative-with-portal/index.html b/blog/2024/02/25/writing-your-first-initiative-with-portal/index.html
index 7cafc6c..d65e55b 100644
--- a/blog/2024/02/25/writing-your-first-initiative-with-portal/index.html
+++ b/blog/2024/02/25/writing-your-first-initiative-with-portal/index.html
@@ -7,4 +7,4 @@
     .gdesc-inner { font-size: 0.75rem; }
     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
-    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Writing Your First Initiative with Portal

Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

In this post, we'll walk through the steps of creating your first initiative in Azure.

Info

You need to have a good understanding of Azure Policy before creating an initiative. If you're new to Azure Policy, check out our post on Azure Policy and Writing Your First Policy in Azure with Portal.

Prerequisites

  1. An active Azure subscription.
  2. Access to Azure portal.
  3. Azure Policy defined in your subscription, if you don't have one, you can follow the steps in Writing Your First Policy in Azure with Portal.

Step 1: Open Azure Policy

  • Login to the Azure Portal.
  • In the left-hand menu, click on All services.
  • In the All services blade, search for Policy.

Step 2: Create a New Initiative Definition

  • Click on Defitinions under the Authoring section.
  • Click on + Initiative definition.

Step 3: Fill Out the Initiative Definition

You will need to fill out several fields:

  • Basics:
      • Initiative location: The management group or subscription where the definition is stored. An initiative can only be assigned at that scope or below it, so store definitions you intend to assign broadly at a management group.
      • Name: A unique name for your initiative.
      • Description: A detailed description of what the initiative does.
      • Category: A category for easier searching and filtering.
  • Policies:
      • Add policy definition(s): Add the built-in or custom policies that will be part of the initiative.
  • Initiative parameters:
      • Add parameter: Declare the parameters the initiative exposes; their values are set later, when the initiative is assigned.
  • Policy parameters:
      • Add policy parameter: Set the parameters of each policy in the initiative. You can map an initiative parameter onto the parameters of several policies, so that one value set at assignment time (for example a required tag name) flows into every policy that uses it.

  • Click on Review + create: Review the definition and click on Create.

Step 4: Assign the Initiative

  • Go to Policy again.
  • Go to Assignments under the Authoring section.
  • Click on + Assign initiative.

You will need to fill out several fields:

  • Basics:
      • Scope: The management group, subscription or resource group where the initiative is assigned. Every policy in the initiative is evaluated against every resource in that scope.
      • Initiative definition: Select the initiative you just created.
      • Assignment name: A unique name for the assignment.
      • Description: A detailed description of what the assignment does.
      • Policy enforcement: Choose the enforcement mode. Enabled applies the policy effects (a Deny policy blocks deployments). Disabled (DoNotEnforce in the API) still evaluates compliance and reports results but applies no effect, which is the safe way to test a new initiative against a live scope before enforcing it.
  • Parameters:
      • Add parameter: Set the values of the initiative parameters for this assignment.
  • Remediation:
      • Auto-remediation: Enable or disable a remediation task, so that resources found non-compliant are brought into compliance automatically. This only applies to policies with the deployIfNotExists or modify effects, and the assignment needs a managed identity holding the role those policies require. Creating a remediation task is covered in another post.
  • Non-compliance messages:
      • Non-compliance message: Define the message shown when a resource is non-compliant; for a Deny, this is the text the user sees in the failed deployment.

  • Click on Review + create: Review the assignment and click on Create.

Conclusion

Creating an initiative in Azure Policy is a powerful way to group policies together and enforce them across your Azure environment. By defining initiatives, you can streamline governance, simplify compliance management, and ensure consistent application of policies to your resources. Start creating initiatives today to enhance the security, compliance, and operational efficiency of your Azure environment.


Writing Your First Policy in Azure with Portal

Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

In this post, we'll walk through the steps of creating your first policy in Azure.

Prerequisites

  1. An active Azure subscription.
  2. Access to Azure portal.

Step 1: Open Azure Policy

  • Log in to the Azure Portal.
  • In the left-hand menu, click on All services.
  • In the All services blade, search for Policy.

Step 2: Create a New Policy Definition

  • Click on Definitions under the Authoring section.
  • Click on + Policy definition.

Step 3: Fill Out the Policy Definition

You will need to fill out several fields:

  • Definition location: The management group or subscription where the policy definition is stored. The policy can only be assigned at that scope or below it.
  • Name: This is a unique name for your policy.
  • Description: A detailed description of what the policy does.
  • Category: You can categorize your policy for easier searching and filtering.

The most important part of the policy definition is the policy rule itself. The policy rule is where you describe the logic that enforces the policy.

Here's an example of a simple policy rule that requires a tag on every indexed resource and denies the creation or update of any resource that lacks it.

{
     "properties": {
         "displayName": "Require a tag and its value",
         "policyType": "Custom",
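The Portal steps of this post and of the initiative post above, expressed with Az PowerShell, as an added example that is not code from the original posts: it creates a custom "Require a tag and its value" policy, wraps it in an initiative that forwards initiative parameters to the policy's parameters, assigns the initiative with enforcement disabled, and lists what the Deny would have blocked before switching enforcement on. The names require-tag and baseline-tagging, the tag owner=platform-team and the subscription scope are placeholders, and the script assumes Connect-AzAccount has already run with an identity holding Resource Policy Contributor on the subscription; it needs the Az.Resources and Az.PolicyInsights modules.

```powershell
# Added example, not code from the original posts. Builds with Az PowerShell the objects the Portal
# steps create by hand: a policy definition, an initiative (policy set) and an audit-only assignment.
# Assumptions (placeholders): names 'require-tag' / 'baseline-tagging', tag owner=platform-team, and a
# Connect-AzAccount session holding Resource Policy Contributor on the subscription.

$subscriptionId = (Get-AzContext).Subscription.Id
$scope          = "/subscriptions/$subscriptionId"

# 1) Policy definition. Mode 'Indexed' limits evaluation to resource types that support tags.
#    A missing tag makes the notEquals condition true, so the rule catches absent and wrong values alike.
$policyRule = @'
{
  "if": {
    "field": "[concat('tags[', parameters('tagName'), ']')]",
    "notEquals": "[parameters('tagValue')]"
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@
$policyParameters = @'
{
  "tagName":  { "type": "String", "metadata": { "displayName": "Tag name" } },
  "tagValue": { "type": "String", "metadata": { "displayName": "Tag value" } },
  "effect":   { "type": "String", "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Deny" }
}
'@
New-AzPolicyDefinition -Name 'require-tag' -DisplayName 'Require a tag and its value' `
    -Description 'Denies resources that lack the tag or carry a different value' `
    -Mode 'Indexed' -Policy $policyRule -Parameter $policyParameters | Out-Null
# Build the resource id from the scope instead of reading it back, so this works across Az.Resources versions.
$policyId = "$scope/providers/Microsoft.Authorization/policyDefinitions/require-tag"

# 2) Initiative. It declares its own parameters and maps them onto the member policy's parameters;
#    the assignment later sets only the initiative-level values.
$setParameters = @'
{
  "requiredTagName":  { "type": "String", "defaultValue": "owner" },
  "requiredTagValue": { "type": "String" },
  "tagEffect":        { "type": "String", "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Deny" }
}
'@
$setDefinitions = @"
[
  {
    "policyDefinitionId": "$policyId",
    "policyDefinitionReferenceId": "requireTag",
    "parameters": {
      "tagName":  { "value": "[parameters('requiredTagName')]" },
      "tagValue": { "value": "[parameters('requiredTagValue')]" },
      "effect":   { "value": "[parameters('tagEffect')]" }
    }
  }
]
"@
$initiative = New-AzPolicySetDefinition -Name 'baseline-tagging' -DisplayName 'Baseline tagging' `
    -Description 'Tagging rules every subscription must meet' `
    -PolicyDefinition $setDefinitions -Parameter $setParameters

# 3) Assignment. DoNotEnforce is "Policy enforcement: Disabled" in the Portal: compliance is evaluated
#    and reported, but the Deny effect is not applied, so nothing breaks while the rule is validated.
$assignment = New-AzPolicyAssignment -Name 'baseline-tagging' -DisplayName 'Baseline tagging' `
    -Scope $scope -PolicySetDefinition $initiative `
    -PolicyParameterObject @{ requiredTagValue = 'platform-team' } `
    -EnforcementMode DoNotEnforce `
    -NonComplianceMessage @(@{ Message = 'Every resource must carry the tag owner=platform-team.' })

# 4) Dry run: trigger an evaluation (the scheduled scan can take a while) and list what Deny would block.
Start-AzPolicyComplianceScan -AsJob | Wait-Job | Out-Null
$wouldBeDenied = Get-AzPolicyState -PolicyAssignmentName $assignment.Name `
    -Filter "ComplianceState eq 'NonCompliant'"
$wouldBeDenied | Select-Object ResourceId, PolicyDefinitionReferenceId | Format-Table -AutoSize

# 5) Once the list is empty (or the resources are tagged), switch the assignment to enforcing mode:
#    Set-AzPolicyAssignment -Name 'baseline-tagging' -Scope $scope -EnforcementMode Default
```

The point of step 4 is that a Deny assigned straight away at subscription scope can break every pipeline that deploys untagged resources; assigning with enforcement disabled first turns the same rule into a report of what would fail, which is the check to run before the enforcement mode is flipped.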

Manage Azure Policy GitHub Action

It's recommended to review:

Overview

The Manage Azure Policy GitHub Action lets you enforce organizational standards and assess compliance at scale using Azure policies. With this action you integrate policy management into your CI/CD pipelines, so that policy definitions and assignments are deployed from the repository and your Azure resources adhere to the desired policies.

Info

This project has not received updates for some time, but it is still a simple option for developing your Azure Policies. It has one major drawback: the action only creates and updates, so removing a policy or assignment file from the repository does not remove it from Azure. Deletions must be done by hand.

Key Features

1. Customizable Workflows: GitHub workflows are highly customizable. You have complete control over the sequence in which Azure policies are rolled out, which lets you follow safe deployment practices (for example, roll out to a test subscription first, or assign with enforcement disabled) and catch regressions or bugs well before policies are applied to critical resources.

2. Azure Login Integration: The action assumes that you have already authenticated using the Azure Login action. Log in with a service principal that has permission to write policy definitions and assignments on the selected scopes; the least-privileged built-in role for that is Resource Policy Contributor (an assignment whose policies need a managed identity additionally requires the right to create role assignments). Refer to the full documentation of the Azure Login Action for details on permissions.

3. Policy File Structure: Your policy files should be organized in a specific directory structure within your GitHub repository: one folder per policy, with policy.json holding the definition and each assign.<name>.json holding one assignment of it. Here's how it should look:

  |- policies/
      |- <policy1_name>/
         |- policy.json
         |- assign.<name1>.json

Enterprise Azure Policy as Code (EPAC)

Enterprise Azure Policy as Code (EPAC) is a tool for managing Azure Policy as code in a git repository. It is designed for medium and large organizations with a large number of Policies, Policy Sets and Assignments, and/or complex deployment scenarios.

Key Features of EPAC

• Single and multi-tenant policy deployment: EPAC supports both single and multi-tenant policy deployments, which makes it versatile for different organizational structures.
• Easy CI/CD integration: EPAC can be integrated with any CI/CD tool, which makes it a good fit for DevOps environments.
• Operational scripts: EPAC includes operational scripts that simplify day-to-day tasks.
• Integration with Azure Landing Zones: EPAC provides a mature integration with Azure Landing Zones; using the two together is highly recommended.

Who Should Use EPAC?

EPAC is designed for medium and large organizations with a large number of Policies, Policy Sets and Assignments, and/or complex deployment scenarios. Smaller organizations that already deploy every Azure resource through fully automated DevOps pipelines (Infrastructure as Code) can also benefit from it.

How Does EPAC Work?

EPAC deploys all policies and policy assignments defined in the EPAC repository to the deploymentRootScope and its children. It takes possession of all Policy resources at the deploymentRootScope and its children.

The deployment sequence is handled by three scripts:

1. Definition Files: The process begins with definition files in JSON, CSV or XLSX format. These files contain policy definitions, policy set (initiative) definitions, assignments, exemptions and global settings.

2. Planning Script: Build-DeploymentPlans.ps1 compares the definition files with what is currently deployed and produces a deployment plan. This step only reads, so it requires Resource Policy Reader privileges.

3. Deployment Scripts: The deployment plan is then consumed by two deployment scripts, each run with only the privilege its step needs:
   • Deploy-PolicyPlan.ps1 deploys Policy resources from the policy-plan.json file of the deployment plan. It requires Resource Policy Contributor privileges.
   • Deploy-RolesPlan.ps1 deploys the Role Assignments (for the managed identities of deployIfNotExists and modify assignments) from the roles-plan.json file. It requires User Access Administrator privileges.

The process includes optional approval gates after each step. These are typically used in production environments so that each deployment step, in particular the plan with its pending deletions, is reviewed and approved before the next one runs.

Warning

EPAC is a true desired-state deployment technology. It takes possession of all Policy resources at the deploymentRootScope and its children and deletes any Policy resource not defined in the EPAC repository. Anything created by hand in the Portal within that scope will be removed on the next deployment, so agree on the scope and on who owns policy before adopting it, and review the plan before each deployment.

Conclusion

EPAC is a robust solution for managing Azure Policy as code. It offers a high level of assurance in highly controlled and sensitive environments, and a means for the development, deployment, management and reporting of Azure Policy at scale.


Azure Policy Management Best Practices

1. Version Control: Store your policy definitions in a version-controlled repository. This practice ensures that you can track changes, collaborate effectively, and roll back to previous versions if needed.

2. Automated Testing: Incorporate policy testing into your CI/CD pipelines. Automated tests catch broken or over-broad rules before they reach production scopes, for example by assigning new policies to a test subscription with enforcement disabled first.

3. Policy Documentation: Document your policies clearly, including their purpose, scope, and expected behavior. This documentation helps stakeholders understand the policies and their impact on Azure resources.

4. Policy Assignment: Assign policies at the appropriate scope (e.g., Management Group, Subscription, Resource Group) based on your organizational requirements. Avoid assigning policies at a broader scope than necessary to prevent unintended consequences.

5. Policy Exemptions: Use policy exemptions judiciously. Document the reasons for exemptions, set an expiry where possible, and periodically review them to ensure they are still valid.

6. Policy Enforcement: Monitor policy compliance regularly and take corrective action for non-compliant resources. Use Azure Policy's built-in compliance reports and alerts to track policy violations.

7. Policy Remediation: Implement automated remediation tasks for policy violations where possible. Azure Policy's remediation tasks can bring non-compliant resources back into compliance automatically.

8. Policy Monitoring: Continuously monitor policy effectiveness and adjust policies as needed. Regularly review policy violations, exemptions, and compliance trends to refine your policy implementation.

9. Policy Governance: Establish a governance framework for Azure Policy that covers policy creation, assignment, monitoring, and enforcement. Define roles and responsibilities for policy management to ensure accountability.

10. Policy Lifecycle Management: Define a policy lifecycle management process that covers policy creation, testing, deployment, monitoring, and retirement. Regularly review and update policies to align with changing organizational requirements.

11. Single Source of Truth: Whether you use EPAC, Terraform, ARM templates or another tool, keep one source of truth for your policies. Do not mix Portal edits with as-code deployments: a desired-state tool such as EPAC will overwrite or delete whatever it does not own.

By following these best practices, you can effectively manage Azure policies and ensure compliance with organizational standards across your Azure environment. Azure Policy plays a crucial role in maintaining governance, security, and compliance, and adopting these practices helps you maximize its benefits.

          \ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

          Azure Policy Management Best Practices

          1. Version Control: Store your policy definitions in a version-controlled repository. This practice ensures that you can track changes, collaborate effectively, and roll back to previous versions if needed.

          2. Automated Testing: Incorporate policy testing into your CI/CD pipelines. Automated tests can help you catch policy violations early in the development process, reducing the risk of non-compliance.

          3. Policy Documentation: Document your policies clearly, including their purpose, scope, and expected behavior. This documentation helps stakeholders understand the policies and their impact on Azure resources.

          4. Policy Assignment: Assign policies at the appropriate scope (e.g., Management Group, Subscription, Resource Group) based on your organizational requirements. Avoid assigning policies at a broader scope than necessary to prevent unintended consequences.

          5. Policy Exemptions: Use policy exemptions judiciously. Document the reasons for exemptions and periodically review them to ensure they are still valid.

          6. Policy Enforcement: Monitor policy compliance regularly and take corrective action for non-compliant resources. Use Azure Policy's built-in compliance reports and alerts to track policy violations.

          7. Policy Remediation: Implement automated remediation tasks for policy violations where possible. Azure Policy's remediation tasks can help bring non-compliant resources back into compliance automatically.

          8. Policy Monitoring: Continuously monitor policy effectiveness and adjust policies as needed. Regularly review policy violations, exemptions, and compliance trends to refine your policy implementation.

          9. Policy Governance: Establish a governance framework for Azure Policy that includes policy creation, assignment, monitoring, and enforcement processes. Define roles and responsibilities for policy management to ensure accountability.

          10. Policy Lifecycle Management: Define a policy lifecycle management process that covers policy creation, testing, deployment, monitoring, and retirement. Regularly review and update policies to align with changing organizational requirements.

          11. Unique source of truth: Use EPAC, terraform, ARM,.... but use an unique source of truth for your policies.

          By following these best practices, you can effectively manage Azure policies and ensure compliance with organizational standards across your Azure environment. Azure Policy plays a crucial role in maintaining governance, security, and compliance, and adopting these practices can help you maximize its benefits.
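Review bot: the only change in this hunk is the trailing whitespace dropped after the `.gslide-desc` rule in the inline style block (the `-` line ends in spaces, the `+` line does not); the post body that follows on the same line is identical on both sides, and both sides still end with `\ No newline at end of file`. Because this is generated site output, a one-character template fix fans out into a hunk per page and makes the diff hard to review; build the site in CI from the Markdown sources instead of committing the rendered HTML, or at least keep whitespace-only regenerations in their own commit. While the post is being touched, item 11 reads "use an unique source of truth", where "a single source of truth" is the usual phrasing, and item 2 would be clearer if it distinguished testing the policy definitions themselves (for example evaluating them against sample resources in a sandbox subscription before assignment) from reporting on resources that violate them.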

          \ No newline at end of file diff --git a/blog/2024/03/index.html b/blog/2024/03/index.html index 12419f6..36b252d 100644 --- a/blog/2024/03/index.html +++ b/blog/2024/03/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

          2024/03

          Azure Policy Management Best Practices

          1. Version Control: Store your policy definitions in a version-controlled repository. This practice ensures that you can track changes, collaborate effectively, and roll back to previous versions if needed.

          2. Automated Testing: Incorporate policy testing into your CI/CD pipelines. Automated tests can help you catch policy violations early in the development process, reducing the risk of non-compliance.

          3. Policy Documentation: Document your policies clearly, including their purpose, scope, and expected behavior. This documentation helps stakeholders understand the policies and their impact on Azure resources.

          4. Policy Assignment: Assign policies at the appropriate scope (e.g., Management Group, Subscription, Resource Group) based on your organizational requirements. Avoid assigning policies at a broader scope than necessary to prevent unintended consequences.

          5. Policy Exemptions: Use policy exemptions judiciously. Document the reasons for exemptions and periodically review them to ensure they are still valid.

          6. Policy Enforcement: Monitor policy compliance regularly and take corrective action for non-compliant resources. Use Azure Policy's built-in compliance reports and alerts to track policy violations.

          7. Policy Remediation: Implement automated remediation tasks for policy violations where possible. Azure Policy's remediation tasks can help bring non-compliant resources back into compliance automatically.

          8. Policy Monitoring: Continuously monitor policy effectiveness and adjust policies as needed. Regularly review policy violations, exemptions, and compliance trends to refine your policy implementation.

          9. Policy Governance: Establish a governance framework for Azure Policy that includes policy creation, assignment, monitoring, and enforcement processes. Define roles and responsibilities for policy management to ensure accountability.

          10. Policy Lifecycle Management: Define a policy lifecycle management process that covers policy creation, testing, deployment, monitoring, and retirement. Regularly review and update policies to align with changing organizational requirements.

          11. Unique source of truth: Use EPAC, terraform, ARM,.... but use an unique source of truth for your policies.

          By following these best practices, you can effectively manage Azure policies and ensure compliance with organizational standards across your Azure environment. Azure Policy plays a crucial role in maintaining governance, security, and compliance, and adopting these practices can help you maximize its benefits.

          \ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

          2024/03

          Azure Policy Management Best Practices

          1. Version Control: Store your policy definitions in a version-controlled repository. This practice ensures that you can track changes, collaborate effectively, and roll back to previous versions if needed.

          2. Automated Testing: Incorporate policy testing into your CI/CD pipelines. Automated tests can help you catch policy violations early in the development process, reducing the risk of non-compliance.

          3. Policy Documentation: Document your policies clearly, including their purpose, scope, and expected behavior. This documentation helps stakeholders understand the policies and their impact on Azure resources.

          4. Policy Assignment: Assign policies at the appropriate scope (e.g., Management Group, Subscription, Resource Group) based on your organizational requirements. Avoid assigning policies at a broader scope than necessary to prevent unintended consequences.

          5. Policy Exemptions: Use policy exemptions judiciously. Document the reasons for exemptions and periodically review them to ensure they are still valid.

          6. Policy Enforcement: Monitor policy compliance regularly and take corrective action for non-compliant resources. Use Azure Policy's built-in compliance reports and alerts to track policy violations.

          7. Policy Remediation: Implement automated remediation tasks for policy violations where possible. Azure Policy's remediation tasks can help bring non-compliant resources back into compliance automatically.

          8. Policy Monitoring: Continuously monitor policy effectiveness and adjust policies as needed. Regularly review policy violations, exemptions, and compliance trends to refine your policy implementation.

          9. Policy Governance: Establish a governance framework for Azure Policy that includes policy creation, assignment, monitoring, and enforcement processes. Define roles and responsibilities for policy management to ensure accountability.

          10. Policy Lifecycle Management: Define a policy lifecycle management process that covers policy creation, testing, deployment, monitoring, and retirement. Regularly review and update policies to align with changing organizational requirements.

          11. Unique source of truth: Use EPAC, terraform, ARM,.... but use an unique source of truth for your policies.

          By following these best practices, you can effectively manage Azure policies and ensure compliance with organizational standards across your Azure environment. Azure Policy plays a crucial role in maintaining governance, security, and compliance, and adopting these practices can help you maximize its benefits.
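Review bot: same whitespace-only change to the `.gslide-desc` rule as in the post page, here in the generated 2024/03 archive index, which re-renders the full post body; nothing in the visible content differs between the `-` and `+` sides, and the file still has no trailing newline on either side. There is nothing to fix in the content itself, but this is a second copy of the same hunk, which is one more reason to regenerate the site in CI rather than commit the build output.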

          \ No newline at end of file diff --git a/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/index.html b/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/index.html index afb42d6..b5a3f96 100644 --- a/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/index.html +++ b/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/index.html @@ -7,7 +7,7 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

          Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services

          Today, I'd like to share a brief of a recommended strategy for Privileged Access Management (PAM) of other vendors with Microsoft Entra ID and some Azure Services. This strategy is divided into seven phases:

          
          +    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

          Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services

          Today, I'd like to share a brief of a recommended strategy for Privileged Access Management (PAM) of other vendors with Microsoft Entra ID and some Azure Services. This strategy is divided into seven phases:

          
           graph LR;
               A[Phase 1: Set Policy] 
               C[Phase 2: The Process of Discovery]
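Review bot: this hunk also only removes trailing whitespace from the `.gslide-desc` rule, with the heading and intro paragraph unchanged; the trailing context then shows the Mermaid diagram starting with `A[Phase 1: Set Policy]` followed by `C[Phase 2: The Process of Discovery]`, so the node ids skip B. If B is not used further down, renumber so the ids track the phase numbers. Separately, the intro sentence "a recommended strategy for Privileged Access Management (PAM) of other vendors with Microsoft Entra ID" is ambiguous about whether it describes third-party PAM products integrated with Entra ID or a vendor-neutral strategy implemented with Entra ID and Azure services, and should say which.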
          diff --git a/blog/2024/04/05/microsoft-azure-certifications/index.html b/blog/2024/04/05/microsoft-azure-certifications/index.html
          index b2ea8c7..9298840 100644
          --- a/blog/2024/04/05/microsoft-azure-certifications/index.html
          +++ b/blog/2024/04/05/microsoft-azure-certifications/index.html
          @@ -7,4 +7,4 @@
               .gdesc-inner { font-size: 0.75rem; }
               body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
               body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
          -    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

          Microsoft Azure Certifications

          Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft technologies. These certifications cover a variety of topics, including Azure, Office 365, Windows Server, and more.

          Microsoft divide this certifications into different categories, such as:

          • Infrastructure
          • Data and AI
          • Digital app and innovation
          • Modern work
          • Business applications
          • Security

          Inside of each category, you can find different certification levels:

          • Fundamentals: This level is designed for individuals who are new to the technology and want to demonstrate their knowledge of the basics.
          • Role-based: This level is designed for individuals who want to demonstrate their expertise in a specific role, such as Azure Administrator or Data Engineer.
          • Specialty: This level is designed for individuals who want to demonstrate their expertise in a specific skill, such as Azure Virtual Desktop or Azure SAP.

          In the case of role-based certifications, Microsoft offers different levels of certification, such as:

          • Associate: This level is designed for individuals who have some experience in the technology and want to demonstrate their expertise in a specific role.
          • Expert: This level is designed for individuals who have extensive experience in the technology and want to demonstrate their expertise in a specific role.

          Allways is a good idea to start with the fundamentals certifications, and then move on to the role-based certifications that are relevant to your career goals.

          In the majority of cases, you need associate certifications to get expert certifications.

          Azure Certifications

          Here's a table summarizing the Azure Certifications and their description:

          Certification Exam required Description url
          Azure Administrator Associate AZ-104 The Azure Administrator certification is designed for individuals who want to demonstrate their expertise in managing Azure resources. This certification is ideal for IT professionals who are responsible for implementing, monitoring, and maintaining Azure solutions. https://learn.microsoft.com/en-us/certifications/azure-administrator
          Azure Developer Associate AZ-204 The Azure Developer certification is designed for individuals who want to demonstrate their expertise in developing applications on Azure. This certification is ideal for software developers who want to build and deploy cloud-based applications using Azure services. https://learn.microsoft.com/en-us/certifications/azure-developer
          Azure Data Engineer Associate DP-203 The Azure Data Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing data solutions on Azure. This certification is ideal for data professionals who are responsible for building and maintaining data pipelines and data warehouses on Azure. https://learn.microsoft.com/en-us/certifications/azure-data-engineer
          Azure Database Administrator Associate DP-300 The Azure Database Administrator certification is designed for individuals who want to demonstrate their expertise in managing Azure databases. This certification is ideal for database administrators who are responsible for designing, implementing, and maintaining databases on Azure. https://learn.microsoft.com/en-us/certifications/azure-database-administrator
          DevOps Engineer Expert AZ-400 The Azure DevOps Engineer certification is designed for individuals who want to demonstrate their expertise in implementing DevOps practices on Azure. This certification is ideal for IT professionals who are responsible for building, testing, and deploying applications using Azure DevOps. https://learn.microsoft.com/en-us/certifications/devops-engineer
          Azure Security Engineer Associate AZ-500 The Azure Security Engineer certification is designed for individuals who want to demonstrate their expertise in securing Azure resources. This certification is ideal for IT professionals who are responsible for implementing security controls and monitoring security events on Azure. https://learn.microsoft.com/en-us/certifications/azure-security-engineer
          Azure Network Engineer Associate AZ-700 The Azure Network Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing network solutions on Azure. This certification is ideal for network engineers who are responsible for building and maintaining network infrastructure on Azure. https://learn.microsoft.com/en-us/certifications/azure-network-engineer
          Windows Server Hybrid Administrator Associate AZ-800 AZ-801 The Windows Server Hybrid Administrator certification is designed for individuals who want to demonstrate their expertise in managing Windows Server resources on Azure. This certification is ideal for IT professionals who are responsible for implementing, monitoring, and maintaining Windows Server solutions on Azure. https://learn.microsoft.com/en-us/certifications/windows-server-hybrid-administrator
          Fabric Analytics Engineer Associate DP-600 The Fabric Analytics Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing analytics solutions on Azure. This certification is ideal for data professionals who are responsible for building and maintaining analytics solutions on Azure. https://learn.microsoft.com/en-us/certifications/fabric-analytics-engineer
          Azure AI Engineer Associate AI-102 The Azure AI Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing AI solutions on Azure. This certification is ideal for data scientists and AI developers who want to build and deploy AI models using Azure services. https://learn.microsoft.com/en-us/certifications/azure-ai-engineer
          Azure Data Scientist Associate DP-100 The Azure Data Scientist certification is designed for individuals who want to demonstrate their expertise in designing and implementing data science solutions on Azure. This certification is ideal for data scientists who are responsible for building and maintaining data science solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-data-scientist
          Azure Enterprise Data Analyst Associate DP-500 The Azure Enterprise Data Analyst certification is designed for individuals who want to demonstrate their expertise in designing and implementing data analysis solutions on Azure. This certification is ideal for data analysts who are responsible for building and maintaining data analysis solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-enterprise-data-analyst
          Azure Solutions Architect Expert AZ-305 The Azure Solutions Architect certification is designed for individuals who want to demonstrate their expertise in designing and implementing solutions on Azure. This certification is ideal for IT professionals who are responsible for designing and implementing cloud-based solutions using Azure services. https://learn.microsoft.com/en-us/certifications/azure-solutions-architect
          Azure for SAP Workloads Specialty AZ-120 The Azure for SAP Workloads certification is designed for individuals who want to demonstrate their expertise in deploying and managing SAP workloads on Azure. This certification is ideal for IT professionals who are responsible for implementing and maintaining SAP solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-for-sap-workloads
          Azure Virtual Desktop Specialty AZ-140 The Azure Virtual Desktop certification is designed for individuals who want to demonstrate their expertise in deploying and managing virtual desktop solutions on Azure. This certification is ideal for IT professionals who are responsible for implementing and maintaining virtual desktop solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-virtual-desktop
          Azure Cosmos DB Developer Specialty DP-420 The Azure Cosmos DB Developer certification is designed for individuals who want to demonstrate their expertise in developing applications that use Azure Cosmos DB. This certification is ideal for software developers who want to build and deploy applications that use Azure Cosmos DB. https://learn.microsoft.com/en-us/certifications/azure-cosmos-db-developer
          Azure Fundamentals AZ-900 The Azure Fundamentals certification is designed for individuals who are new to Azure and want to demonstrate their knowledge of the platform. This certification is a great starting point for anyone who wants to learn more about Azure and how it can help them build and deploy applications in the cloud. https://learn.microsoft.com/en-us/certifications/azure-fundamentals
          Azure AI Fundamentals AI-900 The Azure AI Fundamentals certification is designed for individuals who want to demonstrate their knowledge of AI concepts and how they can be applied to Azure services. This certification is ideal for anyone who wants to learn more about AI and how it can be used to build intelligent applications. https://learn.microsoft.com/en-us/certifications/azure-ai-fundamentals
          Azure Data Fundamentals DP-900 The Azure Data Fundamentals certification is designed for individuals who want to demonstrate their knowledge of data concepts and how they can be applied to Azure services. This certification is ideal for anyone who wants to learn more about data and how it can be used to build data-driven applications. https://learn.microsoft.com/en-us/certifications/azure-data-fundamentals

          You can find more information about Microsoft certifications on the Microsoft Certification Poster and in the Microsoft Learning website.

          \ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

          Microsoft Azure Certifications

          Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft technologies. These certifications cover a variety of topics, including Azure, Office 365, Windows Server, and more.

          Microsoft divide this certifications into different categories, such as:

          • Infrastructure
          • Data and AI
          • Digital app and innovation
          • Modern work
          • Business applications
          • Security

          Inside of each category, you can find different certification levels:

          • Fundamentals: This level is designed for individuals who are new to the technology and want to demonstrate their knowledge of the basics.
          • Role-based: This level is designed for individuals who want to demonstrate their expertise in a specific role, such as Azure Administrator or Data Engineer.
          • Specialty: This level is designed for individuals who want to demonstrate their expertise in a specific skill, such as Azure Virtual Desktop or Azure SAP.

          In the case of role-based certifications, Microsoft offers different levels of certification, such as:

          • Associate: This level is designed for individuals who have some experience in the technology and want to demonstrate their expertise in a specific role.
          • Expert: This level is designed for individuals who have extensive experience in the technology and want to demonstrate their expertise in a specific role.

          Allways is a good idea to start with the fundamentals certifications, and then move on to the role-based certifications that are relevant to your career goals.

          In the majority of cases, you need associate certifications to get expert certifications.

          Azure Certifications

          Here's a table summarizing the Azure Certifications and their description:

          Certification Exam required Description url
          Azure Administrator Associate AZ-104 The Azure Administrator certification is designed for individuals who want to demonstrate their expertise in managing Azure resources. This certification is ideal for IT professionals who are responsible for implementing, monitoring, and maintaining Azure solutions. https://learn.microsoft.com/en-us/certifications/azure-administrator
          Azure Developer Associate AZ-204 The Azure Developer certification is designed for individuals who want to demonstrate their expertise in developing applications on Azure. This certification is ideal for software developers who want to build and deploy cloud-based applications using Azure services. https://learn.microsoft.com/en-us/certifications/azure-developer
          Azure Data Engineer Associate DP-203 The Azure Data Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing data solutions on Azure. This certification is ideal for data professionals who are responsible for building and maintaining data pipelines and data warehouses on Azure. https://learn.microsoft.com/en-us/certifications/azure-data-engineer
          Azure Database Administrator Associate DP-300 The Azure Database Administrator certification is designed for individuals who want to demonstrate their expertise in managing Azure databases. This certification is ideal for database administrators who are responsible for designing, implementing, and maintaining databases on Azure. https://learn.microsoft.com/en-us/certifications/azure-database-administrator
          DevOps Engineer Expert AZ-400 The Azure DevOps Engineer certification is designed for individuals who want to demonstrate their expertise in implementing DevOps practices on Azure. This certification is ideal for IT professionals who are responsible for building, testing, and deploying applications using Azure DevOps. https://learn.microsoft.com/en-us/certifications/devops-engineer
          Azure Security Engineer Associate AZ-500 The Azure Security Engineer certification is designed for individuals who want to demonstrate their expertise in securing Azure resources. This certification is ideal for IT professionals who are responsible for implementing security controls and monitoring security events on Azure. https://learn.microsoft.com/en-us/certifications/azure-security-engineer
          Azure Network Engineer Associate AZ-700 The Azure Network Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing network solutions on Azure. This certification is ideal for network engineers who are responsible for building and maintaining network infrastructure on Azure. https://learn.microsoft.com/en-us/certifications/azure-network-engineer
          Windows Server Hybrid Administrator Associate AZ-800 AZ-801 The Windows Server Hybrid Administrator certification is designed for individuals who want to demonstrate their expertise in managing Windows Server resources on Azure. This certification is ideal for IT professionals who are responsible for implementing, monitoring, and maintaining Windows Server solutions on Azure. https://learn.microsoft.com/en-us/certifications/windows-server-hybrid-administrator
          Fabric Analytics Engineer Associate DP-600 The Fabric Analytics Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing analytics solutions on Azure. This certification is ideal for data professionals who are responsible for building and maintaining analytics solutions on Azure. https://learn.microsoft.com/en-us/certifications/fabric-analytics-engineer
          Azure AI Engineer Associate AI-102 The Azure AI Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing AI solutions on Azure. This certification is ideal for data scientists and AI developers who want to build and deploy AI models using Azure services. https://learn.microsoft.com/en-us/certifications/azure-ai-engineer
          Azure Data Scientist Associate DP-100 The Azure Data Scientist certification is designed for individuals who want to demonstrate their expertise in designing and implementing data science solutions on Azure. This certification is ideal for data scientists who are responsible for building and maintaining data science solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-data-scientist
          Azure Enterprise Data Analyst Associate DP-500 The Azure Enterprise Data Analyst certification is designed for individuals who want to demonstrate their expertise in designing and implementing data analysis solutions on Azure. This certification is ideal for data analysts who are responsible for building and maintaining data analysis solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-enterprise-data-analyst
          Azure Solutions Architect Expert AZ-305 The Azure Solutions Architect certification is designed for individuals who want to demonstrate their expertise in designing and implementing solutions on Azure. This certification is ideal for IT professionals who are responsible for designing and implementing cloud-based solutions using Azure services. https://learn.microsoft.com/en-us/certifications/azure-solutions-architect
          Azure for SAP Workloads Specialty AZ-120 The Azure for SAP Workloads certification is designed for individuals who want to demonstrate their expertise in deploying and managing SAP workloads on Azure. This certification is ideal for IT professionals who are responsible for implementing and maintaining SAP solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-for-sap-workloads
          Azure Virtual Desktop Specialty AZ-140 The Azure Virtual Desktop certification is designed for individuals who want to demonstrate their expertise in deploying and managing virtual desktop solutions on Azure. This certification is ideal for IT professionals who are responsible for implementing and maintaining virtual desktop solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-virtual-desktop
          Azure Cosmos DB Developer Specialty DP-420 The Azure Cosmos DB Developer certification is designed for individuals who want to demonstrate their expertise in developing applications that use Azure Cosmos DB. This certification is ideal for software developers who want to build and deploy applications that use Azure Cosmos DB. https://learn.microsoft.com/en-us/certifications/azure-cosmos-db-developer
          Azure Fundamentals AZ-900 The Azure Fundamentals certification is designed for individuals who are new to Azure and want to demonstrate their knowledge of the platform. This certification is a great starting point for anyone who wants to learn more about Azure and how it can help them build and deploy applications in the cloud. https://learn.microsoft.com/en-us/certifications/azure-fundamentals
          Azure AI Fundamentals AI-900 The Azure AI Fundamentals certification is designed for individuals who want to demonstrate their knowledge of AI concepts and how they can be applied to Azure services. This certification is ideal for anyone who wants to learn more about AI and how it can be used to build intelligent applications. https://learn.microsoft.com/en-us/certifications/azure-ai-fundamentals
          Azure Data Fundamentals DP-900 The Azure Data Fundamentals certification is designed for individuals who want to demonstrate their knowledge of data concepts and how they can be applied to Azure services. This certification is ideal for anyone who wants to learn more about data and how it can be used to build data-driven applications. https://learn.microsoft.com/en-us/certifications/azure-data-fundamentals

You can find more information about Microsoft certifications on the Microsoft Certification Poster and on the Microsoft Learn website.


Azure Arc

Azure Arc extends the Azure control plane to infrastructure that does not run in Azure: servers on-premises or at the edge, Kubernetes clusters in other clouds, and data services wherever they are hosted. Once a resource is connected it is projected into Azure Resource Manager as a first-class resource and can be governed with the same management tools, security features, and compliance policies you already use for native Azure resources. Let's look at how Azure Arc works and how you can use it to manage your resources.

Azure Arc Overview

An Arc-connected resource lands in a resource group as an ARM resource (for example Microsoft.HybridCompute/machines for a server). Because it lives in ARM it gets a resource ID, tags, role assignments and, for servers, a system-assigned managed identity, which is what lets Azure Policy, Azure Monitor and Microsoft Defender for Cloud treat it like a native resource. The agent only needs outbound HTTPS (TCP 443) to Azure; no inbound ports are opened on the machine.

Azure Arc enables you to:

• Manage resources: manage resources running on-premises, at the edge, or in other clouds with Azure management tools such as Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
• Governance: a single control plane for managing and governing resources across all environments, so security and compliance policies are enforced consistently.
• Security: Azure security capabilities are extended to resources outside Azure. Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender) can onboard Arc-enabled servers and Kubernetes clusters for vulnerability assessment and threat protection.
• Compliance: compliance policies are applied across all environments so resources meet regulatory requirements and organizational standards; Azure Policy machine configuration can audit settings inside Arc-enabled servers, not just their ARM metadata.

Azure Arc Components

Azure Arc consists of the following components:

• Azure Arc-enabled servers: physical and virtual machines (Windows or Linux) running on-premises, at the edge, or in other clouds. The Azure Connected Machine agent (azcmagent) registers the machine as a Microsoft.HybridCompute/machines resource, after which Azure Policy, Azure Monitor, and Microsoft Defender for Cloud can manage it and VM extensions can be deployed to it from Azure.
• Azure Arc-enabled Kubernetes clusters: CNCF-conformant Kubernetes clusters running on-premises or in other clouds. Arc agents deployed into the cluster connect it to Azure so it can be managed with Azure Policy (through the Gatekeeper-based policy extension), Azure Monitor, and Microsoft Defender for Cloud, and so GitOps configurations and cluster extensions can be pushed to it.
• Azure Arc-enabled data services: Azure SQL Managed Instance and PostgreSQL running on an Arc-enabled Kubernetes cluster, on-premises or in other clouds, managed from Azure with Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
• SQL Server enabled by Azure Arc: existing SQL Server instances on any infrastructure, connected through the Connected Machine agent and a SQL extension, so they can be inventoried, assessed and protected with Microsoft Defender for SQL and Azure Policy.
• Azure Arc-enabled private clouds: the Azure Arc resource bridge, a lightweight Kubernetes-based appliance VM running on the private cloud (for example VMware vSphere or Azure Stack HCI), hosts the custom locations, cluster extensions, and other Arc agents that deliver the Azure management experience for that private cloud.

Azure Arc Use Cases

Azure Arc can be used in a variety of scenarios to manage and govern resources across on-premises, multi-cloud, and edge environments. Some common use cases include:

• Hybrid cloud management: manage resources consistently across on-premises, multi-cloud, and edge environments with the same Azure management tools and policies.
• Security and compliance: enforce security and compliance policies consistently across all environments, so resources meet regulatory requirements and organizational standards; Defender for Cloud findings for an on-premises server show up next to those for Azure VMs.
• Resource governance: one control plane for managing and governing resources across all environments, with policy enforcement plus health and performance monitoring.
• Application modernization: manage and govern Kubernetes clusters and data services running on-premises or in other clouds, so applications and infrastructure can be modernized in place before (or instead of) migrating them.

Getting Started with Azure Arc

To get started with Azure Arc, you need to:

1. Connect your resources: register the Microsoft.HybridCompute, Microsoft.GuestConfiguration and Microsoft.HybridConnectivity resource providers in the subscription, then connect servers with the Azure Connected Machine agent (azcmagent connect) or Kubernetes clusters with az connectedk8s connect. Onboarding needs the Azure Connected Machine Onboarding role on the target resource group, and the agent only requires outbound HTTPS to Azure.
2. Manage your resources: use Azure Policy, Azure Monitor, and Microsoft Defender for Cloud to manage and govern the connected resources the same way as native Azure resources, including tagging and RBAC on the Arc resource itself.
3. Enforce security and compliance: enable the relevant Defender for Cloud plans (Servers, Containers, SQL) on the connected resources and assign Azure Policy initiatives so configuration drift is reported and, where a remediation task exists, corrected.

By using Azure Arc you manage and govern resources consistently across on-premises, multi-cloud, and edge environments from one control plane, and you apply security and compliance policies uniformly, so resources meet regulatory requirements and organizational standards.

Conclusion

Azure Arc extends Azure management to any infrastructure, so resources across on-premises, multi-cloud, and edge environments are managed and governed from one control plane with the same security and compliance policies. The practical payoff is consistency: one inventory, one policy engine, and one place to look for security findings, regardless of where the workload runs.

For more information on Azure Arc, visit the Azure Arc documentation.


How to use Azure Arc-enabled servers with managed identity to access an Azure Storage Account

In this demo we will show how to use Azure Arc-enabled servers with a managed identity to access an Azure Storage Account. Every Arc-enabled server gets a system-assigned managed identity, so code on the machine can obtain Microsoft Entra ID tokens from the local agent instead of keeping storage account keys or connection strings on disk.

          Prerequisites

          • An Azure subscription. If you don't have an Azure subscription, create a free account before you begin.

          Required permissions

          You'll need the following Azure built-in roles for different aspects of managing connected machines:

          • To onboard machines, you must have the Azure Connected Machine Onboarding or Contributor role for the resource group where you're managing the servers.
          • To read, modify, and delete a machine, you must have the Azure Connected Machine Resource Administrator role for the resource group.
          • To select a resource group from the drop-down list when using the Generate script method, you'll also need the Reader role for that resource group (or another role that includes Reader access).

          Register Azure resource providers

          To use Azure Arc-enabled servers with managed identity, you need to register the following resource providers:

          az account set --subscription "{Your Subscription Name}"
           az provider register --namespace 'Microsoft.HybridCompute'
           az provider register --namespace 'Microsoft.GuestConfiguration'
           az provider register --namespace 'Microsoft.HybridConnectivity'
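The "Getting Started" steps of the Azure Arc post above and this post both rest on the managed identity that the Connected Machine agent gives an Arc-enabled server. What the post does not show is how a process on the machine actually obtains a token: unlike an Azure VM, an Arc-enabled server answers the first token request with HTTP 401 and a WWW-Authenticate header naming a key file that only root or Administrators can read, and the caller must send that file's contents back. The following is an added example (not code from the original post) that implements that two-step exchange and then builds the storage request with the token. It assumes the default identity endpoint http://localhost:40342/metadata/identity/oauth2/token and the default key-file directories of the agent; FakeHimds and every sample value are constructed so the script runs offline.

```python
"""Managed-identity token acquisition on an Azure Arc-enabled server.

Added example (not from the original post). On Arc-enabled servers the
identity endpoint is served by the Hybrid Instance Metadata Service (HIMDS)
on localhost:40342 and requires a challenge step: the first request gets
HTTP 401 with 'WWW-Authenticate: Basic realm=<key file>', where the key file
is readable only by root/Administrators. Echoing its contents back as a
Basic credential proves local privilege, which is what stops an
unprivileged process on the box from minting tokens for the machine.
"""
import email.message
import io
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request

# The agent exports IDENTITY_ENDPOINT on a connected machine; fall back to the default.
IDENTITY_ENDPOINT = os.environ.get(
    "IDENTITY_ENDPOINT", "http://localhost:40342/metadata/identity/oauth2/token")
API_VERSION = "2020-06-01"
STORAGE_RESOURCE = "https://storage.azure.com/"
# Directories the Connected Machine agent writes challenge key files to (Linux / Windows).
KEY_DIRS = ("/var/opt/azcmagent/tokens/", "C:\\ProgramData\\AzureConnectedMachineAgent\\Tokens\\")


def challenge_key_path(www_authenticate):
    """Parse 'Basic realm=<path>' and refuse paths outside the agent's token directories."""
    match = re.fullmatch(r"\s*Basic\s+realm=(\S+)\s*", www_authenticate or "")
    if not match:
        raise ValueError(f"unexpected WWW-Authenticate header: {www_authenticate!r}")
    path = match.group(1)
    if not path.startswith(KEY_DIRS):
        # A listener that sends us elsewhere is not HIMDS; do not read arbitrary files for it.
        raise ValueError(f"challenge key outside agent token directory: {path}")
    return path


def _read_key_file(path):
    with open(path, "r", encoding="utf-8") as fh:  # requires root/Administrators
        return fh.read().strip()


def get_arc_token(resource, opener=urllib.request.urlopen, read_key=_read_key_file):
    """Run the two-step HIMDS exchange and return the parsed token JSON.

    opener and read_key are injectable so the flow can be exercised offline.
    """
    url = (f"{IDENTITY_ENDPOINT}?api-version={API_VERSION}"
           f"&resource={urllib.parse.quote(resource, safe='')}")
    try:  # Step 1: unauthenticated request, expected to be challenged
        opener(urllib.request.Request(url, headers={"Metadata": "true"}))
    except urllib.error.HTTPError as err:
        if err.code != 401:
            raise
        key_path = challenge_key_path(err.headers.get("WWW-Authenticate"))
    else:
        raise RuntimeError("identity endpoint did not issue a challenge; refusing to trust it")
    # Step 2: repeat the request, presenting the key file contents as a Basic credential
    req = urllib.request.Request(url, headers={
        "Metadata": "true", "Authorization": f"Basic {read_key(key_path)}"})
    with opener(req) as resp:
        token = json.loads(resp.read().decode("utf-8"))
    if token.get("token_type") != "Bearer" or "access_token" not in token:
        raise RuntimeError(f"malformed token response: {sorted(token)}")
    return token


def blob_get_request(token, account, container, blob):
    """Build the GET request for a blob; the identity needs the Storage Blob Data
    Reader role on the account (or container) for the call to succeed."""
    return urllib.request.Request(
        f"https://{account}.blob.core.windows.net/{container}/{blob}",
        headers={"Authorization": f"Bearer {token['access_token']}", "x-ms-version": "2020-10-02"})


class FakeHimds:
    """Offline stand-in for HIMDS, constructed for this example (not the real agent)."""

    def __init__(self, key_path, key, access_token):
        self.key_path, self.key, self.access_token, self.calls = key_path, key, access_token, 0

    def __call__(self, req):
        self.calls += 1
        if req.get_header("Metadata") != "true":
            raise urllib.error.HTTPError(req.full_url, 400, "Bad Request", email.message.Message(), None)
        if req.get_header("Authorization") != f"Basic {self.key}":
            hdrs = email.message.Message()
            hdrs["WWW-Authenticate"] = f"Basic realm={self.key_path}"
            raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", hdrs, None)
        body = {"access_token": self.access_token, "token_type": "Bearer",
                "resource": STORAGE_RESOURCE, "expires_on": "1700000000"}
        return io.BytesIO(json.dumps(body).encode("utf-8"))


if __name__ == "__main__":
    himds = FakeHimds("/var/opt/azcmagent/tokens/demo.key", "constructed-key", "eyJ.demo.token")
    tok = get_arc_token(STORAGE_RESOURCE, opener=himds, read_key=lambda _path: "constructed-key")
    print("HIMDS round trips:", himds.calls, "token:", tok["access_token"][:12] + "...")
    print(blob_get_request(tok, "mystorageacct", "logs", "2024/04/07/app.log").full_url)
```

On a real Arc-enabled server drop the opener and read_key arguments and run the script as root or Administrator; an unprivileged user gets the 401 but cannot read the key file, which is the whole point of the challenge. The path check in challenge_key_path is defensive: the client should never read a file just because something on localhost told it to.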

          Azure Policy useful queries

          Policy assignments and information about each of its respective definitions

          // Policy assignments and information about each of its respective definitions
 // Gets the policy assignments in your environment with the assignment name, the definition associated with it, the category of the definition (if applicable), and whether the definition is an initiative or a single policy.
           
           policyResources

Renaming of the Microsoft Defender for Cloud service tiers

This is not news, but I would like to remind you that Microsoft has renamed the Microsoft Defender for Cloud service tiers. These are the names that appear in Azure usage and cost exports, so cost reports or budgets filtered on the previous names need updating. The table below lists the previous and the new names of the Microsoft Defender for Cloud service tiers; the service level 4 names (the individual plans) are unchanged:

Previous service level 2 name | New service level 2 name | Service level 4 name (unchanged)
Advanced Data Security | Microsoft Defender for Cloud | Defender for SQL
Advanced Threat Protection | Microsoft Defender for Cloud | Defender for container registries
Advanced Threat Protection | Microsoft Defender for Cloud | Defender for DNS
Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Key Vault
Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Kubernetes
Advanced Threat Protection | Microsoft Defender for Cloud | Defender for MySQL
Advanced Threat Protection | Microsoft Defender for Cloud | Defender for PostgreSQL
Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Resource Manager
Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Storage
Azure Defender | Microsoft Defender for Cloud | Defender External Attack Surface Management
Azure Defender | Microsoft Defender for Cloud | Defender for Azure Cosmos DB
Azure Defender | Microsoft Defender for Cloud | Defender for Containers
Azure Defender | Microsoft Defender for Cloud | Defender for MariaDB
Security Center | Microsoft Defender for Cloud | Defender for App Service
Security Center | Microsoft Defender for Cloud | Defender for Servers
Security Center | Microsoft Defender for Cloud | Defender Cloud Security Posture Management

          Azure Network, Hub-and-Spoke Topology

          Hub and Spoke is a network topology where a central Hub is connected to multiple Spokes. The Hub acts as a central point of connectivity and control, while the Spokes are isolated networks that connect to the Hub. This topology is common in Azure to simplify the connectivity and management of virtual networks.

graph TD
    HUB(("Central Hub"))
    SPOKE1[Spoke1]
    SPOKE2[Spoke2]
    SPOKE3[Spoke3]
    SPOKEN[Spoke...]
    HUB --- SPOKE1
    HUB --- SPOKE2
    HUB --- SPOKE3
    HUB --- SPOKEN

          Key Features of the Hub and Spoke Topology

1. Centralized Connectivity: the Hub centralizes connectivity between the Spoke networks and to on-premises (the VPN or ExpressRoute gateways live in the Hub), which simplifies administration and maintenance of the network.

2. Traffic Control: the Hub is the traffic control point between the Spokes. Because virtual network peering is not transitive, Spoke-to-Spoke and egress traffic only passes through the Hub if user-defined routes send it to a firewall or NVA deployed there; that is where security and routing policy is applied centrally.

3. Scalability: a new workload gets its own Spoke and a single peering to the Hub, so the topology grows without re-wiring the existing Spokes.

4. Resilience: a failure inside one Spoke is isolated from the others. The Hub itself is a shared dependency, so its gateways and firewall should be deployed zone-redundant.

          How to Use the Hub and Spoke Topology in Azure

          To implement the Hub and Spoke topology in Azure, follow these steps:

# Step 1: Create a virtual network for the Hub (address ranges are example values; use non-overlapping prefixes)
az network vnet create --name HubVnet --resource-group MyResourceGroup --location eastus --address-prefix 10.0.0.0/16

# Step 2: Create virtual networks for the Spokes
az network vnet create --name Spoke1Vnet --resource-group MyResourceGroup --location eastus --address-prefix 10.1.0.0/16
az network vnet create --name Spoke2Vnet --resource-group MyResourceGroup --location eastus --address-prefix 10.2.0.0/16
az network vnet create --name Spoke3Vnet --resource-group MyResourceGroup --location eastus --address-prefix 10.3.0.0/16

# Step 3: Connect the Spokes to the Hub. A peering is created per side, so each link needs a
# Spoke->Hub and a Hub->Spoke peering. --allow-forwarded-traffic lets traffic forwarded by a
# firewall/NVA in the Hub (whose source IP is another Spoke) be accepted by the Spoke.
for i in 1 2 3; do
  az network vnet peering create --name Spoke${i}ToHub --resource-group MyResourceGroup --vnet-name Spoke${i}Vnet --remote-vnet HubVnet --allow-vnet-access --allow-forwarded-traffic
  az network vnet peering create --name HubToSpoke${i} --resource-group MyResourceGroup --vnet-name HubVnet --remote-vnet Spoke${i}Vnet --allow-vnet-access --allow-forwarded-traffic
done

# Step 4: Gateway transit, only once a VPN/ExpressRoute gateway exists in the Hub.
# The Hub side allows transit; the Spoke side uses the remote (Hub) gateway. The flags go on
# opposite sides, and the Hub side must be set first or the Spoke update is rejected.
for i in 1 2 3; do
  az network vnet peering update --name HubToSpoke${i} --resource-group MyResourceGroup --vnet-name HubVnet --set allowGatewayTransit=true
  az network vnet peering update --name Spoke${i}ToHub --resource-group MyResourceGroup --vnet-name Spoke${i}Vnet --set useRemoteGateways=true
done

Variant of the Hub and Spoke Topology

A variant of the Hub and Spoke topology adds peering between Spokes to allow direct connectivity between Spoke networks without going through the Hub. This can be useful where direct connectivity between two Spokes is required, such as data replication or chatty application traffic. Note that virtual network peering is not transitive: without this extra peering (or a user-defined route through a firewall in the Hub) two Spokes cannot talk to each other at all. The trade-off is that directly peered traffic never passes the Hub's firewall, so treat it as a documented exception rather than the default.

graph TD
    HUB(("Central Hub"))
    SPOKE1[Spoke1]
    SPOKE2[Spoke2]
    SPOKE3[Spoke3]
    SPOKEN[Spoke...]
    HUB --- SPOKE1
    HUB --- SPOKE2
    HUB --- SPOKE3
    HUB --- SPOKEN
    SPOKE1 -.- SPOKE2

In this case, the Spoke networks are connected to each other via virtual network peering, for example:

# Connect Spoke1 to Spoke2 (both directions are required; the peering does not become transitive through the Hub)
az network vnet peering create --name Spoke1ToSpoke2 --resource-group MyResourceGroup --vnet-name Spoke1Vnet --remote-vnet Spoke2Vnet --allow-vnet-access
az network vnet peering create --name Spoke2ToSpoke1 --resource-group MyResourceGroup --vnet-name Spoke2Vnet --remote-vnet Spoke1Vnet --allow-vnet-access

          Scalability and Performance

Virtual network peering is limited to 500 peerings per virtual network, so a single Hub can front hundreds of Spokes; larger or multi-region estates use several Hubs or Azure Virtual WAN. Traffic between peered virtual networks stays on the Microsoft backbone without passing a gateway, so latency and bandwidth are the same as within a single virtual network; only traffic that you deliberately route through a firewall or NVA in the Hub pays the extra hop.

          Security and Compliance

The Hub and Spoke topology gives centralized control over network security and compliance: shared services such as Azure Firewall or a third-party NVA, the VPN/ExpressRoute gateways, private DNS and Bastion live in the Hub. Because peering is not transitive, Spoke-to-Spoke traffic and traffic to the internet only reach that firewall if each Spoke subnet has a route table whose default route (0.0.0.0/0, plus the other Spokes' prefixes) points at the firewall's private IP, and if the peerings allow forwarded traffic. Network security groups remain necessary inside each Spoke for segmentation between subnets, and Azure Policy can flag peerings created towards anything other than the approved Hub.
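The steps above create the peerings and the Security and Compliance section explains which flags make the Hub firewall effective, but nothing on the page checks the result. The following is an added example (not code from the original post) that audits a Hub and Spoke deployment from the output of az network vnet peering list for each virtual network. It assumes the field names that command returns (peeringState, allowVirtualNetworkAccess, allowForwardedTraffic, allowGatewayTransit, useRemoteGateways, remoteVirtualNetwork.id); the sample data is constructed and deliberately contains the mistakes the audit is meant to catch.

```python
"""Audit a hub-and-spoke topology from 'az network vnet peering list' output.

Added example (not from the original post). Feed it the JSON that
  az network vnet peering list --resource-group <rg> --vnet-name <vnet> -o json
returns for the hub and each spoke; the sample below is constructed in that
shape. It flags the mistakes that silently break the security model:
missing reverse peerings, gateway-transit flags on the wrong side,
forwarded traffic disabled (the hub firewall cannot reach the spoke), and
direct spoke-to-spoke peerings that bypass inspection in the hub.
"""
import json


def vnet_name(resource_id):
    """Last segment of an ARM resource ID: .../virtualNetworks/HubVnet -> HubVnet."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def audit_hub_spoke(hub, spokes, peerings_by_vnet, hub_has_gateway=True):
    """Return sorted findings; an empty list means the topology matches the model."""
    findings = []
    hub_links = {vnet_name(p["remoteVirtualNetwork"]["id"]): p for p in peerings_by_vnet.get(hub, [])}
    for spoke in spokes:
        links = {vnet_name(p["remoteVirtualNetwork"]["id"]): p for p in peerings_by_vnet.get(spoke, [])}
        to_hub = links.get(hub)
        if to_hub is None:
            findings.append(f"{spoke}: no peering to hub {hub}")
        else:
            state = to_hub.get("peeringState")
            if state != "Connected":  # 'Initiated' means the other side was never created
                findings.append(f"{spoke}: peering to {hub} is {state}, not Connected")
            if not to_hub.get("allowVirtualNetworkAccess", False):
                findings.append(f"{spoke}: allowVirtualNetworkAccess is off towards {hub}")
            if not to_hub.get("allowForwardedTraffic", False):
                # Traffic relayed by a hub firewall carries another spoke's source IP; without this it is dropped
                findings.append(f"{spoke}: allowForwardedTraffic is off; hub-forwarded traffic will be dropped")
            if to_hub.get("allowGatewayTransit", False):
                findings.append(f"{spoke}: allowGatewayTransit set on the spoke side (belongs on the hub side)")
            if hub_has_gateway and not to_hub.get("useRemoteGateways", False):
                findings.append(f"{spoke}: useRemoteGateways is off; spoke will not use the hub gateway")
        from_hub = hub_links.get(spoke)
        if from_hub is None:
            findings.append(f"{hub}: missing reverse peering to {spoke}")
        elif hub_has_gateway and not from_hub.get("allowGatewayTransit", False):
            findings.append(f"{hub}: allowGatewayTransit is off towards {spoke}")
        for other in links:
            if other != hub:  # any peering that is not to the hub skips the hub firewall
                findings.append(f"{spoke}: direct peering to {other} bypasses hub inspection")
    return sorted(findings)


def _peering(name, remote, state="Connected", access=True, forwarded=True, transit=False, use_gw=False):
    """Build one peering record in the shape the CLI returns (constructed sample data)."""
    rid = f"/subscriptions/0000/resourceGroups/MyResourceGroup/providers/Microsoft.Network/virtualNetworks/{remote}"
    return {"name": name, "peeringState": state, "allowVirtualNetworkAccess": access,
            "allowForwardedTraffic": forwarded, "allowGatewayTransit": transit,
            "useRemoteGateways": use_gw, "remoteVirtualNetwork": {"id": rid}}


# Constructed sample: Spoke1 is correct but also peers straight to Spoke2; Spoke2 has the
# gateway flags on the wrong side and forwarding off; Spoke3's reverse peering was never created.
SAMPLE_PEERINGS = {
    "HubVnet": [_peering("HubToSpoke1", "Spoke1Vnet", transit=True), _peering("HubToSpoke2", "Spoke2Vnet")],
    "Spoke1Vnet": [_peering("Spoke1ToHub", "HubVnet", use_gw=True), _peering("Spoke1ToSpoke2", "Spoke2Vnet")],
    "Spoke2Vnet": [_peering("Spoke2ToHub", "HubVnet", forwarded=False, transit=True)],
    "Spoke3Vnet": [_peering("Spoke3ToHub", "HubVnet", state="Initiated", use_gw=True)],
}


def audit_from_cli_json(hub, spokes, cli_output_by_vnet, hub_has_gateway=True):
    """Same audit, taking the raw JSON text of each 'az network vnet peering list' call."""
    parsed = {vnet: json.loads(text) for vnet, text in cli_output_by_vnet.items()}
    return audit_hub_spoke(hub, spokes, parsed, hub_has_gateway)


if __name__ == "__main__":
    for line in audit_hub_spoke("HubVnet", ["Spoke1Vnet", "Spoke2Vnet", "Spoke3Vnet"], SAMPLE_PEERINGS):
        print(line)
```

Run it periodically (or as a pipeline gate after network changes) with hub_has_gateway set to whether the Hub actually hosts a VPN/ExpressRoute gateway; with no gateway the useRemoteGateways and allowGatewayTransit checks are skipped, since those flags cannot be set at all in that case.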

          Monitoring and Logging

          Use Network Watcher to monitor and diagnose network problems in the Hub and Spoke topology. Network Watcher provides the following tools:

          • Monitoring
            • Topology view shows you the resources in your virtual network and the relationships between them.
            • Connection monitor allows you to monitor connectivity and latency between endpoints within and outside of Azure.
          • Network diagnostic tools
            • IP flow verify helps you detect traffic filtering issues at the virtual machine level.
            • NSG diagnostics helps you detect traffic filtering issues at the virtual machine, virtual machine scale set, or application gateway level.
            • Next hop helps you verify traffic routes and detect routing issues.
            • Connection troubleshoot enables a one-time check of connectivity and latency between a virtual machine and the Bastion host, application gateway, or another virtual machine.
            • Packet capture allows you to capture traffic from your virtual machine.
            • VPN troubleshoot runs multiple diagnostic checks on your gateways and VPN connections to help debug issues.
• Traffic
  • Virtual network flow logs, the recently released successor to NSG flow logs, record the IP traffic flowing through a virtual network. They are the quickest way to confirm that Spoke-to-Spoke and egress traffic really transits the Hub firewall rather than a stray direct peering.

          Use Cases and Examples

          The Hub and Spoke topology is ideal for organizations that require centralized connectivity and traffic control between multiple virtual networks in Azure. For example, an organization with multiple branches or departments can use the Hub and Spoke topology to securely and efficiently connect their virtual networks in the cloud.

          Best Practices and Tips

          When implementing the Hub and Spoke topology in Azure, it is recommended to follow these best practices:

          • Security: Apply consistent security policies at the Hub and Spokes to ensure network protection.
          • Resilience: Configure redundancy and resilience in the topology to ensure network availability in case of failures.
          • Monitoring: Use monitoring tools like Azure Monitor to monitor network traffic and detect potential performance issues.

          Conclusion

          The Hub and Spoke topology is an effective way to simplify the connectivity and management of virtual networks in Azure. It provides centralized control over network connectivity and traffic, making it easier to implement security and routing policies consistently across the network. By following the recommended best practices and tips, organizations can make the most of the Hub and Spoke topology to meet their cloud connectivity needs.

          References
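Review bot: the "Traffic" bullet in the Network Watcher tool list has no sub-items and the "References" heading at the end of the page is followed by nothing, so the page ends on two empty structural elements; the paragraph on virtual network flow logs that follows the list belongs under "Traffic", and the references should either be filled in or the heading removed. Grammar in that paragraph: "Virtual network flow logs have recently been released which allows for monitoring" should read "which allow monitoring of".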

          \ No newline at end of file diff --git a/blog/2024/04/19/azure-role-based-access-control-rbac/index.html b/blog/2024/04/19/azure-role-based-access-control-rbac/index.html new file mode 100644 index 0000000..d598c19 --- /dev/null +++ b/blog/2024/04/19/azure-role-based-access-control-rbac/index.html @@ -0,0 +1,29 @@ + Azure Role-Based Access Control (RBAC) - Un Rinconcito donde contar lo que quiera

          Azure Role-Based Access Control (RBAC)

          Azure Role-Based Access Control (RBAC) is a system that provides fine-grained access management of resources in Azure. This allows administrators to grant only the amount of access that users need to perform their jobs.

          Overview

          In Azure RBAC, you can assign roles to user accounts, groups, service principals, and managed identities at different scopes. The scope could be a management group, subscription, resource group, or a single resource.

          Here are some key terms you should know:

          • Role: A collection of permissions. For example, the "Virtual Machine Contributor" role allows the user to create and manage virtual machines.
          • Scope: The set of resources that the access applies to.
          • Assignment: The act of granting a role to a security principal at a particular scope.

          Built-in Roles

          Azure provides several built-in roles that you can assign to users, groups, service principals, and managed identities. Here are a few examples:

          • Owner: Has full access to all resources including the right to delegate access to others.
          • Contributor: Can create and manage all types of Azure resources but can’t grant access to others.
          • Reader: Can view existing Azure resources.
          {
          +  "Name": "Contributor",
          +  "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
          +  "IsCustom": false,
          +  "Description": "Lets you manage everything except access to resources.",
          +  "Actions": [
          +    "*"
          +  ],
          +  "NotActions": [
          +    "Microsoft.Authorization/*/Delete",
          +    "Microsoft.Authorization/*/Write",
          +    "Microsoft.Authorization/elevateAccess/Action"
          +  ],
          +  "DataActions": [],
          +  "NotDataActions": [],
          +  "AssignableScopes": [
          +    "/"
          +  ]
          +}
          +

          Custom Roles

          If the built-in roles don't meet your specific needs, you can create your own custom roles. Just like built-in roles, you can assign permissions to custom roles and then assign those roles to users.

          Conclusion

          Azure RBAC is a powerful tool for managing access to your Azure resources. By understanding its core concepts and how to apply them, you can ensure that users have the appropriate level of access for their job.
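Review bot: the Contributor role definition JSON appears directly after the "Reader" bullet with no sentence introducing it, so the reader cannot tell which built-in role it belongs to until reaching `"Name": "Contributor"`; add a lead-in such as "The built-in Contributor role definition looks like this:" before the block. It is also worth spelling out in the prose what the JSON shows, because it is the mechanism behind "can't grant access to others": `"Actions": ["*"]` grants everything, and the `NotActions` entries `Microsoft.Authorization/*/Write`, `Microsoft.Authorization/*/Delete` and `Microsoft.Authorization/elevateAccess/Action` carve out role-assignment management and the elevate-access operation, which is how the role stays below Owner. That same Actions-minus-NotActions pattern is what a custom role author needs to understand, so the "Custom Roles" section could refer back to it.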

          \ No newline at end of file diff --git a/blog/2024/04/19/how-to-create-assigment-reports-for-azure-rbac/index.html b/blog/2024/04/19/how-to-create-assigment-reports-for-azure-rbac/index.html new file mode 100644 index 0000000..c9daed4 --- /dev/null +++ b/blog/2024/04/19/how-to-create-assigment-reports-for-azure-rbac/index.html @@ -0,0 +1,114 @@ + How to create assigment Reports for Azure RBAC - Un Rinconcito donde contar lo que quiera

          How to create assigment Reports for Azure RBAC

          Role-Based Access Control (RBAC) is a key feature of Azure that allows you to manage access to Azure resources. With RBAC, you can grant permissions to users, groups, and applications at a certain scope, such as a subscription, resource group, or resource. RBAC uses role assignments to determine what actions a user, group, or application can perform on a resource.

          In this article, we will show you how to create reports for role assignments in Azure using PowerShell and the ImportExcel module. We will generate separate Excel files for role assignments at the subscription and management group levels, including information such as the role, principal, scope, and whether the assignment is inherited.

          This is the PowerShell script that generates the role assignment reports:

          # Parameters setup
          +param (
          +    [Parameter(Mandatory=$false)]
          +    [string]$SubscriptionId,
          +
          +    [Parameter(Mandatory=$false)]
          +    [string]$ManagementGroupName,
          +
          +    [Parameter(Mandatory=$false)]
          +    [bool]$GetSubscriptions = $false,
          +
          +    [Parameter(Mandatory=$false)]
          +    [bool]$GetManagementGroups = $true
          +)
          +
          +
          +# Install the ImportExcel module if not already installed
          +if (!(Get-Module -ListAvailable -Name ImportExcel)) {
          +    Install-Module -Name ImportExcel -Scope CurrentUser
          +}
          +
          +# Define the path to your Excel file for Managing Group role assignments
          +$managementGroupPath = ".\AzRoleAssignmentMg.xlsx"
          +# Define the path to your Excel file for Subscription role assignments
          +$subscriptionPath = ".\AzRoleAssignmentSub.xlsx"
          +
          +# Initialize an empty array to hold all role assignments
          +$subscriptionRoleAssignments = @()
          +$managementGroupRoleAssignments = @()
          +
          +# Get all management groups
          +$managementGroups = Get-AzManagementGroup
          +
          +# Loop through each management group
          +foreach ($mg in $managementGroups) {
          +    # Get role assignments for the current management group
          +    $roleAssignments = Get-AzRoleAssignment -Scope "/providers/Microsoft.Management/managementGroups/$($mg.Name)"
          +
          +    # Add these role assignments to the management group role assignments array
          +    $managementGroupRoleAssignments += $roleAssignments
          +
          +    # Add 'GroupName' and 'IsInherited' properties to each role assignment object
          +    $roleAssignments | ForEach-Object { 
          +        $_ | Add-Member -NotePropertyName 'GroupDisplayName' -NotePropertyValue $mg.DisplayName
          +        $_ | Add-Member -NotePropertyName 'GroupName' -NotePropertyValue $mg.Name 
          +        # If the Scope of the role assignment is equal to the Id of the management group,
          +        # then the role assignment is not inherited; otherwise, it is inherited.
          +        if ($_.Scope -eq $mg.Id) {
          +            $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $false
          +        } else {
          +            $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $true
          +        }
          +    }
          +
          +    # Export the role assignments to a new sheet in the Excel file
          +    $roleAssignments | Export-Excel -Path $managementGroupPath -WorksheetName $mg.DisplayName -AutoSize -AutoFilter
          +}
          +
          +if ($GetSubscriptions) {   
          +    # Check if SubscriptionId is provided
          +    if ($SubscriptionId) {
          +        # Get role assignments for the specified subscription
          +        $roleAssignments = Get-AzRoleAssignment -Scope "/subscriptions/$SubscriptionId"
          +
          +        # Add these role assignments to the subscription role assignments array
          +        $subscriptionRoleAssignments += $roleAssignments
          +
          +        # Add 'SubscriptionName' and 'IsInherited' properties to each role assignment object
          +        $roleAssignments | ForEach-Object { 
          +            $_ | Add-Member -NotePropertyName 'SubscriptionName' -NotePropertyValue (Get-AzSubscription -SubscriptionId $SubscriptionId).Name 
          +            $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $false
          +        }
          +
          +        # Export the role assignments to a new sheet in the Excel file
          +        $roleAssignments | Export-Excel -Path $subscriptionPath -WorksheetName (Get-AzSubscription -SubscriptionId $SubscriptionId).Name -AutoSize -AutoFilter
          +    } else {
          +        # Get all subscriptions
          +        $subscriptions = Get-AzSubscription
          +
          +        # Loop through each subscription
          +        foreach ($sub in $subscriptions) {
          +            # Get role assignments for the current subscription
          +            $roleAssignments = Get-AzRoleAssignment -Scope "/subscriptions/$($sub.SubscriptionId)"
          +
          +            # Add these role assignments to the subscription role assignments array
          +            $subscriptionRoleAssignments += $roleAssignments
          +
          +            # Add 'SubscriptionName' and 'IsInherited' properties to each role assignment object
          +            $roleAssignments | ForEach-Object { 
          +                $_ | Add-Member -NotePropertyName 'SubscriptionName' -NotePropertyValue $sub.Name
          +                 # If the Scope of the role assignment is equal to the subscription Id,
          +                 # then the role assignment is not inherited; otherwise, it is inherited.
          +                if ($_.Scope -eq "/subscriptions/$($sub.Id)") {
          +                    $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $false
          +                } else {
          +                    $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $true                }
          +
          +            }
          +
          +            # Export the role assignments to a new sheet in the Excel file
          +            $roleAssignments | Export-Excel -Path $subscriptionPath -WorksheetName $sub.Name -AutoSize -AutoFilter
          +        }
          +    }
          +}
          +
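Review bot: `$GetManagementGroups` is declared in the param block but never checked; the `foreach ($mg in $managementGroups)` loop runs unconditionally, so wrap it in `if ($GetManagementGroups) { ... }` to mirror the `if ($GetSubscriptions)` gate, otherwise the parameter is misleading. The aggregate arrays `$managementGroupRoleAssignments` and `$subscriptionRoleAssignments` are filled with `+=` but never exported or otherwise used; either write them to a consolidated sheet or drop them. The `Export-Excel -WorksheetName $mg.DisplayName` call uses the display name as sheet name, which is not guaranteed unique and is subject to the 31-character worksheet-name limit, so two groups with the same display name would overwrite each other's sheet; `$mg.Name` (the unique id used for the scope string) is the safer choice, with the display name kept as a column. Style: the closing brace of the else branch at `-NotePropertyValue $true                }` sits on the same line as the statement and the two comment lines above it are indented one space too far; and `Get-AzSubscription -SubscriptionId $SubscriptionId` is called twice in the single-subscription branch where one call stored in a variable would do. Documentation: the title and URL slug spell "assigment"; fix the title text, and if the slug is changed too, note that existing links break.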
          \ No newline at end of file diff --git a/blog/2024/04/22/management-groups/index.html b/blog/2024/04/22/management-groups/index.html index 9e00ed3..c4f21b2 100644 --- a/blog/2024/04/22/management-groups/index.html +++ b/blog/2024/04/22/management-groups/index.html @@ -1,4 +1,4 @@ - Management Groups - Un Rinconcito donde contar lo que quiera

          Management Groups

          What are Management Groups?

          Management Groups are a way to manage access, policies, and compliance for multiple subscriptions. They provide a way to manage access, policies, and compliance for multiple subscriptions. Management groups are containers that help you manage access, policy, and compliance for multiple subscriptions. You organize subscriptions into containers called "management groups" and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.

          Management Groups Hierarchy

          The management group hierarchy is a level of management groups that represent the different levels of your organization. The hierarchy starts with a single root management group, which represents the Microsoft Entra ID tenant. The root management group is the highest level in the hierarchy. All other management groups are subgroups of the root management group.

          Management group design considerations

          When designing your management group hierarchy, consider the following:

          • How does your organization differentiate services that are managed or run by particular teams?

          • Are there any specific operations that need to be isolated due to business or regulatory compliance requirements?

          • Management groups can be utilized to consolidate policy and initiative assignments through Azure Policy.

          • A management group hierarchy can accommodate up to six nested levels. The tenant root level and the subscription level are not included in this count.

          • Any principal, be it a user or service principal, within a Microsoft Entra tenant has the authority to establish new management groups. This is due to the fact that Azure role-based access control (RBAC) authorization for managing group activities is not activated by default. For additional details, refer to the guide on safeguarding your resource hierarchy.

          • By default, all newly created subscriptions will be assigned to the tenant root management group.

          Management group recommendations

          • Maintain a relatively flat management group hierarchy, ideally with three to four levels maximum. This practice minimizes managerial complexity and overhead.

          • Refrain from mirroring your organizational structure into a deeply nested management group hierarchy. Utilize management groups primarily for policy assignment rather than billing. This strategy aligns with the Azure landing zone conceptual architecture, which applies Azure policies to workloads that need similar security and compliance at the same management group level.

          • Establish management groups under your root-level group representing different types of workloads you will host. These groups should reflect the security, compliance, connectivity, and feature requirements of the workloads. By doing this, you can apply a set of Azure policies at the management group level for all workloads with similar needs.

          • Leverage resource tags for querying and horizontally traversing across the management group hierarchy. Resource tags, enforced or appended via Azure Policy, allow you to group resources for search purposes without relying on a complex management group hierarchy.

          • Set up a top-level sandbox management group. This allows users to immediately experiment with Azure and try out resources not yet permitted in production environments. The sandbox provides isolation from your development, testing, and production settings.

          • Create a platform management group beneath the root management group to support common platform policy and Azure role assignments. This ensures distinct policies can be applied to subscriptions used for your Azure foundation and centralizes billing for common resources in one foundational subscription set.

          • Minimize the number of Azure Policy assignments made at the root management group scope. This reduces the debugging of inherited policies in lower-level management groups.

          • Implement policies to enforce compliance requirements either at the management group or subscription scope to achieve policy-driven governance.

          • Ensure only privileged users have operational access to management groups in the tenant. Enable Azure RBAC authorization in the management group hierarchy settings to fine-tune user privileges. By default, all users are authorized to create their own management groups under the root management group.

          • Set up a default, dedicated management group for new subscriptions. This prevents any subscriptions from being placed under the root management group. This is particularly important if there are users eligible for Microsoft Developer Network (MSDN) or Visual Studio benefits and subscriptions. A sandbox management group could be a suitable candidate for this type of management group. For more information, see Setting - default management group.

          • Avoid creating management groups for production, testing, and development environments. If needed, separate these groups into different subscriptions within the same management group.

          Management Group Structure in the Enterprise Scale Landing Zone

          This is the common structure for the Management Groups in the Enterprise Scale Landing Zone:

              graph TD
          +    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

          Management Groups

          What are Management Groups?

          Management Groups are a way to manage access, policies, and compliance for multiple subscriptions. They provide a way to manage access, policies, and compliance for multiple subscriptions. Management groups are containers that help you manage access, policy, and compliance for multiple subscriptions. You organize subscriptions into containers called "management groups" and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.

          Management Groups Hierarchy

          The management group hierarchy is a level of management groups that represent the different levels of your organization. The hierarchy starts with a single root management group, which represents the Microsoft Entra ID tenant. The root management group is the highest level in the hierarchy. All other management groups are subgroups of the root management group.

          Management group design considerations

          When designing your management group hierarchy, consider the following:

          • How does your organization differentiate services that are managed or run by particular teams?

          • Are there any specific operations that need to be isolated due to business or regulatory compliance requirements?

          • Management groups can be utilized to consolidate policy and initiative assignments through Azure Policy.

          • A management group hierarchy can accommodate up to six nested levels. The tenant root level and the subscription level are not included in this count.

          • Any principal, be it a user or service principal, within a Microsoft Entra tenant has the authority to establish new management groups. This is due to the fact that Azure role-based access control (RBAC) authorization for managing group activities is not activated by default. For additional details, refer to the guide on safeguarding your resource hierarchy.

          • By default, all newly created subscriptions will be assigned to the tenant root management group.

          Management group recommendations

          • Maintain a relatively flat management group hierarchy, ideally with three to four levels maximum. This practice minimizes managerial complexity and overhead.

          • Refrain from mirroring your organizational structure into a deeply nested management group hierarchy. Utilize management groups primarily for policy assignment rather than billing. This strategy aligns with the Azure landing zone conceptual architecture, which applies Azure policies to workloads that need similar security and compliance at the same management group level.

          • Establish management groups under your root-level group representing different types of workloads you will host. These groups should reflect the security, compliance, connectivity, and feature requirements of the workloads. By doing this, you can apply a set of Azure policies at the management group level for all workloads with similar needs.

          • Leverage resource tags for querying and horizontally traversing across the management group hierarchy. Resource tags, enforced or appended via Azure Policy, allow you to group resources for search purposes without relying on a complex management group hierarchy.

          • Set up a top-level sandbox management group. This allows users to immediately experiment with Azure and try out resources not yet permitted in production environments. The sandbox provides isolation from your development, testing, and production settings.

          • Create a platform management group beneath the root management group to support common platform policy and Azure role assignments. This ensures distinct policies can be applied to subscriptions used for your Azure foundation and centralizes billing for common resources in one foundational subscription set.

          • Minimize the number of Azure Policy assignments made at the root management group scope. This reduces the debugging of inherited policies in lower-level management groups.

          • Implement policies to enforce compliance requirements either at the management group or subscription scope to achieve policy-driven governance.

          • Ensure only privileged users have operational access to management groups in the tenant. Enable Azure RBAC authorization in the management group hierarchy settings to fine-tune user privileges. By default, all users are authorized to create their own management groups under the root management group.

          • Set up a default, dedicated management group for new subscriptions. This prevents any subscriptions from being placed under the root management group. This is particularly important if there are users eligible for Microsoft Developer Network (MSDN) or Visual Studio benefits and subscriptions. A sandbox management group could be a suitable candidate for this type of management group. For more information, see Setting - default management group.

          • Avoid creating management groups for production, testing, and development environments. If needed, separate these groups into different subscriptions within the same management group.

          Management Group Structure in the Enterprise Scale Landing Zone

          This is the common structure for the Management Groups in the Enterprise Scale Landing Zone:

              graph TD
                   A[Root Management Group] --> B[Intermediary-Management-Group]
                   B --> C[Decommissioned]
                   B --> D[Landing Zones]
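Review bot: the opening paragraph under "What are Management Groups?" states the same definition three times in a row ("Management Groups are a way to manage access, policies, and compliance...", "They provide a way to manage access, policies, and compliance...", "Management groups are containers that help you manage access, policy, and compliance..."); keep one of them. The `graph TD` block added at the end of the new version shows only three edges (Root Management Group to Intermediary-Management-Group, then Decommissioned and Landing Zones), while the recommendations above describe a platform management group beneath the root and a top-level sandbox group; if the diagram is meant to show the common Enterprise Scale structure, those nodes are missing as rendered here. Two in-text references, "the guide on safeguarding your resource hierarchy" and "Setting - default management group", have no link target; since both back the security-relevant point that any user can create management groups until RBAC authorization for the hierarchy is enabled, they should be linked.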
          diff --git a/blog/2024/04/23/moving-management-groups-and-subscriptions/index.html b/blog/2024/04/23/moving-management-groups-and-subscriptions/index.html
          index 1e7ee2e..7f7663a 100644
          --- a/blog/2024/04/23/moving-management-groups-and-subscriptions/index.html
          +++ b/blog/2024/04/23/moving-management-groups-and-subscriptions/index.html
          @@ -7,4 +7,4 @@
               .gdesc-inner { font-size: 0.75rem; }
               body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
               body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
          -    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

          Moving Management Groups and Subscriptions

          Managing your Azure resources efficiently often involves moving management groups and subscriptions. Here's a brief guide on how to do it:

          Moving Management Groups

          To move a management group, you need to have the necessary permissions. You must be an owner of the target parent management group and have Management Group Contributor role at the group you want to move.

          Here's the step-by-step process:

          1. Navigate to the Azure portal.
          2. Go to Management groups.
          3. Select the management group you want to move.
          4. Click Details.
          5. Under Parent group, click Change.
          6. Choose the new parent group from the list and click Save.

          Remember, moving a management group will also move all its child resources including other management groups and subscriptions.

          Moving Subscriptions

          You can move a subscription from one management group to another or within the same management group. To do this, you must have the Owner or Contributor role at the target management group and Owner role at the subscription level.

          Follow these steps:

          1. Go to the Azure portal.
          2. Navigate to Management groups.
          3. Select the management group where the subscription currently resides.
          4. Click on Subscriptions.
          5. Find the subscription you want to move and select ..." (More options).
          6. Click Change parent.
          7. In the pop-up window, select the new parent management group and click Save.

          Note

          Moving subscriptions could affect the resources if there are policies or permissions applied at the management group level. It's important to understand the implications before making the move. Also, keep in mind that you cannot move the Root management group or rename it.

          In conclusion, moving management groups and subscriptions allows for better organization and management of your Azure resources. However, it should be done carefully considering the impact on resources and compliance with assigned policies.

          \ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

          Moving Management Groups and Subscriptions

          Managing your Azure resources efficiently often involves moving management groups and subscriptions. Here's a brief guide on how to do it:

          Moving Management Groups

          To move a management group, you need to have the necessary permissions. You must be an owner of the target parent management group and have Management Group Contributor role at the group you want to move.

          Here's the step-by-step process:

          1. Navigate to the Azure portal.
          2. Go to Management groups.
          3. Select the management group you want to move.
          4. Click Details.
          5. Under Parent group, click Change.
          6. Choose the new parent group from the list and click Save.

          Remember, moving a management group will also move all its child resources including other management groups and subscriptions.

          Moving Subscriptions

          You can move a subscription from one management group to another or within the same management group. To do this, you must have the Owner or Contributor role at the target management group and Owner role at the subscription level.

          Follow these steps:

          1. Go to the Azure portal.
          2. Navigate to Management groups.
          3. Select the management group where the subscription currently resides.
          4. Click on Subscriptions.
          5. Find the subscription you want to move and select ..." (More options).
          6. Click Change parent.
          7. In the pop-up window, select the new parent management group and click Save.

          Note

          Moving subscriptions could affect the resources if there are policies or permissions applied at the management group level. It's important to understand the implications before making the move. Also, keep in mind that you cannot move the Root management group or rename it.

          In conclusion, moving management groups and subscriptions allows for better organization and management of your Azure resources. However, it should be done carefully considering the impact on resources and compliance with assigned policies.
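Review bot: the only change in this hunk is trailing whitespace on the `.gslide-desc` CSS line, which is why the page body is shown twice unchanged; the two content issues below apply to both copies. Step 5 under "Follow these steps" has an unbalanced quote: `select ..." (More options)` should be `select "..." (More options)`. The Note says moving a subscription "could affect the resources if there are policies or permissions applied at the management group level" without saying how; the mechanism is the inheritance described on the management groups page, so state it plainly: role assignments and policy assignments inherited from the old parent chain stop applying, and those of the new parent chain start applying, the moment the move is saved, so the reviewer of a move should compare the two chains' assignments before clicking Save.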

          \ No newline at end of file diff --git a/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/index.html b/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/index.html index 15c1ce1..57a4237 100644 --- a/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/index.html +++ b/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/index.html @@ -7,7 +7,7 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

          How to create a Management Group diagram with draw.io

          I nedd to create a diagram of the Management Groups in Azure, and I remembered a project that did something similar but with PowerShell: https://github.com/PowerShellToday/new-mgmgroupdiagram.

          Export your Management Group structure from Azure Portal or ask for it

          If you can access the Azure Portal, you can export the Management Group structure to a CSV file. To do this, follow these steps:

          1. Go to the Azure portal.
          2. Navigate to Management groups.
          3. Click on Export.
          4. Save the CSV file to your local machine.

          If you don't have access to the Azure Portal, you can ask your Azure administrator to export the Management Group structure for you.

          The file has the following columns:

          • id: The unique identifier of the Management Group or subscription.
          • displayName: The name of the Management Group or subscription.
          • itemType: The type of the item (Management Group or subscription).
          • path: The path to the management or subscription group, its parent.
          • accessLevel: Your access level.
          • childSubscriptionCount: The number of child subscriptions at this level.
          • totalSubscriptionCount: The total number of subscriptions.

          Create a CSV to be imported into draw.io

          1. Import the CSV file to excel, rename the sheet to "Export_Portal"
          2. Create a second sheet with the following columns:
            • id: reference to the id in the first sheet
            • displayName: reference to the displayName in the first sheet
            • itemType: reference to the itemType in the first sheet
            • Parent: Use the following formula to get the parent of the current item:
              =IF(ISERROR(FIND(","; Export_Portal!D2)); Export_Portal!D2; TRIM(RIGHT(SUBSTITUTE(Export_Portal!D2; ","; REPT(" "; LEN(Export_Portal!D2))); LEN(Export_Portal!D2))))
              +    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                diff --git a/blog/2024/04/index.html b/blog/2024/04/index.html
                index a675b73..4973b74 100644
                --- a/blog/2024/04/index.html
                +++ b/blog/2024/04/index.html
                @@ -7,7 +7,7 @@
                     .gdesc-inner { font-size: 0.75rem; }
                     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
                     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
                -    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                    +    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       
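Review bot: the `-` and `+` lines for the `.gslide-desc` rule in this hunk carry identical rule text, so whatever differs (trailing whitespace or line endings) is not visible in the rendered hunk and the change is whitespace-only churn in generated HTML; normalizing trailing whitespace in the site build would keep these rebuild-only diffs out of review and make real content changes in `blog/2024/04/index.html` easier to spot.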

                    2024/04

                    How to create a Management Group diagram with draw.io

I need to create a diagram of the Management Groups in Azure, and I remembered a project that did something similar but with PowerShell: https://github.com/PowerShellToday/new-mgmgroupdiagram.

                    Export your Management Group structure from Azure Portal or ask for it

                    If you can access the Azure Portal, you can export the Management Group structure to a CSV file. To do this, follow these steps:

                    1. Go to the Azure portal.
                    2. Navigate to Management groups.
                    3. Click on Export.
                    4. Save the CSV file to your local machine.

                    If you don't have access to the Azure Portal, you can ask your Azure administrator to export the Management Group structure for you.

                    The file has the following columns:

                    • id: The unique identifier of the Management Group or subscription.
                    • displayName: The name of the Management Group or subscription.
                    • itemType: The type of the item (Management Group or subscription).
• path: The path to the Management Group or subscription, i.e. its parent.
                    • accessLevel: Your access level.
                    • childSubscriptionCount: The number of child subscriptions at this level.
                    • totalSubscriptionCount: The total number of subscriptions.

                    Create a CSV to be imported into draw.io

1. Import the CSV file into Excel and rename the sheet to "Export_Portal".
2. Create a second sheet with the following columns:
  • id: reference to the id in the first sheet
  • displayName: reference to the displayName in the first sheet
  • itemType: reference to the itemType in the first sheet
  • Parent: use the following formula to get the parent of the current item (if the path contains no comma the path itself is used, otherwise the text after the last comma, trimmed):
    =IF(ISERROR(FIND(","; Export_Portal!D2)); Export_Portal!D2; TRIM(RIGHT(SUBSTITUTE(Export_Portal!D2; ","; REPT(" "; LEN(Export_Portal!D2))); LEN(Export_Portal!D2))))
3. Export the second sheet to a CSV file.
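The same transformation done without Excel, as an added example that is not part of the original post: it reads the portal export, applies the Parent rule of the formula above (no comma in path: the path itself; otherwise the text after the last comma, trimmed), checks that every Parent resolves to a displayName in the export, and writes the four-column CSV for draw.io. The sample export is constructed, not real tenant data.

```python
"""Added example (not from the original post): build the draw.io CSV from the
Management Group export without Excel. SAMPLE_EXPORT is a constructed file in
the column layout described above."""
import csv
import io

DRAWIO_COLUMNS = ["id", "displayName", "itemType", "Parent"]


def parent_from_path(path: str) -> str:
    """Same result as the Excel formula applied to the 'path' column (column D):
    no comma -> the path itself, otherwise the text after the last comma, trimmed."""
    if "," not in path:
        return path
    return path.rsplit(",", 1)[1].strip()


def build_drawio_rows(portal_csv: str) -> list[dict]:
    """Read the portal export and return one row per item with the four
    columns draw.io needs (id, displayName, itemType, Parent)."""
    reader = csv.DictReader(io.StringIO(portal_csv))
    rows = []
    for rec in reader:
        rows.append({
            "id": rec["id"],
            "displayName": rec["displayName"],
            "itemType": rec["itemType"],
            "Parent": parent_from_path(rec["path"]),
        })
    return rows


def unresolved_parents(rows: list[dict]) -> list[str]:
    """Parent values that match no displayName in the export. Such rows would
    hang loose in the diagram, so check this before importing into draw.io.
    An empty Parent marks the top of the tree and is not reported."""
    names = {r["displayName"] for r in rows}
    return sorted({r["Parent"] for r in rows if r["Parent"] and r["Parent"] not in names})


def to_drawio_csv(rows: list[dict]) -> str:
    """Serialize the rows as the CSV that step 3 above exports from Excel."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=DRAWIO_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample export. 'path' lists the ancestor display names and ends
# with the direct parent; the root's path is empty, so it gets an empty Parent.
SAMPLE_EXPORT = """id,displayName,itemType,path,accessLevel,childSubscriptionCount,totalSubscriptionCount
root-mg,Tenant Root Group,Management Group,,Owner,0,2
platform-mg,Platform,Management Group,Tenant Root Group,Owner,0,2
identity-mg,Identity,Management Group,"Tenant Root Group, Platform",Owner,1,1
connectivity-mg,Connectivity,Management Group,"Tenant Root Group, Platform",Owner,1,1
00000000-0000-0000-0000-000000000001,sub-identity,Subscription,"Tenant Root Group, Platform, Identity",Owner,0,0
00000000-0000-0000-0000-000000000002,sub-conn,Subscription,"Tenant Root Group, Platform, Connectivity",Owner,0,0
"""

if __name__ == "__main__":
    rows = build_drawio_rows(SAMPLE_EXPORT)
    print(to_drawio_csv(rows))
    print("unresolved parents:", unresolved_parents(rows))
```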

                    Import the CSV file into draw.io

                    1. Go to draw.io and create a new diagram.
                    2. Click on Arrange > Insert > Advanced > CSV.
3. Insert the header for the columns: id, displayName, itemType, Parent:

    #label: %displayName%
    #stylename: itemType
    #styles: {"Management Group": "label;image=img/lib/azure2/general/Management_Groups.svg;whiteSpace=wrap;html=1;rounded=1; fillColor=%fill%;strokeColor=#6c8ebf;fillColor=#dae8fc;points=[[0.5,0,0,0,0],[0.5,1,0,0,0]];",\
                      @@ -138,7 +138,173 @@
                               D --> H[Online]
                               E --> I[Connectivity]
                               E --> J[Identity]
                      -        E --> K[Management]
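Review bot: this hunk drops the edge `E --> K[Management]` from the landing-zone diagram while the 166 lines it adds are not shown here; confirm the new content re-adds the Management node under E next to `I[Connectivity]` and `J[Identity]`, otherwise the rendered graph silently loses that landing zone.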

                      😄

                      References

                      • https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups
                      • https://learn.microsoft.com/en-us/azure/governance/management-groups/overview

Microsoft Defender for Cloud service tier renames

This is not new, but I would like to recall that Microsoft has changed the names of the Microsoft Defender for Cloud service tiers. The table below lists the previous and the new service tier names for Microsoft Defender for Cloud:

PREVIOUS service tier 2 name | NEW service tier 2 name      | Service tier 4 (unchanged)
-----------------------------|------------------------------|-------------------------------------------
Advanced Data Security       | Microsoft Defender for Cloud | Defender for SQL
Advanced Threat Protection   | Microsoft Defender for Cloud | Defender for container registries
Advanced Threat Protection   | Microsoft Defender for Cloud | Defender for DNS
Advanced Threat Protection   | Microsoft Defender for Cloud | Defender for Key Vault
Advanced Threat Protection   | Microsoft Defender for Cloud | Defender for Kubernetes
Advanced Threat Protection   | Microsoft Defender for Cloud | Defender for MySQL
Advanced Threat Protection   | Microsoft Defender for Cloud | Defender for PostgreSQL
Advanced Threat Protection   | Microsoft Defender for Cloud | Defender for Resource Manager
Advanced Threat Protection   | Microsoft Defender for Cloud | Defender for Storage
Azure Defender               | Microsoft Defender for Cloud | Defender External Attack Surface Management
Azure Defender               | Microsoft Defender for Cloud | Defender for Azure Cosmos DB
Azure Defender               | Microsoft Defender for Cloud | Defender for Containers
Azure Defender               | Microsoft Defender for Cloud | Defender for MariaDB
Security Center              | Microsoft Defender for Cloud | Defender for App Service
Security Center              | Microsoft Defender for Cloud | Defender for Servers
Security Center              | Microsoft Defender for Cloud | Defender Cloud Security Posture Management

                    Azure Network, Hub-and-Spoke Topology

                    Hub and Spoke is a network topology where a central Hub is connected to multiple Spokes. The Hub acts as a central point of connectivity and control, while the Spokes are isolated networks that connect to the Hub. This topology is common in Azure to simplify the connectivity and management of virtual networks.

                    graph TD
                    +    HUB(("Central Hub"))
                    +    SPOKE1[Spoke1]
                    +    SPOKE2[Spoke2]
                    +    SPOKE3[Spoke3]
                    +    SPOKEN[Spoke...]
                    +    HUB --- SPOKE1
                    +    HUB --- SPOKE2
                    +    HUB --- SPOKE3
                    +    HUB --- SPOKEN

                    Key Features of the Hub and Spoke Topology

                    1. Centralized Connectivity: The Hub centralizes the connectivity between the Spoke networks. This simplifies the administration and maintenance of the network.

                    2. Traffic Control: The Hub acts as a traffic control point between the Spoke networks. This allows for centralized application of security and routing policies.

                    3. Scalability: The Hub and Spoke topology is highly scalable and can grow to meet the organization's connectivity needs.

                    4. Resilience: The Hub and Spoke topology provides redundancy and resilience in case of network failures.

                    How to Use the Hub and Spoke Topology in Azure

                    To implement the Hub and Spoke topology in Azure, follow these steps:

                    # Step 1: Create a virtual network for the Hub
                    +az network vnet create --name HubVnet --resource-group MyResourceGroup --location eastus --address-prefix
                    +
                    +# Step 2: Create virtual networks for the Spokes
                    +az network vnet create --name Spoke1Vnet --resource-group MyResourceGroup --location eastus --address-prefix
                    +az network vnet create --name Spoke2Vnet --resource-group MyResourceGroup --location eastus --address-prefix
                    +az network vnet create --name Spoke3Vnet --resource-group MyResourceGroup --location eastus --address-prefix
                    +
                    +# Step 3: Connect the Spokes to the Hub
                    +az network vnet peering create --name Spoke1ToHub --resource-group MyResourceGroup --vnet-name Spoke1Vnet --remote-vnet HubVnet --allow-vnet-access
                    +az network vnet peering create --name Spoke2ToHub --resource-group MyResourceGroup --vnet-name Spoke2Vnet --remote-vnet HubVnet --allow-vnet-access
                    +az network vnet peering create --name Spoke3ToHub --resource-group MyResourceGroup --vnet-name Spoke3Vnet --remote-vnet HubVnet --allow-vnet-access
                    +
                    +# Step 4: Configure routing between the Hub and the Spokes
                    +az network vnet peering update --name Spoke1ToHub --resource-group MyResourceGroup --vnet-name Spoke1Vnet --set virtualNetworkGateway:AllowGatewayTransit=true
                    +az network vnet peering update --name Spoke2ToHub --resource-group MyResourceGroup --vnet-name Spoke2Vnet --set virtualNetworkGateway:AllowGatewayTransit=true
                    +az network vnet peering update --name Spoke3ToHub --resource-group MyResourceGroup --vnet-name Spoke3Vnet --set virtualNetworkGateway:AllowGatewayTransit=true
                    +
                    +# Step 5: Configure routing in the Hub
                    +az network vnet peering update --name HubToSpoke1 --resource-group MyResourceGroup --vnet-name HubVnet --set virtualNetworkGateway:UseRemoteGateways=true
                    +az network vnet peering update --name HubToSpoke2 --resource-group MyResourceGroup --vnet-name HubVnet --set virtualNetworkGateway:UseRemoteGateways=true
                    +az network vnet peering update --name HubToSpoke3 --resource-group MyResourceGroup --vnet-name HubVnet --set virtualNetworkGateway:UseRemoteGateways=true
                    +
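Review bot: several commands in Steps 1 to 5 will not run, or do the reverse of what their comments say. The `az network vnet create` lines in Steps 1 and 2 end with `--address-prefix` and no value. Step 3 creates only the spoke-to-hub links (`Spoke1ToHub`, `Spoke2ToHub`, `Spoke3ToHub`), yet Step 5 updates `HubToSpoke1`, `HubToSpoke2` and `HubToSpoke3`, which were never created; VNet peering is a pair of one-directional links, so the hub-side `az network vnet peering create --vnet-name HubVnet --remote-vnet Spoke1Vnet ...` calls are missing. Steps 4 and 5 also have the gateway flags swapped: the hub, where the gateway lives, is the side that sets `allowGatewayTransit`, and each spoke sets `useRemoteGateways`. Finally `--set virtualNetworkGateway:AllowGatewayTransit=true` is not a property path the CLI accepts; the documented forms are `--set allowGatewayTransit=true` and `--set useRemoteGateways=true` (or the `--allow-gateway-transit` / `--use-remote-gateways` flags on `peering create`).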

                    Variant of the Hub and Spoke Topology

A variant of the Hub and Spoke topology adds peering between Spokes, which is generally used to allow direct connectivity between Spoke networks without going through the Hub. This can be useful in scenarios where direct connectivity between the Spoke networks is required, such as data replication or application communication.

                    graph TD
                    +    HUB(("Central Hub"))
                    +    SPOKE1[Spoke1]
                    +    SPOKE2[Spoke2]
                    +    SPOKE3[Spoke3]
                    +    SPOKEN[Spoke...]
                    +    HUB --- SPOKE1
                    +    HUB --- SPOKE2
                    +    HUB --- SPOKE3
                    +    HUB --- SPOKEN
                    +    SPOKE1 -.- SPOKE2    
In this case, the Spoke networks are connected to each other via virtual network peering, for example:

                    # Connect Spoke1 to Spoke2
                    +az network vnet peering create --name Spoke1ToSpoke2 --resource-group MyResourceGroup --vnet-name Spoke1Vnet --remote-vnet Spoke2Vnet --allow-vnet-access
                    +
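Review bot: `Spoke1ToSpoke2` is only one direction; traffic flows only once the matching `Spoke2ToSpoke1` link is created from the other side (`--vnet-name Spoke2Vnet --remote-vnet Spoke1Vnet`). The prose should also say that every spoke-to-spoke link bypasses whatever filtering or inspection sits in the Hub, which is the trade-off of this variant and the reason to keep such peerings few and documented.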

                    Scalability and Performance

                    The Hub and Spoke topology in Azure is highly scalable and can handle thousands of virtual networks and subnets. In terms of performance, the Hub and Spoke topology provides efficient and low-latency connectivity between the Spoke networks and the Hub.

                    Security and Compliance

                    The Hub and Spoke topology in Azure provides centralized control over network security and compliance. Security and routing policies can be applied centrally at the Hub, ensuring consistency and compliance with the organization's network policies.

                    Monitoring and Logging

                    Use Network Watcher to monitor and diagnose network problems in the Hub and Spoke topology. Network Watcher provides the following tools:

                    • Monitoring
                      • Topology view shows you the resources in your virtual network and the relationships between them.
                      • Connection monitor allows you to monitor connectivity and latency between endpoints within and outside of Azure.
                    • Network diagnostic tools
                      • IP flow verify helps you detect traffic filtering issues at the virtual machine level.
                      • NSG diagnostics helps you detect traffic filtering issues at the virtual machine, virtual machine scale set, or application gateway level.
                      • Next hop helps you verify traffic routes and detect routing issues.
                      • Connection troubleshoot enables a one-time check of connectivity and latency between a virtual machine and the Bastion host, application gateway, or another virtual machine.
                      • Packet capture allows you to capture traffic from your virtual machine.
                      • VPN troubleshoot runs multiple diagnostic checks on your gateways and VPN connections to help debug issues.
• Traffic
  • Virtual network flow logs, recently released, allow monitoring of network traffic in Azure virtual networks.

                    Use Cases and Examples

                    The Hub and Spoke topology is ideal for organizations that require centralized connectivity and traffic control between multiple virtual networks in Azure. For example, an organization with multiple branches or departments can use the Hub and Spoke topology to securely and efficiently connect their virtual networks in the cloud.

                    Best Practices and Tips

                    When implementing the Hub and Spoke topology in Azure, it is recommended to follow these best practices:

                    • Security: Apply consistent security policies at the Hub and Spokes to ensure network protection.
                    • Resilience: Configure redundancy and resilience in the topology to ensure network availability in case of failures.
                    • Monitoring: Use monitoring tools like Azure Monitor to monitor network traffic and detect potential performance issues.

                    Conclusion

                    The Hub and Spoke topology is an effective way to simplify the connectivity and management of virtual networks in Azure. It provides centralized control over network connectivity and traffic, making it easier to implement security and routing policies consistently across the network. By following the recommended best practices and tips, organizations can make the most of the Hub and Spoke topology to meet their cloud connectivity needs.

                    References

                    Azure Role-Based Access Control (RBAC)

                    Azure Role-Based Access Control (RBAC) is a system that provides fine-grained access management of resources in Azure. This allows administrators to grant only the amount of access that users need to perform their jobs.

                    Overview

                    In Azure RBAC, you can assign roles to user accounts, groups, service principals, and managed identities at different scopes. The scope could be a management group, subscription, resource group, or a single resource.

                    Here are some key terms you should know:

                    • Role: A collection of permissions. For example, the "Virtual Machine Contributor" role allows the user to create and manage virtual machines.
                    • Scope: The set of resources that the access applies to.
                    • Assignment: The act of granting a role to a security principal at a particular scope.

                    Built-in Roles

                    Azure provides several built-in roles that you can assign to users, groups, service principals, and managed identities. Here are a few examples:

                    • Owner: Has full access to all resources including the right to delegate access to others.
                    • Contributor: Can create and manage all types of Azure resources but can’t grant access to others.
                    • Reader: Can view existing Azure resources.
                    {
                    +  "Name": "Contributor",
                    +  "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
                    +  "IsCustom": false,
                    +  "Description": "Lets you manage everything except access to resources.",
                    +  "Actions": [
                    +    "*"
                    +  ],
                    +  "NotActions": [
                    +    "Microsoft.Authorization/*/Delete",
                    +    "Microsoft.Authorization/*/Write",
                    +    "Microsoft.Authorization/elevateAccess/Action"
                    +  ],
                    +  "DataActions": [],
                    +  "NotDataActions": [],
                    +  "AssignableScopes": [
                    +    "/"
                    +  ]
                    +}
                    +
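Review bot: the definition is shown without saying how it was retrieved; add the command (for example `az role definition list --name Contributor` or `Get-AzRoleDefinition -Name Contributor`) so readers can reproduce it. Worth a sentence beside `NotActions`: they are subtracted from this role's own `Actions` and are not a deny, so a principal that also holds another assignment granting `Microsoft.Authorization/*/Write` can still write role assignments; deny assignments are a separate mechanism.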

                    Custom Roles

                    If the built-in roles don't meet your specific needs, you can create your own custom roles. Just like built-in roles, you can assign permissions to custom roles and then assign those roles to users.
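An added example, not from the original post, that works through the role, scope and assignment semantics above using the Contributor definition shown on this page: an action is allowed by a role when it matches Actions and none of NotActions, and an assignment applies at its own scope and every scope below it (the direct-vs-inherited distinction that the report script further down this page records as IsInherited). The scope hierarchy, the custom role and the assignments are constructed sample data.

```python
"""Added example (not from the original post): a small evaluator for the Azure
RBAC semantics described above. CONTRIBUTOR is the definition shown on the
page; the custom role, scope hierarchy and assignments are constructed."""
from fnmatch import fnmatchcase

CONTRIBUTOR = {
    "Name": "Contributor",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}
# Constructed custom role (hypothetical name) granting only role-assignment writes.
ROLE_ASSIGNER = {
    "Name": "Role Assigner (custom)",
    "Actions": ["Microsoft.Authorization/roleAssignments/write"],
    "NotActions": [],
}
ROLES = {r["Name"]: r for r in (CONTRIBUTOR, ROLE_ASSIGNER)}

MG = "/providers/Microsoft.Management/managementGroups/"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"

# Constructed hierarchy: scope -> parent scope (None at the root management group).
PARENT_SCOPE = {
    MG + "root": None,
    MG + "platform": MG + "root",
    SUB: MG + "platform",
    RG: SUB,
    VM: RG,
}


def ancestors(scope: str):
    """Yield the scope itself, then each enclosing scope up to the root."""
    while scope is not None:
        yield scope
        scope = PARENT_SCOPE.get(scope)


def action_matches(pattern: str, action: str) -> bool:
    # Azure action strings are case-insensitive and '*' spans '/' as well.
    return fnmatchcase(action.lower(), pattern.lower())


def role_allows(role: dict, action: str) -> bool:
    """Actions minus NotActions. NotActions subtracts from this role's own
    grant only; it is not a deny and does not touch other assignments."""
    granted = any(action_matches(p, action) for p in role["Actions"])
    excluded = any(action_matches(p, action) for p in role["NotActions"])
    return granted and not excluded


def evaluate(assignments: list[dict], principal: str, scope: str, action: str):
    """Return (allowed, granting_scope, inherited). An assignment applies to a
    scope when it was made at that scope or at any ancestor; 'inherited' means
    the granting scope is above the scope being evaluated."""
    in_scope = set(ancestors(scope))
    for a in assignments:
        if a["principal"] != principal or a["scope"] not in in_scope:
            continue
        if role_allows(ROLES[a["role"]], action):
            return True, a["scope"], a["scope"] != scope
    return False, None, False


# Constructed assignments: Contributor on the subscription, the custom role on one RG.
ASSIGNMENTS = [
    {"principal": "alice", "role": "Contributor", "scope": SUB},
    {"principal": "alice", "role": "Role Assigner (custom)", "scope": RG},
]

if __name__ == "__main__":
    for scope, action in [
        (VM, "Microsoft.Compute/virtualMachines/write"),
        (SUB, "Microsoft.Authorization/roleAssignments/write"),
        (RG, "Microsoft.Authorization/roleAssignments/write"),
    ]:
        print(action, "@", scope.rsplit("/", 1)[1], "->", evaluate(ASSIGNMENTS, "alice", scope, action))
```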

                    Conclusion

                    Azure RBAC is a powerful tool for managing access to your Azure resources. By understanding its core concepts and how to apply them, you can ensure that users have the appropriate level of access for their job.

How to create assignment Reports for Azure RBAC

                    Role-Based Access Control (RBAC) is a key feature of Azure that allows you to manage access to Azure resources. With RBAC, you can grant permissions to users, groups, and applications at a certain scope, such as a subscription, resource group, or resource. RBAC uses role assignments to determine what actions a user, group, or application can perform on a resource.

                    In this article, we will show you how to create reports for role assignments in Azure using PowerShell and the ImportExcel module. We will generate separate Excel files for role assignments at the subscription and management group levels, including information such as the role, principal, scope, and whether the assignment is inherited.

                    This is the PowerShell script that generates the role assignment reports:

                    # Parameters setup
                    +param (
                    +    [Parameter(Mandatory=$false)]
                    +    [string]$SubscriptionId,
                    +
                    +    [Parameter(Mandatory=$false)]
                    +    [string]$ManagementGroupName,
                    +
                    +    [Parameter(Mandatory=$false)]
                    +    [bool]$GetSubscriptions = $false,
                    +
                    +    [Parameter(Mandatory=$false)]
                    +    [bool]$GetManagementGroups = $true
                    +)
                    +
                    +
                    +# Install the ImportExcel module if not already installed
                    +if (!(Get-Module -ListAvailable -Name ImportExcel)) {
                    +    Install-Module -Name ImportExcel -Scope CurrentUser
                    +}
                    +
                    +# Define the path to your Excel file for Managing Group role assignments
                    +$managementGroupPath = ".\AzRoleAssignmentMg.xlsx"
                    +# Define the path to your Excel file for Subscription role assignments
                    +$subscriptionPath = ".\AzRoleAssignmentSub.xlsx"
                    +
                    +# Initialize an empty array to hold all role assignments
                    +$subscriptionRoleAssignments = @()
                    +$managementGroupRoleAssignments = @()
                    +
                    +# Get all management groups
                    +$managementGroups = Get-AzManagementGroup
                    +
                    +# Loop through each management group
                    +foreach ($mg in $managementGroups) {
                    +    # Get role assignments for the current management group
                    +    $roleAssignments = Get-AzRoleAssignment -Scope "/providers/Microsoft.Management/managementGroups/$($mg.Name)"
                    +
                    +    # Add these role assignments to the management group role assignments array
                    +    $managementGroupRoleAssignments += $roleAssignments
                    +
                    +    # Add 'GroupName' and 'IsInherited' properties to each role assignment object
                    +    $roleAssignments | ForEach-Object { 
                    +        $_ | Add-Member -NotePropertyName 'GroupDisplayName' -NotePropertyValue $mg.DisplayName
                    +        $_ | Add-Member -NotePropertyName 'GroupName' -NotePropertyValue $mg.Name 
                    +        # If the Scope of the role assignment is equal to the Id of the management group,
                    +        # then the role assignment is not inherited; otherwise, it is inherited.
                    +        if ($_.Scope -eq $mg.Id) {
                    +            $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $false
                    +        } else {
                    +            $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $true
                    +        }
                    +    }
                    +
                    +    # Export the role assignments to a new sheet in the Excel file
                    +    $roleAssignments | Export-Excel -Path $managementGroupPath -WorksheetName $mg.DisplayName -AutoSize -AutoFilter
                    +}
                    +
                    +if ($GetSubscriptions) {   
                    +    # Check if SubscriptionId is provided
                    +    if ($SubscriptionId) {
                    +        # Get role assignments for the specified subscription
                    +        $roleAssignments = Get-AzRoleAssignment -Scope "/subscriptions/$SubscriptionId"
                    +
                    +        # Add these role assignments to the subscription role assignments array
                    +        $subscriptionRoleAssignments += $roleAssignments
                    +
                    +        # Add 'SubscriptionName' and 'IsInherited' properties to each role assignment object
                    +        $roleAssignments | ForEach-Object { 
                    +            $_ | Add-Member -NotePropertyName 'SubscriptionName' -NotePropertyValue (Get-AzSubscription -SubscriptionId $SubscriptionId).Name 
                    +            $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $false
                    +        }
                    +
                    +        # Export the role assignments to a new sheet in the Excel file
                    +        $roleAssignments | Export-Excel -Path $subscriptionPath -WorksheetName (Get-AzSubscription -SubscriptionId $SubscriptionId).Name -AutoSize -AutoFilter
                    +    } else {
                    +        # Get all subscriptions
                    +        $subscriptions = Get-AzSubscription
                    +
                    +        # Loop through each subscription
                    +        foreach ($sub in $subscriptions) {
                    +            # Get role assignments for the current subscription
                    +            $roleAssignments = Get-AzRoleAssignment -Scope "/subscriptions/$($sub.SubscriptionId)"
                    +
                    +            # Add these role assignments to the subscription role assignments array
                    +            $subscriptionRoleAssignments += $roleAssignments
                    +
                    +            # Add 'SubscriptionName' and 'IsInherited' properties to each role assignment object
                    +            $roleAssignments | ForEach-Object { 
                    +                $_ | Add-Member -NotePropertyName 'SubscriptionName' -NotePropertyValue $sub.Name
                    +                 # If the Scope of the role assignment is equal to the subscription Id,
                    +                 # then the role assignment is not inherited; otherwise, it is inherited.
                    +                if ($_.Scope -eq "/subscriptions/$($sub.Id)") {
                    +                    $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $false
                    +                } else {
                    +                    $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $true                }
                    +
                    +            }
                    +
                    +            # Export the role assignments to a new sheet in the Excel file
                    +            $roleAssignments | Export-Excel -Path $subscriptionPath -WorksheetName $sub.Name -AutoSize -AutoFilter
                    +        }
                    +    }
                    +}
                    +
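Review bot: `$GetManagementGroups` is declared but never read, so the management-group loop runs unconditionally and the switch does nothing. In the single-subscription branch `IsInherited` is hard-coded to `$false`, yet `Get-AzRoleAssignment -Scope "/subscriptions/$SubscriptionId"` also returns assignments inherited from management groups, so that sheet mislabels them; reuse the comparison from the all-subscriptions branch (`$_.Scope -eq "/subscriptions/$SubscriptionId"`). `$subscriptionRoleAssignments` and `$managementGroupRoleAssignments` are filled but never exported, and `Get-AzSubscription -SubscriptionId $SubscriptionId` is called twice where one lookup stored in a variable would do. `-WorksheetName $mg.DisplayName` / `$sub.Name` fails for names longer than 31 characters or containing `[ ] : * ? / \`, which Excel rejects, so sanitize or truncate them. Nothing checks for an Az context (`Get-AzContext`) before the first call, so a missing `Connect-AzAccount` only surfaces as a cmdlet error.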


                    Azure Policy useful queries

                    Policy assignments and information about each of its respective definitions

                    // Policy assignments and information about each of its respective definitions
                     // Gets policy assignments in your environment with the respective assignment name,definition associated, category of definition (if applicable), as well as whether the definition type is an initiative or a single policy.
                     
                     policyResources
                    @@ -211,25 +377,4 @@
                     $destination = "https://$storageAccount.blob.core.windows.net/\$web/myFile.txt"
                     azcopy login --identity
                     azcopy copy $source $destination
                    -
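Review bot: the `$destination` line in this hunk builds the URL inside a PowerShell double-quoted string (the surrounding `$source`/`$destination` assignments are PowerShell syntax), and in PowerShell backslash is not an escape character, so `\$web` is read as a literal backslash followed by the expansion of an undefined `$web` variable and the path collapses to `.../\/myFile.txt`. Use the backtick escape instead, e.g. `$destination = "https://$storageAccount.blob.core.windows.net/`$web/myFile.txt"`, or build the container segment from a single-quoted literal such as `'$web'`.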

                    Now you can check the file in the static website of the storage account.

                    Azure ARC

                    Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running on-premises, at the edge, or in multi-cloud environments using the same Azure management tools, security, and compliance policies that you use in Azure. Azure ARC enables you to manage and govern your resources consistently across all environments, providing a unified control plane for your hybrid cloud infrastructure. Let's explore how Azure ARC works and how you can leverage it to manage your resources effectively.

                    Azure ARC Overview

                    Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running outside of Azure using the same Azure management tools, security, and compliance policies that you use in Azure. Azure ARC provides a unified control plane for managing resources across on-premises, multi-cloud, and edge environments, enabling you to govern your resources consistently.

                    Azure ARC enables you to:

                    • Manage resources: Azure ARC allows you to manage resources running on-premises, at the edge, or in multi-cloud environments using Azure management tools like Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                    • Governance: Azure ARC provides a unified control plane for managing and governing resources across all environments, enabling you to enforce security and compliance policies consistently.
                    • Security: Azure ARC extends Azure security capabilities to resources running outside of Azure, enabling you to protect your resources with Azure security features such as Microsoft Defender for Cloud (formerly Azure Security Center and Azure Defender).
                    • Compliance: Azure ARC enables you to enforce compliance policies across all environments, ensuring that your resources meet regulatory requirements and organizational standards.

                    Azure ARC Components

                    Azure ARC consists of the following components:

                    • Azure ARC-enabled servers: Azure ARC-enabled servers allow you to manage and govern servers running on-premises or at the edge using Azure management tools. You can connect your servers to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                    • Azure ARC-enabled Kubernetes clusters: Azure ARC-enabled Kubernetes clusters allow you to manage and govern Kubernetes clusters running on-premises or in other clouds using Azure management tools. You can connect your Kubernetes clusters to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                    • Azure ARC-enabled data services: Azure ARC-enabled data services allow you to manage and govern data services running on-premises or in other clouds using Azure management tools. You can connect your data services to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                    • SQL Server enabled by Azure Arc: SQL Server enabled by Azure Arc allows you to run SQL Server on any infrastructure using Azure management tools. You can connect your SQL Server instances to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                    • Azure Arc-enabled private clouds: Azure Arc resource bridge hosts the other components (custom locations, cluster extensions, and the other Azure Arc agents) that are needed to deliver Arc functionality on the private cloud infrastructures it supports.

                    Azure ARC Use Cases

                    Azure ARC can be used in a variety of scenarios to manage and govern resources across on-premises, multi-cloud, and edge environments. Some common use cases for Azure ARC include:

                    • Hybrid cloud management: Azure ARC enables you to manage resources consistently across on-premises, multi-cloud, and edge environments using the same Azure management tools and policies.
                    • Security and compliance: Azure ARC allows you to enforce security and compliance policies consistently across all environments, ensuring that your resources meet regulatory requirements and organizational standards.
                    • Resource governance: Azure ARC provides a unified control plane for managing and governing resources across all environments, enabling you to enforce policies and monitor resource health and performance.
                    • Application modernization: Azure ARC enables you to manage and govern Kubernetes clusters and data services running on-premises or in other clouds, allowing you to modernize your applications and infrastructure.

                    Getting Started with Azure ARC

                    To get started with Azure ARC, you need to:

                    1. Connect your resources: Connect your servers, Kubernetes clusters, or data services to Azure ARC using the Azure ARC agent.
                    2. Manage your resources: Use Azure management tools like Azure Policy, Azure Monitor, and Microsoft Defender for Cloud to manage and govern your resources consistently across all environments.
                    3. Enforce security and compliance: Use Azure security features like Microsoft Defender for Cloud to protect your resources and enforce security and compliance policies.
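The three steps above, carried through end to end as an added example (this is not code from the original post or from Microsoft): a server is connected with the Azure Connected Machine agent, the Arc-enabled machines are then inventoried from Azure Resource Graph, and a built-in Azure Policy is assigned to the resource group that holds them. The subscription, tenant, resource group, location and policy display name are placeholders or assumptions; the `azcmagent` step runs on the server itself, the rest from a management workstation with the Az modules installed.

```powershell
# Added example, not part of the original post. Placeholder / assumed values:
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$TenantId       = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroup  = 'rg-arc-servers'                         # assumed name
$Location       = 'westeurope'                             # assumed region

# --- Step 1 (run ON the server, elevated, after installing the agent) ---
# azcmagent is the Azure Connected Machine agent CLI; tags let Azure Policy and
# Defender for Cloud scope their work by environment/owner later on.
& azcmagent connect `
    --resource-group   $ResourceGroup `
    --tenant-id        $TenantId `
    --location         $Location `
    --subscription-id  $SubscriptionId `
    --tags             'env=prod,owner=platform'

# --- Step 2 (management workstation): inventory Arc machines and agent health ---
Connect-AzAccount -Tenant $TenantId -Subscription $SubscriptionId | Out-Null

# Azure Resource Graph query (Az.ResourceGraph module); Arc servers are the
# microsoft.hybridcompute/machines resource type.
$query = @'
resources
| where type =~ 'microsoft.hybridcompute/machines'
| extend status       = tostring(properties.status),
         osName       = tostring(properties.osName),
         agentVersion = tostring(properties.agentVersion)
| project name, resourceGroup, location, status, osName, agentVersion
| order by name asc
'@
$machines = Search-AzGraph -Query $query
$machines | Format-Table

# Anything not "Connected" has stopped reporting and is a gap in your coverage.
$machines | Where-Object { $_.status -ne 'Connected' } |
    ForEach-Object { Write-Warning "Arc agent on $($_.name) is $($_.status)" }

# --- Step 3: put the Arc machines under the same guardrails as Azure VMs ---
# Assumed built-in policy; older Az.Resources versions nest DisplayName under
# .Properties, newer ones expose it at the top level, so both are checked.
$policyName = 'Linux machines should meet requirements for the Azure compute security baseline'
$definition = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.DisplayName -eq $policyName -or $_.Properties.DisplayName -eq $policyName } |
    Select-Object -First 1
if (-not $definition) { throw "Built-in policy '$policyName' not found; check the display name" }

New-AzPolicyAssignment -Name 'arc-linux-baseline' `
    -Scope "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" `
    -PolicyDefinition $definition | Out-Null

# After the next evaluation cycle, read the compliance state (Az.PolicyInsights).
Get-AzPolicyState -ResourceGroupName $ResourceGroup `
    -Filter "PolicyAssignmentName eq 'arc-linux-baseline'" |
    Select-Object ResourceId, ComplianceState | Format-Table
```

The same Resource Graph query works in the portal's Resource Graph Explorer; the point of running it from PowerShell is that the "not Connected" warning can be scheduled, because a machine whose agent has silently stopped is a machine Defender for Cloud and Azure Policy no longer see.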

                    By leveraging Azure ARC, you can manage and govern your resources consistently across on-premises, multi-cloud, and edge environments, providing a unified control plane for your hybrid cloud infrastructure. Azure ARC enables you to enforce security and compliance policies consistently, ensuring that your resources meet regulatory requirements and organizational standards.

                    Conclusion

                    Azure ARC is a powerful service that extends Azure management capabilities to any infrastructure, enabling you to manage and govern resources consistently across on-premises, multi-cloud, and edge environments. By leveraging Azure ARC, you can enforce security and compliance policies consistently, ensuring that your resources meet regulatory requirements and organizational standards. Azure ARC provides a unified control plane for managing and governing resources, enabling you to manage your hybrid cloud infrastructure effectively.

                    For more information on Azure ARC, visit the Azure ARC documentation.

                    Microsoft Azure Certifications

                    Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft technologies. These certifications cover a variety of topics, including Azure, Office 365, Windows Server, and more.

                    Microsoft divides these certifications into different categories, such as:

                    • Infrastructure
                    • Data and AI
                    • Digital app and innovation
                    • Modern work
                    • Business applications
                    • Security

                    Within each category, you can find different certification levels:

                    • Fundamentals: This level is designed for individuals who are new to the technology and want to demonstrate their knowledge of the basics.
                    • Role-based: This level is designed for individuals who want to demonstrate their expertise in a specific role, such as Azure Administrator or Data Engineer.
                    • Specialty: This level is designed for individuals who want to demonstrate their expertise in a specific skill, such as Azure Virtual Desktop or Azure SAP.

                    In the case of role-based certifications, Microsoft offers different levels of certification, such as:

                    • Associate: This level is designed for individuals who have some experience in the technology and want to demonstrate their expertise in a specific role.
                    • Expert: This level is designed for individuals who have extensive experience in the technology and want to demonstrate their expertise in a specific role.

                    It is always a good idea to start with the fundamentals certifications, and then move on to the role-based certifications that are relevant to your career goals.

                    In the majority of cases, you need an associate certification before you can obtain an expert certification.

                    Azure Certifications

                    Here's a table summarizing the Azure Certifications and their description:

                    Certification | Exam required | Description | URL
                    Azure Administrator Associate | AZ-104 | The Azure Administrator certification is designed for individuals who want to demonstrate their expertise in managing Azure resources. This certification is ideal for IT professionals who are responsible for implementing, monitoring, and maintaining Azure solutions. | https://learn.microsoft.com/en-us/certifications/azure-administrator
                    Azure Developer Associate | AZ-204 | The Azure Developer certification is designed for individuals who want to demonstrate their expertise in developing applications on Azure. This certification is ideal for software developers who want to build and deploy cloud-based applications using Azure services. | https://learn.microsoft.com/en-us/certifications/azure-developer
                    Azure Data Engineer Associate | DP-203 | The Azure Data Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing data solutions on Azure. This certification is ideal for data professionals who are responsible for building and maintaining data pipelines and data warehouses on Azure. | https://learn.microsoft.com/en-us/certifications/azure-data-engineer
                    Azure Database Administrator Associate | DP-300 | The Azure Database Administrator certification is designed for individuals who want to demonstrate their expertise in managing Azure databases. This certification is ideal for database administrators who are responsible for designing, implementing, and maintaining databases on Azure. | https://learn.microsoft.com/en-us/certifications/azure-database-administrator
                    DevOps Engineer Expert | AZ-400 | The Azure DevOps Engineer certification is designed for individuals who want to demonstrate their expertise in implementing DevOps practices on Azure. This certification is ideal for IT professionals who are responsible for building, testing, and deploying applications using Azure DevOps. | https://learn.microsoft.com/en-us/certifications/devops-engineer
                    Azure Security Engineer Associate | AZ-500 | The Azure Security Engineer certification is designed for individuals who want to demonstrate their expertise in securing Azure resources. This certification is ideal for IT professionals who are responsible for implementing security controls and monitoring security events on Azure. | https://learn.microsoft.com/en-us/certifications/azure-security-engineer
                    Azure Network Engineer Associate | AZ-700 | The Azure Network Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing network solutions on Azure. This certification is ideal for network engineers who are responsible for building and maintaining network infrastructure on Azure. | https://learn.microsoft.com/en-us/certifications/azure-network-engineer
                    Windows Server Hybrid Administrator Associate | AZ-800, AZ-801 | The Windows Server Hybrid Administrator certification is designed for individuals who want to demonstrate their expertise in managing Windows Server resources on Azure. This certification is ideal for IT professionals who are responsible for implementing, monitoring, and maintaining Windows Server solutions on Azure. | https://learn.microsoft.com/en-us/certifications/windows-server-hybrid-administrator
                    Fabric Analytics Engineer Associate | DP-600 | The Fabric Analytics Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing analytics solutions on Azure. This certification is ideal for data professionals who are responsible for building and maintaining analytics solutions on Azure. | https://learn.microsoft.com/en-us/certifications/fabric-analytics-engineer
                    Azure AI Engineer Associate | AI-102 | The Azure AI Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing AI solutions on Azure. This certification is ideal for data scientists and AI developers who want to build and deploy AI models using Azure services. | https://learn.microsoft.com/en-us/certifications/azure-ai-engineer
                    Azure Data Scientist Associate | DP-100 | The Azure Data Scientist certification is designed for individuals who want to demonstrate their expertise in designing and implementing data science solutions on Azure. This certification is ideal for data scientists who are responsible for building and maintaining data science solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-data-scientist
                    Azure Enterprise Data Analyst Associate | DP-500 | The Azure Enterprise Data Analyst certification is designed for individuals who want to demonstrate their expertise in designing and implementing data analysis solutions on Azure. This certification is ideal for data analysts who are responsible for building and maintaining data analysis solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-enterprise-data-analyst
                    Azure Solutions Architect Expert | AZ-305 | The Azure Solutions Architect certification is designed for individuals who want to demonstrate their expertise in designing and implementing solutions on Azure. This certification is ideal for IT professionals who are responsible for designing and implementing cloud-based solutions using Azure services. | https://learn.microsoft.com/en-us/certifications/azure-solutions-architect
                    Azure for SAP Workloads Specialty | AZ-120 | The Azure for SAP Workloads certification is designed for individuals who want to demonstrate their expertise in deploying and managing SAP workloads on Azure. This certification is ideal for IT professionals who are responsible for implementing and maintaining SAP solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-for-sap-workloads
                    Azure Virtual Desktop Specialty | AZ-140 | The Azure Virtual Desktop certification is designed for individuals who want to demonstrate their expertise in deploying and managing virtual desktop solutions on Azure. This certification is ideal for IT professionals who are responsible for implementing and maintaining virtual desktop solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-virtual-desktop
                    Azure Cosmos DB Developer Specialty | DP-420 | The Azure Cosmos DB Developer certification is designed for individuals who want to demonstrate their expertise in developing applications that use Azure Cosmos DB. This certification is ideal for software developers who want to build and deploy applications that use Azure Cosmos DB. | https://learn.microsoft.com/en-us/certifications/azure-cosmos-db-developer
                    Azure Fundamentals | AZ-900 | The Azure Fundamentals certification is designed for individuals who are new to Azure and want to demonstrate their knowledge of the platform. This certification is a great starting point for anyone who wants to learn more about Azure and how it can help them build and deploy applications in the cloud. | https://learn.microsoft.com/en-us/certifications/azure-fundamentals
                    Azure AI Fundamentals | AI-900 | The Azure AI Fundamentals certification is designed for individuals who want to demonstrate their knowledge of AI concepts and how they can be applied to Azure services. This certification is ideal for anyone who wants to learn more about AI and how it can be used to build intelligent applications. | https://learn.microsoft.com/en-us/certifications/azure-ai-fundamentals
                    Azure Data Fundamentals | DP-900 | The Azure Data Fundamentals certification is designed for individuals who want to demonstrate their knowledge of data concepts and how they can be applied to Azure services. This certification is ideal for anyone who wants to learn more about data and how it can be used to build data-driven applications. | https://learn.microsoft.com/en-us/certifications/azure-data-fundamentals

                    You can find more information about Microsoft certifications on the Microsoft Certification Poster and in the Microsoft Learning website.

                    Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services

                    Today, I'd like to share a brief overview of the Privileged Access Management (PAM) strategy that other vendors recommend, mapped onto Microsoft Entra ID and some Azure services. This strategy is divided into seven phases:

                    
                    -graph LR;
                    -    A[Phase 1: Set Policy] 
                    -    C[Phase 2: The Process of Discovery]
                    -    E[Phase 3: Protect Credentials]
                    -    G[Phase 4: Secure Privileged Access]
                    -    I[Phase 5: Least Privilege]
                    -    K[Phase 6: Control All Applications]
                    -    M[Phase 7: Detect and Respond]
                    -
                    -    A-->C
                    -    C-->E
                    -    E-->G
                    -    G-->I
                    -    I-->K
                    -    K-->M
                    -    M-->A
                    -
                    -    classDef phase fill:#f9f,stroke:#333,stroke-width:2px;
                    -    class A,C,E,G,I,K,M phase;
                    -
                    -
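Review bot: removing the whole mermaid `graph LR` block leaves the preceding sentence "This strategy is divided into seven phases:" pointing at nothing until the "Info" admonition, and the only place the seven phase names were listed together (Set Policy through Detect and Respond, with the `M-->A` edge back to Phase 1 showing the loop) disappears with it. If the diagram has to go, replace it with a short numbered list of the seven phases, or note in the commit message why the diagram was dropped (e.g. a missing mermaid renderer) so it can be restored.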

                    Info

                    Be hybrid and stay secure with a single control plane: use Azure ARC to apply the same security and compliance policies to your on-premises, multi-cloud, and edge environments as you apply in Azure.

                    Phase 1: Set Policy

                    The first step in any PAM strategy is to establish a clear policy. This policy should define who has access to what, when they have access, and what they can do with that access. It should also include guidelines for password management and multi-factor authentication. For example:

                    • Define clear access control policies.
                    • Establish guidelines for password management and multi-factor authentication.
                    • Regularly review and update the policy to reflect changes in the organization.

                    How to implement this:

                    • Use Azure Policy to define and manage policies for your Azure environment.
                    • Use Microsoft Entra multifactor authentication for implementing multi-factor authentication.

                    Phase 2: The Process of Discovery

                    In this phase, we identify all the privileged accounts across the organization. This includes service accounts, local administrative accounts, domain administrative accounts, emergency accounts, and application accounts. For example:

                    • Use automated tools to identify all privileged accounts across the organization.
                    • Regularly update the inventory of privileged accounts.
                    • Identify any accounts that are no longer in use and deactivate them.

                    How to implement this:

                    • Use Microsoft Entra Privileged Identity Management to discover, restrict and monitor administrators and their access to resources and provide just-in-time access when needed.

                    Phase 3: Protect Credentials

                    Once we've identified all privileged accounts, we need to ensure that these credentials are stored securely. This could involve using a secure vault, regularly rotating passwords, and using unique passwords for each account. For example:

                    • Store credentials in a secure vault.
                    • Implement regular password rotation.
                    • Use unique passwords for each account.

                    How to implement this:

                    • Use Azure Key Vault to safeguard cryptographic keys and other secrets used by your apps and services and rotate secrets regularly.
                    • Implement Microsoft Entra ID Password Protection to protect against weak passwords that can be easily guessed or cracked.
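Phase 3 in practice, as an added example (not code from the original post): a service-account password is generated from the OS random number generator, stored as a new Key Vault secret version with an explicit expiry, and the vault is then swept for secrets that have no expiry or are due for rotation. The vault name, secret name, rotation window and the Az.KeyVault module being installed (with the caller holding the Key Vault Secrets Officer role) are assumptions.

```powershell
# Added example, not part of the original post. Assumed names:
$VaultName  = 'kv-pam-demo'            # placeholder vault
$SecretName = 'svc-backup-password'    # placeholder secret
$RotationDays = 90                     # assumed rotation policy

function New-RandomPassword {
    # 32 bytes from the platform CSPRNG, base64-encoded: ~256 bits of entropy,
    # printable, and no dictionary structure for Password Protection to object to.
    $bytes = [byte[]]::new(32)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return [Convert]::ToBase64String($bytes)
}

function Set-RotatedSecret {
    param([string]$Vault, [string]$Name, [int]$Days)
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    # Every write creates a new version; the expiry makes "stale" observable
    # instead of relying on someone remembering when it was last changed.
    Set-AzKeyVaultSecret -VaultName $Vault -Name $Name -SecretValue $secure `
        -Expires (Get-Date).ToUniversalTime().AddDays($Days) `
        -ContentType 'password' `
        -Tag @{ owner = 'platform'; rotation = "${Days}d" } | Out-Null
    # The plaintext is returned once so the caller can push it to the target
    # system; it is never logged or echoed.
    return $plain
}

function Get-SecretRotationReport {
    param([string]$Vault, [int]$WarnDays = 14)
    $soon = (Get-Date).ToUniversalTime().AddDays($WarnDays)
    Get-AzKeyVaultSecret -VaultName $Vault | ForEach-Object {
        [pscustomobject]@{
            Name    = $_.Name
            Enabled = $_.Enabled
            Expires = $_.Expires
            Status  = if (-not $_.Expires)         { 'NO EXPIRY' }
                      elseif ($_.Expires -lt $soon) { 'ROTATE' }
                      else                          { 'ok' }
        }
    } | Sort-Object Status
}

# Rotate one secret, hand the value to the consuming system, then forget it.
$newValue = Set-RotatedSecret -Vault $VaultName -Name $SecretName -Days $RotationDays
# ... push $newValue to the service that uses it (out of scope here) ...
Remove-Variable newValue

# Sweep the whole vault: anything without an expiry is a secret nobody is
# rotating; anything about to expire is the next rotation job.
Get-SecretRotationReport -Vault $VaultName | Format-Table
```

Running the report on a schedule (Azure Automation or a pipeline) turns "rotate secrets regularly" from a policy sentence into an actual queue of work, and "NO EXPIRY" entries are usually the forgotten credentials Phase 2 was looking for.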

                    Phase 4: Secure Privileged Access

                    Securing privileged access involves implementing controls to prevent unauthorized access. This could include limiting the number of privileged accounts, implementing least privilege, and using just-in-time access. For example:

                    • Limit the number of privileged accounts.
                    • Implement just-in-time access, where access is granted only for the duration of a task.
                    • Use session recording and monitoring for privileged access.

                    How to implement this:

                    • Use Microsoft Entra ID Conditional Access to enforce controls on the access to apps in your environment based on specific conditions.
                    • Implement Microsoft Entra Privileged Identity Management for just-in-time access.

                    Phase 5: Least Privilege

                    The principle of least privilege involves giving users the minimum levels of access — or permissions — they need to complete their job functions. By limiting the access rights of users, the risk of a security breach is reduced. For example:

                    • Implement role-based access control (RBAC) in Azure to grant the minimum necessary access to users.
                    • Regularly review user roles and access rights.
                    • Implement a process for revoking access when it's no longer needed.

                    How to implement this:

                    • Implement Role-Based Access Control (RBAC) in Azure to grant the minimum necessary access to users.
                    • Use Microsoft Entra ID Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments.
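Phase 5 in practice, as an added example (not code from the original post or from Microsoft): Azure RBAC assignments at subscription and management-group scope are pulled with the Az.Resources module, the ones that contradict least privilege are flagged (broad roles held directly by users or by guest accounts), and a helper replaces a direct assignment with Reader, run in `-WhatIf` mode first. The subscription id, the list of roles treated as high-privilege and the assumption that Owner should instead come through a PIM-eligible group are mine.

```powershell
# Added example, not part of the original post.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$Scope = "/subscriptions/$SubscriptionId"
# Assumed set of roles that should never be held standing by a user account.
$HighPrivilegeRoles = @('Owner', 'Contributor', 'User Access Administrator')

# 1. Inventory: broad roles at subscription scope or inherited from a management group.
$assignments = Get-AzRoleAssignment -Scope $Scope
$broad = $assignments | Where-Object {
    $_.RoleDefinitionName -in $HighPrivilegeRoles -and
    ($_.Scope -eq $Scope -or $_.Scope -like '/providers/Microsoft.Management/*')
}

# 2. Findings: direct user grants (should be a group with PIM eligibility),
#    guests (#EXT# in the sign-in name), and Owner anywhere at this scope.
function Get-LeastPrivilegeFindings {
    param($Assignments)
    foreach ($a in $Assignments) {
        $why = @()
        if ($a.ObjectType -eq 'User')            { $why += 'direct user assignment' }
        if ($a.SignInName -like '*#EXT#*')       { $why += 'guest account' }
        if ($a.RoleDefinitionName -eq 'Owner')   { $why += 'standing Owner' }
        if ($why.Count -gt 0) {
            [pscustomobject]@{
                Principal = $a.DisplayName
                Type      = $a.ObjectType
                Role      = $a.RoleDefinitionName
                Scope     = $a.Scope
                Reason    = $why -join '; '
            }
        }
    }
}
$findings = Get-LeastPrivilegeFindings -Assignments $broad
$findings | Format-Table -AutoSize

# 3. Remediation helper: downgrade a standing assignment to Reader. The broad
#    role is expected to be re-granted as PIM-eligible on a group, not here.
function Set-ReaderInsteadOf {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] $Assignment)
    $action = "replace $($Assignment.RoleDefinitionName) with Reader at $($Assignment.Scope)"
    if ($PSCmdlet.ShouldProcess($Assignment.DisplayName, $action)) {
        # Grant the narrower role first so the principal is never left with nothing.
        New-AzRoleAssignment -ObjectId $Assignment.ObjectId -RoleDefinitionName 'Reader' `
            -Scope $Assignment.Scope | Out-Null
        Remove-AzRoleAssignment -ObjectId $Assignment.ObjectId `
            -RoleDefinitionName $Assignment.RoleDefinitionName -Scope $Assignment.Scope
    }
}

# Dry run: prints what would change without touching anything. Drop -WhatIf to apply.
$broad | Where-Object { $_.ObjectType -eq 'User' } |
    ForEach-Object { Set-ReaderInsteadOf -Assignment $_ -WhatIf }
```

The output of step 2 is also the seed list for an Entra ID access review: every principal it names is one whose continued need for the role someone should have to confirm.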

                    Phase 6: Control All Applications

                    In this phase, we ensure that all applications, whether on-premises or in the cloud, are controlled and monitored. This includes implementing application control policies and monitoring application usage. For example:

                    • Implement application control policies that dictate what applications can be run on systems.
                    • Monitor application usage and block unauthorized applications.
                    • Regularly update and patch all applications to reduce vulnerabilities.

                    How to implement this:

                    • Use Microsoft Entra Application Proxy to control and secure access to on-premises and cloud apps.
                    • Enable Change Tracking and Inventory in Azure Automation to track changes to your Azure VMs. Use desired state configuration to ensure that your VMs are configured correctly.
                    • Implement Microsoft Intune to manage and secure your devices and applications.

                    Phase 7: Detect and Respond

                    The final phase involves setting up systems to detect and respond to any suspicious activity. This could involve setting up alerts for unusual activity, regularly auditing access logs, and having a response plan in place for when a breach occurs. For example:

                    • Set up alerts for unusual activity.
                    • Regularly audit access logs.
                    • Have a response plan in place for when a breach occurs, including steps for containment, eradication, and recovery.

                    How to implement this:

                    • Use Microsoft Defender for Cloud for increased visibility into your security state and to detect and respond to threats.
                    • Implement Microsoft Sentinel (formerly Azure Sentinel), Microsoft's cloud-native SIEM solution, for intelligent security analytics.
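Phase 7 in practice, as an added example (not code from the original post or a Microsoft-provided rule): two KQL detections for privilege changes are run against the Log Analytics workspace behind Microsoft Sentinel with the Az.OperationalInsights module, and any role-assignment write whose caller is not a known deployment identity is surfaced. The workspace id and the allow-list are placeholders; the queries assume the AzureActivity and AuditLogs tables are being ingested through the Azure Activity and Microsoft Entra ID connectors.

```powershell
# Added example, not part of the original post.
$WorkspaceId = '00000000-0000-0000-0000-000000000000'     # placeholder workspace
$ApprovedAutomation = @('deploy-sp@contoso.example')       # placeholder allow-list

# Detection 1: successful Azure RBAC role-assignment writes in the last 24 hours.
# A new Owner/Contributor grant is how most privilege escalation in Azure ends up looking.
$rbacQuery = @'
AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue =~ "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
| where ActivityStatusValue =~ "Success"
| project TimeGenerated, Caller, CallerIpAddress, SubscriptionId, ResourceGroup, _ResourceId
| order by TimeGenerated desc
'@

# Detection 2: Entra ID directory-role membership changes, including PIM eligibility.
# The role name sits inside TargetResources[].modifiedProperties; the raw column is
# kept so an analyst can read it without depending on its exact position.
$entraQuery = @'
AuditLogs
| where TimeGenerated > ago(24h)
| where Category == "RoleManagement"
| where OperationName has_any ("Add member to role", "Add eligible member to role")
| extend initiator = tostring(InitiatedBy.user.userPrincipalName),
         target    = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, OperationName, Result, initiator, target, TargetResources
| order by TimeGenerated desc
'@

function Invoke-Detection {
    param([string]$Query, [string]$Name)
    $r = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query
    $rows = @($r.Results)
    Write-Host "[$Name] $($rows.Count) event(s)"
    return $rows
}

$rbacHits  = Invoke-Detection -Query $rbacQuery  -Name 'RBAC assignment writes'
$entraHits = Invoke-Detection -Query $entraQuery -Name 'Entra role membership changes'

# Respond: anything not done by an approved deployment identity becomes a finding.
$unexpected = @($rbacHits | Where-Object { $_.Caller -notin $ApprovedAutomation })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) role-assignment write(s) by non-approved callers"
    $unexpected | Format-Table TimeGenerated, Caller, CallerIpAddress, ResourceGroup -AutoSize
}
# Every Entra role change is reviewed; these should all map to a PIM request.
$entraHits | Format-Table TimeGenerated, OperationName, initiator, target -AutoSize
```

The same two queries can be pasted into a Microsoft Sentinel scheduled analytics rule; running them from PowerShell is useful while tuning the allow-list, because Phase 5's own remediation script will show up here too and must be on it.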

                    By following these seven phases, you can create a robust PAM strategy that protects your organization from security breaches and helps you maintain compliance with various regulations.

                    Remember, a good PAM strategy is not a one-time effort but an ongoing process that needs to be regularly reviewed and updated. Microsoft and Azure services provide a robust set of tools to help you implement and manage your PAM strategy effectively.

                    \ No newline at end of file +

                    Now you can check the file in the static website of the storage account.

                Azure ARC

                Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running on-premises, at the edge, or in multi-cloud environments using the same Azure management tools, security, and compliance policies that you use in Azure. Azure ARC enables you to manage and govern your resources consistently across all environments, providing a unified control plane for your hybrid cloud infrastructure. Let's explore how Azure ARC works and how you can leverage it to manage your resources effectively.

                Azure ARC Overview

                Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running outside of Azure using the same Azure management tools, security, and compliance policies that you use in Azure. Azure ARC provides a unified control plane for managing resources across on-premises, multi-cloud, and edge environments, enabling you to govern your resources consistently.

                Azure ARC enables you to:

                • Manage resources: Azure ARC allows you to manage resources running on-premises, at the edge, or in multi-cloud environments using Azure management tools like Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                • Governance: Azure ARC provides a unified control plane for managing and governing resources across all environments, enabling you to enforce security and compliance policies consistently.
                • Security: Azure ARC extends Azure security capabilities to resources running outside of Azure, enabling you to protect your resources with Azure security features like Azure Security Center and Azure Defender.
                • Compliance: Azure ARC enables you to enforce compliance policies across all environments, ensuring that your resources meet regulatory requirements and organizational standards.

                Azure ARC Components

                Azure ARC consists of the following components:

                • Azure ARC-enabled servers: Azure ARC-enabled servers allow you to manage and govern servers running on-premises or at the edge using Azure management tools. You can connect your servers to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                • Azure ARC-enabled Kubernetes clusters: Azure ARC-enabled Kubernetes clusters allow you to manage and govern Kubernetes clusters running on-premises or in other clouds using Azure management tools. You can connect your Kubernetes clusters to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                • Azure ARC-enabled data services: Azure ARC-enabled data services allow you to manage and govern data services running on-premises or in other clouds using Azure management tools. You can connect your data services to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                • SQL Server enabled by Azure Arc: SQL Server enabled by Azure Arc allows you to run SQL Server on any infrastructure using Azure management tools. You can connect your SQL Server instances to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                • Azure Arc-enabled private clouds: Azure Arc resource bridge hosts other components such as custom locations, cluster extensions, and other Azure Arc agents in order to deliver the level of functionality with the private cloud infrastructures it supports.

                Azure ARC Use Cases

                Azure ARC can be used in a variety of scenarios to manage and govern resources across on-premises, multi-cloud, and edge environments. Some common use cases for Azure ARC include:

                • Hybrid cloud management: Azure ARC enables you to manage resources consistently across on-premises, multi-cloud, and edge environments using the same Azure management tools and policies.
                • Security and compliance: Azure ARC allows you to enforce security and compliance policies consistently across all environments, ensuring that your resources meet regulatory requirements and organizational standards.
                • Resource governance: Azure ARC provides a unified control plane for managing and governing resources across all environments, enabling you to enforce policies and monitor resource health and performance.
                • Application modernization: Azure ARC enables you to manage and govern Kubernetes clusters and data services running on-premises or in other clouds, allowing you to modernize your applications and infrastructure.

                Getting Started with Azure ARC

                To get started with Azure ARC, you need to:

                1. Connect your resources: Connect your servers, Kubernetes clusters, or data services to Azure ARC using the Azure ARC agent.
                2. Manage your resources: Use Azure management tools like Azure Policy, Azure Monitor, and Microsoft Defender for Cloud to manage and govern your resources consistently across all environments.
                3. Enforce security and compliance: Use Azure security features like Microsoft Defender for Cloud to protect your resources and enforce security and compliance policies.

                By leveraging Azure ARC, you can manage and govern your resources consistently across on-premises, multi-cloud, and edge environments, providing a unified control plane for your hybrid cloud infrastructure. Azure ARC enables you to enforce security and compliance policies consistently, ensuring that your resources meet regulatory requirements and organizational standards.

Conclusion

Azure Arc is a powerful service that extends Azure management capabilities to any infrastructure, so you can manage and govern resources consistently across on-premises, multi-cloud, and edge environments, and enforce the same security and compliance policies everywhere through a single control plane.

                For more information on Azure ARC, visit the Azure ARC documentation.

                \ No newline at end of file diff --git a/blog/2024/04/page/2/index.html b/blog/2024/04/page/2/index.html new file mode 100644 index 0000000..21f3d55 --- /dev/null +++ b/blog/2024/04/page/2/index.html @@ -0,0 +1,31 @@ + 2024/04 - Un Rinconcito donde contar lo que quiera

                2024/04

                Microsoft Azure Certifications

                Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft technologies. These certifications cover a variety of topics, including Azure, Office 365, Windows Server, and more.

Microsoft divides these certifications into different categories, such as:

• Infrastructure
• Data and AI
• Digital app and innovation
• Modern work
• Business applications
• Security

Inside each category, you can find different certification levels:

• Fundamentals: for individuals who are new to the technology and want to demonstrate their knowledge of the basics.
• Role-based: for individuals who want to demonstrate their expertise in a specific role, such as Azure Administrator or Data Engineer.
• Specialty: for individuals who want to demonstrate their expertise in a specific skill, such as Azure Virtual Desktop or Azure for SAP Workloads.

Role-based certifications in turn come in two levels:

• Associate: for individuals who have some experience with the technology and want to demonstrate their expertise in a specific role.
• Expert: for individuals who have extensive experience with the technology and want to demonstrate their expertise in a specific role.

It is always a good idea to start with the fundamentals certifications and then move on to the role-based certifications that are relevant to your career goals.

In most cases, an expert certification requires an associate certification as a prerequisite.

                Azure Certifications

Here's a table summarizing the Azure certifications and their descriptions:

| Certification | Exam required | Description | URL |
|---|---|---|---|
| Azure Administrator Associate | AZ-104 | The Azure Administrator certification is designed for individuals who want to demonstrate their expertise in managing Azure resources. This certification is ideal for IT professionals who are responsible for implementing, monitoring, and maintaining Azure solutions. | https://learn.microsoft.com/en-us/certifications/azure-administrator |
| Azure Developer Associate | AZ-204 | The Azure Developer certification is designed for individuals who want to demonstrate their expertise in developing applications on Azure. This certification is ideal for software developers who want to build and deploy cloud-based applications using Azure services. | https://learn.microsoft.com/en-us/certifications/azure-developer |
| Azure Data Engineer Associate | DP-203 | The Azure Data Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing data solutions on Azure. This certification is ideal for data professionals who are responsible for building and maintaining data pipelines and data warehouses on Azure. | https://learn.microsoft.com/en-us/certifications/azure-data-engineer |
| Azure Database Administrator Associate | DP-300 | The Azure Database Administrator certification is designed for individuals who want to demonstrate their expertise in managing Azure databases. This certification is ideal for database administrators who are responsible for designing, implementing, and maintaining databases on Azure. | https://learn.microsoft.com/en-us/certifications/azure-database-administrator |
| DevOps Engineer Expert | AZ-400 | The Azure DevOps Engineer certification is designed for individuals who want to demonstrate their expertise in implementing DevOps practices on Azure. This certification is ideal for IT professionals who are responsible for building, testing, and deploying applications using Azure DevOps. | https://learn.microsoft.com/en-us/certifications/devops-engineer |
| Azure Security Engineer Associate | AZ-500 | The Azure Security Engineer certification is designed for individuals who want to demonstrate their expertise in securing Azure resources. This certification is ideal for IT professionals who are responsible for implementing security controls and monitoring security events on Azure. | https://learn.microsoft.com/en-us/certifications/azure-security-engineer |
| Azure Network Engineer Associate | AZ-700 | The Azure Network Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing network solutions on Azure. This certification is ideal for network engineers who are responsible for building and maintaining network infrastructure on Azure. | https://learn.microsoft.com/en-us/certifications/azure-network-engineer |
| Windows Server Hybrid Administrator Associate | AZ-800, AZ-801 | The Windows Server Hybrid Administrator certification is designed for individuals who want to demonstrate their expertise in managing Windows Server resources on Azure. This certification is ideal for IT professionals who are responsible for implementing, monitoring, and maintaining Windows Server solutions on Azure. | https://learn.microsoft.com/en-us/certifications/windows-server-hybrid-administrator |
| Fabric Analytics Engineer Associate | DP-600 | The Fabric Analytics Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing analytics solutions on Azure. This certification is ideal for data professionals who are responsible for building and maintaining analytics solutions on Azure. | https://learn.microsoft.com/en-us/certifications/fabric-analytics-engineer |
| Azure AI Engineer Associate | AI-102 | The Azure AI Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing AI solutions on Azure. This certification is ideal for data scientists and AI developers who want to build and deploy AI models using Azure services. | https://learn.microsoft.com/en-us/certifications/azure-ai-engineer |
| Azure Data Scientist Associate | DP-100 | The Azure Data Scientist certification is designed for individuals who want to demonstrate their expertise in designing and implementing data science solutions on Azure. This certification is ideal for data scientists who are responsible for building and maintaining data science solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-data-scientist |
| Azure Enterprise Data Analyst Associate | DP-500 | The Azure Enterprise Data Analyst certification is designed for individuals who want to demonstrate their expertise in designing and implementing data analysis solutions on Azure. This certification is ideal for data analysts who are responsible for building and maintaining data analysis solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-enterprise-data-analyst |
| Azure Solutions Architect Expert | AZ-305 | The Azure Solutions Architect certification is designed for individuals who want to demonstrate their expertise in designing and implementing solutions on Azure. This certification is ideal for IT professionals who are responsible for designing and implementing cloud-based solutions using Azure services. | https://learn.microsoft.com/en-us/certifications/azure-solutions-architect |
| Azure for SAP Workloads Specialty | AZ-120 | The Azure for SAP Workloads certification is designed for individuals who want to demonstrate their expertise in deploying and managing SAP workloads on Azure. This certification is ideal for IT professionals who are responsible for implementing and maintaining SAP solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-for-sap-workloads |
| Azure Virtual Desktop Specialty | AZ-140 | The Azure Virtual Desktop certification is designed for individuals who want to demonstrate their expertise in deploying and managing virtual desktop solutions on Azure. This certification is ideal for IT professionals who are responsible for implementing and maintaining virtual desktop solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-virtual-desktop |
| Azure Cosmos DB Developer Specialty | DP-420 | The Azure Cosmos DB Developer certification is designed for individuals who want to demonstrate their expertise in developing applications that use Azure Cosmos DB. This certification is ideal for software developers who want to build and deploy applications that use Azure Cosmos DB. | https://learn.microsoft.com/en-us/certifications/azure-cosmos-db-developer |
| Azure Fundamentals | AZ-900 | The Azure Fundamentals certification is designed for individuals who are new to Azure and want to demonstrate their knowledge of the platform. This certification is a great starting point for anyone who wants to learn more about Azure and how it can help them build and deploy applications in the cloud. | https://learn.microsoft.com/en-us/certifications/azure-fundamentals |
| Azure AI Fundamentals | AI-900 | The Azure AI Fundamentals certification is designed for individuals who want to demonstrate their knowledge of AI concepts and how they can be applied to Azure services. This certification is ideal for anyone who wants to learn more about AI and how it can be used to build intelligent applications. | https://learn.microsoft.com/en-us/certifications/azure-ai-fundamentals |
| Azure Data Fundamentals | DP-900 | The Azure Data Fundamentals certification is designed for individuals who want to demonstrate their knowledge of data concepts and how they can be applied to Azure services. This certification is ideal for anyone who wants to learn more about data and how it can be used to build data-driven applications. | https://learn.microsoft.com/en-us/certifications/azure-data-fundamentals |

You can find more information about Microsoft certifications on the Microsoft Certification Poster and on the Microsoft Learn website.

Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services

Today I'd like to share a brief summary of the PAM strategy that other vendors commonly recommend, mapped onto Microsoft Entra ID and some Azure services. The strategy is divided into seven phases:

                
                +graph LR;
                +    A[Phase 1: Set Policy] 
                +    C[Phase 2: The Process of Discovery]
                +    E[Phase 3: Protect Credentials]
                +    G[Phase 4: Secure Privileged Access]
                +    I[Phase 5: Least Privilege]
                +    K[Phase 6: Control All Applications]
                +    M[Phase 7: Detect and Respond]
                +
                +    A-->C
                +    C-->E
                +    E-->G
                +    G-->I
                +    I-->K
                +    K-->M
                +    M-->A
                +
                +    classDef phase fill:#f9f,stroke:#333,stroke-width:2px;
                +    class A,C,E,G,I,K,M phase;
                +
                +

                Info

Be hybrid, be secure with a single control plane: use Azure Arc to inherit the same security and compliance policies across your on-premises, multi-cloud, and edge environments as in Azure.

                Phase 1: Set Policy

                The first step in any PAM strategy is to establish a clear policy. This policy should define who has access to what, when they have access, and what they can do with that access. It should also include guidelines for password management and multi-factor authentication. For example:

                • Define clear access control policies.
                • Establish guidelines for password management and multi-factor authentication.
                • Regularly review and update the policy to reflect changes in the organization.

                How to implement this:

• Use Azure Policy to define and enforce configuration rules for your Azure resources (what may be deployed, and how). Note that Azure Policy governs resource configuration, not who may sign in; the access part of the policy is expressed in Microsoft Entra ID, through Conditional Access and Privileged Identity Management, covered in the later phases.
• Use Microsoft Entra multifactor authentication to implement multi-factor authentication.

                Phase 2: The Process of Discovery

In this phase, we identify all the privileged accounts across the organization: service accounts, local administrative accounts, domain administrative accounts, emergency (break-glass) accounts, and application accounts. For example:

                • Use automated tools to identify all privileged accounts across the organization.
                • Regularly update the inventory of privileged accounts.
                • Identify any accounts that are no longer in use and deactivate them.

                How to implement this:

• Use Microsoft Entra Privileged Identity Management (PIM) to discover, restrict, and monitor administrators and their access to resources, and to provide just-in-time access when needed. PIM lists permanent (active) privileged role assignments so you can convert them to eligible ones. PIM covers Microsoft Entra roles, Azure resource roles, and groups, so service principals with privileged roles and the local and domain administrator accounts on servers must be added to the inventory from other sources.
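As an added example for this discovery phase (this is not code from the original post or from Microsoft), the script below audits a constructed export of Entra role assignments and flags what a practitioner would act on first: permanent (non-eligible) assignments at tenant scope that belong in PIM, service principals holding privileged roles, disabled accounts that still hold a role, and users who have not signed in for 90 days. The role template IDs are the documented built-in role IDs; the input field names and the sample principals are assumptions made so that the script runs offline.

```python
"""Inventory privileged Microsoft Entra role assignments and flag the risky ones.

Added example for the discovery phase; not code from the original post or from
Microsoft. The input mirrors a trimmed-down export of Entra role assignments and
principals (field names are assumptions, not the exact Microsoft Graph schema)
and is constructed here so the script runs offline.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Role template IDs of built-in Entra roles treated as privileged for this audit.
# The IDs are Microsoft's documented role template IDs; which roles to include is policy.
PRIVILEGED_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
    "194ae4cb-b126-40b2-bd5b-6091b380977d": "Security Administrator",
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3": "Application Administrator",
}

STALE_AFTER = timedelta(days=90)                  # no sign-in for this long: candidate for removal
NOW = datetime(2024, 4, 15, tzinfo=timezone.utc)  # fixed clock so the results are reproducible

# Constructed sample data (no real tenant).
SAMPLE_PRINCIPALS = {
    "u-alice": {"type": "user", "displayName": "Alice", "accountEnabled": True,
                "lastSignIn": "2024-04-14T09:12:00Z"},
    "u-bob": {"type": "user", "displayName": "Bob", "accountEnabled": True,
              "lastSignIn": "2023-09-01T08:00:00Z"},
    "u-carol": {"type": "user", "displayName": "Carol", "accountEnabled": False,
                "lastSignIn": "2024-03-30T17:45:00Z"},
    "sp-deploy": {"type": "servicePrincipal", "displayName": "automation-deploy",
                  "accountEnabled": True, "lastSignIn": None},
}

SAMPLE_ASSIGNMENTS = [
    {"principalId": "u-alice", "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10",
     "assignmentType": "Active", "directoryScopeId": "/"},
    {"principalId": "u-bob", "roleDefinitionId": "194ae4cb-b126-40b2-bd5b-6091b380977d",
     "assignmentType": "Eligible", "directoryScopeId": "/"},
    {"principalId": "u-carol", "roleDefinitionId": "e8611ab8-c189-46e8-94e1-60213ab1f814",
     "assignmentType": "Active", "directoryScopeId": "/"},
    {"principalId": "sp-deploy", "roleDefinitionId": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
     "assignmentType": "Active", "directoryScopeId": "/"},
    # constructed placeholder ID for a non-privileged role: the audit must ignore it
    {"principalId": "u-alice", "roleDefinitionId": "11111111-1111-1111-1111-111111111111",
     "assignmentType": "Active", "directoryScopeId": "/"},
]


def parse_time(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z', or return None when absent."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_privileged_access(assignments, principals, now=NOW, stale_after=STALE_AFTER):
    """Return one finding per (assignment, issue) for privileged role assignments.

    Issues raised:
      permanent-active   active (not PIM-eligible) assignment at tenant scope
      service-principal  a workload identity holds a privileged role
      disabled-account   a disabled account still holds the role: remove it
      stale              a user with the role has not signed in within stale_after
    """
    findings = []
    for a in assignments:
        role = PRIVILEGED_ROLES.get(a["roleDefinitionId"])
        if role is None:
            continue  # not a privileged role: out of scope for this audit
        p = principals[a["principalId"]]
        base = {"principal": p["displayName"], "role": role, "scope": a["directoryScopeId"]}
        if a["assignmentType"] == "Active" and a["directoryScopeId"] == "/":
            findings.append({**base, "issue": "permanent-active"})
        if p["type"] == "servicePrincipal":
            findings.append({**base, "issue": "service-principal"})
        if not p["accountEnabled"]:
            findings.append({**base, "issue": "disabled-account"})
        last = parse_time(p.get("lastSignIn"))
        if p["type"] == "user" and (last is None or now - last > stale_after):
            findings.append({**base, "issue": "stale"})
    return findings


def summarize(findings):
    """Count findings per issue, e.g. {'permanent-active': 3, 'stale': 1, ...}."""
    return dict(Counter(f["issue"] for f in findings))


if __name__ == "__main__":
    results = audit_privileged_access(SAMPLE_ASSIGNMENTS, SAMPLE_PRINCIPALS)
    for f in results:
        print(f"{f['issue']:18} {f['role']:32} {f['principal']}")
    print(summarize(results))
```

In a real tenant the two inputs come from the Microsoft Graph role assignment and role eligibility endpoints and from user sign-in activity; the rule set stays the same, and the output is the list of assignments to convert to eligible, remove, or review.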

                Phase 3: Protect Credentials

                Once we've identified all privileged accounts, we need to ensure that these credentials are stored securely. This could involve using a secure vault, regularly rotating passwords, and using unique passwords for each account. For example:

                • Store credentials in a secure vault.
                • Implement regular password rotation.
                • Use unique passwords for each account.

                How to implement this:

• Use Azure Key Vault to safeguard cryptographic keys and other secrets used by your apps and services, and rotate secrets regularly.
• Implement Microsoft Entra Password Protection to block weak passwords that can be easily guessed or cracked.

                Phase 4: Secure Privileged Access

                Securing privileged access involves implementing controls to prevent unauthorized access. This could include limiting the number of privileged accounts, implementing least privilege, and using just-in-time access. For example:

                • Limit the number of privileged accounts.
                • Implement just-in-time access, where access is granted only for the duration of a task.
                • Use session recording and monitoring for privileged access.

                How to implement this:

• Use Microsoft Entra Conditional Access to enforce controls on access to apps in your environment based on specific conditions (user, device, location, sign-in risk).
• Implement Microsoft Entra Privileged Identity Management for just-in-time access.

                Phase 5: Least Privilege

                The principle of least privilege involves giving users the minimum levels of access — or permissions — they need to complete their job functions. By limiting the access rights of users, the risk of a security breach is reduced. For example:

                • Implement role-based access control (RBAC) in Azure to grant the minimum necessary access to users.
                • Regularly review user roles and access rights.
                • Implement a process for revoking access when it's no longer needed.

                How to implement this:

• Implement Azure role-based access control (Azure RBAC) to grant the minimum necessary access to users, at the narrowest scope that works (resource group rather than subscription where possible).
• Use Microsoft Entra access reviews to efficiently manage group memberships, access to enterprise applications, and role assignments.

                Phase 6: Control All Applications

                In this phase, we ensure that all applications, whether on-premises or in the cloud, are controlled and monitored. This includes implementing application control policies and monitoring application usage. For example:

                • Implement application control policies that dictate what applications can be run on systems.
                • Monitor application usage and block unauthorized applications.
                • Regularly update and patch all applications to reduce vulnerabilities.

                How to implement this:

• Use Microsoft Entra Application Proxy to control and secure access to on-premises and cloud apps.
• Enable Change Tracking and Inventory in Azure Automation to track changes to your Azure VMs. Use desired state configuration (Azure Automation State Configuration, or Azure Policy's machine configuration) to ensure that your VMs are configured correctly.
• Implement Microsoft Intune to manage and secure your devices and applications.

                Phase 7: Detect and Respond

                The final phase involves setting up systems to detect and respond to any suspicious activity. This could involve setting up alerts for unusual activity, regularly auditing access logs, and having a response plan in place for when a breach occurs. For example:

                • Set up alerts for unusual activity.
                • Regularly audit access logs.
                • Have a response plan in place for when a breach occurs, including steps for containment, eradication, and recovery.

                How to implement this:

• Use Microsoft Defender for Cloud for increased visibility into your security state and to detect and respond to threats.
• Implement Microsoft Sentinel (formerly Azure Sentinel), Microsoft's cloud-native SIEM, for intelligent security analytics and automated response.
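As an added example for the detection phase (not code from the original post or from Microsoft Sentinel), the script below runs four detection rules over a constructed batch of sign-in events: a privileged sign-in without MFA, a privileged sign-in from a country outside that user's baseline, any use of a break-glass account, and five failed sign-ins from one IP address within ten minutes (password spray or brute force). The field names are a simplified version of the Entra SigninLogs columns and are assumptions, as are the users, addresses, and baselines.

```python
"""Detect suspicious privileged sign-ins in a batch of Entra sign-in events.

Added example for the detect-and-respond phase; not code from the original post
or from Microsoft. Events use simplified SigninLogs-like fields (an assumption)
and are constructed so the rules can be run offline.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed baselines; in practice the Phase 2 inventory and sign-in history.
PRIVILEGED_USERS = {"alice@contoso.example", "breakglass@contoso.example"}
BREAK_GLASS_USERS = {"breakglass@contoso.example"}
KNOWN_COUNTRIES = {"alice@contoso.example": {"ES"}, "breakglass@contoso.example": {"ES"}}
FAILURE_THRESHOLD = 5                   # failed sign-ins from one IP ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... inside this sliding window: a burst

# Constructed sign-in events (not a real tenant); ISO-8601 times with explicit offset.
SAMPLE_SIGNINS = [
    {"time": "2024-04-15T08:00:00+00:00", "user": "alice@contoso.example", "ip": "203.0.113.10", "country": "ES", "result": "success", "mfa": True},
    {"time": "2024-04-15T08:05:00+00:00", "user": "alice@contoso.example", "ip": "198.51.100.7", "country": "BR", "result": "success", "mfa": False},
    {"time": "2024-04-15T08:10:00+00:00", "user": "dave@contoso.example", "ip": "192.0.2.50", "country": "US", "result": "failure", "mfa": False},
    {"time": "2024-04-15T08:11:00+00:00", "user": "erin@contoso.example", "ip": "192.0.2.50", "country": "US", "result": "failure", "mfa": False},
    {"time": "2024-04-15T08:12:00+00:00", "user": "frank@contoso.example", "ip": "192.0.2.50", "country": "US", "result": "failure", "mfa": False},
    {"time": "2024-04-15T08:13:00+00:00", "user": "gina@contoso.example", "ip": "192.0.2.50", "country": "US", "result": "failure", "mfa": False},
    {"time": "2024-04-15T08:14:00+00:00", "user": "hank@contoso.example", "ip": "192.0.2.50", "country": "US", "result": "failure", "mfa": False},
    {"time": "2024-04-15T09:00:00+00:00", "user": "dave@contoso.example", "ip": "192.0.2.50", "country": "US", "result": "failure", "mfa": False},
    {"time": "2024-04-15T09:30:00+00:00", "user": "breakglass@contoso.example", "ip": "203.0.113.10", "country": "ES", "result": "success", "mfa": True},
]


def detect(events, privileged=PRIVILEGED_USERS, break_glass=BREAK_GLASS_USERS,
           known_countries=KNOWN_COUNTRIES, threshold=FAILURE_THRESHOLD, window=FAILURE_WINDOW):
    """Return alerts as dicts {rule, subject, time}, in event order.

    Rules: failure-burst (threshold failures from one IP within window, one alert
    per burst), break-glass-used, privileged-no-mfa, privileged-new-country.
    """
    alerts = []
    failures_by_ip = defaultdict(list)  # ip -> timestamps of recent failures
    for e in sorted(events, key=lambda ev: datetime.fromisoformat(ev["time"])):
        t = datetime.fromisoformat(e["time"])
        if e["result"] == "failure":
            # keep only failures still inside the window, then add this one
            recent = [x for x in failures_by_ip[e["ip"]] if t - x <= window] + [t]
            failures_by_ip[e["ip"]] = recent
            if len(recent) == threshold:  # fires once, when the burst first reaches the threshold
                alerts.append({"rule": "failure-burst", "subject": e["ip"], "time": e["time"]})
            continue
        if e["user"] in break_glass:  # any successful use of an emergency account is an alert
            alerts.append({"rule": "break-glass-used", "subject": e["user"], "time": e["time"]})
        if e["user"] in privileged:
            if not e["mfa"]:
                alerts.append({"rule": "privileged-no-mfa", "subject": e["user"], "time": e["time"]})
            if e["country"] not in known_countries.get(e["user"], set()):
                alerts.append({"rule": "privileged-new-country",
                               "subject": f"{e['user']} from {e['country']}", "time": e["time"]})
    return alerts


def alerts_by_rule(alerts):
    """Count alerts per rule, e.g. {'failure-burst': 1, ...}."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    found = detect(SAMPLE_SIGNINS)
    for a in found:
        print(f"{a['time']}  {a['rule']:24} {a['subject']}")
    print(alerts_by_rule(found))
```

Each rule maps onto a scheduled analytics rule in Microsoft Sentinel over the SigninLogs table. The sliding-window failure count is the part that is easy to get wrong in a SIEM query (a fixed hourly bucket splits a burst that straddles the boundary), which is why it is written out explicitly here.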

                By following these seven phases, you can create a robust PAM strategy that protects your organization from security breaches and helps you maintain compliance with various regulations.

                Remember, a good PAM strategy is not a one-time effort but an ongoing process that needs to be regularly reviewed and updated. Microsoft and Azure services provide a robust set of tools to help you implement and manage your PAM strategy effectively.

                \ No newline at end of file diff --git a/blog/category/azure-frameworks/index.html b/blog/category/azure-frameworks/index.html index 1111771..6fc3609 100644 --- a/blog/category/azure-frameworks/index.html +++ b/blog/category/azure-frameworks/index.html @@ -1,4 +1,4 @@ - Azure Frameworks - Un Rinconcito donde contar lo que quiera

                +    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                Azure Frameworks

                Azure Well-Architected Framework (WAF) mind maps

                Microsoft Well-Architected Framework Pillars Design Principles Mind Map

                "Design Principles"

For when Material renders it correctly:

                mindmap
                     root((Pillars))        
                         Reliability(Reliability)
                             DesignPrinciples(Design Principles)
                diff --git a/blog/category/azure-services/index.html b/blog/category/azure-services/index.html
                index 32162c7..616a132 100644
                --- a/blog/category/azure-services/index.html
                +++ b/blog/category/azure-services/index.html
                @@ -7,7 +7,7 @@
                     .gdesc-inner { font-size: 0.75rem; }
                     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
                     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
                -    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                    +    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                    Azure Services

                    How to create a Management Group diagram with draw.io

I need to create a diagram of the Management Groups in Azure, and I remembered a project that did something similar with PowerShell: https://github.com/PowerShellToday/new-mgmgroupdiagram.

                    Export your Management Group structure from Azure Portal or ask for it

                    If you can access the Azure Portal, you can export the Management Group structure to a CSV file. To do this, follow these steps:

                    1. Go to the Azure portal.
                    2. Navigate to Management groups.
                    3. Click on Export.
                    4. Save the CSV file to your local machine.

                    If you don't have access to the Azure Portal, you can ask your Azure administrator to export the Management Group structure for you.

                    The file has the following columns:

                    • id: The unique identifier of the Management Group or subscription.
                    • displayName: The name of the Management Group or subscription.
                    • itemType: The type of the item (Management Group or subscription).
• path: The ancestor chain of the Management Group or subscription, comma-separated; the last element is its parent.
                    • accessLevel: Your access level.
                    • childSubscriptionCount: The number of child subscriptions at this level.
                    • totalSubscriptionCount: The total number of subscriptions.

                    Create a CSV to be imported into draw.io

1. Import the CSV file into Excel and rename the sheet to "Export_Portal".
2. Create a second sheet with the following columns:
  • id: reference to the id in the first sheet
  • displayName: reference to the displayName in the first sheet
  • itemType: reference to the itemType in the first sheet
  • Parent: use the following formula to get the parent of the current item (the last comma-separated element of path; the ";" argument separator is the Spanish-locale Excel syntax, use "," in an English locale):
    =IF(ISERROR(FIND(","; Export_Portal!D2)); Export_Portal!D2; TRIM(RIGHT(SUBSTITUTE(Export_Portal!D2; ","; REPT(" "; LEN(Export_Portal!D2))); LEN(Export_Portal!D2))))

3. Export the second sheet to a CSV file.
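The same transformation done in Python, as an added example that is not part of the original post: it reproduces the Excel formula (parent = last comma-separated element of path) and additionally resolves that parent name to the parent's id, because draw.io's connect directive matches the "from" column against the "to" column, so both must hold the same kind of value. The export below is a constructed sample in the column layout described above, not a real tenant, and the draw.io directive lines beyond the label one come from draw.io's CSV import format rather than from the post (whose styles line is cut off on this page, so a plain style is used).

```python
"""Turn an Azure portal management-group export into a draw.io CSV.

Added example; not code from the original post. Parent resolution follows the
post's Excel formula (last comma-separated element of 'path') and then maps
that display name to the parent's id so draw.io can draw the edges.
"""
import csv
import io

# Constructed sample export (not a real tenant), in the column layout the post
# describes: 'path' lists the ancestors, nearest parent last; empty for the root.
PORTAL_EXPORT = """\
id,displayName,itemType,path,accessLevel,childSubscriptionCount,totalSubscriptionCount
root-mg,Tenant Root Group,Management Group,,Owner,0,3
platform-mg,Platform,Management Group,Tenant Root Group,Owner,0,2
lz-mg,Landing Zones,Management Group,Tenant Root Group,Owner,0,1
identity-mg,Identity,Management Group,"Tenant Root Group, Platform",Owner,1,1
mgmt-mg,Management,Management Group,"Tenant Root Group, Platform",Owner,1,1
sub-identity,sub-identity-prod,Subscription,"Tenant Root Group, Platform, Identity",Owner,0,0
sub-mgmt,sub-management-prod,Subscription,"Tenant Root Group, Platform, Management",Owner,0,0
sub-corp,sub-corp-app1,Subscription,"Tenant Root Group, Landing Zones",Owner,0,0
"""

# draw.io CSV import directives (draw.io's format, not the post's own header;
# the post's #styles line is cut off on the page, so a plain style is used here).
DRAWIO_DIRECTIVES = [
    "#label: %displayName%",
    "#style: rounded=1;whiteSpace=wrap;html=1;",
    '#connect: {"from": "Parent", "to": "id", "invert": true}',
    "#layout: verticaltree",
    "#ignore: ParentName",
]
OUTPUT_COLUMNS = ["id", "displayName", "itemType", "Parent", "ParentName"]


def parent_name(path: str) -> str:
    """Last comma-separated element of 'path'; same result as the Excel formula,
    which returns 'path' unchanged when it contains no comma."""
    return path.split(",")[-1].strip()


def build_drawio_rows(export_text: str) -> list:
    """Rows for the second sheet: id, displayName, itemType, Parent (id), ParentName."""
    items = list(csv.DictReader(io.StringIO(export_text)))
    name_to_id = {}
    for item in items:
        # Display names are not unique in Azure; refuse to guess if one repeats.
        if item["displayName"] in name_to_id:
            raise ValueError(f"duplicate displayName {item['displayName']!r}: resolve parents by id instead")
        name_to_id[item["displayName"]] = item["id"]
    rows = []
    for item in items:
        pname = parent_name(item["path"])
        rows.append({
            "id": item["id"],
            "displayName": item["displayName"],
            "itemType": item["itemType"],
            "Parent": name_to_id.get(pname, ""),  # "" for the root: draw.io draws no edge
            "ParentName": pname,
        })
    return rows


def render_drawio_csv(rows) -> str:
    """Directive lines followed by the CSV that Arrange > Insert > Advanced > CSV accepts."""
    buf = io.StringIO()
    buf.write("\n".join(DRAWIO_DIRECTIVES) + "\n")
    writer = csv.DictWriter(buf, fieldnames=OUTPUT_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(render_drawio_csv(build_drawio_rows(PORTAL_EXPORT)), end="")
```

Paste the printed text into the draw.io CSV import dialog; the ParentName column is kept for cross-checking against the Excel sheet but ignored by draw.io.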

                    Import the CSV file into draw.io

                    1. Go to draw.io and create a new diagram.
                    2. Click on Arrange > Insert > Advanced > CSV.
                    3. Insert the header for the columns: id, displayName, itemType, Parent:

                          #label: %displayName%
                           #stylename: itemType
                           #styles: {"Management Group": "label;image=img/lib/azure2/general/Management_Groups.svg;whiteSpace=wrap;html=1;rounded=1; fillColor=%fill%;strokeColor=#6c8ebf;fillColor=#dae8fc;points=[[0.5,0,0,0,0],[0.5,1,0,0,0]];",\
                      @@ -138,7 +138,50 @@
                               D --> H[Online]
                               E --> I[Connectivity]
                               E --> J[Identity]
                      -        E --> K[Management]
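Review bot: the only visible change in this hunk is the deletion of `E --> K[Management]`, while the header `@@ -138,7 +138,50 @@` announces 43 added lines that do not appear here; before merging, confirm that the Management node is re-attached somewhere in the added lines, otherwise the diagram loses the Management child of node E while its Connectivity and Identity siblings stay.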

                      😄

                      References

                      • https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups
                      • https://learn.microsoft.com/en-us/azure/governance/management-groups/overview

Renaming of the Microsoft Defender for Cloud service levels

This isn't new, but I'd like to recall that Microsoft has renamed the Microsoft Defender for Cloud service levels. The table below shows the previous and the new service level names:

| Previous service level 2 name | New service level 2 name | Service tier: service level 4 (no change) |
|---|---|---|
| Advanced Data Security | Microsoft Defender for Cloud | Defender for SQL |
| Advanced Threat Protection | Microsoft Defender for Cloud | Defender for container registries |
| Advanced Threat Protection | Microsoft Defender for Cloud | Defender for DNS |
| Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Key Vault |
| Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Kubernetes |
| Advanced Threat Protection | Microsoft Defender for Cloud | Defender for MySQL |
| Advanced Threat Protection | Microsoft Defender for Cloud | Defender for PostgreSQL |
| Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Resource Manager |
| Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Storage |
| Azure Defender | Microsoft Defender for Cloud | Defender External Attack Surface Management |
| Azure Defender | Microsoft Defender for Cloud | Defender for Azure Cosmos DB |
| Azure Defender | Microsoft Defender for Cloud | Defender for Containers |
| Azure Defender | Microsoft Defender for Cloud | Defender for MariaDB |
| Security Center | Microsoft Defender for Cloud | Defender for App Service |
| Security Center | Microsoft Defender for Cloud | Defender for Servers |
| Security Center | Microsoft Defender for Cloud | Defender Cloud Security Posture Management |

                    Azure Network, Hub-and-Spoke Topology

                    Hub and Spoke is a network topology where a central Hub is connected to multiple Spokes. The Hub acts as a central point of connectivity and control, while the Spokes are isolated networks that connect to the Hub. This topology is common in Azure to simplify the connectivity and management of virtual networks.

                    graph TD
                    +    HUB(("Central Hub"))
                    +    SPOKE1[Spoke1]
                    +    SPOKE2[Spoke2]
                    +    SPOKE3[Spoke3]
                    +    SPOKEN[Spoke...]
                    +    HUB --- SPOKE1
                    +    HUB --- SPOKE2
                    +    HUB --- SPOKE3
                    +    HUB --- SPOKEN

Key Features of the Hub and Spoke Topology

1. Centralized Connectivity: The Hub centralizes the connectivity between the Spoke networks and hosts the shared services (VPN or ExpressRoute gateway, firewall, DNS). This simplifies the administration and maintenance of the network.

2. Traffic Control: The Hub acts as a traffic control point between the Spoke networks, which allows security and routing policies to be applied centrally. Note that VNet peering is not transitive, so Spoke-to-Spoke traffic only passes through the Hub if user-defined routes send it to a firewall or NVA there.

3. Scalability: A new Spoke is added by peering one more virtual network to the Hub, so the topology grows with the organization's connectivity needs.

4. Resilience: The topology is only as resilient as the Hub, since every Spoke depends on it; deploy the Hub's gateways and firewall redundantly (for example zone-redundant SKUs) so that a failure there does not affect all Spokes at once.

                    How to Use the Hub and Spoke Topology in Azure

                    To implement the Hub and Spoke topology in Azure, follow these steps:

                    # Step 1: Create a virtual network for the Hub
                    +az network vnet create --name HubVnet --resource-group MyResourceGroup --location eastus --address-prefix
                    +
                    +# Step 2: Create virtual networks for the Spokes
                    +az network vnet create --name Spoke1Vnet --resource-group MyResourceGroup --location eastus --address-prefix
                    +az network vnet create --name Spoke2Vnet --resource-group MyResourceGroup --location eastus --address-prefix
                    +az network vnet create --name Spoke3Vnet --resource-group MyResourceGroup --location eastus --address-prefix
                    +
                    +# Step 3: Connect the Spokes to the Hub
                    +az network vnet peering create --name Spoke1ToHub --resource-group MyResourceGroup --vnet-name Spoke1Vnet --remote-vnet HubVnet --allow-vnet-access
                    +az network vnet peering create --name Spoke2ToHub --resource-group MyResourceGroup --vnet-name Spoke2Vnet --remote-vnet HubVnet --allow-vnet-access
                    +az network vnet peering create --name Spoke3ToHub --resource-group MyResourceGroup --vnet-name Spoke3Vnet --remote-vnet HubVnet --allow-vnet-access
                    +
                    +# Step 4: Configure routing between the Hub and the Spokes
                    +az network vnet peering update --name Spoke1ToHub --resource-group MyResourceGroup --vnet-name Spoke1Vnet --set virtualNetworkGateway:AllowGatewayTransit=true
                    +az network vnet peering update --name Spoke2ToHub --resource-group MyResourceGroup --vnet-name Spoke2Vnet --set virtualNetworkGateway:AllowGatewayTransit=true
                    +az network vnet peering update --name Spoke3ToHub --resource-group MyResourceGroup --vnet-name Spoke3Vnet --set virtualNetworkGateway:AllowGatewayTransit=true
                    +
                    +# Step 5: Configure routing in the Hub
                    +az network vnet peering update --name HubToSpoke1 --resource-group MyResourceGroup --vnet-name HubVnet --set virtualNetworkGateway:UseRemoteGateways=true
                    +az network vnet peering update --name HubToSpoke2 --resource-group MyResourceGroup --vnet-name HubVnet --set virtualNetworkGateway:UseRemoteGateways=true
                    +az network vnet peering update --name HubToSpoke3 --resource-group MyResourceGroup --vnet-name HubVnet --set virtualNetworkGateway:UseRemoteGateways=true
                    +
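                    Review bot: every `az network vnet create` in Steps 1 and 2 ends with `--address-prefix` and no value, so each command fails before any network exists; give each VNet its own non-overlapping CIDR (for example `--address-prefix 10.0.0.0/16` for HubVnet and `10.1.0.0/16`, `10.2.0.0/16`, `10.3.0.0/16` for the spokes), because peering is refused for overlapping address space. Step 3 creates only the Spoke-to-Hub side of each peering, but VNet peering is created per direction, so the `HubToSpoke1..3` peerings that Step 5 updates do not exist yet and Step 5 fails; add the matching `az network vnet peering create --name HubToSpoke1 --resource-group MyResourceGroup --vnet-name HubVnet --remote-vnet Spoke1Vnet --allow-vnet-access` calls (and the same for Spoke2 and Spoke3). Steps 4 and 5 also use `--set virtualNetworkGateway:AllowGatewayTransit=true` and `--set virtualNetworkGateway:UseRemoteGateways=true`, which are not properties of the peering resource; the documented forms are `--set allowGatewayTransit=true` and `--set useRemoteGateways=true`, and the direction is inverted: the hub side, which hosts the gateway, allows gateway transit while the spoke side uses the remote gateway. Both settings only make sense once a VPN or ExpressRoute gateway is deployed in HubVnet, which the walkthrough never does, so either add that step or drop Steps 4 and 5 from the minimal example.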

                    Variant of the Hub and Spoke Topology

                    A variant of the Hub and Spoke topology is Hub and Spoke with peering between spokes, which is used to allow direct connectivity between Spoke networks without going through the Hub. This can be useful in scenarios where direct connectivity between Spoke networks is required, such as data replication or application-to-application communication.

                    graph TD
                    +    HUB(("Central Hub"))
                    +    SPOKE1[Spoke1]
                    +    SPOKE2[Spoke2]
                    +    SPOKE3[Spoke3]
                    +    SPOKEN[Spoke...]
                    +    HUB --- SPOKE1
                    +    HUB --- SPOKE2
                    +    HUB --- SPOKE3
                    +    HUB --- SPOKEN
                    +    SPOKE1 -.- SPOKE2    
                    In this case, the Spoke networks are connected directly to each other via virtual network peering, for example:

                    # Connect Spoke1 to Spoke2
                    +az network vnet peering create --name Spoke1ToSpoke2 --resource-group MyResourceGroup --vnet-name Spoke1Vnet --remote-vnet Spoke2Vnet --allow-vnet-access
                    +
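                    Review bot: this creates only the Spoke1Vnet side of the Spoke1-Spoke2 peering; the peering stays in the Initiated state and carries no traffic until the reverse peering is created as well, e.g. `az network vnet peering create --name Spoke2ToSpoke1 --resource-group MyResourceGroup --vnet-name Spoke2Vnet --remote-vnet Spoke1Vnet --allow-vnet-access`. The surrounding text should also say that a direct spoke-to-spoke peering bypasses whatever filtering or inspection the Hub applies (the "traffic control point" the post describes), so it should be limited to the spoke pairs that actually need it and covered by NSGs on both sides.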

                    Scalability and Performance

                    The Hub and Spoke topology in Azure is highly scalable and can handle thousands of virtual networks and subnets. In terms of performance, the Hub and Spoke topology provides efficient and low-latency connectivity between the Spoke networks and the Hub.

                    Security and Compliance

                    The Hub and Spoke topology in Azure provides centralized control over network security and compliance. Security and routing policies can be applied centrally at the Hub, ensuring consistency and compliance with the organization's network policies.

                    Monitoring and Logging

                    Use Network Watcher to monitor and diagnose network problems in the Hub and Spoke topology. Network Watcher provides the following tools:

                    • Monitoring
                      • Topology view shows you the resources in your virtual network and the relationships between them.
                      • Connection monitor allows you to monitor connectivity and latency between endpoints within and outside of Azure.
                    • Network diagnostic tools
                      • IP flow verify helps you detect traffic filtering issues at the virtual machine level.
                      • NSG diagnostics helps you detect traffic filtering issues at the virtual machine, virtual machine scale set, or application gateway level.
                      • Next hop helps you verify traffic routes and detect routing issues.
                      • Connection troubleshoot enables a one-time check of connectivity and latency between a virtual machine and the Bastion host, application gateway, or another virtual machine.
                      • Packet capture allows you to capture traffic from your virtual machine.
                      • VPN troubleshoot runs multiple diagnostic checks on your gateways and VPN connections to help debug issues.
                    • Traffic
                      • Virtual network flow logs have recently been released; they allow you to monitor network traffic in Azure virtual networks, including traffic that traverses the Hub.
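                    To show what a defender can get out of the flow logs mentioned above, here is an added example (not code from the original post) that parses virtual network flow log records and pulls out two signals: sources whose inbound traffic was denied on several distinct ports, and allowed flows that are not encrypted at the VNet level. The record layout and the 13-field order of each flowTuple (timestamp, source IP, destination IP, source port, destination port, protocol, direction I/O, flow state B/C/E/D, encryption X/NX, packets and bytes sent and received) are my reading of the published VNet flow log schema and should be checked against your own exported records; every address, rule name, subscription and resource ID in the sample is constructed.

```python
"""Added example: scan virtual network flow log records for denied inbound
probes and for allowed flows that are not encrypted at the VNet level.
Not code from the original post. The record layout and the flowTuple field
order are assumptions based on the published VNet flow log schema; every
address, rule name and resource ID below is constructed sample data."""
import json

# flowTuple field order (assumption, see docstring)
FIELDS = [
    "ts", "src_ip", "dst_ip", "src_port", "dst_port", "protocol",
    "direction",   # I = inbound, O = outbound
    "state",       # B = begin, C = continuing, E = end, D = denied
    "encryption",  # X = encrypted, NX = not encrypted
    "pkts_sent", "bytes_sent", "pkts_recv", "bytes_recv",
]
INT_FIELDS = ("src_port", "dst_port", "protocol",
              "pkts_sent", "bytes_sent", "pkts_recv", "bytes_recv")

# Constructed sample log: one record for the hub VNet, three flow groups.
SAMPLE_LOG = {"records": [{
    "time": "2024-05-01T10:00:00Z",
    "category": "FlowLogFlowEvent",
    "targetResourceID": "/subscriptions/EXAMPLE-SUB/resourceGroups/MyResourceGroup"
                        "/providers/Microsoft.Network/virtualNetworks/HubVnet",
    "flowRecords": {"flows": [{
        "aclID": "EXAMPLE-NSG-ID",
        "flowGroups": [
            {"rule": "DefaultRule_DenyAllInBound", "flowTuples": [
                "1714557600000,203.0.113.10,10.0.1.4,51234,22,6,I,D,NX,0,0,0,0",
                "1714557601000,203.0.113.10,10.0.1.4,51235,3389,6,I,D,NX,0,0,0,0",
                "1714557602000,203.0.113.10,10.0.1.4,51236,445,6,I,D,NX,0,0,0,0",
                "1714557605000,198.51.100.9,10.0.1.4,50000,22,6,I,D,NX,0,0,0,0",
            ]},
            {"rule": "AllowHttpsInBound", "flowTuples": [
                "1714557603000,198.51.100.7,10.0.1.4,40001,443,6,I,B,NX,12,2048,10,9000",
            ]},
            {"rule": "AllowVnetOutBound", "flowTuples": [
                "1714557604000,10.0.1.4,10.1.0.5,44321,1433,6,O,B,X,30,4096,28,12000",
            ]},
        ],
    }]},
}]}


def parse_tuple(raw):
    """Split one comma-separated flowTuple into a dict with numeric fields converted."""
    parts = raw.split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected flowTuple width {len(parts)}: {raw!r}")
    tup = dict(zip(FIELDS, parts))
    for key in INT_FIELDS:
        tup[key] = int(tup[key])
    return tup


def iter_flows(log):
    """Yield every flow tuple in the log, annotated with its NSG rule and target resource."""
    for rec in log["records"]:
        for flow in rec["flowRecords"]["flows"]:
            for group in flow["flowGroups"]:
                for raw in group["flowTuples"]:
                    tup = parse_tuple(raw)
                    tup["rule"] = group["rule"]
                    tup["target"] = rec["targetResourceID"]
                    yield tup


def denied_inbound_by_source(log, min_ports=3):
    """Map source IP -> sorted destination ports it was denied on, keeping only
    sources denied on at least min_ports distinct ports. Several distinct denied
    ports from one source within a short window is a cheap probe/scan indicator."""
    ports = {}
    for tup in iter_flows(log):
        if tup["direction"] == "I" and tup["state"] == "D":
            ports.setdefault(tup["src_ip"], set()).add(tup["dst_port"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def unencrypted_allowed_flows(log):
    """(src, dst, dst_port) for allowed flows whose encryption flag is NX.
    The flag reports VNet-level encryption only; application TLS (e.g. on 443)
    is invisible here, so read this as an inventory of where VNet encryption
    is not in effect, not as a list of plaintext sessions."""
    return [(tup["src_ip"], tup["dst_ip"], tup["dst_port"])
            for tup in iter_flows(log)
            if tup["state"] != "D" and tup["encryption"] == "NX"]


if __name__ == "__main__":
    print(json.dumps(denied_inbound_by_source(SAMPLE_LOG), indent=2))
    print(unencrypted_allowed_flows(SAMPLE_LOG))
```

On the constructed sample, only 203.0.113.10 crosses the three-port threshold (22, 445 and 3389 denied by the default inbound rule), while the single denied SSH attempt from 198.51.100.9 is kept out of the result; raise or lower `min_ports` to tune noise. Real exports are hourly JSON blobs with many records, so the same functions apply unchanged once the blob is loaded with `json.load`.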

                    Use Cases and Examples

                    The Hub and Spoke topology is ideal for organizations that require centralized connectivity and traffic control between multiple virtual networks in Azure. For example, an organization with multiple branches or departments can use the Hub and Spoke topology to securely and efficiently connect their virtual networks in the cloud.

                    Best Practices and Tips

                    When implementing the Hub and Spoke topology in Azure, it is recommended to follow these best practices:

                    • Security: Apply consistent security policies at the Hub and Spokes to ensure network protection.
                    • Resilience: Configure redundancy and resilience in the topology to ensure network availability in case of failures.
                    • Monitoring: Use monitoring tools like Azure Monitor to monitor network traffic and detect potential performance issues.

                    Conclusion

                    The Hub and Spoke topology is an effective way to simplify the connectivity and management of virtual networks in Azure. It provides centralized control over network connectivity and traffic, making it easier to implement security and routing policies consistently across the network. By following the recommended best practices and tips, organizations can make the most of the Hub and Spoke topology to meet their cloud connectivity needs.

                    References

                    Renaming of the Microsoft Defender for Cloud service tiers

                    It's not news, but I'd like to remind you that Microsoft has changed the names of the Microsoft Defender for Cloud service tiers. Below is a table with the former and new names of the Microsoft Defender for Cloud service tiers:

                    | Former Tier 2 service name | New Tier 2 service name | Tier 4 service name (no change) |
                    |---|---|---|
                    | Advanced Data Security | Microsoft Defender for Cloud | Defender for SQL |
                    | Advanced Threat Protection | Microsoft Defender for Cloud | Defender for container registries |
                    | Advanced Threat Protection | Microsoft Defender for Cloud | Defender for DNS |
                    | Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Key Vault |
                    | Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Kubernetes |
                    | Advanced Threat Protection | Microsoft Defender for Cloud | Defender for MySQL |
                    | Advanced Threat Protection | Microsoft Defender for Cloud | Defender for PostgreSQL |
                    | Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Resource Manager |
                    | Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Storage |
                    | Azure Defender | Microsoft Defender for Cloud | Defender External Attack Surface Management |
                    | Azure Defender | Microsoft Defender for Cloud | Defender for Azure Cosmos DB |
                    | Azure Defender | Microsoft Defender for Cloud | Defender for Containers |
                    | Azure Defender | Microsoft Defender for Cloud | Defender for MariaDB |
                    | Security Center | Microsoft Defender for Cloud | Defender for App Service |
                    | Security Center | Microsoft Defender for Cloud | Defender for Servers |
                    | Security Center | Microsoft Defender for Cloud | Defender Cloud Security Posture Management |

                    Azure Policy useful queries

                    Policy assignments and information about each of its respective definitions

                    // Policy assignments and information about each of its respective definitions
                     // Gets policy assignments in your environment with the respective assignment name,definition associated, category of definition (if applicable), as well as whether the definition type is an initiative or a single policy.
                     
                     policyResources
                    @@ -280,77 +323,4 @@
                                 }
                             }
                     }
                    -

                    Once you've filled out all the fields and written your policy rule, click on Save.

                    Step 4: Assign the Policy

                    • Go back to the Policy service in the Azure portal.
                    • Click on Assignments under the Authoring section.
                    • Click on + Assign Policy.
                    • In Basics, fill out the following fields:
                      • Scope
                        • Scope: Select the scope where you want to assign the policy.
                        • Exclusions: Add any exclusions if needed.
                      • Basics
                        • Policy definition: Select the policy you created.
                        • Assignment name: A unique name for the assignment.
                        • Description: A detailed description of the assignment.
                        • Policy enforcement: Enabled.
                    • In Parameters: Fill out any parameters needed for the policy.
                    • In Non-compliance message: A message to display when a resource is non-compliant.
                    • Click on Review + create: Review the assignment and click on Create.

                    Congratulations! You've just created and assigned your first policy in Azure. It will now evaluate any new or existing resources within its scope.

                    Remember, Azure Policy is a powerful tool for maintaining compliance and managing your resources at scale. Happy coding!

                    Azure Policy, definition schema

                    This is the schema for the Azure Policy definition:

                    {
                    -    "properties": {
                    -        "displayName": {
                    -            "type": "string",
                    -            "description": "The display name of the policy definition."
                    -        },
                    -        "policyType": {
                    -            "type": "string",
                    -            "description": "The policy type of the policy definition."
                    -        },
                    -        "mode": {
                    -            "type": "string",
                    -            "description": "The mode of the policy definition."
                    -        },
                    -        "description": {
                    -            "type": "string",
                    -            "description": "The description of the policy definition."
                    -        },
                    -        "mode": {
                    -            "type": "string",
                    -            "description": "The mode of the policy definition."
                    -        },
                    -        "metadata": {
                    -            "type": "object",
                    -            "description": "The metadata of the policy definition."
                    -        },
                    -        "parameters": {
                    -            "type": "object",
                    -            "description": "The parameters of the policy definition."
                    -        },
                    -        "policyRule": {
                    -            "type": "object",
                    -            "description": "The policy rule of the policy definition. If/then rule."
                    -        }       
                    -
                    -    }
                    -}
                    -

                    You will also see other elements in the schema, such as id, type, and name; whether you need them depends on how you deploy the policy definition.

                    The full schema is in the Azure Policy definition schema.

                    Example

                    Here is an example of a policy definition:

                    {
                    -    "properties": {
                    -        "displayName": "Require a tag and its value",
                    -        "policyType": "Custom",
                    -        "mode": "Indexed",
                    -        "description": "This policy requires a specific tag and its value.",
                    -        "metadata": {
                    -            "category": "Tags"
                    -        },
                    -        "parameters": {
                    -            "tagName": {
                    -                "type": "String",
                    -                "metadata": {
                    -                    "displayName": "Tag Name",
                    -                    "description": "Name of the tag, such as 'environment'"
                    -                }
                    -            },
                    -            "tagValue": {
                    -                "type": "String",
                    -                "metadata": {
                    -                    "displayName": "Tag Value",
                    -                    "description": "Value of the tag, such as 'production'"
                    -                }
                    -            }
                    -        },
                    -        "policyRule": {
                    -            "if": {
                    -                "field": "[concat('tags[', parameters('tagName'), ']')]",
                    -                "exists": "false"
                    -            },
                    -            "then": {
                    -                "effect": "deny"
                    -            }
                    -        }
                    -    }
                    -}
                    -

                    This policy definition requires a specific tag and its value. If the tag does not exist, the policy denies the action.

                    As you can see, the most important part of the policy definition is the policy rule.

                    Note

                    The policy rule is where you describe the logic that enforces the policy.

                    Conclusion

                    Understanding the schema for Azure Policy definitions is essential for creating and managing policies effectively. By defining the necessary attributes and rules, you can enforce compliance, security, and operational standards across your Azure environment. Leveraging the Azure Policy definition schema allows you to tailor policies to your organization's specific requirements and ensure consistent governance practices.

                    References

                    \ No newline at end of file +

                    Once you've filled out all the fields and written your policy rule, click on Save.

                    Step 4: Assign the Policy

                    • Go back to the Policy service in the Azure portal.
                    • Click on Assignments under the Authoring section.
                    • Click on + Assign Policy.
                    • In Basics, fill out the following fields:
                      • Scope
                        • Scope: Select the scope where you want to assign the policy.
                        • Exclusions: Add any exclusions if needed.
                      • Basics
                        • Policy definition: Select the policy you created.
                        • Assignment name: A unique name for the assignment.
                        • Description: A detailed description of the assignment.
                        • Policy enforcement: Enabled.
                    • In Parameters: Fill out any parameters needed for the policy.
                    • In Non-compliance message: A message to display when a resource is non-compliant.
                    • Click on Review + create: Review the assignment and click on Create.

                    Congratulations! You've just created and assigned your first policy in Azure. It will now evaluate any new or existing resources within its scope.

                    Remember, Azure Policy is a powerful tool for maintaining compliance and managing your resources at scale. Happy coding!

                \ No newline at end of file diff --git a/blog/category/azure-services/page/2/index.html b/blog/category/azure-services/page/2/index.html index 5f69a08..326fed6 100644 --- a/blog/category/azure-services/page/2/index.html +++ b/blog/category/azure-services/page/2/index.html @@ -7,7 +7,80 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

                Azure Services

                Writing Your First Initiative with Portal

                Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

                In this post, we'll walk through the steps of creating your first initiative in Azure.

                Info

                You need to have a good understanding of Azure Policy before creating an initiative. If you're new to Azure Policy, check out our post on Azure Policy and Writing Your First Policy in Azure with Portal.

                Prerequisites

                1. An active Azure subscription.
                2. Access to Azure portal.
                3. An Azure Policy defined in your subscription; if you don't have one, follow the steps in Writing Your First Policy in Azure with Portal.

                Step 1: Open Azure Policy

                • Log in to the Azure Portal.
                • In the left-hand menu, click on All services.
                • In the All services blade, search for Policy.

                Step 2: Create a New Initiative Definition

                • Click on Definitions under the Authoring section.
                • Click on + Initiative definition.

                Step 3: Fill Out the Initiative Definition

                You will need to fill out several fields:

                • Basics:
                  • Initiative location: The location where the initiative is stored.
                  • Name: This is a unique name for your initiative.
                  • Description: A detailed description of what the initiative does.
                  • Category: You can categorize your initiative for easier searching and filtering.
                • Policies:
                  • Add policy definition(s): Here you can add the policies that will be part of the initiative.
                • Initiative parameters:
                  • Add parameter: Here you can add parameters that will be used in the initiative.
                    (screenshot: Initiative parameters)
                • Policy parameters:
                  • Add policy parameter: Here you can add parameters that will be used in the policies that are part of the initiative. You can use the parameters defined in the initiative as values for different policies.
                    (screenshot: Policy parameters)

                • Click on Review + create: Review the assignment and click on Create.

                Step 4: Assign the Initiative

                • Go to Policy again.
                • Go to Assignments under the Authoring section.
                • Click on + Assign initiative.

                You will need to fill out several fields:

                • Basics:
                  • Scope: Select the scope where you want to assign the initiative.
                • Basics:
                  • Initiative definition: Select the initiative you just created.
                  • Assignment name: A unique name for the assignment.
                  • Description: A detailed description of what the assignment does.
                  • Policy enforcement: Choose the enforcement mode for the assignment.
                • Parameters:
                  • Add parameter: Initialize parameters that will be used in the initiative.
                • Remediation:
                  • Auto-remediation: Enable or disable auto-remediation. This means that if a resource is not compliant, it will be remediated automatically. Another post will explain how to create a remediation task.
                • Non-compliance messages:
                  • Non-compliance message: Define a message that will be shown when a resource is not compliant.

                • Click on Review + create: Review the assignment and click on Create.

                Conclusion

                Creating an initiative in Azure Policy is a powerful way to group policies together and enforce them across your Azure environment. By defining initiatives, you can streamline governance, simplify compliance management, and ensure consistent application of policies to your resources. Start creating initiatives today to enhance the security, compliance, and operational efficiency of your Azure environment.

                Azure Policy

                Azure Policy serves as a powerful tool for implementing governance across your Azure environment. It helps ensure resource consistency, regulatory compliance, security, cost management, and efficient operations.

                As organizations leverage the power of Azure for their cloud infrastructure, ensuring governance, compliance, and security becomes paramount. Azure Policy, along with policies and initiatives, provides a robust framework to enforce and assess compliance with organizational standards and regulatory requirements. Let's delve into these concepts to understand how they work together.

                Azure Policy Overview

                Azure Policy is a service in Azure that allows you to create, assign, and manage policies. These policies enforce different rules and effects over resources, so those resources stay compliant with corporate standards and service-level agreements.

                Azure Policy helps to address questions like:

                • Are all virtual machines encrypted using Azure Disk Encryption?
                • Are resources deployed only in certain Azure regions?
                • Are specific tags applied to resources for tracking and organization?

                Policies in Azure Policy are defined using JSON-based policy definitions. These definitions can be simple or complex, depending on the requirements. Once a policy is created, it can be assigned to specific scopes within Azure, such as subscriptions, resource groups, or even individual resources.

                Info

                It's important to recognize that with the introduction of Azure Arc, you can extend your policy-based governance across different cloud providers and even to your local datacenters.

                Policies

                Policies in Azure Policy are rules that enforce different requirements and effects on resources. These policies can be related to security, compliance, or management. For instance, you can have a policy that ensures all publicly accessible storage accounts are secured with a firewall or a policy that enforces a specific naming convention for virtual machines.

                Key attributes of policies include:

                • Effect: Determines what happens when the condition in the policy is met (e.g., deny the action, audit the action, append a tag).
                • Condition: Defines when the policy is enforced based on properties of the resource being evaluated.
                • Action: Specifies what happens when a resource violates the policy (e.g., deny deployment, apply audit).

                Policies can be built-in (provided by Azure) or custom (defined by the organization). They play a vital role in maintaining compliance and security standards across Azure environments.

                Initiatives

                Initiatives in Azure Policy are collections of policies that are grouped together as a single unit. This simplifies the process of assigning multiple policies to different scopes simultaneously. Initiatives help in enforcing complex requirements and compliance standards by grouping related policies together.

                graph TD;
                +    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                Azure Services

                Azure Policy, definition schema

                This is the schema for the Azure Policy definition:

                {
                +    "properties": {
                +        "displayName": {
                +            "type": "string",
                +            "description": "The display name of the policy definition."
                +        },
                +        "policyType": {
                +            "type": "string",
                +            "description": "The policy type of the policy definition."
                +        },
                +        "mode": {
                +            "type": "string",
                +            "description": "The mode of the policy definition."
                +        },
                +        "description": {
                +            "type": "string",
                +            "description": "The description of the policy definition."
                +        },
                +        "mode": {
                +            "type": "string",
                +            "description": "The mode of the policy definition."
                +        },
                +        "metadata": {
                +            "type": "object",
                +            "description": "The metadata of the policy definition."
                +        },
                +        "parameters": {
                +            "type": "object",
                +            "description": "The parameters of the policy definition."
                +        },
                +        "policyRule": {
                +            "type": "object",
                +            "description": "The policy rule of the policy definition. If/then rule."
                +        }       
                +
                +    }
                +}
                +
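                Review bot: the `mode` property is declared twice in this schema object (once after `policyType`, again after `description`); most JSON parsers keep only the last duplicate key silently, so the second `"mode": { ... }` block should be removed. Since `mode` is the one field here whose value changes what gets evaluated (`All` versus `Indexed`), its description could also say that `Indexed` restricts evaluation to resource types that support tags and location, which is why the tag example later in the post uses it.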

                You will also see other elements in the schema, such as id, type, and name; whether you need them depends on how you deploy the policy definition.

                The full schema is in the Azure Policy definition schema.

                Example

                Here is an example of a policy definition:

                {
                +    "properties": {
                +        "displayName": "Require a tag and its value",
                +        "policyType": "Custom",
                +        "mode": "Indexed",
                +        "description": "This policy requires a specific tag and its value.",
                +        "metadata": {
                +            "category": "Tags"
                +        },
                +        "parameters": {
                +            "tagName": {
                +                "type": "String",
                +                "metadata": {
                +                    "displayName": "Tag Name",
                +                    "description": "Name of the tag, such as 'environment'"
                +                }
                +            },
                +            "tagValue": {
                +                "type": "String",
                +                "metadata": {
                +                    "displayName": "Tag Value",
                +                    "description": "Value of the tag, such as 'production'"
                +                }
                +            }
                +        },
                +        "policyRule": {
                +            "if": {
                +                "field": "[concat('tags[', parameters('tagName'), ']')]",
                +                "exists": "false"
                +            },
                +            "then": {
                +                "effect": "deny"
                +            }
                +        }
                +    }
                +}
                +
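                Review bot: the `tagValue` parameter is declared but never referenced in `policyRule`, and the `if` condition only tests `"exists": "false"`, so the rule denies resources that lack the tag but accepts the tag with any value; that does not match the displayName `Require a tag and its value` or the description. Either drop `tagValue` and rename the definition to "Require a tag", or wrap the condition in an `anyOf` that adds a second clause `{ "field": "[concat('tags[', parameters('tagName'), ']')]", "notEquals": "[parameters('tagValue')]" }` so a wrong value is denied as well. Worth adding a one-line note that `deny` only blocks new or updated deployments; existing non-compliant resources are reported, not changed.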

                This policy definition requires a specific tag and its value. If the tag does not exist, the policy denies the action.

                As you can see, the most important part of the policy definition is the policy rule.

                Note

                The policy rule is where you describe the logic that enforces the policy.
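                To make the note above concrete, here is an added example (not the post's code and not the Azure Policy engine) with a small evaluator for the if/then shape of a policy rule. It runs the post's "Require a tag and its value" rule against three constructed resources and shows that the rule as written denies only a missing tag, then does the same with a hardened variant (my own, not from the post) that also denies a wrong value. The evaluator supports only the operators used here (exists, equals, notEquals, in, anyOf, allOf, not) and the two expression forms the post uses; the resource objects, parameter values and the simplified missing-field semantics are assumptions.

```python
"""Added example: a small evaluator for the if/then shape of an Azure Policy
rule, used to show what the post's 'Require a tag and its value' rule actually
enforces and how a value check changes the outcome. Not the post's code and
not the Azure Policy engine; it supports only the operators used here
(exists, equals, notEquals, in, anyOf, allOf, not) and two expression forms.
All resources below are constructed."""
import json
import re

PARAMS = {"tagName": "environment", "tagValue": "production"}

# The post's rule: denies only when the tag is absent.
RULE_EXISTS_ONLY = {
    "if": {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
    "then": {"effect": "deny"},
}

# Hardened variant (assumption: my own rewrite, not from the post):
# deny when the tag is absent OR present with a value other than tagValue.
RULE_WITH_VALUE = {
    "if": {"anyOf": [
        {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
        {"field": "[concat('tags[', parameters('tagName'), ']')]",
         "notEquals": "[parameters('tagValue')]"},
    ]},
    "then": {"effect": "deny"},
}

_PARAM_RE = re.compile(r"parameters\('([^']+)'\)")
_CONCAT_PART_RE = re.compile(r"'([^']*)'|parameters\('([^']+)'\)")
_TAG_FIELD_RE = re.compile(r"^tags\[(.+)\]$")


def resolve(expr, params):
    """Resolve "[parameters('x')]" and "[concat('lit', parameters('x'), ...)]";
    anything else is returned as a literal."""
    if not (isinstance(expr, str) and expr.startswith("[") and expr.endswith("]")):
        return expr
    inner = expr[1:-1]
    if inner.startswith("concat(") and inner.endswith(")"):
        parts = _CONCAT_PART_RE.findall(inner[len("concat("):-1])
        return "".join(params[name] if name else lit for lit, name in parts)
    match = _PARAM_RE.fullmatch(inner)
    return params[match.group(1)] if match else expr


def get_field(resource, field):
    """Return (present, value) for a resolved alias: 'tags[name]' or a top-level property."""
    match = _TAG_FIELD_RE.match(field)
    if match:
        tags = resource.get("tags") or {}
        return match.group(1) in tags, tags.get(match.group(1))
    return field in resource, resource.get(field)


def evaluate_condition(cond, resource, params):
    """True when the condition matches the resource (simplified Azure semantics)."""
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    present, value = get_field(resource, resolve(cond["field"], params))
    if "exists" in cond:
        return present == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:      # a missing field (value None) never equals
        return value == resolve(cond["equals"], params)
    if "notEquals" in cond:   # a missing field counts as not equal
        return value != resolve(cond["notEquals"], params)
    if "in" in cond:
        return value in [resolve(v, params) for v in cond["in"]]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(rule, resource, params):
    """Effect the rule produces for this resource; 'allow' when the if-clause does not match."""
    return rule["then"]["effect"] if evaluate_condition(rule["if"], resource, params) else "allow"


SAMPLE_RESOURCES = {  # constructed
    "no-tag": {"type": "Microsoft.Storage/storageAccounts", "location": "eastus", "tags": {}},
    "wrong-value": {"type": "Microsoft.Storage/storageAccounts", "location": "eastus",
                    "tags": {"environment": "dev"}},
    "right-value": {"type": "Microsoft.Storage/storageAccounts", "location": "eastus",
                    "tags": {"environment": "production"}},
}


def compare_rules():
    """name -> (effect under the post's rule, effect under the hardened rule)."""
    return {name: (evaluate(RULE_EXISTS_ONLY, res, PARAMS), evaluate(RULE_WITH_VALUE, res, PARAMS))
            for name, res in SAMPLE_RESOURCES.items()}


if __name__ == "__main__":
    print(json.dumps(compare_rules(), indent=2))
```

The interesting row is "wrong-value": a storage account tagged `environment: dev` passes the post's rule and is denied only by the variant with the `notEquals` clause, which is the behaviour the displayName promises. The `anyOf` ordering matters for readability only; both clauses resolve the same field alias through `resolve`, so the evaluator is the same path a real `tags[...]` condition takes.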

                Conclusion

                Understanding the schema for Azure Policy definitions is essential for creating and managing policies effectively. By defining the necessary attributes and rules, you can enforce compliance, security, and operational standards across your Azure environment. Leveraging the Azure Policy definition schema allows you to tailor policies to your organization's specific requirements and ensure consistent governance practices.

                References

                Writing Your First Initiative with Portal

                Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

                In this post, we'll walk through the steps of creating your first initiative in Azure.

                Info

                You need to have a good understanding of Azure Policy before creating an initiative. If you're new to Azure Policy, check out our post on Azure Policy and Writing Your First Policy in Azure with Portal.

                Prerequisites

                1. An active Azure subscription.
                2. Access to Azure portal.
                3. An Azure Policy defined in your subscription; if you don't have one, follow the steps in Writing Your First Policy in Azure with Portal.

                Step 1: Open Azure Policy

                • Log in to the Azure Portal.
                • In the left-hand menu, click on All services.
                • In the All services blade, search for Policy.

                Step 2: Create a New Initiative Definition

                • Click on Definitions under the Authoring section.
                • Click on + Initiative definition.

                Step 3: Fill Out the Initiative Definition

                You will need to fill out several fields:

                • Basics:
                  • Initiative location: The location where the initiative is stored.
                  • Name: This is a unique name for your initiative.
                  • Description: A detailed description of what the initiative does.
                  • Category: You can categorize your initiative for easier searching and filtering.
                • Policies:
                  • Add policy definition(s): Here you can add the policies that will be part of the initiative.
                • Initiative parameters:
                  • Add parameter: Here you can add parameters that will be used in the initiative.
                    (screenshot: Initiative parameters)
                • Policy parameters:
                  • Add policy parameter: Here you can add parameters that will be used in the policies that are part of the initiative. You can use the parameters defined in the initiative as values for different policies.
                    (screenshot: Policy parameters)

• Click on Review + create: Review the initiative definition and click on Create.

                Step 4: Assign the Initiative

                • Go to Policy again.
                • Go to Assignments under the Authoring section.
                • Click on + Assign initiative.

You will need to fill out several fields:

• Basics:
  • Scope: Select the scope where you want to assign the initiative.
  • Initiative definition: Select the initiative you just created.
  • Assignment name: A unique name for the assignment.
  • Description: A detailed description of what the assignment does.
  • Policy enforcement: Choose the enforcement mode for the assignment.
• Parameters:
  • Add parameter: Initialize the parameters that will be used in the initiative.
• Remediation:
  • Auto-remediation: Enable or disable auto-remediation. When enabled, a resource that is not compliant is remediated automatically. How to create a remediation task will be explained in another post.
• Non-compliance messages:
  • Non-compliance message: Define a message that will be shown when a resource is not compliant.

                • Click on Review + create: Review the assignment and click on Create.
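The same initiative built from PowerShell instead of the portal, as an added example that is not from the original post. It declares one initiative parameter, allowedLocations, and passes it down as the value of each member policy's own parameter (the point of the Initiative parameters and Policy parameters fields in Step 3), then assigns the initiative at a resource group scope as in Step 4. The two policy definition IDs, the member policies' parameter name listOfAllowedLocations, and the resource group name are placeholders or assumptions to replace with values from your tenant.

```powershell
# Added example (not from the original post). Requires the Az.Resources and
# Az.PolicyInsights modules and an existing session (Connect-AzAccount).
# Values in <angle brackets> are placeholders.

# Initiative parameters: declared once on the initiative, supplied at assignment time.
$initiativeParameters = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": {
      "displayName": "Allowed locations",
      "description": "Regions in which resources and resource groups may be created"
    },
    "defaultValue": [ "westeurope", "northeurope" ]
  }
}
'@

# Policy parameters: each member policy receives the initiative parameter as its value,
# so both policies always enforce the same region list. The member parameter name
# (assumed here to be listOfAllowedLocations) must match what the policy definition declares.
$policyDefinitions = @'
[
  {
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/<allowed-locations-policy-id>",
    "parameters": {
      "listOfAllowedLocations": { "value": "[parameters('allowedLocations')]" }
    }
  },
  {
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/<allowed-locations-for-resource-groups-policy-id>",
    "parameters": {
      "listOfAllowedLocations": { "value": "[parameters('allowedLocations')]" }
    }
  }
]
'@

# Step 3 equivalent: create the initiative definition (name, description, category,
# member policies and parameters).
$initiative = New-AzPolicySetDefinition `
    -Name 'restrict-deployment-regions' `
    -DisplayName 'Restrict deployment regions' `
    -Description 'Resources and resource groups may only be created in approved regions.' `
    -Metadata '{ "category": "Governance" }' `
    -Parameter $initiativeParameters `
    -PolicyDefinition $policyDefinitions

# Step 4 equivalent: assign it at a resource group scope, override the initiative
# parameter for this scope, enforce it (Default) and set a non-compliance message.
$scope = (Get-AzResourceGroup -Name '<resource-group-name>').ResourceId

New-AzPolicyAssignment `
    -Name 'restrict-deployment-regions' `
    -DisplayName 'Restrict deployment regions (sandbox)' `
    -Scope $scope `
    -PolicySetDefinition $initiative `
    -PolicyParameterObject @{ allowedLocations = @('westeurope') } `
    -EnforcementMode Default `
    -NonComplianceMessage @{ Message = 'Deployment denied: the region is not in the approved list.' }

# Check: once the first evaluation has run, list the resources in scope that
# violate any policy of the initiative.
Get-AzPolicyState -ResourceGroupName '<resource-group-name>' `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName
```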

                Conclusion

                Creating an initiative in Azure Policy is a powerful way to group policies together and enforce them across your Azure environment. By defining initiatives, you can streamline governance, simplify compliance management, and ensure consistent application of policies to your resources. Start creating initiatives today to enhance the security, compliance, and operational efficiency of your Azure environment.

                Azure Policy

Azure Policy serves as a powerful tool for implementing governance across your Azure environment. It helps ensure resource consistency, regulatory compliance, security, cost management, and efficient operations.

                As organizations leverage the power of Azure for their cloud infrastructure, ensuring governance, compliance, and security becomes paramount. Azure Policy, along with policies and initiatives, provides a robust framework to enforce and assess compliance with organizational standards and regulatory requirements. Let's delve into these concepts to understand how they work together.

                Azure Policy Overview

                Azure Policy is a service in Azure that allows you to create, assign, and manage policies. These policies enforce different rules and effects over resources, so those resources stay compliant with corporate standards and service-level agreements.

                Azure Policy helps to address questions like:

                • Are all virtual machines encrypted using Azure Disk Encryption?
                • Are resources deployed only in certain Azure regions?
                • Are specific tags applied to resources for tracking and organization?

                Policies in Azure Policy are defined using JSON-based policy definitions. These definitions can be simple or complex, depending on the requirements. Once a policy is created, it can be assigned to specific scopes within Azure, such as subscriptions, resource groups, or even individual resources.

                Info

                It's important to recognize that with the introduction of Azure Arc, you can extend your policy-based governance across different cloud providers and even to your local datacenters.

                Policies

                Policies in Azure Policy are rules that enforce different requirements and effects on resources. These policies can be related to security, compliance, or management. For instance, you can have a policy that ensures all publicly accessible storage accounts are secured with a firewall or a policy that enforces a specific naming convention for virtual machines.

Key attributes of policies include:

• Effect: Determines what happens when the condition in the policy is met (e.g., deny the action, audit the action, append a tag).
• Condition: Defines when the policy is enforced based on properties of the resource being evaluated.
• Action: Specifies what happens when a resource violates the policy (e.g., deny deployment, apply audit).

                Policies can be built-in (provided by Azure) or custom (defined by the organization). They play a vital role in maintaining compliance and security standards across Azure environments.

                Initiatives

                Initiatives in Azure Policy are collections of policies that are grouped together as a single unit. This simplifies the process of assigning multiple policies to different scopes simultaneously. Initiatives help in enforcing complex requirements and compliance standards by grouping related policies together.

                graph TD;
                     A[Azure Policy] -->|Contains| B1[Policy 1]
                     A[Azure Policy] -->|Contains| B2[Policy 2]
                     A[Azure Policy] -->|Contains| B3[Policy 3]
                diff --git a/blog/category/azure-updates/index.html b/blog/category/azure-updates/index.html
                index 23b87c8..d3b534c 100644
                --- a/blog/category/azure-updates/index.html
                +++ b/blog/category/azure-updates/index.html
                @@ -7,4 +7,4 @@
                     .gdesc-inner { font-size: 0.75rem; }
                     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
                     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
                -    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       
                \ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
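Review bot: this hunk is whitespace-only (the removed and added `.gslide-desc` rules are identical apart from trailing spaces and the missing final newline), so it adds history churn without changing the rendered page. The same pattern repeats in every category `index.html` touched by this diff, so fix it once at the source: have the site generator emit normalized line endings without trailing whitespace, or keep the built `index.html` files out of version control instead of committing them page by page.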

                Azure Updates

                Azure updates RSS feed

                All the Azure updates in one place.

                By category

                Custom

                https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=category1%2Ccategory2%2Ccategory3

                For example:

                https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=featured%2Cai-machine-learning%2Canalytics

                \ No newline at end of file diff --git a/blog/category/azure/index.html b/blog/category/azure/index.html new file mode 100644 index 0000000..40aa66e --- /dev/null +++ b/blog/category/azure/index.html @@ -0,0 +1,133 @@ + Azure - Un Rinconcito donde contar lo que quiera

                Azure

                Azure Role-Based Access Control (RBAC)

                Azure Role-Based Access Control (RBAC) is a system that provides fine-grained access management of resources in Azure. This allows administrators to grant only the amount of access that users need to perform their jobs.

                Overview

                In Azure RBAC, you can assign roles to user accounts, groups, service principals, and managed identities at different scopes. The scope could be a management group, subscription, resource group, or a single resource.

                Here are some key terms you should know:

                • Role: A collection of permissions. For example, the "Virtual Machine Contributor" role allows the user to create and manage virtual machines.
                • Scope: The set of resources that the access applies to.
                • Assignment: The act of granting a role to a security principal at a particular scope.

                Built-in Roles

                Azure provides several built-in roles that you can assign to users, groups, service principals, and managed identities. Here are a few examples:

                • Owner: Has full access to all resources including the right to delegate access to others.
                • Contributor: Can create and manage all types of Azure resources but can’t grant access to others.
                • Reader: Can view existing Azure resources.
                {
                +  "Name": "Contributor",
                +  "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
                +  "IsCustom": false,
                +  "Description": "Lets you manage everything except access to resources.",
                +  "Actions": [
                +    "*"
                +  ],
                +  "NotActions": [
                +    "Microsoft.Authorization/*/Delete",
                +    "Microsoft.Authorization/*/Write",
                +    "Microsoft.Authorization/elevateAccess/Action"
                +  ],
                +  "DataActions": [],
                +  "NotDataActions": [],
                +  "AssignableScopes": [
                +    "/"
                +  ]
                +}
                +

                Custom Roles

                If the built-in roles don't meet your specific needs, you can create your own custom roles. Just like built-in roles, you can assign permissions to custom roles and then assign those roles to users.
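As an added example that is not part of the original post, a custom role written in the same JSON shape as the Contributor definition above but in the opposite direction: it grants only the reads needed to audit role assignments and definitions, so a reporting identity can see who has access without being able to change it. The subscription ID and the principal object ID are placeholders.

```powershell
# Added example (not from the original post): least-privilege custom role for auditing RBAC.
# Requires the Az.Resources module and an existing session. <subscription-id> and
# <principal-object-id> are placeholders.
$roleJson = @'
{
  "Name": "RBAC Auditor",
  "IsCustom": true,
  "Description": "Read role definitions and role assignments in the subscription without the ability to change them.",
  "Actions": [
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleDefinitions/read",
    "Microsoft.Resources/subscriptions/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}
'@

# New-AzRoleDefinition accepts the same JSON document that Get-AzRoleDefinition emits.
$roleFile = Join-Path ([System.IO.Path]::GetTempPath()) 'rbac-auditor-role.json'
Set-Content -Path $roleFile -Value $roleJson -Encoding utf8
$role = New-AzRoleDefinition -InputFile $roleFile

# Guard before assigning: the role must carry nothing beyond read operations,
# i.e. none of the write/delete/action permissions that Contributor's NotActions deny.
$risky = $role.Actions | Where-Object { $_ -notlike '*/read' }
if ($risky) { throw "Role grants more than reads: $($risky -join ', ')" }

# Assign it to the identity that runs the reporting script, at subscription scope only.
New-AzRoleAssignment -ObjectId '<principal-object-id>' `
    -RoleDefinitionName $role.Name `
    -Scope "/subscriptions/<subscription-id>"
```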

                Conclusion

                Azure RBAC is a powerful tool for managing access to your Azure resources. By understanding its core concepts and how to apply them, you can ensure that users have the appropriate level of access for their job.

How to create assignment reports for Azure RBAC

                Role-Based Access Control (RBAC) is a key feature of Azure that allows you to manage access to Azure resources. With RBAC, you can grant permissions to users, groups, and applications at a certain scope, such as a subscription, resource group, or resource. RBAC uses role assignments to determine what actions a user, group, or application can perform on a resource.

                In this article, we will show you how to create reports for role assignments in Azure using PowerShell and the ImportExcel module. We will generate separate Excel files for role assignments at the subscription and management group levels, including information such as the role, principal, scope, and whether the assignment is inherited.

                This is the PowerShell script that generates the role assignment reports:

                # Parameters setup
                +param (
                +    [Parameter(Mandatory=$false)]
                +    [string]$SubscriptionId,
                +
                +    [Parameter(Mandatory=$false)]
                +    [string]$ManagementGroupName,
                +
                +    [Parameter(Mandatory=$false)]
                +    [bool]$GetSubscriptions = $false,
                +
                +    [Parameter(Mandatory=$false)]
                +    [bool]$GetManagementGroups = $true
                +)
                +
                +
                +# Install the ImportExcel module if not already installed
                +if (!(Get-Module -ListAvailable -Name ImportExcel)) {
                +    Install-Module -Name ImportExcel -Scope CurrentUser
                +}
                +
                +# Define the path to your Excel file for Managing Group role assignments
                +$managementGroupPath = ".\AzRoleAssignmentMg.xlsx"
                +# Define the path to your Excel file for Subscription role assignments
                +$subscriptionPath = ".\AzRoleAssignmentSub.xlsx"
                +
                +# Initialize an empty array to hold all role assignments
                +$subscriptionRoleAssignments = @()
                +$managementGroupRoleAssignments = @()
                +
                +# Get all management groups
                +$managementGroups = Get-AzManagementGroup
                +
                +# Loop through each management group
                +foreach ($mg in $managementGroups) {
                +    # Get role assignments for the current management group
                +    $roleAssignments = Get-AzRoleAssignment -Scope "/providers/Microsoft.Management/managementGroups/$($mg.Name)"
                +
                +    # Add these role assignments to the management group role assignments array
                +    $managementGroupRoleAssignments += $roleAssignments
                +
                +    # Add 'GroupName' and 'IsInherited' properties to each role assignment object
                +    $roleAssignments | ForEach-Object { 
                +        $_ | Add-Member -NotePropertyName 'GroupDisplayName' -NotePropertyValue $mg.DisplayName
                +        $_ | Add-Member -NotePropertyName 'GroupName' -NotePropertyValue $mg.Name 
                +        # If the Scope of the role assignment is equal to the Id of the management group,
                +        # then the role assignment is not inherited; otherwise, it is inherited.
                +        if ($_.Scope -eq $mg.Id) {
                +            $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $false
                +        } else {
                +            $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $true
                +        }
                +    }
                +
                +    # Export the role assignments to a new sheet in the Excel file
                +    $roleAssignments | Export-Excel -Path $managementGroupPath -WorksheetName $mg.DisplayName -AutoSize -AutoFilter
                +}
                +
                +if ($GetSubscriptions) {   
                +    # Check if SubscriptionId is provided
                +    if ($SubscriptionId) {
                +        # Get role assignments for the specified subscription
                +        $roleAssignments = Get-AzRoleAssignment -Scope "/subscriptions/$SubscriptionId"
                +
                +        # Add these role assignments to the subscription role assignments array
                +        $subscriptionRoleAssignments += $roleAssignments
                +
                +        # Add 'SubscriptionName' and 'IsInherited' properties to each role assignment object
                +        $roleAssignments | ForEach-Object { 
                +            $_ | Add-Member -NotePropertyName 'SubscriptionName' -NotePropertyValue (Get-AzSubscription -SubscriptionId $SubscriptionId).Name 
                +            $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $false
                +        }
                +
                +        # Export the role assignments to a new sheet in the Excel file
                +        $roleAssignments | Export-Excel -Path $subscriptionPath -WorksheetName (Get-AzSubscription -SubscriptionId $SubscriptionId).Name -AutoSize -AutoFilter
                +    } else {
                +        # Get all subscriptions
                +        $subscriptions = Get-AzSubscription
                +
                +        # Loop through each subscription
                +        foreach ($sub in $subscriptions) {
                +            # Get role assignments for the current subscription
                +            $roleAssignments = Get-AzRoleAssignment -Scope "/subscriptions/$($sub.SubscriptionId)"
                +
                +            # Add these role assignments to the subscription role assignments array
                +            $subscriptionRoleAssignments += $roleAssignments
                +
                +            # Add 'SubscriptionName' and 'IsInherited' properties to each role assignment object
                +            $roleAssignments | ForEach-Object { 
                +                $_ | Add-Member -NotePropertyName 'SubscriptionName' -NotePropertyValue $sub.Name
                +                 # If the Scope of the role assignment is equal to the subscription Id,
                +                 # then the role assignment is not inherited; otherwise, it is inherited.
                +                if ($_.Scope -eq "/subscriptions/$($sub.Id)") {
                +                    $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $false
                +                } else {
                +                    $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $true                }
                +
                +            }
                +
                +            # Export the role assignments to a new sheet in the Excel file
                +            $roleAssignments | Export-Excel -Path $subscriptionPath -WorksheetName $sub.Name -AutoSize -AutoFilter
                +        }
                +    }
                +}
                +
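Review bot: the `$GetManagementGroups` parameter is declared but never checked, so the management-group block (from `$managementGroups = Get-AzManagementGroup` through the `foreach ($mg in $managementGroups)` loop) runs on every invocation even when the caller passes `-GetManagementGroups $false`; wrap it in `if ($GetManagementGroups) { ... }` to mirror the `if ($GetSubscriptions)` branch below it. Two smaller points: `$subscriptionRoleAssignments` and `$managementGroupRoleAssignments` are accumulated with `+=` but never exported or returned, so either drop them or export them as a combined sheet; and in the single-subscription branch `Get-AzSubscription -SubscriptionId $SubscriptionId` is called once per role assignment inside the `ForEach-Object` and again for `-WorksheetName`, one extra API round-trip per row, so read the name into a variable once before the loop. Also, Excel rejects worksheet names longer than 31 characters or containing `[]:*?/\`, so `-WorksheetName $mg.DisplayName` and `$sub.Name` should be sanitized before `Export-Excel` is called.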
                \ No newline at end of file diff --git a/blog/category/development/index.html b/blog/category/development/index.html index 159a206..42eb793 100644 --- a/blog/category/development/index.html +++ b/blog/category/development/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

                Development

Starting to develop in C#

                First, I need to clarify that I'm not a C# developer. I'm learning C# so I can better understand the code that has to be deployed to some Azure services when .NET is used.

If someone who knows me is reading this post, he/she will be thinking:

                • "What the hell is he doing?"
                • "He is crazy"
                • "He is going to die trying".
                • The end of the world is approaching!!

Maybe the last thought could really be true, but I have to say that I have decided to learn a programming language and that I have chosen C# because many of the examples for Azure developers that I have seen are written in C#.

                I repeat, I am not a developer but I'd like to share with you my experience learning C#.

                My first Steps

You have a lot of resources for learning on Learn .NET and in the C# documentation.

In my case I prefer to simplify and follow csharp-notebooks; these materials are designed to be used with the C# 101 SERIES.

                After that, I will follow the free course (New) Foundational C# with Microsoft.

                And after that, I think that I will be ready to start with Tutorials for getting started with .NET and plan next steps.

                That's all folks!!

                \ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

                \ No newline at end of file diff --git a/blog/category/devops/index.html b/blog/category/devops/index.html index 9b755ce..473ea6a 100644 --- a/blog/category/devops/index.html +++ b/blog/category/devops/index.html @@ -7,7 +7,7 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

                +    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                DevOps

                Trunk

                What is Trunk ?

                Trunk is a tool that runs a suite of security and best practice checks against your code. It is designed to be used in CI/CD pipelines, but can also be used as a standalone tool.

                Support for the following languages is currently available:

                Installing Trunk

curl https://get.trunk.io -fsSL | bash

code --install-extension Trunk.io

                Trunk checks

                Trunk checks cli

Trunk detects which checks to enable based on the files in the current directory, but you can also enable and disable checks manually.

• trunk check list: list all available checks
• trunk check enable checkname: enable a check
• trunk check disable checkname: disable a check
• trunk check: run all enabled checks

                For example, to enable the Terraform check:

                trunk check enable terraform 
                 1 linter was enabled:
                diff --git a/blog/category/english/index.html b/blog/category/english/index.html
                index f4102d4..fda0404 100644
                --- a/blog/category/english/index.html
                +++ b/blog/category/english/index.html
                @@ -7,7 +7,7 @@
                     .gdesc-inner { font-size: 0.75rem; }
                     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
                     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
                -    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                +    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                diff --git a/blog/category/hello_world/index.html b/blog/category/hello_world/index.html
                index 88339ee..f4b248a 100644
                --- a/blog/category/hello_world/index.html
                +++ b/blog/category/hello_world/index.html
                @@ -7,4 +7,4 @@
                     .gdesc-inner { font-size: 0.75rem; }
                     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
                     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
                -    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       
                \ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
                \ No newline at end of file diff --git a/blog/category/learning/index.html b/blog/category/learning/index.html index 378fda9..3ffff9c 100644 --- a/blog/category/learning/index.html +++ b/blog/category/learning/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

                Learning

                Microsoft Azure Certifications

                Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft technologies. These certifications cover a variety of topics, including Azure, Office 365, Windows Server, and more.

Microsoft divides these certifications into different categories, such as:

                • Infrastructure
                • Data and AI
                • Digital app and innovation
                • Modern work
                • Business applications
                • Security

Within each category, you can find different certification levels:

                • Fundamentals: This level is designed for individuals who are new to the technology and want to demonstrate their knowledge of the basics.
                • Role-based: This level is designed for individuals who want to demonstrate their expertise in a specific role, such as Azure Administrator or Data Engineer.
                • Specialty: This level is designed for individuals who want to demonstrate their expertise in a specific skill, such as Azure Virtual Desktop or Azure SAP.

                In the case of role-based certifications, Microsoft offers different levels of certification, such as:

                • Associate: This level is designed for individuals who have some experience in the technology and want to demonstrate their expertise in a specific role.
                • Expert: This level is designed for individuals who have extensive experience in the technology and want to demonstrate their expertise in a specific role.

It is always a good idea to start with the fundamentals certifications, and then move on to the role-based certifications that are relevant to your career goals.

                In the majority of cases, you need associate certifications to get expert certifications.

                Azure Certifications

Here's a summary of the Azure certifications, with the exam each one requires, its description and its URL:

• Azure Administrator Associate (exam AZ-104): The Azure Administrator certification is designed for individuals who want to demonstrate their expertise in managing Azure resources. This certification is ideal for IT professionals who are responsible for implementing, monitoring, and maintaining Azure solutions. https://learn.microsoft.com/en-us/certifications/azure-administrator
• Azure Developer Associate (exam AZ-204): The Azure Developer certification is designed for individuals who want to demonstrate their expertise in developing applications on Azure. This certification is ideal for software developers who want to build and deploy cloud-based applications using Azure services. https://learn.microsoft.com/en-us/certifications/azure-developer
• Azure Data Engineer Associate (exam DP-203): The Azure Data Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing data solutions on Azure. This certification is ideal for data professionals who are responsible for building and maintaining data pipelines and data warehouses on Azure. https://learn.microsoft.com/en-us/certifications/azure-data-engineer
• Azure Database Administrator Associate (exam DP-300): The Azure Database Administrator certification is designed for individuals who want to demonstrate their expertise in managing Azure databases. This certification is ideal for database administrators who are responsible for designing, implementing, and maintaining databases on Azure. https://learn.microsoft.com/en-us/certifications/azure-database-administrator
• DevOps Engineer Expert (exam AZ-400): The Azure DevOps Engineer certification is designed for individuals who want to demonstrate their expertise in implementing DevOps practices on Azure. This certification is ideal for IT professionals who are responsible for building, testing, and deploying applications using Azure DevOps. https://learn.microsoft.com/en-us/certifications/devops-engineer
• Azure Security Engineer Associate (exam AZ-500): The Azure Security Engineer certification is designed for individuals who want to demonstrate their expertise in securing Azure resources. This certification is ideal for IT professionals who are responsible for implementing security controls and monitoring security events on Azure. https://learn.microsoft.com/en-us/certifications/azure-security-engineer
• Azure Network Engineer Associate (exam AZ-700): The Azure Network Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing network solutions on Azure. This certification is ideal for network engineers who are responsible for building and maintaining network infrastructure on Azure. https://learn.microsoft.com/en-us/certifications/azure-network-engineer
• Windows Server Hybrid Administrator Associate (exams AZ-800 and AZ-801): The Windows Server Hybrid Administrator certification is designed for individuals who want to demonstrate their expertise in managing Windows Server resources on Azure. This certification is ideal for IT professionals who are responsible for implementing, monitoring, and maintaining Windows Server solutions on Azure. https://learn.microsoft.com/en-us/certifications/windows-server-hybrid-administrator
• Fabric Analytics Engineer Associate (exam DP-600): The Fabric Analytics Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing analytics solutions on Azure. This certification is ideal for data professionals who are responsible for building and maintaining analytics solutions on Azure. https://learn.microsoft.com/en-us/certifications/fabric-analytics-engineer
• Azure AI Engineer Associate (exam AI-102): The Azure AI Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing AI solutions on Azure. This certification is ideal for data scientists and AI developers who want to build and deploy AI models using Azure services. https://learn.microsoft.com/en-us/certifications/azure-ai-engineer
• Azure Data Scientist Associate (exam DP-100): The Azure Data Scientist certification is designed for individuals who want to demonstrate their expertise in designing and implementing data science solutions on Azure. This certification is ideal for data scientists who are responsible for building and maintaining data science solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-data-scientist
• Azure Enterprise Data Analyst Associate (exam DP-500): The Azure Enterprise Data Analyst certification is designed for individuals who want to demonstrate their expertise in designing and implementing data analysis solutions on Azure. This certification is ideal for data analysts who are responsible for building and maintaining data analysis solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-enterprise-data-analyst
• Azure Solutions Architect Expert (exam AZ-305): The Azure Solutions Architect certification is designed for individuals who want to demonstrate their expertise in designing and implementing solutions on Azure. This certification is ideal for IT professionals who are responsible for designing and implementing cloud-based solutions using Azure services. https://learn.microsoft.com/en-us/certifications/azure-solutions-architect
• Azure for SAP Workloads Specialty (exam AZ-120): The Azure for SAP Workloads certification is designed for individuals who want to demonstrate their expertise in deploying and managing SAP workloads on Azure. This certification is ideal for IT professionals who are responsible for implementing and maintaining SAP solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-for-sap-workloads
                Azure Virtual Desktop Specialty AZ-140 The Azure Virtual Desktop certification is designed for individuals who want to demonstrate their expertise in deploying and managing virtual desktop solutions on Azure. This certification is ideal for IT professionals who are responsible for implementing and maintaining virtual desktop solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-virtual-desktop
                Azure Cosmos DB Developer Specialty DP-420 The Azure Cosmos DB Developer certification is designed for individuals who want to demonstrate their expertise in developing applications that use Azure Cosmos DB. This certification is ideal for software developers who want to build and deploy applications that use Azure Cosmos DB. https://learn.microsoft.com/en-us/certifications/azure-cosmos-db-developer
                Azure Fundamentals AZ-900 The Azure Fundamentals certification is designed for individuals who are new to Azure and want to demonstrate their knowledge of the platform. This certification is a great starting point for anyone who wants to learn more about Azure and how it can help them build and deploy applications in the cloud. https://learn.microsoft.com/en-us/certifications/azure-fundamentals
                Azure AI Fundamentals AI-900 The Azure AI Fundamentals certification is designed for individuals who want to demonstrate their knowledge of AI concepts and how they can be applied to Azure services. This certification is ideal for anyone who wants to learn more about AI and how it can be used to build intelligent applications. https://learn.microsoft.com/en-us/certifications/azure-ai-fundamentals
                Azure Data Fundamentals DP-900 The Azure Data Fundamentals certification is designed for individuals who want to demonstrate their knowledge of data concepts and how they can be applied to Azure services. This certification is ideal for anyone who wants to learn more about data and how it can be used to build data-driven applications. https://learn.microsoft.com/en-us/certifications/azure-data-fundamentals

                You can find more information about Microsoft certifications on the Microsoft Certification Poster and in the Microsoft Learning website.

                \ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

Learning

Microsoft Azure Certifications

Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft technologies. They cover a variety of topics, including Azure, Microsoft 365 (formerly Office 365), Windows Server and more.

Microsoft groups these certifications into categories:

• Infrastructure
• Data and AI
• Digital and app innovation
• Modern work
• Business applications
• Security

Within each category there are three certification levels:

• Fundamentals: for people who are new to the technology and want to demonstrate knowledge of the basics.
• Role-based: for people who want to demonstrate expertise in a specific job role, such as Azure Administrator or Data Engineer.
• Specialty: for people who want to demonstrate expertise in a specific workload or skill, such as Azure Virtual Desktop or SAP on Azure.

Role-based certifications in turn come in two tiers:

• Associate: for people with some hands-on experience in the technology who want to demonstrate expertise in a specific role.
• Expert: for people with extensive experience who want to demonstrate advanced expertise in a specific role.

It is always a good idea to start with a Fundamentals certification and then move on to the role-based certifications that are relevant to your career goals.

Expert certifications normally have an Associate prerequisite: Azure Solutions Architect Expert (AZ-305) requires the Azure Administrator Associate (AZ-104), and DevOps Engineer Expert (AZ-400) requires either AZ-104 or the Azure Developer Associate (AZ-204).

                Azure Certifications

Here's a table summarizing the Azure certifications, the exam(s) each one requires and a short description:

| Certification | Exam required | Description | URL |
| --- | --- | --- | --- |
| Azure Administrator Associate | AZ-104 | Demonstrates expertise in managing Azure resources. Ideal for IT professionals who implement, monitor and maintain Azure solutions. | https://learn.microsoft.com/en-us/certifications/azure-administrator |
| Azure Developer Associate | AZ-204 | Demonstrates expertise in developing applications on Azure. Ideal for software developers who build and deploy cloud-based applications using Azure services. | https://learn.microsoft.com/en-us/certifications/azure-developer |
| Azure Data Engineer Associate | DP-203 | Demonstrates expertise in designing and implementing data solutions on Azure. Ideal for data professionals who build and maintain data pipelines and data warehouses on Azure. | https://learn.microsoft.com/en-us/certifications/azure-data-engineer |
| Azure Database Administrator Associate | DP-300 | Demonstrates expertise in managing Azure databases. Ideal for database administrators who design, implement and maintain databases on Azure. | https://learn.microsoft.com/en-us/certifications/azure-database-administrator |
| DevOps Engineer Expert | AZ-400 | Demonstrates expertise in implementing DevOps practices on Azure. Ideal for IT professionals who build, test and deploy applications using Azure DevOps and GitHub. | https://learn.microsoft.com/en-us/certifications/devops-engineer |
| Azure Security Engineer Associate | AZ-500 | Demonstrates expertise in securing Azure resources. Ideal for IT professionals who implement security controls and monitor security events on Azure. | https://learn.microsoft.com/en-us/certifications/azure-security-engineer |
| Azure Network Engineer Associate | AZ-700 | Demonstrates expertise in designing and implementing network solutions on Azure. Ideal for network engineers who build and maintain network infrastructure on Azure. | https://learn.microsoft.com/en-us/certifications/azure-network-engineer |
| Windows Server Hybrid Administrator Associate | AZ-800 and AZ-801 | Demonstrates expertise in managing Windows Server workloads on-premises, in hybrid configurations and in Azure. Ideal for IT professionals who implement, monitor and maintain Windows Server solutions. | https://learn.microsoft.com/en-us/certifications/windows-server-hybrid-administrator |
| Fabric Analytics Engineer Associate | DP-600 | Demonstrates expertise in designing and implementing analytics solutions with Microsoft Fabric. Ideal for data professionals who build and maintain analytics solutions. | https://learn.microsoft.com/en-us/certifications/fabric-analytics-engineer |
| Azure AI Engineer Associate | AI-102 | Demonstrates expertise in designing and implementing AI solutions on Azure. Ideal for AI developers who build and deploy solutions with Azure AI services. | https://learn.microsoft.com/en-us/certifications/azure-ai-engineer |
| Azure Data Scientist Associate | DP-100 | Demonstrates expertise in designing and implementing data science solutions on Azure. Ideal for data scientists who build and maintain data science solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-data-scientist |
| Azure Enterprise Data Analyst Associate (retired) | DP-500 | Demonstrated expertise in designing and implementing data analysis solutions on Azure. Aimed at data analysts who build and maintain data analysis solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-enterprise-data-analyst |
| Azure Solutions Architect Expert | AZ-305 | Demonstrates expertise in designing solutions on Azure. Ideal for IT professionals who design and implement cloud-based solutions using Azure services. | https://learn.microsoft.com/en-us/certifications/azure-solutions-architect |
| Azure for SAP Workloads Specialty | AZ-120 | Demonstrates expertise in deploying and managing SAP workloads on Azure. Ideal for IT professionals who implement and maintain SAP solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-for-sap-workloads |
| Azure Virtual Desktop Specialty | AZ-140 | Demonstrates expertise in deploying and managing virtual desktop solutions on Azure. Ideal for IT professionals who implement and maintain Azure Virtual Desktop. | https://learn.microsoft.com/en-us/certifications/azure-virtual-desktop |
| Azure Cosmos DB Developer Specialty | DP-420 | Demonstrates expertise in developing applications that use Azure Cosmos DB. Ideal for software developers who build and deploy applications on Azure Cosmos DB. | https://learn.microsoft.com/en-us/certifications/azure-cosmos-db-developer |
| Azure Fundamentals | AZ-900 | For people who are new to Azure and want to demonstrate knowledge of the platform. A good starting point for anyone who wants to learn how Azure can help them build and deploy applications in the cloud. | https://learn.microsoft.com/en-us/certifications/azure-fundamentals |
| Azure AI Fundamentals | AI-900 | Demonstrates knowledge of AI and machine learning concepts and how they map to Azure services. Ideal for anyone who wants to learn how AI can be used to build intelligent applications. | https://learn.microsoft.com/en-us/certifications/azure-ai-fundamentals |
| Azure Data Fundamentals | DP-900 | Demonstrates knowledge of core data concepts and how they map to Azure data services. Ideal for anyone who wants to learn how data can be used to build data-driven applications. | https://learn.microsoft.com/en-us/certifications/azure-data-fundamentals |

You can find more information about Microsoft certifications on the Microsoft Certification Poster and on Microsoft Learn.
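Review bot: both sides of this hunk end with "\ No newline at end of file", and the changed line is the `.gslide-desc` CSS rule with the entire rendered page following it on the same line, so the diff cannot show what actually changed in the content. Emit the built HTML with one element per line (or keep generated output out of the repository) and terminate the file with a newline so content changes are reviewable.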

                \ No newline at end of file diff --git a/blog/category/microsoft-365/index.html b/blog/category/microsoft-365/index.html index 0c1504b..3839e25 100644 --- a/blog/category/microsoft-365/index.html +++ b/blog/category/microsoft-365/index.html @@ -7,7 +7,7 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

                Microsoft 365

                Depurar logs de OneDrive para detectar problemas de sincronización

                Necesitas WSL2

                Para poder seguir este tutorial necesitas tener instalado WSL2 en tu equipo, si no lo tienes, puedes seguir este tutorial Instalar WSL2 en Windows 11 con chocolatey

                Introducción

                Llevo unos días con sync pending en algunos ficheros en mi OneDrive for Business sin ninguna razón aparente, por lo que he decidido investigar un poco y compartir como he resuelto el problema.

                Lo primero es seguir la siguiente documentación de Microsoft que puede ser útil para alguien que tenga problemas de sincronización con OneDrive:

                Fix OneDrive sync problems

                Pero si no funciona, se puede obtener más información de los logs de OneDrive.

                Pasos a seguir

                1. Acceder a los logs de OneDrive

                Para acceder a los logs de OneDrive, se debe seguir los siguientes pasos:

                1. Abrir el Explorador de archivos.
                2. Hacer clic en la flecha hacia arriba en la barra de direcciones.
                3. Pegar la siguiente ruta en la barra de direcciones y presionar Enter:
                %localappdata%\Microsoft\OneDrive\logs\Business1
                +    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

Microsoft 365

Debugging OneDrive logs to find synchronisation problems

You need WSL2

To follow this tutorial you need WSL2 installed on your machine. If you don't have it, follow this tutorial: Install WSL2 on Windows 11 with Chocolatey.

Introduction

For a few days I've had "sync pending" on some files in my OneDrive for Business for no apparent reason, so I decided to investigate a little and share how I resolved the problem.

The first thing to do is follow Microsoft's own documentation, which may be enough for anyone with OneDrive sync problems:

Fix OneDrive sync problems

If that doesn't fix it, the OneDrive logs contain much more detail.

Steps

1. Access the OneDrive logs

To get to the OneDrive logs:

1. Open File Explorer.
2. Click the up arrow in the address bar.
3. Paste the following path in the address bar and press Enter (Business1 for a work or school account, Personal for a personal account):
%localappdata%\Microsoft\OneDrive\logs\Business1
 
%localappdata%\Microsoft\OneDrive\logs\Personal
 

Now select the most recent log files and copy them to a working directory. The files have the extension .odl, .odlgz, .odlsent or .aold. Also copy the ObfuscationStringMap.txt or general.keystore file from the same folder: strings in the logs are obfuscated, and the parser needs one of those files to recover them.
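The log collection step above, as an added PowerShell example that is not part of the original post. It copies the newest log files plus the de-obfuscation file into a working directory instead of picking them by hand; the -Account parameter, the destination folder and the file count are assumptions of this example.

```powershell
# Added example, not from the original post: gather the newest OneDrive logs for
# analysis without working inside the live log folder.
function Copy-OneDriveLogs {
    [CmdletBinding()]
    param(
        [ValidateSet('Business1', 'Personal')]
        [string]$Account = 'Business1',                             # which OneDrive profile to collect
        [string]$Destination = (Join-Path $env:TEMP 'onedrive-logs'), # assumption: a scratch folder you control
        [int]$Newest = 10                                             # how many of the most recent .odl* files to copy
    )

    $logRoot = Join-Path $env:LOCALAPPDATA "Microsoft\OneDrive\logs\$Account"
    if (-not (Test-Path $logRoot)) {
        throw "OneDrive log folder not found: $logRoot"
    }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    # odl.py reads .odl, .odlgz, .odlsent and .aold files; take the most recently
    # written ones so the copy reflects the current sync state.
    $logs = Get-ChildItem -Path $logRoot -File |
        Where-Object { $_.Extension -in '.odl', '.odlgz', '.odlsent', '.aold' } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First $Newest
    $logs | Copy-Item -Destination $Destination

    # Strings in the logs are obfuscated; ObfuscationStringMap.txt (older clients)
    # or general.keystore (newer clients) is needed to recover them.
    $keys = Get-ChildItem -Path $logRoot -File |
        Where-Object { $_.Name -in 'ObfuscationStringMap.txt', 'general.keystore' }
    if (-not $keys) {
        Write-Warning "No ObfuscationStringMap.txt or general.keystore in $logRoot; strings will stay obfuscated."
    }
    $keys | Copy-Item -Destination $Destination

    # Return what was collected so the caller can check it or log it.
    [pscustomobject]@{
        Source      = $logRoot
        Destination = $Destination
        LogFiles    = @($logs.Name)
        KeyFiles    = @($keys.Name)
    }
}

# Collect the five newest Business logs; the returned object lists what was copied.
Copy-OneDriveLogs -Account Business1 -Newest 5
```

Run it from a normal (non-elevated) PowerShell session as the user whose OneDrive is misbehaving, since the logs live under that user's %localappdata%. The copied folder is what you hand to odl.py in the next step.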

2. Install the OneDrive log viewer

To install the OneDrive log parser, download https://raw.githubusercontent.com/ydkhatri/OneDrive/main/odl.py (inside your WSL2 distribution) and install its Python dependencies with the following commands:

                pip3 install pycryptodome
                 pip3 install construct
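Review bot: the `-` and `+` versions of the `.gslide-desc` line in this hunk are identical apart from trailing whitespace after the closing brace on the `+` side, and the whole rendered post follows on that single line, so a reviewer cannot tell which part of the post changed. If the site build is reproducible, a whitespace-only change in generated HTML should not produce a commit at all; if it is not reproducible, that is worth fixing before more of these land.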
                diff --git a/blog/category/security/index.html b/blog/category/security/index.html
                index 0aba924..cded9c5 100644
                --- a/blog/category/security/index.html
                +++ b/blog/category/security/index.html
                @@ -7,7 +7,7 @@
                     .gdesc-inner { font-size: 0.75rem; }
                     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
                     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
                -    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                Security

                Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services

                Today, I'd like to share a brief of a recommended strategy for Privileged Access Management (PAM) of other vendors with Microsoft Entra ID and some Azure Services. This strategy is divided into seven phases:

                
                +    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                Security

                Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services

Today I'd like to share a brief outline of a Privileged Access Management (PAM) strategy, as recommended by other PAM vendors, implemented with Microsoft Entra ID and some Azure services. The strategy is divided into seven phases:

                
                 graph LR;
                     A[Phase 1: Set Policy] 
                     C[Phase 2: The Process of Discovery]
                diff --git a/blog/category/tools/index.html b/blog/category/tools/index.html
                index b350791..210c56e 100644
                --- a/blog/category/tools/index.html
                +++ b/blog/category/tools/index.html
                @@ -7,7 +7,7 @@
                     .gdesc-inner { font-size: 0.75rem; }
                     body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
                     body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
                -    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                Tools

                Enterprise Azure Policy as Code (EPAC)

                Enterprise Azure Policy as Code (EPAC) is a powerful tool that allows organizations to manage Azure Policies as code in a git repository. It's designed for medium and large organizations with a larger number of Policies, Policy Sets, and Assignments, and/or complex deployment scenarios.

                Key Features of EPAC

                • Single and multi-tenant policy deployment: EPAC supports both single and multi-tenant policy deployments, making it versatile for different organizational structures.
                • Easy CI/CD Integration: EPAC can be easily integrated with any CI/CD tool, which makes it a great fit for DevOps environments.
                • Operational scripts: EPAC includes operational scripts to simplify operational tasks.
                • Integration with Azure Landing Zones: EPAC provides a mature integration with Azure Landing Zones. Utilizing Azure Landing Zones together with EPAC is highly recommended.

                Who Should Use EPAC?

                EPAC is designed for medium and large organizations with a larger number of Policies, Policy Sets, and Assignments, and/or complex deployment scenarios. However, smaller organizations implementing fully-automated DevOps deployments of every Azure resource (known as Infrastructure as Code) can also benefit from EPAC.

                How Does EPAC Work?

                EPAC works by deploying all policies and policy assignments defined in the EPAC repository to the deploymentRootScope and its children. It takes possession of all Policy Resources at the deploymentRootScope and its children.

                Alt text

                The process depicted in the image involves three key scripts that manage a deployment sequence. Here's a breakdown of the process:

                1. Definition Files: The process begins with various definition files in JSON, CSV, or XLSX formats. These files contain policy definitions, policy set (initiative) definitions, assignments, exemptions, and global settings.

                2. Planning Script: The Build-DeploymentPlans.ps1 script uses these definition files to create a deployment plan. This script requires Resource Policy Reader privileges.

                3. Deployment Scripts: The deployment plan is then used by two deployment scripts:

                4. Deploy-PolicyPlan.ps1: This script deploys Policy resources using the policy-plan.json file from the deployment plan. It requires Resource Policy Contributor privileges.
                5. Deploy-RolesPlan.ps1: This script deploys Role Assignments using the roles-plan.json file from the deployment plan. It requires User Access Administrator privileges.

                The process includes optional approval gates after each deployment step. These are typically used in production environments to ensure each deployment step is reviewed and approved before moving to the next.

                Warning

                EPAC is a true desired state deployment technology. It takes possession of all Policy Resources at the deploymentRootScope and its children. It will delete any Policy resources not defined in the EPAC repo.

                Conclusion

                EPAC is a robust solution for managing Azure Policies as code. It offers a high level of assurance in highly controlled and sensitive environments, and a means for the development, deployment, management, and reporting of Azure policy at scale.

                References

                Manage Azure Policy GitHub Action

                It's recommended to review:

                Overview

                The Manage Azure Policy GitHub Action empowers you to enforce organizational standards and assess compliance at scale using Azure policies. With this action, you can seamlessly integrate policy management into your CI/CD pipelines, ensuring that your Azure resources adhere to the desired policies.

                Info

                This project does not have received any updates since some time, but it is still a simple option to develop your Azure Policies. As everything cannot be good to say that this deployment method has a major drawback, deletions must be done by hand :S

                Key Features

                1. Customizable Workflows: GitHub workflows are highly customizable. You have complete control over the sequence in which Azure policies are rolled out. This flexibility enables you to follow safe deployment practices and catch regressions or bugs well before policies are applied to critical resources.

                2. Azure Login Integration: The action assumes that you've already authenticated using the Azure Login action. Make sure you've logged in using an Azure service principal with sufficient permissions to write policies on selected scopes. Refer to the full documentation of Azure Login Action for details on permissions.

                3. Policy File Structure: Your policy files should be organized in a specific directory structure within your GitHub repository. Here's how it should look:

                  |- policies/
                  +    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                  Tools

                  Enterprise Azure Policy as Code (EPAC)

Enterprise Azure Policy as Code (EPAC) is a tool that lets organizations manage Azure Policy as code in a git repository. It is designed for medium and large organizations with a large number of Policies, Policy Sets and Assignments, and/or complex deployment scenarios.

                  Key Features of EPAC

                  • Single and multi-tenant policy deployment: EPAC supports both single and multi-tenant policy deployments, making it versatile for different organizational structures.
                  • Easy CI/CD Integration: EPAC can be easily integrated with any CI/CD tool, which makes it a great fit for DevOps environments.
                  • Operational scripts: EPAC includes operational scripts to simplify operational tasks.
                  • Integration with Azure Landing Zones: EPAC provides a mature integration with Azure Landing Zones. Utilizing Azure Landing Zones together with EPAC is highly recommended.

                  Who Should Use EPAC?

                  EPAC is designed for medium and large organizations with a larger number of Policies, Policy Sets, and Assignments, and/or complex deployment scenarios. However, smaller organizations implementing fully-automated DevOps deployments of every Azure resource (known as Infrastructure as Code) can also benefit from EPAC.

                  How Does EPAC Work?

                  EPAC works by deploying all policies and policy assignments defined in the EPAC repository to the deploymentRootScope and its children. It takes possession of all Policy Resources at the deploymentRootScope and its children.

[image: EPAC deployment process diagram]

The process depicted in the image involves three key scripts that run in sequence. Here's a breakdown:

1. Definition files: the process begins with definition files in JSON, CSV or XLSX format. They contain policy definitions, policy set (initiative) definitions, assignments, exemptions and global settings.

2. Planning script: Build-DeploymentPlans.ps1 reads those definition files, compares them with what is currently deployed and produces a deployment plan. It only reads, so Resource Policy Reader is enough.

3. Deployment scripts: the plan is then consumed by two deployment scripts, each running under a different and more privileged identity:
   • Deploy-PolicyPlan.ps1 deploys Policy resources from the policy-plan.json file of the plan. It requires Resource Policy Contributor.
   • Deploy-RolesPlan.ps1 deploys the role assignments that policy managed identities need (for deployIfNotExists and modify effects) from the roles-plan.json file. It requires User Access Administrator.

The process includes optional approval gates after each step. They are typically used in production so that each plan is reviewed and approved before the next, more privileged, step runs; splitting the stages this way also means the planning identity never holds write permissions.

                  Warning

EPAC is a true desired-state deployment technology. It takes possession of all Policy resources at the deploymentRootScope and its children, and it will delete any Policy resource not defined in the EPAC repository. In a brownfield tenant, set desiredState.strategy to ownedOnly in global-settings.jsonc until every existing policy resource has been imported into the repository, and always read the generated plan before approving a deployment.
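The three-stage flow and the warning above, as an added PowerShell example that is not part of the EPAC project. It writes a brownfield-safe global-settings.jsonc, builds the plan, and refuses to deploy unless the operator passes -Approve, which stands in for the approval gate. Assumptions: the EnterprisePolicyAsCode module is installed from the PowerShell Gallery and you are already signed in with the roles named in the text; the pacOwnerId, <tenant-id> and <mg-id> values are placeholders; the "plans-<selector>" plan folder name and the global-settings keys are reproduced from the EPAC schema as I know it and should be checked against the project's documentation.

```powershell
# Added example, not from the EPAC project: plan, gate, then deploy.
function Invoke-EpacPipeline {
    [CmdletBinding()]
    param(
        [string]$Selector        = 'tenant',          # must match pacSelector below
        [string]$DefinitionsRoot = './Definitions',
        [string]$OutputFolder    = './Output',
        [switch]$Approve                               # the "approval gate": nothing deploys without it
    )

    # global-settings.jsonc drives desired-state behaviour. strategy "full" deletes
    # every policy resource under deploymentRootScope that the repo does not define;
    # "ownedOnly" limits deletions to resources EPAC created itself, which is the
    # safe choice while onboarding an existing tenant. Placeholders: pacOwnerId,
    # <tenant-id>, <mg-id>.
    $globalSettings = @'
{
  "pacOwnerId": "11111111-2222-3333-4444-555555555555",
  "pacEnvironments": [
    {
      "pacSelector": "tenant",
      "cloud": "AzureCloud",
      "tenantId": "<tenant-id>",
      "deploymentRootScope": "/providers/Microsoft.Management/managementGroups/<mg-id>",
      "managedIdentityLocation": "westeurope",
      "desiredState": {
        "strategy": "ownedOnly"
      }
    }
  ]
}
'@
    New-Item -ItemType Directory -Path $DefinitionsRoot -Force | Out-Null
    Set-Content -Path (Join-Path $DefinitionsRoot 'global-settings.jsonc') -Value $globalSettings

    # Stage 1 (Resource Policy Reader): build the plan. This never writes to Azure.
    Build-DeploymentPlans -PacEnvironmentSelector $Selector `
        -DefinitionsRootFolder $DefinitionsRoot -OutputFolder $OutputFolder

    $planDir    = Join-Path $OutputFolder "plans-$Selector"   # assumption: EPAC's plan folder name
    $policyPlan = Join-Path $planDir 'policy-plan.json'
    $rolesPlan  = Join-Path $planDir 'roles-plan.json'

    # Gate: tell the operator what is ready for review and stop unless approved.
    foreach ($plan in $policyPlan, $rolesPlan) {
        if (Test-Path $plan) { Write-Host "Plan ready for review: $plan" }
    }
    if (-not $Approve) {
        Write-Warning 'Review the plan files above (look for deletions), then re-run with -Approve to deploy.'
        return
    }

    # Stage 2 (Resource Policy Contributor): policy definitions, sets, assignments, exemptions.
    if (Test-Path $policyPlan) {
        Deploy-PolicyPlan -PacEnvironmentSelector $Selector `
            -DefinitionsRootFolder $DefinitionsRoot -InputFolder $OutputFolder
    }
    # Stage 3 (User Access Administrator): role assignments for policy managed identities.
    if (Test-Path $rolesPlan) {
        Deploy-RolesPlan -PacEnvironmentSelector $Selector `
            -DefinitionsRootFolder $DefinitionsRoot -InputFolder $OutputFolder
    }
}

# First call plans only; a second call with -Approve performs the deployment.
Invoke-EpacPipeline -Selector tenant
```

In a CI/CD pipeline the two calls become two jobs: the planning job runs under a read-only identity and publishes the plan folder as an artifact, and the deployment job downloads it and runs behind the environment's approval, using separate identities for the policy and role stages.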

                  Conclusion

                  EPAC is a robust solution for managing Azure Policies as code. It offers a high level of assurance in highly controlled and sensitive environments, and a means for the development, deployment, management, and reporting of Azure policy at scale.

                  References

                  Manage Azure Policy GitHub Action

                  It's recommended to review:

                  Overview

                  The Manage Azure Policy GitHub Action empowers you to enforce organizational standards and assess compliance at scale using Azure policies. With this action, you can seamlessly integrate policy management into your CI/CD pipelines, ensuring that your Azure resources adhere to the desired policies.

                  Info

This project has not received updates for some time, but it is still a simple option for developing your Azure Policies. Not everything is good news, though: this deployment method has a major drawback, since deletions must be done by hand.

                  Key Features

1. Customizable workflows: GitHub workflows are highly customizable, so you have complete control over the order in which Azure policies are rolled out. That lets you follow safe deployment practices and catch regressions or bugs well before policies reach critical resources.

2. Azure Login integration: the action assumes you have already authenticated with the Azure Login action. Log in with a service principal that has just enough permission to write policies on the selected scopes, and refer to the Azure Login action documentation for the details.

                  3. Policy File Structure: Your policy files should be organized in a specific directory structure within your GitHub repository. Here's how it should look:

                    |- policies/
                        |- <policy1_name>/
                           |- policy.json
                           |- assign.<name1>.json
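Review bot: this hunk carries two complete blog posts on the single changed line, and the `-` and `+` `.gslide-desc` lines differ only in trailing spaces, so nothing in the diff tells a reviewer whether the EPAC text, the Manage Azure Policy text or only the CSS whitespace changed. Pretty-print the generated HTML (or split the category page per post) so content changes can be reviewed line by line.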
                    diff --git a/blog/category/windows/index.html b/blog/category/windows/index.html
                    index 5da06e5..72689da 100644
                    --- a/blog/category/windows/index.html
                    +++ b/blog/category/windows/index.html
                    @@ -7,7 +7,7 @@
                         .gdesc-inner { font-size: 0.75rem; }
                         body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
                         body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
                    -    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                    +    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                    Windows

                    Install WSL2 on Windows 11 with Chocolatey

                    Introduction

                    Windows Subsystem for Linux (WSL) is a Windows 11 feature that lets you run a Linux environment on Windows. WSL2 is the second version of WSL; it ships a full Linux kernel and performs better than WSL1. This walkthrough gives step-by-step instructions for installing WSL2 on Windows 11.

                    Steps

                    1. Install Chocolatey

                    Chocolatey is a package manager for Windows that makes installing and managing software easier. To install Chocolatey, follow these steps:

                    1. Open PowerShell as administrator.

                    2. Run the following command to install Chocolatey:

                    Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
                     
                    3. Wait for the Chocolatey installation to finish.

                    2. Install WSL2

                    To install WSL2 on Windows 11, follow these steps:

                    1. Open PowerShell as administrator.

                    2. Run the following command to install WSL2:

                    choco install wsl2
                     
                    3. Wait for the WSL2 installation to finish.

                    3. Configure WSL2

                    To configure WSL2 on Windows 11, follow these steps:

                    1. Open PowerShell as administrator.

                    2. Run the following command to set WSL2 as the default version:

                    wsl --set-default-version 2
                     
                    3. Restart your computer to apply the changes.

                    4. Install a Linux distribution

                    To install a Linux distribution on WSL2, follow these steps:

                    1. Open PowerShell.

                    2. Look up the Linux distribution you want to install (for example, Ubuntu, Debian, Fedora):

                    wsl --list --online
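Review bot: the `-` and `+` lines both show the same `.gslide-desc` rule, so the visible hunk is a no-op; the real change sits further along this single generated HTML line (the WSL2 install, configuration and distribution steps that follow the Chocolatey command in the new version), which a line-based diff cannot show. Reviewing built HTML is impractical; keep the Markdown source under review and let the build generate these files. In the added text, the "wait for the installation to finish" and "restart your computer" steps are numbered 1. although each follows a step 2., and the Chocolatey one-liner combines `Set-ExecutionPolicy Bypass` with `iex` over a script fetched from chocolatey.org; that is the vendor's documented installer, but the post should at least say to review the downloaded script before executing it in an elevated shell.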
                    diff --git a/blog/index.html b/blog/index.html
                    index a7ac527..e34f23b 100644
                    --- a/blog/index.html
                    +++ b/blog/index.html
                    @@ -7,7 +7,7 @@
                         .gdesc-inner { font-size: 0.75rem; }
                         body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);}
                         body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);}
                    -    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                        +    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                        Blog

                        How to create a Management Group diagram with draw.io

                        I need to create a diagram of the Management Groups in Azure, and I remembered a project that did something similar but with PowerShell: https://github.com/PowerShellToday/new-mgmgroupdiagram.

                        Export your Management Group structure from Azure Portal or ask for it

                        If you can access the Azure Portal, you can export the Management Group structure to a CSV file. To do this, follow these steps:

                        1. Go to the Azure portal.
                        2. Navigate to Management groups.
                        3. Click on Export.
                        4. Save the CSV file to your local machine.

                        If you don't have access to the Azure Portal, you can ask your Azure administrator to export the Management Group structure for you.

                        The file has the following columns:

                        • id: The unique identifier of the Management Group or subscription.
                        • displayName: The name of the Management Group or subscription.
                        • itemType: The type of the item (Management Group or subscription).
                        • path: The path to the Management Group or subscription, that is, its ancestors, ending with its parent.
                        • accessLevel: Your access level.
                        • childSubscriptionCount: The number of child subscriptions at this level.
                        • totalSubscriptionCount: The total number of subscriptions.

                        Create a CSV to be imported into draw.io

                        1. Import the CSV file into Excel and rename the sheet to "Export_Portal".
                        2. Create a second sheet with the following columns:
                          • id: reference to the id in the first sheet
                          • displayName: reference to the displayName in the first sheet
                          • itemType: reference to the itemType in the first sheet
                          • Parent: Use the following formula to get the parent of the current item:
                            =IF(ISERROR(FIND(","; Export_Portal!D2)); Export_Portal!D2; TRIM(RIGHT(SUBSTITUTE(Export_Portal!D2; ","; REPT(" "; LEN(Export_Portal!D2))); LEN(Export_Portal!D2))))
                             
                        3. Export the second sheet to a CSV file.
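As an added example (not from the post), the following Python script does what the Excel sheet does: it reads a constructed portal export, derives Parent with the same rule as the formula above (last comma-separated element of path, or the path itself when it has no comma) and writes the four-column CSV for draw.io. The `# styles:` and `# connect:` header lines are assumptions, since the post's own directives are cut off on the page, and the sample export is constructed.

```python
import csv
import io

# Constructed sample of the portal "Management groups" export described in the post (not a real tenant).
# The path column lists the item's ancestors, comma-separated, ending with its direct parent;
# the tenant root has no ancestors, so its path is assumed empty here.
PORTAL_EXPORT = (
    "id,displayName,itemType,path,accessLevel,childSubscriptionCount,totalSubscriptionCount\n"
    "root-mg,Tenant Root Group,Management Group,,Owner,0,3\n"
    "platform-mg,Platform,Management Group,Tenant Root Group,Owner,0,2\n"
    "lz-mg,Landing Zones,Management Group,Tenant Root Group,Owner,0,1\n"
    'corp-mg,Corp,Management Group,"Tenant Root Group,Landing Zones",Owner,1,1\n'
    '11111111-1111-1111-1111-111111111111,Connectivity,Subscription,"Tenant Root Group,Platform",Owner,0,0\n'
    '22222222-2222-2222-2222-222222222222,Identity,Subscription,"Tenant Root Group,Platform",Owner,0,0\n'
    '33333333-3333-3333-3333-333333333333,Corp App 1,Subscription,"Tenant Root Group,Landing Zones,Corp",Owner,0,0\n'
)

DRAWIO_COLUMNS = ["id", "displayName", "itemType", "Parent"]

# draw.io CSV import directives. The first two are the ones the post shows; the rest are assumed
# (the post's own "# styles:" line is cut off on the page, and "# connect:" is what turns the
# Parent column into edges from the row whose displayName matches).
DRAWIO_HEADER = [
    "# label: %displayName%",
    "# stylename: itemType",
    '# styles: {"Management Group": "label;whiteSpace=wrap;html=1;rounded=1;", '
    '"Subscription": "label;whiteSpace=wrap;html=1;"}',
    '# connect: {"from": "Parent", "to": "displayName", "invert": true, '
    '"style": "endArrow=blockThin;endFill=1;"}',
    "# layout: verticaltree",
    "## CSV data starts below this line",
]


def parent_from_path(path: str) -> str:
    """Mirror of the post's Excel formula: a path without a comma is returned unchanged,
    otherwise the last comma-separated element (the direct parent) is returned, trimmed."""
    if "," not in path:
        return path
    return path.rsplit(",", 1)[1].strip()


def parse_export(portal_csv: str) -> list:
    """Rows of the portal export as dicts, with the derived Parent column added."""
    rows = []
    for row in csv.DictReader(io.StringIO(portal_csv)):
        row["Parent"] = parent_from_path(row["path"])
        rows.append(row)
    return rows


def dangling_parents(portal_csv: str) -> set:
    """Parent values that match no displayName in the export: those rows would import as
    disconnected nodes, which usually means the export (or your access) is incomplete."""
    rows = parse_export(portal_csv)
    names = {r["displayName"] for r in rows}
    return {r["Parent"] for r in rows if r["Parent"] and r["Parent"] not in names}


def build_drawio_csv(portal_csv: str) -> str:
    """The CSV that step 3 of the post exports from the second sheet, with the draw.io header."""
    out = io.StringIO()
    out.write("\n".join(DRAWIO_HEADER) + "\n")
    writer = csv.DictWriter(out, fieldnames=DRAWIO_COLUMNS, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(parse_export(portal_csv))
    return out.getvalue()


if __name__ == "__main__":
    print(build_drawio_csv(PORTAL_EXPORT))
    print("dangling parents:", dangling_parents(PORTAL_EXPORT) or "none")
```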

                        Import the CSV file into draw.io

                        1. Go to draw.io and create a new diagram.
                        2. Click on Arrange > Insert > Advanced > CSV.
                        3. Insert the header for the columns: id, displayName, itemType, Parent:

                              #label: %displayName%
                               #stylename: itemType
                               #styles: {"Management Group": "label;image=img/lib/azure2/general/Management_Groups.svg;whiteSpace=wrap;html=1;rounded=1; fillColor=%fill%;strokeColor=#6c8ebf;fillColor=#dae8fc;points=[[0.5,0,0,0,0],[0.5,1,0,0,0]];",\
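Review bot: as in the previous file, the `-` and `+` lines differ only somewhere after the `.gslide-desc` rule on a one-line generated HTML body, so the actual content change (the draw.io post) cannot be reviewed as a diff; the `#styles:` directive is also cut off at `,\`, so the subscription style and the `#connect:` directive that draws the Parent edges are not visible here. In the post text, two things would help readers: the Parent formula keys on column D (`path`) of the Export_Portal sheet, which should be said explicitly, and its `;` argument separators are for a European Excel locale (use `,` elsewhere), otherwise the formula is rejected.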
                          @@ -138,7 +138,173 @@
                                   D --> H[Online]
                                   E --> I[Connectivity]
                                   E --> J[Identity]
                          -        E --> K[Management]

                          😄

                          References

                          • https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups
                          • https://learn.microsoft.com/en-us/azure/governance/management-groups/overview

                        Renaming of the Microsoft Defender for Cloud service tiers

                        It is not news, but I would like to recall that Microsoft has renamed the service tiers of Microsoft Defender for Cloud. The table below lists the previous and the new names of the Microsoft Defender for Cloud service tiers:

                        PREVIOUS tier-2 service name    NEW tier-2 service name         Service tier 4 (unchanged)
                        Advanced Data Security          Microsoft Defender for Cloud    Defender for SQL
                        Advanced Threat Protection      Microsoft Defender for Cloud    Defender for container registries
                        Advanced Threat Protection      Microsoft Defender for Cloud    Defender for DNS
                        Advanced Threat Protection      Microsoft Defender for Cloud    Defender for Key Vault
                        Advanced Threat Protection      Microsoft Defender for Cloud    Defender for Kubernetes
                        Advanced Threat Protection      Microsoft Defender for Cloud    Defender for MySQL
                        Advanced Threat Protection      Microsoft Defender for Cloud    Defender for PostgreSQL
                        Advanced Threat Protection      Microsoft Defender for Cloud    Defender for Resource Manager
                        Advanced Threat Protection      Microsoft Defender for Cloud    Defender for Storage
                        Azure Defender                  Microsoft Defender for Cloud    Defender External Attack Surface Management
                        Azure Defender                  Microsoft Defender for Cloud    Defender for Azure Cosmos DB
                        Azure Defender                  Microsoft Defender for Cloud    Defender for Containers
                        Azure Defender                  Microsoft Defender for Cloud    Defender for MariaDB
                        Security Center                 Microsoft Defender for Cloud    Defender for App Service
                        Security Center                 Microsoft Defender for Cloud    Defender for Servers
                        Security Center                 Microsoft Defender for Cloud    Defender Cloud Security Posture Management

                        Azure Network, Hub-and-Spoke Topology

                        Hub and Spoke is a network topology where a central Hub is connected to multiple Spokes. The Hub acts as a central point of connectivity and control, while the Spokes are isolated networks that connect to the Hub. This topology is common in Azure to simplify the connectivity and management of virtual networks.

                        graph TD
                        +    HUB(("Central Hub"))
                        +    SPOKE1[Spoke1]
                        +    SPOKE2[Spoke2]
                        +    SPOKE3[Spoke3]
                        +    SPOKEN[Spoke...]
                        +    HUB --- SPOKE1
                        +    HUB --- SPOKE2
                        +    HUB --- SPOKE3
                        +    HUB --- SPOKEN

                        Key Features of the Hub and Spoke Topology

                        1. Centralized Connectivity: The Hub centralizes the connectivity between the Spoke networks. This simplifies the administration and maintenance of the network.

                        2. Traffic Control: The Hub acts as a traffic control point between the Spoke networks. This allows for centralized application of security and routing policies.

                        3. Scalability: The Hub and Spoke topology is highly scalable and can grow to meet the organization's connectivity needs.

                        4. Resilience: The Hub and Spoke topology provides redundancy and resilience in case of network failures.

                        How to Use the Hub and Spoke Topology in Azure

                        To implement the Hub and Spoke topology in Azure, follow these steps:

                        # Step 1: Create a virtual network for the Hub
                        +az network vnet create --name HubVnet --resource-group MyResourceGroup --location eastus --address-prefix
                        +
                        +# Step 2: Create virtual networks for the Spokes
                        +az network vnet create --name Spoke1Vnet --resource-group MyResourceGroup --location eastus --address-prefix
                        +az network vnet create --name Spoke2Vnet --resource-group MyResourceGroup --location eastus --address-prefix
                        +az network vnet create --name Spoke3Vnet --resource-group MyResourceGroup --location eastus --address-prefix
                        +
                        +# Step 3: Connect the Spokes to the Hub
                        +az network vnet peering create --name Spoke1ToHub --resource-group MyResourceGroup --vnet-name Spoke1Vnet --remote-vnet HubVnet --allow-vnet-access
                        +az network vnet peering create --name Spoke2ToHub --resource-group MyResourceGroup --vnet-name Spoke2Vnet --remote-vnet HubVnet --allow-vnet-access
                        +az network vnet peering create --name Spoke3ToHub --resource-group MyResourceGroup --vnet-name Spoke3Vnet --remote-vnet HubVnet --allow-vnet-access
                        +
                        +# Step 4: Configure routing between the Hub and the Spokes
                        +az network vnet peering update --name Spoke1ToHub --resource-group MyResourceGroup --vnet-name Spoke1Vnet --set virtualNetworkGateway:AllowGatewayTransit=true
                        +az network vnet peering update --name Spoke2ToHub --resource-group MyResourceGroup --vnet-name Spoke2Vnet --set virtualNetworkGateway:AllowGatewayTransit=true
                        +az network vnet peering update --name Spoke3ToHub --resource-group MyResourceGroup --vnet-name Spoke3Vnet --set virtualNetworkGateway:AllowGatewayTransit=true
                        +
                        +# Step 5: Configure routing in the Hub
                        +az network vnet peering update --name HubToSpoke1 --resource-group MyResourceGroup --vnet-name HubVnet --set virtualNetworkGateway:UseRemoteGateways=true
                        +az network vnet peering update --name HubToSpoke2 --resource-group MyResourceGroup --vnet-name HubVnet --set virtualNetworkGateway:UseRemoteGateways=true
                        +az network vnet peering update --name HubToSpoke3 --resource-group MyResourceGroup --vnet-name HubVnet --set virtualNetworkGateway:UseRemoteGateways=true
                        +

                        Variant of the Hub and Spoke Topology

                        A variant of the Hub and Spoke topology is Hub and Spoke with peering between Spokes, which is generally used to allow direct connectivity between Spoke networks without going through the Hub. This can be useful where direct Spoke-to-Spoke connectivity is required, for example for data replication or application-to-application communication.

                        graph TD
                        +    HUB(("Central Hub"))
                        +    SPOKE1[Spoke1]
                        +    SPOKE2[Spoke2]
                        +    SPOKE3[Spoke3]
                        +    SPOKEN[Spoke...]
                        +    HUB --- SPOKE1
                        +    HUB --- SPOKE2
                        +    HUB --- SPOKE3
                        +    HUB --- SPOKEN
                        +    SPOKE1 -.- SPOKE2    

                        In this case the Spoke networks are connected to each other directly via virtual network peering, for example:

                        # Connect Spoke1 to Spoke2
                        +az network vnet peering create --name Spoke1ToSpoke2 --resource-group MyResourceGroup --vnet-name Spoke1Vnet --remote-vnet Spoke2Vnet --allow-vnet-access
                        +

                        Scalability and Performance

                        The Hub and Spoke topology in Azure is highly scalable and can handle thousands of virtual networks and subnets. In terms of performance, the Hub and Spoke topology provides efficient and low-latency connectivity between the Spoke networks and the Hub.

                        Security and Compliance

                        The Hub and Spoke topology in Azure provides centralized control over network security and compliance. Security and routing policies can be applied centrally at the Hub, ensuring consistency and compliance with the organization's network policies.

                        Monitoring and Logging

                        Use Network Watcher to monitor and diagnose network problems in the Hub and Spoke topology. Network Watcher provides the following tools:

                        • Monitoring
                          • Topology view shows you the resources in your virtual network and the relationships between them.
                          • Connection monitor allows you to monitor connectivity and latency between endpoints within and outside of Azure.
                        • Network diagnostic tools
                          • IP flow verify helps you detect traffic filtering issues at the virtual machine level.
                          • NSG diagnostics helps you detect traffic filtering issues at the virtual machine, virtual machine scale set, or application gateway level.
                          • Next hop helps you verify traffic routes and detect routing issues.
                          • Connection troubleshoot enables a one-time check of connectivity and latency between a virtual machine and the Bastion host, application gateway, or another virtual machine.
                          • Packet capture allows you to capture traffic from your virtual machine.
                          • VPN troubleshoot runs multiple diagnostic checks on your gateways and VPN connections to help debug issues.
                        • Traffic

                        Virtual network flow logs, released recently, allow you to monitor network traffic in Azure virtual networks.

                        Use Cases and Examples

                        The Hub and Spoke topology is ideal for organizations that require centralized connectivity and traffic control between multiple virtual networks in Azure. For example, an organization with multiple branches or departments can use the Hub and Spoke topology to securely and efficiently connect their virtual networks in the cloud.

                        Best Practices and Tips

                        When implementing the Hub and Spoke topology in Azure, it is recommended to follow these best practices:

                        • Security: Apply consistent security policies at the Hub and Spokes to ensure network protection.
                        • Resilience: Configure redundancy and resilience in the topology to ensure network availability in case of failures.
                        • Monitoring: Use monitoring tools like Azure Monitor to monitor network traffic and detect potential performance issues.

                        Conclusion

                        The Hub and Spoke topology is an effective way to simplify the connectivity and management of virtual networks in Azure. It provides centralized control over network connectivity and traffic, making it easier to implement security and routing policies consistently across the network. By following the recommended best practices and tips, organizations can make the most of the Hub and Spoke topology to meet their cloud connectivity needs.

                        References

                        Azure Role-Based Access Control (RBAC)

                        Azure Role-Based Access Control (RBAC) is a system that provides fine-grained access management of resources in Azure. This allows administrators to grant only the amount of access that users need to perform their jobs.

                        Overview

                        In Azure RBAC, you can assign roles to user accounts, groups, service principals, and managed identities at different scopes. The scope could be a management group, subscription, resource group, or a single resource.

                        Here are some key terms you should know:

                        • Role: A collection of permissions. For example, the "Virtual Machine Contributor" role allows the user to create and manage virtual machines.
                        • Scope: The set of resources that the access applies to.
                        • Assignment: The act of granting a role to a security principal at a particular scope.

                        Built-in Roles

                        Azure provides several built-in roles that you can assign to users, groups, service principals, and managed identities. Here are a few examples:

                        • Owner: Has full access to all resources including the right to delegate access to others.
                        • Contributor: Can create and manage all types of Azure resources but can’t grant access to others.
                        • Reader: Can view existing Azure resources.

                        For example, this is the definition of the built-in Contributor role; its NotActions block is what keeps it from granting access to others:
                        {
                        +  "Name": "Contributor",
                        +  "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
                        +  "IsCustom": false,
                        +  "Description": "Lets you manage everything except access to resources.",
                        +  "Actions": [
                        +    "*"
                        +  ],
                        +  "NotActions": [
                        +    "Microsoft.Authorization/*/Delete",
                        +    "Microsoft.Authorization/*/Write",
                        +    "Microsoft.Authorization/elevateAccess/Action"
                        +  ],
                        +  "DataActions": [],
                        +  "NotDataActions": [],
                        +  "AssignableScopes": [
                        +    "/"
                        +  ]
                        +}
                        +

                        Custom Roles

                        If the built-in roles don't meet your specific needs, you can create your own custom roles. Just like built-in roles, you can assign permissions to custom roles and then assign those roles to users.
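As an added example (not from the post), the following Python models how Azure evaluates a role definition's Actions and NotActions for a control-plane operation, using the Contributor definition shown above and two constructed custom roles; `role_allows` and `can_delegate_access` are hypothetical helpers, and the check shows why a custom role copied from Contributor without its NotActions block can hand out role assignments.

```python
import re

# Constructed copy of the Actions/NotActions of the Contributor definition shown in the post.
CONTRIBUTOR = {
    "Name": "Contributor",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}

# Hypothetical custom role written as "Contributor without the NotActions" (constructed example).
OVERBROAD_CUSTOM_ROLE = {"Name": "App Team Admin", "Actions": ["*"], "NotActions": []}

# Hypothetical least-privilege custom role for operating VMs (constructed example).
VM_OPERATOR = {
    "Name": "VM Operator",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
    ],
    "NotActions": [],
}

# Control-plane operations that let a principal grant itself or others more access.
ACCESS_GRANTING_OPERATIONS = (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/elevateAccess/action",
)


def _matches(pattern: str, operation: str) -> bool:
    """Azure action strings: '*' matches any run of characters, '/' included, case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_allows(role: dict, operation: str) -> bool:
    """Permission evaluation for one role: the operation must match an Actions entry and no
    NotActions entry. NotActions only subtract from this role's Actions; they are not a deny,
    so another role assignment on the same principal can still grant the operation."""
    allowed = any(_matches(p, operation) for p in role.get("Actions", []))
    denied = any(_matches(p, operation) for p in role.get("NotActions", []))
    return allowed and not denied


def can_delegate_access(role: dict) -> list:
    """Access-granting operations the role permits; an empty list means it cannot delegate access.
    Run this over custom role definitions before assigning them at subscription scope or above."""
    return [op for op in ACCESS_GRANTING_OPERATIONS if role_allows(role, op)]


if __name__ == "__main__":
    for role in (CONTRIBUTOR, OVERBROAD_CUSTOM_ROLE, VM_OPERATOR):
        print(role["Name"], "->", can_delegate_access(role) or "cannot delegate access")
```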

                        Conclusion

                        Azure RBAC is a powerful tool for managing access to your Azure resources. By understanding its core concepts and how to apply them, you can ensure that users have the appropriate level of access for their job.

                        How to create assignment Reports for Azure RBAC

                        Role-Based Access Control (RBAC) is a key feature of Azure that allows you to manage access to Azure resources. With RBAC, you can grant permissions to users, groups, and applications at a certain scope, such as a subscription, resource group, or resource. RBAC uses role assignments to determine what actions a user, group, or application can perform on a resource.

                        In this article, we will show you how to create reports for role assignments in Azure using PowerShell and the ImportExcel module. We will generate separate Excel files for role assignments at the subscription and management group levels, including information such as the role, principal, scope, and whether the assignment is inherited.

                        This is the PowerShell script that generates the role assignment reports:

                        # Parameters setup
                        +param (
                        +    [Parameter(Mandatory=$false)]
                        +    [string]$SubscriptionId,
                        +
                        +    [Parameter(Mandatory=$false)]
                        +    [string]$ManagementGroupName,
                        +
                        +    [Parameter(Mandatory=$false)]
                        +    [bool]$GetSubscriptions = $false,
                        +
                        +    [Parameter(Mandatory=$false)]
                        +    [bool]$GetManagementGroups = $true
                        +)
                        +
                        +
                        +# Install the ImportExcel module if not already installed
                        +if (!(Get-Module -ListAvailable -Name ImportExcel)) {
                        +    Install-Module -Name ImportExcel -Scope CurrentUser
                        +}
                        +
                        +# Define the path to your Excel file for Managing Group role assignments
                        +$managementGroupPath = ".\AzRoleAssignmentMg.xlsx"
                        +# Define the path to your Excel file for Subscription role assignments
                        +$subscriptionPath = ".\AzRoleAssignmentSub.xlsx"
                        +
                        +# Initialize an empty array to hold all role assignments
                        +$subscriptionRoleAssignments = @()
                        +$managementGroupRoleAssignments = @()
                        +
                        +# Get all management groups
                        +$managementGroups = Get-AzManagementGroup
                        +
                        +# Loop through each management group
                        +foreach ($mg in $managementGroups) {
                        +    # Get role assignments for the current management group
                        +    $roleAssignments = Get-AzRoleAssignment -Scope "/providers/Microsoft.Management/managementGroups/$($mg.Name)"
                        +
                        +    # Add these role assignments to the management group role assignments array
                        +    $managementGroupRoleAssignments += $roleAssignments
                        +
                        +    # Add 'GroupName' and 'IsInherited' properties to each role assignment object
                        +    $roleAssignments | ForEach-Object { 
                        +        $_ | Add-Member -NotePropertyName 'GroupDisplayName' -NotePropertyValue $mg.DisplayName
                        +        $_ | Add-Member -NotePropertyName 'GroupName' -NotePropertyValue $mg.Name 
                        +        # If the Scope of the role assignment is equal to the Id of the management group,
                        +        # then the role assignment is not inherited; otherwise, it is inherited.
                        +        if ($_.Scope -eq $mg.Id) {
                        +            $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $false
                        +        } else {
                        +            $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $true
                        +        }
                        +    }
                        +
                        +    # Export the role assignments to a new sheet in the Excel file
                        +    $roleAssignments | Export-Excel -Path $managementGroupPath -WorksheetName $mg.DisplayName -AutoSize -AutoFilter
                        +}
                        +
                        +if ($GetSubscriptions) {   
                        +    # Check if SubscriptionId is provided
                        +    if ($SubscriptionId) {
                        +        # Get role assignments for the specified subscription
                        +        $roleAssignments = Get-AzRoleAssignment -Scope "/subscriptions/$SubscriptionId"
                        +
                        +        # Add these role assignments to the subscription role assignments array
                        +        $subscriptionRoleAssignments += $roleAssignments
                        +
                        +        # Add 'SubscriptionName' and 'IsInherited' properties to each role assignment object
                        +        $roleAssignments | ForEach-Object { 
                        +            $_ | Add-Member -NotePropertyName 'SubscriptionName' -NotePropertyValue (Get-AzSubscription -SubscriptionId $SubscriptionId).Name 
                        +            $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $false
                        +        }
                        +
                        +        # Export the role assignments to a new sheet in the Excel file
                        +        $roleAssignments | Export-Excel -Path $subscriptionPath -WorksheetName (Get-AzSubscription -SubscriptionId $SubscriptionId).Name -AutoSize -AutoFilter
                        +    } else {
                        +        # Get all subscriptions
                        +        $subscriptions = Get-AzSubscription
                        +
                        +        # Loop through each subscription
                        +        foreach ($sub in $subscriptions) {
                        +            # Get role assignments for the current subscription
                        +            $roleAssignments = Get-AzRoleAssignment -Scope "/subscriptions/$($sub.SubscriptionId)"
                        +
                        +            # Add these role assignments to the subscription role assignments array
                        +            $subscriptionRoleAssignments += $roleAssignments
                        +
                        +            # Add 'SubscriptionName' and 'IsInherited' properties to each role assignment object
                        +            $roleAssignments | ForEach-Object { 
                        +                $_ | Add-Member -NotePropertyName 'SubscriptionName' -NotePropertyValue $sub.Name
                        +                 # If the Scope of the role assignment is equal to the subscription Id,
                        +                 # then the role assignment is not inherited; otherwise, it is inherited.
                        +                if ($_.Scope -eq "/subscriptions/$($sub.Id)") {
                        +                    $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $false
                        +                } else {
                        +                    $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $true                }
                        +
                        +            }
                        +
                        +            # Export the role assignments to a new sheet in the Excel file
                        +            $roleAssignments | Export-Excel -Path $subscriptionPath -WorksheetName $sub.Name -AutoSize -AutoFilter
                        +        }
                        +    }
                        +}
                        +
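Review bot: the single-subscription branch hard-codes `IsInherited` to `$false` (the second `Add-Member` inside `if ($SubscriptionId)`), while the all-subscriptions branch derives it from the scope. `Get-AzRoleAssignment -Scope "/subscriptions/..."` also returns assignments inherited from management groups and the tenant root, so a single-subscription export would label inherited Owner/Contributor grants as local. Reuse the same test in that branch: `if ($_.Scope -eq "/subscriptions/$SubscriptionId") { ... $false } else { ... $true }`. Two smaller points in the loop: the comparison uses `$sub.Id` while the `Get-AzRoleAssignment` call uses `$sub.SubscriptionId` (both carry the subscription GUID on the object `Get-AzSubscription` returns, but pick one), and the closing brace of the `else` block has drifted onto the `$true` line. Also resolve `Get-AzSubscription -SubscriptionId $SubscriptionId` once into a variable before the `ForEach-Object` rather than once per role assignment and again for the worksheet name.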

                        Microsoft Defender for Cloud service tier renaming

                        This is not new, but it is worth recalling that Microsoft has renamed the Microsoft Defender for Cloud service tiers. The table below lists the previous and the new names of the Microsoft Defender for Cloud service tiers:

                        | PREVIOUS service tier 2 name | NEW service tier 2 name | Service tier 4 (no change) |
                        |---|---|---|
                        | Advanced Data Security | Microsoft Defender for Cloud | Defender for SQL |
                        | Advanced Threat Protection | Microsoft Defender for Cloud | Defender for container registries |
                        | Advanced Threat Protection | Microsoft Defender for Cloud | Defender for DNS |
                        | Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Key Vault |
                        | Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Kubernetes |
                        | Advanced Threat Protection | Microsoft Defender for Cloud | Defender for MySQL |
                        | Advanced Threat Protection | Microsoft Defender for Cloud | Defender for PostgreSQL |
                        | Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Resource Manager |
                        | Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Storage |
                        | Azure Defender | Microsoft Defender for Cloud | Defender External Attack Surface Management |
                        | Azure Defender | Microsoft Defender for Cloud | Defender for Azure Cosmos DB |
                        | Azure Defender | Microsoft Defender for Cloud | Defender for Containers |
                        | Azure Defender | Microsoft Defender for Cloud | Defender for MariaDB |
                        | Security Center | Microsoft Defender for Cloud | Defender for App Service |
                        | Security Center | Microsoft Defender for Cloud | Defender for Servers |
                        | Security Center | Microsoft Defender for Cloud | Defender Cloud Security Posture Management |

                        Azure Policy useful queries

                        Policy assignments and information about each of its respective definitions

                        // Policy assignments and information about each of its respective definitions
                         // Gets policy assignments in your environment with the respective assignment name,definition associated, category of definition (if applicable), as well as whether the definition type is an initiative or a single policy.
                         
                         policyResources
                        @@ -211,25 +377,4 @@
                         $destination = "https://$storageAccount.blob.core.windows.net/\$web/myFile.txt"
                         azcopy login --identity
                         azcopy copy $source $destination
                        -
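Review bot: the `\$web` in the `$destination` line (first context line of this hunk) only escapes the dollar sign if the snippet is run under bash or sh. In PowerShell the backslash is an ordinary character and `$web` is expanded as an (undefined) variable, so the URL becomes `https://<account>.blob.core.windows.net/\/myFile.txt`. If this is meant for PowerShell, as the other scripts on the page are, write `` `$web `` or build the URL with single quotes and concatenation; if it is a bash snippet, state that next to the block so readers do not paste it into pwsh.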

                        Now you can check the file in the static website of the storage account.

                        Azure ARC

                        Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running on-premises, at the edge, or in multi-cloud environments using the same Azure management tools, security, and compliance policies that you use in Azure. Azure ARC enables you to manage and govern your resources consistently across all environments, providing a unified control plane for your hybrid cloud infrastructure. Let's explore how Azure ARC works and how you can leverage it to manage your resources effectively.

                        Azure ARC Overview

                        As summarized above, Azure ARC extends Azure management to resources running outside Azure, so the same Azure management tools, security, and compliance policies apply to on-premises, multi-cloud, and edge environments. It provides a unified control plane for those resources, letting you govern them consistently.

                        Azure ARC enables you to:

                        • Manage resources: Azure ARC allows you to manage resources running on-premises, at the edge, or in multi-cloud environments using Azure management tools like Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                        • Governance: Azure ARC provides a unified control plane for managing and governing resources across all environments, enabling you to enforce security and compliance policies consistently.
                        • Security: Azure ARC extends Azure security capabilities to resources running outside of Azure, enabling you to protect your resources with Azure security features like Azure Security Center and Azure Defender (both now part of Microsoft Defender for Cloud).
                        • Compliance: Azure ARC enables you to enforce compliance policies across all environments, ensuring that your resources meet regulatory requirements and organizational standards.

                        Azure ARC Components

                        Azure ARC consists of the following components:

                        • Azure ARC-enabled servers: Azure ARC-enabled servers allow you to manage and govern servers running on-premises or at the edge using Azure management tools. You can connect your servers to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                        • Azure ARC-enabled Kubernetes clusters: Azure ARC-enabled Kubernetes clusters allow you to manage and govern Kubernetes clusters running on-premises or in other clouds using Azure management tools. You can connect your Kubernetes clusters to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                        • Azure ARC-enabled data services: Azure ARC-enabled data services allow you to manage and govern data services running on-premises or in other clouds using Azure management tools. You can connect your data services to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                        • SQL Server enabled by Azure Arc: SQL Server enabled by Azure Arc allows you to run SQL Server on any infrastructure using Azure management tools. You can connect your SQL Server instances to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                        • Azure Arc-enabled private clouds: the Azure Arc resource bridge hosts the other components (custom locations, cluster extensions, and other Azure Arc agents) needed to deliver Arc functionality on the private cloud infrastructures it supports.

                        Azure ARC Use Cases

                        Azure ARC can be used in a variety of scenarios to manage and govern resources across on-premises, multi-cloud, and edge environments. Some common use cases for Azure ARC include:

                        • Hybrid cloud management: Azure ARC enables you to manage resources consistently across on-premises, multi-cloud, and edge environments using the same Azure management tools and policies.
                        • Security and compliance: Azure ARC allows you to enforce security and compliance policies consistently across all environments, ensuring that your resources meet regulatory requirements and organizational standards.
                        • Resource governance: Azure ARC provides a unified control plane for managing and governing resources across all environments, enabling you to enforce policies and monitor resource health and performance.
                        • Application modernization: Azure ARC enables you to manage and govern Kubernetes clusters and data services running on-premises or in other clouds, allowing you to modernize your applications and infrastructure.

                        Getting Started with Azure ARC

                        To get started with Azure ARC, you need to:

                        1. Connect your resources: Connect your servers, Kubernetes clusters, or data services to Azure ARC using the Azure ARC agent.
                        2. Manage your resources: Use Azure management tools like Azure Policy, Azure Monitor, and Microsoft Defender for Cloud to manage and govern your resources consistently across all environments.
                        3. Enforce security and compliance: Use Azure security features like Microsoft Defender for Cloud to protect your resources and enforce security and compliance policies.

                        By leveraging Azure ARC, you can manage and govern your resources consistently across on-premises, multi-cloud, and edge environments, providing a unified control plane for your hybrid cloud infrastructure. Azure ARC enables you to enforce security and compliance policies consistently, ensuring that your resources meet regulatory requirements and organizational standards.

                        Conclusion

                        Azure ARC is a powerful service that extends Azure management capabilities to any infrastructure, enabling you to manage and govern resources consistently across on-premises, multi-cloud, and edge environments. By leveraging Azure ARC, you can enforce security and compliance policies consistently, ensuring that your resources meet regulatory requirements and organizational standards. Azure ARC provides a unified control plane for managing and governing resources, enabling you to manage your hybrid cloud infrastructure effectively.

                        For more information on Azure ARC, visit the Azure ARC documentation.

                        Microsoft Azure Certifications

                        Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft technologies. These certifications cover a variety of topics, including Azure, Office 365, Windows Server, and more.

                        Microsoft divides these certifications into different categories, such as:

                        • Infrastructure
                        • Data and AI
                        • Digital app and innovation
                        • Modern work
                        • Business applications
                        • Security

                        Inside of each category, you can find different certification levels:

                        • Fundamentals: This level is designed for individuals who are new to the technology and want to demonstrate their knowledge of the basics.
                        • Role-based: This level is designed for individuals who want to demonstrate their expertise in a specific role, such as Azure Administrator or Data Engineer.
                        • Specialty: This level is designed for individuals who want to demonstrate their expertise in a specific skill, such as Azure Virtual Desktop or Azure SAP.

                        In the case of role-based certifications, Microsoft offers different levels of certification, such as:

                        • Associate: This level is designed for individuals who have some experience in the technology and want to demonstrate their expertise in a specific role.
                        • Expert: This level is designed for individuals who have extensive experience in the technology and want to demonstrate their expertise in a specific role.

                        It is always a good idea to start with the fundamentals certifications and then move on to the role-based certifications that are relevant to your career goals.

                        In the majority of cases, you need associate certifications to get expert certifications.

                        Azure Certifications

                        Here's a table summarizing the Azure Certifications and their description:

                        | Certification | Exam required | Description | URL |
                        |---|---|---|---|
                        | Azure Administrator Associate | AZ-104 | The Azure Administrator certification is designed for individuals who want to demonstrate their expertise in managing Azure resources. This certification is ideal for IT professionals who are responsible for implementing, monitoring, and maintaining Azure solutions. | https://learn.microsoft.com/en-us/certifications/azure-administrator |
                        | Azure Developer Associate | AZ-204 | The Azure Developer certification is designed for individuals who want to demonstrate their expertise in developing applications on Azure. This certification is ideal for software developers who want to build and deploy cloud-based applications using Azure services. | https://learn.microsoft.com/en-us/certifications/azure-developer |
                        | Azure Data Engineer Associate | DP-203 | The Azure Data Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing data solutions on Azure. This certification is ideal for data professionals who are responsible for building and maintaining data pipelines and data warehouses on Azure. | https://learn.microsoft.com/en-us/certifications/azure-data-engineer |
                        | Azure Database Administrator Associate | DP-300 | The Azure Database Administrator certification is designed for individuals who want to demonstrate their expertise in managing Azure databases. This certification is ideal for database administrators who are responsible for designing, implementing, and maintaining databases on Azure. | https://learn.microsoft.com/en-us/certifications/azure-database-administrator |
                        | DevOps Engineer Expert | AZ-400 | The Azure DevOps Engineer certification is designed for individuals who want to demonstrate their expertise in implementing DevOps practices on Azure. This certification is ideal for IT professionals who are responsible for building, testing, and deploying applications using Azure DevOps. | https://learn.microsoft.com/en-us/certifications/devops-engineer |
                        | Azure Security Engineer Associate | AZ-500 | The Azure Security Engineer certification is designed for individuals who want to demonstrate their expertise in securing Azure resources. This certification is ideal for IT professionals who are responsible for implementing security controls and monitoring security events on Azure. | https://learn.microsoft.com/en-us/certifications/azure-security-engineer |
                        | Azure Network Engineer Associate | AZ-700 | The Azure Network Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing network solutions on Azure. This certification is ideal for network engineers who are responsible for building and maintaining network infrastructure on Azure. | https://learn.microsoft.com/en-us/certifications/azure-network-engineer |
                        | Windows Server Hybrid Administrator Associate | AZ-800, AZ-801 | The Windows Server Hybrid Administrator certification is designed for individuals who want to demonstrate their expertise in managing Windows Server resources on Azure. This certification is ideal for IT professionals who are responsible for implementing, monitoring, and maintaining Windows Server solutions on Azure. | https://learn.microsoft.com/en-us/certifications/windows-server-hybrid-administrator |
                        | Fabric Analytics Engineer Associate | DP-600 | The Fabric Analytics Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing analytics solutions on Azure. This certification is ideal for data professionals who are responsible for building and maintaining analytics solutions on Azure. | https://learn.microsoft.com/en-us/certifications/fabric-analytics-engineer |
                        | Azure AI Engineer Associate | AI-102 | The Azure AI Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing AI solutions on Azure. This certification is ideal for data scientists and AI developers who want to build and deploy AI models using Azure services. | https://learn.microsoft.com/en-us/certifications/azure-ai-engineer |
                        | Azure Data Scientist Associate | DP-100 | The Azure Data Scientist certification is designed for individuals who want to demonstrate their expertise in designing and implementing data science solutions on Azure. This certification is ideal for data scientists who are responsible for building and maintaining data science solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-data-scientist |
                        | Azure Enterprise Data Analyst Associate | DP-500 | The Azure Enterprise Data Analyst certification is designed for individuals who want to demonstrate their expertise in designing and implementing data analysis solutions on Azure. This certification is ideal for data analysts who are responsible for building and maintaining data analysis solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-enterprise-data-analyst |
                        | Azure Solutions Architect Expert | AZ-305 | The Azure Solutions Architect certification is designed for individuals who want to demonstrate their expertise in designing and implementing solutions on Azure. This certification is ideal for IT professionals who are responsible for designing and implementing cloud-based solutions using Azure services. | https://learn.microsoft.com/en-us/certifications/azure-solutions-architect |
                        | Azure for SAP Workloads Specialty | AZ-120 | The Azure for SAP Workloads certification is designed for individuals who want to demonstrate their expertise in deploying and managing SAP workloads on Azure. This certification is ideal for IT professionals who are responsible for implementing and maintaining SAP solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-for-sap-workloads |
                        | Azure Virtual Desktop Specialty | AZ-140 | The Azure Virtual Desktop certification is designed for individuals who want to demonstrate their expertise in deploying and managing virtual desktop solutions on Azure. This certification is ideal for IT professionals who are responsible for implementing and maintaining virtual desktop solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-virtual-desktop |
                        | Azure Cosmos DB Developer Specialty | DP-420 | The Azure Cosmos DB Developer certification is designed for individuals who want to demonstrate their expertise in developing applications that use Azure Cosmos DB. This certification is ideal for software developers who want to build and deploy applications that use Azure Cosmos DB. | https://learn.microsoft.com/en-us/certifications/azure-cosmos-db-developer |
                        | Azure Fundamentals | AZ-900 | The Azure Fundamentals certification is designed for individuals who are new to Azure and want to demonstrate their knowledge of the platform. This certification is a great starting point for anyone who wants to learn more about Azure and how it can help them build and deploy applications in the cloud. | https://learn.microsoft.com/en-us/certifications/azure-fundamentals |
                        | Azure AI Fundamentals | AI-900 | The Azure AI Fundamentals certification is designed for individuals who want to demonstrate their knowledge of AI concepts and how they can be applied to Azure services. This certification is ideal for anyone who wants to learn more about AI and how it can be used to build intelligent applications. | https://learn.microsoft.com/en-us/certifications/azure-ai-fundamentals |
                        | Azure Data Fundamentals | DP-900 | The Azure Data Fundamentals certification is designed for individuals who want to demonstrate their knowledge of data concepts and how they can be applied to Azure services. This certification is ideal for anyone who wants to learn more about data and how it can be used to build data-driven applications. | https://learn.microsoft.com/en-us/certifications/azure-data-fundamentals |

                        You can find more information about Microsoft certifications on the Microsoft Certification Poster and in the Microsoft Learning website.

                        Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services

                        Today I'd like to share a brief summary of a Privileged Access Management (PAM) strategy recommended by other vendors, mapped to Microsoft Entra ID and some Azure services. The strategy is divided into seven phases:

                        
                        -graph LR;
                        -    A[Phase 1: Set Policy] 
                        -    C[Phase 2: The Process of Discovery]
                        -    E[Phase 3: Protect Credentials]
                        -    G[Phase 4: Secure Privileged Access]
                        -    I[Phase 5: Least Privilege]
                        -    K[Phase 6: Control All Applications]
                        -    M[Phase 7: Detect and Respond]
                        -
                        -    A-->C
                        -    C-->E
                        -    E-->G
                        -    G-->I
                        -    I-->K
                        -    K-->M
                        -    M-->A
                        -
                        -    classDef phase fill:#f9f,stroke:#333,stroke-width:2px;
                        -    class A,C,E,G,I,K,M phase;
                        -
                        -

                        Info

                        Be hybrid, be secure with a single control plane, use Azure ARC to inherit the same security and compliance policies across your on-premises, multi-cloud, and edge environments as in Azure.

                        Phase 1: Set Policy

                        The first step in any PAM strategy is to establish a clear policy. This policy should define who has access to what, when they have access, and what they can do with that access. It should also include guidelines for password management and multi-factor authentication. For example:

                        • Define clear access control policies.
                        • Establish guidelines for password management and multi-factor authentication.
                        • Regularly review and update the policy to reflect changes in the organization.

                        How to implement this:

                        • Use Azure Policy to define and manage policies for your Azure environment.
                        • Use Microsoft Entra multifactor authentication for implementing multi-factor authentication.

                        Phase 2: The Process of Discovery

                        In this phase, we identify all the privileged accounts across the organization. This includes service accounts, local administrative accounts, domain administrative accounts, emergency accounts, and application accounts. For example:

                        • Use automated tools to identify all privileged accounts across the organization.
                        • Regularly update the inventory of privileged accounts.
                        • Identify any accounts that are no longer in use and deactivate them.

                        How to implement this:

                        • Use Microsoft Entra Privileged Identity Management to discover, restrict and monitor administrators and their access to resources and provide just-in-time access when needed.

                        Phase 3: Protect Credentials

                        Once we've identified all privileged accounts, we need to ensure that these credentials are stored securely. This could involve using a secure vault, regularly rotating passwords, and using unique passwords for each account. For example:

                        • Store credentials in a secure vault.
                        • Implement regular password rotation.
                        • Use unique passwords for each account.

                        How to implement this:

                        • Use Azure Key Vault to safeguard cryptographic keys and other secrets used by your apps and services and rotate secrets regularly.
                        • Implement Microsoft Entra ID Password Protection to protect against weak passwords that can be easily guessed or cracked.
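As an added example for this phase (not code from the original post), the script below audits a Key Vault for secrets that have no expiry or are about to expire, and shows how a rotation writes the new version with an explicit expiry. It assumes the Az.KeyVault module and an existing Connect-AzAccount session; the vault name is a placeholder and the new credential value is supplied by the caller.

```powershell
# Added example (not from the original post): Phase 3 audit helper for Azure Key Vault.
# Assumes the Az.KeyVault module is installed and Connect-AzAccount has been run;
# 'kv-placeholder' is a placeholder vault name.

function Get-SecretExpiryReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        # Secrets expiring within this many days are reported as 'ExpiringSoon'.
        [int] $WarnDays = 30
    )
    $now = (Get-Date).ToUniversalTime()

    # Listing a vault without -Name returns secret metadata only (name, enabled flag,
    # expiry, timestamps); no secret values leave the vault during the audit.
    Get-AzKeyVaultSecret -VaultName $VaultName | ForEach-Object {
        $expires = $_.Expires
        $state = 'Ok'
        if (-not $_.Enabled)                          { $state = 'Disabled' }
        elseif ($null -eq $expires)                   { $state = 'NoExpiry' }
        elseif ($expires -lt $now)                    { $state = 'Expired' }
        elseif ($expires -lt $now.AddDays($WarnDays)) { $state = 'ExpiringSoon' }

        [pscustomobject]@{
            Vault   = $VaultName
            Name    = $_.Name
            Updated = $_.Updated
            Expires = $expires
            State   = $state
        }
    }
}

function Set-RotatedSecret {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $Name,
        # The new credential is produced by the system that owns it and passed in as a
        # SecureString; this function only stores it together with an expiry.
        [Parameter(Mandatory)] [securestring] $NewValue,
        [int] $LifetimeDays = 90
    )
    $expiry = (Get-Date).ToUniversalTime().AddDays($LifetimeDays)
    # Writing a new version keeps the previous one available for rollback; the
    # explicit -Expires is what turns 'NoExpiry' findings into scheduled rotations.
    Set-AzKeyVaultSecret -VaultName $VaultName -Name $Name -SecretValue $NewValue `
        -Expires $expiry -ContentType 'rotated-credential' |
        Select-Object Name, Version, Expires
}

# Usage: show everything in the placeholder vault that needs attention.
Get-SecretExpiryReport -VaultName 'kv-placeholder' -WarnDays 30 |
    Where-Object State -ne 'Ok' |
    Sort-Object State, Expires |
    Format-Table -AutoSize
```

Run the report on a schedule and feed `Expired` and `ExpiringSoon` rows into whatever process owns each credential, so that `Set-RotatedSecret` is called with the value that process generates.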

                        Phase 4: Secure Privileged Access

                        Securing privileged access involves implementing controls to prevent unauthorized access. This could include limiting the number of privileged accounts, implementing least privilege, and using just-in-time access. For example:

                        • Limit the number of privileged accounts.
                        • Implement just-in-time access, where access is granted only for the duration of a task.
                        • Use session recording and monitoring for privileged access.

                        How to implement this:

                        • Use Microsoft Entra ID Conditional Access to enforce controls on the access to apps in your environment based on specific conditions.
                        • Implement Microsoft Entra Privileged Identity Management for just-in-time access.

                        Phase 5: Least Privilege

                        The principle of least privilege involves giving users the minimum levels of access — or permissions — they need to complete their job functions. By limiting the access rights of users, the risk of a security breach is reduced. For example:

                        • Implement role-based access control (RBAC) in Azure to grant the minimum necessary access to users.
                        • Regularly review user roles and access rights.
                        • Implement a process for revoking access when it's no longer needed.

                        How to implement this:

                        • Implement Role-Based Access Control (RBAC) in Azure to grant the minimum necessary access to users.
                        • Use Microsoft Entra ID Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments.
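To make Phases 4 and 5 measurable, here is an added example (not code from the original post) that lists active privileged role assignments per subscription and classifies each one: direct user grants that should move to PIM-eligible groups, privileged workload identities to review, and orphaned assignments whose principal no longer exists. It assumes the Az.Resources module, a Connect-AzAccount session, and read access to role assignments at the scopes checked.

```powershell
# Added example (not from the original post): audit of active privileged role
# assignments for Phases 4 and 5. Assumes Az.Resources is installed, Connect-AzAccount
# has been run, and the caller can read role assignments in the subscriptions listed.

# Built-in roles that grant control-plane ownership or the ability to grant access.
$PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator',
                     'Role Based Access Control Administrator')

function Get-PrivilegedAssignmentFinding {
    [CmdletBinding()]
    param(
        # Scope to audit, e.g. "/subscriptions/<id>" or
        # "/providers/Microsoft.Management/managementGroups/<name>".
        [Parameter(Mandatory)] [string] $Scope
    )
    # Get-AzRoleAssignment lists active assignments at this scope plus those inherited
    # from parent scopes. PIM *eligible* assignments are not active and so do not
    # appear here, which is the desired end state for human administrators.
    Get-AzRoleAssignment -Scope $Scope |
        Where-Object { $PrivilegedRoles -contains $_.RoleDefinitionName } |
        ForEach-Object {
            $ra   = $_
            $type = $ra.ObjectType
            $finding = switch ($type) {
                # Phases 4/5: humans should reach privileged roles through a
                # PIM-eligible group, not a standing direct assignment.
                'User'             { 'StandingUserAssignment' }
                # Workload identities holding Owner/Contributor deserve a check
                # whether a narrower built-in or custom role would do.
                'ServicePrincipal' { 'PrivilegedWorkloadIdentity' }
                # Principal deleted in Entra ID but the assignment remains (Phase 2).
                'Unknown'          { 'OrphanedAssignment' }
                'Group'            { 'GroupAssignment' }
                default            { "Other:$type" }
            }
            $principal = if ($ra.SignInName) { $ra.SignInName } else { $ra.DisplayName }
            [pscustomobject]@{
                Principal  = $principal
                ObjectId   = $ra.ObjectId
                ObjectType = $type
                Role       = $ra.RoleDefinitionName
                AssignedAt = $ra.Scope
                # Inherited assignments must be fixed at the parent scope, not here.
                Inherited  = ($ra.Scope -ne $Scope)
                Finding    = $finding
            }
        }
}

# Usage: report across all subscriptions the session can see; group grants excluded.
foreach ($sub in Get-AzSubscription) {
    Get-PrivilegedAssignmentFinding -Scope "/subscriptions/$($sub.Id)" |
        Where-Object Finding -ne 'GroupAssignment' |
        Sort-Object Finding, Role, Principal |
        Format-Table Principal, Role, AssignedAt, Inherited, Finding -AutoSize
}
```

The `Inherited` column tells you where the fix belongs: an inherited Owner grant has to be removed or converted at the management group that created it, not in the subscription where it was noticed.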

                        Phase 6: Control All Applications

                        In this phase, we ensure that all applications, whether on-premises or in the cloud, are controlled and monitored. This includes implementing application control policies and monitoring application usage. For example:

                        • Implement application control policies that dictate what applications can be run on systems.
                        • Monitor application usage and block unauthorized applications.
                        • Regularly update and patch all applications to reduce vulnerabilities.

                        How to implement this:

                        • Use Microsoft Entra Application Proxy to control and secure access to on-premises and cloud apps.
                        • Enable Change Tracking and Inventory in Azure Automation to track changes to your Azure VMs. Use desired state configuration to ensure that your VMs are configured correctly.
                        • Implement Microsoft Intune to manage and secure your devices and applications.

                        Phase 7: Detect and Respond

                        The final phase involves setting up systems to detect and respond to any suspicious activity. This could involve setting up alerts for unusual activity, regularly auditing access logs, and having a response plan in place for when a breach occurs. For example:

                        • Set up alerts for unusual activity.
                        • Regularly audit access logs.
                        • Have a response plan in place for when a breach occurs, including steps for containment, eradication, and recovery.

                        How to implement this:

                        • Use Microsoft Defender for Cloud for increased visibility into your security state and to detect and respond to threats.
                        • Implement Microsoft Sentinel (formerly Azure Sentinel), Microsoft's cloud-native SIEM solution, for intelligent security analytics.
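As an added example for this phase (not code from the original post), the following runs a KQL detection against the Log Analytics workspace behind Microsoft Sentinel from PowerShell: every successful write of an Owner, User Access Administrator or Contributor role assignment in the last day, rated by the scope it was granted at and by whether the caller is an approved deployment identity. It assumes the Az.OperationalInsights module, a Connect-AzAccount session, and that the AzureActivity table is being ingested; the workspace id is a placeholder and the role GUIDs are the well-known built-in role definition ids.

```powershell
# Added example (not from the original post): a Phase 7 detection run from PowerShell
# against the Log Analytics workspace used by Microsoft Sentinel. Assumes
# Az.OperationalInsights is installed, Connect-AzAccount has been run and AzureActivity
# is ingested; the workspace id below is a placeholder.

$PrivilegedRoleAssignmentKql = @'
// Well-known built-in role definition ids: Owner, User Access Administrator, Contributor.
let PrivilegedRoleIds = dynamic([
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
    "b24988ac-6180-42a0-ab88-20f7382dd24c"]);
AzureActivity
| where OperationNameValue =~ "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
| where ActivityStatusValue in~ ("Success", "Succeeded")
// The request body (a JSON string inside Properties) carries the role and principal.
| where Properties has_any (PrivilegedRoleIds)
| extend body = parse_json(tostring(parse_json(Properties).requestbody))
| extend AssignedScope    = tostring(body.Properties.Scope),
         PrincipalId      = tostring(body.Properties.PrincipalId),
         RoleDefinitionId = tostring(body.Properties.RoleDefinitionId)
| project TimeGenerated, Caller, CallerIpAddress, AssignedScope, PrincipalId, RoleDefinitionId
| order by TimeGenerated desc
'@

function Get-PrivilegedRoleAssignmentWrite {
    [CmdletBinding()]
    param(
        # Workspace (customer) id of the Log Analytics workspace, not its ARM resource id.
        [Parameter(Mandatory)] [string] $WorkspaceId,
        [int] $LookbackHours = 24,
        # Callers allowed to grant privileged roles (as they appear in AzureActivity.Caller:
        # a UPN or an application/object id), e.g. the deployment pipeline identity.
        [string[]] $ApprovedCallers = @()
    )
    $response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId `
        -Query $PrivilegedRoleAssignmentKql -Timespan (New-TimeSpan -Hours $LookbackHours)

    foreach ($row in $response.Results) {
        # Root or management-group grants have the widest blast radius.
        $wideScope = ($row.AssignedScope -eq '/') -or
                     ($row.AssignedScope -like '/providers/Microsoft.Management/*')
        $severity = 'Medium'
        if ($ApprovedCallers -contains $row.Caller) { $severity = 'Info' }
        elseif ($wideScope)                         { $severity = 'High' }

        [pscustomobject]@{
            Time             = $row.TimeGenerated
            Caller           = $row.Caller
            CallerIp         = $row.CallerIpAddress
            AssignedScope    = $row.AssignedScope
            PrincipalId      = $row.PrincipalId
            RoleDefinitionId = $row.RoleDefinitionId
            Severity         = $severity
        }
    }
}

# Usage: review the last day and escalate anything not made by an approved identity.
Get-PrivilegedRoleAssignmentWrite -WorkspaceId '00000000-0000-0000-0000-000000000000' `
    -LookbackHours 24 -ApprovedCallers @('deploy-pipeline@contoso.example') |
    Where-Object Severity -ne 'Info' |
    Sort-Object Severity, Time -Descending |
    Format-Table -AutoSize
```

The same KQL can be pasted into a Sentinel scheduled analytics rule; the PowerShell wrapper is for ad-hoc review and for pulling the same results into an incident timeline.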

                        By following these seven phases, you can create a robust PAM strategy that protects your organization from security breaches and helps you maintain compliance with various regulations.

                        Remember, a good PAM strategy is not a one-time effort but an ongoing process that needs to be regularly reviewed and updated. Microsoft and Azure services provide a robust set of tools to help you implement and manage your PAM strategy effectively.

                        Azure Policy Management Best Practices

                        1. Version Control: Store your policy definitions in a version-controlled repository. This practice ensures that you can track changes, collaborate effectively, and roll back to previous versions if needed.

                        2. Automated Testing: Incorporate policy testing into your CI/CD pipelines. Automated tests can help you catch policy violations early in the development process, reducing the risk of non-compliance.

                        3. Policy Documentation: Document your policies clearly, including their purpose, scope, and expected behavior. This documentation helps stakeholders understand the policies and their impact on Azure resources.

                        4. Policy Assignment: Assign policies at the appropriate scope (e.g., Management Group, Subscription, Resource Group) based on your organizational requirements. Avoid assigning policies at a broader scope than necessary to prevent unintended consequences.

                        5. Policy Exemptions: Use policy exemptions judiciously. Document the reasons for exemptions and periodically review them to ensure they are still valid.

                        6. Policy Enforcement: Monitor policy compliance regularly and take corrective action for non-compliant resources. Use Azure Policy's built-in compliance reports and alerts to track policy violations.

                        7. Policy Remediation: Implement automated remediation tasks for policy violations where possible. Azure Policy's remediation tasks can help bring non-compliant resources back into compliance automatically.

                        8. Policy Monitoring: Continuously monitor policy effectiveness and adjust policies as needed. Regularly review policy violations, exemptions, and compliance trends to refine your policy implementation.

                        9. Policy Governance: Establish a governance framework for Azure Policy that includes policy creation, assignment, monitoring, and enforcement processes. Define roles and responsibilities for policy management to ensure accountability.

                        10. Policy Lifecycle Management: Define a policy lifecycle management process that covers policy creation, testing, deployment, monitoring, and retirement. Regularly review and update policies to align with changing organizational requirements.

11. Single source of truth: whichever tooling you use (EPAC, Terraform, ARM templates, ...), keep one source of truth for your policies. Two tools managing the same assignments will fight over them and, with a desired-state tool, one will delete what the other created.

                        By following these best practices, you can effectively manage Azure policies and ensure compliance with organizational standards across your Azure environment. Azure Policy plays a crucial role in maintaining governance, security, and compliance, and adopting these practices can help you maximize its benefits.
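
Points 2, 3 and 5 above can be automated. The following is an added example written for this post (it is not Azure, EPAC or any vendor's code): a small lint that a CI job runs over the repository's definition, assignment and exemption JSON before anything is deployed. The field names are the ones the Azure Policy resource types use (properties.policyRule, allowedValues, policyDefinitionId, exemptionCategory, expiresOn); the sample documents at the bottom are constructed for the example and FIXED_NOW pins the clock so the result is reproducible.

```python
"""CI lint for an Azure Policy-as-code repository (added example for this post,
not Azure or EPAC code). Checks definitions, assignments and exemptions; the
sample documents at the bottom are constructed, not taken from a real tenant."""
from datetime import datetime, timezone

VALID_EFFECTS = {"audit", "auditifnotexists", "deny", "denyaction", "deployifnotexists",
                 "disabled", "modify", "append", "manual"}
VALID_EXEMPTION_CATEGORIES = {"Waiver", "Mitigated"}
BUILTIN_PREFIX = "/providers/Microsoft.Authorization/policyDefinitions/"


def lint_definition(defn):
    """Problems found in one policy definition document (list of strings)."""
    name = defn.get("name") or "<unnamed>"
    props = defn.get("properties", {})
    problems = []
    for field in ("displayName", "description"):   # best practice 3: document the policy
        if not props.get(field):
            problems.append(f"{name}: missing {field}")
    rule = props.get("policyRule", {})
    if "if" not in rule or "then" not in rule:
        return problems + [f"{name}: policyRule needs both 'if' and 'then'"]
    effect = rule["then"].get("effect", "")
    if effect.startswith("[parameters('") and effect.endswith("')]"):
        # Parameterised effect: the parameter must exist and may only allow real effects.
        pname = effect[len("[parameters('"):-len("')]")]
        allowed = props.get("parameters", {}).get(pname, {}).get("allowedValues")
        if not allowed:
            problems.append(f"{name}: effect parameter '{pname}' must declare allowedValues")
        elif not {v.lower() for v in allowed} <= VALID_EFFECTS:
            problems.append(f"{name}: effect parameter '{pname}' allows an unknown effect")
    elif effect.lower() not in VALID_EFFECTS:
        problems.append(f"{name}: unknown effect '{effect}'")
    return problems


def lint_assignment(assign, known_definitions):
    """An assignment must point at a built-in or at a definition kept in this repo."""
    name = assign.get("name") or "<unnamed>"
    def_id = assign.get("properties", {}).get("policyDefinitionId", "")
    leaf = def_id.rsplit("/", 1)[-1]
    if not def_id.startswith(BUILTIN_PREFIX) and leaf not in known_definitions:
        return [f"{name}: definition '{leaf}' not found in repository"]
    return []


def lint_exemption(exemption, now):
    """Best practice 5: exemptions need a category, a justification and an expiry."""
    name = exemption.get("name") or "<unnamed>"
    props = exemption.get("properties", {})
    problems = []
    if props.get("exemptionCategory") not in VALID_EXEMPTION_CATEGORIES:
        problems.append(f"{name}: exemptionCategory must be Waiver or Mitigated")
    if not props.get("description"):
        problems.append(f"{name}: missing description (document why it is exempt)")
    expires = props.get("expiresOn")
    if not expires:
        problems.append(f"{name}: missing expiresOn (open-ended exemptions never get reviewed)")
    elif datetime.fromisoformat(expires.replace("Z", "+00:00")) <= now:
        problems.append(f"{name}: expired on {expires[:10]}")
    return problems


def lint_repo(definitions, assignments, exemptions, now=None):
    """Run every check; an empty list means the repository is clean."""
    now = now or datetime.now(timezone.utc)
    known = {d.get("name") for d in definitions}
    problems = [p for d in definitions for p in lint_definition(d)]
    problems += [p for a in assignments for p in lint_assignment(a, known)]
    problems += [p for e in exemptions for p in lint_exemption(e, now)]
    return problems


# Constructed sample documents. Custom definitions live under the management group.
MG_DEFS = "/providers/Microsoft.Management/managementGroups/contoso" + BUILTIN_PREFIX
SAMPLE_DEFINITIONS = [
    {"name": "deny-public-ip", "properties": {
        "displayName": "Deny public IP addresses", "description": "Blocks creation of public IPs.",
        "mode": "Indexed", "parameters": {"effect": {"allowedValues": ["Audit", "Deny", "Disabled"]}},
        "policyRule": {"if": {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
                       "then": {"effect": "[parameters('effect')]"}}}},
    {"name": "audit-tags", "properties": {      # two defects: no description, bogus effect
        "displayName": "Audit missing owner tag", "mode": "Indexed",
        "policyRule": {"if": {"field": "tags['owner']", "exists": "false"},
                       "then": {"effect": "Block"}}}},
]
SAMPLE_ASSIGNMENTS = [
    {"name": "assign-public-ip", "properties": {"policyDefinitionId": MG_DEFS + "deny-public-ip"}},
    {"name": "assign-storage", "properties": {"policyDefinitionId": MG_DEFS + "deny-storage-http"}},
]
SAMPLE_EXEMPTIONS = [
    {"name": "exempt-build", "properties": {"exemptionCategory": "Mitigated",
        "expiresOn": "2030-06-30T00:00:00Z", "description": "Build agents need public IPs; NSG rules compensate."}},
    {"name": "exempt-legacy", "properties": {"exemptionCategory": "Waiver",   # expired, undocumented
        "expiresOn": "2023-01-01T00:00:00Z"}},
]
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # pinned clock for a reproducible run

if __name__ == "__main__":
    for problem in lint_repo(SAMPLE_DEFINITIONS, SAMPLE_ASSIGNMENTS, SAMPLE_EXEMPTIONS, FIXED_NOW):
        print("FAIL:", problem)
```

Run it as a pipeline step and fail the job when the list is not empty; the expired exemption is the check that pays for itself first, because nothing in the portal nags you about exemptions that quietly outlived their justification.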


                        Now you can check the file in the static website of the storage account.

Azure Arc

Azure Arc is a service that extends Azure management to infrastructure that does not run in Azure. Servers, Kubernetes clusters and data services running on-premises, at the edge or in other clouds are projected into Azure Resource Manager as regular Azure resources, so the tools, security controls and compliance policies you apply to native Azure resources (Azure Policy, Azure RBAC, tags, Azure Monitor, Microsoft Defender for Cloud) apply to them as well. The result is a single control plane for a hybrid estate. Let's look at how Azure Arc works and how you can use it to manage your resources.

Azure Arc Overview

Once a resource is connected it gets an Azure resource ID and lives in a resource group like any other resource. An Arc-enabled server, for example, appears as a Microsoft.HybridCompute/machines resource and receives a system-assigned managed identity; that identity is what lets the machine authenticate to Azure services and what the policy guest configuration, Azure Monitor and Defender for Cloud extensions use to reach Azure.

Azure Arc enables you to:

• Manage resources: manage resources running on-premises, at the edge or in other clouds with Azure management tools such as Azure Policy, Azure Monitor and Microsoft Defender for Cloud.
• Governance: a unified control plane for managing and governing resources across all environments, so security and compliance policies are enforced consistently.
• Security: Azure security capabilities are extended to resources running outside Azure, so you can protect them with Microsoft Defender for Cloud (which replaced Azure Security Center and Azure Defender).
• Compliance: compliance policies are enforced across all environments, ensuring that your resources meet regulatory requirements and organizational standards.

Azure Arc Components

Azure Arc consists of the following components:

• Azure Arc-enabled servers: manage and govern Windows and Linux servers running on-premises or at the edge. You install the Azure Connected Machine agent on the server and connect it to Azure; from then on it can be targeted with Azure Policy, Azure Monitor and Microsoft Defender for Cloud.
• Azure Arc-enabled Kubernetes: manage and govern Kubernetes clusters running on-premises or in other clouds. The Arc agents are deployed into the cluster, which then appears in Azure and can be managed with Azure Policy, Azure Monitor and Microsoft Defender for Cloud.
• Azure Arc-enabled data services: run and govern Azure data services on Arc-enabled Kubernetes clusters on-premises or in other clouds, managed with the same Azure tools.
• SQL Server enabled by Azure Arc: registers SQL Server instances running on any infrastructure with Azure so that they can be managed with Azure Policy, Azure Monitor and Microsoft Defender for Cloud.
• Azure Arc-enabled private clouds: the Azure Arc resource bridge hosts the components (custom locations, cluster extensions and other Arc agents) that let Azure manage the private cloud platforms it supports.

Azure Arc Use Cases

Azure Arc can be used in a variety of scenarios to manage and govern resources across on-premises, multi-cloud and edge environments. Some common use cases include:

• Hybrid cloud management: manage resources consistently across on-premises, multi-cloud and edge environments with the same Azure management tools and policies.
• Security and compliance: enforce security and compliance policies consistently across all environments, so that every resource meets regulatory requirements and organizational standards.
• Resource governance: a unified control plane for managing and governing resources across all environments, including policy enforcement and monitoring of resource health and performance.
• Application modernization: manage and govern Kubernetes clusters and data services running on-premises or in other clouds while you modernize applications and infrastructure.

Getting Started with Azure Arc

To get started with Azure Arc, you need to:

1. Connect your resources: install the Azure Connected Machine agent on servers, or deploy the Arc agents into Kubernetes clusters, and connect them to a resource group in your subscription. The agent needs outbound HTTPS to the Azure endpoints, and the identity used for onboarding needs the Azure Connected Machine Onboarding role on the target resource group; keep that identity separate from your day-to-day administrative accounts.
2. Manage your resources: use Azure Policy, Azure Monitor and Microsoft Defender for Cloud to manage and govern the connected resources exactly as you do for native Azure resources.
3. Enforce security and compliance: use Microsoft Defender for Cloud to protect the connected resources and assign the same policy initiatives you use for Azure.

One caveat: the managed identity of a connected machine is a credential. A process running with local administrator rights on the machine can obtain tokens for it, so the compromise of an Arc-enabled host yields whatever Azure permissions that identity has been granted. Grant it the minimum roles it needs and keep its scope narrow.

Conclusion

Azure Arc extends Azure management to any infrastructure and gives you one control plane for on-premises, multi-cloud and edge resources, so security and compliance policies are enforced consistently across all of them.

For more information on Azure Arc, visit the Azure Arc documentation.

                    \ No newline at end of file diff --git a/blog/page/2/index.html b/blog/page/2/index.html index f848aac..4a5becd 100644 --- a/blog/page/2/index.html +++ b/blog/page/2/index.html @@ -7,7 +7,28 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

                    Blog

                    Enterprise Azure Policy as Code (EPAC)

                    Enterprise Azure Policy as Code (EPAC) is a powerful tool that allows organizations to manage Azure Policies as code in a git repository. It's designed for medium and large organizations with a larger number of Policies, Policy Sets, and Assignments, and/or complex deployment scenarios.

                    Key Features of EPAC

                    • Single and multi-tenant policy deployment: EPAC supports both single and multi-tenant policy deployments, making it versatile for different organizational structures.
                    • Easy CI/CD Integration: EPAC can be easily integrated with any CI/CD tool, which makes it a great fit for DevOps environments.
                    • Operational scripts: EPAC includes operational scripts to simplify operational tasks.
                    • Integration with Azure Landing Zones: EPAC provides a mature integration with Azure Landing Zones. Utilizing Azure Landing Zones together with EPAC is highly recommended.

                    Who Should Use EPAC?

                    EPAC is designed for medium and large organizations with a larger number of Policies, Policy Sets, and Assignments, and/or complex deployment scenarios. However, smaller organizations implementing fully-automated DevOps deployments of every Azure resource (known as Infrastructure as Code) can also benefit from EPAC.

                    How Does EPAC Work?

                    EPAC works by deploying all policies and policy assignments defined in the EPAC repository to the deploymentRootScope and its children. It takes possession of all Policy Resources at the deploymentRootScope and its children.

(Figure: EPAC deployment flow; the steps are described below.)

The process depicted in the image involves three key scripts that manage a deployment sequence:

1. Definition files: the process begins with definition files in JSON, CSV or XLSX format. They contain policy definitions, policy set (initiative) definitions, assignments, exemptions and global settings.

2. Planning script: Build-DeploymentPlans.ps1 reads these definition files and creates a deployment plan. This script requires Resource Policy Reader privileges.

3. Deployment scripts: the deployment plan is then consumed by two deployment scripts:
   • Deploy-PolicyPlan.ps1 deploys Policy resources from the policy-plan.json file in the plan. It requires Resource Policy Contributor privileges.
   • Deploy-RolesPlan.ps1 deploys the Role Assignments from the roles-plan.json file (the managed identities of deployIfNotExists and modify assignments need them). It requires User Access Administrator privileges.

The process includes optional approval gates after each deployment step. These are typically used in production environments so that each step is reviewed and approved before moving to the next.

                    Warning

                    EPAC is a true desired state deployment technology. It takes possession of all Policy Resources at the deploymentRootScope and its children. It will delete any Policy resources not defined in the EPAC repo.

                    Conclusion

                    EPAC is a robust solution for managing Azure Policies as code. It offers a high level of assurance in highly controlled and sensitive environments, and a means for the development, deployment, management, and reporting of Azure policy at scale.


                    Manage Azure Policy GitHub Action

                    It's recommended to review:

                    Overview

                    The Manage Azure Policy GitHub Action empowers you to enforce organizational standards and assess compliance at scale using Azure policies. With this action, you can seamlessly integrate policy management into your CI/CD pipelines, ensuring that your Azure resources adhere to the desired policies.

                    Info

This project has not received updates for some time, but it is still a simple option for developing your Azure Policies. Be aware of its major drawback: the action does not handle deletions, so a policy or assignment removed from the repository stays in Azure until someone deletes it by hand.

                    Key Features

                    1. Customizable Workflows: GitHub workflows are highly customizable. You have complete control over the sequence in which Azure policies are rolled out. This flexibility enables you to follow safe deployment practices and catch regressions or bugs well before policies are applied to critical resources.

                    2. Azure Login Integration: The action assumes that you've already authenticated using the Azure Login action. Make sure you've logged in using an Azure service principal with sufficient permissions to write policies on selected scopes. Refer to the full documentation of Azure Login Action for details on permissions.

                    3. Policy File Structure: Your policy files should be organized in a specific directory structure within your GitHub repository. Here's how it should look:

                      |- policies/

                      Blog

                      Microsoft Azure Certifications

                      Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft technologies. These certifications cover a variety of topics, including Azure, Office 365, Windows Server, and more.

Microsoft divides these certifications into categories such as:

                      • Infrastructure
                      • Data and AI
                      • Digital app and innovation
                      • Modern work
                      • Business applications
                      • Security

                      Inside of each category, you can find different certification levels:

                      • Fundamentals: This level is designed for individuals who are new to the technology and want to demonstrate their knowledge of the basics.
                      • Role-based: This level is designed for individuals who want to demonstrate their expertise in a specific role, such as Azure Administrator or Data Engineer.
                      • Specialty: This level is designed for individuals who want to demonstrate their expertise in a specific skill, such as Azure Virtual Desktop or Azure SAP.

                      In the case of role-based certifications, Microsoft offers different levels of certification, such as:

                      • Associate: This level is designed for individuals who have some experience in the technology and want to demonstrate their expertise in a specific role.
                      • Expert: This level is designed for individuals who have extensive experience in the technology and want to demonstrate their expertise in a specific role.

It is always a good idea to start with a fundamentals certification and then move on to the role-based certifications that are relevant to your career goals.

In most cases an associate certification is a prerequisite for the corresponding expert certification.

                      Azure Certifications

                      Here's a table summarizing the Azure Certifications and their description:

| Certification | Exam required | Description | URL |
|---|---|---|---|
| Azure Administrator Associate | AZ-104 | For individuals who want to demonstrate their expertise in managing Azure resources. Ideal for IT professionals responsible for implementing, monitoring and maintaining Azure solutions. | https://learn.microsoft.com/en-us/certifications/azure-administrator |
| Azure Developer Associate | AZ-204 | For individuals who want to demonstrate their expertise in developing applications on Azure. Ideal for software developers who build and deploy cloud-based applications using Azure services. | https://learn.microsoft.com/en-us/certifications/azure-developer |
| Azure Data Engineer Associate | DP-203 | For individuals who want to demonstrate their expertise in designing and implementing data solutions on Azure. Ideal for data professionals who build and maintain data pipelines and data warehouses on Azure. | https://learn.microsoft.com/en-us/certifications/azure-data-engineer |
| Azure Database Administrator Associate | DP-300 | For individuals who want to demonstrate their expertise in managing Azure databases. Ideal for database administrators who design, implement and maintain databases on Azure. | https://learn.microsoft.com/en-us/certifications/azure-database-administrator |
| DevOps Engineer Expert | AZ-400 | For individuals who want to demonstrate their expertise in implementing DevOps practices on Azure. Ideal for IT professionals who build, test and deploy applications using Azure DevOps. | https://learn.microsoft.com/en-us/certifications/devops-engineer |
| Azure Security Engineer Associate | AZ-500 | For individuals who want to demonstrate their expertise in securing Azure resources. Ideal for IT professionals who implement security controls and monitor security events on Azure. | https://learn.microsoft.com/en-us/certifications/azure-security-engineer |
| Azure Network Engineer Associate | AZ-700 | For individuals who want to demonstrate their expertise in designing and implementing network solutions on Azure. Ideal for network engineers who build and maintain network infrastructure on Azure. | https://learn.microsoft.com/en-us/certifications/azure-network-engineer |
| Windows Server Hybrid Administrator Associate | AZ-800 and AZ-801 | For individuals who want to demonstrate their expertise in managing Windows Server resources on Azure. Ideal for IT professionals who implement, monitor and maintain Windows Server solutions on Azure. | https://learn.microsoft.com/en-us/certifications/windows-server-hybrid-administrator |
| Fabric Analytics Engineer Associate | DP-600 | For individuals who want to demonstrate their expertise in designing and implementing analytics solutions on Azure. Ideal for data professionals who build and maintain analytics solutions on Azure. | https://learn.microsoft.com/en-us/certifications/fabric-analytics-engineer |
| Azure AI Engineer Associate | AI-102 | For individuals who want to demonstrate their expertise in designing and implementing AI solutions on Azure. Ideal for data scientists and AI developers who build and deploy AI models using Azure services. | https://learn.microsoft.com/en-us/certifications/azure-ai-engineer |
| Azure Data Scientist Associate | DP-100 | For individuals who want to demonstrate their expertise in designing and implementing data science solutions on Azure. Ideal for data scientists who build and maintain data science solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-data-scientist |
| Azure Enterprise Data Analyst Associate | DP-500 | For individuals who want to demonstrate their expertise in designing and implementing data analysis solutions on Azure. Ideal for data analysts who build and maintain data analysis solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-enterprise-data-analyst |
| Azure Solutions Architect Expert | AZ-305 | For individuals who want to demonstrate their expertise in designing and implementing solutions on Azure. Ideal for IT professionals who design and implement cloud-based solutions using Azure services. | https://learn.microsoft.com/en-us/certifications/azure-solutions-architect |
| Azure for SAP Workloads Specialty | AZ-120 | For individuals who want to demonstrate their expertise in deploying and managing SAP workloads on Azure. Ideal for IT professionals who implement and maintain SAP solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-for-sap-workloads |
| Azure Virtual Desktop Specialty | AZ-140 | For individuals who want to demonstrate their expertise in deploying and managing virtual desktop solutions on Azure. Ideal for IT professionals who implement and maintain virtual desktop solutions on Azure. | https://learn.microsoft.com/en-us/certifications/azure-virtual-desktop |
| Azure Cosmos DB Developer Specialty | DP-420 | For individuals who want to demonstrate their expertise in developing applications that use Azure Cosmos DB. Ideal for software developers who build and deploy applications on Azure Cosmos DB. | https://learn.microsoft.com/en-us/certifications/azure-cosmos-db-developer |
| Azure Fundamentals | AZ-900 | For individuals who are new to Azure and want to demonstrate their knowledge of the platform. A good starting point for anyone who wants to learn how Azure can help them build and deploy applications in the cloud. | https://learn.microsoft.com/en-us/certifications/azure-fundamentals |
| Azure AI Fundamentals | AI-900 | For individuals who want to demonstrate their knowledge of AI concepts and how they apply to Azure services. Ideal for anyone who wants to learn how AI can be used to build intelligent applications. | https://learn.microsoft.com/en-us/certifications/azure-ai-fundamentals |
| Azure Data Fundamentals | DP-900 | For individuals who want to demonstrate their knowledge of data concepts and how they apply to Azure services. Ideal for anyone who wants to learn how data can be used to build data-driven applications. | https://learn.microsoft.com/en-us/certifications/azure-data-fundamentals |

                      You can find more information about Microsoft certifications on the Microsoft Certification Poster and in the Microsoft Learning website.

                      Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services

Today I'd like to share a brief summary of the Privileged Access Management (PAM) strategy that other vendors recommend, mapped onto Microsoft Entra ID and some Azure services. The strategy is divided into seven phases:

                      
                      +graph LR;
                      +    A[Phase 1: Set Policy] 
                      +    C[Phase 2: The Process of Discovery]
                      +    E[Phase 3: Protect Credentials]
                      +    G[Phase 4: Secure Privileged Access]
                      +    I[Phase 5: Least Privilege]
                      +    K[Phase 6: Control All Applications]
                      +    M[Phase 7: Detect and Respond]
                      +
                      +    A-->C
                      +    C-->E
                      +    E-->G
                      +    G-->I
                      +    I-->K
                      +    K-->M
                      +    M-->A
                      +
                      +    classDef phase fill:#f9f,stroke:#333,stroke-width:2px;
                      +    class A,C,E,G,I,K,M phase;
                      +
                      +

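Review bot: the added diagram block starts and ends with empty `+` lines (the positions where the opening ```mermaid and closing ``` fence lines would be), so confirm the fence markers survived in the commit; without them `graph LR;` and the node lines render as a plain paragraph instead of a flowchart. The edges themselves are consistent: `A-->C` through `K-->M` chain the seven phases in order and `M-->A` closes the loop, which matches the post's closing point that PAM is an ongoing process, not a one-time effort.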
                      Info

Be hybrid, be secure, with a single control plane: use Azure Arc so that your on-premises, multi-cloud and edge resources inherit the same security and compliance policies you apply in Azure.

                      Phase 1: Set Policy

                      The first step in any PAM strategy is to establish a clear policy. This policy should define who has access to what, when they have access, and what they can do with that access. It should also include guidelines for password management and multi-factor authentication. For example:

                      • Define clear access control policies.
                      • Establish guidelines for password management and multi-factor authentication.
                      • Regularly review and update the policy to reflect changes in the organization.

                      How to implement this:

                      • Use Azure Policy to define and manage policies for your Azure environment.
                      • Use Microsoft Entra multifactor authentication for implementing multi-factor authentication.

                      Phase 2: The Process of Discovery

                      In this phase, we identify all the privileged accounts across the organization. This includes service accounts, local administrative accounts, domain administrative accounts, emergency accounts, and application accounts. For example:

                      • Use automated tools to identify all privileged accounts across the organization.
                      • Regularly update the inventory of privileged accounts.
                      • Identify any accounts that are no longer in use and deactivate them.

                      How to implement this:

• Use Microsoft Entra Privileged Identity Management to discover, restrict and monitor administrators and their access to resources, and to provide just-in-time access when needed. Note that PIM covers Microsoft Entra roles, Azure resource roles and group memberships; local administrator accounts, on-premises service accounts and application secrets are not visible to it and need their own inventory.

                      Phase 3: Protect Credentials

                      Once we've identified all privileged accounts, we need to ensure that these credentials are stored securely. This could involve using a secure vault, regularly rotating passwords, and using unique passwords for each account. For example:

                      • Store credentials in a secure vault.
                      • Implement regular password rotation.
                      • Use unique passwords for each account.

                      How to implement this:

                      • Use Azure Key Vault to safeguard cryptographic keys and other secrets used by your apps and services and rotate secrets regularly.
                      • Implement Microsoft Entra ID Password Protection to protect against weak passwords that can be easily guessed or cracked.

                      Phase 4: Secure Privileged Access

                      Securing privileged access involves implementing controls to prevent unauthorized access. This could include limiting the number of privileged accounts, implementing least privilege, and using just-in-time access. For example:

                      • Limit the number of privileged accounts.
                      • Implement just-in-time access, where access is granted only for the duration of a task.
                      • Use session recording and monitoring for privileged access.

                      How to implement this:

                      • Use Microsoft Entra ID Conditional Access to enforce controls on the access to apps in your environment based on specific conditions.
                      • Implement Microsoft Entra Privileged Identity Management for just-in-time access.

                      Phase 5: Least Privilege

                      The principle of least privilege involves giving users the minimum levels of access — or permissions — they need to complete their job functions. By limiting the access rights of users, the risk of a security breach is reduced. For example:

                      • Implement role-based access control (RBAC) in Azure to grant the minimum necessary access to users.
                      • Regularly review user roles and access rights.
                      • Implement a process for revoking access when it's no longer needed.

                      How to implement this:

                      • Implement Role-Based Access Control (RBAC) in Azure to grant the minimum necessary access to users.
                      • Use Microsoft Entra ID Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments.

                      Phase 6: Control All Applications

                      In this phase, we ensure that all applications, whether on-premises or in the cloud, are controlled and monitored. This includes implementing application control policies and monitoring application usage. For example:

                      • Implement application control policies that dictate what applications can be run on systems.
                      • Monitor application usage and block unauthorized applications.
                      • Regularly update and patch all applications to reduce vulnerabilities.

                      How to implement this:

                      • Use Microsoft Entra Application Proxy to control and secure access to on-premises and cloud apps.
                      • Enable Change Tracking and Inventory in Azure Automation to track changes to your Azure VMs. Use desired state configuration to ensure that your VMs are configured correctly.
                      • Implement Microsoft Intune to manage and secure your devices and applications.

                      Phase 7: Detect and Respond

                      The final phase involves setting up systems to detect and respond to any suspicious activity. This could involve setting up alerts for unusual activity, regularly auditing access logs, and having a response plan in place for when a breach occurs. For example:

                      • Set up alerts for unusual activity.
                      • Regularly audit access logs.
                      • Have a response plan in place for when a breach occurs, including steps for containment, eradication, and recovery.

                      How to implement this:

                      • Use Microsoft Defender for Cloud for increased visibility into your security state and to detect and respond to threats.
                      • Implement Azure Sentinel, Microsoft's cloud-native SIEM solution, for intelligent security analytics.

                      By following these seven phases, you can create a robust PAM strategy that protects your organization from security breaches and helps you maintain compliance with various regulations.

                      Remember, a good PAM strategy is not a one-time effort but an ongoing process that needs to be regularly reviewed and updated. Microsoft and Azure services provide a robust set of tools to help you implement and manage your PAM strategy effectively.

                      Azure Policy Management Best Practices

                      1. Version Control: Store your policy definitions in a version-controlled repository. This practice ensures that you can track changes, collaborate effectively, and roll back to previous versions if needed.

                      2. Automated Testing: Incorporate policy testing into your CI/CD pipelines. Automated tests can help you catch policy violations early in the development process, reducing the risk of non-compliance.

                      3. Policy Documentation: Document your policies clearly, including their purpose, scope, and expected behavior. This documentation helps stakeholders understand the policies and their impact on Azure resources.

                      4. Policy Assignment: Assign policies at the appropriate scope (e.g., Management Group, Subscription, Resource Group) based on your organizational requirements. Avoid assigning policies at a broader scope than necessary to prevent unintended consequences.

                      5. Policy Exemptions: Use policy exemptions judiciously. Document the reasons for exemptions and periodically review them to ensure they are still valid.

                      6. Policy Enforcement: Monitor policy compliance regularly and take corrective action for non-compliant resources. Use Azure Policy's built-in compliance reports and alerts to track policy violations.

                      7. Policy Remediation: Implement automated remediation tasks for policy violations where possible. Azure Policy's remediation tasks can help bring non-compliant resources back into compliance automatically.

                      8. Policy Monitoring: Continuously monitor policy effectiveness and adjust policies as needed. Regularly review policy violations, exemptions, and compliance trends to refine your policy implementation.

                      9. Policy Governance: Establish a governance framework for Azure Policy that includes policy creation, assignment, monitoring, and enforcement processes. Define roles and responsibilities for policy management to ensure accountability.

                      10. Policy Lifecycle Management: Define a policy lifecycle management process that covers policy creation, testing, deployment, monitoring, and retirement. Regularly review and update policies to align with changing organizational requirements.

                      11. Unique source of truth: Use EPAC, Terraform, ARM, ... but keep a single source of truth for your policies.

                      By following these best practices, you can effectively manage Azure policies and ensure compliance with organizational standards across your Azure environment. Azure Policy plays a crucial role in maintaining governance, security, and compliance, and adopting these practices can help you maximize its benefits.

                      Enterprise Azure Policy as Code (EPAC)

                      Enterprise Azure Policy as Code (EPAC) is a powerful tool that allows organizations to manage Azure Policies as code in a git repository. It's designed for medium and large organizations with a larger number of Policies, Policy Sets, and Assignments, and/or complex deployment scenarios.

                      Key Features of EPAC

                      • Single and multi-tenant policy deployment: EPAC supports both single and multi-tenant policy deployments, making it versatile for different organizational structures.
                      • Easy CI/CD Integration: EPAC can be easily integrated with any CI/CD tool, which makes it a great fit for DevOps environments.
                      • Operational scripts: EPAC includes operational scripts to simplify operational tasks.
                      • Integration with Azure Landing Zones: EPAC provides a mature integration with Azure Landing Zones. Utilizing Azure Landing Zones together with EPAC is highly recommended.

                      Who Should Use EPAC?

                      EPAC is designed for medium and large organizations with a larger number of Policies, Policy Sets, and Assignments, and/or complex deployment scenarios. However, smaller organizations implementing fully-automated DevOps deployments of every Azure resource (known as Infrastructure as Code) can also benefit from EPAC.

                      How Does EPAC Work?

                      EPAC works by deploying all policies and policy assignments defined in the EPAC repository to the deploymentRootScope and its children. It takes possession of all Policy Resources at the deploymentRootScope and its children.

                      [Image: EPAC deployment process]

                      The process depicted in the image involves three key scripts that manage a deployment sequence. Here's a breakdown of the process:

                      1. Definition Files: The process begins with various definition files in JSON, CSV, or XLSX formats. These files contain policy definitions, policy set (initiative) definitions, assignments, exemptions, and global settings.

                      2. Planning Script: The Build-DeploymentPlans.ps1 script uses these definition files to create a deployment plan. This script requires Resource Policy Reader privileges.

                      3. Deployment Scripts: The deployment plan is then used by two deployment scripts:
                        • Deploy-PolicyPlan.ps1: This script deploys Policy resources using the policy-plan.json file from the deployment plan. It requires Resource Policy Contributor privileges.
                        • Deploy-RolesPlan.ps1: This script deploys Role Assignments using the roles-plan.json file from the deployment plan. It requires User Access Administrator privileges.

                      The process includes optional approval gates after each deployment step. These are typically used in production environments to ensure each deployment step is reviewed and approved before moving to the next.

                      Warning

                      EPAC is a true desired state deployment technology. It takes possession of all Policy Resources at the deploymentRootScope and its children. It will delete any Policy resources not defined in the EPAC repo.

                      Conclusion

                      EPAC is a robust solution for managing Azure Policies as code. It offers a high level of assurance in highly controlled and sensitive environments, and a means for the development, deployment, management, and reporting of Azure policy at scale.

                      References

                      Manage Azure Policy GitHub Action

                      It's recommended to review:

                      Overview

                      The Manage Azure Policy GitHub Action empowers you to enforce organizational standards and assess compliance at scale using Azure policies. With this action, you can seamlessly integrate policy management into your CI/CD pipelines, ensuring that your Azure resources adhere to the desired policies.

                      Info

                      This project has not received any updates for some time, but it is still a simple option for developing your Azure Policies. Not everything is good, though: this deployment method has a major drawback, deletions must be done by hand :S

                      Key Features

                      1. Customizable Workflows: GitHub workflows are highly customizable. You have complete control over the sequence in which Azure policies are rolled out. This flexibility enables you to follow safe deployment practices and catch regressions or bugs well before policies are applied to critical resources.

                      2. Azure Login Integration: The action assumes that you've already authenticated using the Azure Login action. Make sure you've logged in using an Azure service principal with sufficient permissions to write policies on selected scopes. Refer to the full documentation of Azure Login Action for details on permissions.

                      3. Policy File Structure: Your policy files should be organized in a specific directory structure within your GitHub repository. Here's how it should look:

                        |- policies/
                            |- <policy1_name>/
                               |- policy.json
                               |- assign.<name1>.json
                        @@ -262,79 +283,79 @@
                                     }
                                 }
                         }
                        -

                        Once you've filled out all the fields and written your policy rule, click on Save.

                        Step 4: Assign the Policy

                        • Go back to the Policy service in the Azure portal.
                        • Click on Assignments under the Authoring section.
                        • Click on + Assign Policy.
                        • In Basics, fill out the following fields:
                          • Scope
                            • Scope: Select the scope where you want to assign the policy.
                            • Exclusions: Add any exclusions if needed.
                          • Basics
                            • Policy definition: Select the policy you created.
                            • Assignment name: A unique name for the assignment.
                            • Description: A detailed description of the assignment.
                            • Policy enforcement: Enabled.
                        • In Parameters: Fill out any parameters needed for the policy.
                        • In Non-compliance message: A message to display when a resource is non-compliant.
                        • Click on Review + create: Review the assignment and click on Create.

                        Congratulations! You've just created and assigned your first policy in Azure. It will now evaluate any new or existing resources within its scope.

                        Remember, Azure Policy is a powerful tool for maintaining compliance and managing your resources at scale. Happy coding!

                      Azure Policy, defintion schema

                      This is the schema for the Azure Policy definition:

                      {
                      -    "properties": {
                      -        "displayName": {
                      -            "type": "string",
                      -            "description": "The display name of the policy definition."
                      -        },
                      -        "policyType": {
                      -            "type": "string",
                      -            "description": "The policy type of the policy definition."
                      -        },
                      -        "mode": {
                      -            "type": "string",
                      -            "description": "The mode of the policy definition."
                      -        },
                      -        "description": {
                      -            "type": "string",
                      -            "description": "The description of the policy definition."
                      -        },
                      -        "mode": {
                      -            "type": "string",
                      -            "description": "The mode of the policy definition."
                      -        },
                      -        "metadata": {
                      -            "type": "object",
                      -            "description": "The metadata of the policy definition."
                      -        },
                      -        "parameters": {
                      -            "type": "object",
                      -            "description": "The parameters of the policy definition."
                      -        },
                      -        "policyRule": {
                      -            "type": "object",
                      -            "description": "The policy rule of the policy definition. If/then rule."
                      -        }       
                      -
                      -    }
                      -}
                      -

                      You can see other elements in the schema like id, type, and name, It's depens of how you want to deploy the policy definition.

                      Full schema is in Azure Policy definition schema.

                      Example

                      Here is an example of a policy definition:

                      {
                      -    "properties": {
                      -        "displayName": "Require a tag and its value",
                      -        "policyType": "Custom",
                      -        "mode": "Indexed",
                      -        "description": "This policy requires a specific tag and its value.",
                      -        "metadata": {
                      -            "category": "Tags"
                      -        },
                      -        "parameters": {
                      -            "tagName": {
                      -                "type": "String",
                      -                "metadata": {
                      -                    "displayName": "Tag Name",
                      -                    "description": "Name of the tag, such as 'environment'"
                      -                }
                      -            },
                      -            "tagValue": {
                      -                "type": "String",
                      -                "metadata": {
                      -                    "displayName": "Tag Value",
                      -                    "description": "Value of the tag, such as 'production'"
                      -                }
                      -            }
                      -        },
                      -        "policyRule": {
                      -            "if": {
                      -                "field": "[concat('tags[', parameters('tagName'), ']')]",
                      -                "exists": "false"
                      -            },
                      -            "then": {
                      -                "effect": "deny"
                      -            }
                      -        }
                      -    }
                      -}
                      +

                      Once you've filled out all the fields and written your policy rule, click on Save.

                      Step 4: Assign the Policy

                      • Go back to the Policy service in the Azure portal.
                      • Click on Assignments under the Authoring section.
                      • Click on + Assign Policy.
                      • In Basics, fill out the following fields:
                        • Scope
                          • Scope: Select the scope where you want to assign the policy.
                          • Exclusions: Add any exclusions if needed.
                        • Basics
                          • Policy definition: Select the policy you created.
                          • Assignment name: A unique name for the assignment.
                          • Description: A detailed description of the assignment.
                          • Policy enforcement: Enabled.
                      • In Parameters: Fill out any parameters needed for the policy.
                      • In Non-compliance message: A message to display when a resource is non-compliant.
                      • Click on Review + create: Review the assignment and click on Create.

                      Congratulations! You've just created and assigned your first policy in Azure. It will now evaluate any new or existing resources within its scope.

                      Remember, Azure Policy is a powerful tool for maintaining compliance and managing your resources at scale. Happy coding!

                      Azure Policy, defintion schema

                      This is the schema for the Azure Policy definition:

                      {
                      +    "properties": {
                      +        "displayName": {
                      +            "type": "string",
                      +            "description": "The display name of the policy definition."
                      +        },
                      +        "policyType": {
                      +            "type": "string",
                      +            "description": "The policy type of the policy definition."
                      +        },
                      +        "mode": {
                      +            "type": "string",
                      +            "description": "The mode of the policy definition."
                      +        },
                      +        "description": {
                      +            "type": "string",
                      +            "description": "The description of the policy definition."
                      +        },
                      +        "mode": {
                      +            "type": "string",
                      +            "description": "The mode of the policy definition."
                      +        },
                      +        "metadata": {
                      +            "type": "object",
                      +            "description": "The metadata of the policy definition."
                      +        },
                      +        "parameters": {
                      +            "type": "object",
                      +            "description": "The parameters of the policy definition."
                      +        },
                      +        "policyRule": {
                      +            "type": "object",
                      +            "description": "The policy rule of the policy definition. If/then rule."
                      +        }       
                      +
                      +    }
                      +}
                      +

                      You can see other elements in the schema like id, type, and name, It's depens of how you want to deploy the policy definition.

                      Full schema is in Azure Policy definition schema.

                      Example

                      Here is an example of a policy definition:

                      {
                      +    "properties": {
                      +        "displayName": "Require a tag and its value",
                      +        "policyType": "Custom",
                      +        "mode": "Indexed",
                      +        "description": "This policy requires a specific tag and its value.",
                      +        "metadata": {
                      +            "category": "Tags"
                      +        },
                      +        "parameters": {
                      +            "tagName": {
                      +                "type": "String",
                      +                "metadata": {
                      +                    "displayName": "Tag Name",
                      +                    "description": "Name of the tag, such as 'environment'"
                      +                }
                      +            },
                      +            "tagValue": {
                      +                "type": "String",
                      +                "metadata": {
                      +                    "displayName": "Tag Value",
                      +                    "description": "Value of the tag, such as 'production'"
                      +                }
                      +            }
                      +        },
                      +        "policyRule": {
                      +            "if": {
                      +                "field": "[concat('tags[', parameters('tagName'), ']')]",
                      +                "exists": "false"
                      +            },
                      +            "then": {
                      +                "effect": "deny"
                      +            }
                      +        }
                      +    }
                      +}
                       
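Review bot: The schema on the `+` side still declares "mode" twice (the `+        "mode": {` block appears both before and after "description"), which is a duplicate key in a JSON object; most parsers silently keep the last value, so drop the second copy. In the example definition, the `policyRule` only tests `"exists": "false"` on the tag field, so the `tagValue` parameter is declared but never used and the displayName "Require a tag and its value" overstates what is enforced: a resource that carries the tag with any value passes. If the value is meant to be enforced, add a second condition on the same field, for example `"notEquals": "[parameters('tagValue')]"` inside an `anyOf` together with the existence check. Minor: the `+        }       ` line before the closing brace carries trailing whitespace and is followed by a stray blank line.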

                      This policy definition requires a specific tag and its value. If the tag does not exist, the policy denies the action.

                      As you can see, the most important part of the policy definition is the policy rule.

                      Note

                      The policy rule is where you describe the logic that enforces the policy.
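To make the if/then evaluation concrete, here is an added example (not code from this page, and not Azure's own policy engine) of a small Python evaluator for the rule shape shown above: it resolves the `[concat('tags[', parameters('tagName'), ']')]` field alias, applies the page's rule, and contrasts it with an assumed stricter rule that also checks the tag's value. The parameter values, the sample resource dicts and `STRICT_RULE` are constructed for illustration.

```python
"""Toy evaluator for the if/then policyRule shape shown above.

Added teaching example, not Azure's policy engine: it supports only the
`field` conditions `exists`, `equals` and `notEquals`, the `allOf` / `anyOf`
/ `not` combinators, the `[concat(...)]` and `[parameters(...)]` template
expressions used in the page's example, and returns the `then` effect.
"""
import re

# Constructed assignment parameters, matching the page's parameter names.
PARAMS = {"tagName": "environment", "tagValue": "production"}

# The policyRule from the page's example definition (the tag must exist).
PAGE_RULE = {
    "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false",
    },
    "then": {"effect": "deny"},
}

# Strengthened rule (an assumption, not from the page): also deny when the tag
# exists but carries a different value, so that tagValue is actually enforced.
STRICT_RULE = {
    "if": {
        "anyOf": [
            {"field": "[concat('tags[', parameters('tagName'), ']')]",
             "exists": "false"},
            {"field": "[concat('tags[', parameters('tagName'), ']')]",
             "notEquals": "[parameters('tagValue')]"},
        ]
    },
    "then": {"effect": "deny"},
}

# One concat() argument: a quoted literal or a parameters('name') reference.
_LITERAL_OR_PARAM = re.compile(r"'([^']*)'|parameters\('(\w+)'\)")


def resolve(value, params):
    """Expand [parameters('x')] or [concat('a', parameters('x'), 'b')];
    any other value is returned unchanged."""
    if not (isinstance(value, str) and value.startswith("[") and value.endswith("]")):
        return value
    expr = value[1:-1].strip()
    m = re.fullmatch(r"parameters\('(\w+)'\)", expr)
    if m:
        return params[m.group(1)]
    m = re.fullmatch(r"concat\((.*)\)", expr)
    if m:
        return "".join(lit if name == "" else params[name]
                       for lit, name in _LITERAL_OR_PARAM.findall(m.group(1)))
    raise ValueError(f"unsupported template expression: {value}")


def get_field(resource, field):
    """Look up a field alias on a resource dict. Only top-level properties and
    tags[<name>] are supported; tag names are matched case-insensitively, as
    Azure does. Returns None when the field is absent."""
    m = re.fullmatch(r"tags\[(.+)\]", field)
    if m:
        wanted = m.group(1).lower()
        for name, val in (resource.get("tags") or {}).items():
            if name.lower() == wanted:
                return val
        return None
    return resource.get(field)


def _norm(v):
    # Azure's equals/notEquals compare strings case-insensitively.
    return v.lower() if isinstance(v, str) else v


def evaluate_condition(cond, resource, params):
    """Return True when the condition matches the resource."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    actual = get_field(resource, resolve(cond["field"], params))
    if "exists" in cond:
        want_present = str(resolve(cond["exists"], params)).lower() == "true"
        return (actual is not None) == want_present
    if "equals" in cond:
        return _norm(actual) == _norm(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return _norm(actual) != _norm(resolve(cond["notEquals"], params))
    raise ValueError(f"unsupported condition: {cond}")


def apply_policy(rule, resource, params):
    """Return the effect ('deny', 'audit', ...) when the if-condition matches,
    or 'compliant' when the resource does not trigger the rule."""
    if evaluate_condition(rule["if"], resource, params):
        return rule["then"]["effect"].lower()
    return "compliant"


# Constructed sample resources (not from the page).
VM_NO_TAG = {"type": "Microsoft.Compute/virtualMachines", "tags": {}}
VM_WRONG_VALUE = {"type": "Microsoft.Compute/virtualMachines",
                  "tags": {"Environment": "dev"}}
VM_OK = {"type": "Microsoft.Compute/virtualMachines",
         "tags": {"environment": "production"}}

if __name__ == "__main__":
    for label, res in [("no tag", VM_NO_TAG), ("wrong value", VM_WRONG_VALUE), ("ok", VM_OK)]:
        print(f"{label:12s} page rule: {apply_policy(PAGE_RULE, res, PARAMS):10s} "
              f"strict rule: {apply_policy(STRICT_RULE, res, PARAMS)}")
```

Running it shows the gap the page's rule leaves: a VM tagged `Environment: dev` is compliant under the page's rule but denied under the stricter one.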

                      Conclusion

                      Understanding the schema for Azure Policy definitions is essential for creating and managing policies effectively. By defining the necessary attributes and rules, you can enforce compliance, security, and operational standards across your Azure environment. Leveraging the Azure Policy definition schema allows you to tailor policies to your organization's specific requirements and ensure consistent governance practices.

                      References

                      Writing Your First Initiative with Portal

                      Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

                      In this post, we'll walk through the steps of creating your first initiative in Azure.

                      Info

                      You need to have a good understanding of Azure Policy before creating an initiative. If you're new to Azure Policy, check out our post on Azure Policy and Writing Your First Policy in Azure with Portal.

                      Prerequisites

                      1. An active Azure subscription.
                      2. Access to Azure portal.
                      3. An Azure Policy defined in your subscription; if you don't have one, you can follow the steps in Writing Your First Policy in Azure with Portal.

                      Step 1: Open Azure Policy

                      • Login to the Azure Portal.
                      • In the left-hand menu, click on All services.
                      • In the All services blade, search for Policy.

                      Step 2: Create a New Initiative Definition

                      • Click on Definitions under the Authoring section.
                      • Click on + Initiative definition.

                      Step 3: Fill Out the Initiative Definition

                      You will need to fill out several fields:

                      • Basics:
                        • Initiative location: The location where the initiative is stored.
                        • Name: This is a unique name for your initiative.
                        • Description: A detailed description of what the initiative does.
                        • Category: You can categorize your initiative for easier searching and filtering.
                      • Policies:
                        • Add policy definition(s): Here you can add the policies that will be part of the initiative.
                      • Initiative parameters:
                        • Add parameter: Here you can add parameters that will be used in the initiative.
                      • Policy parameters:
                        • Add policy parameter: Here you can add parameters that will be used in the policies that are part of the initiative. You can use the parameters defined in the initiative as values for different policies.

                      • Click on Review + create: Review the assignment and click on Create.

                      Step 4: Assign the Initiative

                      • Go to Policy again.
                      • Go to Assignments under the Authoring section.
                      • Click on + Assign initiative.

                      You will need to fill out several fields:

                      • Basics:
                        • Scope: Select the scope where you want to assign the initiative.
                      • Basics:
                        • Initiative definition: Select the initiative you just created.
                        • Assignment name: A unique name for the assignment.
                        • Description: A detailed description of what the assignment does.
                        • Policy enforcement: Choose the enforcement mode for the assignment.
                      • Parameters:
                        • Add parameter: Initialize parameters that will be used in the initiative.
                      • Remediation:
                        • Auto-remediation: Enable or disable auto-remediation. That means that if a resource is not compliant, it will be remediated automatically. How to create a remediation task will be explained in another post.
                      • Non-compliance messages:
                        • Non-compliance message: Define a message that will be shown when a resource is not compliant.

                      • Click on Review + create: Review the assignment and click on Create.

                      Conclusion

                      Creating an initiative in Azure Policy is a powerful way to group policies together and enforce them across your Azure environment. By defining initiatives, you can streamline governance, simplify compliance management, and ensure consistent application of policies to your resources. Start creating initiatives today to enhance the security, compliance, and operational efficiency of your Azure environment.

                      Azure Policy

                      Azure Policy serves as a powerful tool for implementing governance across your Azure environment. It helps ensure resource consistency, regulatory compliance, security, cost management, and efficient operations.

                      As organizations leverage the power of Azure for their cloud infrastructure, ensuring governance, compliance, and security becomes paramount. Azure Policy, along with policies and initiatives, provides a robust framework to enforce and assess compliance with organizational standards and regulatory requirements. Let's delve into these concepts to understand how they work together.

                      Azure Policy Overview

                      Azure Policy is a service in Azure that allows you to create, assign, and manage policies. These policies enforce different rules and effects over resources, so those resources stay compliant with corporate standards and service-level agreements.

                      Azure Policy helps to address questions like:

                      • Are all virtual machines encrypted using Azure Disk Encryption?
                      • Are resources deployed only in certain Azure regions?
                      • Are specific tags applied to resources for tracking and organization?

                      Policies in Azure Policy are defined using JSON-based policy definitions. These definitions can be simple or complex, depending on the requirements. Once a policy is created, it can be assigned to specific scopes within Azure, such as subscriptions, resource groups, or even individual resources.

                      Info

                      It's important to recognize that with the introduction of Azure Arc, you can extend your policy-based governance across different cloud providers and even to your local datacenters.

                      Policies

                      Policies in Azure Policy are rules that enforce different requirements and effects on resources. These policies can be related to security, compliance, or management. For instance, you can have a policy that ensures all publicly accessible storage accounts are secured with a firewall or a policy that enforces a specific naming convention for virtual machines.

                      Key attributes of policies include:

                      • Effect: Determines what happens when the condition in the policy is met (e.g., deny the action, audit the action, append a tag).
                      • Condition: Defines when the policy is enforced based on properties of the resource being evaluated.
                      • Action: Specifies what happens when a resource violates the policy (e.g., deny deployment, apply audit).

                      Policies can be built-in (provided by Azure) or custom (defined by the organization). They play a vital role in maintaining compliance and security standards across Azure environments.

                      Initiatives

                      Initiatives in Azure Policy are collections of policies that are grouped together as a single unit. This simplifies the process of assigning multiple policies to different scopes simultaneously. Initiatives help in enforcing complex requirements and compliance standards by grouping related policies together.

                      graph TD;
                           A[Azure Policy] -->|Contains| B1[Policy 1]
                           A[Azure Policy] -->|Contains| B2[Policy 2]
                      @@ -392,10 +413,4 @@
                       Wrote 872 rows
                       Finished processing files, output is at output/fichero.csv
                       userdemo@DESKTOP:/mnt/c/Users/userdemo/Escritorio$
                      -

                      3. Analyze the logs

                      Once the CSV file has been generated, you can open it with Excel or any text editor to analyze the logs and detect synchronization problems; search for error or warn to find out what may be causing the problem.

                      Solution

                      In my case, after being able to read the OneDrive logs, I discovered that OneDrive could not write several files to disk; then I remembered that the other day my computer did not shut down properly.

                      After a chkdsk c: /F /R, end of story; everything works now, I hope someone finds it useful.

                      References

                      • https://github.com/ydkhatri/OneDrive/tree/main

                    Install WSL2 on Windows 11 with Chocolatey

                    Introduction

                    Windows Subsystem for Linux (WSL) is a Windows 11 feature that lets you run a Linux environment on Windows. WSL2 is the second version of WSL and offers a full Linux kernel and better performance compared with WSL1. This article provides a step-by-step guide to installing WSL2 on Windows 11.

                    Steps to follow

                    1. Install Chocolatey

                    Chocolatey is a package manager for Windows that makes installing and managing software easier. To install Chocolatey, follow these steps:

                    1. Open PowerShell as administrator.

                    2. Run the following command to install Chocolatey:

                    Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
                    -
                    1. Espere a que se complete la instalación de Chocolatey.

                    2. Instalar WSL2

                    Para instalar WSL2 en Windows 11, siga los siguientes pasos:

                    1. Abra PowerShell como administrador.

                    2. Ejecute el siguiente comando para instalar WSL2:

                    choco install wsl2
                    -
                    3. Espere a que se complete la instalación de WSL2.

                    3. Configurar WSL2

                    Para configurar WSL2 en Windows 11, siga los siguientes pasos:

                    1. Abra PowerShell como administrador.

                    2. Ejecute el siguiente comando para configurar WSL2 como la versión predeterminada:

                    wsl --set-default-version 2
                    -
                    1. Reinicie su computadora para aplicar los cambios.

                    4. Instalar una distribución de Linux

                    Para instalar una distribución de Linux en WSL2, siga los siguientes pasos:

                    1. Abra PowerShell.

                    2. Busque la distribución de Linux que desea instalar (por ejemplo, Ubuntu, Debian, Fedora)

                    wsl --list --online
                    -
                    1. Ejecute el siguiente comando para instalar la distribución de Linux seleccionada:
                    wsl --install -d <nombre de la distribución>
                    -
                    1. Espere a que se complete la instalación de la distribución de Linux.

                    5. Iniciar WSL2

                    Para iniciar WSL2 en Windows 11, siga los siguientes pasos:

                    1. Abra PowerShell.

                    2. Ejecute el siguiente comando para iniciar la distribución de Linux instalada:

                    wsl
                    -

                    Referencias

                    Azure Functions

                    Introduction

                    Azure Functions is a serverless compute service provided by Microsoft Azure. This analysis aims to provide a comprehensive understanding of Azure Functions, its architecture, deployment, scalability, security, and more.

                    Service Overview

                    Azure Functions allows developers to run small pieces of code (called "functions") without worrying about application infrastructure. With Azure Functions, the cloud infrastructure provides all the up-to-date servers needed to keep your applications running at scale.

                    Architecture and Components

                    Azure Functions is built on an event-driven, compute-on-demand experience that extends the existing Azure application platform with capabilities to implement code triggered by events occurring in Azure or third-party services.

                    Deployment and Configuration

                    Azure Functions can be deployed using the Azure portal, Azure Resource Manager (ARM) templates, or the Azure Command-Line Interface (CLI). Configuration settings can be managed through environment variables and application settings.

                    Scalability and Performance

                    Azure Functions supports auto-scaling based on the load, ensuring optimal performance. It also provides features like load balancing to distribute incoming traffic across multiple instances of a function app.

                    Security and Compliance

                    Azure Functions provides built-in authentication and authorization support. It also supports network isolation with Azure Virtual Network (VNet) and encryption of data at rest and in transit. Azure Functions complies with key international and industry-specific compliance standards like ISO, SOC, and GDPR.

                    Monitoring and Logging

                    Azure Functions integrates with Azure Monitor and Application Insights for monitoring and logging. It provides real-time information on how your function app is performing and where your application is spending its time.

                    Use Cases and Examples

                    Azure Functions is commonly used for processing data, integrating systems, working with the internet-of-things (IoT), and building simple APIs and microservices.

                    Best Practices and Tips

                    When using Azure Functions, it's recommended to keep functions small and focused on a single task. Also, avoid long-running functions as they may cause unexpected timeout issues.

                    If you are using long-running functions, consider using Durable Functions, which are an extension of Azure Functions that lets you write stateful functions in a serverless environment.

                    Conclusion

                    Azure Functions is a powerful service for running event-driven applications at scale. It offers a wide range of features and capabilities that can meet the needs of almost any application. We encourage you to explore Azure Functions further and see how it can benefit your applications.

                    Comparing Container Apps with other Azure container options

                    Container option comparisons

                    Service Primary Use Advantages Disadvantages
                    Azure Container Apps Building serverless microservices and jobs based on containers Optimized for general purpose containers. Provides a fully managed experience based on best-practices. Doesn't provide direct access to Kubernetes APIs.
                    Azure App Service Fully managed hosting for web applications including websites and web APIs Integrated with other Azure services. Ideal option for building web apps. Might not be suitable for non-web applications.
                    Azure Container Instances Provides a single isolated container on demand It's a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs. Concepts like scale, load balancing, and certificates are not provided.
                    Azure Kubernetes Service Provides a fully managed Kubernetes option in Azure Supports any Kubernetes workload. Complete control over cluster configurations and operations. Requires management of the full cluster within your subscription.
                    Azure Functions Serverless Functions-as-a-Service (FaaS) solution Optimized for running event-driven applications using the functions programming model. Limited to ephemeral functions deployed as either code or containers.
                    Azure Spring Apps Fully managed service for Spring developers Service manages the infrastructure of Spring applications allowing developers to focus on their code. Only suitable for running Spring-based applications.
                    Azure Red Hat OpenShift Jointly engineered, operated, and supported by Red Hat and Microsoft to provide an integrated product and support experience Offers built-in solutions for automated source code management, container and application builds, deployments, scaling, health management. Dependent on OpenShift. If your team or organization is not using OpenShift, this may not be the ideal option.

                    Please note that the advantages and disadvantages may vary according to specific use cases.

                    References

                    \ No newline at end of file +

                    3. Analizar los logs

                    Una vez que se ha generado el fichero CSV, se puede abrir con Excel o cualquier editor de texto para analizar los logs y detectar problemas de sincronización, busca error o warn para averiguar que puede estar provocando el problema.

                    Solución

                    En mi caso, tras poder leer los logs de OneDrive, he descubierto que OneDrive no podía escribir varios ficheros en disco, luego recordé que el otro día mi equipo no se apagó bien.

                    Tras un chkdsk c: /F /R, fin de la historia, ahora todo funciona, espero que le resulte útil a alguien.

                    Referencias

                    • https://github.com/ydkhatri/OneDrive/tree/main
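Review bot: the shrink from 10 to 4 lines at @@ -392,10 +413,4 @@ removes the WSL2, Azure Functions and Container Apps posts from this listing page and keeps only the tail of the OneDrive post; the same three posts are re-added verbatim in the blog/page/3/index.html hunk of this patch, so this is a pagination shift after a new post rather than lost content and needs no fix here. The one thing worth checking in the source is the OneDrive post itself: the context line "busca error o warn para averiguar que puede estar provocando el problema" is the only guidance on reading the CSV, so naming the column the tool writes the level into (or showing one matching row) would make step 3 reproducible for readers.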
                    \ No newline at end of file diff --git a/blog/page/3/index.html b/blog/page/3/index.html index 59280d1..6fe6e84 100644 --- a/blog/page/3/index.html +++ b/blog/page/3/index.html @@ -7,7 +7,13 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

                    Blog

                    Azure updates RSS feed

                    All the Azure updates in one place.

                    By category

                    Custom

                    https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=category1%2Ccategory2%2Ccategory3

                    For example:

                    https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=featured%2Cai-machine-learning%2Canalytics

                    Azure Well-Architected Framework (WAF) mind maps

                    Microsoft Well-Architected Framework Pillars Design Principles Mind Map

                    "Design Principles"

                    Para cuando lo renderice correctamente materials:

                    mindmap
                    +    body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}       

                    Blog

                    Instalar WSL2 en Windows 11 con chocolatey

                    Introducción

                    Windows Subsystem for Linux (WSL) es una característica de Windows 11 que permite ejecutar un entorno de Linux en Windows. WSL2 es la segunda versión de WSL que ofrece un kernel de Linux completo y un mejor rendimiento en comparación con WSL1. Este análisis proporciona una guía paso a paso para instalar WSL2 en Windows 11.

                    Pasos a seguir

                    1. Instalar Chocolatey

                    Chocolatey es un administrador de paquetes para Windows que facilita la instalación y gestión de software. Para instalar Chocolatey, siga los siguientes pasos:

                    1. Abra PowerShell como administrador.

                    2. Ejecute el siguiente comando para instalar Chocolatey:

                    Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
                    +
                    1. Espere a que se complete la instalación de Chocolatey.

                    2. Instalar WSL2

                    Para instalar WSL2 en Windows 11, siga los siguientes pasos:

                    1. Abra PowerShell como administrador.

                    2. Ejecute el siguiente comando para instalar WSL2:

                    choco install wsl2
                    +
                    3. Espere a que se complete la instalación de WSL2.

                    3. Configurar WSL2

                    Para configurar WSL2 en Windows 11, siga los siguientes pasos:

                    1. Abra PowerShell como administrador.

                    2. Ejecute el siguiente comando para configurar WSL2 como la versión predeterminada:

                    wsl --set-default-version 2
                    +
                    1. Reinicie su computadora para aplicar los cambios.

                    4. Instalar una distribución de Linux

                    Para instalar una distribución de Linux en WSL2, siga los siguientes pasos:

                    1. Abra PowerShell.

                    2. Busque la distribución de Linux que desea instalar (por ejemplo, Ubuntu, Debian, Fedora)

                    wsl --list --online
                    +
                    1. Ejecute el siguiente comando para instalar la distribución de Linux seleccionada:
                    wsl --install -d <nombre de la distribución>
                    +
                    1. Espere a que se complete la instalación de la distribución de Linux.

                    5. Iniciar WSL2

                    Para iniciar WSL2 en Windows 11, siga los siguientes pasos:

                    1. Abra PowerShell.

                    2. Ejecute el siguiente comando para iniciar la distribución de Linux instalada:

                    wsl
                    +

                    Referencias

                    Azure Functions

                    Introduction

                    Azure Functions is a serverless compute service provided by Microsoft Azure. This analysis aims to provide a comprehensive understanding of Azure Functions, its architecture, deployment, scalability, security, and more.

                    Service Overview

                    Azure Functions allows developers to run small pieces of code (called "functions") without worrying about application infrastructure. With Azure Functions, the cloud infrastructure provides all the up-to-date servers needed to keep your applications running at scale.

                    Architecture and Components

                    Azure Functions is built on an event-driven, compute-on-demand experience that extends the existing Azure application platform with capabilities to implement code triggered by events occurring in Azure or third-party services.

                    Deployment and Configuration

                    Azure Functions can be deployed using the Azure portal, Azure Resource Manager (ARM) templates, or the Azure Command-Line Interface (CLI). Configuration settings can be managed through environment variables and application settings.

                    Scalability and Performance

                    Azure Functions supports auto-scaling based on the load, ensuring optimal performance. It also provides features like load balancing to distribute incoming traffic across multiple instances of a function app.

                    Security and Compliance

                    Azure Functions provides built-in authentication and authorization support. It also supports network isolation with Azure Virtual Network (VNet) and encryption of data at rest and in transit. Azure Functions complies with key international and industry-specific compliance standards like ISO, SOC, and GDPR.

                    Monitoring and Logging

                    Azure Functions integrates with Azure Monitor and Application Insights for monitoring and logging. It provides real-time information on how your function app is performing and where your application is spending its time.

                    Use Cases and Examples

                    Azure Functions is commonly used for processing data, integrating systems, working with the internet-of-things (IoT), and building simple APIs and microservices.

                    Best Practices and Tips

                    When using Azure Functions, it's recommended to keep functions small and focused on a single task. Also, avoid long-running functions as they may cause unexpected timeout issues.

                    If you are using long-running functions, consider using Durable Functions, which are an extension of Azure Functions that lets you write stateful functions in a serverless environment.

                    Conclusion

                    Azure Functions is a powerful service for running event-driven applications at scale. It offers a wide range of features and capabilities that can meet the needs of almost any application. We encourage you to explore Azure Functions further and see how it can benefit your applications.

                    Comparing Container Apps with other Azure container options

                    Container option comparisons

                    Service Primary Use Advantages Disadvantages
                    Azure Container Apps Building serverless microservices and jobs based on containers Optimized for general purpose containers. Provides a fully managed experience based on best-practices. Doesn't provide direct access to Kubernetes APIs.
                    Azure App Service Fully managed hosting for web applications including websites and web APIs Integrated with other Azure services. Ideal option for building web apps. Might not be suitable for non-web applications.
                    Azure Container Instances Provides a single isolated container on demand It's a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs. Concepts like scale, load balancing, and certificates are not provided.
                    Azure Kubernetes Service Provides a fully managed Kubernetes option in Azure Supports any Kubernetes workload. Complete control over cluster configurations and operations. Requires management of the full cluster within your subscription.
                    Azure Functions Serverless Functions-as-a-Service (FaaS) solution Optimized for running event-driven applications using the functions programming model. Limited to ephemeral functions deployed as either code or containers.
                    Azure Spring Apps Fully managed service for Spring developers Service manages the infrastructure of Spring applications allowing developers to focus on their code. Only suitable for running Spring-based applications.
                    Azure Red Hat OpenShift Jointly engineered, operated, and supported by Red Hat and Microsoft to provide an integrated product and support experience Offers built-in solutions for automated source code management, container and application builds, deployments, scaling, health management. Dependent on OpenShift. If your team or organization is not using OpenShift, this may not be the ideal option.

                    Please note that the advantages and disadvantages may vary according to specific use cases.

                    References

                    Azure updates RSS feed

                    All the Azure updates in one place.

                    By category

                    Custom

                    https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=category1%2Ccategory2%2Ccategory3

                    For example:

                    https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=featured%2Cai-machine-learning%2Canalytics

                    Create a blog with MkDocs,mkdocs-material, mkdocs-rss-plugin and GitHub Pages

                    A few time ago I maintained a blog with Wordpress. I was happy with it, but I wanted to try something new.

                    I tried Jekyll but it didn't convince me, I discovered mkdocs so I decided to use MkDocs and mkdocs-material. I was happy with the result, so I decided to write this post to explain how to create a blog with MkDocs, mkdocs-material and some plugins.

                    These is the first post of a serie of posts to create a blog with MkDocs, mkdocs-material and GitHub Pages and some customization.

                    Some knowledge:

                    • MkDocs is a fast, simple and downright gorgeous static site generator that's geared towards building project documentation. Documentation source files are written in Markdown, and configured with a single YAML configuration file.

                    • Material for MkDocs is a theme for MkDocs, a static site generator geared towards (technical) project documentation. It is built using Google's Material Design guidelines. Material for MkDocs provides a polished and responsive experience out of the box, and it is as easy to use for the beginner as it is for the seasoned developer.

                    • GitHub Pages is a static site hosting service that takes HTML, CSS, and JavaScript files straight from a repository on GitHub, optionally runs the files through a build process, and publishes a website. You can see more information about GitHub Pages here.

                    • This plugin generates an RSS feed for your MkDocs site. You can see more information about mkdocs-rss-plugin here.

                    Steps to deploy

                    Create a new repository

                    Create a new repository on GitHub named username.github.io, where username is your username (or organization name) on GitHub. If the first part of the repository doesn’t exactly match your username, it won’t work, so make sure to get it right.

                    Enable GitHub Pages on your repository

                    Go into the repository settings and, if you are not using GitHub Pages already, enable GitHub Pages on the gh-pages branch.

                    Clone the repository

                    Go to the folder where you want to store your project, and clone the new repository:

                    git clone ssh://github.com/username/username.github.io
                    -cd username.github.io
                    -

                    Create requirements.txt in root folder for mkdocs, mkdocs-material and plugins

                    mkdocs==1.5.3
                    -mkdocs-material==9.4.6
                    -mkdocs-rss-plugin==1.8.0
                    -

                    Create a Python Virtual Environment and install requirements.txt

                    In username.github.io$ path:

                    sudo apt update
                    -sudo apt install libcairo2
                    -sudo apt install python3.10-venv
                    -python3 -m venv mysite
                    -source mysite/bin/activate
                    -pip install -r requirements.txt
                    -

                    Initialize your site

                    mkdocs new .
                    -

                    Add configuration to mkdocs.yml in root folder

                    For this post I am going to add the following configuration:

                    • basic configuration
                    • configuration for theme mkdocs-material
                    • some native plugins of mkdocs-material and some ones that I like
                    site_name: My Site 
                    -site_description: A blog about Azure, DevOps and other stuff
                    -site_author: Rafael Fernández
                    -
                    -theme: 
                    -  name: material
                    -  features:
                    -    - navigation.tabs
                    -    - navigation.expand
                    -    - navigation.sections
                    -    - toc.integrate
                    -    - toc.nested
                    -    - toc.smoothscroll
                    -    - footer
                    -
                    -plugins:
                    -  - search  
                    -  - blog
                    -  - tags:
                    -      tags_file: tags.md      
                    -
                    -  - rss:
                    -      match_path: blog/posts/.* 
                    -      date_from_meta:
                    -        as_creation: date
                    -      categories:
                    -        - categories
                    -        - tags
                    -

                    Add a new post

                    In blog/post folder create a new folder with the name of the post and create a new file with the name of the post and the extension .md. For example: welcome.md

                    ---
                    -date: 2023-10-18
                    -categories:
                    -  - Hello
                    -  - World
                    ----
                    -
                    -# "Hello world!!!" from mkdocs-material
                    -
                    -...
                    -

                    Check your site

                    In username.github.io$ path:

                    mkdocs serve
                    -

                    You can check your site in http://127.0.0.1:8000/ and make live changes in your site and see the results in your browser.

                    Publish your site

                    In username.github.io$ path:

                    mkdocs gh-deploy
                    -

                    After a seconds, you can check your site in https://username.github.io/

                    Automate deploy with GitHub Actions

                    name: ci # (1)!
                    -on:
                    -  push:
                    -    branches:      
                    -      - main
                    -permissions:
                    -  contents: write
                    -jobs:
                    -  deploy:
                    -    runs-on: ubuntu-latest
                    -    steps:
                    -      - uses: actions/checkout@v4
                    -      - uses: actions/setup-python@v4
                    -        with:
                    -          python-version: 3.x
                    -      - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV # (3)!
                    -      - uses: actions/cache@v3
                    -        with:
                    -          key: mkdocs-material-${{ env.cache_id }}
                    -          path: .cache
                    -          restore-keys: |
                    -            mkdocs-material-
                    -      - run: pip install -r requirements.txt # (4)!
                    -      - run: mkdocs gh-deploy --force
                    -
                    1. You can change the name to your liking.

                    2. At some point, GitHub renamed master to main. If your default branch is named master, you can safely remove main, vice versa.

                    3. Store the cache_id environmental variable to access it later during cache key creation. The name is case-sensitive, so be sure to align it with ${{ env.cache_id }}.

                      • The --utc option makes sure that each workflow runner uses the same time zone.
                      • The %V format assures a cache update once a week.
                      • You can change the format to %F to have daily cache updates.

                      You can read the [manual page] to learn more about the formatting options of the date command.

                    4. Add [MkDocs plugins] or Markdown extensions with pip to requirements.txt to be used during the build.

                    In the next post I will explain how to customize your site with mkdocs-material and some plugins writing mkdocs.yml.

                    That's it folks

                    urls for reference

                    \ No newline at end of file +

                    urls for reference


                    1. And here is the definition. 
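Review bot: the `git clone ssh://github.com/username/username.github.io` line in the added MkDocs post will not authenticate against GitHub as written, because the SSH URL carries no user; GitHub's SSH form is `git@github.com:username/username.github.io.git` (or `ssh://git@github.com/username/username.github.io.git`). Further points in the same added block, in page order: (1) in the WSL2 post every numbered list restarts at 1 after a code block ("1. Espere a que se complete la instalación de Chocolatey." follows step 2, and the same happens after `wsl --set-default-version 2` and `wsl --list --online`), because the fence is not indented under the list item; indent each fence under its item so the numbering continues. (2) The Chocolatey line runs a script fetched at run time with `iex` in an administrator shell after `Set-ExecutionPolicy Bypass`; it is the installer command Chocolatey documents, but the post should say so and recommend downloading and reading (or hash-checking) install.ps1 before executing it, since the download-and-execute pattern is the part readers should not copy blindly from any page. (3) The "Referencias" heading of the WSL2 post and the "References" heading of the Container Apps post have no entries, and "urls for reference" is followed only by the placeholder "1. And here is the definition."; add the links or drop the headings. (4) The prose says "In blog/post folder" while the rss plugin is configured with `match_path: blog/posts/.*`; use `blog/posts` consistently, which is also the folder the material blog plugin reads by default. (5) The workflow's callouts are `# (1)!`, `# (3)!` and `# (4)!` but the explanation list has four items; the master/main note (2) needs its `# (2)!` marker on the `- main` line. The same workflow grants `contents: write` and pins `actions/checkout@v4`, `actions/setup-python@v4` and `actions/cache@v3` by tag; pin them to full commit SHAs so a moved tag cannot push arbitrary content to the gh-pages branch that serves the site.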

                    \ No newline at end of file diff --git a/blog/page/4/index.html b/blog/page/4/index.html new file mode 100644 index 0000000..3c4b4a3 --- /dev/null +++ b/blog/page/4/index.html @@ -0,0 +1,86 @@ + Blog - Un Rinconcito donde contar lo que quiera

                    Blog

                    Create a blog with MkDocs,mkdocs-material, mkdocs-rss-plugin and GitHub Pages

                    A few time ago I maintained a blog with Wordpress. I was happy with it, but I wanted to try something new.

                    I tried Jekyll but it didn't convince me, I discovered mkdocs so I decided to use MkDocs and mkdocs-material. I was happy with the result, so I decided to write this post to explain how to create a blog with MkDocs, mkdocs-material and some plugins.

                    These is the first post of a serie of posts to create a blog with MkDocs, mkdocs-material and GitHub Pages and some customization.

                    Some knowledge:

                    • MkDocs is a fast, simple and downright gorgeous static site generator that's geared towards building project documentation. Documentation source files are written in Markdown, and configured with a single YAML configuration file.

                    • Material for MkDocs is a theme for MkDocs, a static site generator geared towards (technical) project documentation. It is built using Google's Material Design guidelines. Material for MkDocs provides a polished and responsive experience out of the box, and it is as easy to use for the beginner as it is for the seasoned developer.

                    • GitHub Pages is a static site hosting service that takes HTML, CSS, and JavaScript files straight from a repository on GitHub, optionally runs the files through a build process, and publishes a website. You can see more information about GitHub Pages here.

                    • This plugin generates an RSS feed for your MkDocs site. You can see more information about mkdocs-rss-plugin here.

                    Steps to deploy

                    Create a new repository

                    Create a new repository on GitHub named username.github.io, where username is your username (or organization name) on GitHub. If the first part of the repository doesn’t exactly match your username, it won’t work, so make sure to get it right.

                    Enable GitHub Pages on your repository

                    Go into the repository settings and, if you are not using GitHub Pages already, enable GitHub Pages on the gh-pages branch.

                    Clone the repository

                    Go to the folder where you want to store your project, and clone the new repository:

                    git clone ssh://github.com/username/username.github.io
                    +cd username.github.io
                    +

                    Create requirements.txt in root folder for mkdocs, mkdocs-material and plugins

                    mkdocs==1.5.3
                    +mkdocs-material==9.4.6
                    +mkdocs-rss-plugin==1.8.0
                    +

                    Create a Python Virtual Environment and install requirements.txt

                    In username.github.io$ path:

                    sudo apt update
                    +sudo apt install libcairo2
                    +sudo apt install python3.10-venv
                    +python3 -m venv mysite
                    +source mysite/bin/activate
                    +pip install -r requirements.txt
                    +

                    Initialize your site

                    mkdocs new .
                    +

                    Add configuration to mkdocs.yml in root folder

                    For this post I am going to add the following configuration:

                    • basic configuration
                    • configuration for theme mkdocs-material
                    • some native plugins of mkdocs-material and some ones that I like
                    site_name: My Site 
                    +site_description: A blog about Azure, DevOps and other stuff
                    +site_author: Rafael Fernández
                    +
                    +theme: 
                    +  name: material
                    +  features:
                    +    - navigation.tabs
                    +    - navigation.expand
                    +    - navigation.sections
                    +    - toc.integrate
                    +    - toc.nested
                    +    - toc.smoothscroll
                    +    - footer
                    +
                    +plugins:
                    +  - search  
                    +  - blog
                    +  - tags:
                    +      tags_file: tags.md      
                    +
                    +  - rss:
                    +      match_path: blog/posts/.* 
                    +      date_from_meta:
                    +        as_creation: date
                    +      categories:
                    +        - categories
                    +        - tags
                    +

                    Add a new post

                    In blog/post folder create a new folder with the name of the post and create a new file with the name of the post and the extension .md. For example: welcome.md

                    ---
                    +date: 2023-10-18
                    +categories:
                    +  - Hello
                    +  - World
                    +---
                    +
                    +# "Hello world!!!" from mkdocs-material
                    +
                    +...
                    +

                    Check your site

                    In username.github.io$ path:

                    mkdocs serve
                    +

                    You can check your site in http://127.0.0.1:8000/ and make live changes in your site and see the results in your browser.

                    Publish your site

                    In username.github.io$ path:

                    mkdocs gh-deploy
                    +

                    After a seconds, you can check your site in https://username.github.io/

                    Automate deploy with GitHub Actions

                    name: ci # (1)!
                    +on:
                    +  push:
                    +    branches:      
                    +      - main
                    +permissions:
                    +  contents: write
                    +jobs:
                    +  deploy:
                    +    runs-on: ubuntu-latest
                    +    steps:
                    +      - uses: actions/checkout@v4
                    +      - uses: actions/setup-python@v4
                    +        with:
                    +          python-version: 3.x
                    +      - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV # (3)!
                    +      - uses: actions/cache@v3
                    +        with:
                    +          key: mkdocs-material-${{ env.cache_id }}
                    +          path: .cache
                    +          restore-keys: |
                    +            mkdocs-material-
                    +      - run: pip install -r requirements.txt # (4)!
                    +      - run: mkdocs gh-deploy --force
                    +
                    1. You can change the name to your liking.

                    2. At some point, GitHub renamed master to main. If your default branch is named master, you can safely remove main, vice versa.

                    3. Store the cache_id environmental variable to access it later during cache key creation. The name is case-sensitive, so be sure to align it with ${{ env.cache_id }}.

                      • The --utc option makes sure that each workflow runner uses the same time zone.
                      • The %V format assures a cache update once a week.
                      • You can change the format to %F to have daily cache updates.

                      You can read the [manual page] to learn more about the formatting options of the date command.

                    4. Add [MkDocs plugins] or Markdown extensions with pip to requirements.txt to be used during the build.

                    In the next post I will explain how to customize your site with mkdocs-material and some plugins writing mkdocs.yml.

                    That's it folks

                    urls for reference

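Review bot: the code annotation numbering in the GitHub Actions workflow does not match its footnote list: the block carries markers `# (1)!`, `# (3)!` and `# (4)!`, but footnote 2 (master vs main) has no `# (2)!` marker, so mkdocs-material will render three annotations against four notes; add `# (2)!` to the `- main` line or drop note 2. Two more points in the same hunk: `git clone ssh://github.com/username/username.github.io` omits the SSH user, so unless `~/.ssh/config` sets `User git` for github.com the clone authenticates as the local account and is rejected; GitHub expects `ssh://git@github.com/username/username.github.io` (or `git@github.com:username/username.github.io.git`). And the text says to create the new post "In blog/post folder", while the rss plugin is configured with `match_path: blog/posts/.*` and the mkdocs-material blog plugin defaults to `blog/posts`, so a post placed in `blog/post` would not be picked up; the folder name in the text should be `blog/posts`. On the workflow itself, `actions/checkout@v4`, `actions/setup-python@v4` and `actions/cache@v3` are pinned to mutable tags; since the job holds `contents: write` and runs `mkdocs gh-deploy --force` (a force-push to `gh-pages`), pin each action to a full commit SHA so a retagged action cannot alter what gets published, and keep `contents: write` scoped to this job only. Minor: "After a seconds" should read "After a few seconds".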
                    \ No newline at end of file diff --git a/blog/tags/index.html b/blog/tags/index.html index dff81ef..a5fafa4 100644 --- a/blog/tags/index.html +++ b/blog/tags/index.html @@ -1,4 +1,4 @@ - Posts by Tags - Un Rinconcito donde contar lo que quiera

                    Posts by Tags

                    Following is a list of relevant tags:

                    Azure ARC

                    Azure Communication Services

                    Azure Container Apps

                    Azure Functions

                    Azure Policy

                    Azure Well-Architected Framework

                    Certifications

                    EPAC

                    English

                    General

                    Management Groups

                    Microsoft Defender for Cloud

                    OneDrive for Business

                    PAM

                    Security

                    Trunk

                    Windows Subsystem for Linux 2

                    csharp

                    draw.io

                    mkdocs

                    vscode

                    \ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

                    Posts by Tags

                    Following is a list of relevant tags:

                    Azure ARC

                    Azure Communication Services

                    Azure Container Apps

                    Azure Functions

                    Azure Network

                    Azure Policy

                    Azure Well-Architected Framework

                    Certifications

                    EPAC

                    English

                    General

                    Hub and Spoke

                    Management Groups

                    Microsoft Defender for Cloud

                    OneDrive for Business

                    PAM

                    Role-Based Access Control

                    Security

                    Trunk

                    Windows Subsystem for Linux 2

                    csharp

                    draw.io

                    mkdocs

                    vscode

                    \ No newline at end of file diff --git a/contributions/index.html b/contributions/index.html index 6580d4d..4629dfd 100644 --- a/contributions/index.html +++ b/contributions/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
                    \ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}
                    \ No newline at end of file diff --git a/feed_json_created.json b/feed_json_created.json index 5510477..3e43af6 100644 --- a/feed_json_created.json +++ b/feed_json_created.json @@ -1 +1 @@ -{"version": "https://jsonfeed.org/version/1", "title": "Un Rinconcito donde contar lo que quiera", "home_page_url": "https://rfernandezdo.github.io/", "feed_url": "https://rfernandezdo.github.io/feed_json_created.json", "description": "A blog about Azure, DevOps and other stuff", "icon": null, "authors": [{"name": "Rafael Fern\u00e1ndez"}], "language": "en", "items": [{"id": "https://rfernandezdo.github.io/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/", "url": "https://rfernandezdo.github.io/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/", "title": "How to create a Management Group diagram with draw.io", "content_html": "

                    How to create a Management Group diagram with draw.io

                    \n

                    I nedd to create a diagram of the Management Groups in Azure, and I remembered a project that did so...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240424_Management_Groups_drawio.png", "date_published": "2024-04-24T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Services", "Management Groups", "draw.io"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/23/moving-management-groups-and-subscriptions/", "url": "https://rfernandezdo.github.io/blog/2024/04/23/moving-management-groups-and-subscriptions/", "title": "Moving Management Groups and Subscriptions", "content_html": "

                    Moving Management Groups and Subscriptions

                    \n

                    Managing your Azure resources efficiently often involves moving management groups and subscriptions. Here's a b...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240423_Management_Groups_moving.png", "date_published": "2024-04-23T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Services", "Management Groups"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/22/management-groups/", "url": "https://rfernandezdo.github.io/blog/2024/04/22/management-groups/", "title": "Management Groups", "content_html": "

                    Management Groups

                    \n

                    What are Management Groups?

                    \n

                    Management Groups are a way to manage access, policies, and compliance for multiple subscriptions. They...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240422_Management_Groups.png", "date_published": "2024-04-22T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Services", "Management Groups"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/", "url": "https://rfernandezdo.github.io/blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/", "title": "Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud", "content_html": "

                    Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud

                    \n

                    No es nuevo pero me gustar\u00eda recordar que Microsoft ha cambiado los nombres ...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240417_Azure_MDFC.png", "date_published": "2024-04-17T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Services", "Microsoft Defender for Cloud"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/17/azure-policy-useful-queries/", "url": "https://rfernandezdo.github.io/blog/2024/04/17/azure-policy-useful-queries/", "title": "Azure Policy useful queries", "content_html": "

                    Azure Policy useful queries

                    \n

                    Policy assignments and information about each of its respective definitions

                    \n

                    ```kusto\n// Policy assignments and information...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240417_Azure_Policies_queries.png", "date_published": "2024-04-17T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/", "url": "https://rfernandezdo.github.io/blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/", "title": "How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account", "content_html": "

                    How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account

                    \n

                    In this demo we will show how to use Azure ARC-enabled server...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240407_Azure_ARC_demo.png", "date_published": "2024-04-07T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure ARC", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/06/azure-arc/", "url": "https://rfernandezdo.github.io/blog/2024/04/06/azure-arc/", "title": "Azure ARC", "content_html": "

                    Azure ARC

                    \n

                    Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running on-premises, ...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240406_Azure_ARC.png", "date_published": "2024-04-06T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure ARC", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/05/microsoft-azure-certifications/", "url": "https://rfernandezdo.github.io/blog/2024/04/05/microsoft-azure-certifications/", "title": "Microsoft Azure Certifications", "content_html": "

                    Microsoft Azure Certifications

                    \n

                    Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft t...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240405_Azure_Certificacions.png", "date_published": "2024-04-05T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Certifications", "Learning"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/", "url": "https://rfernandezdo.github.io/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/", "title": "Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services", "content_html": "

                    Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services

                    \n

                    Today, I'd like to share a brief of a recommended strategy fo...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240404_PAM_Strategy.png", "date_published": "2024-04-04T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["PAM", "Security", "Security"]}, {"id": "https://rfernandezdo.github.io/blog/2024/03/02/azure-policy-management-best-practices/", "url": "https://rfernandezdo.github.io/blog/2024/03/02/azure-policy-management-best-practices/", "title": "Azure Policy Management Best Practices", "content_html": "

                    Azure Policy Management Best Practices

                    \n
                      \n
                    1. Version Control: Store your policy definitions in a version-controlled repository. This practice ensures tha...
                    2. \n
                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240302_Azure_Policies_Best_Practices.png", "date_published": "2024-03-02T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/29/enterprise-azure-policy-as-code-epac/", "url": "https://rfernandezdo.github.io/blog/2024/02/29/enterprise-azure-policy-as-code-epac/", "title": "Enterprise Azure Policy as Code (EPAC)", "content_html": "

                    Enterprise Azure Policy as Code (EPAC)

                    \n

                    Enterprise Azure Policy as Code (EPAC) is a powerful tool that allows organizations to manage Azure Policies as cod...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240229_Azure_EPAC.png", "date_published": "2024-02-29T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "EPAC", "Tools"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/28/manage-azure-policy-github-action/", "url": "https://rfernandezdo.github.io/blog/2024/02/28/manage-azure-policy-github-action/", "title": "Manage Azure Policy GitHub Action", "content_html": "

                    Manage Azure Policy GitHub Action

                    \n

                    It's recommended to review:

                    \n
                      \n
                    • [Azure Policy]
                    • \n
                    • [Writing Your First Policy in Azure with Portal]
                    • \n
                    • [Writing Your First I...
                    • \n
                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240228_Azure_Policy_Github.png", "date_published": "2024-02-28T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Tools"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/", "url": "https://rfernandezdo.github.io/blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/", "title": "Writing Your First Policy in Azure with Portal", "content_html": "

                    Writing Your First Policy in Azure with Portal

                    \n

                    Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enfor...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240226_Azure_Policy_first_policy.png", "date_published": "2024-02-26T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/25/azure-policy-defintion-schema/", "url": "https://rfernandezdo.github.io/blog/2024/02/25/azure-policy-defintion-schema/", "title": "Azure Policy, defintion schema", "content_html": "

                    Azure Policy, defintion schema

                    \n

                    This is the schema for the Azure Policy definition:

                    \n

                    ``` json\n{\n \"properties\": {\n \"displayName\": {\n \"t...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240225_Azure_Policy_schema.png", "date_published": "2024-02-25T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/25/writing-your-first-initiative-with-portal/", "url": "https://rfernandezdo.github.io/blog/2024/02/25/writing-your-first-initiative-with-portal/", "title": "Writing Your First Initiative with Portal", "content_html": "

                    Writing Your First Initiative with Portal

                    \n

                    Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce di...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240227_Azure_Policy_first_initiative.png", "date_published": "2024-02-25T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/24/azure-policy/", "url": "https://rfernandezdo.github.io/blog/2024/02/24/azure-policy/", "title": "Azure Policy", "content_html": "

                    Azure Policy

                    \n

                    Azure Policy serves as a powerful tool for implementing governance across your Azure environment. It helps ensure resource consistency, regul...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240224_Azure_Policy.png", "date_published": "2024-02-24T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/", "url": "https://rfernandezdo.github.io/blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/", "title": "Depurar logs de OneDrive para detectar problemas de sincronizaci\u00f3n", "content_html": "

                    Depurar logs de OneDrive para detectar problemas de sincronizaci\u00f3n

                    \n

                    !!! info \"Necesitas WSL2\"\n Para poder seguir este tutorial necesitas tener instalado...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2023/20231205_Depurar_Logs_Onedrive.png", "date_published": "2023-12-05T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Microsoft 365", "OneDrive for Business"]}, {"id": "https://rfernandezdo.github.io/blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/", "url": "https://rfernandezdo.github.io/blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/", "title": "Instalar WSL2 en Windows 11 con chocolatey", "content_html": "

                    Instalar WSL2 en Windows 11 con chocolatey

                    \n

                    Introducci\u00f3n

                    \n

                    Windows Subsystem for Linux (WSL) es una caracter\u00edstica de Windows 11 que permite ejecutar un ...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2023/20231204_Instalar_WSL2.png", "date_published": "2023-12-04T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Windows", "Windows Subsystem for Linux 2"]}, {"id": "https://rfernandezdo.github.io/blog/2023/12/01/azure-functions/", "url": "https://rfernandezdo.github.io/blog/2023/12/01/azure-functions/", "title": "Azure Functions", "content_html": "

                    Azure Functions

                    \n

                    Introduction

                    \n

                    Azure Functions is a serverless compute service provided by Microsoft Azure. This analysis aims to provide a comprehensive...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2023/20231201_Azure_Functions.png", "date_published": "2023-12-01T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Functions", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/", "url": "https://rfernandezdo.github.io/blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/", "title": "Comparing Container Apps with other Azure container options", "content_html": "

                    Comparing Container Apps with other Azure container options

                    \n

                    Container option comparisons

                    \n

                    | Service | Primary Use | Advantages | Disadvantages |\n|-----...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2023/20231130_Azure_Container_Apps.png", "date_published": "2023-11-30T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Container Apps", "Azure Services"]}]} \ No newline at end of file +{"version": "https://jsonfeed.org/version/1", "title": "Un Rinconcito donde contar lo que quiera", "home_page_url": "https://rfernandezdo.github.io/", "feed_url": "https://rfernandezdo.github.io/feed_json_created.json", "description": "A blog about Azure, DevOps and other stuff", "icon": null, "authors": [{"name": "Rafael Fern\u00e1ndez"}], "language": "en", "items": [{"id": "https://rfernandezdo.github.io/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/", "url": "https://rfernandezdo.github.io/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/", "title": "How to create a Management Group diagram with draw.io", "content_html": "

                    How to create a Management Group diagram with draw.io

                    \n

                    I nedd to create a diagram of the Management Groups in Azure, and I remembered a project that did so...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240424_Management_Groups_drawio.png", "date_published": "2024-04-24T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Services", "Management Groups", "draw.io"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/23/moving-management-groups-and-subscriptions/", "url": "https://rfernandezdo.github.io/blog/2024/04/23/moving-management-groups-and-subscriptions/", "title": "Moving Management Groups and Subscriptions", "content_html": "

                    Moving Management Groups and Subscriptions

                    \n

                    Managing your Azure resources efficiently often involves moving management groups and subscriptions. Here's a b...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240423_Management_Groups_moving.png", "date_published": "2024-04-23T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Services", "Management Groups"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/22/management-groups/", "url": "https://rfernandezdo.github.io/blog/2024/04/22/management-groups/", "title": "Management Groups", "content_html": "

                    Management Groups

                    \n

                    What are Management Groups?

                    \n

                    Management Groups are a way to manage access, policies, and compliance for multiple subscriptions. They...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240422_Management_Groups.png", "date_published": "2024-04-22T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Services", "Management Groups"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/19/azure-network-hub-and-spoke-topology/", "url": "https://rfernandezdo.github.io/blog/2024/04/19/azure-network-hub-and-spoke-topology/", "title": "Azure Network, Hub-and-Spoke Topology", "content_html": "

                    Azure Network, Hub-and-Spoke Topology

                    \n

                    Hub and Spoke is a network topology where a central Hub is connected to multiple Spokes. The Hub acts as a central p...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240419_Azure_Network_HUB_Spoke.png", "date_published": "2024-04-19T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Network", "Azure Services", "Hub and Spoke"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/19/azure-role-based-access-control-rbac/", "url": "https://rfernandezdo.github.io/blog/2024/04/19/azure-role-based-access-control-rbac/", "title": "Azure Role-Based Access Control (RBAC)", "content_html": "

                    Azure Role-Based Access Control (RBAC)

                    \n

                    Azure Role-Based Access Control (RBAC) is a system that provides fine-grained access management of resources in Azu...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240419_Azure_RBAC.png", "date_published": "2024-04-19T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure", "Role-Based Access Control"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/19/how-to-create-assigment-reports-for-azure-rbac/", "url": "https://rfernandezdo.github.io/blog/2024/04/19/how-to-create-assigment-reports-for-azure-rbac/", "title": "How to create assigment Reports for Azure RBAC", "content_html": "

                    How to create assigment Reports for Azure RBAC

                    \n

                    Role-Based Access Control (RBAC) is a key feature of Azure that allows you to manage access to Azure resour...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240419_Azure_RBAC_report.png", "date_published": "2024-04-19T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure", "Role-Based Access Control"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/", "url": "https://rfernandezdo.github.io/blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/", "title": "Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud", "content_html": "

                    Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud

                    \n

                    No es nuevo pero me gustar\u00eda recordar que Microsoft ha cambiado los nombres ...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240417_Azure_MDFC.png", "date_published": "2024-04-17T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Services", "Microsoft Defender for Cloud"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/17/azure-policy-useful-queries/", "url": "https://rfernandezdo.github.io/blog/2024/04/17/azure-policy-useful-queries/", "title": "Azure Policy useful queries", "content_html": "

                    Azure Policy useful queries

                    \n

                    Policy assignments and information about each of its respective definitions

                    \n

                    ```kusto\n// Policy assignments and information...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240417_Azure_Policies_queries.png", "date_published": "2024-04-17T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/", "url": "https://rfernandezdo.github.io/blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/", "title": "How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account", "content_html": "

                    How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account

                    \n

                    In this demo we will show how to use Azure ARC-enabled server...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240407_Azure_ARC_demo.png", "date_published": "2024-04-07T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure ARC", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/06/azure-arc/", "url": "https://rfernandezdo.github.io/blog/2024/04/06/azure-arc/", "title": "Azure ARC", "content_html": "

                    Azure ARC

                    \n

                    Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running on-premises, ...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240406_Azure_ARC.png", "date_published": "2024-04-06T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure ARC", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/05/microsoft-azure-certifications/", "url": "https://rfernandezdo.github.io/blog/2024/04/05/microsoft-azure-certifications/", "title": "Microsoft Azure Certifications", "content_html": "

                    Microsoft Azure Certifications

                    \n

                    Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft t...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240405_Azure_Certificacions.png", "date_published": "2024-04-05T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Certifications", "Learning"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/", "url": "https://rfernandezdo.github.io/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/", "title": "Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services", "content_html": "

                    Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services

                    \n

                    Today, I'd like to share a brief of a recommended strategy fo...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240404_PAM_Strategy.png", "date_published": "2024-04-04T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["PAM", "Security", "Security"]}, {"id": "https://rfernandezdo.github.io/blog/2024/03/02/azure-policy-management-best-practices/", "url": "https://rfernandezdo.github.io/blog/2024/03/02/azure-policy-management-best-practices/", "title": "Azure Policy Management Best Practices", "content_html": "

                    Azure Policy Management Best Practices

                    \n
                      \n
                    1. Version Control: Store your policy definitions in a version-controlled repository. This practice ensures tha...
                    2. \n
                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240302_Azure_Policies_Best_Practices.png", "date_published": "2024-03-02T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/29/enterprise-azure-policy-as-code-epac/", "url": "https://rfernandezdo.github.io/blog/2024/02/29/enterprise-azure-policy-as-code-epac/", "title": "Enterprise Azure Policy as Code (EPAC)", "content_html": "

                    Enterprise Azure Policy as Code (EPAC)

                    \n

                    Enterprise Azure Policy as Code (EPAC) is a powerful tool that allows organizations to manage Azure Policies as cod...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240229_Azure_EPAC.png", "date_published": "2024-02-29T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "EPAC", "Tools"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/28/manage-azure-policy-github-action/", "url": "https://rfernandezdo.github.io/blog/2024/02/28/manage-azure-policy-github-action/", "title": "Manage Azure Policy GitHub Action", "content_html": "

                    Manage Azure Policy GitHub Action

                    \n

                    It's recommended to review:

                    \n
                      \n
                    • [Azure Policy]
                    • \n
                    • [Writing Your First Policy in Azure with Portal]
                    • \n
                    • [Writing Your First I...
                    • \n
                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240228_Azure_Policy_Github.png", "date_published": "2024-02-28T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Tools"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/", "url": "https://rfernandezdo.github.io/blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/", "title": "Writing Your First Policy in Azure with Portal", "content_html": "

                    Writing Your First Policy in Azure with Portal

                    \n

                    Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enfor...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240226_Azure_Policy_first_policy.png", "date_published": "2024-02-26T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/25/azure-policy-defintion-schema/", "url": "https://rfernandezdo.github.io/blog/2024/02/25/azure-policy-defintion-schema/", "title": "Azure Policy, defintion schema", "content_html": "

                    Azure Policy, defintion schema

                    \n

                    This is the schema for the Azure Policy definition:

                    \n

                    ``` json\n{\n \"properties\": {\n \"displayName\": {\n \"t...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240225_Azure_Policy_schema.png", "date_published": "2024-02-25T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/25/writing-your-first-initiative-with-portal/", "url": "https://rfernandezdo.github.io/blog/2024/02/25/writing-your-first-initiative-with-portal/", "title": "Writing Your First Initiative with Portal", "content_html": "

                    Writing Your First Initiative with Portal

                    \n

                    Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce di...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240227_Azure_Policy_first_initiative.png", "date_published": "2024-02-25T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/24/azure-policy/", "url": "https://rfernandezdo.github.io/blog/2024/02/24/azure-policy/", "title": "Azure Policy", "content_html": "

                    Azure Policy

                    \n

                    Azure Policy serves as a powerful tool for implementing governance across your Azure environment. It helps ensure resource consistency, regul...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240224_Azure_Policy.png", "date_published": "2024-02-24T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/", "url": "https://rfernandezdo.github.io/blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/", "title": "Depurar logs de OneDrive para detectar problemas de sincronizaci\u00f3n", "content_html": "

                    Depurar logs de OneDrive para detectar problemas de sincronizaci\u00f3n

                    \n

                    !!! info \"Necesitas WSL2\"\n Para poder seguir este tutorial necesitas tener instalado...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2023/20231205_Depurar_Logs_Onedrive.png", "date_published": "2023-12-05T00:00:00+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Microsoft 365", "OneDrive for Business"]}]} \ No newline at end of file diff --git a/feed_json_updated.json b/feed_json_updated.json index 539102f..d77b57f 100644 --- a/feed_json_updated.json +++ b/feed_json_updated.json @@ -1 +1 @@ -{"version": "https://jsonfeed.org/version/1", "title": "Un Rinconcito donde contar lo que quiera", "home_page_url": "https://rfernandezdo.github.io/", "feed_url": "https://rfernandezdo.github.io/feed_json_updated.json", "description": "A blog about Azure, DevOps and other stuff", "icon": null, "authors": [{"name": "Rafael Fern\u00e1ndez"}], "language": "en", "items": [{"id": "https://rfernandezdo.github.io/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/", "url": "https://rfernandezdo.github.io/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/", "title": "How to create a Management Group diagram with draw.io", "content_html": "

                    How to create a Management Group diagram with draw.io

                    \n

                    I nedd to create a diagram of the Management Groups in Azure, and I remembered a project that did so...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240424_Management_Groups_drawio.png", "date_modified": "2024-04-23T20:35:54+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Services", "Management Groups", "draw.io"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/22/management-groups/", "url": "https://rfernandezdo.github.io/blog/2024/04/22/management-groups/", "title": "Management Groups", "content_html": "

                    Management Groups

                    \n

                    What are Management Groups?

                    \n

                    Management Groups are a way to manage access, policies, and compliance for multiple subscriptions. They...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240422_Management_Groups.png", "date_modified": "2024-04-23T20:34:51+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Services", "Management Groups"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/17/azure-policy-useful-queries/", "url": "https://rfernandezdo.github.io/blog/2024/04/17/azure-policy-useful-queries/", "title": "Azure Policy useful queries", "content_html": "

                    Azure Policy useful queries

                    \n

                    Policy assignments and information about each of its respective definitions

                    \n

                    ```kusto\n// Policy assignments and information...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240417_Azure_Policies_queries.png", "date_modified": "2024-04-22T21:53:54+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/23/moving-management-groups-and-subscriptions/", "url": "https://rfernandezdo.github.io/blog/2024/04/23/moving-management-groups-and-subscriptions/", "title": "Moving Management Groups and Subscriptions", "content_html": "

                    Moving Management Groups and Subscriptions

                    \n

                    Managing your Azure resources efficiently often involves moving management groups and subscriptions. Here's a b...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240423_Management_Groups_moving.png", "date_modified": "2024-04-22T21:53:44+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Services", "Management Groups"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/29/enterprise-azure-policy-as-code-epac/", "url": "https://rfernandezdo.github.io/blog/2024/02/29/enterprise-azure-policy-as-code-epac/", "title": "Enterprise Azure Policy as Code (EPAC)", "content_html": "

                    Enterprise Azure Policy as Code (EPAC)

                    \n

                    Enterprise Azure Policy as Code (EPAC) is a powerful tool that allows organizations to manage Azure Policies as cod...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240229_Azure_EPAC.png", "date_modified": "2024-04-18T14:33:54+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "EPAC", "Tools"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/", "url": "https://rfernandezdo.github.io/blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/", "title": "How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account", "content_html": "

                    How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account

                    \n

                    In this demo we will show how to use Azure ARC-enabled server...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240407_Azure_ARC_demo.png", "date_modified": "2024-04-18T14:33:54+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure ARC", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/", "url": "https://rfernandezdo.github.io/blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/", "title": "Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud", "content_html": "

                    Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud

                    \n

                    No es nuevo pero me gustar\u00eda recordar que Microsoft ha cambiado los nombres ...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240417_Azure_MDFC.png", "date_modified": "2024-04-17T10:15:25+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Services", "Microsoft Defender for Cloud"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/06/azure-arc/", "url": "https://rfernandezdo.github.io/blog/2024/04/06/azure-arc/", "title": "Azure ARC", "content_html": "

                    Azure ARC

                    \n

                    Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running on-premises, ...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240406_Azure_ARC.png", "date_modified": "2024-04-17T10:08:34+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure ARC", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/05/microsoft-azure-certifications/", "url": "https://rfernandezdo.github.io/blog/2024/04/05/microsoft-azure-certifications/", "title": "Microsoft Azure Certifications", "content_html": "

                    Microsoft Azure Certifications

                    \n

                    Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft t...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240405_Azure_Certificacions.png", "date_modified": "2024-04-17T10:04:05+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Certifications", "Learning"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/", "url": "https://rfernandezdo.github.io/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/", "title": "Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services", "content_html": "

                    Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services

                    \n

                    Today, I'd like to share a brief of a recommended strategy fo...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240404_PAM_Strategy.png", "date_modified": "2024-04-17T10:02:07+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["PAM", "Security", "Security"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/28/manage-azure-policy-github-action/", "url": "https://rfernandezdo.github.io/blog/2024/02/28/manage-azure-policy-github-action/", "title": "Manage Azure Policy GitHub Action", "content_html": "

                    Manage Azure Policy GitHub Action

                    \n

                    It's recommended to review:

                    \n
                      \n
                    • [Azure Policy]
                    • \n
                    • [Writing Your First Policy in Azure with Portal]
                    • \n
                    • [Writing Your First I...
                    • \n
                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240228_Azure_Policy_Github.png", "date_modified": "2024-04-13T15:46:41+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Tools"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/25/writing-your-first-initiative-with-portal/", "url": "https://rfernandezdo.github.io/blog/2024/02/25/writing-your-first-initiative-with-portal/", "title": "Writing Your First Initiative with Portal", "content_html": "

                    Writing Your First Initiative with Portal

                    \n

                    Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce di...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240227_Azure_Policy_first_initiative.png", "date_modified": "2024-04-12T18:39:49+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2023/12/01/azure-functions/", "url": "https://rfernandezdo.github.io/blog/2023/12/01/azure-functions/", "title": "Azure Functions", "content_html": "

                    Azure Functions

                    \n

                    Introduction

                    \n

                    Azure Functions is a serverless compute service provided by Microsoft Azure. This analysis aims to provide a comprehensive...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2023/20231201_Azure_Functions.png", "date_modified": "2024-04-12T18:23:43+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Functions", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/03/02/azure-policy-management-best-practices/", "url": "https://rfernandezdo.github.io/blog/2024/03/02/azure-policy-management-best-practices/", "title": "Azure Policy Management Best Practices", "content_html": "

                    Azure Policy Management Best Practices

                    \n
                      \n
                    1. Version Control: Store your policy definitions in a version-controlled repository. This practice ensures tha...
                    2. \n
                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240302_Azure_Policies_Best_Practices.png", "date_modified": "2024-04-12T18:23:21+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/24/azure-policy/", "url": "https://rfernandezdo.github.io/blog/2024/02/24/azure-policy/", "title": "Azure Policy", "content_html": "

                    Azure Policy

                    \n

                    Azure Policy serves as a powerful tool for implementing governance across your Azure environment. It helps ensure resource consistency, regul...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240224_Azure_Policy.png", "date_modified": "2024-04-10T21:55:41+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2023/11/21/azure-well-architected-framework-waf-mind-maps/", "url": "https://rfernandezdo.github.io/blog/2023/11/21/azure-well-architected-framework-waf-mind-maps/", "title": "Azure Well-Architected Framework (WAF) mind maps", "content_html": "

                    Azure Well-Architected Framework (WAF) mind maps

                    \n

                    Microsoft Well-Architected Framework Pillars Design Principles Mind Map

                    \n

                    ![\"Design Principles\"](assets...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2023/20231121_Azure_WAF_mindmaps.png", "date_modified": "2024-04-09T18:15:06+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Frameworks", "Azure Well-Architected Framework"]}, {"id": "https://rfernandezdo.github.io/blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/", "url": "https://rfernandezdo.github.io/blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/", "title": "Comparing Container Apps with other Azure container options", "content_html": "

                    Comparing Container Apps with other Azure container options

                    \n

                    Container option comparisons

                    \n

                    | Service | Primary Use | Advantages | Disadvantages |\n|-----...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2023/20231130_Azure_Container_Apps.png", "date_modified": "2024-04-09T18:15:06+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Container Apps", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/25/azure-policy-defintion-schema/", "url": "https://rfernandezdo.github.io/blog/2024/02/25/azure-policy-defintion-schema/", "title": "Azure Policy, defintion schema", "content_html": "

                    Azure Policy, defintion schema

                    \n

                    This is the schema for the Azure Policy definition:

                    \n

                    ``` json\n{\n \"properties\": {\n \"displayName\": {\n \"t...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240225_Azure_Policy_schema.png", "date_modified": "2024-04-09T18:15:06+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/", "url": "https://rfernandezdo.github.io/blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/", "title": "Writing Your First Policy in Azure with Portal", "content_html": "

                    Writing Your First Policy in Azure with Portal

                    \n

                    Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enfor...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240226_Azure_Policy_first_policy.png", "date_modified": "2024-04-09T18:15:06+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/", "url": "https://rfernandezdo.github.io/blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/", "title": "Create a blog with MkDocs,mkdocs-material, mkdocs-rss-plugin and GitHub Pages", "content_html": "

                    Create a blog with MkDocs,mkdocs-material, mkdocs-rss-plugin and GitHub Pages

                    \n

                    A few time ago I maintained a blog with Wordpress. I was happy with it, but ...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2023/20231018_1_mkdocs.png", "date_modified": "2024-04-05T19:06:59+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["DevOps", "English", "mkdocs"]}]} \ No newline at end of file +{"version": "https://jsonfeed.org/version/1", "title": "Un Rinconcito donde contar lo que quiera", "home_page_url": "https://rfernandezdo.github.io/", "feed_url": "https://rfernandezdo.github.io/feed_json_updated.json", "description": "A blog about Azure, DevOps and other stuff", "icon": null, "authors": [{"name": "Rafael Fern\u00e1ndez"}], "language": "en", "items": [{"id": "https://rfernandezdo.github.io/blog/2024/04/19/how-to-create-assigment-reports-for-azure-rbac/", "url": "https://rfernandezdo.github.io/blog/2024/04/19/how-to-create-assigment-reports-for-azure-rbac/", "title": "How to create assigment Reports for Azure RBAC", "content_html": "

                    How to create assigment Reports for Azure RBAC

                    \n

                    Role-Based Access Control (RBAC) is a key feature of Azure that allows you to manage access to Azure resour...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240419_Azure_RBAC_report.png", "date_modified": "2024-04-25T16:07:25.979341+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure", "Role-Based Access Control"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/19/azure-role-based-access-control-rbac/", "url": "https://rfernandezdo.github.io/blog/2024/04/19/azure-role-based-access-control-rbac/", "title": "Azure Role-Based Access Control (RBAC)", "content_html": "

                    Azure Role-Based Access Control (RBAC)

                    \n

                    Azure Role-Based Access Control (RBAC) is a system that provides fine-grained access management of resources in Azu...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240419_Azure_RBAC.png", "date_modified": "2024-04-25T16:07:25.722470+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure", "Role-Based Access Control"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/19/azure-network-hub-and-spoke-topology/", "url": "https://rfernandezdo.github.io/blog/2024/04/19/azure-network-hub-and-spoke-topology/", "title": "Azure Network, Hub-and-Spoke Topology", "content_html": "

                    Azure Network, Hub-and-Spoke Topology

                    \n

                    Hub and Spoke is a network topology where a central Hub is connected to multiple Spokes. The Hub acts as a central p...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240419_Azure_Network_HUB_Spoke.png", "date_modified": "2024-04-25T16:07:25.698836+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Network", "Azure Services", "Hub and Spoke"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/", "url": "https://rfernandezdo.github.io/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/", "title": "How to create a Management Group diagram with draw.io", "content_html": "

                    How to create a Management Group diagram with draw.io

                    \n

                    I nedd to create a diagram of the Management Groups in Azure, and I remembered a project that did so...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240424_Management_Groups_drawio.png", "date_modified": "2024-04-23T20:35:54+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Services", "Management Groups", "draw.io"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/22/management-groups/", "url": "https://rfernandezdo.github.io/blog/2024/04/22/management-groups/", "title": "Management Groups", "content_html": "

                    Management Groups

                    \n

                    What are Management Groups?

                    \n

                    Management Groups are a way to manage access, policies, and compliance for multiple subscriptions. They...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240422_Management_Groups.png", "date_modified": "2024-04-23T20:34:51+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Services", "Management Groups"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/17/azure-policy-useful-queries/", "url": "https://rfernandezdo.github.io/blog/2024/04/17/azure-policy-useful-queries/", "title": "Azure Policy useful queries", "content_html": "

                    Azure Policy useful queries

                    \n

                    Policy assignments and information about each of its respective definitions

                    \n

                    ```kusto\n// Policy assignments and information...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240417_Azure_Policies_queries.png", "date_modified": "2024-04-22T21:53:54+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/23/moving-management-groups-and-subscriptions/", "url": "https://rfernandezdo.github.io/blog/2024/04/23/moving-management-groups-and-subscriptions/", "title": "Moving Management Groups and Subscriptions", "content_html": "

                    Moving Management Groups and Subscriptions

                    \n

                    Managing your Azure resources efficiently often involves moving management groups and subscriptions. Here's a b...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240423_Management_Groups_moving.png", "date_modified": "2024-04-22T21:53:44+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Services", "Management Groups"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/29/enterprise-azure-policy-as-code-epac/", "url": "https://rfernandezdo.github.io/blog/2024/02/29/enterprise-azure-policy-as-code-epac/", "title": "Enterprise Azure Policy as Code (EPAC)", "content_html": "

                    Enterprise Azure Policy as Code (EPAC)

                    \n

                    Enterprise Azure Policy as Code (EPAC) is a powerful tool that allows organizations to manage Azure Policies as cod...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240229_Azure_EPAC.png", "date_modified": "2024-04-18T14:33:54+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "EPAC", "Tools"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/", "url": "https://rfernandezdo.github.io/blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/", "title": "How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account", "content_html": "

                    How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account

                    \n

                    In this demo we will show how to use Azure ARC-enabled server...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240407_Azure_ARC_demo.png", "date_modified": "2024-04-18T14:33:54+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure ARC", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/", "url": "https://rfernandezdo.github.io/blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/", "title": "Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud", "content_html": "

                    Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud

                    \n

                    No es nuevo pero me gustar\u00eda recordar que Microsoft ha cambiado los nombres ...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240417_Azure_MDFC.png", "date_modified": "2024-04-17T10:15:25+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Services", "Microsoft Defender for Cloud"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/06/azure-arc/", "url": "https://rfernandezdo.github.io/blog/2024/04/06/azure-arc/", "title": "Azure ARC", "content_html": "

                    Azure ARC

                    \n

                    Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running on-premises, ...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240406_Azure_ARC.png", "date_modified": "2024-04-17T10:08:34+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure ARC", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/05/microsoft-azure-certifications/", "url": "https://rfernandezdo.github.io/blog/2024/04/05/microsoft-azure-certifications/", "title": "Microsoft Azure Certifications", "content_html": "

                    Microsoft Azure Certifications

                    \n

                    Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft t...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240405_Azure_Certificacions.png", "date_modified": "2024-04-17T10:04:05+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Certifications", "Learning"]}, {"id": "https://rfernandezdo.github.io/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/", "url": "https://rfernandezdo.github.io/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/", "title": "Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services", "content_html": "

                    Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services

                    \n

                    Today, I'd like to share a brief of a recommended strategy fo...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240404_PAM_Strategy.png", "date_modified": "2024-04-17T10:02:07+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["PAM", "Security", "Security"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/28/manage-azure-policy-github-action/", "url": "https://rfernandezdo.github.io/blog/2024/02/28/manage-azure-policy-github-action/", "title": "Manage Azure Policy GitHub Action", "content_html": "

                    Manage Azure Policy GitHub Action

                    \n

                    It's recommended to review:

                    \n
                      \n
                    • [Azure Policy]
                    • \n
                    • [Writing Your First Policy in Azure with Portal]
                    • \n
                    • [Writing Your First I...
                    • \n
                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240228_Azure_Policy_Github.png", "date_modified": "2024-04-13T15:46:41+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Tools"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/25/writing-your-first-initiative-with-portal/", "url": "https://rfernandezdo.github.io/blog/2024/02/25/writing-your-first-initiative-with-portal/", "title": "Writing Your First Initiative with Portal", "content_html": "

                    Writing Your First Initiative with Portal

                    \n

                    Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce di...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240227_Azure_Policy_first_initiative.png", "date_modified": "2024-04-12T18:39:49+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2023/12/01/azure-functions/", "url": "https://rfernandezdo.github.io/blog/2023/12/01/azure-functions/", "title": "Azure Functions", "content_html": "

                    Azure Functions

                    \n

                    Introduction

                    \n

                    Azure Functions is a serverless compute service provided by Microsoft Azure. This analysis aims to provide a comprehensive...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2023/20231201_Azure_Functions.png", "date_modified": "2024-04-12T18:23:43+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Functions", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/03/02/azure-policy-management-best-practices/", "url": "https://rfernandezdo.github.io/blog/2024/03/02/azure-policy-management-best-practices/", "title": "Azure Policy Management Best Practices", "content_html": "

                    Azure Policy Management Best Practices

                    \n
                      \n
                    1. Version Control: Store your policy definitions in a version-controlled repository. This practice ensures tha...
                    2. \n
                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240302_Azure_Policies_Best_Practices.png", "date_modified": "2024-04-12T18:23:21+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2024/02/24/azure-policy/", "url": "https://rfernandezdo.github.io/blog/2024/02/24/azure-policy/", "title": "Azure Policy", "content_html": "

                    Azure Policy

                    \n

                    Azure Policy serves as a powerful tool for implementing governance across your Azure environment. It helps ensure resource consistency, regul...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2024/20240224_Azure_Policy.png", "date_modified": "2024-04-10T21:55:41+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Policy", "Azure Services"]}, {"id": "https://rfernandezdo.github.io/blog/2023/11/21/azure-well-architected-framework-waf-mind-maps/", "url": "https://rfernandezdo.github.io/blog/2023/11/21/azure-well-architected-framework-waf-mind-maps/", "title": "Azure Well-Architected Framework (WAF) mind maps", "content_html": "

                    Azure Well-Architected Framework (WAF) mind maps

                    \n

                    Microsoft Well-Architected Framework Pillars Design Principles Mind Map

                    \n

                    ![\"Design Principles\"](assets...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2023/20231121_Azure_WAF_mindmaps.png", "date_modified": "2024-04-09T18:15:06+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Frameworks", "Azure Well-Architected Framework"]}, {"id": "https://rfernandezdo.github.io/blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/", "url": "https://rfernandezdo.github.io/blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/", "title": "Comparing Container Apps with other Azure container options", "content_html": "

                    Comparing Container Apps with other Azure container options

                    \n

                    Container option comparisons

                    \n

                    | Service | Primary Use | Advantages | Disadvantages |\n|-----...

                    ", "image": "https://rfernandezdo.github.io/assets/images/social/blog/posts/2023/20231130_Azure_Container_Apps.png", "date_modified": "2024-04-09T18:15:06+00:00", "authors": [{"name": "rfernandezdo"}], "tags": ["Azure Container Apps", "Azure Services"]}]} \ No newline at end of file diff --git a/feed_rss_created.xml b/feed_rss_created.xml index 35081f5..86baa46 100644 --- a/feed_rss_created.xml +++ b/feed_rss_created.xml 
@@ -1 +1 @@ - Un Rinconcito donde contar lo que quieraA blog about Azure, DevOps and other stuffhttps://rfernandezdo.github.io/Rafael Fernándezen Thu, 25 Apr 2024 06:30:54 -0000 Thu, 25 Apr 2024 06:30:54 -0000 1440 MkDocs RSS plugin - v1.12.1 How to create a Management Group diagram with draw.io rfernandezdo Azure Services Management Groups draw.io <h1>How to create a Management Group diagram with draw.io</h1><p>I nedd to create a diagram of the Management Groups in Azure, and I remembered a project that did so...</p>https://rfernandezdo.github.io/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/ Wed, 24 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/ Moving Management Groups and Subscriptions rfernandezdo Azure Services Management Groups <h1>Moving Management Groups and Subscriptions</h1><p>Managing your Azure resources efficiently often involves moving management groups and subscriptions. Here's a b...</p>https://rfernandezdo.github.io/blog/2024/04/23/moving-management-groups-and-subscriptions/ Tue, 23 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/23/moving-management-groups-and-subscriptions/ Management Groups rfernandezdo Azure Services Management Groups <h1>Management Groups</h1><h2>What are Management Groups?</h2><p>Management Groups are a way to manage access, policies, and compliance for multiple subscriptions. 
They...</p>https://rfernandezdo.github.io/blog/2024/04/22/management-groups/ Mon, 22 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/22/management-groups/ Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud rfernandezdo Azure Services Microsoft Defender for Cloud <h1>Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud</h1><p>No es nuevo pero me gustaría recordar que Microsoft ha cambiado los nombres ...</p>https://rfernandezdo.github.io/blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/ Wed, 17 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/ Azure Policy useful queries rfernandezdo Azure Policy Azure Services <h1>Azure Policy useful queries</h1><h2>Policy assignments and information about each of its respective definitions</h2><p>```kusto// Policy assignments and information...</p>https://rfernandezdo.github.io/blog/2024/04/17/azure-policy-useful-queries/ Wed, 17 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/17/azure-policy-useful-queries/ How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account rfernandezdo Azure ARC Azure Services <h1>How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account</h1><p>In this demo we will show how to use Azure ARC-enabled server...</p>https://rfernandezdo.github.io/blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/ Sun, 07 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/ Azure ARC rfernandezdo Azure ARC 
Azure Services <h1>Azure ARC</h1><p>Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running on-premises, ...</p>https://rfernandezdo.github.io/blog/2024/04/06/azure-arc/ Sat, 06 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/06/azure-arc/ Microsoft Azure Certifications rfernandezdo Certifications Learning <h1>Microsoft Azure Certifications</h1><p>Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft t...</p>https://rfernandezdo.github.io/blog/2024/04/05/microsoft-azure-certifications/ Fri, 05 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/05/microsoft-azure-certifications/ Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services rfernandezdo PAM Security Security <h1>Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services</h1><p>Today, I'd like to share a brief of a recommended strategy fo...</p>https://rfernandezdo.github.io/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/ Thu, 04 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/ Azure Policy Management Best Practices rfernandezdo Azure Policy Azure Services <h1>Azure Policy Management Best Practices</h1><ol><li><strong>Version Control</strong>: Store your policy definitions in a version-controlled repository. 
This practice ensures tha...</li></ol>https://rfernandezdo.github.io/blog/2024/03/02/azure-policy-management-best-practices/ Sat, 02 Mar 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/03/02/azure-policy-management-best-practices/ Enterprise Azure Policy as Code (EPAC) rfernandezdo Azure Policy EPAC Tools <h1>Enterprise Azure Policy as Code (EPAC)</h1><p>Enterprise Azure Policy as Code (EPAC) is a powerful tool that allows organizations to manage Azure Policies as cod...</p>https://rfernandezdo.github.io/blog/2024/02/29/enterprise-azure-policy-as-code-epac/ Thu, 29 Feb 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/29/enterprise-azure-policy-as-code-epac/ Manage Azure Policy GitHub Action rfernandezdo Azure Policy Tools <h1>Manage Azure Policy GitHub Action</h1><p>It's recommended to review:</p><ul><li>[Azure Policy]</li><li>[Writing Your First Policy in Azure with Portal]</li><li>[Writing Your First I...</li></ul>https://rfernandezdo.github.io/blog/2024/02/28/manage-azure-policy-github-action/ Wed, 28 Feb 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/28/manage-azure-policy-github-action/ Writing Your First Policy in Azure with Portal rfernandezdo Azure Policy Azure Services <h1>Writing Your First Policy in Azure with Portal</h1><p>Azure Policy is a service in Azure that you use to create, assign and manage policies. 
These policies enfor...</p>https://rfernandezdo.github.io/blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/ Mon, 26 Feb 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/ Azure Policy, defintion schema rfernandezdo Azure Policy Azure Services <h1>Azure Policy, defintion schema</h1><p>This is the schema for the Azure Policy definition:</p><p>``` json{ "properties": { "displayName": { "t...</p>https://rfernandezdo.github.io/blog/2024/02/25/azure-policy-defintion-schema/ Sun, 25 Feb 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/25/azure-policy-defintion-schema/ Writing Your First Initiative with Portal rfernandezdo Azure Policy Azure Services <h1>Writing Your First Initiative with Portal</h1><p>Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce di...</p>https://rfernandezdo.github.io/blog/2024/02/25/writing-your-first-initiative-with-portal/ Sun, 25 Feb 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/25/writing-your-first-initiative-with-portal/ Azure Policy rfernandezdo Azure Policy Azure Services <h1>Azure Policy</h1><p>Azure Policy serves as a powerful tool for implementing governance across your Azure environment. It helps ensure resource consistency, regul...</p>https://rfernandezdo.github.io/blog/2024/02/24/azure-policy/ Sat, 24 Feb 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/24/azure-policy/ Depurar logs de OneDrive para detectar problemas de sincronización rfernandezdo Microsoft 365 OneDrive for Business <h1>Depurar logs de OneDrive para detectar problemas de sincronización</h1><p>!!! 
info "Necesitas WSL2" Para poder seguir este tutorial necesitas tener instalado...</p>https://rfernandezdo.github.io/blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/ Tue, 05 Dec 2023 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/ Instalar WSL2 en Windows 11 con chocolatey rfernandezdo Windows Windows Subsystem for Linux 2 <h1>Instalar WSL2 en Windows 11 con chocolatey</h1><h2>Introducción</h2><p>Windows Subsystem for Linux (WSL) es una característica de Windows 11 que permite ejecutar un ...</p>https://rfernandezdo.github.io/blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/ Mon, 04 Dec 2023 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/ Azure Functions rfernandezdo Azure Functions Azure Services <h1>Azure Functions</h1><h2>Introduction</h2><p>Azure Functions is a serverless compute service provided by Microsoft Azure. 
This analysis aims to provide a comprehensive...</p>https://rfernandezdo.github.io/blog/2023/12/01/azure-functions/ Fri, 01 Dec 2023 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2023/12/01/azure-functions/ Comparing Container Apps with other Azure container options rfernandezdo Azure Container Apps Azure Services <h1>Comparing Container Apps with other Azure container options</h1><h2>Container option comparisons</h2><p>| Service | Primary Use | Advantages | Disadvantages ||-----...</p>https://rfernandezdo.github.io/blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/ Thu, 30 Nov 2023 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/ \ No newline at end of file + Un Rinconcito donde contar lo que quieraA blog about Azure, DevOps and other stuffhttps://rfernandezdo.github.io/Rafael Fernándezen Thu, 25 Apr 2024 16:07:13 -0000 Thu, 25 Apr 2024 16:07:13 -0000 1440 MkDocs RSS plugin - v1.12.1 How to create a Management Group diagram with draw.io rfernandezdo Azure Services Management Groups draw.io <h1>How to create a Management Group diagram with draw.io</h1><p>I nedd to create a diagram of the Management Groups in Azure, and I remembered a project that did so...</p>https://rfernandezdo.github.io/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/ Wed, 24 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/ Moving Management Groups and Subscriptions rfernandezdo Azure Services Management Groups <h1>Moving Management Groups and Subscriptions</h1><p>Managing your Azure resources efficiently often involves moving management groups and subscriptions. 
Here's a b...</p>https://rfernandezdo.github.io/blog/2024/04/23/moving-management-groups-and-subscriptions/ Tue, 23 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/23/moving-management-groups-and-subscriptions/ Management Groups rfernandezdo Azure Services Management Groups <h1>Management Groups</h1><h2>What are Management Groups?</h2><p>Management Groups are a way to manage access, policies, and compliance for multiple subscriptions. They...</p>https://rfernandezdo.github.io/blog/2024/04/22/management-groups/ Mon, 22 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/22/management-groups/ Azure Network, Hub-and-Spoke Topology rfernandezdo Azure Network Azure Services Hub and Spoke <h1>Azure Network, Hub-and-Spoke Topology</h1><p>Hub and Spoke is a network topology where a central Hub is connected to multiple Spokes. The Hub acts as a central p...</p>https://rfernandezdo.github.io/blog/2024/04/19/azure-network-hub-and-spoke-topology/ Fri, 19 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/19/azure-network-hub-and-spoke-topology/ Azure Role-Based Access Control (RBAC) rfernandezdo Azure Role-Based Access Control <h1>Azure Role-Based Access Control (RBAC)</h1><p>Azure Role-Based Access Control (RBAC) is a system that provides fine-grained access management of resources in Azu...</p>https://rfernandezdo.github.io/blog/2024/04/19/azure-role-based-access-control-rbac/ Fri, 19 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/19/azure-role-based-access-control-rbac/ How to create assigment Reports for Azure RBAC rfernandezdo Azure Role-Based Access Control <h1>How to create assigment Reports for Azure RBAC</h1><p>Role-Based Access Control (RBAC) is a key feature of Azure that allows you to manage access to Azure 
resour...</p>https://rfernandezdo.github.io/blog/2024/04/19/how-to-create-assigment-reports-for-azure-rbac/ Fri, 19 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/19/how-to-create-assigment-reports-for-azure-rbac/ Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud rfernandezdo Azure Services Microsoft Defender for Cloud <h1>Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud</h1><p>No es nuevo pero me gustaría recordar que Microsoft ha cambiado los nombres ...</p>https://rfernandezdo.github.io/blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/ Wed, 17 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/ Azure Policy useful queries rfernandezdo Azure Policy Azure Services <h1>Azure Policy useful queries</h1><h2>Policy assignments and information about each of its respective definitions</h2><p>```kusto// Policy assignments and information...</p>https://rfernandezdo.github.io/blog/2024/04/17/azure-policy-useful-queries/ Wed, 17 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/17/azure-policy-useful-queries/ How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account rfernandezdo Azure ARC Azure Services <h1>How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account</h1><p>In this demo we will show how to use Azure ARC-enabled server...</p>https://rfernandezdo.github.io/blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/ Sun, 07 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que 
quierahttps://rfernandezdo.github.io/blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/ Azure ARC rfernandezdo Azure ARC Azure Services <h1>Azure ARC</h1><p>Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running on-premises, ...</p>https://rfernandezdo.github.io/blog/2024/04/06/azure-arc/ Sat, 06 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/06/azure-arc/ Microsoft Azure Certifications rfernandezdo Certifications Learning <h1>Microsoft Azure Certifications</h1><p>Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft t...</p>https://rfernandezdo.github.io/blog/2024/04/05/microsoft-azure-certifications/ Fri, 05 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/05/microsoft-azure-certifications/ Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services rfernandezdo PAM Security Security <h1>Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services</h1><p>Today, I'd like to share a brief of a recommended strategy fo...</p>https://rfernandezdo.github.io/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/ Thu, 04 Apr 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/ Azure Policy Management Best Practices rfernandezdo Azure Policy Azure Services <h1>Azure Policy Management Best Practices</h1><ol><li><strong>Version Control</strong>: Store your policy definitions in a version-controlled repository. 
This practice ensures tha...</li></ol>https://rfernandezdo.github.io/blog/2024/03/02/azure-policy-management-best-practices/ Sat, 02 Mar 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/03/02/azure-policy-management-best-practices/ Enterprise Azure Policy as Code (EPAC) rfernandezdo Azure Policy EPAC Tools <h1>Enterprise Azure Policy as Code (EPAC)</h1><p>Enterprise Azure Policy as Code (EPAC) is a powerful tool that allows organizations to manage Azure Policies as cod...</p>https://rfernandezdo.github.io/blog/2024/02/29/enterprise-azure-policy-as-code-epac/ Thu, 29 Feb 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/29/enterprise-azure-policy-as-code-epac/ Manage Azure Policy GitHub Action rfernandezdo Azure Policy Tools <h1>Manage Azure Policy GitHub Action</h1><p>It's recommended to review:</p><ul><li>[Azure Policy]</li><li>[Writing Your First Policy in Azure with Portal]</li><li>[Writing Your First I...</li></ul>https://rfernandezdo.github.io/blog/2024/02/28/manage-azure-policy-github-action/ Wed, 28 Feb 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/28/manage-azure-policy-github-action/ Writing Your First Policy in Azure with Portal rfernandezdo Azure Policy Azure Services <h1>Writing Your First Policy in Azure with Portal</h1><p>Azure Policy is a service in Azure that you use to create, assign and manage policies. 
These policies enfor...</p>https://rfernandezdo.github.io/blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/ Mon, 26 Feb 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/ Azure Policy, defintion schema rfernandezdo Azure Policy Azure Services <h1>Azure Policy, defintion schema</h1><p>This is the schema for the Azure Policy definition:</p><p>``` json{ "properties": { "displayName": { "t...</p>https://rfernandezdo.github.io/blog/2024/02/25/azure-policy-defintion-schema/ Sun, 25 Feb 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/25/azure-policy-defintion-schema/ Writing Your First Initiative with Portal rfernandezdo Azure Policy Azure Services <h1>Writing Your First Initiative with Portal</h1><p>Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce di...</p>https://rfernandezdo.github.io/blog/2024/02/25/writing-your-first-initiative-with-portal/ Sun, 25 Feb 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/25/writing-your-first-initiative-with-portal/ Azure Policy rfernandezdo Azure Policy Azure Services <h1>Azure Policy</h1><p>Azure Policy serves as a powerful tool for implementing governance across your Azure environment. It helps ensure resource consistency, regul...</p>https://rfernandezdo.github.io/blog/2024/02/24/azure-policy/ Sat, 24 Feb 2024 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/24/azure-policy/ Depurar logs de OneDrive para detectar problemas de sincronización rfernandezdo Microsoft 365 OneDrive for Business <h1>Depurar logs de OneDrive para detectar problemas de sincronización</h1><p>!!! 
info "Necesitas WSL2" Para poder seguir este tutorial necesitas tener instalado...</p>https://rfernandezdo.github.io/blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/ Tue, 05 Dec 2023 00:00:00 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/ \ No newline at end of file diff --git a/feed_rss_updated.xml b/feed_rss_updated.xml index aefe925..9a1d8c7 100644 --- a/feed_rss_updated.xml +++ b/feed_rss_updated.xml 
@@ -1 +1 @@ - Un Rinconcito donde contar lo que quieraA blog about Azure, DevOps and other stuffhttps://rfernandezdo.github.io/Rafael Fernándezen Thu, 25 Apr 2024 06:30:54 -0000 Thu, 25 Apr 2024 06:30:54 -0000 1440 MkDocs RSS plugin - v1.12.1 How to create a Management Group diagram with draw.io rfernandezdo Azure Services Management Groups draw.io <h1>How to create a Management Group diagram with draw.io</h1><p>I nedd to create a diagram of the Management Groups in Azure, and I remembered a project that did so...</p>https://rfernandezdo.github.io/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/ Tue, 23 Apr 2024 20:35:54 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/ Management Groups rfernandezdo Azure Services Management Groups <h1>Management Groups</h1><h2>What are Management Groups?</h2><p>Management Groups are a way to manage access, policies, and compliance for multiple subscriptions. They...</p>https://rfernandezdo.github.io/blog/2024/04/22/management-groups/ Tue, 23 Apr 2024 20:34:51 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/22/management-groups/ Azure Policy useful queries rfernandezdo Azure Policy Azure Services <h1>Azure Policy useful queries</h1><h2>Policy assignments and information about each of its respective definitions</h2><p>```kusto// Policy assignments and information...</p>https://rfernandezdo.github.io/blog/2024/04/17/azure-policy-useful-queries/ Mon, 22 Apr 2024 21:53:54 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/17/azure-policy-useful-queries/ Moving Management Groups and Subscriptions rfernandezdo Azure Services Management Groups <h1>Moving Management Groups and Subscriptions</h1><p>Managing your Azure resources efficiently often involves moving management groups and subscriptions. 
Here's a b...</p>https://rfernandezdo.github.io/blog/2024/04/23/moving-management-groups-and-subscriptions/ Mon, 22 Apr 2024 21:53:44 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/23/moving-management-groups-and-subscriptions/ Enterprise Azure Policy as Code (EPAC) rfernandezdo Azure Policy EPAC Tools <h1>Enterprise Azure Policy as Code (EPAC)</h1><p>Enterprise Azure Policy as Code (EPAC) is a powerful tool that allows organizations to manage Azure Policies as cod...</p>https://rfernandezdo.github.io/blog/2024/02/29/enterprise-azure-policy-as-code-epac/ Thu, 18 Apr 2024 14:33:54 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/29/enterprise-azure-policy-as-code-epac/ How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account rfernandezdo Azure ARC Azure Services <h1>How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account</h1><p>In this demo we will show how to use Azure ARC-enabled server...</p>https://rfernandezdo.github.io/blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/ Thu, 18 Apr 2024 14:33:54 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/ Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud rfernandezdo Azure Services Microsoft Defender for Cloud <h1>Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud</h1><p>No es nuevo pero me gustaría recordar que Microsoft ha cambiado los nombres ...</p>https://rfernandezdo.github.io/blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/ Wed, 17 Apr 2024 10:15:25 +0000Un Rinconcito donde contar lo que 
quierahttps://rfernandezdo.github.io/blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/ Azure ARC rfernandezdo Azure ARC Azure Services <h1>Azure ARC</h1><p>Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running on-premises, ...</p>https://rfernandezdo.github.io/blog/2024/04/06/azure-arc/ Wed, 17 Apr 2024 10:08:34 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/06/azure-arc/ Microsoft Azure Certifications rfernandezdo Certifications Learning <h1>Microsoft Azure Certifications</h1><p>Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft t...</p>https://rfernandezdo.github.io/blog/2024/04/05/microsoft-azure-certifications/ Wed, 17 Apr 2024 10:04:05 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/05/microsoft-azure-certifications/ Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services rfernandezdo PAM Security Security <h1>Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services</h1><p>Today, I'd like to share a brief of a recommended strategy fo...</p>https://rfernandezdo.github.io/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/ Wed, 17 Apr 2024 10:02:07 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/ Manage Azure Policy GitHub Action rfernandezdo Azure Policy Tools <h1>Manage Azure Policy GitHub Action</h1><p>It's recommended to review:</p><ul><li>[Azure Policy]</li><li>[Writing Your First Policy in Azure with Portal]</li><li>[Writing Your First I...</li></ul>https://rfernandezdo.github.io/blog/2024/02/28/manage-azure-policy-github-action/ 
Sat, 13 Apr 2024 15:46:41 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/28/manage-azure-policy-github-action/ Writing Your First Initiative with Portal rfernandezdo Azure Policy Azure Services <h1>Writing Your First Initiative with Portal</h1><p>Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce di...</p>https://rfernandezdo.github.io/blog/2024/02/25/writing-your-first-initiative-with-portal/ Fri, 12 Apr 2024 18:39:49 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/25/writing-your-first-initiative-with-portal/ Azure Functions rfernandezdo Azure Functions Azure Services <h1>Azure Functions</h1><h2>Introduction</h2><p>Azure Functions is a serverless compute service provided by Microsoft Azure. This analysis aims to provide a comprehensive...</p>https://rfernandezdo.github.io/blog/2023/12/01/azure-functions/ Fri, 12 Apr 2024 18:23:43 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2023/12/01/azure-functions/ Azure Policy Management Best Practices rfernandezdo Azure Policy Azure Services <h1>Azure Policy Management Best Practices</h1><ol><li><strong>Version Control</strong>: Store your policy definitions in a version-controlled repository. This practice ensures tha...</li></ol>https://rfernandezdo.github.io/blog/2024/03/02/azure-policy-management-best-practices/ Fri, 12 Apr 2024 18:23:21 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/03/02/azure-policy-management-best-practices/ Azure Policy rfernandezdo Azure Policy Azure Services <h1>Azure Policy</h1><p>Azure Policy serves as a powerful tool for implementing governance across your Azure environment. 
It helps ensure resource consistency, regul...</p>https://rfernandezdo.github.io/blog/2024/02/24/azure-policy/ Wed, 10 Apr 2024 21:55:41 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/24/azure-policy/ Azure Well-Architected Framework (WAF) mind maps rfernandezdo Azure Frameworks Azure Well-Architected Framework <h1>Azure Well-Architected Framework (WAF) mind maps</h1><h2>Microsoft Well-Architected Framework Pillars Design Principles Mind Map</h2><p>!["Design Principles"](assets...</p>https://rfernandezdo.github.io/blog/2023/11/21/azure-well-architected-framework-waf-mind-maps/ Tue, 09 Apr 2024 18:15:06 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2023/11/21/azure-well-architected-framework-waf-mind-maps/ Comparing Container Apps with other Azure container options rfernandezdo Azure Container Apps Azure Services <h1>Comparing Container Apps with other Azure container options</h1><h2>Container option comparisons</h2><p>| Service | Primary Use | Advantages | Disadvantages ||-----...</p>https://rfernandezdo.github.io/blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/ Tue, 09 Apr 2024 18:15:06 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/ Azure Policy, defintion schema rfernandezdo Azure Policy Azure Services <h1>Azure Policy, defintion schema</h1><p>This is the schema for the Azure Policy definition:</p><p>``` json{ "properties": { "displayName": { "t...</p>https://rfernandezdo.github.io/blog/2024/02/25/azure-policy-defintion-schema/ Tue, 09 Apr 2024 18:15:06 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/25/azure-policy-defintion-schema/ Writing Your First Policy in Azure with Portal rfernandezdo Azure Policy Azure Services <h1>Writing Your First Policy in Azure with Portal</h1><p>Azure Policy is a service in Azure that 
you use to create, assign and manage policies. These policies enfor...</p>https://rfernandezdo.github.io/blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/ Tue, 09 Apr 2024 18:15:06 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/ Create a blog with MkDocs,mkdocs-material, mkdocs-rss-plugin and GitHub Pages rfernandezdo DevOps English mkdocs <h1>Create a blog with MkDocs,mkdocs-material, mkdocs-rss-plugin and GitHub Pages</h1><p>A few time ago I maintained a blog with Wordpress. I was happy with it, but ...</p>https://rfernandezdo.github.io/blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/ Fri, 05 Apr 2024 19:06:59 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/ \ No newline at end of file + Un Rinconcito donde contar lo que quieraA blog about Azure, DevOps and other stuffhttps://rfernandezdo.github.io/Rafael Fernándezen Thu, 25 Apr 2024 16:07:13 -0000 Thu, 25 Apr 2024 16:07:13 -0000 1440 MkDocs RSS plugin - v1.12.1 How to create assigment Reports for Azure RBAC rfernandezdo Azure Role-Based Access Control <h1>How to create assigment Reports for Azure RBAC</h1><p>Role-Based Access Control (RBAC) is a key feature of Azure that allows you to manage access to Azure resour...</p>https://rfernandezdo.github.io/blog/2024/04/19/how-to-create-assigment-reports-for-azure-rbac/ Thu, 25 Apr 2024 16:07:25 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/19/how-to-create-assigment-reports-for-azure-rbac/ Azure Role-Based Access Control (RBAC) rfernandezdo Azure Role-Based Access Control <h1>Azure Role-Based Access Control (RBAC)</h1><p>Azure Role-Based Access Control (RBAC) is a system that provides fine-grained access management of resources in 
Azu...</p>https://rfernandezdo.github.io/blog/2024/04/19/azure-role-based-access-control-rbac/ Thu, 25 Apr 2024 16:07:25 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/19/azure-role-based-access-control-rbac/ Azure Network, Hub-and-Spoke Topology rfernandezdo Azure Network Azure Services Hub and Spoke <h1>Azure Network, Hub-and-Spoke Topology</h1><p>Hub and Spoke is a network topology where a central Hub is connected to multiple Spokes. The Hub acts as a central p...</p>https://rfernandezdo.github.io/blog/2024/04/19/azure-network-hub-and-spoke-topology/ Thu, 25 Apr 2024 16:07:25 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/19/azure-network-hub-and-spoke-topology/ How to create a Management Group diagram with draw.io rfernandezdo Azure Services Management Groups draw.io <h1>How to create a Management Group diagram with draw.io</h1><p>I nedd to create a diagram of the Management Groups in Azure, and I remembered a project that did so...</p>https://rfernandezdo.github.io/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/ Tue, 23 Apr 2024 20:35:54 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/ Management Groups rfernandezdo Azure Services Management Groups <h1>Management Groups</h1><h2>What are Management Groups?</h2><p>Management Groups are a way to manage access, policies, and compliance for multiple subscriptions. 
They...</p>https://rfernandezdo.github.io/blog/2024/04/22/management-groups/ Tue, 23 Apr 2024 20:34:51 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/22/management-groups/ Azure Policy useful queries rfernandezdo Azure Policy Azure Services <h1>Azure Policy useful queries</h1><h2>Policy assignments and information about each of its respective definitions</h2><p>```kusto// Policy assignments and information...</p>https://rfernandezdo.github.io/blog/2024/04/17/azure-policy-useful-queries/ Mon, 22 Apr 2024 21:53:54 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/17/azure-policy-useful-queries/ Moving Management Groups and Subscriptions rfernandezdo Azure Services Management Groups <h1>Moving Management Groups and Subscriptions</h1><p>Managing your Azure resources efficiently often involves moving management groups and subscriptions. Here's a b...</p>https://rfernandezdo.github.io/blog/2024/04/23/moving-management-groups-and-subscriptions/ Mon, 22 Apr 2024 21:53:44 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/23/moving-management-groups-and-subscriptions/ Enterprise Azure Policy as Code (EPAC) rfernandezdo Azure Policy EPAC Tools <h1>Enterprise Azure Policy as Code (EPAC)</h1><p>Enterprise Azure Policy as Code (EPAC) is a powerful tool that allows organizations to manage Azure Policies as cod...</p>https://rfernandezdo.github.io/blog/2024/02/29/enterprise-azure-policy-as-code-epac/ Thu, 18 Apr 2024 14:33:54 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/29/enterprise-azure-policy-as-code-epac/ How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account rfernandezdo Azure ARC Azure Services <h1>How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account</h1><p>In this demo we will show how to use Azure ARC-enabled 
server...</p>https://rfernandezdo.github.io/blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/ Thu, 18 Apr 2024 14:33:54 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/ Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud rfernandezdo Azure Services Microsoft Defender for Cloud <h1>Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud</h1><p>No es nuevo pero me gustaría recordar que Microsoft ha cambiado los nombres ...</p>https://rfernandezdo.github.io/blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/ Wed, 17 Apr 2024 10:15:25 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/ Azure ARC rfernandezdo Azure ARC Azure Services <h1>Azure ARC</h1><p>Azure ARC is a service that extends Azure management capabilities to any infrastructure. 
It allows you to manage resources running on-premises, ...</p>https://rfernandezdo.github.io/blog/2024/04/06/azure-arc/ Wed, 17 Apr 2024 10:08:34 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/06/azure-arc/ Microsoft Azure Certifications rfernandezdo Certifications Learning <h1>Microsoft Azure Certifications</h1><p>Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft t...</p>https://rfernandezdo.github.io/blog/2024/04/05/microsoft-azure-certifications/ Wed, 17 Apr 2024 10:04:05 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/05/microsoft-azure-certifications/ Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services rfernandezdo PAM Security Security <h1>Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services</h1><p>Today, I'd like to share a brief of a recommended strategy fo...</p>https://rfernandezdo.github.io/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/ Wed, 17 Apr 2024 10:02:07 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/ Manage Azure Policy GitHub Action rfernandezdo Azure Policy Tools <h1>Manage Azure Policy GitHub Action</h1><p>It's recommended to review:</p><ul><li>[Azure Policy]</li><li>[Writing Your First Policy in Azure with Portal]</li><li>[Writing Your First I...</li></ul>https://rfernandezdo.github.io/blog/2024/02/28/manage-azure-policy-github-action/ Sat, 13 Apr 2024 15:46:41 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/28/manage-azure-policy-github-action/ Writing Your First Initiative with Portal rfernandezdo Azure Policy Azure Services <h1>Writing Your First Initiative with 
Portal</h1><p>Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce di...</p>https://rfernandezdo.github.io/blog/2024/02/25/writing-your-first-initiative-with-portal/ Fri, 12 Apr 2024 18:39:49 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/25/writing-your-first-initiative-with-portal/ Azure Functions rfernandezdo Azure Functions Azure Services <h1>Azure Functions</h1><h2>Introduction</h2><p>Azure Functions is a serverless compute service provided by Microsoft Azure. This analysis aims to provide a comprehensive...</p>https://rfernandezdo.github.io/blog/2023/12/01/azure-functions/ Fri, 12 Apr 2024 18:23:43 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2023/12/01/azure-functions/ Azure Policy Management Best Practices rfernandezdo Azure Policy Azure Services <h1>Azure Policy Management Best Practices</h1><ol><li><strong>Version Control</strong>: Store your policy definitions in a version-controlled repository. This practice ensures tha...</li></ol>https://rfernandezdo.github.io/blog/2024/03/02/azure-policy-management-best-practices/ Fri, 12 Apr 2024 18:23:21 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/03/02/azure-policy-management-best-practices/ Azure Policy rfernandezdo Azure Policy Azure Services <h1>Azure Policy</h1><p>Azure Policy serves as a powerful tool for implementing governance across your Azure environment. 
It helps ensure resource consistency, regul...</p>https://rfernandezdo.github.io/blog/2024/02/24/azure-policy/ Wed, 10 Apr 2024 21:55:41 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2024/02/24/azure-policy/ Azure Well-Architected Framework (WAF) mind maps rfernandezdo Azure Frameworks Azure Well-Architected Framework <h1>Azure Well-Architected Framework (WAF) mind maps</h1><h2>Microsoft Well-Architected Framework Pillars Design Principles Mind Map</h2><p>!["Design Principles"](assets...</p>https://rfernandezdo.github.io/blog/2023/11/21/azure-well-architected-framework-waf-mind-maps/ Tue, 09 Apr 2024 18:15:06 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2023/11/21/azure-well-architected-framework-waf-mind-maps/ Comparing Container Apps with other Azure container options rfernandezdo Azure Container Apps Azure Services <h1>Comparing Container Apps with other Azure container options</h1><h2>Container option comparisons</h2><p>| Service | Primary Use | Advantages | Disadvantages ||-----...</p>https://rfernandezdo.github.io/blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/ Tue, 09 Apr 2024 18:15:06 +0000Un Rinconcito donde contar lo que quierahttps://rfernandezdo.github.io/blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/ \ No newline at end of file diff --git a/index.html b/index.html index 8c118e6..1b2dca8 100644 --- a/index.html +++ b/index.html @@ -7,4 +7,4 @@ .gdesc-inner { font-size: 0.75rem; } body[data-md-color-scheme="slate"] .gdesc-inner { background: var(--md-default-bg-color);} body[data-md-color-scheme="slate"] .gslide-title { color: var(--md-default-fg-color);} - body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

                    Thats me

                    Me

                    Quien soy?

                    ¡Hola a todos!

                    Soy Rafa , y este es mi pequeño rincón en la web.

                    Como profesional apasionado de la informática, me encanta explorar nuevas tecnologías, enfrentar nuevos desafíos y compartir mis experiencias con otros.

                    Como soy bastante malo presentándome, le he pedido a chatgpt que me ayude a hacerlo en base a los comentarios de algunos de mis compañeros de trabajo en Linkedin, este es el resultado:

                    Un Líder y Mentor Excepcional

                    ¡Hola a todos!

                    Hoy quiero compartir con ustedes mi experiencia trabajando con un profesional de increible talento, Rafael.

                    Tuve la suerte de trabajar con él en Bravent durante más de seis meses. Durante ese tiempo, Rafael fue no solo mi jefe directo, sino también mi mentor dentro de la empresa. No puedo decir ni una cosa mala sobre él; es un excelente líder, uno de los pocos que he encontrado en mi vida laboral, que nunca te pide algo que él mismo no pueda hacer.

                    Rafael siempre está dispuesto a echar una mano si ve que estás desbordado o perdido. Como mentor, aplica siempre el principio de “no le des un pez, enséñale a pescar”. Me ayudó a reconducir todas las situaciones en las que me encontré con un callejón sin salida, apuntando en la dirección en la que tenía que seguir avanzando.

                    A nivel técnico, Rafael es excepcional. Más allá de su conocimiento, sorprende por su capacidad para aprender en un tiempo mínimo lo necesario para resolver cualquier tipo de problema. Trabajar con él es tremendamente fácil, ya que nunca tiene una mala palabra ni un mal gesto y genera un ambiente de trabajo increíblemente positivo.

                    Rafael demuestra un profundo conocimiento no solo técnico en las áreas que le competen, sino también de planificación, análisis y gestión. He tenido la gran suerte de trabajar con él y sin duda es una de las personas que me gustaría que formara parte de cualquier equipo en el que me encuentre ahora o en el futuro.

                    Rafael es un maestro en las artes informáticas y un verdadero profesional. En su trabajo no deja nada al azar, todo lo estudia detenidamente y suele tomar muy buenas decisiones. Además, Rafael es un profesional altamente calificado. Tiene una actitud amigable y resuelve rápidamente cualquier pregunta que tengas, explicándote siempre la solución. Si tienes algún problema, él es la persona adecuada a quien pedir ayuda.

                    Espero que este testimonio brinde una visión clara del increíble profesional y persona que es Rafael. Estoy seguro de que aquellos que tengan la oportunidad de trabajar con él se beneficiarán enormemente de su liderazgo, conocimientos técnicos y actitud positiva.

                    Who am I?

                    Hello everyone!

                    I'm Rafa, and this is my little corner on the web.

                    As a passionate IT professional, I love exploring new technologies, facing new challenges, and sharing my experiences with others.

                    Since I'm pretty bad at introducing myself, I've asked chatgpt to help me do it based on comments from some of my coworkers on Linkedin, this is the result:

                    An Exceptional Leader and Mentor

                    Hello everyone!

                    Today I want to share with you my experience working with an incredibly talented professional, Rafael.

                    I was lucky enough to work with him at Bravent for over six months. During that time, Rafael was not only my direct boss, but also my mentor within the company. I can't say a single bad thing about him; He is an excellent leader, one of the few I have encountered in my working life, who never asks you for something that he cannot do himself.

                    Rafael is always willing to lend a hand if he sees that you are overwhelmed or lost. As a mentor, he always applies the principle of “don't give him a fish, teach him to fish.” He helped me redirect all the situations in which I found myself at a dead end, pointing in the direction in which I had to continue moving forward.

                    On a technical level, Rafael is exceptional. Beyond his knowledge, he is surprised by his ability to learn in a minimum amount of time what is necessary to solve any type of problem. Working with him is tremendously easy, since he never has a bad word or a bad gesture and generates an incredibly positive work environment.

                    Rafael demonstrates deep knowledge not only of technical knowledge in the areas in which he is responsible, but also of planning, analysis and management. I have had the great fortune to work with him and he is undoubtedly one of the people I would like to be part of any team I am on now or in the future.

                    Rafael is a master of computer arts and a true professional. In his work he leaves nothing to chance, he studies everything carefully and he usually makes very good decisions. Furthermore, Rafael is a highly qualified professional. He has a friendly attitude and quickly resolves any questions you have, always explaining the solution. If you have a problem, he is the right person to ask for help.

                    I hope this testimony provides a clear vision of the incredible professional and person that Rafael is. I am confident that those who have the opportunity to work with him will benefit greatly from his leadership, technical knowledge and positive attitude.

                    \ No newline at end of file + body[data-md-color-scheme="slate"] .gslide-desc { color: var(--md-default-fg-color);}

                    Thats me

                    Me

                    Quien soy?

                    ¡Hola a todos!

                    Soy Rafa , y este es mi pequeño rincón en la web.

                    Como profesional apasionado de la informática, me encanta explorar nuevas tecnologías, enfrentar nuevos desafíos y compartir mis experiencias con otros.

                    Como soy bastante malo presentándome, le he pedido a chatgpt que me ayude a hacerlo en base a los comentarios de algunos de mis compañeros de trabajo en Linkedin, este es el resultado:

                    Un Líder y Mentor Excepcional

                    ¡Hola a todos!

                    Hoy quiero compartir con ustedes mi experiencia trabajando con un profesional de increible talento, Rafael.

                    Tuve la suerte de trabajar con él en Bravent durante más de seis meses. Durante ese tiempo, Rafael fue no solo mi jefe directo, sino también mi mentor dentro de la empresa. No puedo decir ni una cosa mala sobre él; es un excelente líder, uno de los pocos que he encontrado en mi vida laboral, que nunca te pide algo que él mismo no pueda hacer.

                    Rafael siempre está dispuesto a echar una mano si ve que estás desbordado o perdido. Como mentor, aplica siempre el principio de “no le des un pez, enséñale a pescar”. Me ayudó a reconducir todas las situaciones en las que me encontré con un callejón sin salida, apuntando en la dirección en la que tenía que seguir avanzando.

                    A nivel técnico, Rafael es excepcional. Más allá de su conocimiento, sorprende por su capacidad para aprender en un tiempo mínimo lo necesario para resolver cualquier tipo de problema. Trabajar con él es tremendamente fácil, ya que nunca tiene una mala palabra ni un mal gesto y genera un ambiente de trabajo increíblemente positivo.

                    Rafael demuestra un profundo conocimiento no solo técnico en las áreas que le competen, sino también de planificación, análisis y gestión. He tenido la gran suerte de trabajar con él y sin duda es una de las personas que me gustaría que formara parte de cualquier equipo en el que me encuentre ahora o en el futuro.

                    Rafael es un maestro en las artes informáticas y un verdadero profesional. En su trabajo no deja nada al azar, todo lo estudia detenidamente y suele tomar muy buenas decisiones. Además, Rafael es un profesional altamente calificado. Tiene una actitud amigable y resuelve rápidamente cualquier pregunta que tengas, explicándote siempre la solución. Si tienes algún problema, él es la persona adecuada a quien pedir ayuda.

                    Espero que este testimonio brinde una visión clara del increíble profesional y persona que es Rafael. Estoy seguro de que aquellos que tengan la oportunidad de trabajar con él se beneficiarán enormemente de su liderazgo, conocimientos técnicos y actitud positiva.

                    Who am I?

                    Hello everyone!

                    I'm Rafa, and this is my little corner on the web.

                    As a passionate IT professional, I love exploring new technologies, facing new challenges, and sharing my experiences with others.

                    Since I'm pretty bad at introducing myself, I've asked chatgpt to help me do it based on comments from some of my coworkers on Linkedin, this is the result:

                    An Exceptional Leader and Mentor

                    Hello everyone!

                    Today I want to share with you my experience working with an incredibly talented professional, Rafael.

                    I was lucky enough to work with him at Bravent for over six months. During that time, Rafael was not only my direct boss, but also my mentor within the company. I can't say a single bad thing about him; He is an excellent leader, one of the few I have encountered in my working life, who never asks you for something that he cannot do himself.

                    Rafael is always willing to lend a hand if he sees that you are overwhelmed or lost. As a mentor, he always applies the principle of “don't give him a fish, teach him to fish.” He helped me redirect all the situations in which I found myself at a dead end, pointing in the direction in which I had to continue moving forward.

                    On a technical level, Rafael is exceptional. Beyond his knowledge, he is surprised by his ability to learn in a minimum amount of time what is necessary to solve any type of problem. Working with him is tremendously easy, since he never has a bad word or a bad gesture and generates an incredibly positive work environment.

                    Rafael demonstrates deep knowledge not only of technical knowledge in the areas in which he is responsible, but also of planning, analysis and management. I have had the great fortune to work with him and he is undoubtedly one of the people I would like to be part of any team I am on now or in the future.

                    Rafael is a master of computer arts and a true professional. In his work he leaves nothing to chance, he studies everything carefully and he usually makes very good decisions. Furthermore, Rafael is a highly qualified professional. He has a friendly attitude and quickly resolves any questions you have, always explaining the solution. If you have a problem, he is the right person to ask for help.

                    I hope this testimony provides a clear vision of the incredible professional and person that Rafael is. I am confident that those who have the opportunity to work with him will benefit greatly from his leadership, technical knowledge and positive attitude.

                    \ No newline at end of file diff --git a/search/search_index.json b/search/search_index.json index 021b420..81bae0b 100644 --- a/search/search_index.json +++ b/search/search_index.json @@ -1 +1 @@ -{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Thats me","text":""},{"location":"#quien-soy","title":"Quien soy?","text":"

                    \u00a1Hola a todos!

                    Soy Rafa , y este es mi peque\u00f1o rinc\u00f3n en la web.

                    Como profesional apasionado de la inform\u00e1tica, me encanta explorar nuevas tecnolog\u00edas, enfrentar nuevos desaf\u00edos y compartir mis experiencias con otros.

                    Since I'm pretty bad at introducing myself, I've asked chatgpt to help me do it based on comments from some of my coworkers on Linkedin; this is the result:

                    "},{"location":"#un-lider-y-mentor-excepcional","title":"An Exceptional Leader and Mentor","text":"

                    Hello everyone!

                    Today I want to share with you my experience working with an incredibly talented professional, Rafael.

                    I was lucky enough to work with him at Bravent for over six months. During that time, Rafael was not only my direct boss but also my mentor within the company. I can't say a single bad thing about him; he is an excellent leader, one of the few I have come across in my working life, who never asks you to do something he couldn't do himself.

                    Rafael is always willing to lend a hand if he sees that you are overwhelmed or lost. As a mentor, he always applies the principle of “don't give a man a fish, teach him to fish”. He helped me get back on track in every situation where I hit a dead end, pointing me in the direction I needed to keep moving in.

                    On a technical level, Rafael is exceptional. Beyond his knowledge, he impresses with his ability to learn, in minimal time, whatever is needed to solve any kind of problem. Working with him is tremendously easy, since he never has a bad word or a bad gesture, and he creates an incredibly positive work environment.

                    Rafael demonstrates deep knowledge not only of the technical areas he is responsible for, but also of planning, analysis and management. I have been very fortunate to work with him, and he is without a doubt one of the people I would like to have on any team I am part of, now or in the future.

                    Rafael is a master of the computing arts and a true professional. In his work he leaves nothing to chance; he studies everything carefully and usually makes very good decisions. Furthermore, Rafael is a highly qualified professional. He has a friendly attitude and quickly resolves any question you have, always explaining the solution. If you have a problem, he is the right person to ask for help.

                    I hope this testimonial gives a clear picture of the incredible professional and person that Rafael is. I am sure that those who have the opportunity to work with him will benefit greatly from his leadership, technical knowledge and positive attitude.

                    "},{"location":"#who-am-i","title":"Who am I?","text":"

                    Hello everyone!

                    I'm Rafa, and this is my little corner on the web.

                    As a passionate IT professional, I love exploring new technologies, facing new challenges, and sharing my experiences with others.

                    Since I'm pretty bad at introducing myself, I've asked chatgpt to help me do it based on comments from some of my coworkers on Linkedin; this is the result:

                    "},{"location":"#an-exceptional-leader-and-mentor","title":"An Exceptional Leader and Mentor","text":"

                    Hello everyone!

                    Today I want to share with you my experience working with an incredibly talented professional, Rafael.

                    I was lucky enough to work with him at Bravent for over six months. During that time, Rafael was not only my direct boss, but also my mentor within the company. I can't say a single bad thing about him; he is an excellent leader, one of the few I have encountered in my working life, who never asks you for something that he cannot do himself.

                    Rafael is always willing to lend a hand if he sees that you are overwhelmed or lost. As a mentor, he always applies the principle of \u201cdon't give him a fish, teach him to fish.\u201d He helped me redirect all the situations in which I found myself at a dead end, pointing in the direction in which I had to continue moving forward.

                    On a technical level, Rafael is exceptional. Beyond his knowledge, he is surprised by his ability to learn in a minimum amount of time what is necessary to solve any type of problem. Working with him is tremendously easy, since he never has a bad word or a bad gesture and generates an incredibly positive work environment.

                    Rafael demonstrates deep knowledge not only of technical knowledge in the areas in which he is responsible, but also of planning, analysis and management. I have had the great fortune to work with him and he is undoubtedly one of the people I would like to be part of any team I am on now or in the future.

                    Rafael is a master of computer arts and a true professional. In his work he leaves nothing to chance, he studies everything carefully and he usually makes very good decisions. Furthermore, Rafael is a highly qualified professional. He has a friendly attitude and quickly resolves any questions you have, always explaining the solution. If you have a problem, he is the right person to ask for help.

                    I hope this testimony provides a clear vision of the incredible professional and person that Rafael is. I am confident that those who have the opportunity to work with him will benefit greatly from his leadership, technical knowledge and positive attitude.

                    "},{"location":"contributions/","title":"Contributions","text":"

                    Better or worse, here I am adding my contributions in case one day I have to compile them to be MVP (a real pain):

                    Generally, I try to contribute to the community in the following ways:

                    • Posts/shares on LinkedIn
                    • Posts on my blog
                    • Some contributions to Azure-related GitHub projects (see below)
                    "},{"location":"contributions/#2024","title":"2024","text":"
                    • Organizer of Azure Global Seville 2024 and collaborator in Global Azure Spain 2024, Zaragoza.
                    "},{"location":"contributions/#2023","title":"2023","text":"
                    • Creator of Azure Certified World Community, a community by and for Azure Certified Experts.
                    • Microsoft Azure Documentation

                      • Added comparative table to Containers
                      • Add mind maps to WAF pillars
                    • mingrammer

                      • Update azure icons to v12 mingrammer
                    • Cloud Adoption Framework for Azure - Terraform module

                      • First version of the module to support azurerm_linux_function_app
                      • Feature/add ddos protection plan id var non global to ddos
                    • Microsoft Cloud Adoption Framework for Azure, run aznamingtool in podman
                    "},{"location":"contributions/#2022","title":"2022","text":"
                    • Cloud Adoption Framework for Azure - Terraform module

                      • Adding support for Digital Twins
                      • Submodule Eventgrid
                      • System Identity option added to identity in function app
                    • Global Azure Zaragoza 2022

                      • Enterprise Scale Zone \u2013 Empieza bien
                      • Enterprise Scale Zone \u2013 CAF Landing zones for Terraform
                    • Microsoft Azure Documentation

                      • Example added for Azure IP reserves in subnet
                    • Azure-Samples

                      • Update example KeyVault-Rotation-StorageAccountKey-PowerShell
                    • Azure Naming Calculator for early stage of the Cloud Adoption Framework for Azure

                    "},{"location":"Azure/Security/MCSB/Asset%20Management/","title":"MCSB_v1 - Asset Management","text":"ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders: AM-1 Asset Management 1.1 - Utilize an Active Discovery Tool 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory CM-8: INFORMATION SYSTEM COMPONENT INVENTORY 2.4 Track asset inventory and their risks Track your asset inventory by query and discover all your cloud resources. Logically organize your assets by tagging and grouping your assets based on their service nature, location, or other characteristics. Ensure your security organization has access to a continuously updated inventory of assets. The Microsoft Defender for Cloud inventory feature and Azure Resource Graph can query for and discover all resources in your subscriptions, including Azure services, applications, and network resources. Logically organize assets according to your organization's taxonomy using tags as well as other metadata in Azure (Name, Description, and Category). How to create queries with Azure Resource Graph Explorer: Use the AWS Systems Manager Inventory feature to query for and discover all resources in your EC2 instances, including application level and operating system level details. In addition, use AWS Resource Groups - Tag Editor to browse AWS resource inventories. 
AWS Systems Manager Inventory: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint 1.2 - Use a Passive Asset Discovery Tool 1.5 - Use a Passive Asset Discovery Tool PM-5: INFORMATION SYSTEM INVENTORY https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-inventory.html 1.4 - Maintain Detailed Asset Inventory 2.1 - Establish and Maintain a Software Inventory Ensure your security organization can monitor the risks of the cloud assets by always having security insights and risks aggregated centrally Ensure that security organizations have access to a continuously updated inventory of assets on Azure. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input for continuous security improvements. Logically organize assets according to your organization's taxonomy using tags as well as other metadata in AWS (Name, Description, and Category). Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management 1.5 - Maintain Asset Inventory Information 2.4 - Utilize Automated Software Inventory Tools Microsoft Defender for Cloud asset inventory management: AWS Resource Groups and Tags: 2.1 - Maintain Inventory of Authorized Software Ensure security organizations are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Microsoft Defender for Cloud. Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions. https://docs.microsoft.com/azure/security-center/asset-inventory Ensure that security organizations have access to a continuously updated inventory of assets on AWS. 
Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input for continuous security improvements. https://docs.aws.amazon.com/ARG/latest/userguide/tag-editor.html Note: Additional permissions might be required to get visibility into workloads and services. For more information about tagging assets, see the resource naming and tagging decision guide: Note: Additional permissions might be required to get visibility into workloads and services. https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json Overview of Security Reader Role: https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#security-reader AM-2 Asset Management 2.7 - Utilize Application Whitelisting 2.5 - Allowlist Authorized Software CM-8: INFORMATION SYSTEM COMPONENT INVENTORY 6.3 Use only approved services Ensure that only approved cloud services can be used, by auditing and restricting which services users can provision in the environment. Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within their subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected. Configure and manage Azure Policy: Use AWS Config to audit and restrict which services users can provision in your environment. Use AWS Resource Groups to query for and discover resources within their accounts. You can also use CloudWatch and/or AWS Config to create rules to trigger alerts when a non-approved service is detected. 
AWS Resource Groups: Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management 2.8 - Implement Application Whitelisting of Libraries 2.6 - Allowlist Authorized Libraries PM-5: INFORMATION SYSTEM INVENTORY https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage https://docs.aws.amazon.com/ARG/latest/userguide/gettingstarted.html 2.9 - Implement Application Whitelisting of Scripts 2.7 - Allowlist Authorized Scripts Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 9.2 - Ensure Only Approved Ports, Protocols, and Services Are Running 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software How to deny a specific resource type with Azure Policy: https://docs.microsoft.com/azure/governance/policy/samples/not-allowed-resource-types How to create queries with Azure Resource Graph Explorer: https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal AM-3 Asset Management 1.4 - Maintain Detailed Asset Inventory 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory CM-8: INFORMATION SYSTEM COMPONENT INVENTORY 2.4 Ensure security of asset lifecycle management Ensure security attributes or configurations of the assets are always updated during the asset lifecycle. Establish or update security policies/process that address asset lifecycle management processes for potentially high impact modifications. These modifications include changes to identity providers and access, data sensitivity level, network configuration, and administrative privilege assignment. Delete Azure resource group and resource: Establish or update security policies/process that address asset lifecycle management processes for potentially high impact modifications. 
These modifications include changes to identity providers and access, data sensitivity level, network configuration, and administrative privilege assignment. How do I check for active resources that I no longer need on my AWS account? Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint 1.5 - Maintain Asset Inventory Information 2.1 - Establish and Maintain a Software Inventory CM-7: LEAST FUNCTIONALITY https://docs.microsoft.com/azure/azure-resource-manager/management/delete-resource-group https://aws.amazon.com/premiumsupport/knowledge-center/check-for-active-resources/ 2.1 - Maintain Inventory of Authorized Software Identify and remove Azure resources when they are no longer needed. Identify and remove AWS resources when they are no longer needed. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 2.4 - Track Software Inventory Information How do I terminate active resources that I no longer need on my AWS account? https://aws.amazon.com/premiumsupport/knowledge-center/terminate-resources-account-closure/ Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management AM-4 Asset Management 14.6 - Protect Information Through Access Control Lists 3.3 - Configure Data Access Control Lists AC-3: ACCESS ENFORCEMENT nan Limit access to asset management Limit users' access to asset management features, to avoid accidental or malicious modification of the assets in your cloud. Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources (assets) in Azure. Use Azure AD Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring \"Block access\" for the \"Microsoft Azure Management\" App. 
How to configure Conditional Access to block access to Azure Resource Manager: Use AWS IAM to restrict access to a specific resource. You can specify allow or deny actions as well as the conditions under which actions are triggered. You may specify one condition or combine methods of resource-level permissions, resource-based policies, tag-based authorization, temporary credentials, or service-linked roles to have fine-grained access control over your resources. AWS services that work with IAM: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management https://docs.microsoft.com/azure/role-based-access-control/conditional-access-azure-management https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html Use Azure Role-based Access Control (Azure RBAC) to assign roles to identities to control their permissions and access to Azure resources. For example, a user with only the 'Reader' Azure RBAC role can view all resources, but is not allowed to make any changes. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Lock your resources to protect your infrastructure: Use Resource Locks to prevent either deletions or modifications to resources. Resource Locks may also be administered through Azure Blueprints.
https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json Protect new resources with Azure Blueprints resource locks: https://learn.microsoft.com/azure/governance/blueprints/tutorials/protect-new-resources AM-5 Asset Management 2.7 - Utilize Application Whitelisting 2.5 - Allowlist Authorized Software CM-8: INFORMATION SYSTEM COMPONENT INVENTORY 6.3 Use only approved applications in virtual machine Ensure that only authorized software executes by creating an allow list and blocking the unauthorized software from executing in your environment. Use Microsoft Defender for Cloud adaptive application controls to discover and generate an application allow list. You can also use ASC adaptive application controls to ensure that only authorized software can execute, and all unauthorized software is blocked from executing on Azure Virtual Machines. How to use Microsoft Defender for Cloud adaptive application controls: Use the AWS Systems Manager Inventory feature to discover the applications installed in your EC2 instances. Use AWS Config rules to ensure that non-authorized software is blocked from executing on EC2 instances. Preventing blacklisted applications with AWS Systems Manager and AWS Config: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint 2.8 - Implement Application Whitelisting of Libraries 2.6 - Allowlist Authorized Libraries CM-7: LEAST FUNCTIONALITY https://docs.microsoft.com/azure/security-center/security-center-adaptive-application https://aws.amazon.com/blogs/mt/preventing-blacklisted-applications-with-aws-systems-manager-and-aws-config/ 2.9 - Implement Application Whitelisting of Scripts 2.7 - Allowlist Authorized Scripts CM-10: SOFTWARE USAGE RESTRICTIONS Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs.
Software name, version, publisher, and refresh time information are available from the Azure portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to a Log Analytics workspace. You can also use a third-party solution to discover and identify unapproved software. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 9.2 - Ensure Only Approved Ports, Protocols, and Services Are Running 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CM-11: USER-INSTALLED SOFTWARE Understand Azure Automation Change Tracking and Inventory: Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources. https://docs.microsoft.com/azure/automation/change-tracking Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management You can also use a third-party solution to discover and identify unapproved software. 
How to control PowerShell script execution in Windows environments: https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6"},{"location":"Azure/Security/MCSB/Backup%20and%20Recovery/","title":"MCSB_v1 - Backup and Recovery","text":"ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders: BR-1 Backup and recovery 10.1 - Ensure Regular Automated Backups 11.2 - Perform Automated Backups CP-2: CONTINGENCY PLAN nan Ensure regular automated backups Ensure backup of business-critical resources, either during resource creation or enforced through policy for existing resources. For Azure Backup supported resources (such as Azure VMs, SQL Server, HANA databases, Azure PostgreSQL Database, File Shares, Blobs or Disks), enable Azure Backup and configure the desired frequency and retention period. For Azure VMs, you can use Azure Policy to have backup enabled automatically. How to enable Azure Backup: For AWS Backup supported resources (such as EC2, S3, EBS or RDS), enable AWS Backup and configure the desired frequency and retention period. AWS Backup supported resources and third-party applications: Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards CP-4: CONTINGENCY PLAN TESTING https://docs.microsoft.com/azure/backup/ https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html CP-9: INFORMATION SYSTEM BACKUP For resources or services not supported by Azure Backup, use the native backup capability provided by the resource or service. For example, Azure Key Vault provides a native backup capability.
For resources/services not supported by AWS Backup, such as AWS KMS, enable the native backup feature as part of its resource creation. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture Auto-Enable Backup on VM Creation using Azure Policy: Amazon S3 versioning: For resources/services that are neither supported by Azure Backup nor have a native backup capability, evaluate your backup and disaster needs, and create your own mechanism as per your business requirements. For example: https://docs.microsoft.com/azure/backup/backup-azure-auto-enable-backup For resources/services that are neither supported by AWS Backup nor have a native backup capability, evaluate your backup and disaster needs, and create your own mechanism as per your business requirements. For example: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint - If you use Azure Storage for data storage, enable blob versioning for your storage blobs, which will allow you to preserve, retrieve, and restore every version of every object stored in your Azure Storage. - If Amazon S3 is used for data storage, enable S3 versioning for your storage bucket, which will allow you to preserve, retrieve, and restore every version of every object stored in your S3 bucket. - Service configuration settings can usually be exported to Azure Resource Manager templates. - Service configuration settings can usually be exported to CloudFormation templates.
AWS CloudFormation best practices: Incident preparation: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html BR-2 Backup and recovery 10.4 - Ensure Protection of Backups 11.3 - Protect Recovery Data CP-6: ALTERNATE STORAGE SITE 3.4 Protect backup and recovery data Ensure backup data and operations are protected from data exfiltration, data compromise, ransomware/malware and malicious insiders. The security controls that should be applied include user and network access control, data encryption at-rest and in-transit. Use multi-factor-authentication and Azure RBAC to secure the critical Azure Backup operations (such as delete, change retention, updates to backup config). For Azure Backup supported resources, use Azure RBAC to segregate duties and enable fine grained access, and create private endpoints within your Azure Virtual Network to securely backup and restore data from your Recovery Services vaults. Overview of security features in Azure Backup: Use AWS IAM access control to secure AWS Backup. This includes securing the AWS Backup service access and backup and restore points. Example controls include: Security in AWS Backup: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture CP-9: INFORMATION SYSTEM BACKUP https://docs.microsoft.com/azure/backup/security-overview - Use multi-factor authentication (MFA) for critical operations such as deletion of a backup/restore point. https://docs.aws.amazon.com/aws-backup/latest/devguide/security-considerations.html For Azure Backup supported resources, backup data is automatically encrypted using Azure platform-managed keys with 256-bit AES encryption. You can also choose to encrypt the backups using a customer managed key. In this case, ensure the customer-managed key in the Azure Key Vault is also in the backup scope. 
If you use a customer-managed key, use soft delete and purge protection in Azure Key Vault to protect keys from accidental or malicious deletion. For on-premises backups using Azure Backup, encryption-at-rest is provided using the passphrase you provide. - Use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to communicate with AWS resources. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Encryption of backup data using customer-managed keys: - Use AWS KMS in conjunction with AWS Backup to encrypt the backup data either using customer-managed CMK or an AWS-managed CMK associated with the AWS Backup service. Security Best Practices for Amazon S3: Safeguard backup data from accidental or malicious deletion, such as ransomware attacks/attempts to encrypt or tamper backup data. For Azure Backup supported resources, enable soft delete to ensure recovery of items with no data loss for up to 14 days after an unauthorized deletion, and enable multifactor authentication using a PIN generated in the Azure portal. Also enable geo-redundant storage or cross-region restoration to ensure backup data is restorable when there is a disaster in primary region. You can also enable Zone-redundant Storage (ZRS) to ensure backups are restorable during zonal failures. https://docs.microsoft.com/azure/backup/encryption-at-rest-with-cmk - Use AWS Backup Vault Lock for immutable storage of critical data. https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html Incident preparation: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation - Secure S3 buckets through access policy, disabling public access, enforcing data at-rest encryption, and versioning control. 
Note: If you use a resource's native backup feature or backup services other than Azure Backup, refer to the Microsoft Cloud Security Benchmark (and service baselines) to implement the above controls. Security features to help protect hybrid backups from attacks: https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks Azure Backup - set cross region restore https://docs.microsoft.com/azure/backup/backup-create-rs-vault#set-cross-region-restore BR-3 Backup and recovery 10.4 - Ensure Protection of Backups 11.3 - Protect Recovery Data CP-9: INFORMATION SYSTEM BACKUP nan Monitor backups Ensure all business-critical protectable resources are compliant with the defined backup policy and standard. Monitor your Azure environment to ensure that all your critical resources are compliant from a backup perspective. Use Azure Policy for backup to audit and enforce such controls. For Azure Backup supported resources, Backup Center helps you centrally govern your backup estate. Govern your backup estate using Backup Center: AWS Backup works with other AWS tools to empower you to monitor its workloads. These tools include the following: AWS Backup Monitoring: Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation https://docs.microsoft.com/azure/backup/backup-center-govern-environment - Use AWS Backup Audit Manager to monitor the backup operations to ensure the compliance. https://docs.aws.amazon.com/aws-backup/latest/devguide/monitoring.html Ensure critical backup operations (delete, change retention, updates to backup config) are monitored, audited, and have alerts in place. For Azure Backup supported resources, monitor overall backup health, get alerted to critical backup incidents, and audit triggered user actions on vaults. - Use CloudWatch and Amazon EventBridge to monitor AWS Backup processes. 
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management Monitor and operate backups using Backup center: - Use CloudWatch to track metrics, create alarms, and view dashboards. Monitoring AWS Backup events using EventBridge: Note: Where applicable, also use built-in policies (Azure Policy) to ensure that your Azure resources are configured for backup. https://docs.microsoft.com/azure/backup/backup-center-monitor-operate - Use EventBridge to view and monitor AWS Backup events. https://docs.aws.amazon.com/aws-backup/latest/devguide/eventbridge.html - Use Amazon Simple Notification Service (Amazon SNS) to subscribe to AWS Backup-related topics such as backup, restore, and copy events. Monitoring and reporting solutions for Azure Backup: Monitoring AWS Backup metrics with CloudWatch: https://docs.microsoft.com/azure/backup/monitoring-and-alerts-overview https://docs.aws.amazon.com/aws-backup/latest/devguide/cloudwatch.html Using Amazon SNS to track AWS Backup events: https://docs.aws.amazon.com/aws-backup/latest/devguide/sns-notifications.html Audit backups and create reports with AWS Backup Audit Manager: https://docs.aws.amazon.com/aws-backup/latest/devguide/aws-backup-audit-manager.html BR-4 Backup and recovery 10.3 - Test Data on Backup Media 11.5 - Test Data Recovery CP-4: CONTINGENCY PLAN TESTING nan Regularly test backup Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meet the recovery needs as defined in the RTO (Recovery Time Objective) and RPO (Recovery Point Objective). Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meet the recovery needs as defined in the RTO and RPO.
How to recover files from Azure Virtual Machine backup: Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meet the recovery needs as defined in the RTO and RPO. Restoring a backup: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture CP-9: INFORMATION SYSTEM BACKUP https://docs.microsoft.com/azure/backup/backup-azure-restore-files-from-vm https://docs.aws.amazon.com/aws-backup/latest/devguide/restoring-a-backup.html You may need to define your backup recovery test strategy, including the test scope, frequency and method, as performing the full recovery test each time can be difficult. You may need to define your backup recovery test strategy, including the test scope, frequency and method, as performing the full recovery test each time can be difficult. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation How to restore Key Vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/restore-azurekeyvaultkey?view=azurermps-6.13.0 Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security"},{"location":"Azure/Security/MCSB/Data%20Protection/","title":"MCSB_v1 - Data Protection","text":"ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context: AWS Foundational Security Best Practices controls AWS Config Rule (WIP) Azure Policy CIS AWS Foundations Benchmark 1.4.0 Customer Security Stakeholders: DP-1 Data Protection 13.1 - Maintain an Inventory of Sensitive Information 3.2 - Establish and Maintain a Data Inventory RA-2: SECURITY CATEGORIZATION A3.2 Discover, classify, and label sensitive 
data Establish and maintain an inventory of the sensitive data, based on the defined sensitive data scope. Use tools to discover, classify and label the in-scope sensitive data. Use tools such as Microsoft Purview, which combines the former Azure Purview and Microsoft 365 compliance solutions, and Azure SQL Data Discovery and Classification to centrally scan, classify, and label the sensitive data that resides in Azure, on-premises, Microsoft 365, and other locations. Data classification overview: Replicate your data from various sources to an S3 storage bucket and use AWS Macie to scan, classify and label the sensitive data stored in the bucket. AWS Macie can detect sensitive data such as security credentials, financial information, PHI and PII data, or other data patterns based on the custom data identifier rules. Data Classification Process: nan nan [Preview]: Sensitive data in your SQL databases should be classified 2.3.1 Ensure that encryption is enabled for RDS Instances Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 14.5 - Utilize an Active Discovery Tool to Identify Sensitive Data 3.7 - Establish and Maintain a Data Classification Scheme SC-28: PROTECTION OF INFORMATION AT REST https://docs.microsoft.com/azure/cloud-adoption-framework/govern/policy-compliance/data-classification https://docs.aws.amazon.com/whitepapers/latest/data-classification/data-classification-process.html (Automated) 3.13 - Deploy a Data Loss Prevention Solution You may also use the Azure Purview multi-cloud scanning connector to scan, classify and label the sensitive data residing in an S3 storage bucket.
Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security Labeling in the Microsoft Purview Data Map: AWS Marketplace - DLP Solution: https://docs.microsoft.com/azure/purview/create-sensitivity-label Note: You can also use third-party enterprise solutions from AWS Marketplace for the purpose of data discovery, classification and labeling https://aws.amazon.com/marketplace/search/results?searchTerms=DLP Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Tag sensitive information using Azure Information Protection: https://docs.microsoft.com/azure/information-protection/what-is-information-protection How to implement Azure SQL Data Discovery: https://docs.microsoft.com/azure/sql-database/sql-database-data-discovery-and-classification Microsoft Purview data sources: https://docs.microsoft.com/azure/purview/purview-connector-overview#purview-data-sources DP-2 Data Protection 13.3 - Monitor and Block Unauthorized Network Traffic 3.13 - Deploy a Data Loss Prevention Solution AC-4: INFORMATION FLOW ENFORCEMENT A3.2 Monitor anomalies and threats targeting sensitive data Monitor for anomalies around sensitive data, such as unauthorized transfer of data to locations outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or unusual transfers) that could indicate unauthorized data exfiltration. Use Azure Information Protection (AIP) to monitor the data that has been classified and labeled. Enable Azure Defender for SQL: Use AWS Macie to monitor the data that has been classified and labeled, and use GuardDuty to detect anomalous activities on some resources (S3, EC2, Kubernetes or IAM resources). Findings and alerts can be triaged, analyzed, and tracked using EventBridge and forwarded to Microsoft Sentinel or Security Hub for incident aggregation and tracking.
GuardDuty S3 finding types: nan nan Azure Defender for open-source relational databases should be enabled nan Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security 14.7 - Enforce Access Control to Data through Automated Tools SI-4: INFORMATION SYSTEM MONITORING https://docs.microsoft.com/azure/azure-sql/database/azure-defender-for-sql https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html Azure Defender for Storage should be enabled Use Microsoft Defender for Storage, Microsoft Defender for SQL, Microsoft Defender for open-source relational databases, and Microsoft Defender for Cosmos DB to alert on anomalous transfers of information that might indicate unauthorized transfers of sensitive data. You may also connect your AWS accounts to Microsoft Defender for Cloud for compliance checks, container security, and endpoint security capabilities. Azure Defender for SQL servers on machines should be enabled Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Enable Azure Defender for Storage: Amazon S3 protection in Amazon GuardDuty: Azure Defender for Azure SQL Database servers should be enabled Note: If required for data loss prevention (DLP) compliance, you can use a host-based DLP solution from Azure Marketplace or a Microsoft 365 DLP solution to enforce detective and/or preventative controls to prevent data exfiltration. https://docs.microsoft.com/azure/storage/common/storage-advanced-threat-protection?tabs=azure-security-center Note: If required for data loss prevention (DLP) compliance, you can use a host-based DLP solution from AWS Marketplace.
https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Enable Microsoft Defender for Azure Cosmos DB: https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-enable-cosmos-protections?tabs=azure-portal Enable Microsoft Defender for open-source relational databases and respond to alerts: https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-usage DP-3 Data Protection 14.4 - Encrypt All Sensitive Information in Transit 3.10 - Encrypt Sensitive Data In Transit SC-8: TRANSMISSION CONFIDENTIALITY AND INTEGRITY 3.5 Encrypt sensitive data in transit Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in. Double encryption for Azure data in transit: Enforce secure transfer in services such as Amazon S3, RDS and CloudFront, where a native data in transit encryption feature is built in. 
TLS security policies in Elastic Load Balancer: CloudFront distributions should require encryption in transit nan Kubernetes clusters should be accessible only over HTTPS 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests (Manual) Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 3.6 https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#tls-security-policies Classic Load Balancer listeners should be configured with HTTPS or TLS termination Only secure connections to your Azure Cache for Redis should be enabled 4.1 Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, it is critical for traffic on external and public networks. Enforce HTTPS for web application workloads and services by ensuring that any clients connecting to your Azure resources use transport layer security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Enforce HTTPS (such as in AWS Elastic Load Balancer) for web application workloads and services (either on the server side or client side, or on both) by ensuring that any clients connecting to your AWS resources use TLS v1.2 or later.
Application load balancers should be configured to drop HTTP headers FTPS only should be required in your Function App Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Understand encryption in transit with Azure: AWS Transfer SFTP and FTPS: Application Load Balancer should be configured to redirect all HTTP requests to HTTPS Secure transfer to storage accounts should be enabled For remote management of Azure virtual machines, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. For secure file transfer, use the SFTP/FTPS service in Azure Storage Blob, App Service apps, and Function apps, instead of using the regular FTP service. https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit For remote management of EC2 instances, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. For secure file transfer, use AWS Transfer SFTP or FTPS service instead of a regular FTP service. https://aws.amazon.com/aws-transfer-family/getting-started/?pg=ln&cp=bn Connections to Elasticsearch domains should be encrypted using TLS 1.2 FTPS should be required in your Web App Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops S3 buckets should require requests to use Secure Socket Layer Windows web servers should be configured to use secure communication protocols Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure services by default. And some services such as Azure Storage and Application Gateway can enforce TLS v1.2 or later on the server side. Information on TLS Security: Note: All network traffic between AWS data centers is transparently encrypted at the physical layer. 
All traffic within a VPC and between peered VPCs across regions is transparently encrypted at the network layer when using supported Amazon EC2 instance types. TLS v1.2 or later is enabled on most AWS services by default. And some services such as AWS Load Balancer can enforce TLS v1.2 or later on the server side. Function App should only be accessible over HTTPS Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security https://docs.microsoft.com/security/engineering/solving-tls1-problem Latest TLS version should be used in your API App FTPS only should be required in your API App Enforce secure transfer in Azure storage: Web Application should only be accessible over HTTPS https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account API App should only be accessible over HTTPS Enforce SSL connection should be enabled for PostgreSQL database servers Enforce SSL connection should be enabled for MySQL database servers Latest TLS version should be used in your Web App Latest TLS version should be used in your Function App DP-4 Data Protection 14.8 - Encrypt Sensitive Information at Rest 3.11 - Encrypt Sensitive Data at Rest SC-28: PROTECTION OF INFORMATION AT REST 3.4 Enable data at rest encryption by default To complement access controls, data at rest should be protected against 'out of band' attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data. Many Azure services have data at rest encryption enabled by default at the infrastructure layer using a service-managed key. These service-managed keys are generated on the customer's behalf and automatically rotated every two years.
Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services Many AWS services have data at rest encryption enabled by default at the infrastructure/platform layer using an AWS-managed customer master key. These AWS-managed customer master keys are generated on the customer's behalf and rotated automatically every three years. AWS Protecting Data at Rest: API Gateway REST API cache data should be encrypted at rest nan Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.1.1 Ensure all S3 buckets employ encryption-at-rest (Manual) Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 3.5 https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/protecting-data-at-rest.html CloudTrail should have encryption at rest enabled Transparent Data Encryption on SQL databases should be enabled 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests (Manual) Where technically feasible and not enabled by default, you can enable data at rest encryption in the Azure services, or in your VMs at the storage level, file level, or database level. 
Data at rest double encryption in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-models Where technically feasible and not enabled by default, you can enable data at rest encryption in the AWS services, or in your VMs at the storage level, file level, or database level. DynamoDB Accelerator (DAX) clusters should be encrypted at rest Automation account variables should be encrypted 2.2.1 Ensure EBS volume encryption is enabled (Manual) Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Attached EBS volumes should be encrypted at rest Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign 2.3.1 Ensure that encryption is enabled for RDS Instances Encryption model and key management table: EBS default encryption should be enabled (Automated) Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops https://docs.microsoft.com/azure/security/fundamentals/encryption-models Amazon EFS should be configured to encrypt file data at rest using AWS KMS Elasticsearch domains should have encryption at-rest enabled Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security Amazon Elasticsearch Service domains should encrypt data sent between nodes RDS DB instances should have encryption at rest enabled RDS cluster snapshots and database snapshots should be encrypted at rest S3 buckets should have server-side encryption enabled SNS topics should be encrypted at rest using AWS KMS AWS WAF Classic global web ACL logging should be enabled Amazon SQS queues should be encrypted at rest DynamoDB Accelerator (DAX) clusters should be encrypted at rest DP-5 Data Protection 14.8 - Encrypt Sensitive Information at Rest 3.11 - Encrypt Sensitive Data at Rest SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND
MANAGEMENT 3.4 Use customer-managed key option in data at rest encryption when required If required for regulatory compliance, define the use case and service scope where customer-managed key option is needed. Enable and implement data at rest encryption using customer-managed key in services. Azure also provides an encryption option using keys managed by yourself (customer-managed keys) for most services. Encryption model and key management table: AWS also provides an encryption option using keys managed by yourself (customer-managed customer master key stored in AWS Key Management Service) for certain services. AWS Services Integrated with AWS KMS: nan nan SQL managed instances should use customer-managed keys to encrypt data at rest nan Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture SC-28: PROTECTION OF INFORMATION AT REST 3.5 https://docs.microsoft.com/azure/security/fundamentals/encryption-models https://aws.amazon.com/kms/features/ SQL servers should use customer-managed keys to encrypt data at rest 3.6 Azure Key Vault Standard, Premium, and Managed HSM are natively integrated with many Azure Services for customer-managed key use cases. You may use Azure Key Vault to generate your key or bring your own keys. AWS Key Management Service (KMS) is natively integrated with many AWS services for customer-managed customer master key use cases. You may either use AWS Key Management Service (KMS) to generate your master keys or bring your own keys. 
PostgreSQL servers should use customer-managed keys to encrypt data at rest Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Services that support encryption using customer-managed key: https://docs.microsoft.com/azure/security/fundamentals/encryption-models#supporting-services AWS-managed and Customer-managed CMKs: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest However, using the customer-managed key option requires additional operational effort to manage the key lifecycle. This may include encryption key generation, rotation, revoke, and access control, etc. However, using the customer-managed key option requires additional operational efforts to manage the key lifecycle. This may include encryption key generation, rotation, revoke, and access control, etc. https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt Container registries should be encrypted with a customer-managed key Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops How to configure customer managed encryption keys in Azure Storage: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal Cognitive Services accounts should enable data encryption with a customer-managed key Storage accounts should use customer-managed key for encryption Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security MySQL servers should use customer-managed keys to encrypt data at rest Azure Machine Learning workspaces should be encrypted with a customer-managed key DP-6 Data Protection nan nan IA-5: AUTHENTICATOR MANAGEMENT 3.6 Use a secure key management process Document and implement an enterprise cryptographic key management standard, processes, and procedures to control your key lifecycle. 
When there is a need to use customer-managed key in the services, use a secured key vault service for key generation, distribution, and storage. Rotate and revoke your keys based on the defined schedule and when there is a key retirement or compromise. Use Azure Key Vault to create and control your encryption keys life cycle, including key generation, distribution, and storage. Rotate and revoke your keys in Azure Key Vault and your service based on the defined schedule and when there is a key retirement or compromise. Require a certain cryptographic type and minimum key size when generating keys. Azure Key Vault overview: Use AWS Key Management Service (KMS) to create and control your encryption keys life cycle, including key generation, distribution, and storage. Rotate and revoke your keys in KMS and your service based on the defined schedule and when there is a key retirement or compromise. AWS-managed and Customer-managed CMKs: IAM users' access keys should be rotated every 90 days or less nan Key Vault keys should have an expiration date nan Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT https://docs.microsoft.com/azure/key-vault/general/overview https://docs.aws.amazon.com/whitepapers/latest/kms-best-practices/aws-managed-and-customer-managed-cmks.html Secrets Manager secrets should have automatic rotation enabled Key Vault secrets should have an expiration date SC-28: PROTECTION OF INFORMATION AT REST When there is a need to use customer-managed key (CMK) in the workload services or applications, ensure you follow the best practices: When there is a need to use customer-managed customer master key in the workload services or applications, ensure you follow the best practices: Secrets Manager secrets configured with automatic rotation should rotate successfully Security architecture: 
https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture - Use a key hierarchy to generate a separate data encryption key (DEK) with your key encryption key (KEK) in your key vault. Azure data encryption at rest--Key Hierarchy: - Use a key hierarchy to generate a separate data encryption key (DEK) with your key encryption key (KEK) in your KMS. Importing key material in AWS KMS keys: Secrets Manager secrets should be rotated within a specified number of days - Ensure keys are registered with Azure Key Vault and implemented via key IDs in each service or application. https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#key-hierarchy - Ensure keys are registered with KMS and implemented via IAM policies in each service or application. https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops To maximize the key material lifetime and portability, bring your own key (BYOK) to the services (i.e., importing HSM-protected keys from your on-premises HSMs into Azure Key Vault). Follow the recommended guideline to perform the key generation and key transfer. BYOK (Bring Your Own Key) specification: To maximize the key material lifetime and portability, bring your own key (BYOK) to the services (i.e., importing HSM-protected keys from your on-premises HSMs into KMS or Cloud HSM). Follow the recommended guideline to perform the key generation and key transfer.
Secure transfer of keys into CloudHSM: Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security https://docs.microsoft.com/azure/key-vault/keys/byok-specification https://aws.amazon.com/premiumsupport/knowledge-center/cloudhsm-import-keys-openssl/ Note: Refer to the below for the FIPS 140-2 level for Azure Key Vault types and FIPS compliance/validation level. Note: AWS KMS uses shared HSM infrastructure in the backend. Use AWS KMS Custom Key Store backed by AWS CloudHSM when you need to manage your own key store and dedicated HSMs (e.g. a regulatory compliance requirement for a higher level of key security) to generate and store your encryption keys. - Software-protected keys in vaults (Premium & Standard SKUs): FIPS 140-2 Level 1 Creating a custom key store backed by CloudHSM: - HSM-protected keys in vaults (Premium SKU): FIPS 140-2 Level 2 Note: Refer to the below for the FIPS 140-2 compliance level in AWS KMS and CloudHSM https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html - HSM-protected keys in Managed HSM: FIPS 140-2 Level 3 - AWS KMS default: FIPS 140-2 Level 2 validated Azure Key Vault Premium uses a shared HSM infrastructure in the backend. Azure Key Vault Managed HSM uses dedicated, confidential service endpoints with a dedicated HSM for when you need a higher level of key security. - AWS KMS using CloudHSM: FIPS 140-2 Level 3 (for certain services) validated - AWS CloudHSM: FIPS 140-2 Level 3 validated Note: For secrets management (credentials, passwords, API keys, etc.), use AWS Secrets Manager. DP-7 Data Protection nan nan IA-5: AUTHENTICATOR MANAGEMENT 3.6 Use a secure certificate management process Document and implement an enterprise certificate management standard, processes and procedures which include the certificate lifecycle control, and certificate policies (if a public key infrastructure is needed).
Use Azure Key Vault to create and control the certificate lifecycle, including the creation/import, rotation, revocation, storage, and purge of the certificate. Ensure the certificate generation follows the defined standard without using any insecure properties, such as insufficient key size, overly long validity period, insecure cryptography and so on. Set up automatic rotation of the certificate in Azure Key Vault and supported Azure services based on the defined schedule and when a certificate expires. If automatic rotation is not supported in the frontend application, use a manual rotation in Azure Key Vault. Get started with Key Vault certificates: Use AWS Certificate Manager (ACM) to create and control the certificate lifecycle, including creation/import, rotation, revocation, storage, and purge of the certificate. Ensure the certificate generation follows the defined standard without using any insecure properties, such as insufficient key size, overly long validity period, insecure cryptography and so on. Set up automatic rotation of the certificate in ACM and supported AWS services based on the defined schedule and when a certificate expires. If automatic rotation is not supported in the frontend application, use manual rotation in ACM. In the meantime, you should always track your certificate renewal status to ensure the certificate validity.
AWS Certificate Manager - Check a certificate's renewal status: [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates nan [Preview]: Certificates should have the specified maximum validity period nan Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT https://docs.microsoft.com/azure/key-vault/certificates/certificate-scenarios https://docs.aws.amazon.com/acm/latest/userguide/check-certificate-renewal-status.html SC-17: PUBLIC KEY INFRASTRUCTURE CERTIFICATES Ensure certificates used by the critical services in your organization are inventoried, tracked, monitored, and renewed in a timely manner using an automated mechanism to avoid service disruption. Avoid using a self-signed certificate and wildcard certificate in your critical services due to the limited security assurance. Instead, you can create public signed certificates in Azure Key Vault. The following Certificate Authorities (CAs) are the partnered providers that are currently integrated with Azure Key Vault. Avoid using a self-signed certificate and wildcard certificate in your critical services due to the limited security assurance. Instead, create public-signed certificates (signed by the Amazon Certificate Authority) in ACM and deploy them programmatically in services such as CloudFront, Load Balancers, API Gateway etc. You can also use ACM to establish your private certificate authority (CA) to sign the private certificates. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture - DigiCert: Azure Key Vault offers OV TLS/SSL certificates with DigiCert. Certificate Access Control in Azure Key Vault: - GlobalSign: Azure Key Vault offers OV TLS/SSL certificates with GlobalSign.
https://docs.microsoft.com/azure/key-vault/certificates/certificate-access-control Note: Use only an approved CA and ensure that known bad CA root/intermediate certificates issued by these CAs are disabled. Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Note: Use only an approved CA and ensure that known bad root/intermediate certificates issued by these CAs are disabled. Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security DP-8 Data Protection nan nan IA-5: AUTHENTICATOR MANAGEMENT 3.6 Ensure security of key and certificate repository Ensure the security of the key vault service used for the cryptographic key and certificate lifecycle management. Harden your key vault service through access control, network security, logging and monitoring and backup to ensure keys and certificates are always protected using the maximum security. Secure your cryptographic keys and certificates by hardening your Azure Key Vault service through the following controls: Azure Key Vault overview: For cryptographic key security, secure your keys by hardening your AWS Key Management Service (KMS) service through the following controls: Security best practice for AWS Key Management Service: IAM customer managed policies should not allow decryption actions on all KMS keys nan Key vaults should have purge protection enabled nan Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT - Implement access control using RBAC policies in Azure Key Vault Managed HSM at the key level to ensure the least privilege and separation of duties principles are followed. For example, ensure separation of duties is in place for users who manage encryption keys so they do not have the ability to access encrypted data, and vice versa.
For Azure Key Vault Standard and Premium, create unique vaults for different applications to ensure the least privilege and separation of duties principles are followed. https://docs.microsoft.com/azure/key-vault/general/overview - Implement access control using key policies (key-level access control) in conjunction with IAM policies (identity-based access control) to ensure the least privilege and separation of duties principles are followed. For example, ensure separation of duties is in place for users who manage encryption keys so they do not have the ability to access encrypted data, and vice versa. https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys Azure Defender for Key Vault should be enabled SC-17: PUBLIC KEY INFRASTRUCTURE CERTIFICATES - Turn on Azure Key Vault logging to ensure critical management plane and data plane activities are logged. - Use detective controls such as CloudTrail to log and track the usage of keys in KMS and alert you on critical actions. AWS KMS keys should not be unintentionally deleted Key vaults should have soft delete enabled Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture - Secure the Azure Key Vault using Private Link and Azure Firewall to ensure minimal exposure of the service. Azure Key Vault security best practices: - Never store keys in plaintext format outside of KMS. Security in AWS Certificate Manager: [Preview]: Azure Key Vault should disable public network access - Use managed identity to access keys stored in Azure Key Vault in your workload applications. https://docs.microsoft.com/azure/key-vault/general/best-practices - When keys need to be deleted, consider disabling keys in KMS instead of deleting them to avoid accidental deletion of keys and cryptographic erasure of data.
https://docs.aws.amazon.com/acm/latest/userguide/security.html [Preview]: Private endpoint should be configured for Key Vault Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops - When purging data, ensure your keys are not deleted before the actual data, backups and archives are purged. - When purging data, ensure your keys are not deleted before the actual data, backups and archives are purged. Resource logs in Key Vault should be enabled - Backup your keys and certificates using Azure Key Vault. Enable soft delete and purge protection to avoid accidental deletion of keys. When keys need to be deleted, consider disabling keys instead of deleting them to avoid accidental deletion of keys and cryptographic erasure of data. Use managed identity to access Azure Key Vault: - For bring your own key (BYOK) use cases, generate keys in an on-premises HSM and import them to maximize the lifetime and portability of the keys. Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security - For bring your own key (BYOK) use cases, generate keys in an on-premises HSM and import them to maximize the lifetime and portability of the keys. https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad - Never store keys in plaintext format outside of the Azure Key Vault. Keys in all key vault services are not exportable by default. For certificate security, secure your certificates by hardening your AWS Certificate Manager (ACM) service through the following controls: - Use HSM-backed key types (RSA-HSM) in Azure Key Vault Premium and Azure Managed HSM for the hardware protection and the strongest FIPS levels.
Overview of Microsoft Defender for Key Vault: - Implement access control using resource-level policies in conjunction with IAM policies (identity-based access control) to ensure the least privilege and separation of duties principles are followed. For example, ensure separation of duties is in place for user accounts: user accounts who generate certificates are separate from the user accounts who only require read-only access to certificates. https://learn.microsoft.com/azure/defender-for-cloud/defender-for-key-vault-introduction - Use detective controls such as CloudTrail to log and track the usage of the certificates in ACM, and alert you on critical actions. Enable Microsoft Defender for Key Vault for Azure-native, advanced threat protection for Azure Key Vault, providing an additional layer of security intelligence. - Follow the KMS security guidance to secure your private key (generated for certificate request) used for service certificate integration.

MCSB_v1 - DevOps Security

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Azure Implementation and additional context AWS Guidance AWS Implementation and additional context Customer Security Stakeholders: DS-1 DevOps Security nan 16.10 - Apply Secure Design Principles in Application Architectures SA-15: DEVELOPMENT PROCESS, STANDARDS, AND TOOLS 6.5 Conduct threat modeling Perform threat modeling to identify the potential threats and enumerate the mitigating controls. Ensure your threat modeling serves the following purposes: Use threat modeling tools such as the Microsoft threat modeling tool with the Azure threat model template embedded to drive your threat modeling process. Use the STRIDE model to enumerate the threats from both internal and external sources and identify the controls applicable.
Ensure the threat modeling process includes the threat scenarios in the DevOps process, such as malicious code injection through an insecure artifacts repository with misconfigured access control policy. Threat Modeling Overview: Use threat modeling tools such as the Microsoft threat modeling tool with the Azure threat model template embedded to drive your threat modeling process. Use the STRIDE model to enumerate the threats from both internal and external and identify the controls applicable. Ensure the threat modeling process includes the threat scenarios in the DevOps process, such as malicious code injection through an insecure artifacts repository with misconfigured access control policy. Microsoft Threat Modeling Tool: Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards 16.14 - Conduct Threat Modeling 12.2 https://www.microsoft.com/securityengineering/sdl/threatmodeling https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool Secure your applications and services in the production run-time stage. If using a threat modeling tool is not applicable, you should, at minimum, use a questionnaire-based threat modeling process to identify the threats. If using a threat modeling tool is not applicable, you should, at minimum, use a questionnaire-based threat modeling process to identify the threats. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Secure the artifacts, underlying CI/CD pipeline and other tooling environment used for build, test, and deployment. The threat modeling at least should include the following aspects: Application threat analysis (including STRIDE + questionnaire based method): How to approach threat modeling for AWS: Define the security requirements of the application. Ensure these requirements are adequately addressed in the threat modeling. 
Ensure the threat modeling or analysis results are recorded and updated when there is a major security-impact change in your application or in the threat landscape. https://docs.microsoft.com/azure/architecture/framework/security/design-threat-model Ensure the threat modeling or analysis results are recorded and updated when there is a major security-impact change in your application or in the threat landscape. https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/ Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management Analyze application components, data connections and their relationship. Ensure this analysis also includes the upstream and downstream connections outside of your application scope. List the potential threats and attack vectors that your application components, data connections and upstream and downstream services may be exposed to. Azure Template - Microsoft Security Threat Model Stencil: Application threat analysis (including STRIDE + questionnaire based method): Identify the applicable security controls that can be used to mitigate the threats enumerated and identify any controls gaps (e.g., security vulnerabilities) that may require additional treatment plans. https://github.com/AzureArchitecture/threat-model-templates https://docs.microsoft.com/azure/architecture/framework/security/design-threat-model Enumerate and design the controls that can mitigate the vulnerabilities identified. 
DS-2 DevOps Security 18.3 - Verify That Acquired Software is Still Supported 16.4 - Establish and Manage an Inventory of Third-Party Software Components SA-12: SUPPLY CHAIN PROTECTION 6.3 Ensure software supply chain security Ensure your enterprise’s SDLC (Software Development Lifecycle) or process includes a set of security controls to govern the in-house and third-party software components (including both proprietary and open-source software) on which your applications have dependencies. Define gating criteria to prevent vulnerable or malicious components from being integrated and deployed into the environment. For the GitHub platform, ensure the software supply chain security through the following capability or tools from GitHub Advanced Security or GitHub’s native feature: - Use Dependency Graph to scan, inventory and identify all your project’s dependencies and related vulnerabilities through Advisory Database. GitHub Dependency Graph: If you use AWS CI/CD platforms such as CodeCommit or CodePipeline, ensure the software supply chain security using CodeGuru Reviewer to scan the source code (for Java and Python) through the CI/CD workflows. Platforms such as CodeCommit and CodePipeline also support third-party extensions to implement similar controls to inventory, analyze and remediate the third-party software components and their vulnerabilities.
GitHub Dependency Graph: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 18.4 - Only Use Up-to-Date And Trusted Third-Party Components 16.6 - Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities SA-15: DEVELOPMENT PROCESS, STANDARDS, AND TOOLS 6.5 https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph 18.8 - Establish a Process to Accept and Address Reports of Software Vulnerabilities 16.11 - Leverage Vetted Modules or Services for Application Security Components The software supply chain security controls should at least include the following aspects: - Use Dependabot to ensure that the vulnerable dependency is tracked and remediated, and ensure your repository automatically keeps up with the latest releases of the packages and applications it depends on. If you manage your source code through the GitHub platform, ensure the software supply chain security through the following capability or tools from GitHub Advanced Security or GitHub’s native feature: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management - Use GitHub's native code scanning capability to scan the source code when sourcing the code externally. GitHub Dependabot: - Use Dependency Graph to scan, inventory and identify all your project’s dependencies and related vulnerabilities through Advisory Database. GitHub Dependabot: Properly manage a Software Bill of Materials (SBOM) by identifying the upstream dependencies required for the service/resource development, build, integration and deployment phase.
- Use Microsoft Defender for Cloud to integrate vulnerability assessment for your container image in the CI/CD workflow. https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates - Use Dependabot to ensure that the vulnerable dependency is tracked and remediated, and ensure your repository automatically keeps up with the latest releases of the packages and applications it depends on. https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates Inventory and track the in-house and third-party software components for known vulnerability when there is a fix available in the upstream. For Azure DevOps, you can use third-party extensions to implement similar controls to inventory, analyze and remediate the third-party software components and their vulnerabilities - Use GitHub's native code scanning capability to scan the source code when sourcing the code externally. Assess the vulnerabilities and malware in the software components using static and dynamic application testing for unknown vulnerabilities. Identify vulnerable container images in your CI/CD workflows: - If applicable, use Microsoft Defender for Cloud to integrate vulnerability assessment for your container image in the CI/CD workflow. DevOps in AWS: Ensure the vulnerabilities and malware are mitigated using the appropriate approach. This may include source code local or upstream fix, feature exclusion and/or applying compensating controls if the direct mitigation is not available. https://docs.microsoft.com/azure/security-center/defender-for-container-registries-cicd https://aws.amazon.com/devops/ If closed source third-party components are used in your production environment, you may have limited visibility to its security posture. 
You should consider additional controls such as access control, network isolation and endpoint security to minimize the impact if there is a malicious activity or vulnerability associated with the component. Azure DevOps Marketplace - supply chain security: Software Bill of Materials: https://marketplace.visualstudio.com/search?term=tag%3ASupply%20Chain%20Security&target=VSTS https://www.cisa.gov/sbom DS-3 DevOps Security 18.11 - Use Standard Hardening Configuration Templates for Databases 16.7 - Use Standard Hardening Configuration Templates for Application Infrastructure CM-2: BASELINE CONFIGURATION 2.2 Secure DevOps infrastructure Ensure the DevOps infrastructure and pipeline follow security best practices across environments including your build, test, and production stages. This typically includes the security controls for the following scope: As part of applying the Microsoft Cloud Security Benchmark to your DevOps infrastructure security controls, prioritize the following controls: DevSecOps controls overview - secure pipelines: As part of applying the Microsoft Cloud Security Benchmark to the security controls of your DevOps infrastructure, such as GitHub, CodeCommit, CodeArtifact, CodePipeline, CodeBuild and CodeDeploy, prioritize the following controls: AWS Well-architected Framework - security pillar: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops CM-6: CONFIGURATION SETTINGS 6.3 - Protect artifacts and the underlying environment to ensure the CI/CD pipelines don’t become avenues to insert malicious code. For example, review your CI/CD pipeline to identify any misconfiguration in core areas of Azure DevOps such as Organization, Projects, Users, Pipelines (Build & Release), Connections, and Build Agent to identify any misconfigurations such as open access, weak authentication, insecure connection setup and so on.
For GitHub, use similar controls to secure the Organization permission levels. https://docs.microsoft.com/azure/cloud-adoption-framework/secure/devsecops-controls - Refer to this guidance and the AWS Well-architected Framework security pillar to secure your DevOps environments in AWS. https://wa.aws.amazon.com/wat.pillar.security.en.html AC-2: ACCOUNT MANAGEMENT 7.1 - Artifact repositories that store source code, built packages and images, project artifacts and business data. - Ensure your DevOps infrastructure is deployed consistently across development projects. Track compliance of your DevOps infrastructure at scale by using Microsoft Defender for Cloud (such as Compliance Dashboard, Azure Policy, Cloud Posture Management) or your own compliance monitoring tools. - Protect artifacts and the underlying supporting infrastructure to ensure the CI/CD pipelines don’t become avenues to insert malicious code. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management AC-3: ACCESS ENFORCEMENT - Servers, services, and tooling that host CI/CD pipelines. - Configure identity/role permissions and entitlement policies in Azure AD, native services, and CI/CD tools in your pipeline to ensure changes to the pipelines are authorized. Secure your GitHub organization: - Ensure your DevOps infrastructure is deployed and sustained consistently across development projects. Track compliance of your DevOps infrastructure at scale by using AWS Config or your own compliance check solution. AC-6: LEAST PRIVILEGE - CI/CD pipeline configuration. - Avoid providing permanent “standing” privileged access to human accounts such as developers or testers by using features such as Azure managed identities and just-in-time access. https://docs.github.com/en/code-security/getting-started/securing-your-organization - Use CodeArtifact to securely store and share software packages used for application development.
You can use CodeArtifact with popular build tools and package managers such as Maven, Gradle, npm, yarn, pip, and twine. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint - Remove keys, credentials, and secrets from code and scripts used in CI/CD workflow jobs and keep them in a key store or Azure Key Vault. - Configure identity/role permissions and permission policies in AWS IAM, native services, and CI/CD tools in your pipeline to ensure changes to the pipelines are authorized. - If you run self-hosted build/deployment agents, follow Microsoft Cloud Security Benchmark controls including network security, posture and vulnerability management, and endpoint security to secure your environment. Azure DevOps pipeline - Microsoft hosted agent security considerations: - Remove keys, credentials, and secrets from code and scripts used in CI/CD workflow jobs and keep them in a key store or AWS KMS. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture https://docs.microsoft.com/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#security - If you run self-hosted build/deployment agents, follow Microsoft Cloud Security Benchmark controls including network security, posture and vulnerability management, and endpoint security to secure your environment. Use AWS Inspector to scan for vulnerabilities in the EC2 or containerized environment used as the build environment. Note: Refer to the Logging and Threat Detection, DS-7, and the Posture and Vulnerability Management sections to use services such as Azure Monitor and Microsoft Sentinel to enable governance, compliance, operational auditing, and risk auditing for your DevOps infrastructure.
Note: Refer to the Logging and Threat Detection, DS-7, and the Posture and Vulnerability Management sections to use services such as AWS CloudTrail, CloudWatch and Microsoft Sentinel to enable governance, compliance, operational auditing, and risk auditing for your DevOps infrastructure. DS-4 DevOps Security 18.7 - Apply Static and Dynamic Code Analysis Tools 16.12 - Implement Code-Level Security Checks SA-11: DEVELOPER TESTING AND EVALUATION 6.3 Integrate static application security testing into DevOps pipeline Ensure static application security testing (SAST), fuzz testing, interactive testing, and mobile application testing are part of the gating controls in the CI/CD workflow. The gating can be set based on the testing results to prevent vulnerable packages from being committed into the repository, built into the packages, or deployed into production. Integrate SAST into your pipeline (e.g., in your infrastructure as code template) so the source code can be scanned automatically in your CI/CD workflow. Azure DevOps Pipeline or GitHub can integrate the below tools and third-party SAST tools into the workflow. GitHub CodeQL: Integrate SAST into your pipeline so the source code can be scanned automatically in your CI/CD workflow. Building end-to-end AWS DevSecOps CI/CD pipeline with open source SCA, SAST and DAST tools: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 6.5 - GitHub CodeQL for source code analysis. https://codeql.github.com/docs/ https://aws.amazon.com/blogs/devops/building-end-to-end-aws-devsecops-ci-cd-pipeline-with-open-source-sca-sast-and-dast-tools/ - Microsoft BinSkim Binary Analyzer for Windows and *nix binary analysis. If using AWS CodeCommit, use AWS CodeGuru Reviewer for Python and Java source code analysis. AWS CodePipeline can also support integration of third-party SAST tools into the code deployment pipeline.
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management - Azure DevOps Credential Scanner (Microsoft Security DevOps extension) and GitHub native secret scanning for credential scan in the source code. BinSkim Binary Analyzer: https://github.com/microsoft/binskim If using GitHub, the below tools and third-party SAST tools can be integrated into the workflow. - GitHub CodeQL for source code analysis. Azure DevOps Credential Scan: - Microsoft BinSkim Binary Analyzer for Windows and *nix binary analysis. https://secdevtools.azurewebsites.net/helpcredscan.html - GitHub native secret scanning for credential scan in the source code. - AWS CodeGuru Reviewer for Python and Java source code analysis. GitHub secret scanning: https://docs.github.com/en/code-security/secret-security/about-secret-scanning DS-5 DevOps Security 18.7 - Apply Static and Dynamic Code Analysis Tools 16.12 - Implement Code-Level Security Checks SA-11: DEVELOPER TESTING AND EVALUATION 6.3 Integrate dynamic application security testing into DevOps pipeline Ensure dynamic application security testing (DAST) are part of the gating controls in the CI/CD workflow. The gating can be set based on the testing results to prevent vulnerability from building into the packages or deploying into the production. Integrate DAST into your pipeline so the runtime application can be tested automatically in your CI/CD workflow set in Azure DevOps or GitHub. The automated penetration testing (with manual assisted validation) should also be part of the DAST. DAST tools in Azure DevOps marketplace: Integrate DAST into your pipeline so the runtime application can be tested automatically in your CI/CD workflow set in AWS CodePipeline or GitHub. The automated penetration testing (with manual assisted validation) should also be part of the DAST. 
Building end-to-end AWS DevSecOps CI/CD pipeline with open source SCA, SAST and DAST tools: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 6.5 https://marketplace.visualstudio.com/search?term=DAST&target=AzureDevOps&category=All%20categories https://aws.amazon.com/blogs/devops/building-end-to-end-aws-devsecops-ci-cd-pipeline-with-open-source-sca-sast-and-dast-tools/ Azure DevOps Pipeline or GitHub supports the integration of third-party DAST tools into the CI/CD workflow. AWS CodePipeline or GitHub supports integration of third-party DAST tools into the CI/CD workflow. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management DS-6 DevOps Security 5.2 - Deploy System Configuration Management Tools 7.5 - Perform Automated Vulnerability Scans of Internal Enterprise Assets CM-2: BASELINE CONFIGURATION 6.1 Enforce security of workload throughout DevOps lifecycle Ensure the workload is secured throughout the entire lifecycle in the development, testing, and deployment stages. Use Microsoft Cloud Security Benchmark to evaluate the controls (such as network security, identity management, privileged access and so on) that can be set as guardrails by default or shifted left prior to the deployment stage. In particular, ensure the following controls are in place in your DevOps process: Guidance for Azure VMs: Shared Image Gallery overview: Use Amazon Elastic Container Registry to share and control access to your images by different users and roles within your organization. Use AWS IAM to ensure that only authorized users can access your custom images.
AWS ECR image scanning: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 5.3 - Securely Store Master Images 7.6 - Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets CM-6: CONFIGURATION SETTINGS 6.2 - Automate the deployment by using Azure or third-party tooling in the CI/CD workflow, infrastructure management (infrastructure as code), and testing to reduce human error and attack surface. - Use Azure Shared Image Gallery to share and control access to your images by different users, service principals, or AD groups within your organization. Use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access your custom images. https://docs.microsoft.com/azure/virtual-machines/windows/shared-image-galleries https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html 5.4 - Deploy System Configuration Management Tools 7.7 - Remediate Detected Vulnerabilities AC-2: ACCOUNT MANAGEMENT 6.3 - Ensure VMs, container images and other artifacts are secure from malicious manipulation. - Define the secure configuration baselines for the VMs to eliminate unnecessary credentials, permissions, and packages. Deploy and enforce configuration baselines through custom images, Azure Resource Manager templates, and/or Azure Policy guest configuration. Define the secure configuration baselines for the EC2 AMI images to eliminate unnecessary credentials, permissions, and packages. Deploy and enforce configuration baselines through custom AMI images, CloudFormation templates, and/or AWS Config Rules.
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 5.5 - Implement Automated Configuration Monitoring Systems 16.1 - Establish and Maintain a Secure Application Development Process AC-3: ACCESS ENFORCEMENT - Scan the workload artifacts (in other words, container images, dependencies, SAST and DAST scans) prior to the deployment in the CI/CD workflow. How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations AWS Inspector: 18.1 - Establish Secure Coding Practices 16.7 - Use Standard Hardening Configuration Templates for Application Infrastructure AC-6: LEAST PRIVILEGE - Deploy vulnerability assessment and threat detection capability into the production environment and continuously use these capabilities at run-time. Guidance for Azure container services: Use AWS Inspector for vulnerability scanning of VMs and containerized environments, securing them from malicious manipulation. https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture - Use Azure Container Registry (ACR) to create your private container registry where granular access can be restricted through Azure RBAC, so only authorized services and accounts can access the containers in the private registry. Security considerations for Azure Container: - Use Defender for Containers for vulnerability assessment of the images in your private Azure Container Registry. In addition, you can use Microsoft Defender for Cloud to integrate the container image scans as part of your CI/CD workflows.
https://docs.microsoft.com/azure/container-instances/container-instances-image-security For AWS serverless services, use AWS CodePipeline in conjunction with AWS AppConfig to adopt similar controls to ensure security controls "shift left" to the stage prior to deployment. AWS AppConfig: https://docs.aws.amazon.com/appconfig/latest/userguide/getting-started-with-appconfig.html For Azure serverless services, adopt similar controls to ensure security controls "shift left" to the stage prior to deployment. Azure Defender for container registries: https://docs.microsoft.com/azure/security-center/defender-for-container-registries-introduction DS-7 DevOps Security 6.2 - Activate audit logging 8.2 Collect Audit Logs AU-3: CONTENT OF AUDIT RECORDS 10.1 Enable logging and monitoring in DevOps Ensure your logging and monitoring scope includes non-production environments and CI/CD workflow elements used in DevOps (and any other development processes). The vulnerabilities and threats targeting these environments can introduce significant risks to your production environment if they are not monitored properly. The events from the CI/CD build, test and deployment workflow should also be monitored to identify any deviations in the CI/CD workflow jobs. Enable and configure the audit logging capabilities in non-production and CI/CD tooling environments (such as Azure DevOps and GitHub) used throughout the DevOps process. Azure DevOps - audit streaming: Enable and configure AWS CloudTrail for audit logging capabilities in non-production and CI/CD tooling environments (such as AWS CodePipeline, AWS CodeBuild, AWS CodeDeploy, AWS CodeStar) used throughout the DevOps process.
Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center 6.3 - Enable Detailed Logging 8.5 Collect Detailed Audit Logs AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING 10.2 https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming?view=azure-devops https://docs.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3 6.5 - Central Log Management 8.9 Centralize Audit Logs AU-12: AUDIT GENERATION 10.3 Follow Microsoft Cloud Security Benchmark - Logging and Threat Detection as the guideline to implement your logging and monitoring controls for workload. The events generated from Azure DevOps and the GitHub CI/CD workflow, including the build, test and deployment jobs, should also be monitored to identify any anomalous results. The events generated from the AWS CI/CD environments (such as AWS CodePipeline, AWS CodeBuild, AWS CodeDeploy, AWS CodeStar) and the GitHub CI/CD workflow, including the build, test and deployment jobs, should also be monitored to identify any anomalous results. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 6.6 - Deploy SIEM or Log Analytic tool 8.11 Conduct Audit Log Reviews SI-4: INFORMATION SYSTEM MONITORING 10.6 GitHub logging: GitHub Logging: 6.7 - Regularly Review Logs Ingest the above logs and events into Microsoft Sentinel or other SIEM tools through a logging stream or API to ensure the security incidents are properly monitored and triaged for handling. https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization Ingest the above logs and events into AWS CloudWatch, Microsoft Sentinel or other SIEM tools through a logging stream or API to ensure the security incidents are properly monitored and triaged for handling.
https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization Incident preparation: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation 6.8 - Regularly Tune SIEM

MCSB_v1 - Endpoint Security

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context Customer Security Stakeholders: ES-1 Endpoint security 9.4 - Apply Host-Based Firewalls or Port Filtering 13.7 - Deploy a Host-Based Intrusion Prevention Solution SC-3: SECURITY FUNCTION ISOLATION 11.5 Use Endpoint Detection and Response (EDR) Enable Endpoint Detection and Response (EDR) capabilities for VMs and integrate with SIEM and security operations processes. Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) provides EDR capability to prevent, detect, investigate, and respond to advanced threats. Microsoft Defender for servers introduction: Onboard your AWS account into Microsoft Defender for Cloud and deploy Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) on your EC2 instances to provide EDR capabilities to prevent, detect, investigate, and respond to advanced threats.
Protect your endpoints with Defender for Cloud's integrated EDR solution: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security SI-2: FLAW REMEDIATION https://docs.microsoft.com/azure/security-center/defender-for-servers-introduction https://docs.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows SI-3: MALICIOUS CODE PROTECTION Use Microsoft Defender for Cloud to deploy Microsoft Defender for servers on your endpoints and integrate the alerts to your SIEM solution such as Microsoft Sentinel. Alternatively, use Amazon GuardDuty integrated threat intelligence capability to monitor and protect your EC2 instances. Amazon GuardDuty can detect anomalous activities such as activity indicating an instance compromise, such as cryptocurrency mining, malware using domain generation algorithms (DGAs), outbound denial of service activity, unusually high volume of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials use by an external IP address, and data exfiltration using DNS. 
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence SI-16 MEMORY PROTECTION Microsoft Defender for Endpoint overview: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management Microsoft Defender for Cloud feature coverage for machines: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows Connector for Defender for servers integration into SIEM: https://docs.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows ES-2 Endpoint security 8.1 - Utilize Centrally Managed Anti-malware Software 10.1 - Deploy and Maintain Anti-Malware Software SC-3: SECURITY FUNCTION ISOLATION 5.1 Use modern anti-malware software Use anti-malware solutions (also known as endpoint protection) capable of real-time protection and periodic scanning. Microsoft Defender for Cloud can automatically identify the use of a number of popular anti-malware solutions for your virtual machines and on-premises machines with Azure Arc configured, report the endpoint protection running status, and make recommendations. Supported endpoint protection solutions: Onboard your AWS account into Microsoft Defender for Cloud to allow Microsoft Defender for Cloud to automatically identify the use of some popular anti-malware solutions for EC2 instances with Azure Arc configured, report the endpoint protection running status, and make recommendations.
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security SI-2: FLAW REMEDIATION https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions- SI-3: MALICIOUS CODE PROTECTION Microsoft Defender Antivirus is the default anti-malware solution for Windows server 2016 and above. For Windows server 2012 R2, use Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection). For Linux VMs, use Microsoft Defender for Endpoint on Linux for the endpoint protection feature. Deploy Microsoft Defender Antivirus which is the default anti-malware solution for Windows server 2016 and above. For EC2 instances running Windows server 2012 R2, use Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection). For EC2 instances running Linux, use Microsoft Defender for Endpoint on Linux for the endpoint protection feature. Microsoft Defender supported endpoint protection solutions: Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence SI-16 MEMORY PROTECTION How to configure Microsoft Antimalware for Cloud Services and virtual machines: https://docs.microsoft.com/en-us/azure/defender-for-cloud/supported-machines-endpoint-solutions-clouds-servers?tabs=features-windows#supported-endpoint-protection-solutions- For both Windows and Linux, you can use Microsoft Defender for Cloud to discover and assess the health status of the anti-malware solution. https://docs.microsoft.com/azure/security/fundamentals/antimalware For both Windows and Linux, you can use Microsoft Defender for Cloud to discover and assess the health status of the anti-malware solution. 
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management Endpoint protection recommendations in Microsoft Defender for Clouds: Note: You can also use Microsoft Defender for Cloud's Defender for Storage to detect malware uploaded to Azure Storage accounts. Note: Microsoft Defender Cloud also supports certain third-party endpoint protection products for the discovery and health status assessment. https://docs.microsoft.com/en-us/azure/defender-for-cloud/endpoint-protection-recommendations-technical Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management ES-3 Endpoint security 8.2 - Ensure Anti-Malware Software and Signatures are Updated 10.2 - Configure Automatic Anti-Malware Signature Updates SI-2: FLAW REMEDIATION 5.2 Ensure anti-malware software and signatures are updated Ensure anti-malware signatures are updated rapidly and consistently for the anti-malware solution. Follow recommendations in Microsoft Defender for Cloud to keep all endpoints up to date with the latest signatures. Microsoft Antimalware (for Windows) and Microsoft Defender for Endpoint (for Linux) will automatically install the latest signatures and engine updates by default. How to deploy Microsoft Antimalware for Cloud Services and virtual machine: With your AWS account onboarded into Microsoft Defender for Cloud, follow recommendations in Microsoft Defender for Cloud to keep all endpoints up to date with the latest signatures. Microsoft Antimalware (for Windows) and Microsoft Defender for Endpoint (for Linux) will automatically install the latest signatures and engine updates by default. 
Connect your AWS accounts to Microsoft Defender for Cloud: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security SI-3: MALICIOUS CODE PROTECTION 5.3 https://docs.microsoft.com/azure/security/fundamentals/antimalware https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings For third-party solutions, ensure the signatures are updated in the third-party anti-malware solution. For third-party solutions, ensure the signatures are updated in the third-party anti-malware solution. Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence Endpoint protection assessment and recommendations in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management"},{"location":"Azure/Security/MCSB/Governance%20and%20Strategy/","title":"MCSB_v1 - Governance and Strategy","text":"ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle General Guidance Implementation and additional context Customer Security Stakeholders: GS-1 Governance and Strategy 17.2 - Deliver Training to Fill the Skills Gap 14.9 - Conduct Role-Specific Security Awareness and Skills Training PL-9: CENTRAL MANAGEMENT 12.4 Align organization roles, responsibilities and accountabilities N/A Ensure that you define and communicate a clear strategy for roles and responsibilities in your security organization. 
Prioritize providing clear accountability for security decisions, educating everyone on the shared responsibility model, and educate technical teams on technology to secure the cloud. Azure Security Best Practice 1 \u2013 People: Educate Teams on Cloud Security Journey: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions PM-10: SECURITY AUTHORIZATION PROCESS https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#1-people-educate-teams-about-the-cloud-security-journey PM-13: INFORMATION SECURITY WORKFORCE AT-1: SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES Azure Security Best Practice 2 - People: Educate Teams on Cloud Security Technology: AT-3: ROLE-BASED SECURITY TRAINING https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#2-people-educate-teams-on-cloud-security-technology Azure Security Best Practice 3 - Process: Assign Accountability for Cloud Security Decisions: https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#4-process-update-incident-response-ir-processes-for-cloud GS-2 Governance and Strategy 2.10 - Physically or Logically Segregate High Risk Applications 3.12 - Segment Data Processing and Storage Based on Sensitivity AC-4: INFORMATION FLOW ENFORCEMENT 1.2 Define and implement enterprise segmentation/separation of duties strategy N/A Establish an enterprise-wide strategy to segment access to assets using a combination of identity, network, application, subscription, management group, and other controls. 
Security in the Microsoft Cloud Adoption Framework for Azure - Segmentation: Separate to protect All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions 14.1 - Segment the Network Based on Sensitivity SC-7: BOUNDARY PROTECTION 6.4 https://docs.microsoft.com/azure/cloud-adoption-framework/secure/access-control#segmentation-separate-to-protect SC-2: APPLICATION PARTITIONING Carefully balance the need for security separation with the need to enable daily operation of the systems that need to communicate with each other and access data. Security in the Microsoft Cloud Adoption Framework for Azure - Architecture: establish a single unified security strategy: Ensure that the segmentation strategy is implemented consistently in the workload, including network security, identity and access models, and application permission/access models, and human process controls. https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#11-architecture-establish-a-single-unified-security-strategy GS-3 Governance and Strategy 14.1 - Segment the Network Based on Sensitivity 3.1 - Establish and Maintain a Data Management Process AC-4: INFORMATION FLOW ENFORCEMENT 3.1 Define and implement data protection strategy N/A Establish an enterprise-wide strategy for data protection in your cloud environment: Azure Security Benchmark - Data Protection: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions 3.7 - Establish and Maintain a Data Classification Scheme SI-4: INFORMATION SYSTEM MONITORING 3.2 - Define and apply the data classification and protection standard in accordance with the enterprise data management standard and regulatory compliance to dictate the security controls required for each level of the data classification. 
https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-data-protection 3.12 - Segment Data Processing and Storage Based on Sensitivity SC-8: TRANSMISSION CONFIDENTIALITY AND INTEGRITY 3.3 - Set up your cloud resource management hierarchy aligned to the enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems. SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT 3.4 - Define and apply the applicable zero-trust principles in your cloud environment to avoid implementing trust based on network location within a perimeter. Instead, use device and user trust claims to gate access to data and resources. Cloud Adoption Framework - Azure data security and encryption best practices: SC-17: PUBLIC KEY INFRASTRUCTURE CERTIFICATES 3.5 - Track and minimize the sensitive data footprint (storage, transmission, and processing) across the enterprise to reduce the attack surface and data protection cost. Consider techniques such as one-way hashing, truncation, and tokenization in the workload where possible, to avoid storing and transmitting sensitive data in its original form. https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices SC-28: PROTECTION OF INFORMATION AT REST 3.6 - Ensure you have a full lifecycle control strategy to provide security assurance of the data and access keys. RA-2: SECURITY CATEGORIZATION 3.7 Azure Security Fundamentals - Azure Data security, encryption, and storage: 4.1 https://docs.microsoft.com/azure/security/fundamentals/encryption-overview A3.2 GS-4 Governance and Strategy 12.1 - Maintain an Inventory of Network Boundaries 12.2 - Establish and Maintain a Secure Network Infrastructure AC-4: INFORMATION FLOW ENFORCEMENT 1.1 Define and implement network security strategy N/A Establish a cloud network security strategy as part of your organization\u2019s overall security strategy for access control. 
This strategy should include documented guidance, policy, and standards for the following elements: Azure Security Best Practice 11 - Architecture. Single unified security strategy: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions 12.4 - Establish and Maintain Architecture Diagram(s) AC-17: REMOTE ACCESS 1.2 - Design a centralized/decentralized network management and security responsibility model to deploy and maintain network resources. https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy CA-3: SYSTEM INTERCONNECTIONS 1.3 - A virtual network segmentation model aligned with the enterprise segmentation strategy. CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES 1.5 - An Internet edge and ingress and egress strategy. Azure Security Benchmark - Network Security: CM-2: BASELINE CONFIGURATION 4.1 - A hybrid cloud and on-premises interconnectivity strategy. https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-network-security CM-6: CONFIGURATION SETTINGS 6.6 - A network monitoring and logging strategy. CM-7: LEAST FUNCTIONALITY 11.4 - An up-to-date network security artifacts (such as network diagrams, reference network architecture). 
Azure network security overview: SC-1: SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES A2.1 https://docs.microsoft.com/azure/security/fundamentals/network-overview SC-2: APPLICATION PARTITIONING A2.2 SC-5: DENIAL OF SERVICE PROTECTION A2.3 Enterprise network architecture strategy: SC-7: BOUNDARY PROTECTION A3.2 https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture SC-20: SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) SC-21: SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) SI-4: INFORMATION SYSTEM MONITORING GS-5 Governance and Strategy 5.1 - Establish Secure Configurations 4.1 - Establish and Maintain a Secure Configuration Process CA-1: SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES 1.1 Define and implement security posture management strategy N/A Establish a policy, procedure and standard to ensure the security configuration management and vulnerability management are in place in your cloud security mandate. Azure Security Benchmark - Posture and vulnerability management: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure CA-8: PENETRATION TESTING 1.2 https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-posture-vulnerability-management CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES 2.2 The security configuration management in cloud should include the following areas: CM-2: BASELINE CONFIGURATION 6.1 - Define the secure configuration baselines for different resource types in the cloud, such as the web portal/console, management and control plane, and resources running in the IaaS, PaaS and SaaS services. 
Azure Security Best Practice 9 - Establish security posture management: CM-6: CONFIGURATION SETTINGS 6.2 - Ensure the security baselines address the risks in different control areas such as network security, identity management, privileged access, data protection and so on. https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#5-process-establish-security-posture-management RA-1: RISK ASSESSMENT POLICY AND PROCEDURES 6.5 - Use tools to continuously measure, audit, and enforce the configuration to prevent configuration deviating from the baseline. RA-3: RISK ASSESSMENT 6.6 - Develop a cadence to stay updated with security features, for instance, subscribe to the service updates. RA-5: VULNERABILITY SCANNING 11.2 - Utilize a security health or compliance check mechanism (such as Secure Score, Compliance Dashboard in Microsoft Defender for Cloud) to regularly review security configuration posture and remediate the gaps identified. SI-1: SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES 11.3 SI-2: FLAW REMEDIATION 11.5 The vulnerability management in the cloud should include the following security aspects: SI-5: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES - Regularly assess and remediate vulnerabilities in all cloud resource types, such as cloud native services, operating systems, and application components. - Use a risk-based approach to prioritize assessment and remediation. - Subscribe to the relevant CSPM's security advisory notices and blogs to receive the latest security updates. - Ensure the vulnerability assessment and remediation (such as schedule, scope, and techniques) meet the regularly compliance requirements for your organization. 
GS-6 Governance and Strategy 4.5 - Use Multifactor Authentication For All Administrative Access 5.6 - Centralize Account Management AC-1: ACCESS CONTROL POLICY AND PROCEDURES 7.1 Define and implement identity and privileged access strategy N/A Establish a cloud identity and privileged access approach as part of your organization\u2019s overall security access control strategy. This strategy should include documented guidance, policy, and standards for the following aspects: Azure Security Benchmark - Identity management: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions 16.2 - Configure Centralized Point of Authentication 6.5 - Require MFA for Administrative Access AC-2: ACCOUNT MANAGEMENT 7.2 - Centralized identity and authentication system (such as Azure AD) and its interconnectivity with other internal and external identity systems https://docs.microsoft.com//security/benchmark/azure/security-controls-v3-identity-management 6.7 - Centralize Access Control AC-3: ACCESS ENFORCEMENT 7.3 - Privileged identity and access governance (such as access request, review and approval) AC-4: INFORMATION FLOW ENFORCEMENT 8.1 - Privileged accounts in emergency (break-glass) situation Azure Security Benchmark - Privileged access: AC-5: SEPARATION OF DUTIES 8.2 - Strong authentication (passwordless authentication and multifactor authentication) methods in different use cases and conditions https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-privileged-access AC-6: LEAST PRIVILEGE 8.3 - Secure access by administrative operations through web portal/console, command-line and API. IA-1: IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES 8.4 Azure Security Best Practice 11 - Architecture. 
Single unified security strategy: IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) 8.5 For exception cases, where an enterprise system isn\u2019t used, ensure adequate security controls are in place for identity, authentication and access management, and governed. These exceptions should be approved and periodically reviewed by the enterprise team. These exceptions are typically in cases such as: https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy IA-4: IDENTIFIER MANAGEMENT 8.6 - Use of a non-enterprise designated identity and authentication system, such as cloud-based third-party systems (may introduce unknown risks) IA-5: AUTHENTICATOR MANAGEMENT 8.7 - Privileged users authenticated locally and/or use non-strong authentication methods Azure identity management security overview: IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) 8.8 https://docs.microsoft.com/azure/security/fundamentals/identity-management-overview IA-9: SERVICE IDENTIFICATION AND AUTHENTICATION A3.4 SI-4: INFORMATION SYSTEM MONITORING GS-7 Governance and Strategy 6.2 -Activate audit logging 8.1 - Establish and Maintain an Audit Log Management Process AU-1: AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES 10.1 Define and implement logging, threat detection and incident response strategy N/A Establish a logging, threat detection and incident response strategy to rapidly detect and remediate threats and meet compliance requirements. Security operations (SecOps / SOC) team should prioritize high quality alerts and seamless experiences so that they can focus on threats rather than log integration and manual steps. 
Azure Security Benchmark - Logging and threat detection: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions 6.3 - Enable Detailed Logging 13.1 - Centralize Security Event Alerting IR-1: INCIDENT RESPONSE POLICY AND PROCEDURES 10.2 This strategy should include documented policy, procedure and standards for the following aspects: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-logging-threat-detection 6.6 - Deploy SIEM or Log Analytic tool 17.2 - Establish and Maintain Contact Information for Reporting Security Incidents IR-2: INCIDENT RESPONSE TRAINING 10.3 - The security operations (SecOps) organization's role and responsibilities 6.7 - Regularly Review Logs 17.4 - Establish and Maintain an Incident Response Process IR-10: INTEGRATED INFORMATION SECURITY ANALYSIS TEAM 10.4 - A well-defined and regularly tested incident response plan and handling process aligning with NIST SP 800-61 (Computer Security Incident Handling Guide) or other industry frameworks. Azure Security Benchmark - Incident response: 19.1 - Document Incident Response Procedures 17.7 - Conduct Routine Incident Response Exercises SI-1: SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES 10.5 - Communication and notification plan with your customers, suppliers, and public parties of interest. https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-incident-response 19.5 - Maintain Contact Information For Reporting Security Incidents SI-5: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES 10.6 - Simulate both expected and unexpected security events within your cloud environment to understand the effectiveness of your preparation. Iterate on the outcome of your simulation to improve the scale of your response posture, reduce time to value, and further reduce risk. 
19.7 - Conduct Periodic Incident Scenario Sessions for Personnel 10.7 - Preference of using extended detection and response (XDR) capabilities such as Azure Defender capabilities to detect threats in the various areas. Azure Security Best Practice 4 - Process. Update Incident Response Processes for Cloud: 10.8 - Use of cloud native capability (e.g., as Microsoft Defender for Cloud) and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication. https://aka.ms/AzSec4 10.9 - Prepare the necessary runbooks, both manual and automated, to ensure reliable and consistent responses. 12.10 - Define key scenarios (such as threat detection, incident response, and compliance) and set up log capture and retention to meet the scenario requirements. Azure Adoption Framework, logging, and reporting decision guide: A3.5 - Centralized visibility of and correlation information about threats, using SIEM, native cloud threat detection capability, and other sources. https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/logging-and-reporting/ - Post-incident activities, such as lessons learned and evidence retention. Azure enterprise scale, management, and monitoring: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring NIST SP 800-61 Computer Security Incident Handling Guide: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf GS-8 Governance and Strategy 10.1 - Ensure Regular Automated Backups 11.1 - Establish and Maintain a Data Recovery Process CP-1: CONTINGENCY PLANNING POLICY AND PROCEDURES 3.4 Define and implement backup and recovery strategy N/A Establish a backup and recovery strategy for your organization. 
This strategy should include documented guidance, policy, and standards in the following aspects: Azure Security Benchmark - Backup and recovery: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions CP-9: INFORMATION SYSTEM BACKUP - Recovery time objective (RTO) and recovery point objective (RPO) definitions in accordance with your business resiliency objectives, and regulatory compliance requirements. https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-backup-recovery CP-10: INFORMATION SYSTEM RECOVERY AND RECONSTITUTION - Redundancy design (including backup, restore and replication) in your applications and infrastructure for both in cloud and on-premises. Consider regional, region-pairs, cross-regional recovery and off-site storage location as part of your strategy. - Protection of backup from unauthorized access and tempering using controls such as data access control, encryption and network security. Azure Well-Architecture Framework - Backup and disaster recover for Azure applications: https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery - Use of backup and recovery to mitigate the risks from emerging threats, such as ransomware attack. And also secure the backup and recovery data itself from these attacks. - Monitoring the backup and recovery data and operations for audit and alerting purposes. 
Azure Adoption Framework-business continuity and disaster recovery: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery Backup and restore plan to protect against ransomware: https://docs.microsoft.com/azure/security/fundamentals/backup-plan-to-protect-against-ransomware GS-9 Governance and Strategy 8.1 - Utilize Centrally Managed Anti-malware Software 4.4 - Implement and Manage a Firewall on Servers SI-2: FLAW REMEDIATION 5.1 Define and implement endpoint security strategy N/A Establish a cloud endpoint security strategy which includes the following aspects: Azure Security Benchmark - Endpoint security: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions 9.4 - Apply Host-Based Firewalls or Port-Filtering 10.1 - Deploy and Maintain Anti-Malware Software SI-3: MALICIOUS CODE PROTECTION 5.2 - Deploy the endpoint detection and response and antimalware capability into your endpoint and integrate with the threat detection and SIEM solution and security operations process. https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-endpoint-security SC-3: SECURITY FUNCTION ISOLATION 5.3 - Follow Microsoft Cloud Security Benchmark to ensure endpoint related security settings in other respective areas (such as network security, posture vulnerability management, identity and privileged access, and logging and threat detections) are also in place to provide a defense-in-depth protection for your endpoint. 5.4 - Prioritize the endpoint security in your production environment but ensure the non-production environments (such as test and build environment used in the DevOps process) are also secured and monitored, as these environment can also be used to introduce the malware and vulnerabilities into the production. 
Best practices for endpoint security on Azure: 11.5 https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints GS-10 Governance and Strategy 5.1 - Establish Secure Configurations 4.1 - Establish and Maintain a Secure Configuration Process SA-12: SUPPLY CHAIN PROTECTION 2.2 Define and implement DevOps security strategy N/A Mandate the security controls as part of the organization\u2019s DevOps engineering and operation standard. Define the security objectives, control requirements, and tooling specifications in accordance with enterprise and cloud security standards in your organization. Azure Security Benchmark - DevOps security: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions 18.1 - Establish Secure Coding Practices 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure SA-15: DEVELOPMENT PROCESS, STANDARDS, AND TOOLS 6.1 https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-devops-security 18.8 - Establish a Process to Accept and Address Reports of Software Vulnerabilities 16.1 - Establish and Maintain a Secure Application Development\u00a0Process CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES 6.2 Encourage the use of DevOps as an essential operating model in your organization for its benefits in rapidly identifying and remediating vulnerabilities using different type of automations (such as infrastructure as code provision, and automated SAST and DAST scan) throughout the CI/CD workflow. This \u2018shift left\u2019 approach also increases visibility and ability to enforce consistent security checks in your deployment pipeline, effectively deploying security guardrails into the environment ahead of time to avoid last minute security surprises when deploying a workload into production. 
16.2 - Establish and Maintain a Process to Accept and Address Software Vulnerabilities CM-2: BASELINE CONFIGURATION 6.3 Secure DevOps: CM-6: CONFIGURATION SETTINGS 6.5 When shifting security controls left into the pre-deployment phases, implement security guardrails to ensure the controls are deployed and enforced throughout your DevOps process. This technology could include resource deployment templates (such as Azure ARM template) to define guardrails in the IaC (infrastructure as code), resource provisioning and audit to restrict which services or configurations can be provisioned into the environment. https://www.microsoft.com/securityengineering/devsecops AC-2: ACCOUNT MANAGEMENT 7.1 AC-3: ACCESS ENFORCEMENT 10.1 For the run-time security controls of your workload, follow the Microsoft Cloud Security Benchmark to design and implement effective the controls, such as identity and privileged access, network security, endpoint security, and data protection inside your workload applications and services. Cloud Adoption Framework - DevSecOps controls: AC-6: LEAST PRIVILEGE 10.2 https://docs.microsoft.com/azure/cloud-adoption-framework/secure/devsecops-controls SA-11: DEVELOPER TESTING AND EVALUATION 10.3 AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING 10.6 AU-12: AUDIT GENERATION 12.2 SI-4: INFORMATION SYSTEM MONITORING GS-11 Governance and Strategy nan nan nan nan Define and implement multi-cloud security strategy N/A Ensure a multi-cloud strategy is defined in your cloud and security governance, risk management, and operation process which should include the following aspects: Azure hybrid and multicloud: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions - Multi-cloud adoption: For organizations that operate multi-cloud infrastructure and Educate your organization to ensure teams understand the feature difference between the cloud platforms and technology stack. 
Build, deploy, and/or migrate solutions that are portable. Allow for ease of movement between cloud platforms with minimum vendor lock-in while utilizing cloud native features adequately for the optimal result from the cloud adoption. https://docs.microsoft.com/en-us/hybrid/ - Cloud and security operations: Streamline security operations to support the solutions across each cloud, through a central set of governance and management processes which share common operations processes, regardless of where the solution is deployed and operated. - Tooling and technology stack: Choose the appropriate tooling that supports multi-cloud environment to help with establishing unified and centralized management platforms which may include all the security domains discussed in this security benchmark. Azure hybrid and multicloud documentation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/hybrid/scenario-overview AWS to Azure services comparison: https://docs.microsoft.com/en-us/azure/architecture/aws-professional/services Azure for AWS professionals: https://docs.microsoft.com/en-us/azure/architecture/aws-professional/"},{"location":"Azure/Security/MCSB/Identity%20Management/","title":"MCSB_v1 - Identity Management","text":"ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context: Customer Security Stakeholders: IM-1 Identity Management 16.1 - Maintain an Inventory of 6.7 - Centralize Access Control AC-2: ACCOUNT MANAGEMENT 7.2 Use centralized identity and authentication system Use a centralized identity and authentication system to govern your organization's identities and authentications for cloud and non-cloud resources. Azure Active Directory (Azure AD) is Azure's identity and authentication management service. 
You should standardize on Azure AD to govern your organization's identity and authentication in: Tenancy in Azure AD: AWS IAM (Identity and Access Management) is AWS' default identity and authentication management service. Use AWS IAM to govern your AWS identity and access management. Alternatively, through AWS and Azure Single Sign-On (SSO), you can also use Azure AD to manage the identity and access control of AWS to avoid managing duplicate accounts separately in two cloud platforms. AWS IAM: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys Authentication Systems 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA) AC-3: ACCESS ENFORCEMENT 8.3 - Microsoft cloud resources, such as Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications. https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html 16.2 - Configure Centralized IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) - Your organization's resources, such as applications on Azure, third-party applications running on your corporate network resources, and third-party SaaS applications. AWS supports Single Sign-On, which allows you to bridge your corporate third-party identities (such as Windows Active Directory, or other identity stores) with the AWS identities to avoid creating duplicate accounts to access AWS resources. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture Point of Authentication IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) - Your enterprise identities in Active Directory by synchronization to Azure AD to ensure a consistent and centrally managed identity strategy. 
How to create and configure an Azure AD instance: AWS Single Sign-On: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant https://docs.aws.amazon.com/singlesignon/index.html Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops For the Azure services that apply, avoid use of local authentication methods and instead use Azure Active Directory to centralize your service authentications. Define Azure AD tenants: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management Note: As soon as it is technically feasible, you should migrate on-premises Active Directory-based applications to Azure AD. This could be an Azure AD Enterprise Directory, Business to Business configuration, or Business to consumer configuration. https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/ Use external identity providers for an application: https://docs.microsoft.com/azure/active-directory/b2b/identity-providers

IM-2 Identity Management 4.3 - Ensure the Use of Dedicated Administrative Accounts 5.4 - Restrict Administrator Privileges to Dedicated Administrator Accounts AC-2: ACCOUNT MANAGEMENT 8.2 Protect identity and authentication systems Secure your identity and authentication system as a high priority in your organization's cloud security practice. Common security controls include: Use the Azure AD security baseline and the Azure AD Identity Secure Score to evaluate your Azure AD identity security posture, and remediate security and configuration gaps. 
What is the identity secure score in Azure AD: https://docs.microsoft.com/azure/active-directory/fundamentals/identity-secure-score Use the following security best practices to secure your AWS IAM: Security Best Practice in IAM: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys 4.5 - Use Multi-Factor Authentication for All Administrative Access 6.5 - Require MFA for Administrative Access AC-3: ACCESS ENFORCEMENT 8.3 - Restrict privileged roles and accounts The Azure AD Identity Secure Score evaluates Azure AD for the following configurations: - Set up AWS account root user access keys for emergency access as described in PA-5 (Set up emergency access) https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) - Require strong authentication for all privileged access - Use limited administrative roles Best Practices for Securing Active Directory: - Follow least privilege principles for access assignments Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) - Monitor and audit high risk activities - Turn on user risk policy https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory - Leverage IAM groups to apply policies instead of individual user(s). 
IAM Access Advisor: SI-4: INFORMATION SYSTEM MONITORING - Designate more than one global admin - Follow strong authentication guidance in IM-6 (Use strong authentication controls) for all users https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops - Enable policy to block legacy authentication What is Identity Protection? - Use AWS Organizations SCP (Service Control Policy) and permission boundaries - Ensure all users can complete multi-factor authentication for secure access https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection - Use IAM Access Advisor to audit service access IAM Credential Report: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management - Require MFA for administrative roles - Use IAM credential report to track user accounts and credential status https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html - Enable self-service password reset What is Microsoft Defender for Identity? - Do not expire passwords https://learn.microsoft.com/en-us/defender-for-identity/what-is Note: Follow published best practices if you have other identity and authentication systems, e.g., follow the Azure AD security baseline if you use Azure AD to manage AWS identity and access. - Turn on sign-in risk policy - Do not allow users to grant consent to unmanaged applications Use Azure AD Identity Protection to detect, investigate, and remediate identity-based risks. To similarly protect your on-premises Active Directory domain, use Defender for Identity. 
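The IM-2 AWS guidance above tells you to use the IAM credential report to track account and credential status, but not what to look for in it. The following is an added example, not code from the benchmark or from AWS: it parses a credential report and flags the conditions the control cares about (console passwords without MFA, root MFA and root access keys, stale or never-used access keys). The CSV is a constructed sample that reuses the real column names emitted by `aws iam get-credential-report`; the users, account ID and dates are made up, and the clock is frozen so the result is reproducible. In practice, decode the base64 `Content` field of the API response and pass it to `audit_credential_report`.

```python
"""Audit an AWS IAM credential report for weak credential hygiene (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: real column names (a subset), fictional users and dates.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2023-12-01T09:00:00+00:00,not_supported,false,true,2020-01-01T00:00:00+00:00,2023-06-01T00:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-01T00:00:00+00:00,true,2024-01-10T09:00:00+00:00,2023-11-01T00:00:00+00:00,false,true,2022-06-01T00:00:00+00:00,2024-01-09T00:00:00+00:00,false,N/A,N/A
build-bot,arn:aws:iam::111122223333:user/build-bot,2021-03-01T00:00:00+00:00,false,no_information,not_supported,false,true,2023-12-15T00:00:00+00:00,2024-01-09T00:00:00+00:00,true,2022-01-01T00:00:00+00:00,N/A
"""

MAX_KEY_AGE = timedelta(days=90)
# Frozen "now" so the sample evaluates the same way every run (assumption for the example).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


def _parse(ts):
    """Return an aware datetime for a report timestamp, or None for the N/A-style markers."""
    if ts in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(ts)


def audit_credential_report(report_csv, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return (user, finding) tuples for every credential-hygiene problem in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console password without MFA: the gap most phishing and password-spray attacks exploit.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        # Root is reported with password_enabled=not_supported, so check it explicitly.
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "root account without MFA"))
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, f"root access key {slot} is active"))
        # Long-term access keys: rotation age and whether the key is actually used.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > max_key_age:
                findings.append((user, f"access key {slot} older than {max_key_age.days} days"))
            if _parse(row[f"access_key_{slot}_last_used_date"]) is None:
                findings.append((user, f"access key {slot} active but never used"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

The 90-day threshold is an assumption for the example; pick the value your key-rotation standard defines. Run against a real report, the same loop also gives you the list of users to move onto IAM roles or IAM Identity Center, which is the IM-3 and IM-5 guidance below.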
Note: Follow published best practices for all other identity components, including your on-premises Active Directory and any third party capabilities, and the infrastructure (such as operating systems, networks, databases) that host them.

IM-3 Identity Management N/A N/A AC-2: ACCOUNT MANAGEMENT N/A Manage application identities securely and automatically Use managed application identities instead of creating human accounts for applications to access resources and execute code. Managed application identities provide benefits such as reducing the exposure of credentials. Automate the rotation of credentials to ensure the security of the identities. Use Azure managed identities, which can authenticate to Azure services and resources that support Azure AD authentication. Managed identity credentials are fully managed, rotated, and protected by the platform, avoiding hard-coded credentials in source code or configuration files. Azure managed identities: Use AWS IAM roles instead of creating user accounts for resources that support this feature. IAM roles are managed by the platform at the backend and the credentials are temporary and rotated automatically. This avoids creating long-term access keys or a username/password for applications and hard-coded credentials in source code or configuration files. AWS IAM Roles: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys AC-3: ACCESS ENFORCEMENT https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html IA-4: IDENTIFIER MANAGEMENT For services that don't support managed identities, use Azure AD to create a service principal with restricted permissions at the resource level. It is recommended to configure service principals with certificate credentials and fall back to client secrets for authentication. 
You may use service-linked roles which are attached with pre-defined permission policies for access between AWS services instead of customizing your own role permissions for the IAM roles. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops IA-5: AUTHENTICATOR MANAGEMENT Services that support managed identities for Azure resources: Providing access to an AWS service: IA-9: SERVICE IDENTIFICATION AND AUTHENTICATION https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities Note: For services that don't support IAM roles, use access keys but follow the security best practice such as IM-8: Restrict the exposure of credential and secrets to secure your keys. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html Azure service principal: https://docs.microsoft.com/powershell/azure/create-azure-service-principal-azureps Create a service principal with certificates: https://docs.microsoft.com/azure/active-directory/develop/howto-authenticate-service-principal-powershell

IM-4 Identity Management N/A N/A IA-9: SERVICE IDENTIFICATION AND AUTHENTICATION N/A Authenticate server and services Authenticate remote servers and services from your client side to ensure you are connecting to trusted server and services. The most common server authentication protocol is Transport Layer Security (TLS), where the client-side (often a browser or client device) verifies the server by verifying the server's certificate was issued by a trusted certificate authority. Many Azure services support TLS authentication by default. For services that don't support this by default or support TLS disabling, ensure it is always enabled to support the server/service authentication. 
Your client application should also be designed to verify server/service identity (by verifying the server's certificate issued by a trusted certificate authority) in the handshake stage. Enforce Transport Layer Security (TLS) for a storage account: Many AWS services support TLS authentication by default. For services that don't support this by default or support TLS disabling, ensure it is always enabled to support the server/service authentication. Your client application should also be designed to verify server/service identity (by verifying the server's certificate issued by a trusted certificate authority) in the handshake stage. AWS Certificate Manager certificate pinning. Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys https://docs.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal#use-azure-policy-to-enforce-the-minimum-tls-version https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-pinning Note: Mutual authentication can be used when both the server and the client authenticate one-another. Note: Services such as API Management and API Gateway support TLS mutual authentication. Note: Services such as API Gateway support TLS mutual authentication. 
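IM-4 says the client must verify the server's certificate "in the handshake stage"; in practice the failure is almost always a client library configured with verification switched off rather than a missing feature. The following added example (not code from the benchmark or from either cloud provider) uses only Python's standard `ssl` module: `legacy_client_context` reproduces the weak pattern the guidance warns against, `hardened_client_context` is the corrected form, and `audit_context` is the check a reviewer would run over a client's context before trusting it. The `cafile` parameter is an assumption for pinning a private CA bundle; by default the system trust store is used.

```python
"""Weak versus hardened TLS client contexts, and a check that tells them apart (added example)."""
import socket
import ssl


def legacy_client_context():
    # Weak: the server's certificate is never verified, so anything on the path can
    # present its own certificate and impersonate the service. check_hostname must be
    # switched off before verify_mode can be lowered, which is why the order matters.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None):
    # Corrected: verify the chain against a trust store (system store by default, or a
    # pinned private CA bundle via cafile), match the hostname, and refuse anything
    # below TLS 1.2.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return the list of problems that make a client context unsafe; an empty list means OK."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        problems.append("hostname is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol versions below TLS 1.2 are accepted")
    return problems


def connect_and_verify(host, port=443, ctx=None, timeout=5.0):
    """Open a TLS connection with a hardened context.

    Verification happens inside wrap_socket(): a certificate that does not chain to
    the trust store, or whose name does not match `host`, raises
    ssl.SSLCertVerificationError before any application data is sent.
    Returns the negotiated protocol version and the peer certificate subject.
    """
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert().get("subject")


if __name__ == "__main__":
    print("legacy  :", audit_context(legacy_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

`connect_and_verify` needs network access, so it is not exercised offline; the point of keeping it is to show that passing `server_hostname` is what enables hostname matching, and that the same hardened context works for pinning (pass the pinned CA bundle as `cafile`) without any application-level certificate comparison.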
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops SSL certificate for backend authentication: https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html

IM-5 Identity Management 16.2 - Configure Centralized Point of Authentication 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA) IA-4: IDENTIFIER MANAGEMENT N/A Use single sign-on (SSO) for application access Use single sign-on (SSO) to simplify the user experience for authenticating to resources including applications and data across cloud services and on-premises environments. Use Azure AD for workload application access (customer facing) through Azure AD single sign-on (SSO), reducing the need for duplicate accounts. Azure AD provides identity and access management to Azure resources (in the management plane including CLI, PowerShell, portal), cloud applications, and on-premises applications. Understand application SSO with Azure AD: Use AWS Cognito to manage access to your customer facing workload application through single sign-on (SSO) to allow customers to bridge their third-party identities from different identity providers. AWS Single Sign-On: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on https://docs.aws.amazon.com/singlesignon/ IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) Azure AD also supports SSO for enterprise identities such as corporate user identities, as well as external user identities from trusted third-party and public users. 
For SSO access to the AWS native resources (including AWS console access or service management and data plane level access), use AWS Single Sign-On to reduce the need for duplicate accounts. Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys AWS Cognito Single Sign-On Adding SAML identity providers: AWS SSO also allows you to bridge corporate identities (such as identities from Azure Active Directory) with AWS identities, as well as external user identities from trusted third-party and public users. https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops

IM-6 Identity Management 4.2 - Change Default Passwords 6.3 - Require MFA for Externally-Exposed Applications AC-2: ACCOUNT MANAGEMENT 7.2 Use strong authentication controls Enforce strong authentication controls (strong passwordless authentication or multi-factor authentication) with your centralized identity and authentication management system for all access to resources. Authentication based on password credentials alone is considered legacy, as it is insecure and does not stand up to popular attack methods. Azure AD supports strong authentication controls through passwordless methods and multi-factor authentication (MFA). How to enable MFA in Azure: AWS IAM supports strong authentication controls through multi-factor authentication (MFA). MFA can be enforced on all users, select users, or at the per-user level based on defined conditions. 
Using multi-factor authentication (MFA) in AWS: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 4.5 - Use Multifactor Authentication For All Administrative Access 6.4 - Require MFA for Administrative Access AC-3: ACCESS ENFORCEMENT 8.2 - Passwordless authentication: Use passwordless authentication as your default authentication method. There are three options available in passwordless authentication: Windows Hello for Business, Microsoft Authenticator app phone sign-in, and FIDO2 security keys. In addition, customers can use on-premises authentication methods such as smart cards. https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html 12.11 - Require All Remote Logins to Use Multi-Factor Authentication IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) 8.3 When deploying strong authentication, configure administrators and privileged users first, to ensure the highest level of the strong authentication method, quickly followed by rolling out the appropriate strong authentication policy to all users. - Multi-factor authentication: Azure MFA can be enforced on all users, select users, or at the per-user level based on sign-in conditions and risk factors. Enable Azure MFA and follow Microsoft Defender for Cloud identity and access management recommendations for your MFA setup. If you use corporate accounts from a third-party directory (such as Windows Active Directory) with AWS identities, follow the respective security guidance to enforce strong authentication. Refer to the Azure Guidance for this control if you use Azure AD to manage AWS access. 
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys 16.3 - Require Multi-Factor Authentication IA-5: AUTHENTICATOR MANAGEMENT 8.4 Introduction to passwordless authentication options for Azure Active Directory: IAM supported MFA form factors: IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) Note: If legacy password-based authentication is required for legacy applications and scenarios, ensure password security best practices such as complexity requirements, are followed. If legacy password-based authentication is still used for Azure AD authentication, be aware that cloud-only accounts (user accounts created directly in Azure) have a default baseline password policy. And hybrid accounts (user accounts that come from on-premises Active Directory) follow the on-premises password policies. https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless Note: For third-party applications and AWS services that may have default IDs and passwords, you should disable or change them during initial service setup. https://aws.amazon.com/iam/features/mfa/ Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops For third-party applications and services that may have default IDs and passwords, you should disable or change them during initial service setup. 
Azure AD default password policy: https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts Eliminate bad passwords using Azure AD Password Protection: https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad Block legacy authentication: https://docs.microsoft.com/azure/active-directory/conditional-access/block-legacy-authentication

IM-7 Identity Management 12.11 - Require All Remote Logins to Use Multi-Factor Authentication 3.3 - Configure Data Access Control Lists AC-2: ACCOUNT MANAGEMENT 7.2 Restrict resource access based on conditions Explicitly validate trusted signals to allow or deny user access to resources, as part of a zero-trust access model. Signals to validate should include strong authentication of user account, behavioral analytics of user account, device trustworthiness, user or group membership, locations and so on. Use Azure AD conditional access for more granular access controls based on user-defined conditions, such as requiring user logins from certain IP ranges (or devices) to use MFA. Azure AD Conditional Access allows you to enforce access controls on your organization's apps based on certain conditions. Azure Conditional Access overview: Create IAM policy and define conditions for more granular access controls based on user-defined conditions, such as requiring user logins from certain IP ranges (or devices) to use multi-factor authentication. Condition settings may include single or multiple conditions as well as logic. 
Policies and permissions in IAM: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys 12.12 - Manage All Devices Remotely Logging Into Internal Network 6.4 - Require MFA for Administrative Access AC-3: ACCESS ENFORCEMENT https://docs.microsoft.com/azure/active-directory/conditional-access/overview https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html 14.6 - Protect Information Through Access Control Lists 13.5 - Manage Access Control for Remote Assets AC-6: LEAST PRIVILEGE Define the applicable conditions and criteria for Azure AD conditional access in the workload. Consider the following common use cases: Policies can be defined from six different dimensions: identity-based policies, resource-based policies, permissions boundaries, AWS Organizations service control policies (SCP), Access Control Lists (ACL), and session policies. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 16.3 - Require Multi-Factor Authentication - Requiring multi-factor authentication for users with administrative roles Common Conditional Access policies: Conditions key table: - Requiring multi-factor authentication for Azure management tasks https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html#context_keys_table Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management - Blocking sign-ins for users attempting to use legacy authentication protocols - Requiring trusted locations for Azure AD Multi-Factor Authentication registration Conditional Access insights and reporting: Threat intelligence: 
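The IM-7 AWS guidance above is to put conditions on IAM policies, for instance requiring MFA or a source IP range. What the benchmark does not show is how the condition operators combine, and one edge case bites in practice: `aws:MultiFactorAuthPresent` is absent from the request context when a caller uses long-term access keys, and a plain `Bool` condition on an absent key simply does not match, so a "deny when MFA is false" statement written with `Bool` lets access-key traffic through; `BoolIfExists` is the operator that closes that gap. The following is an added example, not AWS code and not the real IAM engine: a small evaluator that models only the parts of the policy language needed to show this (Effect, Action, Resource, the `Bool`, `BoolIfExists`, `StringEquals`, `IpAddress` and `NotIpAddress` operators, explicit-deny-wins ordering). The policy, bucket ARN, CIDR ranges and request contexts are constructed; wildcard matching is approximated with `fnmatch` and real IAM has many more operators and rules.

```python
"""Minimal evaluator for IAM-style policies with Condition blocks (added example)."""
import fnmatch
import ipaddress

CORPORATE_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]  # constructed, documentation ranges


def mfa_gated_policy(mfa_operator="BoolIfExists"):
    """Allow S3 reads, deny everything without MFA, deny everything from outside the office."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
            {"Effect": "Deny", "Action": "*", "Resource": "*",
             "Condition": {mfa_operator: {"aws:MultiFactorAuthPresent": "false"}}},
            {"Effect": "Deny", "Action": "*", "Resource": "*",
             "Condition": {"NotIpAddress": {"aws:SourceIp": CORPORATE_RANGES}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """True when every operator/key pair in the Condition block matches the request context."""
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in keys.items():
            expected = [str(e) for e in _as_list(expected)]
            if key not in ctx:
                # Absent key: ...IfExists treats the test as satisfied; a plain operator
                # does not match, which is the pitfall described in the lead-in.
                if if_exists:
                    continue
                return False
            actual = str(ctx[key])
            if base == "Bool":
                hit = actual.lower() in [e.lower() for e in expected]
            elif base == "StringEquals":
                hit = actual in expected
            elif base in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                hit = any(ip in ipaddress.ip_network(c, strict=False) for c in expected)
                if base == "NotIpAddress":
                    hit = not hit
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if not hit:
                return False
    return True


def _statement_applies(stmt, action, resource, ctx):
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
        return False
    return _condition_matches(stmt.get("Condition", {}), ctx)


def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request. Explicit Deny wins; no match is an implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed request contexts. Long-term access keys carry no aws:MultiFactorAuthPresent key.
OBJECT = "arn:aws:s3:::demo-bucket/report.csv"
CONSOLE_MFA_ONSITE = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "203.0.113.10"}
CONSOLE_NO_MFA = {"aws:MultiFactorAuthPresent": "false", "aws:SourceIp": "203.0.113.10"}
ACCESS_KEY_ONSITE = {"aws:SourceIp": "203.0.113.10"}
CONSOLE_MFA_OFFSITE = {"aws:MultiFactorAuthPresent": "true", "aws:SourceIp": "192.0.2.5"}

if __name__ == "__main__":
    for op in ("Bool", "BoolIfExists"):
        print(op, "access key, no MFA key in context ->",
              evaluate(mfa_gated_policy(op), "s3:GetObject", OBJECT, ACCESS_KEY_ONSITE))
```

The two outcomes for `ACCESS_KEY_ONSITE` are the whole point: with `Bool` the evaluator returns Allow, with `BoolIfExists` it returns Deny. The same shape (a broad Allow plus narrowly conditioned Denies) is how the "require MFA from outside trusted IP ranges" use case in the Azure guidance is expressed on the AWS side.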
https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence - Blocking or granting access from specific locations https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting - Blocking risky sign-in behaviors - Requiring organization-managed devices for specific applications Configure authentication session management with Conditional Access: https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime Note: Granular authentication session management controls can also be implemented through Azure AD conditional access policies such as sign-in frequency and persistent browser session.

IM-8 Identity Management 18.1 - Establish Secure Coding Practices 16.9 - Train Developers in Application Security Concepts and Secure Coding IA-5: AUTHENTICATOR MANAGEMENT 3.5 Restrict the exposure of credential and secrets Ensure that application developers securely handle credentials and secrets: When using a managed identity is not an option, ensure that secrets and credentials are stored in secure locations such as Azure Key Vault, instead of embedding them into the code and configuration files. How to setup Credential Scanner: When using an IAM role for application access is not an option, ensure that secrets and credentials are stored in secure locations such as AWS Secrets Manager or Systems Manager Parameter Store, instead of embedding them into the code and configuration files. 
AWS IAM roles in EC2: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 18.6 - Ensure Software Development Personnel Are Trained in Secure Coding 16.12 - Implement Code-Level Security Checks 6.3 - Avoid embedding the credentials and secrets into the code and configuration files https://secdevtools.azurewebsites.net/helpcredscan.html https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html 18.7 - Apply Static and Dynamic Code Analysis Tools 8.2 - Use key vault or a secure key store service to store the credentials and secrets If you use Azure DevOps and GitHub for your code management platform: Use CodeGuru Reviewer for static code analysis which can detect the secrets hard-coded in your source code. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management - Scan for credentials in source code. - Implement Azure DevOps Credential Scanner to identify credentials within the code. GitHub secret scanning: AWS Secrets Manager integrated services: - For GitHub, use the native secret scanning feature to identify credentials or other forms of secrets within the code. https://docs.github.com/github/administering-a-repository/about-secret-scanning https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating.html Note: This is often governed and enforced through a secure software development lifecycle (SDLC) and DevOps security process. Clients such as Azure Functions, Azure Apps services, and VMs can use managed identities to access Azure Key Vault securely. See Data Protection controls related to the use of Azure Key Vault for secrets management. 
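IM-8 tells you to scan source for credentials with Credential Scanner, GitHub secret scanning or CodeGuru Reviewer, but not what such a scanner actually does. The following is an added example, not code from any of those tools or from the benchmark: a pattern-plus-entropy detector of the kind they run, small enough to wire into a pre-commit hook. It combines format-specific patterns (AWS access key IDs, Azure Storage account keys, PEM private key headers) with a generic "secret-looking assignment" pattern, and uses Shannon entropy to separate a real-looking generic value from a placeholder such as `changeme`. The source text is constructed: `AKIAIOSFODNN7EXAMPLE` is AWS's documented example key, the storage key is a fabricated string of the right length, and the entropy threshold is an assumption to tune on your own code base.

```python
"""Find hard-coded credentials in source text with patterns plus entropy (added example)."""
import math
import re
from collections import Counter

# Illustrative patterns, not an exhaustive set. The generic pattern deliberately has no
# leading \b so that names such as DB_PASSWORD and API_TOKEN are caught.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("azure_storage_account_key", re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_assignment", re.compile(
        r"""(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['"]([^'"\s]{8,})['"]""")),
]
ENTROPY_THRESHOLD = 3.5  # bits/char; assumption chosen so dictionary placeholders fall below it

# Constructed sample. Not a real key: 86 base64 characters plus padding, the storage-key shape.
FAKE_STORAGE_KEY = ("k7Z" * 28) + "xy" + "=="
SAMPLE_SOURCE = f"""\
# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AZURE_STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey={FAKE_STORAGE_KEY};EndpointSuffix=core.windows.net"
DB_PASSWORD = "changeme"
API_TOKEN = "q8Tz4vL1pX9sWk2mN7rB5yHc"
KEY_VAULT_URL = "https://demo-kv.vault.azure.net/"
"""


def shannon_entropy(s):
    """Bits of entropy per character of s; 'changeme' scores 2.75, 24 distinct chars score ~4.58."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_source(text):
    """Return one finding per (line, rule) with a confidence derived from the match type."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            if rule == "generic_assignment":
                # A format-agnostic hit is only worth a developer's time if the value
                # looks random; low-entropy values are reported but marked low confidence.
                value = match.group(2)
                confidence = "high" if shannon_entropy(value) >= ENTROPY_THRESHOLD else "low"
            else:
                confidence = "high"  # the format itself identifies the credential type
            findings.append({"line": lineno, "rule": rule, "confidence": confidence})
    return findings


def high_confidence(findings):
    return [f for f in findings if f["confidence"] == "high"]


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['rule']} ({f['confidence']})")
```

A pre-commit hook would fail the commit on any high-confidence finding and print the low ones as warnings; the rotation notes below apply to every key such a scan does find, because a credential that has ever been committed has to be treated as exposed even after the line is removed.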
CodeGuru Reviewer Secrets Detection: https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/recommendations.html Note: Azure Key Vault provides automatic rotation for supported services. For secrets which cannot be automatically rotated, ensure they are manually rotated periodically and purged when no longer in use. Note: Secrets Manager provides automatic secrets rotation for supported services. For secrets which cannot be automatically rotated, ensure they are manually rotated periodically and purged when no longer in use.

IM-9 Identity Management 12.10 Decrypt Network Traffic at Proxy 6.7 - Centralize Access Control AC-2: ACCOUNT MANAGEMENT N/A Secure user access to existing applications In a hybrid environment, where you have on-premises applications or non-native cloud applications using legacy authentication, consider solutions such as cloud access security broker (CASB), application proxy, single sign-on (SSO) to govern the access to these applications for the following benefits: Protect your on-premises and non-native cloud applications using legacy authentication by connecting them to: Azure AD Application Proxy: Follow Azure's guidance to protect your on-premises and non-native cloud applications using legacy authentication by connecting them to: AWS Marketplace Application Proxy solutions: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 16.2 Configure Centralized Point of Authentication 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA) AC-3: ACCESS ENFORCEMENT - Enforce a centralized strong authentication - Azure AD Application Proxy and configure header-based authentication to allow single sign-on (SSO) access to the applications for remote users while explicitly validating the trustworthiness of both remote users and devices with Azure AD 
Conditional Access. If required, use a third-party Software-Defined Perimeter (SDP) solution which can offer similar functionality. https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy https://aws.amazon.com/marketplace/search/results?searchTerms=Application+proxy SC-11: TRUSTED PATH - Monitor and control risky end-user activities - Microsoft Defender for Cloud Apps which serves as a cloud access security broker (CASB) service to monitor and block user access to unapproved third-party SaaS applications. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture - Monitor and remediate risky legacy applications activities - Your existing third-party application delivery controllers and networks. Microsoft Cloud App Security best practices: AWS Marketplace CASB solutions: - Detect and prevent sensitive data transmission https://docs.microsoft.com/cloud-app-security/best-practices https://aws.amazon.com/marketplace/search/results?searchTerms=CASB Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Note: VPNs are commonly used to access legacy applications and often only have basic access control and limited session monitoring. 
Azure AD secure hybrid access: https://docs.microsoft.com/azure/active-directory/manage-apps/secure-hybrid-access

MCSB_v1 - Incident Response

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context Customer Security Stakeholders:

IR-1 Incident Response 19.1 - Document Incident Response Procedures 17.4 - Establish and Maintain an Incident Response Process IR-4: INCIDENT HANDLING 10.8 Preparation - update incident response plan and handling process Ensure your organization follows industry best practice to develop processes and plans to respond to security incidents on the cloud platforms. Be mindful about the shared responsibility model and the variances across IaaS, PaaS, and SaaS services. This will have a direct impact on how you collaborate with your cloud provider in incident response and handling activities, such as incident notification and triage, evidence collection, investigation, eradication, and recovery. Update your organization's incident response process to include the handling of incidents in the Azure platform. Based on the Azure services used and your application nature, customize the incident response plan and playbook to ensure they can be used to respond to the incident in the cloud environment. Implement security across the enterprise environment: Update your organization's incident response process to include the handling of incidents. Ensure a unified multi-cloud incident response plan is in place by updating your organization's incident response process to include the handling of incidents in the AWS platform. 
Based on the AWS services used and your application nature, follow the AWS Security Incident Response Guide to customize the incident response plan and playbook to ensure they can be used to respond to the incident in the cloud environment. AWS Security Incident Response Guide: https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/welcome.html Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center 19.7 - Conduct Periodic Incident Scenario Sessions for Personnel 17.7 - Conduct Routine Incident Response Exercises IR-8: INCIDENT RESPONSE PLAN https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#4-process-update-incident-response-processes-for-cloud Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation Regularly test the incident response plan and handling process to ensure they're up to date. Incident response reference guide: https://docs.microsoft.com/microsoft-365/downloads/IR-Reference-Guide.pdf Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence NIST SP800-61 Computer Security Incident Handling Guide https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf Incident response overview: https://docs.microsoft.com/en-us/security/compass/incident-response-overview

IR-2 Incident Response 19.2 - Assign Job Titles and Duties for Incident Response 17.1 - Designate Personnel to Manage Incident Handling IR-4: INCIDENT HANDLING 12.1 Preparation - setup incident contact information Ensure the security alerts and incident notification from the cloud service provider's platform and your environments can be received by the correct contact in your incident response organization. Set up security incident contact information in Microsoft Defender for Cloud. 
This contact information is used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alerts and notification in different Azure services based on your incident response needs. How to set the Microsoft Defender for Cloud security contact: Set up security incident contact information in AWS Systems Manager Incident Manager (the incident management center for AWS). This contact information is used for incident management communication between you and AWS through the different channels (i.e., Email, SMS, or Voice). You can define a contact's engagement plan and escalation plan to describe how and when the Incident Manager engages the contact and to escalate if the contact(s) does not response to an incident. Incident Manager Contact: https://docs.aws.amazon.com/incident-manager/latest/userguide/contacts.html Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center 19.3 - Designate Management Personnel to Support Incident Handling 17.3 - Establish and Maintain an Enterprise Process for Reporting Incidents IR-8: INCIDENT RESPONSE PLAN https://docs.microsoft.com/azure/security-center/security-center-provide-security-contact-details 19.4 - Devise Organization-wide Standards for Reporting Incidents 17.6 - Define Mechanisms for Communicating During Incident Response IR-5: INCIDENT MONITORING Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation 19.5 - Maintain Contact Information For Reporting Security Incidents IR-6: INCIDENT REPORTING IR-3 Incident Response 19.8 - Create Incident Scoring and Prioritization Schema 17.9 - Establish and Maintain Security Incident Thresholds IR-4: INCIDENT HANDLING 10.8 Detection and analysis - create incidents based on high-quality alerts Ensure you have a 
process to create high-quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives. Microsoft Defender for Cloud provides high-quality alerts across many Azure assets. You can use the Microsoft Defender for Cloud data connector to stream the alerts to Microsoft Sentinel. Microsoft Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation. How to configure export: Use security tools like SecurityHub or GuardDuty and other third-party tools to send alerts to Amazon CloudWatch or Amazon EventBridge so incidents can be automatically created in Incident Manager based on the defined criteria and rule sets. You can also manually create incidents in the Incident Manager for further incident handling and tracking. Incident creation in Incident Manager: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center IR-5: INCIDENT MONITORING https://docs.microsoft.com/azure/security-center/continuous-export https://docs.aws.amazon.com/incident-manager/latest/userguide/incident-creation.html IR-7 INCIDENT RESPONSE ASSISTANCE High-quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources. Export your Microsoft Defender for Cloud alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion. If you use Microsoft Defender for Cloud to monitor your AWS accounts, you can also use Microsoft Sentinel to monitor and alert the incidents identified by Microsoft Defender for Cloud on AWS resources. 
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation How to stream alerts into Microsoft Sentinel: How Defender for Cloud Apps helps protect your Amazon Web Services (AWS) environment: https://docs.microsoft.com/azure/sentinel/connect-azure-security-center https://docs.microsoft.com/en-us/defender-cloud-apps/protect-aws Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence IR-4 Incident Response nan nan IR-4: INCIDENT HANDLING 12.1 Detection and analysis - investigate an incident Ensure the security operation team can query and use diverse data sources as they investigate potential incidents, to build a full view of what happened. Diverse logs should be collected to track the activities of a potential attacker across the kill chain to avoid blind spots. You should also ensure insights and learnings are captured for other analysts and for future historical reference. Ensure your security operations team can query and use diverse data sources that are collected from the in-scope services and systems. In addition, it sources can also include: Snapshot a Windows machine's disk: The data sources for investigation are the centralized logging sources that collect from the in-scope services and running systems, but can also include: Traffic Mirroring: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center - Identity and access log data: Use Azure AD logs and workload (such as operating systems or application level) access logs for correlating identity and access events. https://docs.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk - Identity and access log data: Use IAM logs and workload (such as operating systems or application level) access logs for correlating identity and access events. 
https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html Use the cloud native SIEM and incident management solution if your organization does not have an existing solution to aggregate security logs and alerts information. Correlate incident data based on the data sourced from different sources to facility the incident investigations. - Network data: Use network security groups' flow logs, Azure Network Watcher, and Azure Monitor to capture network flow logs and other analytics information. - Network data: Use VPC Flow Logs, VPC Traffic Mirrors, and Azure CloudTrail and CloudWatch to capture network flow logs and other analytics information. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation - Incident related activity data of from snapshots of the impacted systems, which can be obtained through: Snapshot a Linux machine's disk: - Snapshots of running systems, which can be obtained through: Creating EBS volume backups with AMIs and EBS snapshots: a) The azure virtual machine's snapshots capability, to create a snapshot of the running system's disk. https://docs.microsoft.com/azure/virtual-machines/linux/snapshot-copy-managed-disk a) Snapshot capability in Amazon EC2(EBS) to create a snapshot of the running system's disk. https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/ec2-backup.html Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence b) The operating system's native memory dump capability, to create a snapshot of the running system's memory. b) The operating system's native memory dump capability, to create a snapshot of the running system's memory. c) The snapshot feature of the other supported Azure services or your software's own capability, to create snapshots of the running systems. 
Microsoft Azure Support diagnostic information and memory dump collection: c) The snapshot feature of the AWS services or your software's own capability, to create snapshots of the running systems. https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/use-immutable-storage.html https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/ Microsoft Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information during an investigation can be associated with an incident for tracking and reporting purposes. If you aggregate your SIEM related data into Microsoft Sentinel, it provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information during an investigation can be associated with an incident for tracking and reporting purposes. Investigate incidents with Azure Sentinel: Note: When incident related data is captured for investigation, ensure there is adequate security in place to protect the data from unauthorized alteration, such as disabling logging or removing logs, which can be performed by the attackers during an in-flight data breach activity. https://docs.microsoft.com/azure/sentinel/tutorial-investigate-cases Note: When incident related data is captured for investigation, ensure there is adequate security in place to protect the data from unauthorized alteration, such as disabling logging or removing logs, which can be performed by the attackers during an in-flight data breach activity. 
IR-5 Incident Response 19.8 - Create Incident Scoring and Prioritization Schema 17.4 - Establish and Maintain an Incident Response Process IR-4: INCIDENT HANDLING 12.1 Detection and analysis - prioritize incidents Provide context to security operations teams to help them determine which incidents ought to first be focused on, based on alert severity and asset sensitivity defined in your organization\u2019s incident response plan. Microsoft Defender for Cloud assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Microsoft Defender for Cloud is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert. Security alerts in Microsoft Defender for Cloud: For each incident created in the Incident Manager, assign an impact level based on your organization's defined criteria, such as a measure of the severity of the incident and criticality level of the assets impacted. Define your naming convention best practice: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center 17.9 - Establish and Maintain Security Incident Thresholds https://docs.microsoft.com/azure/security-center/security-center-alerts-overview https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming Additionally, mark resources using tags and create a naming system to identify and categorize your cloud resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the resources and environment where the incident occurred. Similarly, Microsoft Sentinel creates alerts and incidents with an assigned severity and other details based on analytics rules. 
Use analytic rule templates and customize the rules according to your organization's needs to support incident prioritization. Use automation rules in Microsoft Sentinel to manage and orchestrate threat response in order to maximize your security operation's team efficiency and effectiveness, including tagging incidents to classify them. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation Use tags to organize your Azure resources: https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence Create incidents from Microsoft security alerts: https://learn.microsoft.com/azure/sentinel/create-incidents-from-alerts IR-6 Incident Response nan nan IR-4: INCIDENT HANDLING 12.1 Containment, eradication and recovery - automate the incident handling Automate the manual, repetitive tasks to speed up response time and reduce the burden on analysts. Manual tasks take longer to execute, slowing each incident and reducing how many incidents an analyst can handle. Manual tasks also increase analyst fatigue, which increases the risk of human error that causes delays and degrades the ability of analysts to focus effectively on complex tasks. Use workflow automation features in Microsoft Defender for Cloud and Microsoft Sentinel to automatically trigger actions or run a playbooks to respond to incoming security alerts. Playbooks take actions, such as sending notifications, disabling accounts, and isolating problematic networks. Configure workflow automation in Security Center: If you use Microsoft Sentinel to centrally manage your incident, you can also create automated actions or run a playbooks to respond to incoming security alerts. 
AWS Systems Manager - runbooks and automation: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center IR-5: INCIDENT MONITORING https://docs.microsoft.com/azure/security-center/workflow-automation https://docs.aws.amazon.com/incident-manager/latest/userguide/runbooks.html IR-6: INCIDENT REPORTING Alternatively, use automation features in AWS System Manager to automatically trigger actions defined in the incident response plan, including notifying the contacts and/or running a runbook to respond to alerts, such as disabling accounts, and isolating problematic networks. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation Set up automated threat responses in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/tutorial-security-incident#triage-security-alerts Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence Set up automated threat responses in Microsoft Sentinel: https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook IR-7 Incident Response nan 17.8 - Conduct Post-Incident Reviews IR-4 INCIDENT HANDLING 12.1 Post-incident activity - conduct lesson learned and retain evidence Conduct lessons learned in your organization periodically and/or after major incidents, to improve your future capability in incident response and handling. Use the outcome from the lessons learned activity to update your incident response plan, playbook (such as a Microsoft Sentinel playbook) and reincorporate findings into your environments (such as logging and threat detection to address any gaps in logging) to improve your future capability in detecting, responding, and handling of incidents in Azure. 
Incident response process - Post-incident cleanup: Create incident analysis for a closed incident in Incident Manager using the standard incident analysis template or your own custom template. Use the outcome from the lessons learned activity to update your incident response plan, playbook (such as the AWS Systems Manager runbook and Microsoft Sentinel playbook) and reincorporate findings into your environments (such as logging and threat detection to address any gaps in logging) to improve your future capability in detecting, responding, and handling of the incidents in AWS. Post-incident analysis: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center https://docs.microsoft.com/security/compass/incident-response-process#2-post-incident-cleanup https://docs.aws.amazon.com/incident-manager/latest/userguide/analysis.html Based on the nature of the incident, retain the evidence related to the incident for the period defined in the incident handling standard for further analysis or legal actions. Keep the evidence collected during the \"Detection and analysis - investigate an incident step\" such as system logs, network traffic dumps and running system snapshots in storage such as an Azure Storage account for immutable retention. Keep the evidence collected during the \"Detection and analysis - investigate an incident step\" such as system logs, network traffic dumps and running system snapshot in storage such as an Amazon S3 bucket or Azure Storage account for immutable retention. 
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence"},{"location":"Azure/Security/MCSB/Logging%20and%20Threat%20Detection/","title":"MCSB_v1 - Logging and Threat Detection","text":"ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 AWS Config Rule (WIP) Customer Security Stakeholders: LT-1 Logging and threat detection 6.7 - Regularly Review Logs 8.11 - Conduct Audit Log Reviews AU-3: CONTENT OF AUDIT RECORDS Enable threat detection capabilities To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies. Configure your alert filtering and analytics rules to extract high-quality alerts from log data, agents, or other data sources to reduce false positives. Use the threat detection capability of Microsoft Defender for Cloud for the respective Azure services. Introduction to Microsoft Defender for Cloud: Use Amazon GuardDuty for threat detection which analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, and DNS logs. GuardDuty is capable of reporting on security issues such as privilege escalation, exposed credential usage , or communication with malicious IP addresses, or domains. 
Amazon GuardDuty: nan Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html AU-12: AUDIT GENERATION For threat detection not included in Microsoft Defender services, refer to Microsoft Cloud Security Benchmark service baselines for the respective services to enable the threat detection or security alert capabilities within the service. Ingest alerts and log data from Microsoft Defender for Cloud, Microsoft 365 Defender, and log data from other resources into your Azure Monitor or Microsoft Sentinel instances to build analytics rules, which hunt detect threats and create alerts that match specific criteria across your environment. Configure AWS Config to check rules in SecurityHub for compliance monitoring such as configuration drift, and create findings when needed. Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center SI-4: INFORMATION SYSTEM MONITORING Microsoft Defender for Cloud security alerts reference guide: Amazon GuardDuty data sources: For Operational Technology (OT) environments that include computers that control or monitor Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) resources, use Microsoft Defender for IoT to inventory assets and detect threats and vulnerabilities. https://docs.microsoft.com/azure/security-center/alerts-reference For threat detection not included in GuardDuty and SecurityHub, enable threat detection or security alert capabilities within the supported AWS services. Extract the alerts to your CloudTrail, CloudWatch, or Microsoft Sentinel to build analytics rules, which hunt threats that match specific criteria across your environment. 
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management For services that do not have a native threat detection capability, consider collecting the data plane logs and analyze the threats through Microsoft Sentinel. Create custom analytics rules to detect threats: You can also use Microsoft Defender for Cloud to monitor certain services in AWS such as EC2 instances. Connect your AWS accounts to Microsoft Defender for Cloud: Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings For Operational Technology (OT) environments that include computers that control or monitor Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) resources, use Microsoft Defender for IoT to inventory assets and detect threats and vulnerabilities. 
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence Threat indicators for cyber threat intelligence in Microsoft Sentinel: How Defender for Cloud Apps helps protect your Amazon Web Services (AWS) environment https://docs.microsoft.com/azure/architecture/example-scenario/data/sentinel-threat-intelligence https://docs.microsoft.com/en-us/defender-cloud-apps/protect-aws Security recommendations for AWS resources - a reference guide: https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-aws LT-2 Logging and threat detection 4.9 - Log and Alert on Unsuccessful Administrative Account Login 8.11 - Conduct Audit Log Reviews AU-3: CONTENT OF AUDIT RECORDS 10.6 Enable threat detection for identity and access management Detect threats for identities and access management by monitoring the user and application sign-in and access anomalies. Behavioral patterns such as excessive number of failed login attempts, and deprecated accounts in the subscription, should be alerted. Azure AD provides the following logs that can be viewed in Azure AD reporting or integrated with Azure Monitor, Microsoft Sentinel or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases: Audit activity reports in Azure AD: AWS IAM provides the following reporting the logs and reports for console user activities through IAM Access Advisor and IAM credential report: IAM credential reports: nan Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint 6.7 - Regularly Review Logs AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING 10.8 - Sign-ins: The sign-ins report provides information about the usage of managed applications and user sign-in activities. https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs - Every successful sign-in and unsuccessful login attempts. 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html 16.13 - Alert on Account Login Behavior Deviation AU-12: AUDIT GENERATION A3.5 - Audit logs: Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies. - Multi-factor authentication (MFA) status for each user. Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center SI-4: INFORMATION SYSTEM MONITORING - Risky sign-ins: A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account. Enable Azure Identity Protection: - Dormant IAM user GuardDuty data source: - Users flagged for risk: A risky user is an indicator for a user account that might have been compromised. https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management For API level access monitoring and threat detection, use Amazon GuadDuty to identify the findings related to the IAM. Examples of these findings include: Azure AD also provides an Identity Protection module to detect and remediate risks related to user accounts and sign-in behaviors. Examples of risks include leaked credentials, sign-in from anonymous or malware linked IP addresses, password spray. The policies in Azure AD Identity Protection allow you to enforce risk-based MFA authentication in conjunction with Azure Conditional Access on user accounts. 
Threat protection in Microsoft Defender for Cloud: - An API used to gain access to an AWS environment and was invoked in an anomalous way, or was used to evade defensive measures GuardDuty IAM finding types: Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops https://docs.microsoft.com/azure/security-center/threat-protection - An API used to: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html In addition, Microsoft Defender for Cloud can be configured to alert on deprecated accounts in the subscription and suspicious activities such as an excessive number of failed authentication attempts. In addition to the basic security hygiene monitoring, Microsoft Defender for Cloud's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (such as virtual machines, containers, app service), data resources (such as SQL DB and storage), and Azure service layers. This capability allows you to see account anomalies inside the individual resources. a) discover resources was invoked in an anomalous way Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence Overview of Microsoft Defender for Identity: b) collect data from an AWS environment was invoked in an anomalous way. Note: If you are connecting your on-premises Active Directory for synchronization, use the Microsoft Defender for Identity solution to consume your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. https://learn.microsoft.com/defender-for-identity/what-is b) tamper with data or processes in an AWS environment was invoked in an anomalous way. c) gain unauthorized access to an AWS environment was invoked in an anomalous way. 
d) maintain unauthorized access to an AWS environment was invoked in an anomalous way. e) obtain high-level permissions to an AWS environment was invoked in an anomalous way. f) be invoked from a known malicious IP address. g) be invoked using root credentials. - AWS CloudTrail logging was disabled. - Account password policy was weakened. - Multiple worldwide successful console logins were observed. - Credentials that were created exclusively for an EC2 instance through an Instance launch role are being used from another account within AWS. - Credentials that were created exclusively for an EC2 instance through an Instance launch role are being used from an external IP address. - An API was invoked from a known malicious IP address. - An API was invoked from an IP address on a custom threat list. - An API was invoked from a Tor exit node IP address. LT-3 Logging and threat detection 6.2 - Activate Audit Logging 8.2 - Collect Audit Logs AU-3: CONTENT OF AUDIT RECORDS 10.1 Enable logging for security investigation Enable logging for your cloud resources to meet the requirements for security incident investigations and security response and compliance purposes. Enable logging capability for resources at the different tiers, such as logs for Azure resources, operating systems and applications inside in your VMs and other log types. Understand logging and different log types in Azure: Use AWS CloudTrail logging for management events (control plane operations) and data events (data plane operations) and monitor these trails with CloudWatch for automated actions. 
LT-3 (continued)
CIS Controls v7.1: 6.3 - Enable Detailed Logging; 8.8 - Enable Command-Line Audit Logging
CIS Controls v8: 8.5 - Collect Detailed Audit Logs; 8.12 - Collect Service Provider Logs
NIST SP800-53 r4: AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS v3.2.1: 10.2; 10.3
Security Principle: Be mindful about different types of logs for security, audit, and other operational logs at the management/control plane and data plane tiers.
Azure Guidance: There are three types of logs available on the Azure platform:
- Azure resource log: Logging of operations that are performed within an Azure resource (the data plane). For example, getting a secret from a key vault or making a request to a database. The content of resource logs varies by the Azure service and resource type.
- Azure activity log: Logging of operations on each Azure resource at the subscription layer, from the outside (the management plane). You can use the Activity Log to determine what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. There is a single Activity log for each Azure subscription.
- Azure Active Directory logs: Logs of the history of sign-in activity and audit trail of changes made in the Azure Active Directory for a particular tenant.
You can also use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collecting on Azure resources.
Implementation and additional context (Azure):
- https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview
- Understand Microsoft Defender for Cloud data collection: https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection
- Enable and configure antimalware monitoring: https://docs.microsoft.com/azure/security/fundamentals/antimalware#enable-and-configure-antimalware-monitoring-using-powershell-cmdlets
- Operating systems and application logs inside your compute resources: https://docs.microsoft.com/azure/azure-monitor/agents/data-sources#operating-system-guest
AWS Guidance: The Amazon CloudWatch Logs service allows you to collect and store logs from your resources, applications, and services in near real time. There are three main categories of logs:
- Vended logs: Logs natively published by AWS services on your behalf. Currently, Amazon VPC Flow Logs and Amazon Route 53 logs are the two supported types. These two logs are enabled by default.
- Logs published by AWS services: Logs from more than 30 AWS services publish to CloudWatch. They include Amazon API Gateway, AWS Lambda, AWS CloudTrail, and many others. These logs can be enabled directly in the services and CloudWatch.
- Custom logs: Logs from your own application and on-premises resources. You may need to collect these logs by installing CloudWatch Agent in your operating systems and forward them to CloudWatch.
While many services publish logs only to CloudWatch Logs, some AWS services can publish logs directly to Amazon S3 or Amazon Kinesis Data Firehose, where you can use different logging storage and retention policies.
Implementation and additional context (AWS):
- Enabling logging from certain AWS services: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html
- https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/monitoring-and-logging.html
- https://aws.amazon.com/cloudwatch/features/
Customer Security Stakeholders: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint; Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center; Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management; Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops; Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence

LT-4 | Logging and threat detection | Enable network logging for security investigation
CIS Controls v7.1: 6.2 - Activate Audit Logging; 6.3 - Enable Detailed Logging; 7.6 - Log All URL Requests; 8.7 - Enable DNS Query Logging; 12.8 - Deploy NetFlow Collection on Networking Boundary Devices
CIS Controls v8: 8.2 - Collect Audit Logs; 8.5 - Collect Detailed Audit Logs; 8.6 - Collect DNS Query Audit Logs; 8.7 - Collect URL Request Audit Logs; 13.6 - Collect Network Traffic Flow Logs
NIST SP800-53 r4: AU-3: CONTENT OF AUDIT RECORDS; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS v3.2.1: 10.8
Security Principle: Enable logging for your network services to support network-related incident investigations, threat hunting, and security alert generation. The network logs may include logs from network services such as IP filtering, network and application firewall, DNS, flow monitoring and so on. Collect DNS query logs to assist in correlating other network data.
Azure Guidance: Enable and collect network security group (NSG) resource logs, NSG flow logs, Azure Firewall logs, and Web Application Firewall (WAF) logs, and logs from virtual machines via the network traffic data collection agent for security analysis to support incident investigations and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide insights.
Implementation and additional context (Azure):
- How to enable network security group flow logs: https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-portal
- Azure Firewall logs and metrics: https://docs.microsoft.com/azure/firewall/logs-and-metrics
- Azure networking monitoring solutions in Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics
- Gather insights about your DNS infrastructure with the DNS Analytics solution: https://docs.microsoft.com/azure/azure-monitor/insights/dns-analytics
AWS Guidance: Enable and collect network logs such as VPC Flow Logs, WAF Logs, and Route 53 Resolver query logs for security analysis to support incident investigations and security alert generation. The logs can be exported to CloudWatch for monitoring or an S3 storage bucket for ingesting into the Microsoft Sentinel solution for centralized analytics.
Implementation and additional context (AWS):
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html
Customer Security Stakeholders: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center; Infrastructure and endpoint security; Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops; Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence

LT-5 | Logging and threat detection | Centralize security log management and analysis
CIS Controls v7.1: 6.5 - Central Log Management; 6.6 - Deploy SIEM or Log Analytic tool; 6.7 - Regularly Review Logs; 8.6 - Centralize Anti-Malware Logging
CIS Controls v8: 8.9 - Centralize Audit Logs; 8.11 - Conduct Audit Log Reviews; 13.1 - Centralize Security Event Alerting
NIST SP800-53 r4: AU-3: CONTENT OF AUDIT RECORDS; AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING; AU-12: AUDIT GENERATION; SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS v3.2.1: none
Security Principle: Centralize logging storage and analysis to enable correlation across log data. For each log source, ensure that you have assigned a data owner, access guidance, storage location, what tools are used to process and access the data, and data retention requirements. Use a cloud-native SIEM if you don't have an existing SIEM solution for CSPs, or aggregate logs/alerts into your existing SIEM.
Azure Guidance: Ensure that you are integrating Azure activity logs into a centralized Log Analytics workspace. Use Azure Monitor to query and perform analytics and create alert rules using the logs aggregated from Azure services, endpoint devices, network resources, and other security systems. In addition, enable and onboard data to Microsoft Sentinel, which provides security information event management (SIEM) and security orchestration automated response (SOAR) capabilities.
Implementation and additional context (Azure):
- How to collect platform logs and metrics with Azure Monitor: https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings
- How to onboard Azure Sentinel: https://docs.microsoft.com/azure/sentinel/quickstart-onboard
AWS Guidance: Ensure that you are integrating your AWS logs into a centralized resource for storage and analysis. Use CloudWatch to query and perform analytics, and to create alert rules using the logs aggregated from AWS services, endpoint devices, network resources, and other security systems. In addition, you can aggregate the logs in an S3 storage bucket and onboard the log data to Microsoft Sentinel, which provides security information event management (SIEM) and security orchestration automated response (SOAR) capabilities.
Implementation and additional context (AWS):
- Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data: https://docs.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3
Customer Security Stakeholders: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture; Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops; Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint

LT-6 | Logging and threat detection | Configure log storage retention
CIS Controls v7.1: 6.4 - Ensure Adequate Storage for Logs
CIS Controls v8: 8.3 - Ensure Adequate Audit Log Storage; 8.10 - Retain Audit Logs
NIST SP800-53 r4: AU-11: AUDIT RECORD RETENTION
PCI-DSS v3.2.1: 10.5; 10.7
Security Principle: Plan your log retention strategy according to your compliance, regulation, and business requirements. Configure the log retention policy at the individual logging services to ensure the logs are archived appropriately.
Azure Guidance: Logs such as Azure Activity Logs are retained for 90 days and then deleted. You should create a diagnostic setting and route the logs to another location (such as Azure Monitor Log Analytics workspace, Event Hubs or Azure Storage) based on your needs. This strategy also applies to other resource logs and resources managed by yourself, such as logs in the operating systems and applications inside VMs.
You have the log retention options below:
- Use Azure Monitor Log Analytics workspace for a log retention period of up to 1 year or per your response team requirements.
- Use Azure Storage, Data Explorer or Data Lake for long-term and archival storage for greater than 1 year and to meet your security compliance requirements.
- Use Azure Event Hubs to forward logs to an external resource outside of Azure.
Note: Microsoft Sentinel uses Log Analytics workspace as its backend for log storage. You should consider a long-term storage strategy if you plan to retain SIEM logs for a longer time.
Implementation and additional context (Azure):
- Change the data retention period in Log Analytics: https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period
- How to configure retention policy for Azure Storage account logs: https://docs.microsoft.com/azure/storage/common/storage-monitor-storage-account#configure-logging
- Microsoft Defender for Cloud alerts and recommendations export: https://docs.microsoft.com/azure/security-center/continuous-export
AWS Guidance: By default, logs are kept indefinitely and never expire in CloudWatch. You can adjust the retention policy for each log group, keeping the indefinite retention, or choosing a retention period between 10 years and one day. Use Amazon S3 for log archival from CloudWatch and apply object lifecycle management and archival policy to the bucket. You can use Azure Storage for central log archival by transferring the files from Amazon S3 to Azure Storage.
Implementation and additional context (AWS):
- Altering CloudWatch log retention: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html
- Copy data from Amazon S3 to Azure Storage by using AzCopy: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-s3
Customer Security Stakeholders: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture; Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops; Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center; Security compliance management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management

LT-7 | Logging and threat detection | Use approved time synchronization sources
CIS Controls v7.1: 6.1 - Utilize Three Synchronized Time Sources
CIS Controls v8: 8.4 - Standardize Time Synchronization
NIST SP800-53 r4: AU-8: TIME STAMPS
PCI-DSS v3.2.1: 10.4
Security Principle: Use approved time synchronization sources for your logging time stamp, which include date, time and time zone information.
Azure Guidance: Microsoft maintains time sources for most Azure PaaS and SaaS services. For your compute resources' operating systems, use a Microsoft default NTP server for time synchronization unless you have a specific requirement. If you need to stand up your own network time protocol (NTP) server, ensure you secure the UDP service port 123. All logs generated by resources within Azure provide time stamps with the time zone specified by default.
Implementation and additional context (Azure):
- How to configure time synchronization for Azure Windows compute resources: https://docs.microsoft.com/azure/virtual-machines/windows/time-sync
- How to configure time synchronization for Azure Linux compute resources: https://docs.microsoft.com/azure/virtual-machines/linux/time-sync
- How to disable inbound UDP for Azure services: https://support.microsoft.com/help/4558520/how-to-disable-inbound-udp-for-azure-services
AWS Guidance: AWS maintains time sources for most AWS services. For resources or services where the operating system time setting is configured, use the AWS default Amazon Time Sync Service for time synchronization unless you have a specific requirement. If you need to stand up your own network time protocol (NTP) server, ensure you secure the UDP service port 123. All logs generated by resources within AWS provide time stamps with the time zone specified by default.
Implementation and additional context (AWS):
- Set the time for a Linux instance: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html
- Set the time for a Windows instance: https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/windows-set-time.html
Customer Security Stakeholders: Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards; Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops; Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint

MCSB_v1 - Network Security

NS-1 | Network Security | Establish network segmentation boundaries
CIS Controls v7.1: 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running; 9.4 - Apply Host-Based Firewalls or Port Filtering; 12.3 - Deny Communications with Known Malicious IP Addresses; 12.4 - Deny Communication over Unauthorized Ports; 14.1 - Segment the Network Based on Sensitivity; 14.2 - Enable Firewall Filtering Between VLANs
CIS Controls v8: 3.12 - Segment Data Processing and Storage Based on Sensitivity; 13.4 - Perform Traffic Filtering Between Network Segments; 4.4 - Implement and Manage a Firewall on Servers
NIST SP800-53 r4: AC-4: INFORMATION FLOW ENFORCEMENT; SC-2: APPLICATION PARTITIONING; SC-7: BOUNDARY PROTECTION
PCI-DSS v3.2.1: 1.1; 1.2; 1.3
Security Principle: Ensure that your virtual network deployment aligns to your enterprise segmentation strategy defined in the GS-2 security control. Any workload that could incur higher risk for the organization should be in isolated virtual networks. Examples of high-risk workloads include:
- An application storing or processing highly sensitive data.
- An external network-facing application accessible by the public or users outside of your organization.
- An application using insecure architecture or containing vulnerabilities that cannot be easily remediated.
To enhance your enterprise segmentation strategy, restrict or monitor traffic between internal resources using network controls. For specific, well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach by restricting the ports, protocols, source, and destination IPs of the network traffic. If you have many applications and endpoints interacting with each other, blocking traffic may not scale well, and you may only be able to monitor traffic.
Azure Guidance: Create a virtual network (VNet) as a fundamental segmentation approach in your Azure network, so resources such as VMs can be deployed into the VNet within a network boundary. To further segment the network, you can create subnets inside the VNet for smaller sub-networks. Use network security groups (NSG) as a network layer control to restrict or monitor traffic by port, protocol, source IP address, or destination IP address. Refer to NS-7 Simplify network security configuration to use Adaptive Network Hardening to recommend NSG hardening rules based on threat intelligence and traffic analysis results. You can also use application security groups (ASGs) to simplify complex configuration. Instead of defining policy based on explicit IP addresses in network security groups, ASGs enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups.
Implementation and additional context (Azure):
- Azure Virtual Network concepts and best practices: https://docs.microsoft.com/azure/virtual-network/concepts-and-best-practices
- Add, change, or delete a virtual network subnet: https://docs.microsoft.com/azure/virtual-network/virtual-network-manage-subnet
- How to create a network security group with security rules: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic
- Understand and use application security groups: https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview#application-security-groups
AWS Guidance: Create a Virtual Private Cloud (VPC) as a fundamental segmentation approach in your AWS network, so resources such as EC2 instances can be deployed into the VPC within a network boundary. To further segment the network, you can create subnets inside the VPC for smaller sub-networks. For EC2 instances, use Security Groups as a stateful firewall to restrict traffic by port, protocol, source IP address, or destination IP address. At the VPC subnet level, use Network Access Control List (NACL) as a stateless firewall to have explicit rules for ingress and egress traffic to the subnet.
Note: To control VPC traffic, Internet and NAT Gateway should be configured to ensure the traffic from/to the internet is restricted.
Implementation and additional context (AWS):
- Control traffic to EC2 instances with security groups: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
- Compare security groups and network ACLs: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison
- Internet Gateway: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
- NAT Gateway: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
Customer Security Stakeholders: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture; Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management; Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops

NS-2 | Network Security | Secure cloud native services with network controls
CIS Controls v7.1: 14.1 - Segment the Network Based on Sensitivity
CIS Controls v8: 3.12 - Segment Data Processing and Storage Based on Sensitivity; 4.4 - Implement and Manage a Firewall on Servers
NIST SP800-53 r4: AC-4: INFORMATION FLOW ENFORCEMENT; SC-2: APPLICATION PARTITIONING; SC-7: BOUNDARY PROTECTION
PCI-DSS v3.2.1: 1.1; 1.2; 1.3
Security Principle: Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public networks when possible.
Azure Guidance: Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources. Using Private Link will keep the private connection from routing through the public network.
Note: Certain Azure services may also allow private communication through the service endpoint feature, though it is recommended to use Azure Private Link for secure and private access to services hosted on the Azure platform.
For certain services, you can choose to deploy VNet integration for the service, where you can restrict/isolate the VNet to establish a private access point for the service. You also have the option to configure the service native network ACL rules or simply disable public network access to block access from the public network. For Azure VMs, unless there is a strong use case, you should avoid assigning public IPs/subnets directly to the VM interface and instead use gateway or load balancer services as the front-end for access by the public network.
Implementation and additional context (Azure):
- Understand Azure Private Link: https://docs.microsoft.com/azure/private-link/private-link-overview
- Integrate Azure services with virtual networks for network isolation: https://learn.microsoft.com/en-us/azure/virtual-network/vnet-integration-for-azure-services
AWS Guidance: Deploy VPC PrivateLink for all AWS resources that support the PrivateLink feature, to allow private connection to the supported AWS services or services hosted by other AWS accounts (VPC endpoint services). Using PrivateLink will keep the private connection from routing through the public network. For certain services, you can choose to deploy the service instance into your own VPC to isolate the traffic. You also have the option to configure the service native ACL rules to block access from the public network. For example, Amazon S3 allows you to block public access at the bucket or account level. When assigning IPs to your service resources in your VPC, unless there is a strong use case, you should avoid assigning public IPs/subnets directly to your resources and instead use private IPs/subnets.
Implementation and additional context (AWS):
- AWS PrivateLink: https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-service.html
- Blocking public access to your Amazon S3 storage: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
Customer Security Stakeholders: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture; Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management; Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops

NS-3 | Network Security | Deploy firewall at the edge of enterprise network
CIS Controls v7.1: 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running; 9.4 - Apply Host-Based Firewalls or Port Filtering; 12.3 - Deny Communications with Known Malicious IP Addresses; 12.4 - Deny Communication over Unauthorized Ports; 14.1 - Segment the Network Based on Sensitivity; 14.2 - Enable Firewall Filtering Between VLANs
CIS Controls v8: 4.4 - Implement and Manage a Firewall on Servers; 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software; 13.10 - Perform Application Layer Filtering
NIST SP800-53 r4: AC-4: INFORMATION FLOW ENFORCEMENT; SC-7: BOUNDARY PROTECTION; CM-7: LEAST FUNCTIONALITY
PCI-DSS v3.2.1: 1.1; 1.2; 1.3
Security Principle: Deploy a firewall to perform advanced filtering on network traffic to and from external networks. You can also use firewalls between internal segments to support a segmentation strategy. If required, use custom routes for your subnet to override the system route when you need to force the network traffic to go through a network appliance for security control purposes. At a minimum, block known bad IP addresses and high-risk protocols, such as remote management (for example, RDP and SSH) and intranet protocols (for example, SMB and Kerberos).
Azure Guidance: Use Azure Firewall to provide fully stateful application layer traffic restriction (such as URL filtering) and/or central management over a large number of enterprise segments or spokes (in a hub/spoke topology). If you have a complex network topology, such as a hub/spoke setup, you may need to create user-defined routes (UDR) to ensure the traffic goes through the desired route. For example, you have the option to use a UDR to redirect egress internet traffic through a specific Azure Firewall or a network virtual appliance.
Implementation and additional context (Azure):
- How to deploy Azure Firewall: https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal
- Virtual network traffic routing: https://docs.microsoft.com/azure/virtual-network/virtual-networks-udr-overview
AWS Guidance: Use AWS Network Firewall to provide fully stateful application layer traffic restriction (such as URL filtering) and/or central management over a large number of enterprise segments or spokes (in a hub/spoke topology). If you have a complex network topology, such as a hub/spoke setup, you may need to create custom VPC route tables to ensure the traffic goes through the desired route. For example, you have the option to use a custom route to redirect egress internet traffic through a specific AWS Firewall or a network virtual appliance.
Implementation and additional context (AWS):
- AWS Network Firewall: https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html
- AWS VPC configure custom route tables: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html
Customer Security Stakeholders: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture; Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management; Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops

NS-4 | Network Security | Deploy intrusion detection/intrusion prevention systems (IDS/IPS)
CIS Controls v7.1: 12.6 - Deploy Network-Based IDS Sensors; 12.7 - Deploy Network-Based Intrusion Prevention Systems
CIS Controls v8: 13.2 - Deploy a Host-Based Intrusion Detection Solution; 13.3 - Deploy a Network Intrusion Detection Solution; 13.7 - Deploy a Host-Based Intrusion Prevention Solution; 13.8 - Deploy a Network Intrusion Prevention Solution
NIST SP800-53 r4: SC-7: BOUNDARY PROTECTION; SI-4: INFORMATION SYSTEM MONITORING
PCI-DSS v3.2.1: 11.4
Security Principle: Use network intrusion detection and intrusion prevention systems (IDS/IPS) to inspect the network and payload traffic to or from your workload. Ensure that IDS/IPS is always tuned to provide high-quality alerts to your SIEM solution. For more in-depth host-level detection and prevention capability, use host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution in conjunction with the network IDS/IPS.
Azure Guidance: Use Azure Firewall's IDPS capability to protect your virtual network to alert on and/or block traffic to and from known malicious IP addresses and domains. For more in-depth host-level detection and prevention capabilities, deploy host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution, such as Microsoft Defender for Endpoint, at the VM level in conjunction with the network IDS/IPS.
Implementation and additional context (Azure):
- Azure Firewall IDPS: https://docs.microsoft.com/azure/firewall/premium-features#idps
- Microsoft Defender for Endpoint capability: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response
AWS Guidance: Use AWS Network Firewall's IPS capability to protect your VPC to alert on and/or block traffic to and from known malicious IP addresses and domains. For more in-depth host-level detection and prevention capabilities, deploy host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution, such as a third-party solution for host-based IDS/IPS, at the VM level in conjunction with the network IDS/IPS.
Note: If using a third-party IDS/IPS from the marketplace, use Transit Gateway and Gateway Load Balancer to direct the traffic for in-line inspection.
Implementation and additional context (AWS):
- IPS stateful rule groups in AWS Network Firewall: https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-ips.html
- https://aws.amazon.com/marketplace/search?searchTerms=IPS
Customer Security Stakeholders: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture; Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management; Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops

NS-5 | Network Security | Deploy DDoS protection
CIS Controls v7.1: 9.5 - Implement Application Firewalls; 12.3 - Deny Communications with Known Malicious IP Addresses
CIS Controls v8: 13.10 - Perform Application Layer Filtering
NIST SP800-53 r4: SC-5: DENIAL OF SERVICE PROTECTION; SC-7: BOUNDARY PROTECTION
PCI-DSS v3.2.1: 1.1; 1.2; 1.3; 6.6
Security Principle: Deploy distributed denial of service (DDoS) protection to protect your network and applications from attacks.
Azure Guidance: DDoS Protection Basic is automatically enabled to protect the Azure underlying platform infrastructure (e.g., Azure DNS) and requires no configuration from the users. For higher levels of protection against application layer (Layer 7) attacks such as HTTP floods and DNS floods, enable the DDoS standard protection plan on your VNet to protect resources that are exposed to public networks.
Implementation and additional context (Azure):
- Manage Azure DDoS Protection Standard using the Azure portal: https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection
AWS Guidance: AWS Shield Standard is automatically enabled with standard mitigations to protect your workload from common network and transport layer (Layer 3 and 4) DDoS attacks. For higher levels of protection of your applications against application layer (Layer 7) attacks such as HTTPS floods and DNS floods, enable AWS Shield Advanced protection on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53.
Implementation and additional context (AWS):
- AWS Shield Features: https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html
Customer Security Stakeholders: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture; Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management; Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops

NS-6 | Network Security | Deploy web application firewall
CIS Controls v7.1: 9.5 - Implement Application Firewalls; 12.3 - Deny Communications with Known Malicious IP Addresses; 12.9 - Deploy Application Layer Filtering Proxy Server; 18.10 - Deploy Web Application Firewalls (WAFs)
CIS Controls v8: 13.10 - Perform Application Layer Filtering
NIST SP800-53 r4: SC-7: BOUNDARY PROTECTION
PCI-DSS v3.2.1: 1.1; 1.2; 1.3; 6.6
Security Principle: Deploy a web application firewall (WAF) and configure the appropriate rules to protect your web applications and APIs from application-specific attacks.
Azure Guidance: Use web application firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services and APIs against application layer attacks at the edge of your network. Set your WAF in "detection" or "prevention" mode, depending on your needs and threat landscape. Choose a built-in ruleset, such as OWASP Top 10 vulnerabilities, and tune it to your application needs.
Implementation and additional context (Azure):
- How to deploy Azure WAF: https://docs.microsoft.com/azure/web-application-firewall/overview
AWS Guidance: Use AWS Web Application Firewall (WAF) in Amazon CloudFront distribution, Amazon API Gateway, Application Load Balancer, or AWS AppSync to protect your applications, services, and APIs against application layer attacks at the edge of your network. Use AWS Managed Rules for WAF to deploy built-in baseline groups, and customize them to your application needs for the use-case rule groups. To simplify the WAF rules deployment, you can also use the AWS WAF Security Automations solution to automatically deploy pre-defined AWS WAF rules that filter web-based attacks on your web ACL.
Implementation and additional context (AWS):
- How AWS WAF works: https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html
- AWS WAF Security Automations: https://docs.aws.amazon.com/solutions/latest/aws-waf3-security-automations/welcome.html
- AWS Managed Rules for AWS WAF: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups.html
Customer Security Stakeholders: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture; Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management; Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops

NS-7 | Network Security | Simplify network security configuration
CIS Controls v7.1: 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running
CIS Controls v8: 4.4 - Implement and Manage a Firewall on Servers; 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
NIST SP800-53 r4: AC-4: INFORMATION FLOW ENFORCEMENT; SC-2: APPLICATION PARTITIONING; SC-7: BOUNDARY PROTECTION
PCI-DSS v3.2.1: 1.1; 1.2; 1.3
Security Principle: When managing a complex network environment, use tools to simplify, centralize and enhance the network security management.
Azure Guidance: Use the following features to simplify the implementation and management of the virtual network, NSG rules, and Azure Firewall rules:
- Use Azure Virtual Network Manager to group, configure, deploy, and manage virtual networks and NSG rules across regions and subscriptions.
- Use Microsoft Defender for Cloud Adaptive Network Hardening to recommend NSG hardening rules that further limit ports, protocols and source IPs based on threat intelligence and traffic analysis results.
- Use Azure Firewall Manager to centralize the firewall policy and route management of the virtual network. To simplify the firewall rules and network security groups implementation, you can also use the Azure Firewall Manager Azure Resource Manager (ARM) template.
Implementation and additional context (Azure):
- Adaptive Network Hardening in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/security-center-adaptive-network-hardening
- Azure Firewall Manager: https://docs.microsoft.com/azure/firewall-manager/overview
- Create an Azure Firewall and a firewall policy - ARM template: https://docs.microsoft.com/azure/firewall-manager/quick-firewall-policy
AWS Guidance: Use AWS Firewall Manager to centralize the network protection policy management across the following services:
- AWS WAF policies
- AWS Shield Advanced policies
- VPC security group policies
- Network Firewall policies
AWS Firewall Manager can automatically analyze your firewall-related policies, create findings for non-compliant resources and for detected attacks, and send them to AWS Security Hub for investigation.
Implementation and additional context (AWS):
- AWS Firewall Manager: https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-fms-intro.html
- https://docs.aws.amazon.com/waf/latest/developerguide/fms-findings.html
Customer Security Stakeholders: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture; Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management; Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops

NS-8 | Network Security | Detect and disable insecure services and protocols
CIS Controls v7.1: 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running
CIS Controls v8: 4.4 - Implement and Manage a Firewall on Servers; 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
NIST SP800-53 r4: CM-2: BASELINE CONFIGURATION; CM-6: CONFIGURATION SETTINGS; CM-7: LEAST FUNCTIONALITY
PCI-DSS v3.2.1: 4.1; A2.1; A2.2; A2.3
Security Principle: Detect and disable insecure services and protocols at the OS, application, or software package layer. Deploy compensating controls if disabling insecure services and protocols is not possible.
Azure Guidance: Use Microsoft Sentinel's built-in Insecure Protocol Workbook to discover the use of insecure services and protocols such as SSL/TLSv1, SSHv1, SMBv1, LM/NTLMv1, wDigest, weak ciphers in Kerberos, and Unsigned LDAP Binds. Disable insecure services and protocols that do not meet the appropriate security standard.
Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resources through network security groups, Azure Firewall, or Azure Web Application Firewall to reduce the attack surface.
Implementation and additional context (Azure):
- Azure Sentinel insecure protocols workbook: https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility#use-built-in-workbooks
AWS Guidance: Enable VPC Flow Logs and use GuardDuty to analyze the VPC Flow Logs to identify the possible insecure services and protocols that do not meet the appropriate security standard. If the logs in the AWS environment can be forwarded to Microsoft Sentinel, you can also use Microsoft Sentinel's built-in Insecure Protocol Workbook to discover the use of insecure services and protocols.
Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resources through security groups, AWS Network Firewall, or AWS Web Application Firewall to reduce the attack surface.
Implementation and additional context (AWS):
- Use GuardDuty with VPC Flow Logs as the data source: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html#guardduty_vpc
Customer Security Stakeholders: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture; Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management; Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops

NS-9 | Network Security | Connect on-premises or cloud network privately
CIS Controls v7.1: none
CIS Controls v8: 12.7 - Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure
NIST SP800-53 r4: CA-3: SYSTEM INTERCONNECTIONS; AC-17: REMOTE ACCESS; AC-4: INFORMATION FLOW ENFORCEMENT
PCI-DSS v3.2.1: none
Security Principle: Use private connections for secure communication between different networks, such as cloud service provider datacenters and on-premises infrastructure in a colocation environment.
Azure Guidance: For lightweight site-to-site or point-to-site connectivity, use Azure virtual private network (VPN) to create a secure connection between your on-premises site or end-user device and the Azure virtual network. For enterprise-level high performance connections, use Azure ExpressRoute (or Virtual WAN) to connect Azure datacenters and on-premises infrastructure in a co-location environment. When connecting two or more Azure virtual networks together, use virtual network peering.
Implementation and additional context (Azure):
- Azure VPN overview: https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways
- What are the ExpressRoute connectivity models:
AWS Guidance: For lightweight site-to-site or point-to-site connectivity, use AWS VPN to create a secure connection (when IPsec overhead is not a concern) between your on-premises site or end-user device and the AWS network. For enterprise-level high performance connections, use AWS Direct Connect to connect AWS VPCs and resources with your on-premises infrastructure in a co-location environment.
Implementation and additional context (AWS):
- AWS Direct Connect introduction: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
- AWS VPN introduction:
Customer Security Stakeholders: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture; Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management
Network traffic between peered virtual networks is private and is kept on the Azure backbone network. https://docs.microsoft.com/azure/expressroute/expressroute-connectivity-models You have the option to use VPC Peering or Transit Gateway to establish connectivity between two or more VPCs within or across regions. Network traffic between peered VPC is private and is kept on the AWS backbone network. When you need to join multiple VPCs to create a large flat subnet, you also have the option to use VPC Sharing. https://docs.aws.amazon.com/vpn/ Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Virtual network peering: Transit Gateway: https://docs.microsoft.com/azure/virtual-network/virtual-network-peering-overview https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html Create and accept VPC peering connections: https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html VPC Sharing: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/amazon-vpc-sharing.html NS-10 Network Security 7.7 - Use of DNS Filtering Services 4.9 - Configure Trusted DNS Servers on Enterprise Assets SC-20: SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) nan Ensure Domain Name System (DNS) security Ensure that Domain Name System (DNS) security configuration protects against known risks: Use Azure recursive DNS (usually assigned to your VM through DHCP or preconfigured in the service) or a trusted external DNS server in your workload recursive DNS setup, such as in the VM's operating system or in the application. Azure DNS overview: Use the Amazon DNS Server (i.e. 
Amazon Route 53 Resolver server which is usually assigned to you through DHCP or preconfigured in the service) or a centralized trusted DNS resolver server in your workload recursive DNS setup, such as in the VM's operating system or in the application. Amazon Route 53 DNSSEC configuration: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 9.2 - Use DNS Filtering Services SC-21: SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) - Use trusted authoritative and recursive DNS services across your cloud environment to ensure the client (such as operating systems and applications) receive the correct resolution result. https://docs.microsoft.com/azure/dns/dns-overview https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html - Separate the public and private DNS resolution so the DNS resolution process for the private network can be isolated from the public network. Use Azure Private DNS for a private DNS zone setup where the DNS resolution process does not leave the designated virtual network. Use a custom DNS to restrict the DNS resolution to only allow trusted resolution to your client. Use Amazon Route 53 to create a private hosted zone setup where the DNS resolution process does not leave the designated VPCs. Use Amazon Route 53 firewall to regulate and filter the outbound DNS/UDP traffic in your VPC for the following use cases: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management - Ensure your DNS security strategy also includes mitigations against common attacks, such as dangling DNS, DNS amplifications attacks, DNS poisoning and spoofing, and so on. 
Secure Domain Name System (DNS) Deployment Guide: - Prevent attacks such as DNS exfiltration in your VPC Amazon Route 53 firewall: Use Microsoft Defender for DNS for the advanced protection against the following security threats to your workload or your DNS service: https://csrc.nist.gov/publications/detail/sp/800-81/2/final - Set up allow or deny lists for the domains that your applications can query https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops - Data exfiltration from your Azure resources using DNS tunneling - Malware communicating with a command-and-control server Azure Private DNS: Configure Domain Name System Security Extensions (DNSSEC) feature in Amazon Route 53 to secure DNS traffic to protect your domain from DNS spoofing or a man-in-the-middle attack. Amazon Route 53 domain registration: - Communication with malicious domains such as as phishing and crypto mining https://docs.microsoft.com/azure/dns/private-dns-overview https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/registrar.html - DNS attacks in communication with malicious DNS resolvers Amazon Route 53 also provides a DNS registration service where Route 53 can be used as the authoritative name servers for your domains. The following best practices should be followed to ensure the security of your domain names: Azure Defender for DNS: - Domain names should be automatically renewed by the Amazon Route 53 service. You can also use Microsoft Defender for App Service to detect dangling DNS records if you decommission an App Service website without removing its custom domain from your DNS registrar. https://docs.microsoft.com/azure/security-center/defender-for-dns-introduction - Domain names should have the Transfer Lock feature enabled in order to keep them secure. 
- he Sender Policy Framework (SPF) is should be used to stop spammers from spoofing your domain. Prevent dangling DNS entries and avoid subdomain takeover: https://docs.microsoft.com/azure/security/fundamentals/subdomain-takeover"},{"location":"Azure/Security/MCSB/Posture%20and%20Vulnerability%20Mgmt/","title":"MCSB_v1 - Posture and Vulnerability Mgmt","text":"ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders: PV-1 Posture and Vulnerability Management 5.1 - Establish Secure Configurations 4.1 - Establish and Maintain a Secure Configuration Process CM-2: BASELINE CONFIGURATION 1.1 Define and establish secure configurations Define the security configuration baselines for different resource types in the cloud. Alternatively, use configuration management tools to establish the configuration baseline automatically before or during resource deployment so the environment can be compliant by default after the deployment. Use the Microsoft Cloud Security Benchmark and service baseline to define your configuration baseline for each respective Azure offering or service. Refer to the Azure reference architecture and Cloud Adoption Framework landing zone architecture to understand the critical security controls and configurations that may be needed across Azure resources. Illustration of Guardrails implementation in Enterprise Scale Landing Zone: Use the Microsoft Cloud Security Benchmark - multi-cloud guidance for AWS and other input to define your configuration baseline for each respective AWS offering or service. Refer to the security pillar and other pillars in the AWS Well-Architectured Framework to understand the critical security controls and configurations that may be needed across AWS resources. 
AWS Control Tower: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 11.1 - Maintain Standard Security Configurations for Network Devices 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure CM-6: CONFIGURATION SETTINGS 2.2 https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture#landing-zone-expanded-definition https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html Use Azure landing zone (and Blueprints) to accelerate the workload deployment by setting up configuration of services and application environments, including Azure Resource Manager templates, Azure RBAC controls, and Azure Policy. Use AWS CloudFormation templates and AWS Config rules in the AWS landing zone definition to automate deployment and configuration of services and application environments. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Working with security policies in Microsoft Defender for Cloud: AWS Config rules: https://docs.microsoft.com/azure/security-center/tutorial-security-policy https://aws.amazon.com/config/ Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Tutorial: Create and manage policies to enforce compliance: AWS landing zone https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage Azure Blueprints: https://docs.microsoft.com/azure/governance/blueprints/overview PV-2 Posture and Vulnerability Management 5.4 - Deploy System Configuration Management Tools 4.1 - Establish and Maintain a Secure Configuration Process CM-2: BASELINE CONFIGURATION 2.2 Audit and enforce secure configurations Continuously monitor and alert when there is a deviation from the defined configuration baseline. 
Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration. Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources. Understand Azure Policy effects: Use AWS Config rules to audit configurations of your AWS resources. And you can choose to resolve the configuration drift using AWS Systems Manager Automation associated with the AWS Config rule. Use Amazon CloudWatch to create alerts when there is a configuration deviation detected on the resources. Remediating Noncompliant AWS Resources by AWS Config Rules: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 5.5 - Implement Automated Configuration Monitoring Systems 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure CM-6: CONFIGURATION SETTINGS https://docs.microsoft.com/azure/governance/policy/concepts/effects https://docs.aws.amazon.com/config/latest/developerguide/remediation.html 11.3 - Use Automated Tools to Verify Standard Device Configurations and Detect Changes Use Azure Policy [deny] and [deploy if not exist] rules to enforce secure configuration across Azure resources. For resource configuration audit and enforcement not supported by AWS Config, you may need to write custom scripts or use third-party tooling to implement the configuration audit and enforcement. 
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Create and manage policies to enforce compliance: Detecting unmanaged configuration changes to stacks and resources: For resource configuration audit and enforcement not supported by Azure Policy, you may need to write custom scripts or use third-party tooling to implement the configuration audit and enforcement. https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage You can also centrally monitor your configuration drifting by onboarding your AWS account to Microsoft Defender for Cloud. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Get compliance data of Azure resources: AWS Config Comformance Pack: https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data https://aws.amazon.com/about-aws/whats-new/2019/11/introducing-aws-config-conformance-packs/ PV-3 Posture and Vulnerability Management 5.1 - Establish Secure Configurations 4.1 - Establish and Maintain a Secure Configuration Process CM-2: BASELINE CONFIGURATION 2.2 Define and establish secure configurations for compute resources Define the secure configuration baselines for your compute resources, such as VMs and containers. Use configuration management tools to establish the configuration baseline automatically before or during the compute resource deployment so the environment can be compliant by default after the deployment. Alternatively, use a pre-configured image to build the desired configuration baseline into the compute resource image template. Use Azure recommended operating system security baselines (for both Windows and Linux) as a benchmark to define your compute resource configuration baseline. 
Linux OS security configuration baseline: Use EC2 AWS Machine Images (AMI) from trusted sources on marketplace as a benchmark to define your EC2 configuration baseline. Enable Azure Automation State Configuration: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 5.5 - Implement Automated Configuration Monitoring Systems CM-6: CONFIGURATION SETTINGS 11.5 https://docs.microsoft.com/azure/governance/policy/samples/guest-configuration-baseline-linux https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding#enable-physicalvirtual-windows-machines Additionally, you can use a custom VM image (using Azure Image Builder) or container image with Azure Automanage Machine Configuration (formerly called Azure Policy Guest Configuration) and Azure Automation State Configuration to establish the desired security configuration. Additionally, you can use EC2 Image Builder to build custom AMI template with a Systems Manager agent to establish the desired security configuration. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Windows OS security configuration baseline: Note: The AWS Systems Manager Agent is preinstalled on some Amazon Machine Images (AMIs) provided by AWS. https://docs.microsoft.com/azure/governance/policy/samples/guest-configuration-baseline-windows Enable Azure Automation State Configuration: Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops For workload applications running within your EC2 instances, AWS Lambda or containers environment, you may use AWS System Manager AppConfig to establish the desired configuration baseline. 
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding#enable-physicalvirtual-windows-machines Security configuration recommendation for compute resources: https://docs.microsoft.com/azure/security-center/recommendations-reference Azure Automation State Configuration Overview: https://docs.microsoft.com/azure/automation/automation-dsc-overview PV-4 Posture and Vulnerability Management 5.4 - Deploy System Configuration Management Tools 4.1 - Establish and Maintain a Secure Configuration Process CM-2: BASELINE CONFIGURATION 2.2 Audit and enforce secure configurations for compute resources Continuously monitor and alert when there is a deviation from the defined configuration baseline in your compute resources. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration in compute resources. Use Microsoft Defender for Cloud and Azure Automanage Machine Configuration (formerly called Azure Policy Guest Configuration) to regularly assess and remediate configuration deviations on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements. Use Change Tracking and Inventory in Azure Automation to track changes in virtual machines hosted in Azure, on-premises, and other cloud environments to help you pinpoint operational and environmental issues with software managed by the Distribution Package Manager. Install the Guest Attestation agent on virtual machines to monitor for boot integrity on confidential virtual machines. 
How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: Use AWS System Manager's State Manager feature to regularly assess and remediate configuration deviations on your EC2 instances. In addition, you can use CloudFormation templates, custom operating system images to maintain the security configuration of the operating system. AMI templates in conjunction with Systems Manager can assist in meeting and maintaining security requirements. AWS System Manager State Manager: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 5.5 - Implement Automated Configuration Monitoring Systems CM-6: CONFIGURATION SETTINGS https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-state.html 11.3 - Use Automated Tools to Verify Standard Device Configurations and Detect Changes Note: Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft. 
You can also centrally monitor and manage the operating system configuration drift through Azure Automation State Configuration and onboard the applicable resources to Azure security governance using the following methods : Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint How to create an Azure virtual machine from an ARM template: - Onboard your AWS account into Microsoft Defender for Cloud Connect your AWS accounts to Microsoft Defender for Cloud: https://docs.microsoft.com/azure/virtual-machines/windows/ps-template - Use Azure Arc for servers to connect your EC2 instances to Microsoft Defender for Cloud https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Azure Automation State Configuration overview: For workload applications running within your EC2 instances, AWS Lambda or containers environment, you may use AWS System Manager AppConfig to audit and enforce the desired configuration baseline. Enable Azure Automation State Configuration: https://docs.microsoft.com/azure/automation/automation-dsc-overview https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding#enable-physicalvirtual-windows-machines Note: AMIs published by Amazon Web Services in AWS Marketplace are managed and maintained by Amazon Web Services. 
Create a Windows virtual machine in the Azure portal: https://docs.microsoft.com/azure/virtual-machines/windows/quick-create-portal Container security in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/container-security Change Tracking and Inventory overview: https://learn.microsoft.com/azure/automation/change-tracking/overview?tabs=python-2 Guest attestation for confidential VMs: https://learn.microsoft.com/azure/confidential-computing/guest-attestation-confidential-vms PV-5 Posture and Vulnerability Management 3.1 - Run Automated Vulnerability Scanning Tools 5.5 - Establish and Maintain an Inventory of Service Accounts RA-3: RISK ASSESSMENT 6.1 Perform vulnerability assessments Perform vulnerabilities assessment for your cloud resources at all tiers in a fixed schedule or on-demand. Track and compare the scan results to verify the vulnerabilities are remediated. The assessment should include all type of vulnerabilities, such as vulnerabilities in Azure services, network, web, operating systems, misconfigurations, and so on. Follow recommendations from Microsoft Defender for Cloud for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Microsoft Defender for Cloud has a built-in vulnerability scanner for virtual machines. Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications) How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations Use Amazon Inspector to scan your Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure. 
Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications) Amazon Inspector: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 3.3 - Protect Dedicated Assessment Accounts 7.1 - Establish and Maintain a Vulnerability Management Process RA-5: VULNERABILITY SCANNING 6.2 https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html 3.6 - Compare Back-to-back Vulnerability Scans 7.5 - Perform Automated Vulnerability Scans of Internal Enterprise Assets 6.6 Be aware of the potential risks associated with the privileged access used by the vulnerability scanners. Follow the privileged access security best practice to secure any administrative accounts used for the scanning. Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Microsoft Defender for Cloud, you can pivot into the selected scan solution's portal to view historical scan data. Integrated vulnerability scanner for virtual machines: Refer to control ES-1, \"Use Endpoint Detection and Response (EDR)\", to onboard your AWS account into Microsoft Defender for Cloud and deploy Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) in your EC2 instances. Microsoft Defender for servers provides a native threat and vulnerability management capability for your VMs. The vulnerability scanning result will be consolidated in the Microsoft Defender for Cloud dashboard. 
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint 7.6 - Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets 11.2 https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management: When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT (Just In Time) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning. Track the status of vulnerability findings to ensure they are properly remediated or suppressed if they're considered false positive. https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops SQL vulnerability assessment: Note: Microsoft Defender services (including Defender for servers, containers, App Service, Database, and DNS) embed certain vulnerability assessment capabilities. The alerts generated from Azure Defender services should be monitored and reviewed together with the result from Microsoft Defender for Cloud vulnerability scanning tool. https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing a temporary provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning. Note: Ensure you setup email notifications in Microsoft Defender for Cloud. 
Exporting Microsoft Defender for Cloud vulnerability scan results: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment#exporting-results PV-6 Posture and Vulnerability Management 3.4 - Deploy Automated Operating System Patch Management Tools 7.2 - Establish and Maintain a Remediation Process RA-3: RISK ASSESSMENT 6.1 Rapidly and automatically remediate vulnerabilities Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources. Use the appropriate risk-based approach to prioritize the remediation of vulnerabilities. For example, more severe vulnerabilities in a higher value asset should be addressed as a higher priority. Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically. How to configure Update Management for virtual machines in Azure: Use AWS Systems Manager - Patch Manager to ensure that the most recent security updates are installed on your operating systems and applications. Patch Manager supports patch baselines to allow you to define a list of approved and rejected patches for your systems. 
AWS Systems Manager - Patch Manager: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 3.5 - Deploy Automated Software Patch Management Tools 7.3 - Perform Automated Operating System Patch Management RA-5: VULNERABILITY SCANNING 6.2 https://docs.microsoft.com/azure/automation/update-management/overview https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html 3.7 - Utilize a Risk-rating Process 7.4 - Perform Automated Application Patch Management SI-2: FLAW REMEDIATION 6.5 Prioritize which updates to deploy first using a common risk scoring program (such as Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool and tailor to your environment. You should also consider which applications present a high security risk and which ones require high uptime. For third-party software, use a third-party patch management solution or Microsoft System Center Updates Publisher for Configuration Manager. You can also use Azure Automation Update Management to centrally manage the patches and updates of your AWS EC2 Windows and Linux instances. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint 7.7 - Remediate Detected Vulnerabilities 11.2 Manage updates and patches for your Azure VMs: Update Management overview: https://docs.microsoft.com/azure/automation/update-management/manage-updates-for-vm For third-party software, use a third-party patch management solution or Microsoft System Center Updates Publisher for Configuration Manager. 
https://docs.microsoft.com/en-us/azure/automation/update-management/overview Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops PV-7 Posture and Vulnerability Management 20.1 - Establish a Penetration Testing Program 18.1 - Establish and Maintain a Penetration Testing Program CA-8: PENETRATION TESTING 6.6 Conduct regular red team operations Simulate real-world attacks to provide a more complete view of your organization's vulnerability. Red team operations and penetration testing complement the traditional vulnerability scanning approach to discover risks. As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings. Penetration testing in Azure: As required, conduct penetration testing or red team activities on your AWS resources and ensure remediation of all critical security findings. AWS Customer Support Policy for Penetration Testing: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 20.2 - Conduct Regular External and Internal Penetration Tests 18.2 - Perform Periodic External Penetration Tests RA-5: VULNERABILITY SCANNING 11.2 https://docs.microsoft.com/azure/security/fundamentals/pen-testing https://aws.amazon.com/security/penetration-testing/ 20.3 - Perform Periodic Red Team Exercises 18.3 - Remediate Penetration Test Findings 11.3 Follow industry best practices to design, prepare and conduct this kind of testing to ensure it will not cause damage or disruption to your environment. This should always include discussing testing scope and constraints with relevant stakeholders and resource owners. Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. 
Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications. Follow the AWS Customer Support Policy for Penetration Testing to ensure your penetration tests are not in violation of AWS policies. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint 18.4 - Validate Security Measures Penetration Testing Rules of Engagement: 18.5 - Perform Periodic Internal Penetration Tests https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1 Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Microsoft Cloud Red Teaming: https://download.microsoft.com/download/C/1/9/C1990DBA-502F-4C2A-848D-392B93D9B9C3/Microsoft_Enterprise_Cloud_Red_Teaming.pdf Technical Guide to Information Security Testing and Assessment: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf"},{"location":"Azure/Security/MCSB/Privileged%20Access/","title":"MCSB_v1 - Privileged Access","text":"ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders: PA-1 Privileged Access 4.3 - Ensure the Use of Dedicated Administrative Accounts 5.4 - Restrict Administrator Privileges to Dedicated Administrator Accounts AC-2: ACCOUNT MANAGEMENT 7.1 Separate and limit highly privileged/administrative users Ensure you identify all high business impact accounts. Limit the number of privileged/administrative accounts in your cloud's control plane, management plane and data/workload plane. You must secure all roles with direct or indirect administrative access to Azure hosted resources. 
Administrator role permissions in Azure AD: You must secure all roles with direct or indirect administrative access to AWS hosted resources. AWS Best Practices for Root User: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys 14.6 - Protect Information Through Access Control Lists 6.8 - Define and Maintain Role-Based Access Control AC-6: LEAST PRIVILEGE 7.2 https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html 8.1 Azure Active Directory (Azure AD) is Azure's default identity and access management service. The most critical built-in roles in Azure AD are Global Administrator and Privileged Role Administrator, because users assigned to these two roles can delegate administrator roles. With these privileges, users can directly or indirectly read and modify every resource in your Azure environment: The privileged/administrative users that need to be secured include: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture - Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD as well as services that use Azure AD identities. Use Azure Privileged Identity Management security alerts: - Root user: The root user is the highest-level privileged account in your AWS account. Root accounts should be highly restricted and only used in emergency situations. Refer to emergency access controls in PA-5 (Set up emergency access). - Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units. 
https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts - IAM identities (users, groups, roles) with the privileged permission policy: IAM identities assigned with a permission policy such as AdministratorAccess can have full access to AWS services and resources. Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management Outside of Azure AD, Azure has built-in roles that can be critical for privileged access at the resource level. Securing privileged access for hybrid and cloud deployments in Azure AD: If you are using Azure Active Directory (Azure AD) as the identity provider for AWS, refer to the Azure guidance for managing the privileged roles in Azure AD. Security Operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center - Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-admin-roles-secure - Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. Ensure that you also restrict privileged accounts in other management, identity, and security systems that have administrative access to your business-critical assets, such as AWS Cognito, security tools, and system management tools with agents installed on business critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business critical assets. - User Access Administrator: Lets you manage user access to Azure resources. Note: You may have other critical roles that need to be governed if you use custom roles in the Azure AD level or resource level with certain privileged permissions assigned. 
In addition, users with the following three roles in the Azure Enterprise Agreement (EA) portal should also be restricted, as they can be used to directly or indirectly manage Azure subscriptions. - Account Owner: Users with this role can manage subscriptions, including the creation and deletion of subscriptions. - Enterprise Administrator: Users assigned this role can manage EA portal users. - Department Administrator: Users assigned this role can change account owners within the department. Lastly, ensure that you also restrict privileged accounts in other management, identity, and security systems that have administrative access to your business-critical assets, such as Active Directory Domain Controllers (DCs), security tools, and system management tools with agents installed on business-critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business-critical assets. PA-2 Privileged Access nan nan AC-2: ACCOUNT MANAGEMENT N/A Avoid standing access for user accounts and permissions Instead of creating standing privileges, use a just-in-time (JIT) mechanism to assign privileged access to the different resource tiers. Enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD Privileged Identity Management (PIM). JIT is a model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization. Azure PIM just-in-time access deployment: Use AWS Security Token Service (AWS STS) to create temporary security credentials to access the resources through the AWS API. 
Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use, with the following differences: IAM Temporary credentials through AWS Security Token Service (AWS STS): Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan - Temporary security credentials have a short-term life, from minutes to hours. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Restrict inbound traffic to your sensitive virtual machines (VM) management ports with Microsoft Defender for Cloud's just-in-time (JIT) for VM access feature. This ensures privileged access to the VM is granted only when users need it. - Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture Understanding just-in-time (JIT) VM access: https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management Security Operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center PA-3 Privileged Access 16.7 - Establish Process for Revoking Access 6.1 - Establish an Access Granting Process AC-2: ACCOUNT MANAGEMENT 7.1 Manage lifecycle of identities and entitlements Use an automated process or technical control to manage the identity and access lifecycle including the request, review, approval, provision, and deprovision. Use Azure AD entitlement management features to automate access request workflows (for Azure resource groups). 
This enables workflows for Azure resource groups to manage access assignments, reviews, expiration, and dual or multi-stage approval. What are Azure AD access reviews: Use AWS Access Advisor to pull the access logs for the user accounts and entitlements for resources. Build a manual or automated workflow to integrate with AWS IAM to manage access assignments, reviews, and deletions. IAM Access Advisor: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys 6.2 - Establish an Access Revoking Process AC-5: SEPARATION OF DUTIES 7.2 https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data.html AC-6: LEAST PRIVILEGE 8.1 Use Permissions Management to detect, automatically right-size, and continuously monitor unused and excessive permissions assigned to user and workload identities across multi-cloud infrastructures. Note: There are third-party solutions available on AWS Marketplace for managing the lifecycle of identities and entitlements. 
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops What is Azure AD entitlement management: AWS Marketplace Identity and Access Management solutions: https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-overview https://aws.amazon.com/marketplace/solutions/security/identity-access-management Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management Overview of Permissions Management: https://learn.microsoft.com/azure/active-directory/cloud-infrastructure-entitlement-management/overview PA-4 Privileged Access 4.1 - Maintain Inventory of Administrative Accounts 5.1 - Establish and Maintain an Inventory of Accounts AC-2: ACCOUNT MANAGEMENT 7.1 Review and reconcile user access regularly Conduct regular review of privileged account entitlements. Ensure the access granted to the accounts are valid for administration of control plane, management plane, and workloads. Review all privileged accounts and the access entitlements in Azure including Azure tenants, Azure services, VM/IaaS, CI/CD processes, and enterprise management and security tools. Create an access review of Azure resource roles in Privileged Identity Management (PIM): Review all privileged accounts and the access entitlements in AWS including AWS accounts, services, VM/IaaS, CI/CD processes, and enterprise management and security tools. 
IAM Access Analyzer: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys 16.6 - Maintain an Inventory of Accounts 5.3 - Disable Dormant Accounts AC-6: LEAST PRIVILEGE 7.2 https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-resource-roles-start-access-review https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html 16.8 - Disable Any Unassociated Accounts 5.5 - Establish and Maintain an Inventory of Service Accounts 8.1 Use Azure AD access reviews to review Azure AD roles, Azure resource access roles, group memberships, and access to enterprise applications. Azure AD reporting can also provide logs to help discover stale accounts, or accounts which have not been used for a certain amount of time. Use IAM Access Advisor, Access Analyzer and Credential Reports to review resource access roles, group memberships, and access to enterprise applications. IAM Access Analyzer and Credential Reports can also provide logs to help discover stale accounts, or accounts which have not been used for a certain amount of time. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Disable Dormant Accounts A3.4 How to use Azure AD identity and access reviews: Credential report: 16.9 - Disable Dormant Accounts In addition, Azure AD Privileged Identity Management can be configured to alert when an excessive number of administrator accounts are created for a specific role, and to identify administrator accounts that are stale or improperly configured. https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview If you are using Azure Active Directory (Azure AD) as the identity provider for AWS, use Azure AD access reviews to review the privileged accounts and access entitlements periodically. 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management IAM Access Advisor: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data.html PA-5 Privileged Access nan nan AC-2: ACCOUNT MANAGEMENT nan Set up emergency access Set up emergency access to ensure that you are not accidentally locked out of your critical cloud infrastructure (such as your identity and access management system) in an emergency. To prevent being accidentally locked out of your Azure AD organization, set up an emergency access account (e.g., an account with the Global Administrator role) for access when normal administrative accounts cannot be used. Emergency access accounts are usually highly privileged, and they should not be assigned to specific individuals. Emergency access accounts are limited to emergency or \"break glass\" scenarios where normal administrative accounts can't be used. Manage emergency access accounts in Azure AD: AWS \"root\" accounts should not be used for regular administrative tasks. As the \"root\" account is highly privileged, it should not be assigned to specific individuals. Its use should be limited to only emergency or \"break glass\" scenarios when normal administrative accounts can't be used. For daily administrative tasks, separate privileged user accounts should be used and assigned the appropriate permissions via IAM roles. 
Best practices to protect your account's root user: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-emergency-access https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html Emergency access accounts should be rarely used and can be highly damaging to the organization if compromised, but their availability to the organization is also critically important for the few scenarios when they are required. You should ensure that the credentials (such as password, certificate, or smart card) for emergency access accounts are kept secure and known only to individuals who are authorized to use them only in an emergency. You may also use additional controls, such as dual controls (e.g., splitting the credential into two pieces and giving it to separate persons), to enhance the security of this process. You should also monitor the sign-in and audit logs to ensure that emergency access accounts are only used when authorized. You should also ensure that the credentials (such as password, MFA tokens and access keys) for root accounts are kept secure and known only to individuals who are authorized to use them only in an emergency. MFA should be enabled for the root account, and you may also use additional controls, such as dual controls (e.g., splitting the credential into two pieces and giving it to separate persons), to enhance the security of this process. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops You should also monitor the sign-in and audit logs in CloudTrail or EventBridge to ensure that root accounts are only used when authorized. 
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management Security Operations (SecOps): https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center PA-6 Privileged Access 4.6 - Use Dedicated Workstations For All Administrative Tasks 12.8 - Establish and Maintain Dedicated Computing Resources for All Administrative Work AC-2: ACCOUNT MANAGEMENT nan Use privileged access workstations / channel for administrative tasks Secured, isolated workstations are critically important for the security of sensitive roles like administrator, developer, and critical service operator. Use Azure Active Directory, Microsoft Defender, and/or Microsoft Intune to deploy privileged access workstations (PAW) on-premises or in Azure for privileged tasks. The PAW should be centrally managed to enforce secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access. Understand privileged access workstations: Use Session Manager in AWS Systems Manager to create an access path (a connection session) to the EC2 instance or a browser session to the AWS resources for privileged tasks. Session Manager allows RDP, SSH, and HTTPS connectivity to your destination hosts through port forwarding. 
AWS Systems Manager Session Manager: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 11.6 - Use Dedicated Machines For All Network Administrative Tasks 13.5 - Manage Access Control for Remote Assets SC-2: APPLICATION PARTITIONING https://learn.microsoft.com/en-us/security/privileged-access-workstations/overview https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html 12.12 - Manage All Devices Remotely Logging into Internal Network SC-7: BOUNDARY PROTECTION You may also use Azure Bastion, which is a fully platform-managed PaaS service that can be provisioned inside your virtual network. Azure Bastion allows RDP/SSH connectivity to your virtual machines directly from the Azure portal using a web browser. You may also choose to deploy a privileged access workstation (PAW) centrally managed through Azure Active Directory, Microsoft Defender, and/or Microsoft Intune. The central management should enforce secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access. Security Operations (SecOps): https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-operations-center Privileged access workstations deployment: https://docs.microsoft.com/security/compass/privileged-access-deployment Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys PA-7 Privileged Access 14.6 - Protect Information Through Access Control Lists 3.3 - Configure Data Access Control Lists AC-2: ACCOUNT MANAGEMENT 7.1 Follow just enough administration (least privilege) principle Follow the just enough administration (least privilege) principle to manage permissions at a fine-grained level. Use features such as role-based access control (RBAC) to manage resource access through role assignments. 
Use Azure role-based access control (Azure RBAC) to manage Azure resource access through role assignments. Through RBAC, you can assign roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal. What is Azure role-based access control (Azure RBAC): Use AWS policy to manage AWS resource access. There are six types of policies: identity-based policies, resource-based policies, permissions boundaries, AWS Organizations service control policy (SCP), Access Control List, and session policies. You may use AWS managed policies for common permission use cases. However, you should be mindful that managed policies may carry excessive permissions that should not be assigned to the users. IAM access policies: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 6.8 - Define and Maintain Role-Based Access Control AC-3: ACCESS ENFORCEMENT 7.2 https://docs.microsoft.com/azure/role-based-access-control/overview https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html AC-6: LEAST PRIVILEGE The privileges you assign to resources through Azure RBAC should always be limited to what's required by the roles. Limited privileges will complement the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM), and those privileges should be reviewed periodically. If required, you can also use PIM to define a time-bound assignment, which is a condition in a role assignment where a user can only activate the role within the specified start and end dates. You may also use AWS ABAC (attribute-based access control) to assign permissions based on attributes (tags) attached to IAM resources, including IAM entities (users or roles) and AWS resources. 
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management How to configure RBAC in Azure: AWS ABAC: Note: Use Azure built-in roles to allocate permissions and only create custom roles when required. https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management How to use Azure AD identity and access reviews: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview Azure AD Privileged Identity Management - Time-bound assignment: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure#what-does-it-do PA-8 Privileged Access 16.7 - Establish Process for Revoking Access 6.1 - Establish an Access Granting Process AC-4: INFORMATION FLOW ENFORCEMENT nan Determine access process for cloud provider support Establish an approval process and access path for requesting and approving vendor support request and temporary access to your data through a secure channel. In support scenarios where Microsoft needs to access your data, use Customer Lockbox to review and either approve or reject each data access request made by Microsoft. Understand Customer Lockbox: In support scenarios where AWS support teams need to access your data, create an account in the AWS Support portal to request support. Review the available options such as providing read-only data access, or the screen sharing option for AWS support to access to your data. 
Access permissions for AWS Support: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 6.2 - Establish an Access Revoking Process AC-2: ACCOUNT MANAGEMENT https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html AC-3: ACCESS ENFORCEMENT Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys"},{"location":"Azure/Security/MCSB/Readme/","title":"MCSB_v1 - Readme","text":"Microsoft Cloud Security Benchmark v1 This spreadsheet is designed to provide you with a private preview version of the Microsoft Cloud Security Benchmark v1. For the web version of the content, please refer to https://docs.microsoft.com/en-us/security/benchmark/azure/overview a. The control mappings between MCSB and industry benchmarks (such as NIST, CIS and PCI) only indicate that a specific Azure feature can be used to fully or partially address a control requirement defined in NIST, CIS or PCI. You should be aware that such an implementation does not necessarily translate to full compliance with the corresponding control in CIS, NIST or PCI. b. This document is developed as a reference and should not be used to define all means by which a customer can meet specific compliance requirements and regulations. Customers should seek legal support from their organization on approved customer implementations. This multi-cloud guidance follows the principles below: 1. The security guidance for non-Azure platforms will follow the same cloud-neutral security principles at each control level as Azure's. 2. 
The security guidance for non-Azure platforms will provide the same level of granularity and the same scope in the technical guidance as Azure's. 3. The non-Microsoft cloud service provider's (CSP) native solution or feature will usually be recommended as the first preference for each control. However, when there is a more mature multi-cloud solution available in Azure, it will be prioritized as the default recommendation. 4. If neither the CSP's native technology nor Azure solutions are available to satisfy a security principle, third-party solutions will be recommended from the Azure or the other CSP's Marketplace. However, Microsoft Cloud Security Benchmark will not name any specific third-party vendor product or solution. Guidance - Column Header Descriptions ID# The Microsoft Cloud Security Benchmark ID. Control Domain The security control domain. Security Principle The technology-agnostic and cloud-neutral principle for various security topics in each control domain. Recommendation The control recommendation in summarized format. Azure Guidance The technical guidance for Azure platforms. AWS Guidance The technical guidance for Amazon Web Services platforms. Implementation and additional context The implementation details and other relevant context, which links to the Azure or AWS service offering documentation articles."},{"location":"blog/","title":"Blog","text":""},{"location":"blog/tags/","title":"Posts by Tags","text":"

                    Following is a list of relevant tags:

                    "},{"location":"blog/tags/#azure-arc","title":"Azure ARC","text":"
                    • Azure ARC
                    • How to use Azure ARC-enabled servers with managed identity to access an Azure Storage Account
                    "},{"location":"blog/tags/#azure-communication-services","title":"Azure Communication Services","text":"
                    • Azure Communication Services
                    "},{"location":"blog/tags/#azure-container-apps","title":"Azure Container Apps","text":"
                    • Comparing Container Apps with other Azure container options
                    "},{"location":"blog/tags/#azure-functions","title":"Azure Functions","text":"
                    • Azure Functions
                    "},{"location":"blog/tags/#azure-policy","title":"Azure Policy","text":"
                    • Azure Policy
                    • Azure Policy, definition schema
                    • Writing Your First Policy in Azure with Portal
                    • Writing Your First Initiative with Portal
                    • Manage Azure Policy GitHub Action
                    • Enterprise Azure Policy as Code (EPAC)
                    • Azure Policy Management Best Practices
                    • Azure Policy useful queries
                    "},{"location":"blog/tags/#azure-well-architected-framework","title":"Azure Well-Architected Framework","text":"
                    • Azure Well-Architected Framework (WAF) mind maps
                    "},{"location":"blog/tags/#certifications","title":"Certifications","text":"
                    • Microsoft Azure Certifications
                    "},{"location":"blog/tags/#epac","title":"EPAC","text":"
                    • Enterprise Azure Policy as Code (EPAC)
                    "},{"location":"blog/tags/#english","title":"English","text":"
                    • Azure Services
                    "},{"location":"blog/tags/#general","title":"General","text":"
                    • Azure Services
                    "},{"location":"blog/tags/#management-groups","title":"Management Groups","text":"
                    • Management Groups
                    • Moving Management Groups and Subscriptions
                    • How to create a Management Group diagram with draw.io
                    "},{"location":"blog/tags/#microsoft-defender-for-cloud","title":"Microsoft Defender for Cloud","text":"
                    • Renaming of the Microsoft Defender for Cloud service tiers
                    "},{"location":"blog/tags/#onedrive-for-business","title":"OneDrive for Business","text":"
                    • Debugging OneDrive logs to detect synchronization problems
                    "},{"location":"blog/tags/#pam","title":"PAM","text":"
                    • Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services
                    "},{"location":"blog/tags/#security","title":"Security","text":"
                    • Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services
                    "},{"location":"blog/tags/#trunk","title":"Trunk","text":"
                    • Trunk
                    "},{"location":"blog/tags/#windows-subsystem-for-linux-2","title":"Windows Subsystem for Linux 2","text":"
                    • Install WSL2 on Windows 11 with chocolatey
                    "},{"location":"blog/tags/#csharp","title":"csharp","text":"
                    • Starting to develop in c#
                    "},{"location":"blog/tags/#drawio","title":"draw.io","text":"
                    • How to create a Management Group diagram with draw.io
                    "},{"location":"blog/tags/#mkdocs","title":"mkdocs","text":"
                    • Create a blog with MkDocs, mkdocs-material, mkdocs-rss-plugin and GitHub Pages
                    • Enhance your mkdocks.yml
                    "},{"location":"blog/tags/#vscode","title":"vscode","text":"
                    • Trunk
                    "},{"location":"blog/2023/10/17/hello-world-from-mkdocs-material/","title":"\"Hello world!!!\" from mkdocs-material","text":"

                    ...

                    "},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/","title":"Create a blog with MkDocs,mkdocs-material, mkdocs-rss-plugin and GitHub Pages","text":"

                    Some time ago I maintained a blog with WordPress. I was happy with it, but I wanted to try something new.

                    I tried Jekyll, but it didn't convince me. Then I discovered MkDocs, so I decided to use MkDocs and mkdocs-material. I was happy with the result, so I decided to write this post to explain how to create a blog with MkDocs, mkdocs-material and some plugins.

                    This is the first post of a series of posts about creating a blog with MkDocs, mkdocs-material and GitHub Pages, and customizing it.

                    Some knowledge:

                    • MkDocs is a fast, simple and downright gorgeous static site generator that's geared towards building project documentation. Documentation source files are written in Markdown, and configured with a single YAML configuration file.

                    • Material for MkDocs is a theme for MkDocs, a static site generator geared towards (technical) project documentation. It is built using Google's Material Design guidelines. Material for MkDocs provides a polished and responsive experience out of the box, and it is as easy to use for the beginner as it is for the seasoned developer.

                    • GitHub Pages is a static site hosting service that takes HTML, CSS, and JavaScript files straight from a repository on GitHub, optionally runs the files through a build process, and publishes a website. You can see more information about GitHub Pages here.

                    • This plugin generates an RSS feed for your MkDocs site. You can see more information about mkdocs-rss-plugin here.

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#steps-to-deploy","title":"Steps to deploy","text":"","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#create-a-new-repository","title":"Create a new repository","text":"

                    Create a new repository on GitHub named username.github.io, where username is your username (or organization name) on GitHub. If the first part of the repository doesn’t exactly match your username, it won’t work, so make sure to get it right.

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#enable-github-pages-on-your-repository","title":"Enable GitHub Pages on your repository","text":"

                    Go into the repository settings and, if you are not using GitHub Pages already, enable GitHub Pages on the gh-pages branch.

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#clone-the-repository","title":"Clone the repository","text":"

                    Go to the folder where you want to store your project, and clone the new repository:

                    git clone ssh://git@github.com/username/username.github.io
                    cd username.github.io
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#create-requirementstxt-in-root-folder-for-mkdocs-mkdocs-material-and-plugins","title":"Create requirements.txt in root folder for mkdocs, mkdocs-material and plugins","text":"
                    mkdocs==1.5.3
                    mkdocs-material==9.4.6
                    mkdocs-rss-plugin==1.8.0
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#create-a-python-virtual-environment-and-install-requirementstxt","title":"Create a Python Virtual Environment and install requirements.txt","text":"

                    From the username.github.io folder:

                    sudo apt update
                    sudo apt install libcairo2
                    sudo apt install python3.10-venv
                    python3 -m venv mysite
                    source mysite/bin/activate
                    pip install -r requirements.txt
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#initialize-your-site","title":"Initialize your site","text":"
                    mkdocs new .
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#add-configuration-to-mkdocsyml-in-root-folder","title":"Add configuration to mkdocs.yml in root folder","text":"

                    For this post I am going to add the following configuration:

                    • basic configuration
                    • configuration for theme mkdocs-material
                    • some native plugins of mkdocs-material and some ones that I like
                    site_name: My Site
                    site_description: A blog about Azure, DevOps and other stuff
                    site_author: Rafael Fernández

                    theme:
                      name: material
                      features:
                        - navigation.tabs
                        - navigation.expand
                        - navigation.sections
                        - toc.integrate
                        - toc.nested
                        - toc.smoothscroll
                        - footer

                    plugins:
                      - search
                      - blog
                      - tags:
                          tags_file: tags.md

                      - rss:
                          match_path: blog/posts/.*
                          date_from_meta:
                            as_creation: date
                          categories:
                            - categories
                            - tags
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#add-a-new-post","title":"Add a new post","text":"

                    In the blog/post folder, create a new folder with the name of the post, and in it a new file with the name of the post and the .md extension. For example: welcome.md

                    ---
                    date: 2023-10-18
                    categories:
                      - Hello
                      - World
                    ---

                    # "Hello world!!!" from mkdocs-material

                    ...
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#check-your-site","title":"Check your site","text":"

                    From the username.github.io folder:

                    mkdocs serve

                    You can check your site at http://127.0.0.1:8000/, make live changes to your site and see the results in your browser.

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#publish-your-site","title":"Publish your site","text":"

                    From the username.github.io folder:

                    mkdocs gh-deploy

                    After a few seconds, you can check your site at https://username.github.io/

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#automate-deploy-with-github-actions","title":"Automate deploy with GitHub Actions","text":"
                    name: ci # (1)!
                    on:
                      push:
                        branches:
                          - main # (2)!
                    permissions:
                      contents: write
                    jobs:
                      deploy:
                        runs-on: ubuntu-latest
                        steps:
                          - uses: actions/checkout@v4
                          - uses: actions/setup-python@v4
                            with:
                              python-version: 3.x
                          - run: echo "cache_id=$(date --utc '+%V')" >> $GITHUB_ENV # (3)!
                          - uses: actions/cache@v3
                            with:
                              key: mkdocs-material-${{ env.cache_id }}
                              path: .cache
                              restore-keys: |
                                mkdocs-material-
                          - run: pip install -r requirements.txt # (4)!
                          - run: mkdocs gh-deploy --force
                    1. You can change the name to your liking.

                    2. At some point, GitHub renamed master to main. If your default branch is named master, you can safely remove main, vice versa.

                    3. Store the cache_id environmental variable to access it later during cache key creation. The name is case-sensitive, so be sure to align it with ${{ env.cache_id }}.

                      • The --utc option makes sure that each workflow runner uses the same time zone.
                      • The %V format assures a cache update once a week.
                      • You can change the format to %F to have daily cache updates.

                      You can read the [manual page] to learn more about the formatting options of the date command.

                    4. Add [MkDocs plugins] or Markdown extensions with pip to requirements.txt to be used during the build.

                    In the next post I will explain how to customize your site with mkdocs-material and some plugins writing mkdocs.yml.

                    That's it folks

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#urls-for-reference","title":"urls for reference","text":"
                    • https://www.mkdocs.org/
                    • https://pages.github.com/
                    • https://squidfunk.github.io/mkdocs-material/setup/setting-up-a-blog/
                    • https://guts.github.io/mkdocs-rss-plugin/ ...
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/","title":"Enhance your mkdocks.yml","text":"

                    In the previous post I explained how to create a blog with MkDocs and the mkdocs-material theme.

                    mkdocs.yml is the configuration file for MkDocs. In this file we can configure the theme, the plugins, the pages, etc.

                    In this post I am going to explain how to create a blog with MkDocs and the mkdocs-material theme, add some plugins and configure it.

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#minimal-configuration-for-mkdocsyml-with-mkdocs-material","title":"Minimal configuration for mkdocs.yml with mkdocs-material","text":"
                    site_name: My Site
                    theme:
                      name: material
                    #plugins:

                    #markdown_extensions:
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#theme","title":"Theme","text":"

                    I only change the palette for now.

                    theme:
                      name: material
                      palette:
                        primary: blue
                        accent: white
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#plugins-for-mkdoc","title":"Plugins for mkdoc","text":"","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#glightbox","title":"glightbox","text":"

                    glightbox adds image zoom functionality to your documentation.

                    requirements.txt
                    mkdocs-glightbox
                    mkdocs.yml
                    plugins:
                      - glightbox

                    Example:

                    Image by marymarkevich on Freepik

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#mkdocs-minify-plugin","title":"mkdocs-minify-plugin","text":"

                    An MkDocs plugin to minify HTML, JS or CSS files prior to being written to disk.

                    requirements.txt
                    mkdocs-minify-plugin
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#extensions","title":"Extensions","text":"","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#material-for-mkdocs","title":"Material for MkDocs","text":"

                    MkDocs supports a large number of Python Markdown extensions.

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#mermaid","title":"mermaid","text":"

                    mermaid2 is a plugin for MkDocs that allows you to embed diagrams written in mermaid.js in your Markdown documentation.

                    mkdocs.yml
                      - pymdownx.superfences:
                          custom_fences:
                            - name: mermaid
                              class: mermaid
                              format: !!python/name:pymdownx.superfences.fence_code_format
                    Example
                      ```mermaid
                      graph LR
                          A[Square Rect] -- Link text --> B((Circle))
                          A --> C(Round Rect)
                          B --> D{Rhombus}
                          C --> D
                      ```
                    graph LR
                        A[Square Rect] -- Link text --> B((Circle))
                        A --> C(Round Rect)
                        B --> D{Rhombus}
                        C --> D

                    You can find more information about mermaid.js in https://mermaid-js.github.io/mermaid/#/

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#admonitions","title":"Admonitions","text":"

                    Admonitions is a Markdown extension supported by Material for MkDocs that allows you to add admonition blocks to your Markdown documentation.

                    mkdocs.yml
                    markdown_extensions:
                      - admonition
                      - pymdownx.details
                      - pymdownx.superfences

                    Example:

                    !!! Example
                        Example
                    !!! Error
                        Error
                    !!! Warning
                        Warning
                    !!! Success
                        Success
                    !!! Info
                        Info
                    !!! Tip
                        Tip
                    !!! Question
                        Question
                    !!! Quote
                        Quote

                    Example

                    Example

                    Error

                    Error

                    Warning

                    Warning

                    Success

                    Success

                    Info

                    Info

                    Tip

                    Tip

                    Question

                    Question

                    Quote

                    Quote

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#icons-emojis","title":"Icons, Emojis","text":"

                    With Material you can use more than 10,000 icons and thousands of emojis in your documentation.

                    mkdocs.yml
                    markdown_extensions:
                      - attr_list
                      - pymdownx.emoji:
                          emoji_index: !!python/name:material.extensions.emoji.twemoji
                          emoji_generator: !!python/name:material.extensions.emoji.to_svg

                    Example:

                    :smile:
                    :man_head:
                    :face_with_monocle:
                    :jack_o_lantern:

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#annotations","title":"Annotations","text":"

                    One of the flagship features of Material for MkDocs is the ability to inject annotations – little markers that can be added almost anywhere in a document and expand a tooltip containing arbitrary Markdown on click or keyboard focus.

                    mkdocs.yml
                    markdown_extensions:
                      - attr_list
                      - md_in_html
                      - pymdownx.superfences

                    Examples:

                    This is a paragraph with an annotation(1).
                    { .annotate }

                    1.  :man_raising_hand: I'm an annotation! I can contain `code`, __formatted
                        text__, images, ... basically anything that can be expressed in Markdown.

                    This is a paragraph with an annotation(1).

                    1. I'm an annotation! I can contain code, formatted text, images, ... basically anything that can be expressed in Markdown.

                    This is a paragraph with an annotation(1).
                    { .annotate }

                    1.  :man_raising_hand: I'm an annotation! with a nested annotation(1)
                        { .annotate }

                        1. I'm a nested annotation!

                    This is a paragraph with an annotation(1).

                    1. I'm an annotation! with a nested annotation(1)

                      1. I'm a nested annotation!
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#buttons","title":"Buttons","text":"mkdocs.yml
                    markdown_extensions:
                      - attr_list

                    Examples:

                    [This is a button](#)
                    { .md-button }

                    This is a button

                    [This is a button](#)
                    { .md-button .md-button--primary }

                    This is a button

                    [Send :fontawesome-regular-face-laugh-wink:](#){ .md-button }

                    Send

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#content-tabs","title":"Content tabs","text":"mkdocs.yml
                    markdown_extensions:
                      - pymdownx.superfences
                      - pymdownx.tabbed:
                          alternate_style: true

                    Example:

                    === "azcli"

                        ``` azcli
                        az group create --name myResourceGroup --location westeurope
                        ```

                    === "pwsh"

                        ``` pwsh
                        New-AzResourceGroup -Name myResourceGroup -Location westeurope
                        ```

                    azcli:
                    az group create --name myResourceGroup --location westeurope
                    pwsh:
                    New-AzResourceGroup -Name myResourceGroup -Location westeurope
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#footnotes","title":"Footnotes","text":"mkdocs.yml
                    markdown_extensions:
                      - footnotes

                    Example:

                    This is a paragraph with a footnote[^1].

                    [^1]: And here is the definition.

                    This is a paragraph with a footnote1.

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#formatting","title":"Formatting","text":"mkdocs.yml
                    markdown_extensions:
                      - pymdownx.critic
                      - pymdownx.caret
                      - pymdownx.keys
                      - pymdownx.mark
                      - pymdownx.tilde

                    Example:

                    - ~~Mistaken text.~~
                    - ^^Superscript^^
                    - ==Marked text.==
                    • Mistaken text.
                    • Superscript
                    • Marked text.
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#mkdocsyml-complete","title":"mkdocs.yml complete","text":"
                    site_name: My Site
                    site_description: A blog about Azure, DevOps and other stuff
                    site_author: Rafael Fernández
                    site_url: https://rfernandezdo.github.io

                    theme:
                      name: material
                      palette:
                        primary: blue
                        accent: white
                      features:
                        - navigation.tabs
                        - navigation.expand
                        - navigation.sections
                        - toc.integrate
                        - toc.nested
                        - toc.smoothscroll
                        - footer
                        - content.code.copy
                        - content.code.annotate
                        - content.tooltips
                    extra:
                      social:
                        - icon: fontawesome/brands/linkedin
                          link: https://www.linkedin.com/in/rafaelfernandezd/
                          name: LinkedIn
                        - icon: fontawesome/brands/github
                          link: https://github.com/rfernandezdo
                          name: GitHub
                        - icon: fontawesome/solid/square-rss
                          link: https://rfernandezdo.github.io/feed_rss_created.xml
                          name: RSS feed
                    copyright: Copyright &copy; 2023-now Rafael Fernández

                    plugins:
                      - search
                      - mermaid2
                      - blog
                      - tags:
                          tags_file: tags.md
                      - rss:
                          match_path: blog/posts/.*
                          date_from_meta:
                            as_creation: date
                          categories:
                            - categories
                            - tags
                      - minify:
                          minify_html: true
                          minify_js: true
                          minify_css: true
                          htmlmin_opts:
                              remove_comments: true
                          cache_safe: true
                      - glightbox:
                          zoomable: true
                          draggable: true
                          skip_classes:
                            - skip-lightbox
                        #- meta in insiders, review in next release
                      - social
                    markdown_extensions:
                      - admonition
                      - pymdownx.details
                      - pymdownx.superfences:
                          custom_fences:
                            - name: mermaid
                              class: mermaid
                              format: !!python/name:pymdownx.superfences.fence_code_format
                      - md_in_html
                      - attr_list
                      - pymdownx.emoji:
                          emoji_index: !!python/name:material.extensions.emoji.twemoji
                          emoji_generator: !!python/name:material.extensions.emoji.to_svg
                      - pymdownx.tabbed:
                          alternate_style: true
                      - pymdownx.highlight:
                          anchor_linenums: true
                          line_spans: __span
                          pygments_lang_class: true
                      - pymdownx.inlinehilite
                      - pymdownx.snippets
                      - footnotes
                      - pymdownx.critic
                      - pymdownx.caret
                      - pymdownx.keys
                      - pymdownx.mark
                      - pymdownx.tilde
                      - def_list
                      - pymdownx.tasklist:
                          custom_checkbox: true
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#urls-for-reference","title":"urls for reference","text":"
                    • Font Awesome
                    • Emojis ...
                    1. And here is the definition. ↩

                    ","tags":["mkdocs"]},{"location":"blog/2023/11/03/trunk/","title":"Trunk","text":"","tags":["vscode","Trunk"]},{"location":"blog/2023/11/03/trunk/#what-is-trunk","title":"What is Trunk ?","text":"

                    Trunk is a tool that runs a suite of security and best practice checks against your code. It is designed to be used in CI/CD pipelines, but can also be used as a standalone tool.

                    Support for the following languages is currently available:

                    ","tags":["vscode","Trunk"]},{"location":"blog/2023/11/03/trunk/#installing-trunk","title":"Installing Trunk","text":"Trunk cli:
                    curl https://get.trunk.io -fsSL | bash
                    Trunk VSCode extension:
                    code --install-extension Trunk.io
                    ","tags":["vscode","Trunk"]},{"location":"blog/2023/11/03/trunk/#trunk-checks","title":"Trunk checks","text":"","tags":["vscode","Trunk"]},{"location":"blog/2023/11/03/trunk/#trunk-checks-cli","title":"Trunk checks cli","text":"

                    Trunk detects which checks to enable based on the files in the current directory, but you can also enable and disable checks manually.

                    • trunk check list: list all available checks
                    • trunk check enable checkname: enable a check
                    • trunk check disable checkname: disable a check
                    • trunk check: run all enabled checks

                    For example, to enable the Terraform check:

                    trunk check enable terraform
                    1 linter was enabled:
                      terraform 1.1.0

                    Info

                    You can also enable checks by modifying the .trunk.yml file in your repository. See the configuration page for more information.

                    Examples:

                    trunk command line check example
                    trunk check

                    Checking 68% [====================================================================================================================================================================>                                                                              ]  38/56  9.4s
                     ↳ checkov
                       ↳ modules/webapps/linux_function_app/private_endpoint.tf [lint] ⠧
                       ↳ modules/webapps/linux_function_app/variables.tf [lint] ⠧
                     ↳ terrascan
                       ↳ modules/webapps/linux_function_app/locals.tf [lint] ⠧
                       ↳ modules/webapps/linux_function_app/main.tf [lint] ⠧
                    ","tags":["vscode","Trunk"]},{"location":"blog/2023/11/03/trunk/#trunk-checks-vscode","title":"Trunk checks vscode","text":"

                    In the case of the VSCode extension, you can review your checks in your IDE:

                    And you can disable checks from quick fix menu:

                    ","tags":["vscode","Trunk"]},{"location":"blog/2023/11/03/trunk/#trunk-updates","title":"Trunk updates","text":"","tags":["vscode","Trunk"]},{"location":"blog/2023/11/03/trunk/#trunk-updates-cli","title":"Trunk updates cli","text":"

                    Trunk is updated regularly with new checks and improvements. You can update Trunk by running the following command:

                    trunk update
                    ","tags":["vscode","Trunk"]},{"location":"blog/2023/11/03/trunk/#trunk-updates-vscode","title":"Trunk updates vscode","text":"

                    In the case of the VSCode extension, it will be updated automatically:

                    ","tags":["vscode","Trunk"]},{"location":"blog/2023/11/03/trunk/#references","title":"References","text":"
                    • Trunk
                    • Trunk VSCode extension
                    ","tags":["vscode","Trunk"]},{"location":"blog/2023/11/04/starting-to-develop-in-c/","title":"Starting to develop in c#","text":"

                    First, I need to clarify that I'm not a C# developer. I'm learning C# so I can better understand the code that has to be deployed to some Azure services when .NET is used.

                    If someone who knows me is reading this post, they will be thinking:

                    • "What the hell is he doing?"
                    • "He is crazy"
                    • "He is going to die trying".
                    • The end of the world is approaching!!

                    Maybe the last thought really is true, but I have to say that I have decided to learn a programming language, and I have chosen C# because many of the examples for Azure developers that I have seen are written in C#.

                    I repeat, I am not a developer, but I'd like to share my experience learning C# with you.

                    ","tags":["csharp"]},{"location":"blog/2023/11/04/starting-to-develop-in-c/#my-first-steps","title":"My first Steps","text":"

                    You have a lot of resources for learning on Learn .NET and in c# documentation.

                    In my case I prefer to simplify and follow csharp-notebooks; these materials are designed to be used with the C# 101 SERIES.

                    After that, I will follow the free course (New) Foundational C# with Microsoft.

                    And after that, I think that I will be ready to start with Tutorials for getting started with .NET and plan next steps.

                    That's all folks!!

                    ","tags":["csharp"]},{"location":"blog/2023/11/15/azure--services/","title":"Azure Services","text":"

                    I have decided to create a new category on my blog to talk about Azure services.

                    The main goal of this category is to provide a quick overview of some Azure services and some design considerations.

                    Why this category?

                    In some cases, it is because I am working with a service and I think it is a good idea to share my experience with you and write it down for myself; in others, it is because I am studying or reviewing an Azure service and I think it is a good idea to share my notes with you.

                    I hope you like it.

                    I am going to start with Azure Communication Services.

                    That's all folks! Thanks for reading!

                    ","tags":["General","English"]},{"location":"blog/2023/11/18/azure-communication-services/","title":"Azure Communication Services","text":"","tags":["Azure Communication Services"]},{"location":"blog/2023/11/18/azure-communication-services/#what-is-azure-communication-services","title":"What is Azure Communication Services?","text":"

                    Azure Communication Services are cloud-based services with REST APIs and client library SDKs available to help you integrate communication into your applications. You can add communication to your applications without being an expert in underlying technologies such as media encoding or telephony.

                    Azure Communication Services supports various communication formats:

                    • Voice and Video Calling
                    • Rich Text Chat
                    • SMS
                    • Email

                    And offers the following services:

                    • SMS: Send and receive SMS messages from your applications.
                    • Phone calling: Enable your applications to make and receive PSTN calls.
                    • Voice and video calling: Enable your applications to make and receive voice and video calls.
                    • Chat: Enable your applications to send and receive chat messages.
                    • Email: Send and receive emails from your applications.
                    • Network traversal: Enable your applications to connect to other clients behind firewalls and NATs.
                    • Advanced Messaging:
                      • WhatsApp (Public Preview): Enables you to send and receive WhatsApp messages using the Azure Communication Services Messaging SDK.
                    • Job Router (Public Preview): A tool designed to optimize the management of customer interactions across various communication applications.

                    Some Use Cases:

                    • Telemedicine: Enable patients to connect with doctors and nurses through video consultations.
                    • Remote education: Enable students to connect with teachers and other students through video classes.
                    • Financial Advisory: Enhance global advisor and client interactions with rich capabilities such as translation for chat.
                    • Retail Notifications: Send notifications to customers about their orders via SMS or email.
                    • Professional Support: Enable customers to connect with support agents through chat, voice, or video.
                    ","tags":["Azure Communication Services"]},{"location":"blog/2023/11/18/azure-communication-services/#design-considerations","title":"Design considerations","text":"

                    You have some data flow diagrams to help you understand how Azure Communication Services works here.

                    Some aspects to consider:

                    • You need to apply throttling patterns to avoid overloading the service, which answers excess requests with HTTP status code 429 (Too Many Requests).
                    • Plan how to map users from your identity domain to Azure Communication Services identities. You can follow any kind of pattern; for example, 1:1, 1:N, N:1, or M:N.
                    • Check regional availability. You can see more information about regional availability here.
                    • Check the service limits. You can see more information about service limits here.
                    • Check the security baseline. You can see more information about the security baseline here.
                    Pricing

                    Azure Communication Services is a pay-as-you-go service. You only pay for what you use, and there are no upfront costs. You can see more information about pricing here.

                    The bad news is:

                    • For some services, pricing varies by country.
                    • There is no free tier, although some features are free.
                    • There are no Azure Reservations or any equivalent.
                    Conclusion

                    Azure Communication Services is a very interesting service, but you need to consider the cost of the service and its regional availability before using it.

                    That's it folks! Thanks for reading!

                    Azure Well-Architected Framework (WAF) mind maps

                    Microsoft Well-Architected Framework Pillars Design Principles Mind Map

                    For when materials renders it correctly:

                    mindmap
                        root((Pillars))
                            Reliability(Reliability)
                                DesignPrinciples(Design Principles)
                                    Design for business requirements["**Design for business requirements:**
                                    Gather business requirements with a focus on the intended utility of the workload."]
                                    Design for resilience["**Design for resilience:**
                                    The workload must continue to operate with full or reduced functionality."]
                                    Design for recovery["**Design for recovery:**
                                    The workload must be able to anticipate and recover from most failures, of all magnitudes, with minimal disruption to the user experience and business objectives."]
                                    Design for operations["**Design for operations:**
                                    Shift left in operations to anticipate failure conditions."]
                                    Keep it simple["**Keep it simple:**
                                    Avoid overengineering the architecture design, application code, and operations."]
                            Security(Security)
                                DesignPrinciples(Design Principles)
                                    Plan your security readiness["**Plan your security readiness:**
                                    Strive to adopt and implement security practices in architectural design decisions and operations with minimal friction."]
                                    Design to protect confidentiality["**Design to protect confidentiality:**
                                    Prevent exposure to privacy, regulatory, application, and proprietary information through access restrictions and obfuscation techniques."]
                                    Design to protect integrity["**Design to protect integrity:**
                                    Prevent corruption of design, implementation, operations, and data to avoid disruptions that can stop the system from delivering its intended utility or cause it to operate outside the prescribed limits. The system should provide information assurance throughout the workload lifecycle."]
                                    Design to protect availability["**Design to protect availability:**
                                    Prevent or minimize system and workload downtime and degradation in the event of a security incident by using strong security controls. You must maintain data integrity during the incident and after the system recovers."]
                                    Sustain and evolve your security posture["**Sustain and evolve your security posture:**
                                    Incorporate continuous improvement and apply vigilance to stay ahead of attackers who are continuously evolving their attack strategies."]
                            CostOptimization(Cost Optimization)
                                DesignPrinciples(Design Principles)
                                    Develop cost-management discipline["**Develop cost-management discipline:**
                                    Build a team culture that has awareness of budget, expenses, reporting, and cost tracking."]
                                    Design with a cost-efficiency mindset["**Design with a cost-efficiency mindset:**
                                    Spend only on what you need to achieve the highest return on your investments."]
                                    Design for usage optimization["**Design for usage optimization:**
                                    Maximize the use of resources and operations. Apply them to the negotiated functional and nonfunctional requirements of the solution."]
                                    Design for rate optimization["**Design for rate optimization:**
                                    Increase efficiency without redesigning, renegotiating, or sacrificing functional or nonfunctional requirements."]
                                    Monitor and optimize over time["**Monitor and optimize over time:**
                                    Continuously right-size investment as your workload evolves with the ecosystem."]
                            OperationalExcellence(Operational Excellence)
                                DesignPrinciples(Design Principles)
                                    Embrace DevOps culture["**Embrace DevOps culture:**
                                    Empower development and operations teams to continuously improve their system design and processes by working together with a mindset of collaboration, shared responsibility, and ownership."]
                                    Establish development standards["**Establish development standards:**
                                    Optimize productivity by standardizing development practices, enforcing quality gates, and tracking progress and success through systematic change management."]
                                    Evolve operations with observability["**Evolve operations with observability:**
                                    Gain visibility into the system, derive insight, and make data-driven decisions."]
                                    Deploy with confidence["**Deploy with confidence:**
                                    Reach the desired state of deployment with predictability."]
                                    Automate for efficiency["**Automate for efficiency:**
                                    Replace repetitive manual tasks with software automation that completes them quicker, with greater consistency and accuracy, and reduces risks."]
                                    Adopt safe deployment practices["**Adopt safe deployment practices:**
                                    Implement guardrails in the deployment process to minimize the effect of errors or unexpected conditions."]
                            PerformanceEfficiency(Performance Efficiency)
                                DesignPrinciples(Design Principles)
                                    Negotiate realistic performance targets["**Negotiate realistic performance targets:**
                                    The intended user experience is defined, and there's a strategy to develop a benchmark and measure targets against the pre-established business requirements."]
                                    Design to meet capacity requirements["**Design to meet capacity requirements:**
                                    Provide enough supply to address anticipated demand."]
                                    Achieve and sustain performance["**Achieve and sustain performance:**
                                    Protect against performance degradation while the system is in use and as it evolves."]
                                    Improve efficiency through optimization["**Improve efficiency through optimization:**
                                    Improve system efficiency within the defined performance targets to increase workload value."]

                    English Mermaid Live Editor

                    Spanish Mermaid Live Editor

                    Microsoft Well-Architected Framework Pillars Tradeoffs Mind Map

                    For when materials renders it correctly:

                    mindmap
                        root((Pillars))
                            Reliability(Reliability)
                                Tradeoffs(Tradeoffs)
                                    Reliability tradeoffs with Security["`**Reliability tradeoffs with Security**`"]
                                        Tradeoff: Increased workload surface area. The Security pillar prioritizes a reduced and contained surface area to minimize attack vectors and reduce the management of security controls.["`**Tradeoff: Increased workload surface area.** The Security pillar prioritizes a reduced and contained surface area to minimize attack vectors and reduce the management of security controls.`"]
                                        Tradeoff: Security control bypass. The Security pillar recommends that all controls remain active in both normal and stressed systems.["`**Tradeoff: Security control bypass.** The Security pillar recommends that all controls remain active in both normal and stressed systems.`"]
                                        Tradeoff: Old software versions. The Security pillar encourages a *get current, stay current* approach to vendor security patches.["`**Tradeoff: Old software versions.** The Security pillar encourages a *get current, stay current* approach to vendor security patches.`"]
                                    Reliability tradeoffs with Cost Optimization["`**Reliability tradeoffs with Cost Optimization**`"]
                                        Tradeoff: Increased implementation redundancy or waste. A cost-optimized workload minimizes underutilized resources and avoids over-provisioning resources.["`**Tradeoff: Increased implementation redundancy or waste.** A cost-optimized workload minimizes underutilized resources and avoids over-provisioning resources.`"]
                                        Tradeoff: Increased investment in operations that aren't aligned with functional requirements. One approach to cost optimization is evaluating the value that's provided by any deployed solution.["`**Tradeoff: Increased investment in operations that aren't aligned with functional requirements.** One approach to cost optimization is evaluating the value that's provided by any deployed solution.`"]
                                    Reliability tradeoffs with Operational Excellence["`**Reliability tradeoffs with Operational Excellence**`"]
                                        Tradeoff: Increased operational complexity. Operational Excellence, like Reliability itself, prioritizes simplicity.["`**Tradeoff: Increased operational complexity.** Operational Excellence, like Reliability itself, prioritizes simplicity.`"]
                                        Tradeoff: Increased effort to generate team knowledge and awareness. The Operational Excellence pillar recommends keeping and maintaining a documentation repository for procedures and topologies.["`**Tradeoff: Increased effort to generate team knowledge and awareness.** The Operational Excellence pillar recommends keeping and maintaining a documentation repository for procedures and topologies.`"]
                                    Reliability tradeoffs with Performance Efficiency["`**Reliability tradeoffs with Performance Efficiency**`"]
                                        Tradeoff: Increased latency. Performance Efficiency requires a system to achieve performance targets for user and data flows.["`**Tradeoff: Increased latency.** Performance Efficiency requires a system to achieve performance targets for user and data flows.`"]
                                        Tradeoff: Increased over-provisioning. The Performance Efficiency pillar discourages over-provisioning, instead recommending the use of just enough resources to satisfy demand.["`**Tradeoff: Increased over-provisioning.** The Performance Efficiency pillar discourages over-provisioning, instead recommending the use of just enough resources to satisfy demand.`"]
                            Security(Security)
                                Tradeoffs(Tradeoffs)
                                    Security tradeoffs with Reliability["`**Security tradeoffs with Reliability**`"]
                                        Tradeoff: Increased complexity. The Reliability pillar prioritizes simplicity and recommends that points of failure are minimized.["`**Tradeoff: Increased complexity.** The Reliability pillar prioritizes simplicity and recommends that points of failure are minimized.`"]
                                        Tradeoff: Increased critical dependencies. The Reliability pillar recommends minimizing critical dependencies. A workload that minimizes critical dependencies, especially external ones, has more control over its points of failure.["`**Tradeoff: Increased critical dependencies.** The Reliability pillar recommends minimizing critical dependencies. A workload that minimizes critical dependencies, especially external ones, has more control over its points of failure.`"]
                                        Tradeoff: Increased complexity of disaster recovery. A workload must reliably recover from all forms of disaster.["`**Tradeoff: Increased complexity of disaster recovery.** A workload must reliably recover from all forms of disaster.`"]
                                        Tradeoff: Increased rate of change. A workload that experiences runtime change is exposed to more risk of reliability impact due to that change.["`**Tradeoff: Increased rate of change.** A workload that experiences runtime change is exposed to more risk of reliability impact due to that change.`"]
                                    Security tradeoffs with Cost Optimization["`**Security tradeoffs with Cost Optimization**`"]
                                        Tradeoff: Additional infrastructure. One approach to cost optimizing a workload is to look for ways to reduce the diversity and number of components and increase density.["`**Tradeoff: Additional infrastructure.** One approach to cost optimizing a workload is to look for ways to reduce the diversity and number of components and increase density.`"]
                                        Tradeoff: Increased demand on infrastructure. The Cost Optimization pillar prioritizes driving down demand on resources to enable the use of cheaper SKUs, fewer instances, or reduced consumption.["`**Tradeoff: Increased demand on infrastructure.** The Cost Optimization pillar prioritizes driving down demand on resources to enable the use of cheaper SKUs, fewer instances, or reduced consumption.`"]
                                        Tradeoff: Increased process and operational costs. Personnel process costs are part of the overall total cost of ownership and are factored into a workload's return on investment. Optimizing these costs is a recommendation of the Cost Optimization pillar.["`**Tradeoff: Increased process and operational costs.** Personnel process costs are part of the overall total cost of ownership and are factored into a workload's return on investment. Optimizing these costs is a recommendation of the Cost Optimization pillar.`"]
                                    Security tradeoffs with Operational Excellence["`**Security tradeoffs with Operational Excellence**`"]
                                        Tradeoff: Complications in observability and serviceability. Operational Excellence requires architectures to be serviceable and observable. The most serviceable architectures are those that are the most transparent to everyone involved.["`**Tradeoff: Complications in observability and serviceability.** Operational Excellence requires architectures to be serviceable and observable. The most serviceable architectures are those that are the most transparent to everyone involved.`"]
                                        Tradeoff: Decreased agility and increased complexity. Workload teams measure their velocity so that they can improve the quality, frequency, and efficiency of delivery activities over time. Workload complexity factors into the effort and risk involved in operations.["`**Tradeoff: Decreased agility and increased complexity.** Workload teams measure their velocity so that they can improve the quality, frequency, and efficiency of delivery activities over time. Workload complexity factors into the effort and risk involved in operations.`"]
                                        Tradeoff: Increased coordination efforts. A team that minimizes external points of contact and review can control their operations and timeline more effectively.["`**Tradeoff: Increased coordination efforts.** A team that minimizes external points of contact and review can control their operations and timeline more effectively.`"]
                                    Security tradeoffs with Performance Efficiency["`**Security tradeoffs with Performance Efficiency**`"]
                                        Tradeoff: Increased latency and overhead. A performant workload reduces latency and overhead.["`**Tradeoff: Increased latency and overhead.** A performant workload reduces latency and overhead.`"]
                                        Tradeoff: Increased chance of misconfiguration. Reliably meeting performance targets depends on predictable implementations of the design.["`**Tradeoff: Increased chance of misconfiguration.** Reliably meeting performance targets depends on predictable implementations of the design.`"]
                            Cost Optimization["Cost Optimization"]
                                Tradeoffs(Tradeoffs)
                                    Cost Optimization tradeoffs with Reliability["`**Cost Optimization tradeoffs with Reliability**`"]
                                        Tradeoff: Reduced resiliency. A workload incorporates resiliency measures to attempt to avoid and withstand specific types and quantities of malfunction.["`**Tradeoff: Reduced resiliency.** A workload incorporates resiliency measures to attempt to avoid and withstand specific types and quantities of malfunction.`"]
                                        Tradeoff: Limited recovery strategy. A workload that's reliable has a tested incident response and recovery plan for disaster scenarios.["`**Tradeoff: Limited recovery strategy.** A workload that's reliable has a tested incident response and recovery plan for disaster scenarios.`"]
                                        Tradeoff: Increased complexity. A workload that uses straightforward approaches and avoids unnecessary or overengineered complexity is generally easier to manage in terms of reliability.["`**Tradeoff: Increased complexity.** A workload that uses straightforward approaches and avoids unnecessary or overengineered complexity is generally easier to manage in terms of reliability.`"]
                                    Cost Optimization tradeoffs with Security["`**Cost Optimization tradeoffs with Security**`"]
                                        Tradeoff: Reduced security controls. Security controls are established across multiple layers, sometimes redundantly, to provide defense in depth.["`**Tradeoff: Reduced security controls.** Security controls are established across multiple layers, sometimes redundantly, to provide defense in depth.`"]
                                        Tradeoff: Increased workload surface area. The Security pillar prioritizes a reduced and contained surface area to minimize attack vectors and the management of security controls.["`**Tradeoff: Increased workload surface area.** The Security pillar prioritizes a reduced and contained surface area to minimize attack vectors and the management of security controls.`"]
                                        Tradeoff: Removed segmentation. The Security pillar prioritizes strong segmentation to support the application of targeted security controls and to control the blast radius.["`**Tradeoff: Removed segmentation.** The Security pillar prioritizes strong segmentation to support the application of targeted security controls and to control the blast radius.`"]
                                    Cost Optimization tradeoffs with Operational Excellence["`**Cost Optimization tradeoffs with Operational Excellence**`"]
                                        Tradeoff: Compromised software development lifecycle capacities. A workload's SDLC process provides rigor, consistency, specificity, and prioritization to change management in a workload.["`**Tradeoff: Compromised software development lifecycle capacities.** A workload's SDLC process provides rigor, consistency, specificity, and prioritization to change management in a workload.`"]
                                        Tradeoff: Reduced observability. Observability is necessary to help ensure that a workload has meaningful alerting and successful incident response.["`**Tradeoff: Reduced observability.** Observability is necessary to help ensure that a workload has meaningful alerting and successful incident response.`"]
                                        Tradeoff: Deferred maintenance. Workload teams are expected to keep code, tooling, software packages, and operating systems patched and up to date in a timely and orderly way.["`**Tradeoff: Deferred maintenance.** Workload teams are expected to keep code, tooling, software packages, and operating systems patched and up to date in a timely and orderly way.`"]
                                    Cost Optimization tradeoffs with Performance Efficiency["`**Cost Optimization tradeoffs with Performance Efficiency**`"]
                                        Tradeoff: Underprovisioned or underscaled resources. A performance-efficient workload has enough resources to serve demand but doesn't have excessive unused overhead, even when usage patterns fluctuate.["`**Tradeoff: Underprovisioned or underscaled resources.** A performance-efficient workload has enough resources to serve demand but doesn't have excessive unused overhead, even when usage patterns fluctuate.`"]
                                        Tradeoff: Lack of optimization over time. Evaluating the effects of changes in functionality, changes in usage patterns, new technologies, and different approaches on the workload is one way to try to increase efficiency.["`**Tradeoff: Lack of optimization over time.** Evaluating the effects of changes in functionality, changes in usage patterns, new technologies, and different approaches on the workload is one way to try to increase efficiency.`"]
                            Operational Excellence["Operational Excellence"]
                                Tradeoffs(Tradeoffs)
                                    Operational Excellence tradeoffs with Reliability["`**Operational Excellence tradeoffs with Reliability**`"]
                                        Tradeoff: Increased complexity. Reliability prioritizes simplicity, because simple design minimizes misconfiguration and reduces unexpected interactions.["`**Tradeoff: Increased complexity.** Reliability prioritizes simplicity, because simple design minimizes misconfiguration and reduces unexpected interactions.`"]
                                        Tradeoff: Increased potentially destabilizing activities. The Reliability pillar encourages the avoidance of activities or design choices that can destabilize a system and lead to disruptions, outages, or malfunctions.["`**Tradeoff: Increased potentially destabilizing activities.** The Reliability pillar encourages the avoidance of activities or design choices that can destabilize a system and lead to disruptions, outages, or malfunctions.`"]
                                    Operational Excellence tradeoffs with Security["`**Operational Excellence tradeoffs with Security**`"]
                                        Tradeoff: Increased surface area. The Security pillar recommends a reduced workload surface area in terms of components and exposure to operations. This reduction minimizes attack vectors and produces a smaller scope for security control and testing.["`**Tradeoff: Increased surface area.** The Security pillar recommends a reduced workload surface area in terms of components and exposure to operations. This reduction minimizes attack vectors and produces a smaller scope for security control and testing.`"]
                                        Tradeoff: Increased desire for transparency. A secure workload is based on designs that protect the confidentiality of data that flows through the components of the system.["`**Tradeoff: Increased desire for transparency.** A secure workload is based on designs that protect the confidentiality of data that flows through the components of the system.`"]
                                        Tradeoff: Reduced segmentation. A key security approach for isolating access and function is to design a strong segmentation strategy. This design is implemented through resource isolation and identity controls.["`**Tradeoff: Reduced segmentation.** A key security approach for isolating access and function is to design a strong segmentation strategy. This design is implemented through resource isolation and identity controls.`"]
                                    Operational Excellence tradeoffs with Cost Optimization["`**Operational Excellence tradeoffs with Cost Optimization**`"]
                                        Tradeoff: Increased resource spending. A major cost driver for a workload is the cost of its resources. Deploying fewer resources, right-sizing resources, and reducing consumption generally helps keep costs low.["`**Tradeoff: Increased resource spending.** A major cost driver for a workload is the cost of its resources. Deploying fewer resources, right-sizing resources, and reducing consumption generally helps keep costs low.`"]
                                        Tradeoff: Decreased focus on delivery activities. Workload team members deliver increased workload value by efficiently performing tasks that are aligned to their capabilities.["`**Tradeoff: Decreased focus on delivery activities.** Workload team members deliver increased workload value by efficiently performing tasks that are aligned to their capabilities.`"]
                                        Tradeoff: Increased tooling demands and diversity. The Cost Optimization pillar recommends the reduction of tooling sprawl, consolidation of vendors, and a right-sized approach to all tooling purchases.["`**Tradeoff: Increased tooling demands and diversity.** The Cost Optimization pillar recommends the reduction of tooling sprawl, consolidation of vendors, and a right-sized approach to all tooling purchases.`"]
                                    Operational Excellence tradeoffs with Performance Efficiency["`**Operational Excellence tradeoffs with Performance Efficiency**`"]
                                        Tradeoff: Increased resource utilization. The Performance Efficiency pillar recommends the allocation of as much of the available compute and network as possible to the requirements of the workload.["`**Tradeoff: Increased resource utilization.** The Performance Efficiency pillar recommends the allocation of as much of the available compute and network as possible to the requirements of the workload.`"]
                                        Tradeoff: Increased latency. To create performant workloads, teams look for ways to reduce the time and resources that workloads consume to perform their tasks.["`**Tradeoff: Increased latency.** To create performant workloads, teams look for ways to reduce the time and resources that workloads consume to perform their tasks.`"]
                            Performance Efficiency("Performance Efficiency")
                                Tradeoffs(Tradeoffs)
                                    Performance Efficiency tradeoffs with Reliability["`**Performance Efficiency tradeoffs with Reliability**`"]
                                        Tradeoff: Reduced replication and increased density. A cornerstone of reliability is ensuring resilience by using replication and limiting the blast radius of malfunctions.["`**Tradeoff: Reduced replication and increased density.** A cornerstone of reliability is ensuring resilience by using replication and limiting the blast radius of malfunctions.`"]
                                        Tradeoff: Increased complexity. Reliability prioritizes simplicity.["`**Tradeoff: Increased complexity.** Reliability prioritizes simplicity.`"]
                                        Tradeoff: Testing and observation on active environments. Avoiding the unnecessary use of production systems is a self-preservation approach for reliability.["`**Tradeoff: Testing and observation on active environments.** Avoiding the unnecessary use of production systems is a self-preservation approach for reliability.`"]
                                    Performance Efficiency tradeoffs with Security["`**Performance Efficiency tradeoffs with Security**`"]
                                        Tradeoff: Reduction of security controls. Security controls are established across multiple layers, sometimes redundantly, to provide defense in depth.["`**Tradeoff: Reduction of security controls.** Security controls are established across multiple layers, sometimes redundantly, to provide defense in depth.`"]
                                        Tradeoff: Increased workload surface area. Security prioritizes a reduced and contained surface area to minimize attack vectors and reduce the management of security controls.["`**Tradeoff: Increased workload surface area.** Security prioritizes a reduced and contained surface area to minimize attack vectors and reduce the management of security controls.`"]
                                        Tradeoff: Removing segmentation. The Security pillar prioritizes strong segmentation to enable fine-grained security controls and reduce blast radius.["`**Tradeoff: Removing segmentation.** The Security pillar prioritizes strong segmentation to enable fine-grained security controls and reduce blast radius.`"]
                                    Performance Efficiency tradeoffs with Cost Optimization["`**Performance Efficiency tradeoffs with Cost Optimization**`"]
                                        Tradeoff: Too much supply for demand. Both Cost Optimization and Performance Efficiency prioritize having just enough supply to serve demand.["`**Tradeoff: Too much supply for demand.** Both Cost Optimization and Performance Efficiency prioritize having just enough supply to serve demand.`"]
                                        Tradeoff: More components. One cost optimization technique is to consolidate with a smaller number of resources by increasing density, removing duplication, and co-locating functionality.["`**Tradeoff: More components.** One cost optimization technique is to consolidate with a smaller number of resources by increasing density, removing duplication, and co-locating functionality.`"]
                                        Tradeoff: Increased investment on items that aren't aligned with functional requirements. One approach to cost optimization is evaluating the value provided by any solution that's deployed.["`**Tradeoff: Increased investment on items that aren't aligned with functional requirements.** One approach to cost optimization is evaluating the value provided by any solution that's deployed.`"]
                                    Performance Efficiency tradeoffs with Operational Excellence["`**Performance Efficiency tradeoffs with Operational Excellence**`"]
                                        Tradeoff: Reduced observability. Observability is necessary to provide a workload with meaningful alerting and help ensure successful incident response.["`**Tradeoff: Reduced observability.** Observability is necessary to provide a workload with meaningful alerting and help ensure successful incident response.`"]
                                        Tradeoff: Increased complexity in operations. A complex environment has more complex interactions and a higher likelihood of a negative impact from routine, ad hoc, and emergency operations.["`**Tradeoff: Increased complexity in operations.** A complex environment has more complex interactions and a higher likelihood of a negative impact from routine, ad hoc, and emergency operations.`"]
                                        Tradeoff: Culture stress. Operational Excellence is rooted in a culture of blamelessness, respect, and continuous improvement.["`**Tradeoff: Culture stress.** Operational Excellence is rooted in a culture of blamelessness, respect, and continuous improvement.`"]

                    English Mermaid Live Editor

                    Spanish Mermaid Live Editor

                    ","tags":["Azure Well-Architected Framework"]},{"location":"blog/2023/11/21/azure-well-architected-framework-waf-mind-maps/#references","title":"References","text":"
                    • Microsoft Well-Architected Framework pillars
                    ","tags":["Azure Well-Architected Framework"]},{"location":"blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/","title":"Comparing Container Apps with other Azure container options","text":"","tags":["Azure Container Apps"]},{"location":"blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/#container-option-comparisons","title":"Container option comparisons","text":"
                    | Service | Primary Use | Advantages | Disadvantages |
                    |---|---|---|---|
                    | Azure Container Apps | Building serverless microservices and jobs based on containers | Optimized for general purpose containers. Provides a fully managed experience based on best-practices. | Doesn't provide direct access to Kubernetes APIs. |
                    | Azure App Service | Fully managed hosting for web applications including websites and web APIs | Integrated with other Azure services. Ideal option for building web apps. | Might not be suitable for non-web applications. |
                    | Azure Container Instances | Provides a single isolated container on demand | It's a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs. | Concepts like scale, load balancing, and certificates are not provided. |
                    | Azure Kubernetes Service | Provides a fully managed Kubernetes option in Azure | Supports any Kubernetes workload. Complete control over cluster configurations and operations. | Requires management of the full cluster within your subscription. |
                    | Azure Functions | Serverless Functions-as-a-Service (FaaS) solution | Optimized for running event-driven applications using the functions programming model. | Limited to ephemeral functions deployed as either code or containers. |
                    | Azure Spring Apps | Fully managed service for Spring developers | Service manages the infrastructure of Spring applications allowing developers to focus on their code. | Only suitable for running Spring-based applications. |
                    | Azure Red Hat OpenShift | Jointly engineered, operated, and supported by Red Hat and Microsoft to provide an integrated product and support experience | Offers built-in solutions for automated source code management, container and application builds, deployments, scaling, health management. | Dependent on OpenShift. If your team or organization is not using OpenShift, this may not be the ideal option. |

                    Please note that the advantages and disadvantages may vary according to specific use cases.

                    ","tags":["Azure Container Apps"]},{"location":"blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/#references","title":"References","text":"
                    • Azure Container Apps https://learn.microsoft.com/en-us/azure/container-apps/compare-options
                    ","tags":["Azure Container Apps"]},{"location":"blog/2023/11/30/azure-updates-rss-feed/","title":"Azure updates RSS feed","text":"

                    All the Azure updates in one place.

                    • All
                    "},{"location":"blog/2023/11/30/azure-updates-rss-feed/#by-category","title":"By category","text":"
                    • Featured

                    • AI + Machine Learning

                    • Analytics

                    • Blockchain

                    • Compute

                    • Containers

                    • Databases

                    • Developer Tools

                    • DevOps

                    • Hybrid + multicloud

                    • Identity

                    • Integration

                    • Internet of Things

                    • Management

                    • Media

                    • Migration

                    • Mixed Reality

                    • Mobile

                    • Networking

                    • Security

                    • Storage

                    • Virtual desktop infrastructure

                    • Web

                    "},{"location":"blog/2023/11/30/azure-updates-rss-feed/#custom","title":"Custom","text":"

                    https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=category1%2Ccategory2%2Ccategory3

                    For example:

                    https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=featured%2Cai-machine-learning%2Canalytics

                    "},{"location":"blog/2023/12/01/azure-functions/","title":"Azure Functions","text":"","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#introduction","title":"Introduction","text":"

                    Azure Functions is a serverless compute service provided by Microsoft Azure. This analysis aims to provide a comprehensive understanding of Azure Functions, its architecture, deployment, scalability, security, and more.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#service-overview","title":"Service Overview","text":"

                    Azure Functions allows developers to run small pieces of code (called \"functions\") without worrying about application infrastructure. With Azure Functions, the cloud infrastructure provides all the up-to-date servers needed to keep your applications running at scale.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#architecture-and-components","title":"Architecture and Components","text":"

                    Azure Functions is built on an event-driven, compute-on-demand experience that extends the existing Azure application platform with capabilities to implement code triggered by events occurring in Azure or third-party services.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#deployment-and-configuration","title":"Deployment and Configuration","text":"

                    Azure Functions can be deployed using the Azure portal, Azure Resource Manager (ARM) templates, or the Azure Command-Line Interface (CLI). Configuration settings can be managed through environment variables and application settings.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#scalability-and-performance","title":"Scalability and Performance","text":"

                    Azure Functions supports auto-scaling based on the load, ensuring optimal performance. It also provides features like load balancing to distribute incoming traffic across multiple instances of a function app.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#security-and-compliance","title":"Security and Compliance","text":"

                    Azure Functions provides built-in authentication and authorization support. It also supports network isolation with Azure Virtual Network (VNet) and encryption of data at rest and in transit. Azure Functions complies with key international and industry-specific compliance standards like ISO, SOC, and GDPR.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#monitoring-and-logging","title":"Monitoring and Logging","text":"

                    Azure Functions integrates with Azure Monitor and Application Insights for monitoring and logging. It provides real-time information on how your function app is performing and where your application is spending its time.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#use-cases-and-examples","title":"Use Cases and Examples","text":"

                    Azure Functions is commonly used for processing data, integrating systems, working with the internet-of-things (IoT), and building simple APIs and microservices.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#best-practices-and-tips","title":"Best Practices and Tips","text":"

                    When using Azure Functions, it's recommended to keep functions small and focused on a single task. Also, avoid long-running functions as they may cause unexpected timeout issues.

                    If you are using long-running functions, consider using Durable Functions, which are an extension of Azure Functions that lets you write stateful functions in a serverless environment.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#conclusion","title":"Conclusion","text":"

                    Azure Functions is a powerful service for running event-driven applications at scale. It offers a wide range of features and capabilities that can meet the needs of almost any application. We encourage you to explore Azure Functions further and see how it can benefit your applications.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/","title":"Instalar WSL2 en Windows 11 con chocolatey","text":"","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/#introduccion","title":"Introducci\u00f3n","text":"

                    Windows Subsystem for Linux (WSL) is a Windows 11 feature that lets you run a Linux environment on Windows. WSL2 is the second version of WSL; it ships a full Linux kernel and offers better performance than WSL1. This guide walks through installing WSL2 on Windows 11 step by step.

                    ","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/#pasos-a-seguir","title":"Pasos a seguir","text":"","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/#1-instalar-chocolatey","title":"1. Instalar Chocolatey","text":"

                    Chocolatey is a package manager for Windows that simplifies installing and managing software. To install Chocolatey, follow these steps:

                    1. Open PowerShell as administrator.

                    2. Run the following command to install Chocolatey:

                    Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))\n
                    3. Wait for the Chocolatey installation to complete.
                    ","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/#2-instalar-wsl2","title":"2. Instalar WSL2","text":"

                    To install WSL2 on Windows 11, follow these steps:

                    1. Open PowerShell as administrator.

                    2. Run the following command to install WSL2:

                    choco install wsl2\n
                    3. Wait for the WSL2 installation to complete.

                    ","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/#3-configurar-wsl2","title":"3. Configurar WSL2","text":"

                    To configure WSL2 on Windows 11, follow these steps:

                    1. Open PowerShell as administrator.

                    2. Run the following command to set WSL2 as the default version:

                    wsl --set-default-version 2\n
                    3. Restart your computer to apply the changes.
                    ","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/#4-instalar-una-distribucion-de-linux","title":"4. Instalar una distribuci\u00f3n de Linux","text":"

                    To install a Linux distribution on WSL2, follow these steps:

                    1. Open PowerShell.

                    2. Find the Linux distribution you want to install (for example, Ubuntu, Debian, Fedora):

                    wsl --list --online\n
                    3. Run the following command to install the selected Linux distribution:
                    wsl --install -d <nombre de la distribuci\u00f3n>\n
                    4. Wait for the Linux distribution installation to complete.
                    ","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/#5-iniciar-wsl2","title":"5. Iniciar WSL2","text":"

                    To start WSL2 on Windows 11, follow these steps:

                    1. Open PowerShell.

                    2. Run the following command to start the installed Linux distribution:

                    wsl\n
                    ","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/#referencias","title":"Referencias","text":"
                    • Chocolatey
                    • What is the Windows Subsystem for Linux?
                    ","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/","title":"Depurar logs de OneDrive para detectar problemas de sincronizaci\u00f3n","text":"

                    You need WSL2

                    To follow this tutorial you need WSL2 installed on your machine; if you don't have it yet, follow this tutorial: Install WSL2 on Windows 11 with Chocolatey

                    ","tags":["OneDrive for Business"]},{"location":"blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/#introduccion","title":"Introducci\u00f3n","text":"

                    I've had a few files stuck in sync pending on my OneDrive for Business for a few days with no apparent reason, so I decided to investigate a bit and share how I solved the problem.

                    The first thing is to follow the Microsoft documentation below, which may be useful for anyone with OneDrive sync problems:

                    Fix OneDrive sync problems

                    But if that doesn't work, you can get more information from the OneDrive logs.

                    ","tags":["OneDrive for Business"]},{"location":"blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/#pasos-a-seguir","title":"Pasos a seguir","text":"","tags":["OneDrive for Business"]},{"location":"blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/#1-acceder-a-los-logs-de-onedrive","title":"1. Acceder a los logs de OneDrive","text":"

                    To access the OneDrive logs, follow these steps:

                    1. Open File Explorer.
                    2. Click the up arrow in the address bar.
                    3. Paste the following path into the address bar and press Enter:
                    Business:
                    %localappdata%\\Microsoft\\OneDrive\\logs\\Business1\n
                    Personal:
                    %localappdata%\\Microsoft\\OneDrive\\logs\\Personal\n

                    Now select the most recent log files and copy them to a directory. The files may have the extension .odl, .odlgz, .odlsent or .aold; also include the ObfuscationStringMap.txt or general.keystore file.

                    ","tags":["OneDrive for Business"]},{"location":"blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/#2-instalar-el-visor-de-logs-de-onedrive","title":"2. Instalar el visor de logs de OneDrive","text":"

                    To install the OneDrive log viewer, follow these steps:

                    Download https://raw.githubusercontent.com/ydkhatri/OneDrive/main/odl.py and run the following commands:

                    pip3 install pycryptodome\npip3 install construct\npython odl.py -o <ruta de salida>/fichero.csv <ruta de los logs>\n

                    For example:

                    python3 odl.py -o output/fichero.csv input/\nWARNING: Multiple instances of some keys were found in the ObfuscationMap.\nRead 40493 items from map\nRecovered Unobfuscation key Churreradenumneros, version=1, utf_type=utf16\nSearching  /mnt/c/Users/userdemo/Escritorio/input/SyncEngine-2023-09-04.0637.32.2.odl\nWrote 821 rows\nSearching  /mnt/c/Users/userdemo/Escritorio/input/FileCoAuth-2023-09-03.0804.13536.1.odlgz\nWrote 203 rows\nSearching  /mnt/c/Users/userdemo/Escritorio/input/FileCoAuth-2023-09-03.0804.14112.1.odlgz\n.......\n............\n...............\nWrote 872 rows\nFinished processing files, output is at output/fichero.csv\nuserdemo@DESKTOP:/mnt/c/Users/userdemo/Escritorio$\n
                    ","tags":["OneDrive for Business"]},{"location":"blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/#3-analizar-los-logs","title":"3. Analizar los logs","text":"

                    Once the CSV file has been generated, you can open it with Excel or any text editor to analyze the logs and detect sync problems; search for error or warn to find out what may be causing the problem.
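                    When the CSV has thousands of rows, a small script is quicker than scrolling through Excel. The following is an added example (not part of the original post and not code from the odl.py project): it reads the exported CSV, keeps the rows where any column mentions error or warn, and tallies them by source log file. The column names in the constructed sample (File, Timestamp, Code_File, Function, Params_Decoded) are an assumption for this example; odl.py's real header may differ, which is why the filter looks at every column rather than a fixed one.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of what an odl.py CSV export might look like. The column
# names are an assumption for this example, not odl.py's documented header;
# the filter below does not depend on them.
SAMPLE_CSV = """File,Timestamp,Code_File,Function,Params_Decoded
SyncEngine-2023-09-04.0637.32.2.odl,2023-09-04 06:37:40,SyncEngine.cpp,UploadFile,"Upload started for Documents/report.docx"
SyncEngine-2023-09-04.0637.32.2.odl,2023-09-04 06:37:41,FileWriter.cpp,WriteFile,"ERROR: Unable to write file Documents/report.docx (disk write failed)"
SyncEngine-2023-09-04.0637.32.2.odl,2023-09-04 06:37:41,SyncEngine.cpp,ScheduleRetry,"Warning: retry scheduled for Documents/report.docx"
FileCoAuth-2023-09-03.0804.13536.1.odlgz,2023-09-03 08:04:15,CoAuth.cpp,SessionStart,"Session started"
FileCoAuth-2023-09-03.0804.13536.1.odlgz,2023-09-03 08:04:16,CoAuth.cpp,Heartbeat,"Heartbeat ok"
"""

# "error", "warn" and "warning" as whole words, case-insensitive.
PATTERN = re.compile(r"\b(error|warn(?:ing)?)\b", re.IGNORECASE)


def find_problems(csv_text, pattern=PATTERN):
    """Return (matching_rows, per_file_counts).

    A row matches when the pattern appears in any of its columns, so the
    function works whatever odl.py names the message column.  Rows are
    counted per source log file (column "File" if present) so you can see
    which component produced the noise.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    matches = []
    per_file = Counter()
    for row in reader:
        haystack = " ".join(v for v in row.values() if v)
        if pattern.search(haystack):
            matches.append(row)
            per_file[row.get("File", "unknown")] += 1
    return matches, per_file


def triage_file(path, pattern=PATTERN):
    """Same as find_problems, but for a CSV on disk (e.g. output/fichero.csv)."""
    with open(path, encoding="utf-8", errors="replace", newline="") as fh:
        return find_problems(fh.read(), pattern)


if __name__ == "__main__":
    rows, counts = find_problems(SAMPLE_CSV)
    print("matches per log file:")
    for name, n in counts.most_common():
        print(f"{n:5d}  {name}")
    print()
    for r in rows:
        print(r.get("Timestamp"), r.get("Function"), r.get("Params_Decoded"))
```

Run it against the real export with `triage_file("output/fichero.csv")`; pass a different regex (for instance one matching a file name you know is stuck) as `pattern` to narrow the search further.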

                    ","tags":["OneDrive for Business"]},{"location":"blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/#solucion","title":"Soluci\u00f3n","text":"

                    In my case, once I could read the OneDrive logs, I discovered that OneDrive could not write several files to disk; then I remembered that the other day my computer did not shut down properly.

                    After a chkdsk c: /F /R, end of story, everything works now; I hope someone finds this useful.

                    ","tags":["OneDrive for Business"]},{"location":"blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/#referencias","title":"Referencias","text":"
                    • https://github.com/ydkhatri/OneDrive/tree/main
                    ","tags":["OneDrive for Business"]},{"location":"blog/2024/02/24/azure-policy/","title":"Azure Policy","text":"

                    Azure Policy serves as a powerful tool for implementing governance across your Azure environment. It helps ensure resource consistency, regulatory compliance, security, cost management, and efficient operations.

                    As organizations leverage the power of Azure for their cloud infrastructure, ensuring governance, compliance, and security becomes paramount. Azure Policy, along with policies and initiatives, provides a robust framework to enforce and assess compliance with organizational standards and regulatory requirements. Let's delve into these concepts to understand how they work together.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/24/azure-policy/#azure-policy-overview","title":"Azure Policy Overview","text":"

                    Azure Policy is a service in Azure that allows you to create, assign, and manage policies. These policies enforce different rules and effects over resources, so those resources stay compliant with corporate standards and service-level agreements.

                    Azure Policy helps to address questions like:

                    • Are all virtual machines encrypted using Azure Disk Encryption?
                    • Are resources deployed only in certain Azure regions?
                    • Are specific tags applied to resources for tracking and organization?

                    Policies in Azure Policy are defined using JSON-based policy definitions. These definitions can be simple or complex, depending on the requirements. Once a policy is created, it can be assigned to specific scopes within Azure, such as subscriptions, resource groups, or even individual resources.

                    Info

                    It's important to recognize that with the introduction of Azure Arc, you can extend your policy-based governance across different cloud providers and even to your local datacenters.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/24/azure-policy/#policies","title":"Policies","text":"

                    Policies in Azure Policy are rules that enforce different requirements and effects on resources. These policies can be related to security, compliance, or management. For instance, you can have a policy that ensures all publicly accessible storage accounts are secured with a firewall or a policy that enforces a specific naming convention for virtual machines.

                    Key attributes of policies include:

                    • Effect: Determines what happens when the condition in the policy is met (e.g., deny the action, audit the action, append a tag).
                    • Condition: Defines when the policy is enforced based on properties of the resource being evaluated.
                    • Action: Specifies what happens when a resource violates the policy (e.g., deny deployment, apply audit).

                    Policies can be built-in (provided by Azure) or custom (defined by the organization). They play a vital role in maintaining compliance and security standards across Azure environments.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/24/azure-policy/#initiatives","title":"Initiatives","text":"

                    Initiatives in Azure Policy are collections of policies that are grouped together as a single unit. This simplifies the process of assigning multiple policies to different scopes simultaneously. Initiatives help in enforcing complex requirements and compliance standards by grouping related policies together.

                    graph TD;\n    A[Azure Policy] -->|Contains| B1[Policy 1]\n    A[Azure Policy] -->|Contains| B2[Policy 2]\n    A[Azure Policy] -->|Contains| B3[Policy 3]\n    A[Azure Policy] -->|Contains| B4[Policy 4]\n    B1[Policy 1] -->|Belongs to| C[Initiative 1]\n    B2[Policy 2] -->|Belongs to| C[Initiative 1]\n    B3[Policy 3] -->|Belongs to| D[Initiative 2]\n\n\n    classDef azurePolicy fill:#f9f,stroke:#333,stroke-width:2px;\n    classDef policy fill:#fc9,stroke:#333,stroke-width:2px;\n    classDef initiative fill:#9cf,stroke:#333,stroke-width:2px;\n\n    class A,B1,B2,B3,B4 azurePolicy;\n    class C,D initiative;\n    class D1,D2,E1,E2 policy;

                    Initiatives allow you to:

                    • Apply multiple policies at once to a scope (like a subscription or management group).
                    • Monitor compliance against a set of defined standards or regulations.
                    • Streamline governance by organizing policies logically.

                    By using initiatives, you can efficiently manage and enforce compliance with regulatory standards (e.g., CIS benchmarks, PCI DSS) or organizational best practices.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/24/azure-policy/#assignments","title":"Assignments","text":"

                    Assignments in Azure Policy are the mechanism to apply policies or initiatives to specific scopes within Azure. You can assign policies to subscriptions, resource groups, or even individual resources. Assignments help in enforcing governance and compliance standards across your Azure environment.

                    graph TD;\n    A[Azure Policy] -->|Contains| B1[Policy 1]\n    A[Azure Policy] -->|Contains| B2[Policy 2]\n    A[Azure Policy] -->|Contains| B3[Policy 3]\n    A[Azure Policy] -->|Contains| B4[Policy 4]\n    B1[Policy 1] -->|Belongs to| C[Initiative 1]\n    B2[Policy 2] -->|Belongs to| C[Initiative 1]\n    B3[Policy 3] -->|Belongs to| D[Initiative 2]\n    C[Initiative 1] -->|Assigned to| E[Subscription 1]\n    D[Initiative 2] -->|Assigned to| F[Resource Group 1]\n    B4[Policy 4] -->|Assigned to| G[Management Group 1]\n\n    classDef azurePolicy fill:#f9f,stroke:#333,stroke-width:2px;\n    classDef policy fill:#fc9,stroke:#333,stroke-width:2px;\n    classDef initiative fill:#9cf,stroke:#333,stroke-width:2px;\n    classDef assignment fill:#9f9,stroke:#333,stroke-width:2px;\n\n    class A,B1,B2,B3,B4 azurePolicy;\n    class C,D initiative;\n    class E,F,G assignment;\n    class D1,D2,E1,E2 policy;\n
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/24/azure-policy/#conclusion","title":"Conclusion","text":"

                    In conclusion, Azure Policy, policies, and initiatives are fundamental components of Azure's governance framework. They enable organizations to define and enforce rules for Azure resources, ensuring adherence to compliance standards, security protocols, and operational guidelines. By leveraging these capabilities, Azure users can maintain control over their cloud environment while promoting consistency and security across deployments. If you're looking to enhance governance and compliance within Azure, exploring Azure Policy, policies, and initiatives is a crucial step forward.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/24/azure-policy/#references","title":"References","text":"
                    • Azure Policy overview
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/azure-policy-defintion-schema/","title":"Azure Policy, defintion schema","text":"

                    This is the schema for the Azure Policy definition:

                    {\n    \"properties\": {\n        \"displayName\": {\n            \"type\": \"string\",\n            \"description\": \"The display name of the policy definition.\"\n        },\n        \"policyType\": {\n            \"type\": \"string\",\n            \"description\": \"The policy type of the policy definition.\"\n        },\n        \"mode\": {\n            \"type\": \"string\",\n            \"description\": \"The mode of the policy definition.\"\n        },\n        \"description\": {\n            \"type\": \"string\",\n            \"description\": \"The description of the policy definition.\"\n        },\n        \"metadata\": {\n            \"type\": \"object\",\n            \"description\": \"The metadata of the policy definition.\"\n        },\n        \"parameters\": {\n            \"type\": \"object\",\n            \"description\": \"The parameters of the policy definition.\"\n        },\n        \"policyRule\": {\n            \"type\": \"object\",\n            \"description\": \"The policy rule of the policy definition. If/then rule.\"\n        }\n    }\n}\n

                    You will also see other elements in the schema, such as id, type, and name; whether you need them depends on how you want to deploy the policy definition.

                    The full schema is in the Azure Policy definition schema reference.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/azure-policy-defintion-schema/#example","title":"Example","text":"

                    Here is an example of a policy definition:

                    {\n    \"properties\": {\n        \"displayName\": \"Require a tag and its value\",\n        \"policyType\": \"Custom\",\n        \"mode\": \"Indexed\",\n        \"description\": \"This policy requires a specific tag and its value.\",\n        \"metadata\": {\n            \"category\": \"Tags\"\n        },\n        \"parameters\": {\n            \"tagName\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Name\",\n                    \"description\": \"Name of the tag, such as 'environment'\"\n                }\n            },\n            \"tagValue\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Value\",\n                    \"description\": \"Value of the tag, such as 'production'\"\n                }\n            }\n        },\n        \"policyRule\": {\n            \"if\": {\n                \"field\": \"[concat('tags[', parameters('tagName'), ']')]\",\n                \"exists\": \"false\"\n            },\n            \"then\": {\n                \"effect\": \"deny\"\n            }\n        }\n    }\n}\n

                    This policy definition requires a specific tag and its value. If the tag does not exist, the policy denies the action.

                    As you can see, the most important part of the policy definition is the policy rule.

                    Note

                    The policy rule is where you describe the logic that enforces the policy.
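                    To make the if/then semantics concrete, here is an added example (not code from the original post and not Azure's own evaluation engine, which runs inside Azure Resource Manager): a small Python evaluator that applies the two policy rules shown in these posts (the `exists: false` form above and the `not`/`equals` form from the portal post) to constructed sample resources. It supports only the subset of the policy language those rules use (`field`, `exists`, `equals`, `not`, `allOf`, `anyOf`, `[parameters('x')]` and the `[concat(...)]` tag alias) and rejects anything else; the names `resolve`, `get_field`, `condition_matches`, `evaluate`, `PARAMS` and `SAMPLE_RESOURCES` are this example's own.

```python
import re
from typing import Any, Optional

# Constructed copies of the policyRule blocks from these posts, trimmed to what
# the evaluator needs (displayName, description and metadata play no role).
REQUIRE_TAG_EXISTS = {
    "mode": "Indexed",
    "policyRule": {
        "if": {"field": "[concat('tags[', parameters('tagName'), ']')]",
               "exists": "false"},
        "then": {"effect": "deny"},
    },
}

REQUIRE_TAG_VALUE = {
    "mode": "Indexed",
    "policyRule": {
        "if": {"not": {"field": "[concat('tags[', parameters('tagName'), ']')]",
                       "equals": "[parameters('tagValue')]"}},
        "then": {"effect": "deny"},
    },
}

# Assignment parameters and sample resources, constructed for this example.
PARAMS = {"tagName": "environment", "tagValue": "production"}
SAMPLE_RESOURCES = {
    "prod":     {"type": "Microsoft.Storage/storageAccounts", "tags": {"environment": "production"}},
    "dev":      {"type": "Microsoft.Storage/storageAccounts", "tags": {"environment": "dev"}},
    "untagged": {"type": "Microsoft.Storage/storageAccounts"},
}

PARAM_RE = re.compile(r"parameters\('([^']+)'\)")
LITERAL_RE = re.compile(r"'([^']*)'")


def resolve(expr: Any, params: dict) -> Any:
    """Resolve the subset of policy-language expressions used in these posts:
    plain literals, [parameters('x')] and [concat('a', parameters('x'), 'b')]."""
    if not isinstance(expr, str) or not (expr.startswith("[") and expr.endswith("]")):
        return expr  # a plain literal such as "false"
    inner = PARAM_RE.sub(lambda m: "'" + str(params[m.group(1)]) + "'", expr[1:-1])
    if inner.startswith("concat(") and inner.endswith(")"):
        return "".join(LITERAL_RE.findall(inner[len("concat("):-1]))
    whole = LITERAL_RE.fullmatch(inner)
    if whole:
        return whole.group(1)
    raise ValueError(f"unsupported expression: {expr}")


def get_field(resource: dict, field: str) -> Optional[Any]:
    """tags[name] reads one tag; anything else is a top-level property."""
    m = re.fullmatch(r"tags\[(.+)\]", field)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    return resource.get(field)


def condition_matches(cond: dict, resource: dict, params: dict) -> bool:
    if "not" in cond:
        return not condition_matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(condition_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource, params) for c in cond["anyOf"])
    value = get_field(resource, resolve(cond["field"], params))
    if "exists" in cond:
        want_present = str(resolve(cond["exists"], params)).lower() == "true"
        return (value is not None) == want_present
    if "equals" in cond:
        expected = resolve(cond["equals"], params)
        # Azure Policy compares strings case-insensitively; a missing field never equals.
        return value is not None and str(value).lower() == str(expected).lower()
    raise ValueError(f"unsupported condition: {sorted(cond)}")


def evaluate(definition: dict, resource: dict, params: dict) -> Optional[str]:
    """Return the effect (e.g. 'deny') when the rule's `if` block matches the
    resource, or None when the resource is compliant with the rule."""
    rule = definition["policyRule"]
    if condition_matches(rule["if"], resource, params):
        return str(rule["then"]["effect"]).lower()
    return None


if __name__ == "__main__":
    for label, definition in (("exists", REQUIRE_TAG_EXISTS), ("value", REQUIRE_TAG_VALUE)):
        for name, res in SAMPLE_RESOURCES.items():
            print(f"{label:6s} {name:9s} -> {evaluate(definition, res, PARAMS) or 'compliant'}")
```

The run makes the difference between the two rules visible: the `exists` rule lets a resource tagged environment=dev through, while the `not`/`equals` rule denies it, and both deny the untagged resource. Note also the `mode: Indexed` setting, which the evaluator ignores: in Azure it restricts evaluation to resource types that support tags and location.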

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/azure-policy-defintion-schema/#conclusion","title":"Conclusion","text":"

                    Understanding the schema for Azure Policy definitions is essential for creating and managing policies effectively. By defining the necessary attributes and rules, you can enforce compliance, security, and operational standards across your Azure environment. Leveraging the Azure Policy definition schema allows you to tailor policies to your organization's specific requirements and ensure consistent governance practices.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/azure-policy-defintion-schema/#references","title":"References","text":"
                    • Azure Policy definition schema
                    • Azure Policy
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/","title":"Writing Your First Policy in Azure with Portal","text":"

                    Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

                    In this post, we'll walk through the steps of creating your first policy in Azure.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/#prerequisites","title":"Prerequisites","text":"
                    1. An active Azure subscription.
                    2. Access to Azure portal.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/#step-1-open-azure-policy","title":"Step 1: Open Azure Policy","text":"
                    • Log in to the Azure portal.
                    • In the left-hand menu, click on All services.
                    • In the All services blade, search for Policy.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/#step-2-create-a-new-policy-definition","title":"Step 2: Create a New Policy Definition","text":"
                    • Click on Definitions under the Authoring section.
                    • Click on + Policy definition.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/#step-3-fill-out-the-policy-definition","title":"Step 3: Fill Out the Policy Definition","text":"

                    You will need to fill out several fields:

                    • Definition location: The location where the policy is stored.
                    • Name: This is a unique name for your policy.
                    • Description: A detailed description of what the policy does.
                    • Category: You can categorize your policy for easier searching and filtering.

                    The most important part of the policy definition is the policy rule itself. The policy rule is where you describe the logic that enforces the policy.

                    Here's an example of a simple policy rule that requires every indexed resource to carry a given tag with a given value, and denies creation or update of any resource that does not.

                    {\n    \"properties\": {\n        \"displayName\": \"Require a tag and its value\",\n        \"policyType\": \"Custom\",\n        \"mode\": \"Indexed\",\n        \"description\": \"This policy requires a specific tag and its value.\",\n        \"metadata\": {\n            \"category\": \"Tags\"\n        },\n        \"parameters\": {\n            \"tagName\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Name\",\n                    \"description\": \"Name of the tag, such as 'environment'\"\n                }\n            },\n            \"tagValue\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Value\",\n                    \"description\": \"Value of the tag, such as 'production'\"\n                }\n            }\n        },\n        \"policyRule\": {\n            \"if\": {\n                \"not\": {\n                    \"field\": \"[concat('tags[', parameters('tagName'), ']')]\",\n                    \"equals\": \"[parameters('tagValue')]\"\n                }\n            },\n            \"then\": {\n                \"effect\": \"deny\"\n            }\n        }\n    }\n}\n

                    In the portal, however, you add the properties directly in the form. You can't add displayName, policyType or metadata, because the portal adds those itself, so you only supply mode, parameters and policyRule. The policy definition could look like this:

                    • Definition location: Tenant Root Group
                    • Name: Require a tag and its value
                    • Description: This policy requires a specific tag and its value.
                    • Category: Tags
                    • POLICY RULE:
                    {\n\n        \"mode\": \"Indexed\", \n        \"parameters\": {\n            \"tagName\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Name\",\n                    \"description\": \"Name of the tag, such as 'environment'\"\n                }\n            },\n            \"tagValue\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Value\",\n                    \"description\": \"Value of the tag, such as 'production'\"\n                }\n            }\n        },\n        \"policyRule\": {\n            \"if\": {\n                \"not\": {\n                    \"field\": \"[concat('tags[', parameters('tagName'), ']')]\",\n                    \"equals\": \"[parameters('tagValue')]\"\n                    }\n                },\n            \"then\": {\n                \"effect\": \"deny\"\n            }\n        }\n}\n

                    Once you've filled out all the fields and written your policy rule, click on Save.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/#step-4-assign-the-policy","title":"Step 4: Assign the Policy","text":"
                    • Go back to the Policy service in the Azure portal.
                    • Click on Assignments under the Authoring section.
                    • Click on + Assign Policy.
                    • In Basics, fill out the following fields:
                      • Scope
                        • Scope: Select the scope where you want to assign the policy.
                        • Exclusions: Add any exclusions if needed.
                      • Basics
                        • Policy definition: Select the policy you created.
                        • Assignment name: A unique name for the assignment.
                        • Description: A detailed description of the assignment.
                        • Policy enforcement: Enabled.
                    • In Parameters: Fill out any parameters needed for the policy.
                    • In Non-compliance message: A message to display when a resource is non-compliant.
                    • Click on Review + create: Review the assignment and click on Create.

                    Congratulations! You've just created and assigned your first policy in Azure. It will now evaluate any new or existing resources within its scope.

                    Remember, Azure Policy is a powerful tool for maintaining compliance and managing your resources at scale. Happy coding!

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/writing-your-first-initiative-with-portal/","title":"Writing Your First Initiative with Portal","text":"

                    Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

                    In this post, we'll walk through the steps of creating your first initiative in Azure.

                    Info

                    You need to have a good understanding of Azure Policy before creating an initiative. If you're new to Azure Policy, check out our post on Azure Policy and Writing Your First Policy in Azure with Portal.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/writing-your-first-initiative-with-portal/#prerequisites","title":"Prerequisites","text":"
                    1. An active Azure subscription.
                    2. Access to Azure portal.
                    3. An Azure Policy defined in your subscription; if you don't have one, you can follow the steps in Writing Your First Policy in Azure with Portal.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/writing-your-first-initiative-with-portal/#step-1-open-azure-policy","title":"Step 1: Open Azure Policy","text":"
                    • Login to the Azure Portal.
                    • In the left-hand menu, click on All services.
                    • In the All services blade, search for Policy.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/writing-your-first-initiative-with-portal/#step-2-create-a-new-initiative-definition","title":"Step 2: Create a New Initiative Definition","text":"
                    • Click on Definitions under the Authoring section.
                    • Click on + Initiative definition.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/writing-your-first-initiative-with-portal/#step-3-fill-out-the-initiative-definition","title":"Step 3: Fill Out the Initiative Definition","text":"

                    You will need to fill out several fields:

                    • Basics:
                    • Initiative location: The location where the initiative is stored.
                    • Name: This is a unique name for your initiative.
                    • Description: A detailed description of what the initiative does.
                    • Category: You can categorize your initiative for easier searching and filtering.
                    • Policies:
                    • Add policy definition(s): Here you can add the policies that will be part of the initiative.
                    • Initiative parameters:
                    • Add parameter: Here you can add parameters that will be used in the initiative.
                    • Policy parameters:
                    • Add policy parameter: Here you can add parameters that will be used in the policies that are part of the initiative. You can use the parameters defined in the initiative as value for different policies.

                    • Click on Review + create: Review the initiative definition and click on Create.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/writing-your-first-initiative-with-portal/#step-4-assign-the-initiative","title":"Step 4: Assign the Initiative","text":"
                    • Go to Policy again.
                    • Go to Assignments under the Authoring section.
                    • Click on + Assign initiative.

                    You will need to fill out several fields:

                    • Basics:
                      • Scope: Select the scope where you want to assign the initiative.
                      • Initiative definition: Select the initiative you just created.
                      • Assignment name: A unique name for the assignment.
                      • Description: A detailed description of what the assignment does.
                      • Policy enforcement: Choose the enforcement mode for the assignment.
                    • Parameters:
                      • Add parameter: Initialize parameters that will be used in the initiative.
                    • Remediation:
                      • Auto-remediation: Enable or disable auto-remediation. This means that if a resource is not compliant, it will be remediated automatically. A later post will explain how to create a remediation task.
                    • Non-compliance messages:
                      • Non-compliance message: Define a message that will be shown when a resource is not compliant.

                    • Click on Review + create: Review the assignment and click on Create.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/writing-your-first-initiative-with-portal/#conclusion","title":"Conclusion","text":"

                    Creating an initiative in Azure Policy is a powerful way to group policies together and enforce them across your Azure environment. By defining initiatives, you can streamline governance, simplify compliance management, and ensure consistent application of policies to your resources. Start creating initiatives today to enhance the security, compliance, and operational efficiency of your Azure environment.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/","title":"Manage Azure Policy GitHub Action","text":"

                    It's recommended to review:

                    • Azure Policy
                    • Writing Your First Policy in Azure with Portal
                    • Writing Your First Initiative in Azure with Portal
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#overview","title":"Overview","text":"

                    The Manage Azure Policy GitHub Action empowers you to enforce organizational standards and assess compliance at scale using Azure policies. With this action, you can seamlessly integrate policy management into your CI/CD pipelines, ensuring that your Azure resources adhere to the desired policies.

                    Info

                    This project has not received any updates for some time, but it is still a simple option for developing your Azure Policies. Not everything is good, though: this deployment method has a major drawback, in that deletions must be done by hand :S

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#key-features","title":"Key Features","text":"
                    1. Customizable Workflows: GitHub workflows are highly customizable. You have complete control over the sequence in which Azure policies are rolled out. This flexibility enables you to follow safe deployment practices and catch regressions or bugs well before policies are applied to critical resources.

                    2. Azure Login Integration: The action assumes that you've already authenticated using the Azure Login action. Make sure you've logged in using an Azure service principal with sufficient permissions to write policies on selected scopes. Refer to the full documentation of Azure Login Action for details on permissions.

                    3. Policy File Structure: Your policy files should be organized in a specific directory structure within your GitHub repository. Here's how it should look:

                      |- policies/\n   |- <policy1_name>/\n      |- policy.json\n      |- assign.<name1>.json\n      |- assign.<name2>.json\n      ...\n   |- <policy2_name>/\n      |- policy.json\n      |- assign.<name1>.json\n      |- assign.<name2>.json\n      ...\n
                      • Each policy resides in a subfolder under the policies/ directory.
                      • The policy.json file contains the policy definition.
                      • Assignment files (e.g., assign.<name1>.json) specify how the policy is applied.
                    4. Inputs for the Action:

                      • Paths: Specify the mandatory path(s) to the directory containing your Azure policy files.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#sample-workflow","title":"Sample Workflow","text":"

                    Here's an example of how you can apply policies at the Management Group scope using the Manage Azure Policy action:

                    name: 'Test Policy'\non:\n  push:\n    branches: \n    - \"*\" \n    paths: \n     - 'policies/**'\n     - 'initiatives/**'\n  workflow_dispatch:\n\njobs:\n  apply-azure-policy:    \n    runs-on: ubuntu-latest\n    steps:\n    # Azure Login\n    - name: Login to Azure\n      uses: azure/login@v1\n      with:\n        creds: ${{ secrets.AZURE_CREDENTIALS }}\n        allow-no-subscriptions: true\n\n    - name: Checkout\n      uses: actions/checkout@v2 \n\n    - name: Create or Update Azure Policies\n      uses: azure/manage-azure-policy@v0\n      with:      \n        paths:  |                \n          policies/**\n          initiatives/**\n        assignments:  |\n          assign.*_testRG_*.json\n

                    Remember to replace the placeholder values (such as secrets.AZURE_CREDENTIALS) with your actual configuration. You can follow these instructions to create a service principal and obtain the credentials: Create a service principal and get the credentials

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#example-of-use-for-policy","title":"Example of use for Policy","text":"

                    In this example we define all our policies and initiatives at management group level and assign them to a resource group; the policy used requires a specific tag and its value.

                    You need to create a folder structure like this:

                    |- policies/\n   |- require-tag-and-its-value/\n      |- policy.json\n      |- assign.testRG_testazurepolicy.json\n|- initiatives/\n   |- initiative1/\n      |- policyset.json\n      |- assign.testRG_testazurepolicy.json\n
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#policies","title":"policies","text":"

                    Info

                    • The policy.json file contains the policy definition, and the assign.<name>.json file specifies how the policy is applied.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#policyjson","title":"policy.json","text":"

                    Info

                    • The id value specifies where you are going to define the policy.
                    policy.json
                    {\n    \"id\": \"/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/requite-tag-and-its-value\",\n    \"type\": \"Microsoft.Authorization/policyDefinitions\",\n    \"name\": \"requite-tag-and-its-value\",\n    \"properties\": {\n        \"displayName\": \"Require a tag and its value\",\n        \"policyType\": \"Custom\",\n        \"mode\": \"Indexed\",\n        \"description\": \"This policy requires a specific tag and its value.\",\n        \"metadata\": {\n            \"category\": \"Tags\"\n        },\n        \"parameters\": {\n            \"tagName\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Name\",\n                    \"description\": \"Name of the tag, such as 'environment'\"\n                }\n            },\n            \"tagValue\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Value\",\n                    \"description\": \"Value of the tag, such as 'production'\"\n                }\n            }\n        },\n        \"policyRule\": {\n            \"if\": {\n                \"not\": {\n                    \"field\": \"[concat('tags[', parameters('tagName'), ']')]\",\n                    \"equals\": \"[parameters('tagValue')]\"\n                }\n            },\n            \"then\": {\n                \"effect\": \"deny\"\n            }\n        }\n    }\n}\n
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#assigntestrg_testazurepolicyjson","title":"assign.testRG_testazurepolicy.json","text":"

                    Info

                    • Change the id and scope values in the assign.<name>.json file to match your Azure subscription and resource group.
                    • id specifies where you are going to deploy the assignment.
                    • id and name are related: name cannot be an arbitrary value, it must be the same as the last segment of the id. You can generate a random 24-character hexadecimal name with (1..24 | %{ '{0:x}' -f (Get-Random -Max 16) }) -join ''
                    • The policyDefinitionId value should match the id value in the policy.json file.
                    assign.testRG_testazurepolicy.json
                    {\n    \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-testazurepolicy/providers/Microsoft.Authorization/policyAssignments/599a2c3a1a3b1f8b8e547b3e\",\n    \"type\": \"Microsoft.Authorization/policyAssignments\",\n    \"name\": \"599a2c3a1a3b1f8b8e547b3e\",     \n    \"properties\": {\n        \"description\": \"This policy audits the presence of a specific tag and its value.\",\n        \"displayName\": \"Require a tag and its value\",\n        \"parameters\": {\n            \"tagName\": {\n              \"value\": \"environment\"\n            },\n            \"tagValue\": {\n              \"value\": \"production\"\n            }\n          },\n          \"nonComplianceMessages\": [\n            {\n              \"message\": \"This resource is not compliant with the policy. Please apply the required tag and its value.\"\n            }\n          ],\n          \"enforcementMode\": \"Default\",\n          \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/requite-tag-and-its-value\",\n          \"scope\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-testazurepolicy\"\n    }    \n}\n
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#initiatives","title":"initiatives","text":"

                    Info

                    • The policyset.json file contains the initiative (policy set) definition, and the assign.<name>.json file specifies how the initiative is applied.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#policysetjson","title":"policyset.json","text":"

                    Info

                    • The id value specifies where you are going to define the initiative.
                    • The policyDefinitions array contains the policy definitions that are part of the initiative.
                    • The parameters object defines the parameters that can be passed to the policies within the initiative.
                    • The policyDefinitionId value should match the id value in the policy.json file of the policy.
                    policyset.json
                    {\n    \"id\": \"/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/initiative1\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"name\": \"initiative1\",\n    \"properties\": {\n        \"displayName\": \"Initiative 1\",\n        \"description\": \"This initiative contains a set of policies for testing.\",\n        \"metadata\": {\n            \"category\": \"Test\"\n        },\n        \"parameters\": {\n            \"tagName\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Name\",\n                    \"description\": \"Name of the tag, such as 'environment'\"\n                }\n            },\n            \"tagValue\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Value\",\n                    \"description\": \"Value of the tag, such as 'production'\"\n                }\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/requite-tag-and-its-value\",\n                \"parameters\": {\n                    \"tagName\": {\n                        \"value\": \"[parameters('tagName')]\"\n                    },\n                    \"tagValue\": {\n                        \"value\": \"[parameters('tagValue')]\"\n                    }\n                }\n            }\n        ]\n    }\n}\n
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#assigntestrg_testazurepolicysetjson","title":"assign.testRG_testazurepolicyset.json","text":"assign.testRG_testazurepolicyset.json
                    {\n    \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-testazurepolicy/providers/Microsoft.Authorization/policyAssignments/ada0f4a34b09cf6ad704cc62\",\n    \"type\": \"Microsoft.Authorization/policyAssignments\",\n    \"name\": \"ada0f4a34b09cf6ad704cc62\",\n    \"properties\": {\n        \"description\": \"This initiative audits the presence of a specific tag and its value.\",\n        \"displayName\": \"Require a tag and its value\",\n        \"parameters\": {\n            \"tagName\": {\n                \"value\": \"environment\"\n            },\n            \"tagValue\": {\n                \"value\": \"production\"\n            }\n        },\n        \"nonComplianceMessages\": [\n            {\n                \"message\": \"This resource is not compliant with the policy. Please apply the required tag and its value.\"\n            }\n        ],\n        \"enforcementMode\": \"Default\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/initiative1\",\n        \"scope\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-testazurepolicy\"\n    }\n}\n
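The consistency rules stated in the Info boxes above (name equal to the last segment of the id, policyDefinitionId pointing at a policy.json or policyset.json that exists in the repo, parameters forwarded only where the target declares them) can be checked before the workflow ever runs. The following Python validator is an added example, not part of the post or of the Manage Azure Policy action; it works on the dictionaries you would get from json.load on those files, and the sample tree, its GUIDs and the helper names (check_tree, sample_tree) are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample identifiers mirroring the post's layout; the GUIDs are placeholders.
MG = "/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000"
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-testazurepolicy"
AUTH = "/providers/Microsoft.Authorization/"
PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")  # ARM-style parameter reference

def last_segment(resource_id: str) -> str:
    return resource_id.rstrip("/").rsplit("/", 1)[-1]

def declared_params(resource: dict) -> Dict[str, dict]:
    return resource.get("properties", {}).get("parameters") or {}

def check_name(resource: dict, findings: List[str]) -> None:
    # The deployed name is the last segment of the id, so the two must agree.
    rid, name = resource.get("id", ""), resource.get("name", "")
    if last_segment(rid) != name:
        findings.append(f"{name}: name must equal the last segment of id ({last_segment(rid)})")

def check_passed_params(passed: dict, target: dict, who: str, findings: List[str]) -> None:
    # Azure rejects undeclared parameters, and required ones (no defaultValue) must be supplied.
    allowed = declared_params(target)
    for p in passed:
        if p not in allowed:
            findings.append(f"{who}: passes parameter '{p}' that {target['name']} does not declare")
    for p, spec in allowed.items():
        if "defaultValue" not in spec and p not in passed:
            findings.append(f"{who}: required parameter '{p}' of {target['name']} is not set")

def check_policyset(pset: dict, definitions: Dict[str, dict], findings: List[str]) -> None:
    check_name(pset, findings)
    own = declared_params(pset)
    for entry in pset["properties"].get("policyDefinitions", []):
        target = definitions.get(entry.get("policyDefinitionId", ""))
        if target is None:
            findings.append(f"{pset['name']}: policyDefinitionId {entry.get('policyDefinitionId')} not found")
            continue
        passed = entry.get("parameters", {})
        check_passed_params(passed, target, pset["name"], findings)
        for spec in passed.values():  # every [parameters('x')] must be an initiative parameter
            for ref in PARAM_REF.findall(str(spec.get("value", ""))):
                if ref not in own:
                    findings.append(f"{pset['name']}: references undeclared initiative parameter '{ref}'")

def check_assignment(assign: dict, targets: Dict[str, dict], findings: List[str]) -> None:
    check_name(assign, findings)
    props = assign["properties"]
    scope = props.get("scope", "")
    if not assign.get("id", "").startswith(scope + AUTH + "policyAssignments/"):
        findings.append(f"{assign['name']}: id is not located under scope {scope}")
    target = targets.get(props.get("policyDefinitionId", ""))
    if target is None:
        findings.append(f"{assign['name']}: policyDefinitionId {props.get('policyDefinitionId')} does not exist in the repo")
        return
    check_passed_params(props.get("parameters", {}), target, assign["name"], findings)

def check_tree(definitions: list, policysets: list, assignments: list) -> List[str]:
    """Return human-readable findings; an empty list means the tree is consistent."""
    findings: List[str] = []
    defs = {d["id"]: d for d in definitions}
    for d in definitions:
        check_name(d, findings)
    for p in policysets:
        check_policyset(p, defs, findings)
    targets = {**defs, **{p["id"]: p for p in policysets}}
    for a in assignments:
        check_assignment(a, targets, findings)
    return findings

def sample_tree(fixed: bool = True):
    """Constructed in-memory copy of the post's policy, initiative and initiative assignment.
    fixed=False reproduces two easy slips: forwarding an 'effect' parameter the policy never
    declared, and an assignment pointing at a policy set id that is not in the repo."""
    tag_params = {"tagName": {"type": "String"}, "tagValue": {"type": "String"}}
    policy_id = MG + AUTH + "policyDefinitions/requite-tag-and-its-value"
    policy = {"id": policy_id, "name": "requite-tag-and-its-value",
              "properties": {"mode": "Indexed", "parameters": tag_params, "policyRule": {
                  "if": {"not": {"field": "[concat('tags[', parameters('tagName'), ']')]",
                                 "equals": "[parameters('tagValue')]"}},
                  "then": {"effect": "deny"}}}}
    forwarded = {"tagName": {"value": "[parameters('tagName')]"},
                 "tagValue": {"value": "[parameters('tagValue')]"}}
    if not fixed:
        forwarded["effect"] = {"value": "Deny"}
    pset_id = MG + AUTH + "policySetDefinitions/initiative1"
    pset = {"id": pset_id, "name": "initiative1", "properties": {"parameters": tag_params,
            "policyDefinitions": [{"policyDefinitionId": policy_id, "parameters": forwarded}]}}
    target = pset_id if fixed else MG + AUTH + "policySetDefinitions/requite-tag-and-its-value"
    assign = {"id": RG + AUTH + "policyAssignments/ada0f4a34b09cf6ad704cc62",
              "name": "ada0f4a34b09cf6ad704cc62", "properties": {
                  "parameters": {"tagName": {"value": "environment"}, "tagValue": {"value": "production"}},
                  "enforcementMode": "Default", "policyDefinitionId": target, "scope": RG}}
    return [policy], [pset], [assign]
```

Running check_tree over the real files (one json.load per policy.json, policyset.json and assign.*.json) as a workflow step before the azure/manage-azure-policy action gives you the early failure the "Automated Testing" best practice asks for.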
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#conclusion","title":"Conclusion","text":"

                    By incorporating the Manage Azure Policy action into your GitHub workflows, you can seamlessly enforce policies, maintain compliance, and ensure the robustness of your Azure resources. Although it has its drawbacks, it is a step up from the portal. Later we will see the deployment with a more robust tool: EPAC.

                    Learn more about Azure Policies and explore the action on the GitHub Marketplace.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/29/enterprise-azure-policy-as-code-epac/","title":"Enterprise Azure Policy as Code (EPAC)","text":"

                    Enterprise Azure Policy as Code (EPAC) is a powerful tool that allows organizations to manage Azure Policies as code in a git repository. It's designed for medium and large organizations with a larger number of Policies, Policy Sets, and Assignments, and/or complex deployment scenarios.

                    ","tags":["Azure Policy","EPAC"]},{"location":"blog/2024/02/29/enterprise-azure-policy-as-code-epac/#key-features-of-epac","title":"Key Features of EPAC","text":"
                    • Single and multi-tenant policy deployment: EPAC supports both single and multi-tenant policy deployments, making it versatile for different organizational structures.
                    • Easy CI/CD Integration: EPAC can be easily integrated with any CI/CD tool, which makes it a great fit for DevOps environments.
                    • Operational scripts: EPAC includes operational scripts to simplify operational tasks.
                    • Integration with Azure Landing Zones: EPAC provides a mature integration with Azure Landing Zones. Utilizing Azure Landing Zones together with EPAC is highly recommended.
                    ","tags":["Azure Policy","EPAC"]},{"location":"blog/2024/02/29/enterprise-azure-policy-as-code-epac/#who-should-use-epac","title":"Who Should Use EPAC?","text":"

                    EPAC is designed for medium and large organizations with a larger number of Policies, Policy Sets, and Assignments, and/or complex deployment scenarios. However, smaller organizations implementing fully-automated DevOps deployments of every Azure resource (known as Infrastructure as Code) can also benefit from EPAC.

                    ","tags":["Azure Policy","EPAC"]},{"location":"blog/2024/02/29/enterprise-azure-policy-as-code-epac/#how-does-epac-work","title":"How Does EPAC Work?","text":"

                    EPAC works by deploying all policies and policy assignments defined in the EPAC repository to the deploymentRootScope and its children. It takes possession of all Policy Resources at the deploymentRootScope and its children.

                    The process depicted in the image involves three key scripts that manage a deployment sequence. Here's a breakdown of the process:

                    1. Definition Files: The process begins with various definition files in JSON, CSV, or XLSX formats. These files contain policy definitions, policy set (initiative) definitions, assignments, exemptions, and global settings.

                    2. Planning Script: The Build-DeploymentPlans.ps1 script uses these definition files to create a deployment plan. This script requires Resource Policy Reader privileges.

                    3. Deployment Scripts: The deployment plan is then used by two deployment scripts:

                      • Deploy-PolicyPlan.ps1: This script deploys Policy resources using the policy-plan.json file from the deployment plan. It requires Resource Policy Contributor privileges.
                      • Deploy-RolesPlan.ps1: This script deploys Role Assignments using the roles-plan.json file from the deployment plan. It requires User Access Administrator privileges.

                    The process includes optional approval gates after each deployment step. These are typically used in production environments to ensure each deployment step is reviewed and approved before moving to the next.

                    Warning

                    EPAC is a true desired state deployment technology. It takes possession of all Policy Resources at the deploymentRootScope and its children. It will delete any Policy resources not defined in the EPAC repo.

                    ","tags":["Azure Policy","EPAC"]},{"location":"blog/2024/02/29/enterprise-azure-policy-as-code-epac/#conclusion","title":"Conclusion","text":"

                    EPAC is a robust solution for managing Azure Policies as code. It offers a high level of assurance in highly controlled and sensitive environments, and a means for the development, deployment, management, and reporting of Azure policy at scale.

                    ","tags":["Azure Policy","EPAC"]},{"location":"blog/2024/02/29/enterprise-azure-policy-as-code-epac/#references","title":"References","text":"
                    • EPAC Documentation
                    ","tags":["Azure Policy","EPAC"]},{"location":"blog/2024/03/02/azure-policy-management-best-practices/","title":"Azure Policy Management Best Practices","text":"
                    1. Version Control: Store your policy definitions in a version-controlled repository. This practice ensures that you can track changes, collaborate effectively, and roll back to previous versions if needed.

                    2. Automated Testing: Incorporate policy testing into your CI/CD pipelines. Automated tests can help you catch policy violations early in the development process, reducing the risk of non-compliance.

                    3. Policy Documentation: Document your policies clearly, including their purpose, scope, and expected behavior. This documentation helps stakeholders understand the policies and their impact on Azure resources.

                    4. Policy Assignment: Assign policies at the appropriate scope (e.g., Management Group, Subscription, Resource Group) based on your organizational requirements. Avoid assigning policies at a broader scope than necessary to prevent unintended consequences.

                    5. Policy Exemptions: Use policy exemptions judiciously. Document the reasons for exemptions and periodically review them to ensure they are still valid.

                    6. Policy Enforcement: Monitor policy compliance regularly and take corrective action for non-compliant resources. Use Azure Policy's built-in compliance reports and alerts to track policy violations.

                    7. Policy Remediation: Implement automated remediation tasks for policy violations where possible. Azure Policy's remediation tasks can help bring non-compliant resources back into compliance automatically.

                    8. Policy Monitoring: Continuously monitor policy effectiveness and adjust policies as needed. Regularly review policy violations, exemptions, and compliance trends to refine your policy implementation.

                    9. Policy Governance: Establish a governance framework for Azure Policy that includes policy creation, assignment, monitoring, and enforcement processes. Define roles and responsibilities for policy management to ensure accountability.

                    10. Policy Lifecycle Management: Define a policy lifecycle management process that covers policy creation, testing, deployment, monitoring, and retirement. Regularly review and update policies to align with changing organizational requirements.

                    11. Unique source of truth: Use EPAC, Terraform, ARM or another tool, but keep a single source of truth for your policies.

                    By following these best practices, you can effectively manage Azure policies and ensure compliance with organizational standards across your Azure environment. Azure Policy plays a crucial role in maintaining governance, security, and compliance, and adopting these practices can help you maximize its benefits.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/","title":"Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services","text":"

                    Today, I'd like to share a brief summary of a Privileged Access Management (PAM) strategy, as recommended by other vendors, implemented with Microsoft Entra ID and some Azure Services. This strategy is divided into seven phases:

                    \ngraph LR;\n    A[Phase 1: Set Policy] \n    C[Phase 2: The Process of Discovery]\n    E[Phase 3: Protect Credentials]\n    G[Phase 4: Secure Privileged Access]\n    I[Phase 5: Least Privilege]\n    K[Phase 6: Control All Applications]\n    M[Phase 7: Detect and Respond]\n\n    A-->C\n    C-->E\n    E-->G\n    G-->I\n    I-->K\n    K-->M\n    M-->A\n\n    classDef phase fill:#f9f,stroke:#333,stroke-width:2px;\n    class A,C,E,G,I,K,M phase;\n\n

                    Info

                    Be hybrid, be secure with a single control plane, use Azure ARC to inherit the same security and compliance policies across your on-premises, multi-cloud, and edge environments as in Azure.

                    ","tags":["Security","PAM"]},{"location":"blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/#phase-1-set-policy","title":"Phase 1: Set Policy","text":"

                    The first step in any PAM strategy is to establish a clear policy. This policy should define who has access to what, when they have access, and what they can do with that access. It should also include guidelines for password management and multi-factor authentication. For example:

                    • Define clear access control policies.
                    • Establish guidelines for password management and multi-factor authentication.
                    • Regularly review and update the policy to reflect changes in the organization.

                    How to implement this:

                    • Use Azure Policy to define and manage policies for your Azure environment.
                    • Use Microsoft Entra multifactor authentication for implementing multi-factor authentication.
                    ","tags":["Security","PAM"]},{"location":"blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/#phase-2-the-process-of-discovery","title":"Phase 2: The Process of Discovery","text":"

                    In this phase, we identify all the privileged accounts across the organization. This includes service accounts, local administrative accounts, domain administrative accounts, emergency accounts, and application accounts. For example:

                    • Use automated tools to identify all privileged accounts across the organization.
                    • Regularly update the inventory of privileged accounts.
                    • Identify any accounts that are no longer in use and deactivate them.

                    How to implement this:

                    • Use Microsoft Entra Privileged Identity Management to discover, restrict and monitor administrators and their access to resources and provide just-in-time access when needed.
                    ","tags":["Security","PAM"]},{"location":"blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/#phase-3-protect-credentials","title":"Phase 3: Protect Credentials","text":"

                    Once we've identified all privileged accounts, we need to ensure that these credentials are stored securely. This could involve using a secure vault, regularly rotating passwords, and using unique passwords for each account. For example:

                    • Store credentials in a secure vault.
                    • Implement regular password rotation.
                    • Use unique passwords for each account.

                    How to implement this:

                    • Use Azure Key Vault to safeguard cryptographic keys and other secrets used by your apps and services and rotate secrets regularly.
                    • Implement Microsoft Entra ID Password Protection to protect against weak passwords that can be easily guessed or cracked.
                    ","tags":["Security","PAM"]},{"location":"blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/#phase-4-secure-privileged-access","title":"Phase 4: Secure Privileged Access","text":"

                    Securing privileged access involves implementing controls to prevent unauthorized access. This could include limiting the number of privileged accounts, implementing least privilege, and using just-in-time access. For example:

                    • Limit the number of privileged accounts.
                    • Implement just-in-time access, where access is granted only for the duration of a task.
                    • Use session recording and monitoring for privileged access.

                    How to implement this:

                    • Use Microsoft Entra ID Conditional Access to enforce controls on the access to apps in your environment based on specific conditions.
                    • Implement Microsoft Entra Privileged Identity Management for just-in-time access.
                    ","tags":["Security","PAM"]},{"location":"blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/#phase-5-least-privilege","title":"Phase 5: Least Privilege","text":"

                    The principle of least privilege involves giving users the minimum levels of access (permissions) they need to complete their job functions. By limiting the access rights of users, the risk of a security breach is reduced. For example:

                    • Implement role-based access control (RBAC) in Azure to grant the minimum necessary access to users.
                    • Regularly review user roles and access rights.
                    • Implement a process for revoking access when it's no longer needed.

                    How to implement this:

                    • Implement Role-Based Access Control (RBAC) in Azure to grant the minimum necessary access to users.
                    • Use Microsoft Entra ID Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments.
                    ","tags":["Security","PAM"]},{"location":"blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/#phase-6-control-all-applications","title":"Phase 6: Control All Applications","text":"

                    In this phase, we ensure that all applications, whether on-premises or in the cloud, are controlled and monitored. This includes implementing application control policies and monitoring application usage. For example:

                    • Implement application control policies that dictate what applications can be run on systems.
                    • Monitor application usage and block unauthorized applications.
                    • Regularly update and patch all applications to reduce vulnerabilities.

                    How to implement this:

                    • Use Microsoft Entra Application Proxy to control and secure access to on-premises and cloud apps.
                    • Enable Change Tracking and Inventory in Azure Automation to track changes to your Azure VMs. Use desired state configuration to ensure that your VMs are configured correctly.
                    • Implement Microsoft Intune to manage and secure your devices and applications.
                    ","tags":["Security","PAM"]},{"location":"blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/#phase-7-detect-and-respond","title":"Phase 7: Detect and Respond","text":"

                    The final phase involves setting up systems to detect and respond to any suspicious activity. This could involve setting up alerts for unusual activity, regularly auditing access logs, and having a response plan in place for when a breach occurs. For example:

                    • Set up alerts for unusual activity.
                    • Regularly audit access logs.
                    • Have a response plan in place for when a breach occurs, including steps for containment, eradication, and recovery.

                    How to implement this:

                    • Use Microsoft Defender for Cloud for increased visibility into your security state and to detect and respond to threats.
                    • Implement Azure Sentinel, Microsoft's cloud-native SIEM solution, for intelligent security analytics.

                    By following these seven phases, you can create a robust PAM strategy that protects your organization from security breaches and helps you maintain compliance with various regulations.

                    Remember, a good PAM strategy is not a one-time effort but an ongoing process that needs to be regularly reviewed and updated. Microsoft and Azure services provide a robust set of tools to help you implement and manage your PAM strategy effectively.

                    ","tags":["Security","PAM"]},{"location":"blog/2024/04/05/microsoft-azure-certifications/","title":"Microsoft Azure Certifications","text":"

                    Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft technologies. These certifications cover a variety of topics, including Azure, Office 365, Windows Server, and more.

                    Microsoft divides these certifications into different categories, such as:

                    • Infrastructure
                    • Data and AI
                    • Digital app and innovation
                    • Modern work
                    • Business applications
                    • Security

                    Inside of each category, you can find different certification levels:

                    • Fundamentals: This level is designed for individuals who are new to the technology and want to demonstrate their knowledge of the basics.
                    • Role-based: This level is designed for individuals who want to demonstrate their expertise in a specific role, such as Azure Administrator or Data Engineer.
                    • Specialty: This level is designed for individuals who want to demonstrate their expertise in a specific skill, such as Azure Virtual Desktop or Azure SAP.

                    In the case of role-based certifications, Microsoft offers different levels of certification, such as:

                    • Associate: This level is designed for individuals who have some experience in the technology and want to demonstrate their expertise in a specific role.
                    • Expert: This level is designed for individuals who have extensive experience in the technology and want to demonstrate their expertise in a specific role.

                    It is always a good idea to start with the fundamentals certifications, and then move on to the role-based certifications that are relevant to your career goals.

                    In the majority of cases, you need associate certifications to get expert certifications.

                    ","tags":["Certifications"]},{"location":"blog/2024/04/05/microsoft-azure-certifications/#azure-certifications","title":"Azure Certifications","text":"

                    Here's a summary of the Azure certifications, the exam each one requires, and their descriptions:

                    • Azure Administrator Associate (exam AZ-104): The Azure Administrator certification is designed for individuals who want to demonstrate their expertise in managing Azure resources. This certification is ideal for IT professionals who are responsible for implementing, monitoring, and maintaining Azure solutions. https://learn.microsoft.com/en-us/certifications/azure-administrator
                    • Azure Developer Associate (exam AZ-204): The Azure Developer certification is designed for individuals who want to demonstrate their expertise in developing applications on Azure. This certification is ideal for software developers who want to build and deploy cloud-based applications using Azure services. https://learn.microsoft.com/en-us/certifications/azure-developer
                    • Azure Data Engineer Associate (exam DP-203): The Azure Data Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing data solutions on Azure. This certification is ideal for data professionals who are responsible for building and maintaining data pipelines and data warehouses on Azure. https://learn.microsoft.com/en-us/certifications/azure-data-engineer
                    • Azure Database Administrator Associate (exam DP-300): The Azure Database Administrator certification is designed for individuals who want to demonstrate their expertise in managing Azure databases. This certification is ideal for database administrators who are responsible for designing, implementing, and maintaining databases on Azure. https://learn.microsoft.com/en-us/certifications/azure-database-administrator
                    • DevOps Engineer Expert (exam AZ-400): The Azure DevOps Engineer certification is designed for individuals who want to demonstrate their expertise in implementing DevOps practices on Azure. This certification is ideal for IT professionals who are responsible for building, testing, and deploying applications using Azure DevOps. https://learn.microsoft.com/en-us/certifications/devops-engineer
                    • Azure Security Engineer Associate (exam AZ-500): The Azure Security Engineer certification is designed for individuals who want to demonstrate their expertise in securing Azure resources. This certification is ideal for IT professionals who are responsible for implementing security controls and monitoring security events on Azure. https://learn.microsoft.com/en-us/certifications/azure-security-engineer
                    • Azure Network Engineer Associate (exam AZ-700): The Azure Network Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing network solutions on Azure. This certification is ideal for network engineers who are responsible for building and maintaining network infrastructure on Azure. https://learn.microsoft.com/en-us/certifications/azure-network-engineer
                    • Windows Server Hybrid Administrator Associate (exams AZ-800 and AZ-801): The Windows Server Hybrid Administrator certification is designed for individuals who want to demonstrate their expertise in managing Windows Server resources on Azure. This certification is ideal for IT professionals who are responsible for implementing, monitoring, and maintaining Windows Server solutions on Azure. https://learn.microsoft.com/en-us/certifications/windows-server-hybrid-administrator
                    • Fabric Analytics Engineer Associate (exam DP-600): The Fabric Analytics Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing analytics solutions on Azure. This certification is ideal for data professionals who are responsible for building and maintaining analytics solutions on Azure. https://learn.microsoft.com/en-us/certifications/fabric-analytics-engineer
                    • Azure AI Engineer Associate (exam AI-102): The Azure AI Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing AI solutions on Azure. This certification is ideal for data scientists and AI developers who want to build and deploy AI models using Azure services. https://learn.microsoft.com/en-us/certifications/azure-ai-engineer
                    • Azure Data Scientist Associate (exam DP-100): The Azure Data Scientist certification is designed for individuals who want to demonstrate their expertise in designing and implementing data science solutions on Azure. This certification is ideal for data scientists who are responsible for building and maintaining data science solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-data-scientist
                    • Azure Enterprise Data Analyst Associate (exam DP-500): The Azure Enterprise Data Analyst certification is designed for individuals who want to demonstrate their expertise in designing and implementing data analysis solutions on Azure. This certification is ideal for data analysts who are responsible for building and maintaining data analysis solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-enterprise-data-analyst
                    • Azure Solutions Architect Expert (exam AZ-305): The Azure Solutions Architect certification is designed for individuals who want to demonstrate their expertise in designing and implementing solutions on Azure. This certification is ideal for IT professionals who are responsible for designing and implementing cloud-based solutions using Azure services. https://learn.microsoft.com/en-us/certifications/azure-solutions-architect
                    • Azure for SAP Workloads Specialty (exam AZ-120): The Azure for SAP Workloads certification is designed for individuals who want to demonstrate their expertise in deploying and managing SAP workloads on Azure. This certification is ideal for IT professionals who are responsible for implementing and maintaining SAP solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-for-sap-workloads
                    • Azure Virtual Desktop Specialty (exam AZ-140): The Azure Virtual Desktop certification is designed for individuals who want to demonstrate their expertise in deploying and managing virtual desktop solutions on Azure. This certification is ideal for IT professionals who are responsible for implementing and maintaining virtual desktop solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-virtual-desktop
                    • Azure Cosmos DB Developer Specialty (exam DP-420): The Azure Cosmos DB Developer certification is designed for individuals who want to demonstrate their expertise in developing applications that use Azure Cosmos DB. This certification is ideal for software developers who want to build and deploy applications that use Azure Cosmos DB. https://learn.microsoft.com/en-us/certifications/azure-cosmos-db-developer
                    • Azure Fundamentals (exam AZ-900): The Azure Fundamentals certification is designed for individuals who are new to Azure and want to demonstrate their knowledge of the platform. This certification is a great starting point for anyone who wants to learn more about Azure and how it can help them build and deploy applications in the cloud. https://learn.microsoft.com/en-us/certifications/azure-fundamentals
                    • Azure AI Fundamentals (exam AI-900): The Azure AI Fundamentals certification is designed for individuals who want to demonstrate their knowledge of AI concepts and how they can be applied to Azure services. This certification is ideal for anyone who wants to learn more about AI and how it can be used to build intelligent applications. https://learn.microsoft.com/en-us/certifications/azure-ai-fundamentals
                    • Azure Data Fundamentals (exam DP-900): The Azure Data Fundamentals certification is designed for individuals who want to demonstrate their knowledge of data concepts and how they can be applied to Azure services. This certification is ideal for anyone who wants to learn more about data and how it can be used to build data-driven applications. https://learn.microsoft.com/en-us/certifications/azure-data-fundamentals

                    You can find more information about Microsoft certifications on the Microsoft Certification Poster and on the Microsoft Learn website.

                    ","tags":["Certifications"]},{"location":"blog/2024/04/06/azure-arc/","title":"Azure ARC","text":"

                    Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running on-premises, at the edge, or in multi-cloud environments using the same Azure management tools, security, and compliance policies that you use in Azure. Azure ARC enables you to manage and govern your resources consistently across all environments, providing a unified control plane for your hybrid cloud infrastructure. Let's explore how Azure ARC works and how you can leverage it to manage your resources effectively.

                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/06/azure-arc/#azure-arc-overview","title":"Azure ARC Overview","text":"

                    Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running outside of Azure using the same Azure management tools, security, and compliance policies that you use in Azure. Azure ARC provides a unified control plane for managing resources across on-premises, multi-cloud, and edge environments, enabling you to govern your resources consistently.

                    Azure ARC enables you to:

                    • Manage resources: Azure ARC allows you to manage resources running on-premises, at the edge, or in multi-cloud environments using Azure management tools like Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                    • Governance: Azure ARC provides a unified control plane for managing and governing resources across all environments, enabling you to enforce security and compliance policies consistently.
                    • Security: Azure ARC extends Azure security capabilities to resources running outside of Azure, enabling you to protect your resources with Azure security features like Azure Security Center and Azure Defender.
                    • Compliance: Azure ARC enables you to enforce compliance policies across all environments, ensuring that your resources meet regulatory requirements and organizational standards.
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/06/azure-arc/#azure-arc-components","title":"Azure ARC Components","text":"

                    Azure ARC consists of the following components:

                    • Azure ARC-enabled servers: Azure ARC-enabled servers allow you to manage and govern servers running on-premises or at the edge using Azure management tools. You can connect your servers to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                    • Azure ARC-enabled Kubernetes clusters: Azure ARC-enabled Kubernetes clusters allow you to manage and govern Kubernetes clusters running on-premises or in other clouds using Azure management tools. You can connect your Kubernetes clusters to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                    • Azure ARC-enabled data services: Azure ARC-enabled data services allow you to manage and govern data services running on-premises or in other clouds using Azure management tools. You can connect your data services to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                    • SQL Server enabled by Azure Arc: SQL Server enabled by Azure Arc allows you to run SQL Server on any infrastructure using Azure management tools. You can connect your SQL Server instances to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                    • Azure Arc-enabled private clouds: Azure Arc resource bridge hosts other components, such as custom locations, cluster extensions, and other Azure Arc agents, in order to deliver its functionality for the private cloud infrastructures it supports.
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/06/azure-arc/#azure-arc-use-cases","title":"Azure ARC Use Cases","text":"

                    Azure ARC can be used in a variety of scenarios to manage and govern resources across on-premises, multi-cloud, and edge environments. Some common use cases for Azure ARC include:

                    • Hybrid cloud management: Azure ARC enables you to manage resources consistently across on-premises, multi-cloud, and edge environments using the same Azure management tools and policies.
                    • Security and compliance: Azure ARC allows you to enforce security and compliance policies consistently across all environments, ensuring that your resources meet regulatory requirements and organizational standards.
                    • Resource governance: Azure ARC provides a unified control plane for managing and governing resources across all environments, enabling you to enforce policies and monitor resource health and performance.
                    • Application modernization: Azure ARC enables you to manage and govern Kubernetes clusters and data services running on-premises or in other clouds, allowing you to modernize your applications and infrastructure.
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/06/azure-arc/#getting-started-with-azure-arc","title":"Getting Started with Azure ARC","text":"

                    To get started with Azure ARC, you need to:

                    1. Connect your resources: Connect your servers, Kubernetes clusters, or data services to Azure ARC using the Azure ARC agent.
                    2. Manage your resources: Use Azure management tools like Azure Policy, Azure Monitor, and Microsoft Defender for Cloud to manage and govern your resources consistently across all environments.
                    3. Enforce security and compliance: Use Azure security features like Microsoft Defender for Cloud to protect your resources and enforce security and compliance policies.

                    By leveraging Azure ARC, you can manage and govern your resources consistently across on-premises, multi-cloud, and edge environments, providing a unified control plane for your hybrid cloud infrastructure. Azure ARC enables you to enforce security and compliance policies consistently, ensuring that your resources meet regulatory requirements and organizational standards.

                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/06/azure-arc/#conclusion","title":"Conclusion","text":"

                    Azure ARC is a powerful service that extends Azure management capabilities to any infrastructure, enabling you to manage and govern resources consistently across on-premises, multi-cloud, and edge environments. By leveraging Azure ARC, you can enforce security and compliance policies consistently, ensuring that your resources meet regulatory requirements and organizational standards. Azure ARC provides a unified control plane for managing and governing resources, enabling you to manage your hybrid cloud infrastructure effectively.

                    For more information on Azure ARC, visit the Azure ARC documentation.

                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/","title":"How to use Azure ARC-enabled servers with a managed identity to access an Azure Storage Account","text":"

                    In this demo we will show how to use Azure ARC-enabled servers with a managed identity to access an Azure Storage Account.

                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#prerequisites","title":"Prerequisites","text":"
                    • An Azure subscription. If you don't have an Azure subscription, create a free account before you begin.
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#required-permissions","title":"Required permissions","text":"

                    You'll need the following Azure built-in roles for different aspects of managing connected machines:

                    • To onboard machines, you must have the Azure Connected Machine Onboarding or Contributor role for the resource group where you're managing the servers.
                    • To read, modify, and delete a machine, you must have the Azure Connected Machine Resource Administrator role for the resource group.
                    • To select a resource group from the drop-down list when using the Generate script method, you'll also need the Reader role for that resource group (or another role that includes Reader access).
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#register-azure-resource-providers","title":"Register Azure resource providers","text":"

                    To use Azure Arc-enabled servers with managed identity, you need to register the following resource providers:

                    az account set --subscription \"{Your Subscription Name}\"\naz provider register --namespace 'Microsoft.HybridCompute'\naz provider register --namespace 'Microsoft.GuestConfiguration'\naz provider register --namespace 'Microsoft.HybridConnectivity'\naz provider register --namespace 'Microsoft.AzureArcData'\n

                    Info

                    • Microsoft.AzureArcData (if you plan to Arc-enable SQL Servers)
                    • Microsoft.Compute (for Azure Update Manager and automatic extension upgrades)

                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#networking-requirements","title":"Networking requirements","text":"

                    The Azure Connected Machine agent for Linux and Windows communicates outbound securely to Azure Arc over TCP port 443. In this demo, we use Azure Private Link.

                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#azure-arc-enabled-enabled-server","title":"Azure ARC-enabled server","text":"

                    We use Azure Private Link to securely connect networks to Azure Arc-enabled servers to achieve this.

                    Some tips:

                    • If you have any issue registering the VM, generate a script to register a machine with Azure Arc by following the instructions here.

                    • If you have an error that says \"Path C:\\ProgramData\\AzureConnectedMachineAgent\\Log\\himds.log is busy. Retrying...\" you can use the following command to resolve it if you know what you are doing (it uninstalls every installed product whose name starts with \"Azure \", not only the Connected Machine agent):

                     (get-wmiobject -class win32_product | where {$_.name -like \"Azure *\"}).uninstall() \n
                    • Review the hosts file (/etc/hosts on Linux, C:\\Windows\\System32\\drivers\\etc\\hosts on Windows, which is the path the script below uses) and add the following entries, resolved from the private endpoint's DNS zone group:

                    $Env:PEname = \"myprivatelink\"\n$Env:resourceGroup = \"myResourceGroup\"\n$file = \"C:\\Windows\\System32\\drivers\\etc\\hosts\"\n\n# Helper: read one value from the private endpoint's DNS zone group.\n# -o tsv returns the value unquoted, and the privatelink label is stripped so the public FQDN is used.\nfunction Get-PEValue($query) {\n    (az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup --query $query -o tsv).replace('.privatelink','')\n}\n\n$gisfqdn = Get-PEValue '[0].privateDnsZoneConfigs[0].recordSets[0].fqdn'\n$gisIP = Get-PEValue '[0].privateDnsZoneConfigs[0].recordSets[0].ipAddresses[0]'\n$hisfqdn = Get-PEValue '[0].privateDnsZoneConfigs[0].recordSets[1].fqdn'\n$hisIP = Get-PEValue '[0].privateDnsZoneConfigs[0].recordSets[1].ipAddresses[0]'\n$agentfqdn = Get-PEValue '[0].privateDnsZoneConfigs[1].recordSets[0].fqdn'\n$agentIP = Get-PEValue '[0].privateDnsZoneConfigs[1].recordSets[0].ipAddresses[0]'\n$gasfqdn = Get-PEValue '[0].privateDnsZoneConfigs[1].recordSets[1].fqdn'\n$gasIP = Get-PEValue '[0].privateDnsZoneConfigs[1].recordSets[1].ipAddresses[0]'\n$dpfqdn = Get-PEValue '[0].privateDnsZoneConfigs[2].recordSets[0].fqdn'\n$dpIP = Get-PEValue '[0].privateDnsZoneConfigs[2].recordSets[0].ipAddresses[0]'\n\n# One \"IP FQDN\" line per record set; $hostfile is an array so each entry lands on its own line.\n$hostfile = @()\n$hostfile += \"$gisIP $gisfqdn\"\n$hostfile += \"$hisIP $hisfqdn\"\n$hostfile += \"$agentIP $agentfqdn\"\n$hostfile += \"$gasIP $gasfqdn\"\n$hostfile += \"$dpIP $dpfqdn\"\n\n# Append the entries to the hosts file (requires an elevated PowerShell session).\nAdd-Content -Path $file -Value $hostfile\n
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#storage-account-configuration","title":"Storage Account configuration","text":"","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#create-a-storage-account-with-static-website-enabled","title":"Create a Storage Account with static website enabled","text":"
                    $resourceGroup = \"myResourceGroup\"\n$location = \"eastus\"\n$storageAccount = \"mystorageaccount\"\n$indexDocument = \"index.html\"\naz group create --name $resourceGroup --location $location\naz storage account create --name $storageAccount --resource-group $resourceGroup --location $location --sku Standard_LRS\naz storage blob service-properties update --account-name $storageAccount --static-website --index-document $indexDocument\n
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#add-private-endpoints-to-the-storage-accoun-for-blob-and-static-website","title":"Add private endpoints to the storage account for blob and static website","text":"
                    $resourceGroup = \"myResourceGroup\"\n$storageAccount = \"mystorageaccount\"\n$privateEndpointName = \"myprivatelink\"\n$location = \"eastus\"\n$vnetName = \"myVnet\"\n$subnetName = \"mySubnet\"\n$subscriptionId = \"{subscription-id}\"\n$storageId = \"/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Storage/storageAccounts/$storageAccount\"\n# Private endpoint names must be unique within the resource group, so each sub-resource (blob, web) gets its own name\naz network private-endpoint create --name \"${privateEndpointName}-blob\" --resource-group $resourceGroup --vnet-name $vnetName --subnet $subnetName --private-connection-resource-id $storageId --group-id blob --connection-name \"${privateEndpointName}-blob\" --location $location\naz network private-endpoint create --name \"${privateEndpointName}-web\" --resource-group $resourceGroup --vnet-name $vnetName --subnet $subnetName --private-connection-resource-id $storageId --group-id web --connection-name \"${privateEndpointName}-web\" --location $location\n
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#disable-public-access-to-the-storage-account-except-for-your-ip","title":"Disable public access to the storage account except for your ip","text":"
                    $resourceGroup = \"myResourceGroup\"\n$storageAccount = \"mystorageaccount\"\n$ipAddress = \"myIpAddress\"\naz storage account update --name $storageAccount --resource-group $resourceGroup --bypass \"AzureServices,Logging,Metrics\" --default-action Deny\naz storage account network-rule add --account-name $storageAccount --resource-group $resourceGroup --ip-address $ipAddress\n
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#assign-the-storage-blob-data-contributor-role-to-the-managed-identity-of-the-azure-arc-enabled-server","title":"Assign the Storage Blob Data Contributor role to the managed identity of the Azure ARC-enabled server","text":"
                    $resourceGroup = \"myResourceGroup\"\n$storageAccount = \"mystorageaccount\"\n$serverName = \"myserver\"\n$managedIdentity = az resource show --resource-group $resourceGroup --name $serverName --resource-type \"Microsoft.HybridCompute/machines\" --query \"identity.principalId\" --output tsv\naz role assignment create --role \"Storage Blob Data Contributor\" --assignee-object-id $managedIdentity --scope \"/subscriptions/{subscription-id}/resourceGroups/$resourceGroup/providers/Microsoft.Storage/storageAccounts/$storageAccount\"\n
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#download-azcopy-install-it-and-copy-something-to-web-in-the-storage-account","title":"Download azcopy, install it and copy something to $web in the storage account","text":"","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#download-azcopy-in-the-vm","title":"Download azcopy in the vm","text":"
                    Invoke-WebRequest -Uri \"https://aka.ms/downloadazcopy-v10-windows\" -OutFile AzCopy.zip\n\nExpand-Archive AzCopy.zip -DestinationPath $env:ProgramFiles\n\n$env:Path += \";$env:ProgramFiles\\azcopy\"\n
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#copy-something-to-web-in-the-storage-account","title":"Copy something to $web in the storage account","text":"
                    $storageAccount = \"mystorageaccount\"\n$source = \"C:\\Users\\Public\\Documents\\myFile.txt\"\n# Backtick-escape $web so PowerShell does not expand it as an (empty) variable inside the URL\n$destination = \"https://$storageAccount.blob.core.windows.net/`$web/myFile.txt\"\nazcopy login --identity\nazcopy copy $source $destination\n

                    Now you can check the file in the static website of the storage account.

                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/","title":"Renaming of the Microsoft Defender for Cloud service tiers","text":"

                    It is not news, but I would like to recall that Microsoft has renamed the Microsoft Defender for Cloud service tiers. The table below shows the previous and the new names of the Microsoft Defender for Cloud service tiers:

                    | PREVIOUS service tier name | NEW service tier name | Service tier (unchanged) |\n|---|---|---|\n| Advanced Data Security | Microsoft Defender for Cloud | Defender for SQL |\n| Advanced Threat Protection | Microsoft Defender for Cloud | Defender for container registries |\n| Advanced Threat Protection | Microsoft Defender for Cloud | Defender for DNS |\n| Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Key Vault |\n| Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Kubernetes |\n| Advanced Threat Protection | Microsoft Defender for Cloud | Defender for MySQL |\n| Advanced Threat Protection | Microsoft Defender for Cloud | Defender for PostgreSQL |\n| Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Resource Manager |\n| Advanced Threat Protection | Microsoft Defender for Cloud | Defender for Storage |\n| Azure Defender | Microsoft Defender for Cloud | Defender External Attack Surface Management |\n| Azure Defender | Microsoft Defender for Cloud | Defender for Azure Cosmos DB |\n| Azure Defender | Microsoft Defender for Cloud | Defender for Containers |\n| Azure Defender | Microsoft Defender for Cloud | Defender for MariaDB |\n| Security Center | Microsoft Defender for Cloud | Defender for App Service |\n| Security Center | Microsoft Defender for Cloud | Defender for Servers |\n| Security Center | Microsoft Defender for Cloud | Defender Cloud Security Posture Management |","tags":["Microsoft Defender for Cloud"]},{"location":"blog/2024/04/17/azure-policy-useful-queries/","title":"Azure Policy useful queries","text":"","tags":["Azure Policy"]},{"location":"blog/2024/04/17/azure-policy-useful-queries/#policy-assignments-and-information-about-each-of-its-respective-definitions","title":"Policy assignments and information about each of its respective definitions","text":"
                    // Policy assignments and information about each of its respective definitions\n// Gets policy assignments in your environment with the respective assignment name,definition associated, category of definition (if applicable), as well as whether the definition type is an initiative or a single policy.\n\npolicyResources\n| where type =~'Microsoft.Authorization/PolicyAssignments'\n| project policyAssignmentId = tolower(tostring(id)), policyAssignmentDisplayName = tostring(properties.displayName), policyAssignmentDefinitionId = tolower(properties.policyDefinitionId)\n| join kind=leftouter(\n policyResources\n | where type =~'Microsoft.Authorization/PolicySetDefinitions' or type =~'Microsoft.Authorization/PolicyDefinitions'\n | project definitionId = tolower(id), category = tostring(properties.metadata.category), definitionType = iff(type =~ 'Microsoft.Authorization/PolicysetDefinitions', 'initiative', 'policy')\n) on $left.policyAssignmentDefinitionId == $right.definitionId\n
                    • Original Gist
                    ","tags":["Azure Policy"]},{"location":"blog/2024/04/22/management-groups/","title":"Management Groups","text":"","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#what-are-management-groups","title":"What are Management Groups?","text":"

                    Management groups are containers that help you manage access, policy, and compliance across multiple subscriptions. You organize subscriptions into containers called \"management groups\" and apply your governance conditions to those management groups. All subscriptions within a management group automatically inherit the conditions applied to it.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#management-groups-hierarchy","title":"Management Groups Hierarchy","text":"

                    The management group hierarchy is the tree of nested management groups that represents the different levels of your organization. It starts with a single root management group, which represents the Microsoft Entra ID tenant. The root management group is the highest level in the hierarchy; every other management group is a descendant of it.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#management-group-design-considerations","title":"Management group design considerations","text":"

                    When designing your management group hierarchy, consider the following:

                    • How does your organization differentiate services that are managed or run by particular teams?

                    • Are there any specific operations that need to be isolated due to business or regulatory compliance requirements?

                    • Management groups can be utilized to consolidate policy and initiative assignments through Azure Policy.

                    • A management group hierarchy can accommodate up to six nested levels. The tenant root level and the subscription level are not included in this count.

                    • Any principal in a Microsoft Entra tenant, whether a user or a service principal, can create new management groups, because Azure role-based access control (RBAC) authorization for management group operations is not enabled by default. For additional details, refer to the guide on safeguarding your resource hierarchy.

                    • By default, all newly created subscriptions will be assigned to the tenant root management group.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#management-group-recommendations","title":"Management group recommendations","text":"
                    • Maintain a relatively flat management group hierarchy, ideally with three to four levels maximum. This practice minimizes managerial complexity and overhead.

                    • Refrain from mirroring your organizational structure into a deeply nested management group hierarchy. Utilize management groups primarily for policy assignment rather than billing. This strategy aligns with the Azure landing zone conceptual architecture, which applies Azure policies to workloads that need similar security and compliance at the same management group level.

                    • Establish management groups under your root-level group representing different types of workloads you will host. These groups should reflect the security, compliance, connectivity, and feature requirements of the workloads. By doing this, you can apply a set of Azure policies at the management group level for all workloads with similar needs.

                    • Leverage resource tags for querying and horizontally traversing across the management group hierarchy. Resource tags, enforced or appended via Azure Policy, allow you to group resources for search purposes without relying on a complex management group hierarchy.

                    • Set up a top-level sandbox management group. This allows users to immediately experiment with Azure and try out resources not yet permitted in production environments. The sandbox provides isolation from your development, testing, and production settings.

                    • Create a platform management group beneath the root management group to support common platform policy and Azure role assignments. This ensures distinct policies can be applied to subscriptions used for your Azure foundation and centralizes billing for common resources in one foundational subscription set.

                    • Minimize the number of Azure Policy assignments made at the root management group scope. This reduces the debugging of inherited policies in lower-level management groups.

                    • Implement policies to enforce compliance requirements either at the management group or subscription scope to achieve policy-driven governance.

                    • Ensure only privileged users have operational access to management groups in the tenant. Enable Azure RBAC authorization in the management group hierarchy settings to fine-tune user privileges. By default, all users are authorized to create their own management groups under the root management group.

                    • Set up a default, dedicated management group for new subscriptions. This prevents any subscriptions from being placed under the root management group. This is particularly important if there are users eligible for Microsoft Developer Network (MSDN) or Visual Studio benefits and subscriptions. A sandbox management group could be a suitable candidate for this type of management group. For more information, see Setting - default management group.

                    • Avoid creating management groups for production, testing, and development environments. If needed, separate these groups into different subscriptions within the same management group.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#management-group-structure-in-the-enterprise-scale-landing-zone","title":"Management Group Structure in the Enterprise Scale Landing Zone","text":"

                    This is the common structure for the Management Groups in the Enterprise Scale Landing Zone:

                        graph TD\n        A[Root Management Group] --> B[Intermediary-Management-Group]\n        B --> C[Decommissioned]\n        B --> D[Landing Zones]\n        B --> E[Platform]\n        B --> F[Sandboxes]\n        D --> G[Corp]\n        D --> H[Online]\n        E --> I[Connectivity]\n        E --> J[Identity]\n        E --> K[Management]
                    1. Root Management Group
                      • Intermediary-Management-Group
                        • Decommissioned: This could be where resources that are being phased out or decommissioned are managed.
                        • Sandboxes: This could be an area where developers can test and experiment without affecting production systems.
                        • Landing Zones
                          • Corp: This could represent corporate resources or applications.
                          • Online: This could represent online or customer-facing applications.
                        • Platform
                          • Connectivity: This could manage resources related to network connectivity.
                          • Identity: This could manage resources related to identity and access management.
                          • Management: This could manage resources related to overall platform management.

                    This structure allows for clear segmentation of resources based on their purpose and lifecycle. For example, decommissioned resources are separated from active ones such as the sandboxes, and resources within 'Platform' are further categorized by function (Connectivity, Identity, Management). The 'Landing Zones' group separates resources by use case or environment (Corp, Online).

                    The exact interpretation would depend on the specific context and conventions of your organization.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#bad-examples","title":"Bad Examples","text":"","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#example-1-deeply-nested-hierarchy","title":"Example 1: Deeply Nested Hierarchy","text":"
                    graph TD\n    A[Root Management Group] --> B[Group 1]\n    B --> C[Group 2]\n    C --> D[Group 3]\n    D --> E[Group 4]\n    E --> F[Group 5]\n    F --> G[Group 6]

                    Why it's bad: This hierarchy is too deep. It becomes difficult to manage and increases complexity. Azure supports up to six levels of nested management groups, but it is recommended to keep the hierarchy as flat as possible for simplicity.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#example-2-unorganized-structure","title":"Example 2: Unorganized Structure","text":"
                    graph TD\n    A[Root Management Group] --> B[Group 1]\n    A --> C[Group 2]\n    B --> D[Group 3]\n    C --> E[Group 4]\n    D --> F[Group 5]\n    E --> G[Group 6]

                    Why it's bad: The structure is not well-organized and doesn't follow a logical grouping or hierarchy. This can lead to confusion and difficulty in managing resources and policies.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#example-3-single-level-hierarchy","title":"Example 3: Single Level Hierarchy","text":"
                    graph TD\n    A[Root Management Group] --> B[Group 1]\n    A --> C[Group 2]\n    A --> D[Group 3]\n    A --> E[Group 4]\n    A --> F[Group 5]\n    A --> G[Group 6]

                    Why it's bad: Although this structure is simple, it lacks the ability to group related subscriptions together under a common management group. This makes it harder to apply consistent policies across related subscriptions.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#example-4-environment-based-hierarchy","title":"Example 4: Environment-Based Hierarchy","text":"
                    graph TD\n    A[Root Management Group] --> B[Production Management Group]\n    A --> C[Development Management Group]\n    A --> D[Testing Management Group]

                    Why it's bad: This structure separates environments into different management groups, which can lead to duplication of policies and increased complexity. It's better to use subscriptions within the same management group to separate environments and apply policies accordingly.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#good-examples","title":"Good examples","text":"
                        graph TD\n        A[Root Management Group] --> B[Intermediary-Management-Group]\n        B --> C[Decommissioned]\n        B --> D[Landing Zones]\n        B --> E[Platform]\n        B --> F[Sandboxes]\n        D --> G[Corp]\n        D --> H[Online]\n        E --> I[Connectivity]\n        E --> J[Identity]\n        E --> K[Management]
                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#references","title":"References","text":"
                    • https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups
                    • https://learn.microsoft.com/en-us/azure/governance/management-groups/overview
                    ","tags":["Management Groups"]},{"location":"blog/2024/04/23/moving-management-groups-and-subscriptions/","title":"Moving Management Groups and Subscriptions","text":"

                    Managing your Azure resources efficiently often involves moving management groups and subscriptions. Here's a brief guide on how to do it:

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/23/moving-management-groups-and-subscriptions/#moving-management-groups","title":"Moving Management Groups","text":"

                    To move a management group, you need to have the necessary permissions. You must be an owner of the target parent management group and have Management Group Contributor role at the group you want to move.

                    Here's the step-by-step process:

                    1. Navigate to the Azure portal.
                    2. Go to Management groups.
                    3. Select the management group you want to move.
                    4. Click Details.
                    5. Under Parent group, click Change.
                    6. Choose the new parent group from the list and click Save.

                    Remember, moving a management group will also move all its child resources including other management groups and subscriptions.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/23/moving-management-groups-and-subscriptions/#moving-subscriptions","title":"Moving Subscriptions","text":"

                    You can move a subscription from one management group to another or within the same management group. To do this, you must have the Owner or Contributor role at the target management group and Owner role at the subscription level.

                    Follow these steps:

                    1. Go to the Azure portal.
                    2. Navigate to Management groups.
                    3. Select the management group where the subscription currently resides.
                    4. Click on Subscriptions.
                    5. Find the subscription you want to move and select ... (More options).
                    6. Click Change parent.
                    7. In the pop-up window, select the new parent management group and click Save.

                    Note

                    Moving subscriptions could affect the resources if there are policies or permissions applied at the management group level. It's important to understand the implications before making the move. Also, keep in mind that you cannot move the Root management group or rename it.

                    In conclusion, moving management groups and subscriptions allows for better organization and management of your Azure resources. However, it should be done carefully considering the impact on resources and compliance with assigned policies.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/","title":"How to create a Management Group diagram with draw.io","text":"

                    I need to create a diagram of the Management Groups in Azure, and I remembered a project that did something similar but with PowerShell: https://github.com/PowerShellToday/new-mgmgroupdiagram.

                    ","tags":["Management Groups","draw.io"]},{"location":"blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/#export-your-management-group-structure-from-azure-portal-or-ask-for-it","title":"Export your Management Group structure from Azure Portal or ask for it","text":"

                    If you can access the Azure Portal, you can export the Management Group structure to a CSV file. To do this, follow these steps:

                    1. Go to the Azure portal.
                    2. Navigate to Management groups.
                    3. Click on Export.
                    4. Save the CSV file to your local machine.

                    If you don't have access to the Azure Portal, you can ask your Azure administrator to export the Management Group structure for you.

                    The file has the following columns:

                    • id: The unique identifier of the Management Group or subscription.
                    • displayName: The name of the Management Group or subscription.
                    • itemType: The type of the item (Management Group or subscription).
                    • path: The path of the Management Group or subscription, i.e. the chain of its parent management groups.
                    • accessLevel: Your access level.
                    • childSubscriptionCount: The number of child subscriptions at this level.
                    • totalSubscriptionCount: The total number of subscriptions.
                    ","tags":["Management Groups","draw.io"]},{"location":"blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/#create-a-csv-to-be-imported-into-drawio","title":"Create a CSV to be imported into draw.io","text":"
                    1. Import the CSV file into Excel and rename the sheet to \"Export_Portal\"
                    2. Create a second sheet with the following columns:
                      • id: reference to the id in the first sheet
                      • displayName: reference to the displayName in the first sheet
                      • itemType: reference to the itemType in the first sheet
                      • ParentId: Use the following formula to get the parent of the current item (the last element of the path):
                        =IF(ISERROR(FIND(\",\"; Export_Portal!D2)); Export_Portal!D2; TRIM(RIGHT(SUBSTITUTE(Export_Portal!D2; \",\"; REPT(\" \"; LEN(Export_Portal!D2))); LEN(Export_Portal!D2))))\n
                    3. Export the second sheet to a CSV file.
                    ","tags":["Management Groups","draw.io"]},{"location":"blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/#import-the-csv-file-into-drawio","title":"Import the CSV file into draw.io","text":"
                    1. Go to draw.io and create a new diagram.
                    2. Click on Arrange > Insert > Advanced > CSV.
                    3. Insert the header for the columns: id, displayName, itemType, ParentId:

                    #label: %displayName%\n#stylename: itemType\n#styles: {\"Management Group\": \"label;image=img/lib/azure2/general/Management_Groups.svg;whiteSpace=wrap;html=1;rounded=1; fillColor=%fill%;strokeColor=#6c8ebf;fillColor=#dae8fc;points=[[0.5,0,0,0,0],[0.5,1,0,0,0]];\",\\\n#\"Subscription\": \"label;image=img/lib/azure2/general/Subscriptions.svg;whiteSpace=wrap;html=1;rounded=1; fillColor=%fill%;strokeColor=#d6b656;fillColor=#fff2cc;points=[[0.5,0,0,0,0],[0.5,1,0,0,0]];imageWidth=26;\"}\n#\n#\n#namespace: csvimport-\n#\n#connect: {\"from\": \"ParentId\", \"to\": \"displayName\", \"invert\": true, \"style\": \"curved=1;endArrow=blockThin;endFill=1;fontSize=11;edgeStyle=orthogonalEdgeStyle;\"}\n#\n## Node width and height, and padding for autosize\n#width: auto\n#height: auto\n#padding: -12\n#\n## ignore: id,image,fill,stroke,refs,manager\n#\n## Column to be renamed to link attribute (used as link).\n## link: url\n#\n## Spacing between nodes, hierarchical levels and parallel connections.\n#nodespacing: 40\n#levelspacing: 100\n#edgespacing: 40\n#\n## layout: auto\n#layout: verticaltree\n#\n## ---- CSV below this line. First line are column names. ----\n
                    4. Paste the content of the CSV file and click on Import.

                    You should see a diagram with the Management Groups and Subscriptions.

                    For example:

                    This is the common structure for the Management Groups in the Enterprise Scale Landing Zone, now Accelerator Landing Zone:

                        graph TD\n        A[Root Management Group] --> B[Intermediary-Management-Group]\n        B --> C[Decommissioned]\n        B --> D[Landing Zones]\n        B --> E[Platform]\n        B --> F[Sandboxes]\n        D --> G[Corp]\n        D --> H[Online]\n        E --> I[Connectivity]\n        E --> J[Identity]\n        E --> K[Management]        

                    And this is the CSV file to import into draw.io:

                    #label: %displayName%\n#stylename: itemType\n#styles: {\"Management Group\": \"label;image=img/lib/azure2/general/Management_Groups.svg;whiteSpace=wrap;html=1;rounded=1; fillColor=%fill%;strokeColor=#6c8ebf;fillColor=#dae8fc;points=[[0.5,0,0,0,0],[0.5,1,0,0,0]];\",\\\n#\"Subscription\": \"label;image=img/lib/azure2/general/Subscriptions.svg;whiteSpace=wrap;html=1;rounded=1; fillColor=%fill%;strokeColor=#d6b656;fillColor=#fff2cc;points=[[0.5,0,0,0,0],[0.5,1,0,0,0]];imageWidth=26;\"}\n#\n#\n#namespace: csvimport-\n#\n#connect: {\"from\": \"ParentId\", \"to\": \"displayName\", \"invert\": true, \"style\": \"curved=1;endArrow=blockThin;endFill=1;fontSize=11;edgeStyle=orthogonalEdgeStyle;\"}\n#\n## Node width and height, and padding for autosize\n#width: auto\n#height: auto\n#padding: -12\n#\n## ignore: id,image,fill,stroke,refs,manager\n#\n## Column to be renamed to link attribute (used as link).\n## link: url\n#\n## Spacing between nodes, hierarchical levels and parallel connections.\n#nodespacing: 40\n#levelspacing: 100\n#edgespacing: 40\n#\n## layout: auto\n#layout: verticaltree\n#\n## ---- CSV below this line. First line are column names. ----\nid,displayName,itemType,ParentId\n1,Tenant Root Group,Management Group,\n2,Intermediary Management Group,Management Group,Tenant Root Group\n3,Decommissioned,Management Group,Intermediary Management Group\n4,Landing Zones,Management Group,Intermediary Management Group\n5,Platform,Management Group,Intermediary Management Group\n6,Sandboxes,Management Group,Intermediary Management Group\n7,Corp,Management Group,Landing Zones\n8,Online,Management Group,Landing Zones\n9,Connectivity,Management Group,Platform\n10,Identity,Management Group,Platform\n11,Management,Management Group,Platform\n12,subcr-1,Subscription,Decommissioned\n13,subcr-2,Subscription,Sandboxes\n14,subcr-3,Subscription,Corp\n15,subcr-4,Subscription,Online\n16,subcr-5,Subscription,Connectivity\n17,subcr-6,Subscription,Identity\n18,subcr-7,Subscription,Management\n
                    ","tags":["Management Groups","draw.io"]},{"location":"blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/#make-your-diagram-animated-and-interactive","title":"Make your diagram animated and interactive","text":"

                    You can make your diagram animated and interactive by following these steps:

                    1. File > Export as > URL
                    2. Add &p=ex after the first ? in the URL.

                    For example, the URL should look like this:

                    https://viewer.diagrams.net/?&p=ex&tags=%7B%7D&highlight=0000ff&layers=1&nav=1&title=MGs.drawio#R7Zxbc5s4FMc%2FjR%2BbAQkEPK7dJHWn3XbW6exMX3ZkkLFakDxCvvXTr7jFxrZi1k0Wg5lxYnR0QfqfHxqOBB7AUbx5FHgx%2F8wDEg2AEWwG8P0AAGAgQ32llm1uMU0X5pZQ0KCw7QwT%2BosUxqJiuKQBSSoFJeeRpIuq0eeMEV9WbFgIvq4Wm%2FGoetYFDsmRYeLj6Nj6Nw3kvBwG8nYZHwgN58WpXeDkGTEuCxcjSeY44Os9E7wfwJHgXOZH8WZEolS9Upe83oMm97ljgjB5osK3hIgv0x%2BpJsCI8FQ5Jis0AHZAk0WEt3%2FimKhU3k7Z7HBLxq7x42mcwOHy%2B0dn9PCRvIOFz%2FYrZqWfCMMsPcFf6TCA8Sj4clE0KEn8tF0UBT9jpoSKCTso9TXr%2Fjgo%2B5YNKcI%2BmStHEbHvvKoMidyWLioGN6Rx7ksah0qFiE7Vf%2FxrKUgqSkgYEVjVfNh15Z%2BsI8ldsgpV9fVcdXmyUOdWbawVzso2l3Eqm6kOVVEWkKBIpSjRKBrxiIusF3aaTNWEw0QK%2FpPssiDyXTKdqZxqFRhg4s58ZV9wymQ2VnuoPsadcsrIqPzZqsLoOc88zFOftFOpfCsiJNloIdnX8pHwmEixVUWKCpYD7goituU1nCfXO%2FqB4ea2%2BR74dmHDhc%2FC57Z3TKqDwoFlco%2FS16fW0lA7ZpKImAQUZ0PXsXkJwS9cED3WDWINnQOsTegec%2B20g2tbw%2FV74vM4pklCOVMuvRjimtdHD3RzQJezcjlJ2%2BiIZtNrB81IQ%2FMnzALKFCLGd4Vz0uPcYZyhZ57nuSWzs6Ph%2BWuE5YyLuAe5wyB7rn0eZKsdILsakCdqYp7yze9MySfn9p7bBu8nAKxwCx3rmFvUDm49DbcjLn4jsuuRvTJkLWieRxa0AlnL0CD7hUWUkR7azkBre955aGE7oDW182y2FE9XVG4vR7d6u9wz2xyzjuN05d7AAhpmx4ESo%2Be1E7wexmBtnmN1G2%2F7TPbEtp1Y00Q1wq92rH9Zul23ZDn1xTvzFK%2BT5TTxBV1IytkpUk9tbLwxr%2FtdentWAzRFNjpmdTabAf8VWc0GXz7HANAr3dPWmG5bEofpdtZydsEl7B6slvXYXgu2wKrOuZYHWsutbg8t5xZewu1utaxH9lqQPVzyajOyum2yHFnrEmT3V8t6aK8FWmRYnYFWtyWWQ2tfAu3xalmP7rWg63hOZ9DV7Yrl6KJL0K0umvXYXgu2nmd0BVtbtzOWY%2Btcgu3h2lkP7rWAa5qu2yS5Ry9ZnGayGNcKR0tSog2qjPhLsXp2IGHBH%2BmrKCo5jbj%2F82lOWW5%2BSB2ZF5pxJovXX8ysUhCSSdEgF3LOQ85wdL%2BzFoKn5V6WW3WML4VPXhhS%2BYKHxCIk8qWC1mkHChJhdQ9T7cl%2FcEZN5UH3lLfqKm83qjy8YeVRo8pbN6y806jydveUR3WVdxtVHt2w8l6jyju3q3z%2BFF5jyrvdU96pq7wmLPiflPduWHnQpPLlrwPcpPKwUeU7GMPadZVvNIZFHYxh3brKNxrDog7GsF5d5RuNYVH3YtjylY3zyjcaw6LuxbDlewfnlW80hkXdi2HLp%2BfPK99oDIu6F8Naddfn7TeKYVVy90tVWd7eD37B%2B38B#%7B%22pageId%22%3A%22UGUHswWqf16rUITyRAQM%22%7D\n

                    You can check it here

                    ","tags":["Management Groups","draw.io"]},{"location":"blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/#references","title":"References","text":"
                    • Automatically create draw.io diagrams from CSV files
                    • Animation and Automatic Layout: Explore Complex Diagrams
                    ","tags":["Management Groups","draw.io"]},{"location":"blog/2024/04/","title":"2024/04","text":""},{"location":"blog/2024/03/","title":"2024/03","text":""},{"location":"blog/2024/02/","title":"2024/02","text":""},{"location":"blog/2023/12/","title":"2023/12","text":""},{"location":"blog/2023/11/","title":"2023/11","text":""},{"location":"blog/2023/10/","title":"2023/10","text":""},{"location":"blog/category/azure-services/","title":"Azure Services","text":""},{"location":"blog/category/learning/","title":"Learning","text":""},{"location":"blog/category/security/","title":"Security","text":""},{"location":"blog/category/tools/","title":"Tools","text":""},{"location":"blog/category/microsoft-365/","title":"Microsoft 365","text":""},{"location":"blog/category/windows/","title":"Windows","text":""},{"location":"blog/category/azure-updates/","title":"Azure Updates","text":""},{"location":"blog/category/azure-frameworks/","title":"Azure Frameworks","text":""},{"location":"blog/category/development/","title":"Development","text":""},{"location":"blog/category/devops/","title":"DevOps","text":""},{"location":"blog/category/english/","title":"English","text":""},{"location":"blog/category/hello_world/","title":"Hello_World","text":""},{"location":"blog/page/2/","title":"Blog","text":""},{"location":"blog/page/3/","title":"Blog","text":""},{"location":"blog/category/azure-services/page/2/","title":"Azure Services","text":""},{"location":"blog/tags/","title":"Posts by Tags","text":"

                    Following is a list of relevant tags:

                    "},{"location":"blog/tags/#azure-arc","title":"Azure ARC","text":"
                    • Azure ARC
                    • How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account
                    "},{"location":"blog/tags/#azure-communication-services","title":"Azure Communication Services","text":"
                    • Azure Communication Services
                    "},{"location":"blog/tags/#azure-container-apps","title":"Azure Container Apps","text":"
                    • Comparing Container Apps with other Azure container options
                    "},{"location":"blog/tags/#azure-functions","title":"Azure Functions","text":"
                    • Azure Functions
                    "},{"location":"blog/tags/#azure-policy","title":"Azure Policy","text":"
                    • Azure Policy
                    • Azure Policy, defintion schema
                    • Writing Your First Policy in Azure with Portal
                    • Writing Your First Initiative with Portal
                    • Manage Azure Policy GitHub Action
                    • Enterprise Azure Policy as Code (EPAC)
                    • Azure Policy Management Best Practices
                    • Azure Policy useful queries
                    "},{"location":"blog/tags/#azure-well-architected-framework","title":"Azure Well-Architected Framework","text":"
                    • Azure Well-Architected Framework (WAF) mind maps
                    "},{"location":"blog/tags/#certifications","title":"Certifications","text":"
                    • Microsoft Azure Certifications
                    "},{"location":"blog/tags/#epac","title":"EPAC","text":"
                    • Enterprise Azure Policy as Code (EPAC)
                    "},{"location":"blog/tags/#english","title":"English","text":"
                    • Azure Services
                    "},{"location":"blog/tags/#general","title":"General","text":"
                    • Azure Services
                    "},{"location":"blog/tags/#management-groups","title":"Management Groups","text":"
                    • Management Groups
                    • Moving Management Groups and Subscriptions
                    • How to create a Management Group diagram with draw.io
                    "},{"location":"blog/tags/#microsoft-defender-for-cloud","title":"Microsoft Defender for Cloud","text":"
                    • Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud
                    "},{"location":"blog/tags/#onedrive-for-business","title":"OneDrive for Business","text":"
                    • Depurar logs de OneDrive para detectar problemas de sincronizaci\u00f3n
                    "},{"location":"blog/tags/#pam","title":"PAM","text":"
                    • Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services
                    "},{"location":"blog/tags/#security","title":"Security","text":"
                    • Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services
                    "},{"location":"blog/tags/#trunk","title":"Trunk","text":"
                    • Trunk
                    "},{"location":"blog/tags/#windows-subsystem-for-linux-2","title":"Windows Subsystem for Linux 2","text":"
                    • Instalar WSL2 en Windows 11 con chocolatey
                    "},{"location":"blog/tags/#csharp","title":"csharp","text":"
                    • Starting to develop in c#
                    "},{"location":"blog/tags/#drawio","title":"draw.io","text":"
                    • How to create a Management Group diagram with draw.io
                    "},{"location":"blog/tags/#mkdocs","title":"mkdocs","text":"
                    • Create a blog with MkDocs,mkdocs-material, mkdocs-rss-plugin and GitHub Pages
                    • Enhance your mkdocks.yml
                    "},{"location":"blog/tags/#vscode","title":"vscode","text":"
                    • Trunk
                    "}]} \ No newline at end of file +{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Thats me","text":""},{"location":"#quien-soy","title":"Quien soy?","text":"

                    \u00a1Hola a todos!

                    Soy Rafa , y este es mi peque\u00f1o rinc\u00f3n en la web.

                    Como profesional apasionado de la inform\u00e1tica, me encanta explorar nuevas tecnolog\u00edas, enfrentar nuevos desaf\u00edos y compartir mis experiencias con otros.

                    Como soy bastante malo present\u00e1ndome, le he pedido a chatgpt que me ayude a hacerlo en base a los comentarios de algunos de mis compa\u00f1eros de trabajo en Linkedin, este es el resultado:

                    "},{"location":"#un-lider-y-mentor-excepcional","title":"Un L\u00edder y Mentor Excepcional","text":"

                    \u00a1Hola a todos!

                    Hoy quiero compartir con ustedes mi experiencia trabajando con un profesional de increible talento, Rafael.

                    Tuve la suerte de trabajar con \u00e9l en Bravent durante m\u00e1s de seis meses. Durante ese tiempo, Rafael fue no solo mi jefe directo, sino tambi\u00e9n mi mentor dentro de la empresa. No puedo decir ni una cosa mala sobre \u00e9l; es un excelente l\u00edder, uno de los pocos que he encontrado en mi vida laboral, que nunca te pide algo que \u00e9l mismo no pueda hacer.

                    Rafael siempre est\u00e1 dispuesto a echar una mano si ve que est\u00e1s desbordado o perdido. Como mentor, aplica siempre el principio de \u201cno le des un pez, ens\u00e9\u00f1ale a pescar\u201d. Me ayud\u00f3 a reconducir todas las situaciones en las que me encontr\u00e9 con un callej\u00f3n sin salida, apuntando en la direcci\u00f3n en la que ten\u00eda que seguir avanzando.

                    A nivel t\u00e9cnico, Rafael es excepcional. M\u00e1s all\u00e1 de su conocimiento, sorprende por su capacidad para aprender en un tiempo m\u00ednimo lo necesario para resolver cualquier tipo de problema. Trabajar con \u00e9l es tremendamente f\u00e1cil, ya que nunca tiene una mala palabra ni un mal gesto y genera un ambiente de trabajo incre\u00edblemente positivo.

                    Rafael demuestra un profundo conocimiento no solo t\u00e9cnico en las \u00e1reas que le competen, sino tambi\u00e9n de planificaci\u00f3n, an\u00e1lisis y gesti\u00f3n. He tenido la gran suerte de trabajar con \u00e9l y sin duda es una de las personas que me gustar\u00eda que formara parte de cualquier equipo en el que me encuentre ahora o en el futuro.

                    Rafael es un maestro en las artes inform\u00e1ticas y un verdadero profesional. En su trabajo no deja nada al azar, todo lo estudia detenidamente y suele tomar muy buenas decisiones. Adem\u00e1s, Rafael es un profesional altamente calificado. Tiene una actitud amigable y resuelve r\u00e1pidamente cualquier pregunta que tengas, explic\u00e1ndote siempre la soluci\u00f3n. Si tienes alg\u00fan problema, \u00e9l es la persona adecuada a quien pedir ayuda.

                    Espero que este testimonio brinde una visi\u00f3n clara del incre\u00edble profesional y persona que es Rafael. Estoy seguro de que aquellos que tengan la oportunidad de trabajar con \u00e9l se beneficiar\u00e1n enormemente de su liderazgo, conocimientos t\u00e9cnicos y actitud positiva.

                    "},{"location":"#who-am-i","title":"Who am I?","text":"

                    Hello everyone!

                    I'm Rafa, and this is my little corner on the web.

                    As a passionate IT professional, I love exploring new technologies, facing new challenges, and sharing my experiences with others.

                    Since I'm pretty bad at introducing myself, I've asked chatgpt to help me do it based on comments from some of my coworkers on Linkedin, this is the result:

                    "},{"location":"#an-exceptional-leader-and-mentor","title":"An Exceptional Leader and Mentor","text":"

                    Hello everyone!

                    Today I want to share with you my experience working with an incredibly talented professional, Rafael.

                    I was lucky enough to work with him at Bravent for over six months. During that time, Rafael was not only my direct boss, but also my mentor within the company. I can't say a single bad thing about him; He is an excellent leader, one of the few I have encountered in my working life, who never asks you for something that he cannot do himself.

                    Rafael is always willing to lend a hand if he sees that you are overwhelmed or lost. As a mentor, he always applies the principle of \u201cdon't give him a fish, teach him to fish.\u201d He helped me redirect all the situations in which I found myself at a dead end, pointing in the direction in which I had to continue moving forward.

                    On a technical level, Rafael is exceptional. Beyond his knowledge, he is surprised by his ability to learn in a minimum amount of time what is necessary to solve any type of problem. Working with him is tremendously easy, since he never has a bad word or a bad gesture and generates an incredibly positive work environment.

                    Rafael demonstrates deep knowledge not only of technical knowledge in the areas in which he is responsible, but also of planning, analysis and management. I have had the great fortune to work with him and he is undoubtedly one of the people I would like to be part of any team I am on now or in the future.

                    Rafael is a master of computer arts and a true professional. In his work he leaves nothing to chance, he studies everything carefully and he usually makes very good decisions. Furthermore, Rafael is a highly qualified professional. He has a friendly attitude and quickly resolves any questions you have, always explaining the solution. If you have a problem, he is the right person to ask for help.

                    I hope this testimony provides a clear vision of the incredible professional and person that Rafael is. I am confident that those who have the opportunity to work with him will benefit greatly from his leadership, technical knowledge and positive attitude.

                    "},{"location":"contributions/","title":"Contributions","text":"

                    Better or worse, here I am adding my contributions in case one day I have to compile them to be MVP (a real pain):

                    Generally, I try to contribute to the community in the following ways:

                    • Post/shares in Linkedin
                    • Post in my blog
                    • Some contributions to github projects azure related(see below)
                    "},{"location":"contributions/#2024","title":"2024","text":"
                    • Organizer of Azure Global Seville 2024 and collaborator in Global Azure Spain 2024, Zaragoza.
                    "},{"location":"contributions/#2023","title":"2023","text":"
                    • Creator of Azure Certified World Community, a community by and for Azure Certified Experts.
                    • Microsoft Azure Documentation

                      • Added comparative table to Containers
                      • Add mind maps to WAF pillars
                    • mingrammer

                      • Update azure icons to v12 mingrammer
                    • Cloud Adoption Framework for Azure - Terraform module

                      • First version of the module to support azurerm_linux_function_app
                      • Feature/add ddos protection plan id var non global to ddos
                    • Microsoft Cloud Adoption Framework for Azure, run aznamingtool in podman
                    "},{"location":"contributions/#2022","title":"2022","text":"
                    • Cloud Adoption Framework for Azure - Terraform module

                      • Adding support for Digital Twins
                      • Submodule Eventgrid
                      • System Identity option added to identity in function app
                    • Global Azure Zaragoza 2022

                      • Enterprise Scale Zone \u2013 Empieza bien
                      • Enterprise Scale Zone \u2013 CAF Landing zones for Terraform
                    • Microsoft Azure Documentation

                      • Example added for Azure IP reserves in subnet
                    • Azure-Samples

                      • Update example KeyVault-Rotation-StorageAccountKey-PowerShell
                    • Azure Naming Calculator for early stage of the Cloud Adoption Framework for Azure

                    "},{"location":"Azure/Security/MCSB/Asset%20Management/","title":"MCSB_v1 - Asset Management","text":"ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders: AM-1 Asset Management 1.1 - Utilize an Active Discovery Tool 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory CM-8: INFORMATION SYSTEM COMPONENT INVENTORY 2.4 Track asset inventory and their risks Track your asset inventory by query and discover all your cloud resources. Logically organize your assets by tagging and grouping your assets based on their service nature, location, or other characteristics. Ensure your security organization has access to a continuously updated inventory of assets. The Microsoft Defender for Cloud inventory feature and Azure Resource Graph can query for and discover all resources in your subscriptions, including Azure services, applications, and network resources. Logically organize assets according to your organization's taxonomy using tags as well as other metadata in Azure (Name, Description, and Category). How to create queries with Azure Resource Graph Explorer: Use the AWS Systems Manager Inventory feature to query for and discover all resources in your EC2 instances, including application level and operating system level details. In addition, use AWS Resource Groups - Tag Editor to browse AWS resource inventories. 
AWS Systems Manager Inventory: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint 1.2 - Use a Passive Asset Discovery Tool 1.5 - Use a Passive Asset Discovery Tool PM-5: INFORMATION SYSTEM INVENTORY https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-inventory.html 1.4 - Maintain Detailed Asset Inventory 2.1 - Establish and Maintain a Software Inventory Ensure your security organization can monitor the risks of the cloud assets by always having security insights and risks aggregated centrally Ensure that security organizations have access to a continuously updated inventory of assets on Azure. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input for continuous security improvements. Logically organize assets according to your organization's taxonomy using tags as well as other metadata in AWS (Name, Description, and Category). Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management 1.5 - Maintain Asset Inventory Information 2.4 - Utilize Automated Software Inventory Tools Microsoft Defender for Cloud asset inventory management: AWS Resource Groups and Tags: 2.1 - Maintain Inventory of Authorized Software Ensure security organizations are granted Security Reader permissions in your Azure tenant and subscriptions so they can monitor for security risks using Microsoft Defender for Cloud. Security Reader permissions can be applied broadly to an entire tenant (Root Management Group) or scoped to management groups or specific subscriptions. https://docs.microsoft.com/azure/security-center/asset-inventory Ensure that security organizations have access to a continuously updated inventory of assets on AWS. 
Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input for continuous security improvements. https://docs.aws.amazon.com/ARG/latest/userguide/tag-editor.html Note: Additional permissions might be required to get visibility into workloads and services. For more information about tagging assets, see the resource naming and tagging decision guide: Note: Additional permissions might be required to get visibility into workloads and services. https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/resource-tagging/?toc=/azure/azure-resource-manager/management/toc.json Overview of Security Reader Role: https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#security-reader AM-2 Asset Management 2.7 - Utilize Application Whitelisting 2.5 - Allowlist Authorized Software CM-8: INFORMATION SYSTEM COMPONENT INVENTORY 6.3 Use only approved services Ensure that only approved cloud services can be used, by auditing and restricting which services users can provision in the environment. Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within their subscriptions. You can also use Azure Monitor to create rules to trigger alerts when a non-approved service is detected. Configure and manage Azure Policy: Use AWS Config to audit and restrict which services users can provision in your environment. Use AWS Resource Groups to query for and discover resources within their accounts. You can also use CloudWatch and/or AWS Config to create rules to trigger alerts when a non-approved service is detected. 
AWS Resource Groups: Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management 2.8 - Implement Application Whitelisting of Libraries 2.6 - Allowlist Authorized Libraries PM-5: INFORMATION SYSTEM INVENTORY https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage https://docs.aws.amazon.com/ARG/latest/userguide/gettingstarted.html 2.9 - Implement Application Whitelisting of Scripts 2.7 - Allowlist Authorized Scripts Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 9.2 - Ensure Only Approved Ports, Protocols, and Services Are Running 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software How to deny a specific resource type with Azure Policy: https://docs.microsoft.com/azure/governance/policy/samples/not-allowed-resource-types How to create queries with Azure Resource Graph Explorer: https://docs.microsoft.com/azure/governance/resource-graph/first-query-portal AM-3 Asset Management 1.4 - Maintain Detailed Asset Inventory 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory CM-8: INFORMATION SYSTEM COMPONENT INVENTORY 2.4 Ensure security of asset lifecycle management Ensure security attributes or configurations of the assets are always updated during the asset lifecycle. Establish or update security policies/process that address asset lifecycle management processes for potentially high impact modifications. These modifications include changes to identity providers and access, data sensitivity level, network configuration, and administrative privilege assignment. Delete Azure resource group and resource: Establish or update security policies/process that address asset lifecycle management processes for potentially high impact modifications. 
These modifications include changes to identity providers and access, data sensitivity level, network configuration, and administrative privilege assignment. How do I check for active resources that I no longer need on my AWS account? Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint 1.5 - Maintain Asset Inventory Information 2.1 - Establish and Maintain a Software Inventory CM-7: LEAST FUNCTIONALITY https://docs.microsoft.com/azure/azure-resource-manager/management/delete-resource-group https://aws.amazon.com/premiumsupport/knowledge-center/check-for-active-resources/ 2.1 - Maintain Inventory of Authorized Software Identify and remove Azure resources when they are no longer needed. Identify and remove AWS resources when they are no longer needed. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 2.4 - Track Software Inventory Information How do I terminate active resources that I no longer need on my AWS account? https://aws.amazon.com/premiumsupport/knowledge-center/terminate-resources-account-closure/ Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management AM-4 Asset Management 14.6 - Protect Information Through Access Control Lists 3.3 - Configure Data Access Control Lists AC-3: ACCESS ENFORCEMENT nan Limit access to asset management Limit users' access to asset management features, to avoid accidental or malicious modification of the assets in your cloud. Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources (assets) in Azure. Use Azure AD Conditional Access to limit users' ability to interact with Azure Resource Manager by configuring \"Block access\" for the \"Microsoft Azure Management\" App. 
How to configure Conditional Access to block access to Azure Resources Manager: Use AWS IAM to restrict access to a specific resource. You can specify allowed or deny actions as well as the conditions under which actions are triggered. You may specify one condition or combine methods of resource-level permissions, resource-based policies, tag-based authorization, temporary credentials, or service-linked roles to have a fine-grain control access control for your resources. AWS services that work with IAM: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management https://docs.microsoft.com/azure/role-based-access-control/conditional-access-azure-management https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html Use Azure Role-based Access Control (Azure RBAC) to assign roles to identities to control their permissions and access to Azure resources. For example, a user with only the 'Reader' Azure RBAC role can view all resources, but is not allowed to make any changes. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Lock your resources to protect your infrastructure: Use Resource Locks to prevent either deletions or modifications to resources. Resource Locks may also be administered through Azure Blueprints. 
https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json Protect new resources with Azure Blueprints resource locks: https://learn.microsoft.com/azure/governance/blueprints/tutorials/protect-new-resources AM-5 Asset Management 2.7 - Utilize Application Whitelisting 2.5 - Allowlist Authorized Software CM-8: INFORMATION SYSTEM COMPONENT INVENTORY 6.3 Use only approved applications in virtual machine Ensure that only authorized software executes by creating an allow list and block the unauthorized software from executing in your environment. Use Microsoft Defender for Cloud adaptive application controls to discover and generate an application allow list. You can also use ASC adaptive application controls to ensure that only authorized software can executes, and all unauthorized software is blocked from executing on Azure Virtual Machines. How to use Microsoft Defender for Cloud adaptive application controls: Use the AWS Systems Manager Inventory feature to discover the applications installed in your EC2 instances. Use AWS Config rules to ensure that non-authorized software is blocked from executing on EC2 instances. Preventing blacklisted applications with AWS Systems Manager and AWS Config: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint 2.8 - Implement Application Whitelisting of Libraries 2.6 - Allowlist Authorized Libraries CM-7: LEAST FUNCTIONALITY https://docs.microsoft.com/azure/security-center/security-center-adaptive-application https://aws.amazon.com/blogs/mt/preventing-blacklisted-applications-with-aws-systems-manager-and-aws-config/ 2.9 - Implement Application Whitelisting of Scripts 2.7 - Allowlist Authorized Scripts CM-10: SOFTWARE USAGE RESTRICTIONS Use Azure Automation Change Tracking and Inventory to automate the collection of inventory information from your Windows and Linux VMs. 
Software name, version, publisher, and refresh time information are available from the Azure portal. To get the software installation date and other information, enable guest-level diagnostics and direct the Windows Event Logs to a Log Analytics workspace. You can also use a third-party solution to discover and identify unapproved software. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 9.2 - Ensure Only Approved Ports, Protocols, and Services Are Running 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CM-11: USER-INSTALLED SOFTWARE Understand Azure Automation Change Tracking and Inventory: Depending on the type of scripts, you can use operating system-specific configurations or third-party resources to limit users' ability to execute scripts in Azure compute resources. https://docs.microsoft.com/azure/automation/change-tracking Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management You can also use a third-party solution to discover and identify unapproved software. 
How to control PowerShell script execution in Windows environments: https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-6"},{"location":"Azure/Security/MCSB/Backup%20and%20Recovery/","title":"MCSB_v1 - Backup and Recovery","text":"ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders: BR-1 Backup and recovery 10.1 - Ensure Regular Automated Backups 11.2 - Perform Automated Backups CP-2: CONTINGENCY PLAN nan Ensure regular automated backups Ensure backup of business-critical resources, either during resource creation or enforced through policy for existing resources. For Azure Backup supported resources (such as Azure VMs, SQL Server, HANA databases, Azure PostgreSQL Database, File Shares, Blobs or Disks), enable Azure Backup and configure the desired frequency and retention period. For Azure VM, you can use Azure Policy to have backup automatically enabled using Azure Policy. How to enable Azure Backup: For AWS Backup supported resources (such as EC2, S3, EBS or RDS), enable AWS Backup and configure the desired frequency and retention period. AWS Backup supported resources and third-party applications: Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards CP-4: CONTINGENCY PLAN TESTING https://docs.microsoft.com/azure/backup/ https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html CP-9: INFORMATION SYSTEM BACKUP For resources or services not supported by Azure Backup, use the native backup capability provided by the resource or service. For example, Azure Key Vault provides a native backup capability. 
For resources/services not supported by AWS Backup, such as AWS KMS, enable the native backup feature as part of its resource creation. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture Auto-Enable Backup on VM Creation using Azure Policy: Amazon S3 versioning: For resources/services that are neither supported by Azure Backup nor have a native backup capability, evaluate your backup and disaster needs, and create your own mechanism as per your business requirements. For example: https://docs.microsoft.com/azure/backup/backup-azure-auto-enable-backup For resources/services that are neither supported by AWS Backup nor have a native backup capability, evaluate your backup and disaster needs, and create your own mechanism as per your business requirements. For example: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint - If you use Azure Storage for data storage, enable blob versioning for your storage blobs which will allow you to preserve, retrieve, and restore every version of every object stored in your Azure Storage. - If Amazon S3 is used for data storage, enable S3 versioning for your storage bucket which will allow you to preserve, retrieve, and restore every version of every object stored in your S3 bucket. - Service configuration settings can usually be exported to Azure Resource Manager templates. - Service configuration settings can usually be exported to CloudFormation templates.
AWS CloudFormation best practices: Incident preparation: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html BR-2 Backup and recovery 10.4 - Ensure Protection of Backups 11.3 - Protect Recovery Data CP-6: ALTERNATE STORAGE SITE 3.4 Protect backup and recovery data Ensure backup data and operations are protected from data exfiltration, data compromise, ransomware/malware and malicious insiders. The security controls that should be applied include user and network access control, data encryption at-rest and in-transit. Use multi-factor-authentication and Azure RBAC to secure the critical Azure Backup operations (such as delete, change retention, updates to backup config). For Azure Backup supported resources, use Azure RBAC to segregate duties and enable fine grained access, and create private endpoints within your Azure Virtual Network to securely backup and restore data from your Recovery Services vaults. Overview of security features in Azure Backup: Use AWS IAM access control to secure AWS Backup. This includes securing the AWS Backup service access and backup and restore points. Example controls include: Security in AWS Backup: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture CP-9: INFORMATION SYSTEM BACKUP https://docs.microsoft.com/azure/backup/security-overview - Use multi-factor authentication (MFA) for critical operations such as deletion of a backup/restore point. https://docs.aws.amazon.com/aws-backup/latest/devguide/security-considerations.html For Azure Backup supported resources, backup data is automatically encrypted using Azure platform-managed keys with 256-bit AES encryption. You can also choose to encrypt the backups using a customer managed key. In this case, ensure the customer-managed key in the Azure Key Vault is also in the backup scope. 
If you use a customer-managed key, use soft delete and purge protection in Azure Key Vault to protect keys from accidental or malicious deletion. For on-premises backups using Azure Backup, encryption-at-rest is provided using the passphrase you provide. - Use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to communicate with AWS resources. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Encryption of backup data using customer-managed keys: - Use AWS KMS in conjunction with AWS Backup to encrypt the backup data either using customer-managed CMK or an AWS-managed CMK associated with the AWS Backup service. Security Best Practices for Amazon S3: Safeguard backup data from accidental or malicious deletion, such as ransomware attacks/attempts to encrypt or tamper with backup data. For Azure Backup supported resources, enable soft delete to ensure recovery of items with no data loss for up to 14 days after an unauthorized deletion, and enable multifactor authentication using a PIN generated in the Azure portal. Also enable geo-redundant storage or cross-region restoration to ensure backup data is restorable when there is a disaster in the primary region. You can also enable Zone-redundant Storage (ZRS) to ensure backups are restorable during zonal failures. https://docs.microsoft.com/azure/backup/encryption-at-rest-with-cmk - Use AWS Backup Vault Lock for immutable storage of critical data. https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html Incident preparation: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation - Secure S3 buckets through access policy, disabling public access, enforcing data at-rest encryption, and versioning control.
Note: If you use a resource's native backup feature or backup services other than Azure Backup, refer to the Microsoft Cloud Security Benchmark (and service baselines) to implement the above controls. Security features to help protect hybrid backups from attacks: https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks Azure Backup - set cross region restore https://docs.microsoft.com/azure/backup/backup-create-rs-vault#set-cross-region-restore BR-3 Backup and recovery 10.4 - Ensure Protection of Backups 11.3 - Protect Recovery Data CP-9: INFORMATION SYSTEM BACKUP nan Monitor backups Ensure all business-critical protectable resources are compliant with the defined backup policy and standard. Monitor your Azure environment to ensure that all your critical resources are compliant from a backup perspective. Use Azure Policy for backup to audit and enforce such controls. For Azure Backup supported resources, Backup Center helps you centrally govern your backup estate. Govern your backup estate using Backup Center: AWS Backup works with other AWS tools to empower you to monitor its workloads. These tools include the following: AWS Backup Monitoring: Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation https://docs.microsoft.com/azure/backup/backup-center-govern-environment - Use AWS Backup Audit Manager to monitor the backup operations to ensure the compliance. https://docs.aws.amazon.com/aws-backup/latest/devguide/monitoring.html Ensure critical backup operations (delete, change retention, updates to backup config) are monitored, audited, and have alerts in place. For Azure Backup supported resources, monitor overall backup health, get alerted to critical backup incidents, and audit triggered user actions on vaults. - Use CloudWatch and Amazon EventBridge to monitor AWS Backup processes. 
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management Monitor and operate backups using Backup center: - Use CloudWatch to track metrics, create alarms, and view dashboards. Monitoring AWS Backup events using EventBridge: Note: Where applicable, also use built-in policies (Azure Policy) to ensure that your Azure resources are configured for backup. https://docs.microsoft.com/azure/backup/backup-center-monitor-operate - Use EventBridge to view and monitor AWS Backup events. https://docs.aws.amazon.com/aws-backup/latest/devguide/eventbridge.html - Use Amazon Simple Notification Service (Amazon SNS) to subscribe to AWS Backup-related topics such as backup, restore, and copy events. Monitoring and reporting solutions for Azure Backup: Monitoring AWS Backup metrics with CloudWatch: https://docs.microsoft.com/azure/backup/monitoring-and-alerts-overview https://docs.aws.amazon.com/aws-backup/latest/devguide/cloudwatch.html Using Amazon SNS to track AWS Backup events: https://docs.aws.amazon.com/aws-backup/latest/devguide/sns-notifications.html Audit backups and create reports with AWS Backup Audit Manager: https://docs.aws.amazon.com/aws-backup/latest/devguide/aws-backup-audit-manager.html BR-4 Backup and recovery 10.3 - Test Data on Backup Media 11.5 - Test Data Recovery CP-4: CONTINGENCY PLAN TESTING nan Regularly test backup Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meet the recovery needs as defined in the RTO (Recovery Time Objective) and RPO (Recovery Point Objective). Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meet the recovery needs as defined in the RTO and RPO.
How to recover files from Azure Virtual Machine backup: Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meet the recovery needs as defined in the RTO and RPO. Restoring a backup: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture CP-9: INFORMATION SYSTEM BACKUP https://docs.microsoft.com/azure/backup/backup-azure-restore-files-from-vm https://docs.aws.amazon.com/aws-backup/latest/devguide/restoring-a-backup.html You may need to define your backup recovery test strategy, including the test scope, frequency and method, as performing the full recovery test each time can be difficult. You may need to define your backup recovery test strategy, including the test scope, frequency and method, as performing the full recovery test each time can be difficult. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation How to restore Key Vault keys in Azure: https://docs.microsoft.com/powershell/module/azurerm.keyvault/restore-azurekeyvaultkey?view=azurermps-6.13.0 Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security

MCSB_v1 - Data Protection

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context: AWS Foundational Security Best Practices controls AWS Config Rule (WIP) Azure Policy CIS AWS Foundations Benchmark 1.4.0 Customer Security Stakeholders: DP-1 Data Protection 13.1 - Maintain an Inventory of Sensitive Information 3.2 - Establish and Maintain a Data Inventory RA-2: SECURITY CATEGORIZATION A3.2 Discover, classify, and label sensitive
data Establish and maintain an inventory of the sensitive data, based on the defined sensitive data scope. Use tools to discover, classify and label the in-scope sensitive data. Use tools such as Microsoft Purview, which combines the former Azure Purview and Microsoft 365 compliance solutions, and Azure SQL Data Discovery and Classification to centrally scan, classify, and label the sensitive data that resides in Azure, on-premises, Microsoft 365, and other locations. Data classification overview: Replicate your data from various sources to an S3 storage bucket and use AWS Macie to scan, classify and label the sensitive data stored in the bucket. AWS Macie can detect sensitive data such as security credentials, financial information, PHI and PII data, or other data patterns based on the custom data identifier rules. Data Classification Process: nan nan [Preview]: Sensitive data in your SQL databases should be classified 2.3.1 Ensure that encryption is enabled for RDS Instances Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 14.5 - Utilize an Active Discovery Tool to Identify Sensitive Data 3.7 - Establish and Maintain a Data Classification Scheme SC-28: PROTECTION OF INFORMATION AT REST https://docs.microsoft.com/azure/cloud-adoption-framework/govern/policy-compliance/data-classification https://docs.aws.amazon.com/whitepapers/latest/data-classification/data-classification-process.html (Automated) 3.13 - Deploy a Data Loss Prevention Solution You may also use the Azure Purview multi-cloud scanning connector to scan, classify and label the sensitive data residing in an S3 storage bucket.
Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security Labeling in the Microsoft Purview Data Map: AWS Marketplace - DLP Solution: https://docs.microsoft.com/azure/purview/create-sensitivity-label Note: You can also use third-party enterprise solutions from AWS Marketplace for the purpose of data discovery, classification and labeling. https://aws.amazon.com/marketplace/search/results?searchTerms=DLP Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Tag sensitive information using Azure Information Protection: https://docs.microsoft.com/azure/information-protection/what-is-information-protection How to implement Azure SQL Data Discovery: https://docs.microsoft.com/azure/sql-database/sql-database-data-discovery-and-classification Microsoft Purview data sources: https://docs.microsoft.com/azure/purview/purview-connector-overview#purview-data-sources DP-2 Data Protection 13.3 - Monitor and Block Unauthorized Network Traffic 3.13 - Deploy a Data Loss Prevention Solution AC-4: INFORMATION FLOW ENFORCEMENT A3.2 Monitor anomalies and threats targeting sensitive data Monitor for anomalies around sensitive data, such as unauthorized transfer of data to locations outside of enterprise visibility and control. This typically involves monitoring for anomalous activities (large or unusual transfers) that could indicate unauthorized data exfiltration. Use Azure Information Protection (AIP) to monitor the data that has been classified and labeled. Enable Azure Defender for SQL: Use AWS Macie to monitor the data that has been classified and labeled, and use GuardDuty to detect anomalous activities on some resources (S3, EC2 or Kubernetes or IAM resources). Findings and alerts can be triaged, analyzed, and tracked using EventBridge and forwarded to Microsoft Sentinel or Security Hub for incident aggregation and tracking.
GuardDuty S3 finding types: nan nan Azure Defender for open-source relational databases should be enabled nan Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security 14.7 - Enforce Access Control to Data through Automated Tools SI-4: INFORMATION SYSTEM MONITORING https://docs.microsoft.com/azure/azure-sql/database/azure-defender-for-sql https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html Azure Defender for Storage should be enabled Use Microsoft Defender for Storage, Microsoft Defender for SQL, Microsoft Defender for open-source relational databases, and Microsoft Defender for Cosmos DB to alert on anomalous transfer of information that might indicate unauthorized transfers of sensitive data information. You may also connect your AWS accounts to Microsoft Defender for Cloud for compliance checks, container security, and endpoint security capabilities. Azure Defender for SQL servers on machines should be enabled Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Enable Azure Defender for Storage: Amazon S3 protection in Amazon GuardDuty: Azure Defender for Azure SQL Database servers should be enabled Note: If required for compliance of data loss prevention (DLP), you can use a host-based DLP solution from Azure Marketplace or a Microsoft 365 DLP solution to enforce detective and/or preventative controls to prevent data exfiltration. https://docs.microsoft.com/azure/storage/common/storage-advanced-threat-protection?tabs=azure-security-center Note: If required for compliance of data loss prevention (DLP), you can use a host-based DLP solution from AWS Marketplace. 
https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Enable Microsoft Defender for Azure Cosmos DB: https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-enable-cosmos-protections?tabs=azure-portal Enable Microsoft Defender for open-source relational databases and respond to alerts: https://learn.microsoft.com/azure/defender-for-cloud/defender-for-databases-usage DP-3 Data Protection 14.4 - Encrypt All Sensitive Information in Transit 3.10 - Encrypt Sensitive Data In Transit SC-8: TRANSMISSION CONFIDENTIALITY AND INTEGRITY 3.5 Encrypt sensitive data in transit Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data. Enforce secure transfer in services such as Azure Storage, where a native data in transit encryption feature is built in. Double encryption for Azure data in transit: Enforce secure transfer in services such as Amazon S3, RDS and CloudFront, where a native data in transit encryption feature is built in. 
TLS security policies in Elastic Load Balancer: CloudFront distributions should require encryption in transit nan Kubernetes clusters should be accessible only over HTTPS 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests (Manual) Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 3.6 https://docs.microsoft.com/azure/security/fundamentals/double-encryption#data-in-transit https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#tls-security-policies Classic Load Balancer listeners should be configured with HTTPS or TLS termination Only secure connections to your Azure Cache for Redis should be enabled 4.1 Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on external and public networks. Enforce HTTPS for web application workloads and services by ensuring that any clients connecting to your Azure resources use transport layer security (TLS) v1.2 or later. For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Enforce HTTPS (such as in AWS Elastic Load Balancer) for workload web application and services (either on the server side or client side, or on both) by ensuring that any clients connecting to your AWS resources use TLS v1.2 or later. 
Application load balancers should be configured to drop HTTP headers FTPS only should be required in your Function App Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Understand encryption in transit with Azure: AWS Transfer SFTP and FTPS: Application Load Balancer should be configured to redirect all HTTP requests to HTTPS Secure transfer to storage accounts should be enabled For remote management of Azure virtual machines, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. For secure file transfer, use the SFTP/FTPS service in Azure Storage Blob, App Service apps, and Function apps, instead of using the regular FTP service. https://docs.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit For remote management of EC2 instances, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. For secure file transfer, use AWS Transfer SFTP or FTPS service instead of a regular FTP service. https://aws.amazon.com/aws-transfer-family/getting-started/?pg=ln&cp=bn Connections to Elasticsearch domains should be encrypted using TLS 1.2 FTPS should be required in your Web App Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops S3 buckets should require requests to use Secure Socket Layer Windows web servers should be configured to use secure communication protocols Note: Data in transit encryption is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure services by default. And some services such as Azure Storage and Application Gateway can enforce TLS v1.2 or later on the server side. Information on TLS Security: Note: All network traffic between AWS data centers is transparently encrypted at the physical layer. 
All traffic within a VPC and between peered VPCs across regions is transparently encrypted at the network layer when using supported Amazon EC2 instance types. TLS v1.2 or later is enabled on most AWS services by default. And some services such as AWS Load Balancer can enforce TLS v1.2 or later on the server side. Function App should only be accessible over HTTPS Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security https://docs.microsoft.com/security/engineering/solving-tls1-problem Latest TLS version should be used in your API App FTPS only should be required in your API App Enforce secure transfer in Azure storage: Web Application should only be accessible over HTTPS https://docs.microsoft.com/azure/storage/common/storage-require-secure-transfer?toc=/azure/storage/blobs/toc.json#require-secure-transfer-for-a-new-storage-account API App should only be accessible over HTTPS Enforce SSL connection should be enabled for PostgreSQL database servers Enforce SSL connection should be enabled for MySQL database servers Latest TLS version should be used in your Web App Latest TLS version should be used in your Function App DP-4 Data Protection 14.8 - Encrypt Sensitive Information at Rest 3.11 - Encrypt Sensitive Data at Rest SC-28: PROTECTION OF INFORMATION AT REST 3.4 Enable data at rest encryption by default To complement access controls, data at rest should be protected against 'out of band' attacks (such as accessing underlying storage) using encryption. This helps ensure that attackers cannot easily read or modify the data. Many Azure services have data at rest encryption enabled by default at the infrastructure layer using a service-managed key. These service-managed keys are generated on the customer's behalf and automatically rotated every two years.
Understand encryption at rest in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#encryption-at-rest-in-microsoft-cloud-services Many AWS services have data at rest encryption enabled by default at the infrastructure/platform layer using an AWS-managed customer master key. These AWS-managed customer master keys are generated on the customer's behalf and rotated automatically every three years. AWS Protecting Data at Rest: API Gateway REST API cache data should be encrypted at rest nan Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources 2.1.1 Ensure all S3 buckets employ encryption-at-rest (Manual) Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 3.5 https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/protecting-data-at-rest.html CloudTrail should have encryption at rest enabled Transparent Data Encryption on SQL databases should be enabled 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests (Manual) Where technically feasible and not enabled by default, you can enable data at rest encryption in the Azure services, or in your VMs at the storage level, file level, or database level. 
Data at rest double encryption in Azure: https://docs.microsoft.com/azure/security/fundamentals/encryption-models Where technically feasible and not enabled by default, you can enable data at rest encryption in the AWS services, or in your VMs at the storage level, file level, or database level. DynamoDB Accelerator (DAX) clusters should be encrypted at rest Automation account variables should be encrypted 2.2.1 Ensure EBS volume encryption is enabled (Manual) Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Attached EBS volumes should be encrypted at rest Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign 2.3.1 Ensure that encryption is enabled for RDS Instances Encryption model and key management table: EBS default encryption should be enabled (Automated) Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops https://docs.microsoft.com/azure/security/fundamentals/encryption-models Amazon EFS should be configured to encrypt file data at rest using AWS KMS Elasticsearch domains should have encryption at-rest enabled Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security Amazon Elasticsearch Service domains should encrypt data sent between nodes RDS DB instances should have encryption at rest enabled RDS cluster snapshots and database snapshots should be encrypted at rest S3 buckets should have server-side encryption enabled SNS topics should be encrypted at rest using AWS KMS AWS WAF Classic global web ACL logging should be enabled Amazon SQS queues should be encrypted at rest DynamoDB Accelerator (DAX) clusters should be encrypted at rest DP-5 Data Protection 14.8 - Encrypt Sensitive Information at Rest 3.11 - Encrypt Sensitive Data at Rest SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND
MANAGEMENT 3.4 Use customer-managed key option in data at rest encryption when required If required for regulatory compliance, define the use case and service scope where customer-managed key option is needed. Enable and implement data at rest encryption using customer-managed key in services. Azure also provides an encryption option using keys managed by yourself (customer-managed keys) for most services. Encryption model and key management table: AWS also provides an encryption option using keys managed by yourself (customer-managed customer master key stored in AWS Key Management Service) for certain services. AWS Services Integrated with AWS KMS: nan nan SQL managed instances should use customer-managed keys to encrypt data at rest nan Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture SC-28: PROTECTION OF INFORMATION AT REST 3.5 https://docs.microsoft.com/azure/security/fundamentals/encryption-models https://aws.amazon.com/kms/features/ SQL servers should use customer-managed keys to encrypt data at rest 3.6 Azure Key Vault Standard, Premium, and Managed HSM are natively integrated with many Azure Services for customer-managed key use cases. You may use Azure Key Vault to generate your key or bring your own keys. AWS Key Management Service (KMS) is natively integrated with many AWS services for customer-managed customer master key use cases. You may either use AWS Key Management Service (KMS) to generate your master keys or bring your own keys. 
PostgreSQL servers should use customer-managed keys to encrypt data at rest Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Services that support encryption using customer-managed key: https://docs.microsoft.com/azure/security/fundamentals/encryption-models#supporting-services AWS-managed and Customer-managed CMKs: Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest However, using the customer-managed key option requires additional operational effort to manage the key lifecycle. This may include encryption key generation, rotation, revoke, and access control, etc. However, using the customer-managed key option requires additional operational efforts to manage the key lifecycle. This may include encryption key generation, rotation, revoke, and access control, etc. https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt Container registries should be encrypted with a customer-managed key Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops How to configure customer managed encryption keys in Azure Storage: https://docs.microsoft.com/azure/storage/common/storage-encryption-keys-portal Cognitive Services accounts should enable data encryption with a customer-managed key Storage accounts should use customer-managed key for encryption Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security MySQL servers should use customer-managed keys to encrypt data at rest Azure Machine Learning workspaces should be encrypted with a customer-managed key DP-6 Data Protection nan nan IA-5: AUTHENTICATOR MANAGEMENT 3.6 Use a secure key management process Document and implement an enterprise cryptographic key management standard, processes, and procedures to control your key lifecycle. 
When there is a need to use customer-managed key in the services, use a secured key vault service for key generation, distribution, and storage. Rotate and revoke your keys based on the defined schedule and when there is a key retirement or compromise. Use Azure Key Vault to create and control your encryption keys life cycle, including key generation, distribution, and storage. Rotate and revoke your keys in Azure Key Vault and your service based on the defined schedule and when there is a key retirement or compromise. Require a certain cryptographic type and minimum key size when generating keys. Azure Key Vault overview: Use AWS Key Management Service (KMS) to create and control your encryption keys life cycle, including key generation, distribution, and storage. Rotate and revoke your keys in KMS and your service based on the defined schedule and when there is a key retirement or compromise. AWS-managed and Customer-managed CMKs: IAM users' access keys should be rotated every 90 days or less nan Key Vault keys should have an expiration date nan Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT https://docs.microsoft.com/azure/key-vault/general/overview https://docs.aws.amazon.com/whitepapers/latest/kms-best-practices/aws-managed-and-customer-managed-cmks.html Secrets Manager secrets should have automatic rotation enabled Key Vault secrets should have an expiration date SC-28: PROTECTION OF INFORMATION AT REST When there is a need to use customer-managed key (CMK) in the workload services or applications, ensure you follow the best practices: When there is a need to use customer-managed customer master key in the workload services or applications, ensure you follow the best practices: Secrets Manager secrets configured with automatic rotation should rotate successfully Security architecture: 
https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture - Use a key hierarchy to generate a separate data encryption key (DEK) with your key encryption key (KEK) in your key vault. Azure data encryption at rest--Key Hierarchy: - Use a key hierarchy to generate a separate data encryption key (DEK) with your key encryption key (KEK) in your KMS. Importing key material in AWS KMS keys: Secrets Manager secrets should be rotated within a specified number of days - Ensure keys are registered with Azure Key Vault and implemented via key IDs in each service or application. https://docs.microsoft.com/azure/security/fundamentals/encryption-atrest#key-hierarchy - Ensure keys are registered with KMS and implemented via IAM policies in each service or application. https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops To maximize the key material lifetime and portability, bring your own key (BYOK) to the services (i.e., importing HSM-protected keys from your on-premises HSMs into Azure Key Vault). Follow the recommended guideline to perform the key generation and key transfer. BYOK (Bring Your Own Key) specification: To maximize the key material lifetime and portability, bring your own key (BYOK) to the services (i.e., importing HSM-protected keys from your on-premises HSMs into KMS or CloudHSM). Follow the recommended guideline to perform the key generation and key transfer.
Secure transfer of keys into CloudHSM: Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security https://docs.microsoft.com/azure/key-vault/keys/byok-specification https://aws.amazon.com/premiumsupport/knowledge-center/cloudhsm-import-keys-openssl/ Note: Refer to the below for the FIPS 140-2 level for Azure Key Vault types and FIPS compliance/validation level. Note: AWS KMS uses shared HSM infrastructure in the backend. Use AWS KMS Custom Key Store backed by AWS CloudHSM when you need to manage your own key store and dedicated HSMs (e.g. a regulatory compliance requirement for a higher level of key security) to generate and store your encryption keys. - Software-protected keys in vaults (Premium & Standard SKUs): FIPS 140-2 Level 1 Creating a custom key store backed by CloudHSM: - HSM-protected keys in vaults (Premium SKU): FIPS 140-2 Level 2 Note: Refer to the below for the FIPS 140-2 compliance level in AWS KMS and CloudHSM https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html - HSM-protected keys in Managed HSM: FIPS 140-2 Level 3 - AWS KMS default: FIPS 140-2 Level 2 validated Azure Key Vault Premium uses a shared HSM infrastructure in the backend. Azure Key Vault Managed HSM uses dedicated, confidential service endpoints with a dedicated HSM for when you need a higher level of key security. - AWS KMS using CloudHSM: FIPS 140-2 Level 3 (for certain services) validated - AWS CloudHSM: FIPS 140-2 Level 3 validated Note: For secrets management (credentials, passwords, API keys, etc.), use AWS Secrets Manager. DP-7 Data Protection nan nan IA-5: AUTHENTICATOR MANAGEMENT 3.6 Use a secure certificate management process Document and implement an enterprise certificate management standard, processes and procedures which include the certificate lifecycle control and certificate policies (if a public key infrastructure is needed).
Use Azure Key Vault to create and control the certificate lifecycle, including the creation/import, rotation, revocation, storage, and purge of the certificate. Ensure the certificate generation follows the defined standard without using any insecure properties, such as insufficient key size, overly long validity period, insecure cryptography and so on. Set up automatic rotation of the certificate in Azure Key Vault and supported Azure services based on the defined schedule and when a certificate expires. If automatic rotation is not supported in the frontend application, use manual rotation in Azure Key Vault. Get started with Key Vault certificates: Use AWS Certificate Manager (ACM) to create and control the certificate lifecycle, including creation/import, rotation, revocation, storage, and purge of the certificate. Ensure the certificate generation follows the defined standard without using any insecure properties, such as insufficient key size, overly long validity period, insecure cryptography and so on. Set up automatic rotation of the certificate in ACM and supported AWS services based on the defined schedule and when a certificate expires. If automatic rotation is not supported in the frontend application, use manual rotation in ACM. In either case, you should always track your certificate renewal status to ensure the certificate validity.
AWS Certificate Manager - Check a certificate's renewal status: [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates nan [Preview]: Certificates should have the specified maximum validity period nan Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT https://docs.microsoft.com/azure/key-vault/certificates/certificate-scenarios https://docs.aws.amazon.com/acm/latest/userguide/check-certificate-renewal-status.html SC-17: PUBLIC KEY INFRASTRUCTURE CERTIFICATES Ensure certificates used by the critical services in your organization are inventoried, tracked, monitored, and renewed in a timely manner using an automated mechanism to avoid service disruption. Avoid using self-signed certificates and wildcard certificates in your critical services due to the limited security assurance. Instead, you can create publicly signed certificates in Azure Key Vault. The following Certificate Authorities (CAs) are the partnered providers that are currently integrated with Azure Key Vault. Avoid using self-signed certificates and wildcard certificates in your critical services due to the limited security assurance. Instead, create publicly signed certificates (signed by the Amazon Certificate Authority) in ACM and deploy them programmatically in services such as CloudFront, Load Balancers, API Gateway, etc. You can also use ACM to establish your private certificate authority (CA) to sign private certificates. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture - DigiCert: Azure Key Vault offers OV TLS/SSL certificates with DigiCert. Certificate Access Control in Azure Key Vault: - GlobalSign: Azure Key Vault offers OV TLS/SSL certificates with GlobalSign.
https://docs.microsoft.com/azure/key-vault/certificates/certificate-access-control Note: Use only an approved CA and ensure that known bad CA root/intermediate certificates issued by these CAs are disabled. Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Note: Use only an approved CA and ensure that known bad root/intermediate certificates issued by these CAs are disabled. Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security DP-8 Data Protection nan nan IA-5: AUTHENTICATOR MANAGEMENT 3.6 Ensure security of key and certificate repository Ensure the security of the key vault service used for the cryptographic key and certificate lifecycle management. Harden your key vault service through access control, network security, logging and monitoring, and backup to ensure keys and certificates are always protected using the maximum security. Secure your cryptographic keys and certificates by hardening your Azure Key Vault service through the following controls: Azure Key Vault overview: For cryptographic key security, secure your keys by hardening your AWS Key Management Service (KMS) service through the following controls: Security best practice for AWS Key Management Service: IAM customer managed policies should not allow decryption actions on all KMS keys nan Key vaults should have purge protection enabled nan Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT - Implement access control using RBAC policies in Azure Key Vault Managed HSM at the key level to ensure the least privilege and separation of duties principles are followed. For example, ensure separation of duties is in place for users who manage encryption keys so they do not have the ability to access encrypted data, and vice versa.
For Azure Key Vault Standard and Premium, create unique vaults for different applications to ensure the least privilege and separation of duties principles are followed. https://docs.microsoft.com/azure/key-vault/general/overview - Implement access control using key policies (key-level access control) in conjunction with IAM policies (identity-based access control) to ensure the least privilege and separation of duties principles are followed. For example, ensure separation of duties is in place for users who manage encryption keys so they do not have the ability to access encrypted data, and vice versa. https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys Azure Defender for Key Vault should be enabled SC-17: PUBLIC KEY INFRASTRUCTURE CERTIFICATES - Turn on Azure Key Vault logging to ensure critical management plane and data plane activities are logged. - Use detective controls such as CloudTrail to log and track the usage of keys in KMS and alert you on critical actions. AWS KMS keys should not be unintentionally deleted Key vaults should have soft delete enabled Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture - Secure the Azure Key Vault using Private Link and Azure Firewall to ensure minimal exposure of the service. Azure Key Vault security best practices: - Never store keys in plaintext format outside of KMS. Security in AWS Certificate Manager: [Preview]: Azure Key Vault should disable public network access - Use managed identity to access keys stored in Azure Key Vault in your workload applications. https://docs.microsoft.com/azure/key-vault/general/best-practices - When keys need to be deleted, consider disabling keys in KMS instead of deleting them to avoid accidental deletion of keys and cryptographic erasure of data.
https://docs.aws.amazon.com/acm/latest/userguide/security.html [Preview]: Private endpoint should be configured for Key Vault Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops - When purging data, ensure your keys are not deleted before the actual data, backups and archives are purged. - When purging data, ensure your keys are not deleted before the actual data, backups and archives are purged. Resource logs in Key Vault should be enabled - Back up your keys and certificates using Azure Key Vault. Enable soft delete and purge protection to avoid accidental deletion of keys. When keys need to be deleted, consider disabling keys instead of deleting them to avoid accidental deletion of keys and cryptographic erasure of data. Use managed identity to access Azure Key Vault: - For bring your own key (BYOK) use cases, generate keys in an on-premises HSM and import them to maximize the lifetime and portability of the keys. Data Security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-data-security - For bring your own key (BYOK) use cases, generate keys in an on-premises HSM and import them to maximize the lifetime and portability of the keys. https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad - Never store keys in plaintext format outside of the Azure Key Vault. Keys in all key vault services are not exportable by default. For certificate security, secure your certificates by hardening your AWS Certificate Manager (ACM) service through the following controls: - Use HSM-backed key types (RSA-HSM) in Azure Key Vault Premium and Azure Managed HSM for the hardware protection and the strongest FIPS levels.
Overview of Microsoft Defender for Key Vault: - Implement access control using resource-level policies in conjunction with IAM policies (identity-based access control) to ensure the least privilege and separation of duties principles are followed. For example, ensure separation of duties is in place for user accounts: user accounts who generate certificates are separate from the user accounts who only require read-only access to certificates. https://learn.microsoft.com/azure/defender-for-cloud/defender-for-key-vault-introduction - Use detective controls such as CloudTrail to log and track the usage of the certificates in ACM, and alert you on critical actions. Enable Microsoft Defender for Key Vault for Azure-native, advanced threat protection for Azure Key Vault, providing an additional layer of security intelligence. - Follow the KMS security guidance to secure your private key (generated for certificate request) used for service certificate integration.

MCSB_v1 - DevOps Security

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Azure Implementation and additional context AWS Guidance AWS Implementation and additional context Customer Security Stakeholders: DS-1 DevOps Security nan 16.10 - Apply Secure Design Principles in Application Architectures SA-15: DEVELOPMENT PROCESS, STANDARDS, AND TOOLS 6.5 Conduct threat modeling Perform threat modeling to identify the potential threats and enumerate the mitigating controls. Ensure your threat modeling serves the following purposes: Use threat modeling tools such as the Microsoft threat modeling tool with the Azure threat model template embedded to drive your threat modeling process. Use the STRIDE model to enumerate the threats from both internal and external sources and identify the controls applicable.
Ensure the threat modeling process includes the threat scenarios in the DevOps process, such as malicious code injection through an insecure artifacts repository with a misconfigured access control policy. Threat Modeling Overview: Use threat modeling tools such as the Microsoft threat modeling tool with the Azure threat model template embedded to drive your threat modeling process. Use the STRIDE model to enumerate the threats from both internal and external sources and identify the controls applicable. Ensure the threat modeling process includes the threat scenarios in the DevOps process, such as malicious code injection through an insecure artifacts repository with a misconfigured access control policy. Microsoft Threat Modeling Tool: Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards 16.14 - Conduct Threat Modeling 12.2 https://www.microsoft.com/securityengineering/sdl/threatmodeling https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool Secure your applications and services in the production run-time stage. If using a threat modeling tool is not applicable, you should, at minimum, use a questionnaire-based threat modeling process to identify the threats. If using a threat modeling tool is not applicable, you should, at minimum, use a questionnaire-based threat modeling process to identify the threats. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Secure the artifacts, underlying CI/CD pipeline and other tooling environment used for build, test, and deployment. The threat modeling should at least include the following aspects: Application threat analysis (including STRIDE + questionnaire based method): How to approach threat modeling for AWS: Define the security requirements of the application. Ensure these requirements are adequately addressed in the threat modeling.
Ensure the threat modeling or analysis results are recorded and updated when there is a major security-impacting change in your application or in the threat landscape. https://docs.microsoft.com/azure/architecture/framework/security/design-threat-model Ensure the threat modeling or analysis results are recorded and updated when there is a major security-impacting change in your application or in the threat landscape. https://aws.amazon.com/blogs/security/how-to-approach-threat-modeling/ Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management Analyze application components, data connections and their relationships. Ensure this analysis also includes the upstream and downstream connections outside of your application scope. List the potential threats and attack vectors that your application components, data connections and upstream and downstream services may be exposed to. Azure Template - Microsoft Security Threat Model Stencil: Application threat analysis (including STRIDE + questionnaire based method): Identify the applicable security controls that can be used to mitigate the threats enumerated and identify any control gaps (e.g., security vulnerabilities) that may require additional treatment plans. https://github.com/AzureArchitecture/threat-model-templates https://docs.microsoft.com/azure/architecture/framework/security/design-threat-model Enumerate and design the controls that can mitigate the vulnerabilities identified.
DS-2 DevOps Security 18.3 - Verify That Acquired Software is Still Supported 16.4 - Establish and Manage an Inventory of Third-Party Software Components SA-12: SUPPLY CHAIN PROTECTION 6.3 Ensure software supply chain security Ensure your enterprise’s SDLC (Software Development Lifecycle) or process includes a set of security controls to govern the in-house and third-party software components (including both proprietary and open-source software) on which your applications have dependencies. Define gating criteria to prevent vulnerable or malicious components from being integrated and deployed into the environment. For the GitHub platform, ensure the software supply chain security through the following capabilities or tools from GitHub Advanced Security or GitHub’s native features: - Use Dependency Graph to scan, inventory and identify all your project’s dependencies and related vulnerabilities through the Advisory Database. GitHub Dependency Graph: If you use AWS CI/CD platforms such as CodeCommit or CodePipeline, ensure the software supply chain security using CodeGuru Reviewer to scan the source code (for Java and Python) through the CI/CD workflows. Platforms such as CodeCommit and CodePipeline also support third-party extensions to implement similar controls to inventory, analyze and remediate the third-party software components and their vulnerabilities.
GitHub Dependency Graph: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 18.4 - Only Use Up-to-Date And Trusted Third-Party Components 16.6 - Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities SA-15: DEVELOPMENT PROCESS, STANDARDS, AND TOOLS 6.5 https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph 18.8 - Establish a Process to Accept and Address Reports of Software Vulnerabilities 16.11 - Leverage Vetted Modules or Services for Application Security Components The software supply chain security controls should at least include the following aspects: - Use Dependabot to ensure that the vulnerable dependency is tracked and remediated, and ensure your repository automatically keeps up with the latest releases of the packages and applications it depends on. If you manage your source code through the GitHub platform, ensure the software supply chain security through the following capabilities or tools from GitHub Advanced Security or GitHub’s native features: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management - Use GitHub's native code scanning capability to scan the source code when sourcing the code externally. GitHub Dependabot: - Use Dependency Graph to scan, inventory and identify all your project’s dependencies and related vulnerabilities through the Advisory Database. GitHub Dependabot: Properly manage a Software Bill of Materials (SBOM) by identifying the upstream dependencies required for the service/resource development, build, integration and deployment phases.
- Use Microsoft Defender for Cloud to integrate vulnerability assessment for your container image in the CI/CD workflow. https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates - Use Dependabot to ensure that the vulnerable dependency is tracked and remediated, and ensure your repository automatically keeps up with the latest releases of the packages and applications it depends on. https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates Inventory and track the in-house and third-party software components for known vulnerabilities when there is a fix available in the upstream. For Azure DevOps, you can use third-party extensions to implement similar controls to inventory, analyze and remediate the third-party software components and their vulnerabilities. - Use GitHub's native code scanning capability to scan the source code when sourcing the code externally. Assess the vulnerabilities and malware in the software components using static and dynamic application testing for unknown vulnerabilities. Identify vulnerable container images in your CI/CD workflows: - If applicable, use Microsoft Defender for Cloud to integrate vulnerability assessment for your container image in the CI/CD workflow. DevOps in AWS: Ensure the vulnerabilities and malware are mitigated using the appropriate approach. This may include a local or upstream source code fix, feature exclusion and/or applying compensating controls if the direct mitigation is not available. https://docs.microsoft.com/azure/security-center/defender-for-container-registries-cicd https://aws.amazon.com/devops/ If closed-source third-party components are used in your production environment, you may have limited visibility into their security posture.
You should consider additional controls such as access control, network isolation and endpoint security to minimize the impact if there is a malicious activity or vulnerability associated with the component. Azure DevOps Marketplace – supply chain security: Software Bill of Materials: https://marketplace.visualstudio.com/search?term=tag%3ASupply%20Chain%20Security&target=VSTS https://www.cisa.gov/sbom DS-3 DevOps Security 18.11 - Use Standard Hardening Configuration Templates for Databases 16.7 - Use Standard Hardening Configuration Templates for Application Infrastructure CM-2: BASELINE CONFIGURATION 2.2 Secure DevOps infrastructure Ensure the DevOps infrastructure and pipeline follow security best practices across environments including your build, test, and production stages. This typically includes the security controls for the following scope: As part of applying the Microsoft Cloud Security Benchmark to your DevOps infrastructure security controls, prioritize the following controls: DevSecOps controls overview – secure pipelines: As part of applying the Microsoft Cloud Security Benchmark to the security controls of your DevOps infrastructure, such as GitHub, CodeCommit, CodeArtifact, CodePipeline, CodeBuild and CodeDeploy, prioritize the following controls: AWS Well-architected Framework - security pillar: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops CM-6: CONFIGURATION SETTINGS 6.3 - Protect artifacts and the underlying environment to ensure the CI/CD pipelines don’t become avenues to insert malicious code. For example, review your CI/CD pipeline in core areas of Azure DevOps such as Organization, Projects, Users, Pipelines (Build & Release), Connections, and Build Agent to identify any misconfigurations such as open access, weak authentication, insecure connection setup and so on.
For GitHub, use similar controls to secure the Organization permission levels. https://docs.microsoft.com/azure/cloud-adoption-framework/secure/devsecops-controls - Refer to this guidance and the AWS Well-architected Framework security pillar to secure your DevOps environments in AWS. https://wa.aws.amazon.com/wat.pillar.security.en.html AC-2: ACCOUNT MANAGEMENT 7.1 - Artifact repositories that store source code, built packages and images, project artifacts and business data. - Ensure your DevOps infrastructure is deployed consistently across development projects. Track compliance of your DevOps infrastructure at scale by using Microsoft Defender for Cloud (such as Compliance Dashboard, Azure Policy, Cloud Posture Management) or your own compliance monitoring tools. - Protect artifacts and the underlying supporting infrastructure to ensure the CI/CD pipelines don’t become avenues to insert malicious code. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management AC-3: ACCESS ENFORCEMENT - Servers, services, and tooling that host CI/CD pipelines. - Configure identity/role permissions and entitlement policies in Azure AD, native services, and CI/CD tools in your pipeline to ensure changes to the pipelines are authorized. Secure your GitHub organization: - Ensure your DevOps infrastructure is deployed and sustained consistently across development projects. Track compliance of your DevOps infrastructure at scale by using AWS Config or your own compliance check solution. AC-6: LEAST PRIVILEGE - CI/CD pipeline configuration. - Avoid providing permanent “standing” privileged access to human accounts such as developers or testers by using features such as Azure managed identities and just-in-time access. https://docs.github.com/en/code-security/getting-started/securing-your-organization - Use CodeArtifact to securely store and share software packages used for application development.
You can use CodeArtifact with popular build tools and package managers such as Maven, Gradle, npm, yarn, pip, and twine. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint - Remove keys, credentials, and secrets from code and scripts used in CI/CD workflow jobs and keep them in a key store or Azure Key Vault. - Configure identity/role permissions and permission policies in AWS IAM, native services, and CI/CD tools in your pipeline to ensure changes to the pipelines are authorized. - If you run self-hosted build/deployment agents, follow Microsoft Cloud Security Benchmark controls including network security, posture and vulnerability management, and endpoint security to secure your environment. Azure DevOps pipeline – Microsoft hosted agent security considerations: - Remove keys, credentials, and secrets from code and scripts used in CI/CD workflow jobs and keep them in a key store or AWS KMS. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture https://docs.microsoft.com/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#security - If you run self-hosted build/deployment agents, follow Microsoft Cloud Security Benchmark controls including network security, posture and vulnerability management, and endpoint security to secure your environment. Use AWS Inspector to scan for vulnerabilities in the EC2 or containerized environment used as the build environment. Note: Refer to the Logging and Threat Detection, DS-7, and the Posture and Vulnerability Management sections to use services such as Azure Monitor and Microsoft Sentinel to enable governance, compliance, operational auditing, and risk auditing for your DevOps infrastructure.
Note: Refer to the Logging and Threat Detection, DS-7, and the Posture and Vulnerability Management sections to use services such as AWS CloudTrail, CloudWatch and Microsoft Sentinel to enable governance, compliance, operational auditing, and risk auditing for your DevOps infrastructure. DS-4 DevOps Security 18.7 - Apply Static and Dynamic Code Analysis Tools 16.12 - Implement Code-Level Security Checks SA-11: DEVELOPER TESTING AND EVALUATION 6.3 Integrate static application security testing into DevOps pipeline Ensure static application security testing (SAST), fuzz testing, interactive testing, and mobile application testing are part of the gating controls in the CI/CD workflow. The gating can be set based on the testing results to prevent vulnerable packages from being committed into the repository, built into the packages, or deployed into production. Integrate SAST into your pipeline (e.g., in your infrastructure as code template) so the source code can be scanned automatically in your CI/CD workflow. Azure DevOps Pipeline or GitHub can integrate the below tools and third-party SAST tools into the workflow. GitHub CodeQL: Integrate SAST into your pipeline so the source code can be scanned automatically in your CI/CD workflow. Building end-to-end AWS DevSecOps CI/CD pipeline with open source SCA, SAST and DAST tools: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 6.5 - GitHub CodeQL for source code analysis. https://codeql.github.com/docs/ https://aws.amazon.com/blogs/devops/building-end-to-end-aws-devsecops-ci-cd-pipeline-with-open-source-sca-sast-and-dast-tools/ - Microsoft BinSkim Binary Analyzer for Windows and *nix binary analysis. If using AWS CodeCommit, use AWS CodeGuru Reviewer for Python and Java source code analysis. AWS CodePipeline can also support integration of third-party SAST tools into the code deployment pipeline.
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management - Azure DevOps Credential Scanner (Microsoft Security DevOps extension) and GitHub native secret scanning for credential scanning in the source code. BinSkim Binary Analyzer: https://github.com/microsoft/binskim If using GitHub, the below tools and third-party SAST tools can be integrated into the workflow. - GitHub CodeQL for source code analysis. Azure DevOps Credential Scan: - Microsoft BinSkim Binary Analyzer for Windows and *nix binary analysis. https://secdevtools.azurewebsites.net/helpcredscan.html - GitHub native secret scanning for credential scanning in the source code. - AWS CodeGuru Reviewer for Python and Java source code analysis. GitHub secret scanning: https://docs.github.com/en/code-security/secret-security/about-secret-scanning DS-5 DevOps Security 18.7 - Apply Static and Dynamic Code Analysis Tools 16.12 - Implement Code-Level Security Checks SA-11: DEVELOPER TESTING AND EVALUATION 6.3 Integrate dynamic application security testing into DevOps pipeline Ensure dynamic application security testing (DAST) is part of the gating controls in the CI/CD workflow. The gating can be set based on the testing results to prevent vulnerabilities from being built into the packages or deployed into production. Integrate DAST into your pipeline so the runtime application can be tested automatically in your CI/CD workflow set in Azure DevOps or GitHub. Automated penetration testing (with manually assisted validation) should also be part of the DAST. DAST tools in Azure DevOps marketplace: Integrate DAST into your pipeline so the runtime application can be tested automatically in your CI/CD workflow set in AWS CodePipeline or GitHub. Automated penetration testing (with manually assisted validation) should also be part of the DAST.
Building end-to-end AWS DevSecOps CI/CD pipeline with open source SCA, SAST and DAST tools: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 6.5 https://marketplace.visualstudio.com/search?term=DAST&target=AzureDevOps&category=All%20categories https://aws.amazon.com/blogs/devops/building-end-to-end-aws-devsecops-ci-cd-pipeline-with-open-source-sca-sast-and-dast-tools/ Azure DevOps Pipeline or GitHub supports the integration of third-party DAST tools into the CI/CD workflow. AWS CodePipeline or GitHub supports integration of third-party DAST tools into the CI/CD workflow. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management DS-6 DevOps Security 5.2 - Deploy System Configuration Management Tools 7.5 - Perform Automated Vulnerability Scans of Internal Enterprise Assets CM-2: BASELINE CONFIGURATION 6.1 Enforce security of workload throughout DevOps lifecycle Ensure the workload is secured throughout the entire lifecycle in development, testing, and deployment stage. Use Microsoft Cloud Security Benchmark to evaluate the controls (such as network security, identity management, privileged access and so on) that can be set as guardrails by default or shift left prior to the deployment stage. In particular, ensure the following controls are in place in your DevOps process: Guidance for Azure VMs: Shared Image Gallery overview: Use Amazon Elastic Container Registry to share and control access to your images by different users and roles within your organization. And Use AWS IAM to ensure that only authorized users can access your custom images. 
AWS ECR image scanning: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 5.3 - Securely Store Master Images 7.6 - Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets CM-6: CONFIGURATION SETTINGS 6.2 - Automate the deployment by using Azure or third-party tooling in the CI/CD workflow, infrastructure management (infrastructure as code), and testing to reduce human error and attack surface. - Use Azure Shared Image Gallery to share and control access to your images by different users, service principals, or AD groups within your organization. Use Azure role-based access control (Azure RBAC) to ensure that only authorized users can access your custom images. https://docs.microsoft.com/azure/virtual-machines/windows/shared-image-galleries https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html 5.4 - Deploy System Configuration Management Tools 7.7 - Remediate Detected Vulnerabilities AC-2: ACCOUNT MANAGEMENT 6.3 - Ensure VMs, container images and other artifacts are secure from malicious manipulation. - Define the secure configuration baselines for the VMs to eliminate unnecessary credentials, permissions, and packages. Deploy and enforce configuration baselines through custom images, Azure Resource Manager templates, and/or Azure Policy guest configuration. Define the secure configuration baselines for the EC2 AMI images to eliminate unnecessary credentials, permissions, and packages. Deploy and enforce configurations baselines through custom AMI images, CloudFormation templates, and/or AWS Config Rules. 
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 5.5 - Implement Automated Configuration Monitoring Systems 16.1 - Establish and Maintain a Secure Application Development Process AC-3: ACCESS ENFORCEMENT - Scan the workload artifacts (in other words, container images, dependencies, SAST and DAST scans) prior to the deployment in the CI/CD workflow How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations AWS Inspector: 18.1 - Establish Secure Coding Practices 16.7 - Use Standard Hardening Configuration Templates for Application Infrastructure AC-6: LEAST PRIVILEGE - Deploy vulnerability assessment and threat detection capability into the production environment and continuously use these capabilities in the run-time. Guidance for Azure container services: Use AWS Inspector for vulnerability scanning of VM's and Containerized environments, securing them from malicious manipulation. https://docs.aws.amazon.com/inspector/latest/user/getting_started_tutorial.html Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture - Use Azure Container Registry (ACR) to create your private container registry where granular access can be restricted through Azure RBAC, so only authorized services and accounts can access the containers in the private registry. Security considerations for Azure Container: - Use Defender for Containers for vulnerability assessment of the images in your private Azure Container Registry. In addition, you can use Microsoft Defender for Cloud to integrate the container image scans as part of your CI/CD workflows. 
https://docs.microsoft.com/azure/container-instances/container-instances-image-security For AWS serverless services, use AWS CodePipeline in conjunction with AWS AppConfig to adopt similar controls to ensure security controls \"shift left\" to the stage prior to deployment. AWS AppConfig: https://docs.aws.amazon.com/appconfig/latest/userguide/getting-started-with-appconfig.html For Azure serverless services, adopt similar controls to ensure security controls \"shift-left\" to the stage prior to deployment. Azure Defender for container registries: https://docs.microsoft.com/azure/security-center/defender-for-container-registries-introduction DS-7 DevOps Security 6.2 - Activate audit logging 8.2 Collect Audit Logs AU-3: CONTENT OF AUDIT RECORDS 10.1 Enable logging and monitoring in DevOps Ensure your logging and monitoring scope includes non-production environments and CI/CD workflow elements used in DevOps (and any other development processes). The vulnerabilities and threats targeting these environments can introduce significant risks to your production environment if they are not monitored properly. The events from the CI/CD build, test and deployment workflow should also be monitored to identify any deviations in the CI/CD workflow jobs. Enable and configure the audit logging capabilities in non-production and CI/CD tooling environments (such as Azure DevOps and GitHub) used throughout the DevOps process. Azure DevOps - audit streaming: Enable and configure AWS CloudTrail for audit logging capabilities in non-production and CI/CD tooling environments (such as AWS CodePipeline, AWS CodeBuild, AWS CodeDeploy, AWS CodeStar) used throughout the DevOps process. 
Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center 6.3 - Enable Detailed Logging 8.5 Collect Detailed Audit Logs AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING 10.2 https://docs.microsoft.com/azure/devops/organizations/audit/auditing-streaming?view=azure-devops https://docs.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3 6.5 - Central Log Management 8.9 Centralize Audit Logs AU-12: AUDIT GENERATION 10.3 Follow Microsoft Cloud Security Benchmark \u2013 Logging and Threat Detection as the guideline to implement your logging and monitoring controls for workload. The events generated from Azure DevOps and the GitHub CI/CD workflow, including the build, test and deployment jobs, should also be monitored to identify any anomalous results. The events generated from the AWS CI/CD environments (such as AWS CodePipeline, AWS CodeBuild, AWS CodeDeploy, AWS CodeStar) and the GitHub CI/CD workflow, including the build, test and deployment jobs, should also be monitored to identify any anomalous results. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 6.6 - Deploy SIEM or Log Analytic tool 8.11 Conduct Audit Log Reviews SI-4: INFORMATION SYSTEM MONITORING 10.6 GitHub logging: GitHub Logging: 6.7 - Regularly Review Logs Ingest the above logs and events into Microsoft Sentinel or other SIEM tools through a logging stream or API to ensure the security incidents are properly monitored and triaged for handling. https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization Ingest the above logs and events into AWS CloudWatch, Microsoft Sentinel or other SIEM tools through a logging stream or API to ensure the security incidents are properly monitored and triaged for handling. 
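As an added illustration of the gating that DS-4 and DS-5 describe (example code, not part of MCSB or of any scanner): the script below reads SARIF 2.1.0 output, which CodeQL and BinSkim produce and which several DAST scanners can also emit, drops suppressed results, scores each finding from CodeQL's security-severity rule property or, failing that, from the SARIF result level, and fails the stage when any finding reaches the threshold. The two sample reports, the fallback score table, the rule identifiers and the 7.0 threshold are constructed for the example.

```python
"""Fail a CI/CD stage on SAST/DAST findings reported in SARIF 2.1.0.

Added example, not MCSB or vendor code. Assumes scanners emit SARIF and gates
on CodeQL's "security-severity" rule property, falling back to the result level.
"""
import sys
from dataclasses import dataclass
from typing import Iterable

# Fallback scores when a rule carries no "security-severity" property
# (assumed mapping, chosen so that "error" findings block by default).
LEVEL_SCORE = {"error": 7.0, "warning": 4.0, "note": 1.0, "none": 0.0}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    score: float
    location: str
    message: str


def _rule_index(run: dict) -> dict:
    """Map ruleId -> rule metadata from the driver and any extensions."""
    tool = run.get("tool", {})
    rules = list(tool.get("driver", {}).get("rules", []))
    for ext in tool.get("extensions", []):
        rules.extend(ext.get("rules", []))
    return {r["id"]: r for r in rules if "id" in r}


def _score(result: dict, rule: dict) -> float:
    """CodeQL-style numeric severity if present, else a score derived from the level."""
    sev = rule.get("properties", {}).get("security-severity")
    if sev is not None:
        try:
            return float(sev)
        except (TypeError, ValueError):
            pass
    level = result.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
    return LEVEL_SCORE.get(level, LEVEL_SCORE["warning"])


def _location(result: dict) -> str:
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        uri = phys.get("artifactLocation", {}).get("uri", "?")
        line = phys.get("region", {}).get("startLine")
        return f"{uri}:{line}" if line else uri
    return "?"


def _is_suppressed(result: dict) -> bool:
    # A SARIF suppression with no explicit status counts as accepted.
    return any(s.get("status", "accepted") == "accepted"
               for s in result.get("suppressions", []))


def load_findings(sarif: dict) -> list[Finding]:
    """Extract unsuppressed failing results from one SARIF log."""
    findings = []
    for run in sarif.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        rules = _rule_index(run)
        for res in run.get("results", []):
            if res.get("kind", "fail") != "fail" or _is_suppressed(res):
                continue
            rule = rules.get(res.get("ruleId"), {})
            findings.append(Finding(tool, res.get("ruleId", "?"), _score(res, rule),
                                    _location(res), res.get("message", {}).get("text", "")))
    return findings


def evaluate_gate(sarif_docs: Iterable[dict], threshold: float = 7.0) -> tuple[bool, list[Finding]]:
    """Return (passed, blocking findings sorted by score, highest first)."""
    blocking = [f for doc in sarif_docs for f in load_findings(doc) if f.score >= threshold]
    blocking.sort(key=lambda f: (-f.score, f.tool, f.rule_id))
    return (not blocking, blocking)


# Constructed sample reports (shapes follow SARIF 2.1.0; rule ids are illustrative).
SAST_REPORT = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "js/sql-injection", "properties": {"security-severity": "8.8"}},
            {"id": "js/log-injection", "properties": {"security-severity": "6.1"}},
        ]}},
        "results": [
            {"ruleId": "js/sql-injection", "level": "error",
             "message": {"text": "Query built from user input"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.js"},
                                                  "region": {"startLine": 42}}}]},
            {"ruleId": "js/log-injection", "level": "warning",
             "message": {"text": "Log entry from user input"},
             "suppressions": [{"kind": "inSource"}],   # reviewed and accepted in-source
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/log.js"},
                                                  "region": {"startLine": 7}}}]},
        ],
    }],
}
DAST_REPORT = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-dast", "rules": [
            {"id": "dast/reflected-xss"},
            {"id": "dast/missing-frame-options", "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "dast/reflected-xss", "level": "error",
             "message": {"text": "Reflected XSS in q parameter"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "https://staging.example.test/search"}}}]},
            {"ruleId": "dast/missing-frame-options",   # no level: falls back to the rule default
             "message": {"text": "X-Frame-Options header missing"}},
        ],
    }],
}

if __name__ == "__main__":
    passed, blocking = evaluate_gate([SAST_REPORT, DAST_REPORT])
    for f in blocking:
        print(f"BLOCK {f.score:>4} {f.tool:<12} {f.rule_id:<28} {f.location}  {f.message}")
    print("gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)
```

Run as a pipeline step after the scan jobs, loading the real SARIF files with `json.load`; the non-zero exit is what blocks the build or deployment job. Suppressions are honoured only so that accepted findings must be recorded in the SARIF (or the source) where they can be reviewed, rather than silenced by editing the threshold.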
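For the DS-7 requirement to monitor CI/CD events for deviations in the workflow jobs, an added example (not MCSB, Azure DevOps, GitHub or AWS code): a small detector over normalized audit events. It assumes records from Azure DevOps audit streaming, the GitHub organization audit log and CloudTrail have already been mapped on ingest to the flat shape shown; the field names, action names, the approver list, the change window and the sample events are all constructed for the example. It raises three kinds of alert: a control-plane change (workflow, pipeline, branch protection, service connection, secret) by someone outside the approver group, the same change outside change hours, and a successful production deployment job in a run that recorded no successful test job.

```python
"""Detect anomalous CI/CD control-plane activity in normalized audit events.

Added example, not MCSB or vendor code. Field and action names are this
example's own; map your audit exports to them on ingest.
"""
from collections import Counter
from datetime import datetime

# Actions that change how code reaches production; each is worth an alert when
# performed by someone outside the approver group or outside change hours.
CONTROL_PLANE_ACTIONS = {
    "workflow.modified", "pipeline.modified", "branch_protection.removed",
    "service_connection.modified", "secret.modified",
}
PROD_STAGE_PREFIX = "deploy-prod"
TEST_STAGE = "test"


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _outside_change_hours(dt: datetime, hours: tuple[int, int]) -> bool:
    """Weekend, or outside the [start, end) UTC window."""
    return dt.weekday() >= 5 or not (hours[0] <= dt.hour < hours[1])


def _alert(rule: str, event: dict) -> dict:
    return {"rule": rule, "ts": event["ts"], "source": event["source"],
            "actor": event["actor"], "target": event["target"]}


def detect(events: list[dict], approvers: frozenset = frozenset({"alice"}),
           hours: tuple[int, int] = (8, 18)) -> list[dict]:
    """Return alerts in event-time order.

    Rules:
      1. control-plane change by an actor outside the approver group
      2. control-plane change outside change hours (UTC)
      3. successful production deployment in a run with no successful test job
    """
    alerts = []
    runs_with_passed_tests = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        dt = _parse_ts(e["ts"])
        if e["action"] in CONTROL_PLANE_ACTIONS:
            if e["actor"] not in approvers:
                alerts.append(_alert("control-plane-change-by-unapproved-actor", e))
            if _outside_change_hours(dt, hours):
                alerts.append(_alert("control-plane-change-outside-hours", e))
        elif e["action"] == "job.completed" and e.get("result") == "succeeded":
            run_id, stage = e["target"].split(":", 1)
            if stage == TEST_STAGE:
                runs_with_passed_tests.add(run_id)
            elif stage.startswith(PROD_STAGE_PREFIX) and run_id not in runs_with_passed_tests:
                alerts.append(_alert("prod-deploy-without-passing-test", e))
    return alerts


def summarize(alerts: list[dict]) -> dict:
    """Alert counts per rule, for a dashboard or a SIEM test."""
    return dict(Counter(a["rule"] for a in alerts))


# Constructed sample: Monday 2024-05-06 and Tuesday 2024-05-07, UTC timestamps.
EVENTS = [
    {"ts": "2024-05-06T09:00:00Z", "source": "github", "actor": "alice",
     "action": "workflow.modified", "target": "app:.github/workflows/deploy.yml"},
    {"ts": "2024-05-06T23:41:00Z", "source": "github", "actor": "bob",
     "action": "branch_protection.removed", "target": "app:main"},
    {"ts": "2024-05-06T23:43:00Z", "source": "azdo", "actor": "svc-build",
     "action": "service_connection.modified", "target": "prod-subscription"},
    {"ts": "2024-05-07T10:00:00Z", "source": "github", "actor": "ci-bot",
     "action": "job.completed", "target": "run-101:test", "result": "succeeded"},
    {"ts": "2024-05-07T10:05:00Z", "source": "github", "actor": "ci-bot",
     "action": "job.completed", "target": "run-101:deploy-prod", "result": "succeeded"},
    {"ts": "2024-05-07T11:30:00Z", "source": "azdo", "actor": "svc-build",
     "action": "job.completed", "target": "run-102:deploy-prod", "result": "succeeded"},
    {"ts": "2024-05-07T11:31:00Z", "source": "cloudtrail", "actor": "carol",
     "action": "pipeline.modified", "target": "codepipeline/app-prod"},
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['ts']} {a['rule']:<40} {a['source']:<10} {a['actor']:<10} {a['target']}")
    print(summarize(detect(EVENTS)))
```

The third rule is the one that catches a "deviation in the CI/CD workflow jobs" in the sense DS-7 uses: a deployment that bypassed the test stage, whether by a manually triggered run or by a pipeline edited to skip it. In a SIEM such as Microsoft Sentinel the same correlation is expressed as a scheduled analytics rule over the ingested Azure DevOps, GitHub and CloudTrail tables.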
MCSB_v1 - Endpoint Security
Location: Azure/Security/MCSB/Endpoint Security/

Columns: ID | Control Domain | CIS Controls v7.1 ID(s) | CIS Controls v8 ID(s) | NIST SP800-53 r4 ID(s) | PCI-DSS v3.2.1 ID(s) | Recommendation | Security Principle | Azure Guidance | Implementation and additional context | AWS Guidance | Implementation and additional context | Customer Security Stakeholders

ES-1 | Endpoint security | Use Endpoint Detection and Response (EDR)
CIS Controls v7.1: 9.4 - Apply Host-Based Firewalls or Port Filtering
CIS Controls v8: 13.7 - Deploy a Host-Based Intrusion Prevention Solution
NIST SP 800-53 r4: SC-3: SECURITY FUNCTION ISOLATION; SI-2: FLAW REMEDIATION; SI-3: MALICIOUS CODE PROTECTION; SI-16: MEMORY PROTECTION
PCI-DSS v3.2.1: 11.5
Security Principle: Enable Endpoint Detection and Response (EDR) capabilities for VMs and integrate them with SIEM and security operations processes.
Azure Guidance: Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) provides EDR capability to prevent, detect, investigate, and respond to advanced threats. Use Microsoft Defender for Cloud to deploy Microsoft Defender for servers on your endpoints and integrate the alerts into your SIEM solution, such as Microsoft Sentinel.
Implementation and additional context (Azure):
- Microsoft Defender for servers introduction: https://docs.microsoft.com/azure/security-center/defender-for-servers-introduction
- Microsoft Defender for Endpoint overview: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide
- Microsoft Defender for Cloud feature coverage for machines: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows
- Connector for Defender for servers integration into SIEM: https://docs.microsoft.com/azure/security-center/security-center-wdatp?WT.mc_id=Portal-Microsoft_Azure_Security_CloudNativeCompute&tabs=windows
AWS Guidance: Onboard your AWS account into Microsoft Defender for Cloud and deploy Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) on your EC2 instances to provide EDR capabilities to prevent, detect, investigate, and respond to advanced threats. Alternatively, use Amazon GuardDuty's integrated threat intelligence capability to monitor and protect your EC2 instances. Amazon GuardDuty can detect anomalous activities that indicate an instance compromise, such as cryptocurrency mining, malware using domain generation algorithms (DGAs), outbound denial of service activity, unusually high volumes of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, use of temporary Amazon EC2 credentials by an external IP address, and data exfiltration using DNS.
Implementation and additional context (AWS):
- Protect your endpoints with Defender for Cloud's integrated EDR solution: https://docs.microsoft.com/en-us/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows
- Amazon GuardDuty finding types for EC2: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html
Customer Security Stakeholders:
- Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
- Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
- Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management

ES-2 | Endpoint security | Use modern anti-malware software
CIS Controls v7.1: 8.1 - Utilize Centrally Managed Anti-malware Software
CIS Controls v8: 10.1 - Deploy and Maintain Anti-Malware Software
NIST SP 800-53 r4: SC-3: SECURITY FUNCTION ISOLATION; SI-2: FLAW REMEDIATION; SI-3: MALICIOUS CODE PROTECTION; SI-16: MEMORY PROTECTION
PCI-DSS v3.2.1: 5.1
Security Principle: Use anti-malware solutions (also known as endpoint protection) capable of real-time protection and periodic scanning.
Azure Guidance: Microsoft Defender for Cloud can automatically identify the use of a number of popular anti-malware solutions on your virtual machines and on on-premises machines with Azure Arc configured, report the endpoint protection running status, and make recommendations. Microsoft Defender Antivirus is the default anti-malware solution for Windows Server 2016 and above. For Windows Server 2012 R2, use the Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection). For Linux VMs, use Microsoft Defender for Endpoint on Linux for the endpoint protection feature. For both Windows and Linux, you can use Microsoft Defender for Cloud to discover and assess the health status of the anti-malware solution. Note: You can also use Microsoft Defender for Cloud's Defender for Storage to detect malware uploaded to Azure Storage accounts.
Implementation and additional context (Azure):
- Supported endpoint protection solutions: https://docs.microsoft.com/azure/security-center/security-center-services?tabs=features-windows#supported-endpoint-protection-solutions-
- How to configure Microsoft Antimalware for Cloud Services and virtual machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware
- Endpoint protection recommendations in Microsoft Defender for Cloud: https://docs.microsoft.com/en-us/azure/defender-for-cloud/endpoint-protection-recommendations-technical
AWS Guidance: Onboard your AWS account into Microsoft Defender for Cloud to allow Microsoft Defender for Cloud to automatically identify the use of some popular anti-malware solutions on EC2 instances with Azure Arc configured, report the endpoint protection running status, and make recommendations. Deploy Microsoft Defender Antivirus, which is the default anti-malware solution for Windows Server 2016 and above. For EC2 instances running Windows Server 2012 R2, use the Microsoft Antimalware extension to enable SCEP (System Center Endpoint Protection). For EC2 instances running Linux, use Microsoft Defender for Endpoint on Linux for the endpoint protection feature. For both Windows and Linux, you can use Microsoft Defender for Cloud to discover and assess the health status of the anti-malware solution. Note: Microsoft Defender for Cloud also supports certain third-party endpoint protection products for the discovery and health status assessment.
Implementation and additional context (AWS):
- Microsoft Defender supported endpoint protection solutions: https://docs.microsoft.com/en-us/azure/defender-for-cloud/supported-machines-endpoint-solutions-clouds-servers?tabs=features-windows#supported-endpoint-protection-solutions-
Customer Security Stakeholders:
- Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
- Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
- Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management

ES-3 | Endpoint security | Ensure anti-malware software and signatures are updated
CIS Controls v7.1: 8.2 - Ensure Anti-Malware Software and Signatures are Updated
CIS Controls v8: 10.2 - Configure Automatic Anti-Malware Signature Updates
NIST SP 800-53 r4: SI-2: FLAW REMEDIATION; SI-3: MALICIOUS CODE PROTECTION
PCI-DSS v3.2.1: 5.2, 5.3
Security Principle: Ensure anti-malware signatures are updated rapidly and consistently for the anti-malware solution.
Azure Guidance: Follow the recommendations in Microsoft Defender for Cloud to keep all endpoints up to date with the latest signatures. Microsoft Antimalware (for Windows) and Microsoft Defender for Endpoint (for Linux) automatically install the latest signatures and engine updates by default. For third-party solutions, ensure the signatures are updated in the third-party anti-malware solution.
Implementation and additional context (Azure):
- How to deploy Microsoft Antimalware for Cloud Services and virtual machines: https://docs.microsoft.com/azure/security/fundamentals/antimalware
- Endpoint protection assessment and recommendations in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection
AWS Guidance: With your AWS account onboarded into Microsoft Defender for Cloud, follow the recommendations in Microsoft Defender for Cloud to keep all endpoints up to date with the latest signatures. Microsoft Antimalware (for Windows) and Microsoft Defender for Endpoint (for Linux) automatically install the latest signatures and engine updates by default. For third-party solutions, ensure the signatures are updated in the third-party anti-malware solution.
Implementation and additional context (AWS):
- Connect your AWS accounts to Microsoft Defender for Cloud: https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings
Customer Security Stakeholders:
- Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security
- Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence
- Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
- Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management
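ES-2 and ES-3 both come down to one assessment: on every machine, is a supported product running with real-time protection on, with fresh signatures, and with a recent scan? The added example below (not MCSB or Microsoft Defender for Cloud code) performs that assessment over an inventory export. It assumes the export (from Defender for Cloud's endpoint protection assessment or your own agent reporting) has been normalized into the records shown; the product list, the 3-day signature and 7-day scan thresholds, and the sample hosts are this example's own assumptions. Missing data is reported as a finding rather than treated as healthy, which is the failure mode that matters when an agent has stopped reporting.

```python
"""Assess anti-malware health across an endpoint inventory.

Added example, not MCSB or vendor code. Thresholds, product names and the
inventory records are assumptions made for illustration.
"""
from datetime import datetime, timedelta
from typing import Optional

# Products accepted as "modern" (real-time protection capable); assumed list.
SUPPORTED_PRODUCTS = {
    "Microsoft Defender Antivirus", "Microsoft Defender for Endpoint", "Microsoft Antimalware",
}
MAX_SIGNATURE_AGE = timedelta(days=3)   # ES-3: signatures updated rapidly and consistently
MAX_SCAN_AGE = timedelta(days=7)        # ES-2: periodic scanning


def _age(now: datetime, stamp: Optional[str]) -> Optional[timedelta]:
    if not stamp:
        return None
    return now - datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def assess_host(host: dict, now: datetime) -> list[str]:
    """Return the findings for one host; an empty list means healthy.
    Missing data is reported, never treated as healthy."""
    findings = []
    product = host.get("product")
    if product not in SUPPORTED_PRODUCTS:
        findings.append(f"unsupported or unknown product: {product!r}")
    if host.get("realtime_protection") is not True:
        findings.append("real-time protection not confirmed enabled")
    sig_age = _age(now, host.get("signatures_updated"))
    if sig_age is None:
        findings.append("signature update time unknown")
    elif sig_age > MAX_SIGNATURE_AGE:
        findings.append(f"signatures stale ({sig_age.days} days)")
    scan_age = _age(now, host.get("last_scan"))
    if scan_age is None:
        findings.append("no scan recorded")
    elif scan_age > MAX_SCAN_AGE:
        findings.append(f"last scan too old ({scan_age.days} days)")
    return findings


def assess_inventory(hosts: list[dict], now: datetime) -> dict:
    """Map host name -> findings, listing only non-compliant hosts."""
    report = {}
    for h in hosts:
        issues = assess_host(h, now)
        if issues:
            report[h["host"]] = issues
    return report


NOW = datetime(2024, 5, 10, 12, 0, 0)
# Constructed inventory records (UTC timestamps).
INVENTORY = [
    {"host": "web-01", "os": "Windows Server 2022", "product": "Microsoft Defender Antivirus",
     "realtime_protection": True, "signatures_updated": "2024-05-10T03:00:00Z",
     "last_scan": "2024-05-09T02:00:00Z"},
    {"host": "app-02", "os": "Ubuntu 22.04", "product": "Microsoft Defender for Endpoint",
     "realtime_protection": True, "signatures_updated": "2024-05-01T03:00:00Z",
     "last_scan": "2024-05-09T02:00:00Z"},
    {"host": "legacy-03", "os": "Windows Server 2012 R2", "product": "Microsoft Antimalware",
     "realtime_protection": False, "signatures_updated": "2024-05-10T03:00:00Z",
     "last_scan": None},
    {"host": "ec2-04", "os": "Amazon Linux 2", "product": None,
     "realtime_protection": None, "signatures_updated": None, "last_scan": None},
]

if __name__ == "__main__":
    for host, issues in assess_inventory(INVENTORY, NOW).items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

The host that reports nothing at all (ec2-04) produces the longest list on purpose: an endpoint that has dropped out of reporting is exactly the one that should reach the top of the remediation queue, not disappear from it.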
Connect your AWS accounts to Microsoft Defender for Cloud: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security SI-3: MALICIOUS CODE PROTECTION 5.3 https://docs.microsoft.com/azure/security/fundamentals/antimalware https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings For third-party solutions, ensure the signatures are updated in the third-party anti-malware solution. For third-party solutions, ensure the signatures are updated in the third-party anti-malware solution. Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence Endpoint protection assessment and recommendations in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/security-center-endpoint-protection Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management"},{"location":"Azure/Security/MCSB/Governance%20and%20Strategy/","title":"MCSB_v1 - Governance and Strategy","text":"ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle General Guidance Implementation and additional context Customer Security Stakeholders: GS-1 Governance and Strategy 17.2 - Deliver Training to Fill the Skills Gap 14.9 - Conduct Role-Specific Security Awareness and Skills Training PL-9: CENTRAL MANAGEMENT 12.4 Align organization roles, responsibilities and accountabilities N/A Ensure that you define and communicate a clear strategy for roles and responsibilities in your security organization. 
Prioritize providing clear accountability for security decisions, educating everyone on the shared responsibility model, and educate technical teams on technology to secure the cloud. Azure Security Best Practice 1 \u2013 People: Educate Teams on Cloud Security Journey: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions PM-10: SECURITY AUTHORIZATION PROCESS https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#1-people-educate-teams-about-the-cloud-security-journey PM-13: INFORMATION SECURITY WORKFORCE AT-1: SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES Azure Security Best Practice 2 - People: Educate Teams on Cloud Security Technology: AT-3: ROLE-BASED SECURITY TRAINING https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#2-people-educate-teams-on-cloud-security-technology Azure Security Best Practice 3 - Process: Assign Accountability for Cloud Security Decisions: https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#4-process-update-incident-response-ir-processes-for-cloud GS-2 Governance and Strategy 2.10 - Physically or Logically Segregate High Risk Applications 3.12 - Segment Data Processing and Storage Based on Sensitivity AC-4: INFORMATION FLOW ENFORCEMENT 1.2 Define and implement enterprise segmentation/separation of duties strategy N/A Establish an enterprise-wide strategy to segment access to assets using a combination of identity, network, application, subscription, management group, and other controls. 
Security in the Microsoft Cloud Adoption Framework for Azure - Segmentation: Separate to protect All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions 14.1 - Segment the Network Based on Sensitivity SC-7: BOUNDARY PROTECTION 6.4 https://docs.microsoft.com/azure/cloud-adoption-framework/secure/access-control#segmentation-separate-to-protect SC-2: APPLICATION PARTITIONING Carefully balance the need for security separation with the need to enable daily operation of the systems that need to communicate with each other and access data. Security in the Microsoft Cloud Adoption Framework for Azure - Architecture: establish a single unified security strategy: Ensure that the segmentation strategy is implemented consistently in the workload, including network security, identity and access models, and application permission/access models, and human process controls. https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#11-architecture-establish-a-single-unified-security-strategy GS-3 Governance and Strategy 14.1 - Segment the Network Based on Sensitivity 3.1 - Establish and Maintain a Data Management Process AC-4: INFORMATION FLOW ENFORCEMENT 3.1 Define and implement data protection strategy N/A Establish an enterprise-wide strategy for data protection in your cloud environment: Azure Security Benchmark - Data Protection: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions 3.7 - Establish and Maintain a Data Classification Scheme SI-4: INFORMATION SYSTEM MONITORING 3.2 - Define and apply the data classification and protection standard in accordance with the enterprise data management standard and regulatory compliance to dictate the security controls required for each level of the data classification. 
https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-data-protection 3.12 - Segment Data Processing and Storage Based on Sensitivity SC-8: TRANSMISSION CONFIDENTIALITY AND INTEGRITY 3.3 - Set up your cloud resource management hierarchy aligned to the enterprise segmentation strategy. The enterprise segmentation strategy should also be informed by the location of sensitive or business critical data and systems. SC-12: CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT 3.4 - Define and apply the applicable zero-trust principles in your cloud environment to avoid implementing trust based on network location within a perimeter. Instead, use device and user trust claims to gate access to data and resources. Cloud Adoption Framework - Azure data security and encryption best practices: SC-17: PUBLIC KEY INFRASTRUCTURE CERTIFICATES 3.5 - Track and minimize the sensitive data footprint (storage, transmission, and processing) across the enterprise to reduce the attack surface and data protection cost. Consider techniques such as one-way hashing, truncation, and tokenization in the workload where possible, to avoid storing and transmitting sensitive data in its original form. https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices SC-28: PROTECTION OF INFORMATION AT REST 3.6 - Ensure you have a full lifecycle control strategy to provide security assurance of the data and access keys. RA-2: SECURITY CATEGORIZATION 3.7 Azure Security Fundamentals - Azure Data security, encryption, and storage: 4.1 https://docs.microsoft.com/azure/security/fundamentals/encryption-overview A3.2 GS-4 Governance and Strategy 12.1 - Maintain an Inventory of Network Boundaries 12.2 - Establish and Maintain a Secure Network Infrastructure AC-4: INFORMATION FLOW ENFORCEMENT 1.1 Define and implement network security strategy N/A Establish a cloud network security strategy as part of your organization\u2019s overall security strategy for access control. 
This strategy should include documented guidance, policy, and standards for the following elements: Azure Security Best Practice 11 - Architecture. Single unified security strategy: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions 12.4 - Establish and Maintain Architecture Diagram(s) AC-17: REMOTE ACCESS 1.2 - Design a centralized/decentralized network management and security responsibility model to deploy and maintain network resources. https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy CA-3: SYSTEM INTERCONNECTIONS 1.3 - A virtual network segmentation model aligned with the enterprise segmentation strategy. CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES 1.5 - An Internet edge and ingress and egress strategy. Azure Security Benchmark - Network Security: CM-2: BASELINE CONFIGURATION 4.1 - A hybrid cloud and on-premises interconnectivity strategy. https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-network-security CM-6: CONFIGURATION SETTINGS 6.6 - A network monitoring and logging strategy. CM-7: LEAST FUNCTIONALITY 11.4 - An up-to-date network security artifacts (such as network diagrams, reference network architecture). 
Azure network security overview: SC-1: SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES A2.1 https://docs.microsoft.com/azure/security/fundamentals/network-overview SC-2: APPLICATION PARTITIONING A2.2 SC-5: DENIAL OF SERVICE PROTECTION A2.3 Enterprise network architecture strategy: SC-7: BOUNDARY PROTECTION A3.2 https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture SC-20: SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) SC-21: SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) SI-4: INFORMATION SYSTEM MONITORING GS-5 Governance and Strategy 5.1 - Establish Secure Configurations 4.1 - Establish and Maintain a Secure Configuration Process CA-1: SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES 1.1 Define and implement security posture management strategy N/A Establish a policy, procedure and standard to ensure the security configuration management and vulnerability management are in place in your cloud security mandate. Azure Security Benchmark - Posture and vulnerability management: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure CA-8: PENETRATION TESTING 1.2 https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-posture-vulnerability-management CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES 2.2 The security configuration management in cloud should include the following areas: CM-2: BASELINE CONFIGURATION 6.1 - Define the secure configuration baselines for different resource types in the cloud, such as the web portal/console, management and control plane, and resources running in the IaaS, PaaS and SaaS services. 
Azure Security Best Practice 9 - Establish security posture management: CM-6: CONFIGURATION SETTINGS 6.2 - Ensure the security baselines address the risks in different control areas such as network security, identity management, privileged access, data protection and so on. https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#5-process-establish-security-posture-management RA-1: RISK ASSESSMENT POLICY AND PROCEDURES 6.5 - Use tools to continuously measure, audit, and enforce the configuration to prevent configuration deviating from the baseline. RA-3: RISK ASSESSMENT 6.6 - Develop a cadence to stay updated with security features, for instance, subscribe to the service updates. RA-5: VULNERABILITY SCANNING 11.2 - Utilize a security health or compliance check mechanism (such as Secure Score, Compliance Dashboard in Microsoft Defender for Cloud) to regularly review security configuration posture and remediate the gaps identified. SI-1: SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES 11.3 SI-2: FLAW REMEDIATION 11.5 The vulnerability management in the cloud should include the following security aspects: SI-5: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES - Regularly assess and remediate vulnerabilities in all cloud resource types, such as cloud native services, operating systems, and application components. - Use a risk-based approach to prioritize assessment and remediation. - Subscribe to the relevant CSPM's security advisory notices and blogs to receive the latest security updates. - Ensure the vulnerability assessment and remediation (such as schedule, scope, and techniques) meet the regularly compliance requirements for your organization. 
GS-6 Governance and Strategy 4.5 - Use Multifactor Authentication For All Administrative Access 5.6 - Centralize Account Management AC-1: ACCESS CONTROL POLICY AND PROCEDURES 7.1 Define and implement identity and privileged access strategy N/A Establish a cloud identity and privileged access approach as part of your organization\u2019s overall security access control strategy. This strategy should include documented guidance, policy, and standards for the following aspects: Azure Security Benchmark - Identity management: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions 16.2 - Configure Centralized Point of Authentication 6.5 - Require MFA for Administrative Access AC-2: ACCOUNT MANAGEMENT 7.2 - Centralized identity and authentication system (such as Azure AD) and its interconnectivity with other internal and external identity systems https://docs.microsoft.com//security/benchmark/azure/security-controls-v3-identity-management 6.7 - Centralize Access Control AC-3: ACCESS ENFORCEMENT 7.3 - Privileged identity and access governance (such as access request, review and approval) AC-4: INFORMATION FLOW ENFORCEMENT 8.1 - Privileged accounts in emergency (break-glass) situation Azure Security Benchmark - Privileged access: AC-5: SEPARATION OF DUTIES 8.2 - Strong authentication (passwordless authentication and multifactor authentication) methods in different use cases and conditions https://docs.microsoft.com/security/benchmark/azure/security-controls-v3-privileged-access AC-6: LEAST PRIVILEGE 8.3 - Secure access by administrative operations through web portal/console, command-line and API. IA-1: IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES 8.4 Azure Security Best Practice 11 - Architecture. 
Single unified security strategy: IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) 8.5 For exception cases, where an enterprise system isn\u2019t used, ensure adequate security controls are in place for identity, authentication and access management, and governed. These exceptions should be approved and periodically reviewed by the enterprise team. These exceptions are typically in cases such as: https://docs.microsoft.com/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy IA-4: IDENTIFIER MANAGEMENT 8.6 - Use of a non-enterprise designated identity and authentication system, such as cloud-based third-party systems (may introduce unknown risks) IA-5: AUTHENTICATOR MANAGEMENT 8.7 - Privileged users authenticated locally and/or use non-strong authentication methods Azure identity management security overview: IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) 8.8 https://docs.microsoft.com/azure/security/fundamentals/identity-management-overview IA-9: SERVICE IDENTIFICATION AND AUTHENTICATION A3.4 SI-4: INFORMATION SYSTEM MONITORING GS-7 Governance and Strategy 6.2 -Activate audit logging 8.1 - Establish and Maintain an Audit Log Management Process AU-1: AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES 10.1 Define and implement logging, threat detection and incident response strategy N/A Establish a logging, threat detection and incident response strategy to rapidly detect and remediate threats and meet compliance requirements. Security operations (SecOps / SOC) team should prioritize high quality alerts and seamless experiences so that they can focus on threats rather than log integration and manual steps. 
Azure Security Benchmark - Logging and threat detection: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions 6.3 - Enable Detailed Logging 13.1 - Centralize Security Event Alerting IR-1: INCIDENT RESPONSE POLICY AND PROCEDURES 10.2 This strategy should include documented policy, procedure and standards for the following aspects: https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-logging-threat-detection 6.6 - Deploy SIEM or Log Analytic tool 17.2 - Establish and Maintain Contact Information for Reporting Security Incidents IR-2: INCIDENT RESPONSE TRAINING 10.3 - The security operations (SecOps) organization's role and responsibilities 6.7 - Regularly Review Logs 17.4 - Establish and Maintain an Incident Response Process IR-10: INTEGRATED INFORMATION SECURITY ANALYSIS TEAM 10.4 - A well-defined and regularly tested incident response plan and handling process aligning with NIST SP 800-61 (Computer Security Incident Handling Guide) or other industry frameworks. Azure Security Benchmark - Incident response: 19.1 - Document Incident Response Procedures 17.7 - Conduct Routine Incident Response Exercises SI-1: SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES 10.5 - Communication and notification plan with your customers, suppliers, and public parties of interest. https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-incident-response 19.5 - Maintain Contact Information For Reporting Security Incidents SI-5: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES 10.6 - Simulate both expected and unexpected security events within your cloud environment to understand the effectiveness of your preparation. Iterate on the outcome of your simulation to improve the scale of your response posture, reduce time to value, and further reduce risk. 
19.7 - Conduct Periodic Incident Scenario Sessions for Personnel 10.7 - Preference of using extended detection and response (XDR) capabilities such as Azure Defender capabilities to detect threats in the various areas. Azure Security Best Practice 4 - Process. Update Incident Response Processes for Cloud: 10.8 - Use of cloud native capability (e.g., Microsoft Defender for Cloud) and third-party platforms for incident handling, such as logging and threat detection, forensics, and attack remediation and eradication. https://aka.ms/AzSec4 10.9 - Prepare the necessary runbooks, both manual and automated, to ensure reliable and consistent responses. 12.10 - Define key scenarios (such as threat detection, incident response, and compliance) and set up log capture and retention to meet the scenario requirements. Azure Adoption Framework, logging, and reporting decision guide: A3.5 - Centralized visibility of, and correlated information about, threats, using SIEM, native cloud threat detection capability, and other sources. https://docs.microsoft.com/azure/cloud-adoption-framework/decision-guides/logging-and-reporting/ - Post-incident activities, such as lessons learned and evidence retention. Azure enterprise scale, management, and monitoring: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/management-and-monitoring NIST SP 800-61 Computer Security Incident Handling Guide: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf GS-8 Governance and Strategy 10.1 - Ensure Regular Automated Backups 11.1 - Establish and Maintain a Data Recovery Process CP-1: CONTINGENCY PLANNING POLICY AND PROCEDURES 3.4 Define and implement backup and recovery strategy N/A Establish a backup and recovery strategy for your organization.
This strategy should include documented guidance, policy, and standards in the following aspects: Azure Security Benchmark - Backup and recovery: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions CP-9: INFORMATION SYSTEM BACKUP - Recovery time objective (RTO) and recovery point objective (RPO) definitions in accordance with your business resiliency objectives, and regulatory compliance requirements. https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-backup-recovery CP-10: INFORMATION SYSTEM RECOVERY AND RECONSTITUTION - Redundancy design (including backup, restore and replication) in your applications and infrastructure for both cloud and on-premises. Consider regional, region-pair, cross-regional recovery and off-site storage locations as part of your strategy. - Protection of backups from unauthorized access and tampering using controls such as data access control, encryption and network security. Azure Well-Architected Framework - Backup and disaster recovery for Azure applications: https://docs.microsoft.com/azure/architecture/framework/resiliency/backup-and-recovery - Use of backup and recovery to mitigate the risks from emerging threats, such as ransomware attacks. Also secure the backup and recovery data itself from these attacks. - Monitoring the backup and recovery data and operations for audit and alerting purposes.
Azure Adoption Framework - business continuity and disaster recovery: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/business-continuity-and-disaster-recovery Backup and restore plan to protect against ransomware: https://docs.microsoft.com/azure/security/fundamentals/backup-plan-to-protect-against-ransomware GS-9 Governance and Strategy 8.1 - Utilize Centrally Managed Anti-malware Software 4.4 - Implement and Manage a Firewall on Servers SI-2: FLAW REMEDIATION 5.1 Define and implement endpoint security strategy N/A Establish a cloud endpoint security strategy which includes the following aspects: Azure Security Benchmark - Endpoint security: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions 9.4 - Apply Host-Based Firewalls or Port-Filtering 10.1 - Deploy and Maintain Anti-Malware Software SI-3: MALICIOUS CODE PROTECTION 5.2 - Deploy the endpoint detection and response and antimalware capability into your endpoints and integrate with the threat detection and SIEM solution and security operations process. https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-endpoint-security SC-3: SECURITY FUNCTION ISOLATION 5.3 - Follow the Microsoft Cloud Security Benchmark to ensure endpoint-related security settings in other respective areas (such as network security, posture and vulnerability management, identity and privileged access, and logging and threat detection) are also in place to provide defense-in-depth protection for your endpoints. 5.4 - Prioritize endpoint security in your production environment, but ensure the non-production environments (such as the test and build environments used in the DevOps process) are also secured and monitored, as these environments can also be used to introduce malware and vulnerabilities into production.
Best practices for endpoint security on Azure: 11.5 https://docs.microsoft.com/azure/architecture/framework/security/design-network-endpoints GS-10 Governance and Strategy 5.1 - Establish Secure Configurations 4.1 - Establish and Maintain a Secure Configuration Process SA-12: SUPPLY CHAIN PROTECTION 2.2 Define and implement DevOps security strategy N/A Mandate the security controls as part of the organization’s DevOps engineering and operation standard. Define the security objectives, control requirements, and tooling specifications in accordance with enterprise and cloud security standards in your organization. Azure Security Benchmark - DevOps security: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions 18.1 - Establish Secure Coding Practices 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure SA-15: DEVELOPMENT PROCESS, STANDARDS, AND TOOLS 6.1 https://docs.microsoft.com/azure/security/benchmarks/security-benchmark-v3-devops-security 18.8 - Establish a Process to Accept and Address Reports of Software Vulnerabilities 16.1 - Establish and Maintain a Secure Application Development Process CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES 6.2 Encourage the use of DevOps as an essential operating model in your organization for its benefits in rapidly identifying and remediating vulnerabilities using different types of automation (such as infrastructure as code provisioning, and automated SAST and DAST scans) throughout the CI/CD workflow. This ‘shift left’ approach also increases visibility and the ability to enforce consistent security checks in your deployment pipeline, effectively deploying security guardrails into the environment ahead of time to avoid last-minute security surprises when deploying a workload into production.
16.2 - Establish and Maintain a Process to Accept and Address Software Vulnerabilities CM-2: BASELINE CONFIGURATION 6.3 Secure DevOps: CM-6: CONFIGURATION SETTINGS 6.5 When shifting security controls left into the pre-deployment phases, implement security guardrails to ensure the controls are deployed and enforced throughout your DevOps process. This technology could include resource deployment templates (such as Azure ARM templates) to define guardrails in the IaC (infrastructure as code), resource provisioning and audit to restrict which services or configurations can be provisioned into the environment. https://www.microsoft.com/securityengineering/devsecops AC-2: ACCOUNT MANAGEMENT 7.1 AC-3: ACCESS ENFORCEMENT 10.1 For the run-time security controls of your workload, follow the Microsoft Cloud Security Benchmark to design and implement the controls effectively, such as identity and privileged access, network security, endpoint security, and data protection inside your workload applications and services. Cloud Adoption Framework - DevSecOps controls: AC-6: LEAST PRIVILEGE 10.2 https://docs.microsoft.com/azure/cloud-adoption-framework/secure/devsecops-controls SA-11: DEVELOPER TESTING AND EVALUATION 10.3 AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING 10.6 AU-12: AUDIT GENERATION 12.2 SI-4: INFORMATION SYSTEM MONITORING GS-11 Governance and Strategy N/A N/A N/A N/A Define and implement multi-cloud security strategy N/A Ensure a multi-cloud strategy is defined in your cloud and security governance, risk management, and operation process which should include the following aspects: Azure hybrid and multicloud: All stakeholders: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security#security-functions - Multi-cloud adoption: For organizations that operate multi-cloud infrastructure, educate your organization to ensure teams understand the feature differences between the cloud platforms and technology stacks.
Build, deploy, and/or migrate solutions that are portable. Allow for ease of movement between cloud platforms with minimum vendor lock-in while utilizing cloud native features adequately for the optimal result from the cloud adoption. https://docs.microsoft.com/en-us/hybrid/ - Cloud and security operations: Streamline security operations to support the solutions across each cloud, through a central set of governance and management processes which share common operations processes, regardless of where the solution is deployed and operated. - Tooling and technology stack: Choose the appropriate tooling that supports a multi-cloud environment to help with establishing unified and centralized management platforms which may include all the security domains discussed in this security benchmark. Azure hybrid and multicloud documentation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/hybrid/scenario-overview AWS to Azure services comparison: https://docs.microsoft.com/en-us/azure/architecture/aws-professional/services Azure for AWS professionals: https://docs.microsoft.com/en-us/azure/architecture/aws-professional/
MCSB_v1 - Identity Management
ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context: Customer Security Stakeholders: IM-1 Identity Management 16.1 - Maintain an Inventory of Authentication Systems 6.7 - Centralize Access Control AC-2: ACCOUNT MANAGEMENT 7.2 Use centralized identity and authentication system Use a centralized identity and authentication system to govern your organization's identities and authentications for cloud and non-cloud resources. Azure Active Directory (Azure AD) is Azure's identity and authentication management service.
You should standardize on Azure AD to govern your organization's identity and authentication in: Tenancy in Azure AD: AWS IAM (Identity and Access Management) is AWS' default identity and authentication management service. Use AWS IAM to govern your AWS identity and access management. Alternatively, through AWS and Azure Single Sign-On (SSO), you can also use Azure AD to manage the identity and access control of AWS to avoid managing duplicate accounts separately in two cloud platforms. AWS IAM: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA) AC-3: ACCESS ENFORCEMENT 8.3 - Microsoft cloud resources, such as Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications. https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html 16.2 - Configure Centralized Point of Authentication IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) - Your organization's resources, such as applications on Azure, third-party applications running on your corporate network resources, and third-party SaaS applications. AWS supports Single Sign-On which allows you to bridge your corporation's third-party identities (such as Windows Active Directory, or other identity stores) with the AWS identities to avoid creating duplicate accounts to access AWS resources. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) - Your enterprise identities in Active Directory by synchronization to Azure AD to ensure a consistent and centrally managed identity strategy.
How to create and configure an Azure AD instance: AWS Single Sign-On: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant https://docs.aws.amazon.com/singlesignon/index.html Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops For the Azure services that apply, avoid use of local authentication methods and instead use Azure Active Directory to centralize your service authentications. Define Azure AD tenants: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management Note: As soon as it is technically feasible, you should migrate on-premises Active Directory-based applications to Azure AD. This could be an Azure AD Enterprise Directory, Business to Business configuration, or Business to consumer configuration. https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/ Use external identity providers for an application: https://docs.microsoft.com/azure/active-directory/b2b/identity-providers IM-2 Identity Management 4.3 - Ensure the Use of Dedicated Administrative Accounts 5.4 - Restrict Administrator Privileges to Dedicated Administrator Accounts AC-2: ACCOUNT MANAGEMENT 8.2 Protect identity and authentication systems Secure your identity and authentication system as a high priority in your organization's cloud security practice. Common security controls include: Use the Azure AD security baseline and the Azure AD Identity Secure Score to evaluate your Azure AD identity security posture, and remediate security and configuration gaps. 
What is the identity secure score in Azure AD: https://docs.microsoft.com/azure/active-directory/fundamentals/identity-secure-score Use the following security best practices to secure your AWS IAM: Security Best Practice in IAM: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys 4.5 - Use Multi-Factor Authentication for All Administrative Access 6.5 - Require MFA for Administrative Access AC-3: ACCESS ENFORCEMENT 8.3 - Restrict privileged roles and accounts The Azure AD Identity Secure Score evaluates Azure AD for the following configurations: - Set up AWS account root user access keys for emergency access as described in PA-5 (Set up emergency access) https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) - Require strong authentication for all privileged access - Use limited administrative roles Best Practices for Securing Active Directory: - Follow least privilege principles for access assignments Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) - Monitor and audit high risk activities - Turn on user risk policy https://docs.microsoft.com/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory - Leverage IAM groups to apply policies instead of individual user(s). 
IAM Access Advisor: SI-4: INFORMATION SYSTEM MONITORING - Designate more than one global admin - Follow strong authentication guidance in IM-6 (Use strong authentication controls) for all users https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops - Enable policy to block legacy authentication What is Identity Protection? - Use AWS Organizations SCP (Service Control Policy) and permission boundaries - Ensure all users can complete multi-factor authentication for secure access https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection - Use IAM Access Advisor to audit service access IAM Credential Report: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management - Require MFA for administrative roles - Use IAM credential report to track user accounts and credential status https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html - Enable self-service password reset What is Microsoft Defender for Identity? - Do not expire passwords https://learn.microsoft.com/en-us/defender-for-identity/what-is Note: Follow published best practices if you have other identity and authentication systems, e.g., follow the Azure AD security baseline if you use Azure AD to manage AWS identity and access. - Turn on sign-in risk policy - Do not allow users to grant consent to unmanaged applications Use Azure AD Identity Protection to detect, investigate, and remediate identity-based risks. To similarly protect your on-premises Active Directory domain, use Defender for Identity. 
Note: Follow published best practices for all other identity components, including your on-premises Active Directory and any third party capabilities, and the infrastructure (such as operating systems, networks, databases) that host them. IM-3 Identity Management nan nan AC-2: ACCOUNT MANAGEMENT N/A Manage application identities securely and automatically Use managed application identities instead of creating human accounts for applications to access resources and execute code. Managed application identities provide benefits such as reducing the exposure of credentials. Automate the rotation of credentials to ensure the security of the identities. Use Azure managed identities, which can authenticate to Azure services and resources that support Azure AD authentication. Managed identity credentials are fully managed, rotated, and protected by the platform, avoiding hard-coded credentials in source code or configuration files. Azure managed identities: Use AWS IAM roles instead of creating user accounts for resources that support this feature. IAM roles are managed by the platform at the backend and the credentials are temporary and rotated automatically. This avoids creating long-term access keys or a username/password for applications and hard-coded credentials in source code or configuration files. AWS IAM Roles: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys AC-3: ACCESS ENFORCEMENT https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html IA-4: IDENTIFIER MANAGEMENT For services that don't support managed identities, use Azure AD to create a service principal with restricted permissions at the resource level. It is recommended to configure service principals with certificate credentials and fall back to client secrets for authentication. 
You may use service-linked roles, which come with pre-defined permission policies for access between AWS services, instead of customizing your own role permissions for the IAM roles. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops IA-5: AUTHENTICATOR MANAGEMENT Services that support managed identities for Azure resources: Providing access to an AWS service: IA-9: SERVICE IDENTIFICATION AND AUTHENTICATION https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities Note: For services that don't support IAM roles, use access keys but follow security best practices such as IM-8: Restrict the exposure of credential and secrets to secure your keys. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html Azure service principal: https://docs.microsoft.com/powershell/azure/create-azure-service-principal-azureps Create a service principal with certificates: https://docs.microsoft.com/azure/active-directory/develop/howto-authenticate-service-principal-powershell IM-4 Identity Management N/A N/A IA-9: SERVICE IDENTIFICATION AND AUTHENTICATION N/A Authenticate server and services Authenticate remote servers and services from your client side to ensure you are connecting to trusted servers and services. The most common server authentication protocol is Transport Layer Security (TLS), where the client side (often a browser or client device) verifies the server by checking that the server’s certificate was issued by a trusted certificate authority. Many Azure services support TLS authentication by default. For services that don't support this by default or that allow TLS to be disabled, ensure it is always enabled to support the server/service authentication.
Your client application should also be designed to verify server/service identity (by verifying the server’s certificate issued by a trusted certificate authority) in the handshake stage. Enforce Transport Layer Security (TLS) for a storage account: Many AWS services support TLS authentication by default. For services that don't support this by default or support TLS disabling, ensure it is always enabled to support the server/service authentication. Your client application should also be designed to verify server/service identity (by verifying the server’s certificate issued by a trusted certificate authority) in the handshake stage. AWS Certificate Manager certificate pinning. Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys https://docs.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal#use-azure-policy-to-enforce-the-minimum-tls-version https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-pinning Note: Mutual authentication can be used when both the server and the client authenticate one-another. Note: Services such as API Management and API Gateway support TLS mutual authentication. Note: Services such as API Gateway support TLS mutual authentication.
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops SSL certificate for backend authentication: https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html IM-5 Identity Management 16.2 - Configure Centralized Point of Authentication 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA) IA-4: IDENTIFIER MANAGEMENT N/A Use single sign-on (SSO) for application access Use single sign-on (SSO) to simplify the user experience for authenticating to resources including applications and data across cloud services and on-premises environments. Use Azure AD for workload application access (customer facing) through Azure AD single sign-on (SSO), reducing the need for duplicate accounts. Azure AD provides identity and access management to Azure resources (in the management plane including CLI, PowerShell, portal), cloud applications, and on-premises applications. Understand application SSO with Azure AD: Use AWS Cognito to manage access to your customer-facing workload application through single sign-on (SSO) to allow customers to bridge their third-party identities from different identity providers. AWS Single Sign-On: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on https://docs.aws.amazon.com/singlesignon/ IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) Azure AD also supports SSO for enterprise identities such as corporate user identities, as well as external user identities from trusted third-party and public users.
For SSO access to the AWS native resources (including AWS console access or service management and data plane level access), use AWS Single Sign-On to reduce the need for duplicate accounts. Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys AWS Cognito Single Sign-On - Adding SAML identity providers: AWS SSO also allows you to bridge corporate identities (such as identities from Azure Active Directory) with AWS identities, as well as external user identities from trusted third-party and public users. https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops IM-6 Identity Management 4.2 - Change Default Passwords 6.3 - Require MFA for Externally-Exposed Applications AC-2: ACCOUNT MANAGEMENT 7.2 Use strong authentication controls Enforce strong authentication controls (strong passwordless authentication or multi-factor authentication) with your centralized identity and authentication management system for all access to resources. Authentication based on password credentials alone is considered legacy, as it is insecure and does not stand up to popular attack methods. Azure AD supports strong authentication controls through passwordless methods and multi-factor authentication (MFA). How to enable MFA in Azure: AWS IAM supports strong authentication controls through multi-factor authentication (MFA). MFA can be enforced on all users, select users, or at the per-user level based on defined conditions.
Using multi-factor authentication (MFA) in AWS: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 4.5 - Use Multifactor Authentication For All Administrative Access 6.4 - Require MFA for Administrative Access AC-3: ACCESS ENFORCEMENT 8.2 - Passwordless authentication: Use passwordless authentication as your default authentication method. There are three options available in passwordless authentication: Windows Hello for Business, Microsoft Authenticator app phone sign-in, and FIDO2 security keys. In addition, customers can use on-premises authentication methods such as smart cards. https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html 12.11 - Require All Remote Logins to Use Multi-Factor Authentication IA-2: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) 8.3 When deploying strong authentication, configure administrators and privileged users first, to ensure they get the highest level of strong authentication, quickly followed by rolling out the appropriate strong authentication policy to all users. - Multi-factor authentication: Azure MFA can be enforced on all users, select users, or at the per-user level based on sign-in conditions and risk factors. Enable Azure MFA and follow Microsoft Defender for Cloud identity and access management recommendations for your MFA setup. If you use corporate accounts from a third-party directory (such as Windows Active Directory) with AWS identities, follow the respective security guidance to enforce strong authentication. Refer to the Azure Guidance for this control if you use Azure AD to manage AWS access.
Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys 16.3 - Require Multi-Factor Authentication IA-5: AUTHENTICATOR MANAGEMENT 8.4 Introduction to passwordless authentication options for Azure Active Directory: IAM supported MFA form factors: IA-8: IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) Note: If legacy password-based authentication is required for legacy applications and scenarios, ensure password security best practices, such as complexity requirements, are followed. If legacy password-based authentication is still used for Azure AD authentication, be aware that cloud-only accounts (user accounts created directly in Azure) have a default baseline password policy, while hybrid accounts (user accounts that come from on-premises Active Directory) follow the on-premises password policies. https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless Note: For third-party applications and AWS services that may have default IDs and passwords, you should disable or change them during initial service setup. https://aws.amazon.com/iam/features/mfa/ Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops For third-party applications and services that may have default IDs and passwords, you should disable or change them during initial service setup.
Azure AD default password policy: https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts Eliminate bad passwords using Azure AD Password Protection: https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad Block legacy authentication: https://docs.microsoft.com/azure/active-directory/conditional-access/block-legacy-authentication IM-7 Identity Management 12.11 - Require All Remote Logins to Use Multi-Factor Authentication 3.3 - Configure Data Access Control Lists AC-2: ACCOUNT MANAGEMENT 7.2 Restrict resource access based on conditions Explicitly validate trusted signals to allow or deny user access to resources, as part of a zero-trust access model. Signals to validate should include strong authentication of the user account, behavioral analytics of the user account, device trustworthiness, user or group membership, location and so on. Use Azure AD conditional access for more granular access controls based on user-defined conditions, such as requiring user logins from certain IP ranges (or devices) to use MFA. Azure AD Conditional Access allows you to enforce access controls on your organization’s apps based on certain conditions. Azure Conditional Access overview: Create IAM policies and define conditions for more granular access controls based on user-defined conditions, such as requiring user logins from certain IP ranges (or devices) to use multi-factor authentication. Condition settings may include single or multiple conditions as well as logic.
Policies and permissions in IAM: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys 12.12 - Manage All Devices Remotely Logging Into Internal Network 6.4 - Require MFA for Administrative Access AC-3: ACCESS ENFORCEMENT https://docs.microsoft.com/azure/active-directory/conditional-access/overview https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html 14.6 - Protect Information Through Access Control Lists 13.5 - Manage Access Control for Remote Assets AC-6: LEAST PRIVILEGE Define the applicable conditions and criteria for Azure AD conditional access in the workload. Consider the following common use cases: Policies can be defined from six different dimensions: identity-based policies, resource-based policies, permissions boundaries, AWS Organizations service control policies (SCP), Access Control Lists (ACL), and session policies. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 16.3 - Require Multi-Factor Authentication - Requiring multi-factor authentication for users with administrative roles Common Conditional Access policies: Conditions key table: - Requiring multi-factor authentication for Azure management tasks https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html#context_keys_table Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management - Blocking sign-ins for users attempting to use legacy authentication protocols - Requiring trusted locations for Azure AD Multi-Factor Authentication registration Conditional Access insights and reporting: Threat intelligence:
https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence - Blocking or granting access from specific locations https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-insights-reporting - Blocking risky sign-in behaviors - Requiring organization-managed devices for specific applications Configure authentication session management with Conditional Access: https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime Note: Granular authentication session management controls can also be implemented through Azure AD conditional access policies such as sign-in frequency and persistent browser session. IM-8 Identity Management 18.1 - Establish Secure Coding Practices 16.9 - Train Developers in Application Security Concepts and Secure Coding IA-5: AUTHENTICATOR MANAGEMENT 3.5 Restrict the exposure of credentials and secrets Ensure that application developers securely handle credentials and secrets: When using a managed identity is not an option, ensure that secrets and credentials are stored in secure locations such as Azure Key Vault, instead of embedding them into the code and configuration files. How to set up Credential Scanner: When using an IAM role for application access is not an option, ensure that secrets and credentials are stored in secure locations such as AWS Secrets Manager or Systems Manager Parameter Store, instead of embedding them into the code and configuration files.
AWS IAM roles in EC2: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 18.6 - Ensure Software Development Personnel Are Trained in Secure Coding 16.12 - Implement Code-Level Security Checks 6.3 - Avoid embedding the credentials and secrets into the code and configuration files https://secdevtools.azurewebsites.net/helpcredscan.html https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html 18.7 - Apply Static and Dynamic Code Analysis Tools 8.2 - Use key vault or a secure key store service to store the credentials and secrets If you use Azure DevOps and GitHub for your code management platform: Use CodeGuru Reviewer for static code analysis, which can detect secrets hard-coded in your source code. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management - Scan for credentials in source code. - Implement Azure DevOps Credential Scanner to identify credentials within the code. GitHub secret scanning: AWS Secrets Manager integrated services: - For GitHub, use the native secret scanning feature to identify credentials or other forms of secrets within the code. https://docs.github.com/github/administering-a-repository/about-secret-scanning If you use Azure DevOps and GitHub for your code management platform: https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating.html Note: This is often governed and enforced through a secure software development lifecycle (SDLC) and DevOps security process. - Implement Azure DevOps Credential Scanner to identify credentials within the code. Clients such as Azure Functions, Azure App Service, and VMs can use managed identities to access Azure Key Vault securely. See Data Protection controls related to the use of Azure Key Vault for secrets management.
- For GitHub, use the native secret scanning feature to identify credentials or other forms of secrets within the code. CodeGuru Reviewer Secrets Detection: https://docs.aws.amazon.com/codeguru/latest/reviewer-ug/recommendations.html Note: Azure Key Vault provides automatic rotation for supported services. For secrets which cannot be automatically rotated, ensure they are manually rotated periodically and purged when no longer in use. Note: Secrets Manager provides automatic secrets rotation for supported services. For secrets which cannot be automatically rotated, ensure they are manually rotated periodically and purged when no longer in use. IM-9 Identity Management 12.10 Decrypt Network Traffic at Proxy 6.7 - Centralize Access Control AC-2: ACCOUNT MANAGEMENT nan Secure user access to existing applications In a hybrid environment, where you have on-premises applications or non-native cloud applications using legacy authentication, consider solutions such as cloud access security broker (CASB), application proxy, single sign-on (SSO) to govern the access to these applications for the following benefits: Protect your on-premises and non-native cloud applications using legacy authentication by connecting them to: Azure AD Application Proxy: Follow Azure's guidance to protect your on-premises and non-native cloud applications using legacy authentication by connecting them to: AWS Marketplace Application Proxy solutions: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 16.2 Configure Centralized Point of Authentication 12.5 - Centralize Network Authentication, Authorization, and Auditing (AAA) AC-3: ACCESS ENFORCEMENT - Enforce a centralized strong authentication - Azure AD Application Proxy and configure header-based authentication to allow single sign-on (SSO) access to the applications for remote users while explicitly validating the trustworthiness of both remote users and devices with Azure AD 
Conditional Access. If required, use a third-party Software-Defined Perimeter (SDP) solution which can offer similar functionality. https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy - Azure AD Application Proxy and configure header-based authentication to allow single sign-on (SSO) access to the applications for remote users while explicitly validating the trustworthiness of both remote users and devices with Azure AD Conditional Access. If required, use a third-party Software-Defined Perimeter (SDP) solution which can offer similar functionality. https://aws.amazon.com/marketplace/search/results?searchTerms=Application+proxy SC-11: TRUSTED PATH - Monitor and control risky end-user activities - Microsoft Defender for Cloud Apps which serves as a cloud access security broker (CASB) service to monitor and block user access to unapproved third-party SaaS applications. - Microsoft Defender for Cloud Apps which serves as a cloud access security broker (CASB) service to monitor and block user access to unapproved third-party SaaS applications. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture - Monitor and remediate risky legacy applications activities - Your existing third-party application delivery controllers and networks. Microsoft Cloud App Security best practices: - Your existing third-party application delivery controllers and networks. AWS Marketplace CASB solutions: - Detect and prevent sensitive data transmission https://docs.microsoft.com/cloud-app-security/best-practices https://aws.amazon.com/marketplace/search/results?searchTerms=CASB Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Note: VPNs are commonly used to access legacy applications and often only have basic access control and limited session monitoring. 
Note: VPNs are commonly used to access legacy applications and often only have basic access control and limited session monitoring. Azure AD secure hybrid access: https://docs.microsoft.com/azure/active-directory/manage-apps/secure-hybrid-access

MCSB_v1 - Incident Response

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders: IR-1 Incident Response 19.1 - Document Incident Response Procedures 17.4 - Establish and Maintain an Incident Response Process IR-4: INCIDENT HANDLING 10.8 Preparation - update incident response plan and handling process Ensure your organization follows industry best practices to develop processes and plans to respond to security incidents on the cloud platforms. Be mindful about the shared responsibility model and the variances across IaaS, PaaS, and SaaS services. This will have a direct impact on how you collaborate with your cloud provider in incident response and handling activities, such as incident notification and triage, evidence collection, investigation, eradication, and recovery. Update your organization's incident response process to include the handling of incidents in the Azure platform. Based on the Azure services used and your application nature, customize the incident response plan and playbook to ensure they can be used to respond to the incident in the cloud environment. Implement security across the enterprise environment: Update your organization's incident response process to include the handling of incidents. Ensure a unified multi-cloud incident response plan is in place by updating your organization's incident response process to include the handling of incidents in the AWS platform.
Based on the AWS services used and your application nature, follow the AWS Security Incident Response Guide to customize the incident response plan and playbook to ensure they can be used to respond to the incident in the cloud environment. AWS Security Incident Response Guide: https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/welcome.html Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center 19.7 - Conduct Periodic Incident Scenario Sessions for Personnel 17.7 - Conduct Routine Incident Response Exercises IR-8: INCIDENT RESPONSE PLAN https://docs.microsoft.com/azure/cloud-adoption-framework/secure/security-top-10#4-process-update-incident-response-processes-for-cloud Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation Regularly test the incident response plan and handling process to ensure they're up to date. Incident response reference guide: https://docs.microsoft.com/microsoft-365/downloads/IR-Reference-Guide.pdf Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence NIST SP800-61 Computer Security Incident Handling Guide https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf Incident response overview: https://docs.microsoft.com/en-us/security/compass/incident-response-overview IR-2 Incident Response 19.2 - Assign Job Titles and Duties for Incident Response 17.1 - Designate Personnel to Manage Incident Handling IR-4: INCIDENT HANDLING 12.1 Preparation - setup incident contact information Ensure the security alerts and incident notification from the cloud service provider's platform and your environments can be received by correct contact in your incident response organization. Set up security incident contact information in Microsoft Defender for Cloud. 
This contact information is used by Microsoft to contact you if the Microsoft Security Response Center (MSRC) discovers that your data has been accessed by an unlawful or unauthorized party. You also have options to customize incident alerts and notification in different Azure services based on your incident response needs. How to set the Microsoft Defender for Cloud security contact: Set up security incident contact information in AWS Systems Manager Incident Manager (the incident management center for AWS). This contact information is used for incident management communication between you and AWS through the different channels (e.g., email, SMS, or voice). You can define a contact's engagement plan and escalation plan to describe how and when Incident Manager engages the contact and when to escalate if the contact(s) does not respond to an incident. Incident Manager Contact: https://docs.aws.amazon.com/incident-manager/latest/userguide/contacts.html Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center 19.3 - Designate Management Personnel to Support Incident Handling 17.3 - Establish and Maintain an Enterprise Process for Reporting Incidents IR-8: INCIDENT RESPONSE PLAN https://docs.microsoft.com/azure/security-center/security-center-provide-security-contact-details 19.4 - Devise Organization-wide Standards for Reporting Incidents 17.6 - Define Mechanisms for Communicating During Incident Response IR-5: INCIDENT MONITORING Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation 19.5 - Maintain Contact Information For Reporting Security Incidents IR-6: INCIDENT REPORTING IR-3 Incident Response 19.8 - Create Incident Scoring and Prioritization Schema 17.9 - Establish and Maintain Security Incident Thresholds IR-4: INCIDENT HANDLING 10.8 Detection and analysis - create incidents based on high-quality alerts Ensure you have a 
process to create high-quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives. Microsoft Defender for Cloud provides high-quality alerts across many Azure assets. You can use the Microsoft Defender for Cloud data connector to stream the alerts to Microsoft Sentinel. Microsoft Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation. How to configure export: Use security tools like SecurityHub or GuardDuty and other third-party tools to send alerts to Amazon CloudWatch or Amazon EventBridge so incidents can be automatically created in Incident Manager based on the defined criteria and rule sets. You can also manually create incidents in the Incident Manager for further incident handling and tracking. Incident creation in Incident Manager: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center IR-5: INCIDENT MONITORING https://docs.microsoft.com/azure/security-center/continuous-export https://docs.aws.amazon.com/incident-manager/latest/userguide/incident-creation.html IR-7 INCIDENT RESPONSE ASSISTANCE High-quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources. Export your Microsoft Defender for Cloud alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion. If you use Microsoft Defender for Cloud to monitor your AWS accounts, you can also use Microsoft Sentinel to monitor and alert the incidents identified by Microsoft Defender for Cloud on AWS resources. 
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation How to stream alerts into Microsoft Sentinel: How Defender for Cloud Apps helps protect your Amazon Web Services (AWS) environment: https://docs.microsoft.com/azure/sentinel/connect-azure-security-center https://docs.microsoft.com/en-us/defender-cloud-apps/protect-aws Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence IR-4 Incident Response nan nan IR-4: INCIDENT HANDLING 12.1 Detection and analysis - investigate an incident Ensure the security operation team can query and use diverse data sources as they investigate potential incidents, to build a full view of what happened. Diverse logs should be collected to track the activities of a potential attacker across the kill chain to avoid blind spots. You should also ensure insights and learnings are captured for other analysts and for future historical reference. Ensure your security operations team can query and use diverse data sources that are collected from the in-scope services and systems. In addition, sources can also include: Snapshot a Windows machine's disk: The data sources for investigation are the centralized logging sources that collect from the in-scope services and running systems, but can also include: Traffic Mirroring: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center - Identity and access log data: Use Azure AD logs and workload (such as operating system or application level) access logs for correlating identity and access events. https://docs.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk - Identity and access log data: Use IAM logs and workload (such as operating system or application level) access logs for correlating identity and access events.
https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html Use the cloud native SIEM and incident management solution if your organization does not have an existing solution to aggregate security logs and alerts information. Correlate incident data sourced from different sources to facilitate the incident investigations. - Network data: Use network security groups' flow logs, Azure Network Watcher, and Azure Monitor to capture network flow logs and other analytics information. - Network data: Use VPC Flow Logs, VPC Traffic Mirroring, and AWS CloudTrail and CloudWatch to capture network flow logs and other analytics information. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation - Incident related activity data from snapshots of the impacted systems, which can be obtained through: Snapshot a Linux machine's disk: - Snapshots of running systems, which can be obtained through: Creating EBS volume backups with AMIs and EBS snapshots: a) The Azure virtual machine's snapshot capability, to create a snapshot of the running system's disk. https://docs.microsoft.com/azure/virtual-machines/linux/snapshot-copy-managed-disk a) Snapshot capability in Amazon EC2 (EBS) to create a snapshot of the running system's disk. https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/ec2-backup.html Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence b) The operating system's native memory dump capability, to create a snapshot of the running system's memory. b) The operating system's native memory dump capability, to create a snapshot of the running system's memory. c) The snapshot feature of the other supported Azure services or your software's own capability, to create snapshots of the running systems.
Microsoft Azure Support diagnostic information and memory dump collection: c) The snapshot feature of the AWS services or your software's own capability, to create snapshots of the running systems. https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/use-immutable-storage.html https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/ Microsoft Sentinel provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information during an investigation can be associated with an incident for tracking and reporting purposes. If you aggregate your SIEM related data into Microsoft Sentinel, it provides extensive data analytics across virtually any log source and a case management portal to manage the full lifecycle of incidents. Intelligence information during an investigation can be associated with an incident for tracking and reporting purposes. Investigate incidents with Azure Sentinel: Note: When incident related data is captured for investigation, ensure there is adequate security in place to protect the data from unauthorized alteration, such as disabling logging or removing logs, which can be performed by the attackers during an in-flight data breach activity. https://docs.microsoft.com/azure/sentinel/tutorial-investigate-cases Note: When incident related data is captured for investigation, ensure there is adequate security in place to protect the data from unauthorized alteration, such as disabling logging or removing logs, which can be performed by the attackers during an in-flight data breach activity. 
IR-5 Incident Response 19.8 - Create Incident Scoring and Prioritization Schema 17.4 - Establish and Maintain an Incident Response Process IR-4: INCIDENT HANDLING 12.1 Detection and analysis - prioritize incidents Provide context to security operations teams to help them determine which incidents ought to first be focused on, based on alert severity and asset sensitivity defined in your organization's incident response plan. Microsoft Defender for Cloud assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Microsoft Defender for Cloud is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert. Security alerts in Microsoft Defender for Cloud: For each incident created in the Incident Manager, assign an impact level based on your organization's defined criteria, such as a measure of the severity of the incident and criticality level of the assets impacted. Define your naming convention best practice: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center 17.9 - Establish and Maintain Security Incident Thresholds https://docs.microsoft.com/azure/security-center/security-center-alerts-overview https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/resource-naming Additionally, mark resources using tags and create a naming system to identify and categorize your cloud resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the resources and environment where the incident occurred. Similarly, Microsoft Sentinel creates alerts and incidents with an assigned severity and other details based on analytics rules.
Use analytic rule templates and customize the rules according to your organization's needs to support incident prioritization. Use automation rules in Microsoft Sentinel to manage and orchestrate threat response in order to maximize your security operations team's efficiency and effectiveness, including tagging incidents to classify them. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation Use tags to organize your Azure resources: https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence Create incidents from Microsoft security alerts: https://learn.microsoft.com/azure/sentinel/create-incidents-from-alerts IR-6 Incident Response nan nan IR-4: INCIDENT HANDLING 12.1 Containment, eradication and recovery - automate the incident handling Automate the manual, repetitive tasks to speed up response time and reduce the burden on analysts. Manual tasks take longer to execute, slowing each incident and reducing how many incidents an analyst can handle. Manual tasks also increase analyst fatigue, which increases the risk of human error that causes delays and degrades the ability of analysts to focus effectively on complex tasks. Use workflow automation features in Microsoft Defender for Cloud and Microsoft Sentinel to automatically trigger actions or run playbooks to respond to incoming security alerts. Playbooks take actions, such as sending notifications, disabling accounts, and isolating problematic networks. Configure workflow automation in Security Center: If you use Microsoft Sentinel to centrally manage your incidents, you can also create automated actions or run playbooks to respond to incoming security alerts.
AWS Systems Manager - runbooks and automation: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center IR-5: INCIDENT MONITORING https://docs.microsoft.com/azure/security-center/workflow-automation https://docs.aws.amazon.com/incident-manager/latest/userguide/runbooks.html IR-6: INCIDENT REPORTING Alternatively, use automation features in AWS Systems Manager to automatically trigger actions defined in the incident response plan, including notifying the contacts and/or running a runbook to respond to alerts, such as disabling accounts and isolating problematic networks. Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation Set up automated threat responses in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/tutorial-security-incident#triage-security-alerts Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence Set up automated threat responses in Microsoft Sentinel: https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook IR-7 Incident Response nan 17.8 - Conduct Post-Incident Reviews IR-4 INCIDENT HANDLING 12.1 Post-incident activity - conduct lessons learned and retain evidence Conduct lessons learned in your organization periodically and/or after major incidents, to improve your future capability in incident response and handling. Use the outcome from the lessons learned activity to update your incident response plan, playbook (such as a Microsoft Sentinel playbook) and reincorporate findings into your environments (such as logging and threat detection to address any gaps in logging) to improve your future capability in detecting, responding to, and handling incidents in Azure.
Incident response process - Post-incident cleanup: Create incident analysis for a closed incident in Incident Manager using the standard incident analysis template or your own custom template. Use the outcome from the lessons learned activity to update your incident response plan, playbook (such as the AWS Systems Manager runbook and Microsoft Sentinel playbook) and reincorporate findings into your environments (such as logging and threat detection to address any gaps in logging) to improve your future capability in detecting, responding to, and handling incidents in AWS. Post-incident analysis: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center https://docs.microsoft.com/security/compass/incident-response-process#2-post-incident-cleanup https://docs.aws.amazon.com/incident-manager/latest/userguide/analysis.html Based on the nature of the incident, retain the evidence related to the incident for the period defined in the incident handling standard for further analysis or legal actions. Keep the evidence collected during the "Detection and analysis - investigate an incident" step, such as system logs, network traffic dumps and running system snapshots, in storage such as an Azure Storage account for immutable retention. Keep the evidence collected during the "Detection and analysis - investigate an incident" step, such as system logs, network traffic dumps and running system snapshots, in storage such as an Amazon S3 bucket or Azure Storage account for immutable retention.
Incident preparation: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-incident-preparation Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence

MCSB_v1 - Logging and Threat Detection

ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 AWS Config Rule (WIP) Customer Security Stakeholders: LT-1 Logging and threat detection 6.7 - Regularly Review Logs 8.11 - Conduct Audit Log Reviews AU-3: CONTENT OF AUDIT RECORDS Enable threat detection capabilities To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies. Configure your alert filtering and analytics rules to extract high-quality alerts from log data, agents, or other data sources to reduce false positives. Use the threat detection capability of Microsoft Defender for Cloud for the respective Azure services. Introduction to Microsoft Defender for Cloud: Use Amazon GuardDuty for threat detection, which analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, and DNS logs. GuardDuty is capable of reporting on security issues such as privilege escalation, exposed credential usage, or communication with malicious IP addresses or domains.
Amazon GuardDuty: nan Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING https://learn.microsoft.com/azure/defender-for-cloud/defender-for-cloud-introduction https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html AU-12: AUDIT GENERATION For threat detection not included in Microsoft Defender services, refer to the Microsoft Cloud Security Benchmark service baselines for the respective services to enable the threat detection or security alert capabilities within the service. Ingest alerts and log data from Microsoft Defender for Cloud, Microsoft 365 Defender, and log data from other resources into your Azure Monitor or Microsoft Sentinel instances to build analytics rules, which hunt for and detect threats and create alerts that match specific criteria across your environment. Configure AWS Config to check rules in SecurityHub for compliance monitoring such as configuration drift, and create findings when needed. Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center SI-4: INFORMATION SYSTEM MONITORING Microsoft Defender for Cloud security alerts reference guide: Amazon GuardDuty data sources: For Operational Technology (OT) environments that include computers that control or monitor Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) resources, use Microsoft Defender for IoT to inventory assets and detect threats and vulnerabilities. https://docs.microsoft.com/azure/security-center/alerts-reference For threat detection not included in GuardDuty and SecurityHub, enable threat detection or security alert capabilities within the supported AWS services. Extract the alerts to your CloudTrail, CloudWatch, or Microsoft Sentinel to build analytics rules, which hunt for threats that match specific criteria across your environment.
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management For services that do not have a native threat detection capability, consider collecting the data plane logs and analyze the threats through Microsoft Sentinel. Create custom analytics rules to detect threats: You can also use Microsoft Defender for Cloud to monitor certain services in AWS such as EC2 instances. Connect your AWS accounts to Microsoft Defender for Cloud: Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings For Operational Technology (OT) environments that include computers that control or monitor Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) resources, use Microsoft Defender for IoT to inventory assets and detect threats and vulnerabilities. 
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence Threat indicators for cyber threat intelligence in Microsoft Sentinel: How Defender for Cloud Apps helps protect your Amazon Web Services (AWS) environment https://docs.microsoft.com/azure/architecture/example-scenario/data/sentinel-threat-intelligence https://docs.microsoft.com/en-us/defender-cloud-apps/protect-aws Security recommendations for AWS resources - a reference guide: https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-aws LT-2 Logging and threat detection 4.9 - Log and Alert on Unsuccessful Administrative Account Login 8.11 - Conduct Audit Log Reviews AU-3: CONTENT OF AUDIT RECORDS 10.6 Enable threat detection for identity and access management Detect threats for identities and access management by monitoring the user and application sign-in and access anomalies. Behavioral patterns such as an excessive number of failed login attempts, and deprecated accounts in the subscription, should be alerted on. Azure AD provides the following logs that can be viewed in Azure AD reporting or integrated with Azure Monitor, Microsoft Sentinel or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases: Audit activity reports in Azure AD: AWS IAM provides the following logs and reports for console user activities through IAM Access Advisor and the IAM credential report: IAM credential reports: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint 6.7 - Regularly Review Logs AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING 10.8 - Sign-ins: The sign-ins report provides information about the usage of managed applications and user sign-in activities. https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs - Every successful sign-in and unsuccessful login attempt. 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html 16.13 - Alert on Account Login Behavior Deviation AU-12: AUDIT GENERATION A3.5 - Audit logs: Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies. - Multi-factor authentication (MFA) status for each user. Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center SI-4: INFORMATION SYSTEM MONITORING - Risky sign-ins: A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account. Enable Azure Identity Protection: - Dormant IAM user GuardDuty data source: - Users flagged for risk: A risky user is an indicator for a user account that might have been compromised. https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management For API level access monitoring and threat detection, use Amazon GuardDuty to identify the findings related to IAM. Examples of these findings include: Azure AD also provides an Identity Protection module to detect and remediate risks related to user accounts and sign-in behaviors. Examples of risks include leaked credentials, sign-in from anonymous or malware-linked IP addresses, and password spray. The policies in Azure AD Identity Protection allow you to enforce risk-based MFA authentication in conjunction with Azure Conditional Access on user accounts. 
Threat protection in Microsoft Defender for Cloud: - An API used to gain access to an AWS environment and was invoked in an anomalous way, or was used to evade defensive measures GuardDuty IAM finding types: Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops https://docs.microsoft.com/azure/security-center/threat-protection - An API used to: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html In addition, Microsoft Defender for Cloud can be configured to alert on deprecated accounts in the subscription and suspicious activities such as an excessive number of failed authentication attempts. In addition to the basic security hygiene monitoring, Microsoft Defender for Cloud's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (such as virtual machines, containers, app service), data resources (such as SQL DB and storage), and Azure service layers. This capability allows you to see account anomalies inside the individual resources. a) discover resources was invoked in an anomalous way Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence Overview of Microsoft Defender for Identity: b) collect data from an AWS environment was invoked in an anomalous way. Note: If you are connecting your on-premises Active Directory for synchronization, use the Microsoft Defender for Identity solution to consume your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. https://learn.microsoft.com/defender-for-identity/what-is b) tamper with data or processes in an AWS environment was invoked in an anomalous way. c) gain unauthorized access to an AWS environment was invoked in an anomalous way. 
d) maintain unauthorized access to an AWS environment was invoked in an anomalous way. e) obtain high-level permissions to an AWS environment was invoked in an anomalous way. f) be invoked from a known malicious IP address. g) be invoked using root credentials. - AWS CloudTrail logging was disabled. - Account password policy was weakened. - Multiple worldwide successful console logins were observed. - Credentials that were created exclusively for an EC2 instance through an Instance launch role are being used from another account within AWS. - Credentials that were created exclusively for an EC2 instance through an Instance launch role are being used from an external IP address. - An API was invoked from a known malicious IP address. - An API was invoked from an IP address on a custom threat list. - An API was invoked from a Tor exit node IP address. LT-3 Logging and threat detection 6.2 - Activate Audit Logging 8.2 - Collect Audit Logs AU-3: CONTENT OF AUDIT RECORDS 10.1 Enable logging for security investigation Enable logging for your cloud resources to meet the requirements for security incident investigations and security response and compliance purposes. Enable logging capability for resources at the different tiers, such as logs for Azure resources, operating systems and applications inside your VMs, and other log types. Understand logging and different log types in Azure: Use AWS CloudTrail logging for management events (control plane operations) and data events (data plane operations) and monitor these trails with CloudWatch for automated actions. 
Enabling logging from certain AWS services: Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint 6.3 - Enable Detailed Logging 8.5 - Collect Detailed Audit Logs AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING 10.2 https://docs.microsoft.com/azure/azure-monitor/platform/platform-logs-overview https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html 8.8 - Enable Command-Line Audit Logging 8.12 - Collect Service Provider Logs AU-12: AUDIT GENERATION 10.3 Be mindful about the different types of logs for security, audit, and other operational logs at the management/control plane and data plane tiers. There are three types of logs available on the Azure platform: The Amazon CloudWatch Logs service allows you to collect and store logs from your resources, applications, and services in near real time. There are three main categories of logs: Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center SI-4: INFORMATION SYSTEM MONITORING - Azure resource log: Logging of operations that are performed within an Azure resource (the data plane). For example, getting a secret from a key vault or making a request to a database. The content of resource logs varies by the Azure service and resource type. Understand Microsoft Defender for Cloud data collection: - Vended logs: Logs natively published by AWS services on your behalf. Currently, Amazon VPC Flow Logs and Amazon Route 53 logs are the two supported types. These two logs are enabled by default. https://docs.aws.amazon.com/whitepapers/latest/introduction-aws-security/monitoring-and-logging.html - Azure activity log: Logging of operations on each Azure resource at the subscription layer, from the outside (the management plane). 
You can use the Activity Log to determine what, who, and when for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. There is a single Activity log for each Azure subscription. https://docs.microsoft.com/azure/security-center/security-center-enable-data-collection - Logs published by AWS services: Logs from more than 30 AWS services publish to CloudWatch. They include Amazon API Gateway, AWS Lambda, AWS CloudTrail, and many others. These logs can be enabled directly in the services and CloudWatch. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management - Azure Active Directory logs: Logs of the history of sign-in activity and audit trail of changes made in the Azure Active Directory for a particular tenant. - Custom logs: Logs from your own application and on-premises resources. You may need to collect these logs by installing the CloudWatch Agent in your operating systems and forwarding them to CloudWatch. https://aws.amazon.com/cloudwatch/features/ Enable and configure antimalware monitoring: Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops You can also use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collection on Azure resources. https://docs.microsoft.com/azure/security/fundamentals/antimalware#enable-and-configure-antimalware-monitoring-using-powershell-cmdlets While many services publish logs only to CloudWatch Logs, some AWS services can publish logs directly to Amazon S3 or Amazon Kinesis Data Firehose, where you can use different logging storage and retention policies. 
Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence Operating systems and application logs inside your compute resources: https://docs.microsoft.com/azure/azure-monitor/agents/data-sources#operating-system-guest LT-4 Logging and threat detection 6.2 - Activate Audit Logging 8.2 - Collect Audit Logs AU-3: CONTENT OF AUDIT RECORDS 10.8 Enable network logging for security investigation Enable logging for your network services to support network-related incident investigations, threat hunting, and security alert generation. The network logs may include logs from network services such as IP filtering, network and application firewall, DNS, flow monitoring and so on. Enable and collect network security group (NSG) resource logs, NSG flow logs, Azure Firewall logs, and Web Application Firewall (WAF) logs, and logs from virtual machines via the network traffic data collection agent for security analysis to support incident investigations and security alert generation. You can send the flow logs to an Azure Monitor Log Analytics workspace and then use Traffic Analytics to provide insights. How to enable network security group flow logs: Enable and collect network logs such as VPC Flow Logs, WAF Logs, and Route53 Resolver query logs for security analysis to support incident investigations and security alert generation. The logs can be exported to CloudWatch for monitoring or an S3 storage bucket for ingesting into the Microsoft Sentinel solution for centralized analytics. 
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center 6.3 - Enable Detailed Logging 8.5 - Collect Detailed Audit Logs AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING https://docs.microsoft.com/azure/network-watcher/network-watcher-nsg-flow-logging-portal 7.6 - Log All URL Requests 8.6 - Collect DNS Query Audit Logs AU-12: AUDIT GENERATION Collect DNS query logs to assist in correlating other network data. Infrastructure and endpoint security 8.7 - Enable DNS Query Logging 8.7 - Collect URL Request Audit Logs SI-4: INFORMATION SYSTEM MONITORING Azure Firewall logs and metrics: 12.8 - Deploy NetFlow Collection on Networking Boundary Devices 13.6 - Collect Network Traffic Flow Logs https://docs.microsoft.com/azure/firewall/logs-and-metrics Application security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Azure networking monitoring solutions in Azure Monitor: Threat intelligence: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-threat-intelligence https://docs.microsoft.com/azure/azure-monitor/insights/azure-networking-analytics Gather insights about your DNS infrastructure with the DNS Analytics solution: https://docs.microsoft.com/azure/azure-monitor/insights/dns-analytics LT-5 Logging and threat detection 6.5 - Central Log Management 8.9 - Centralize Audit Logs AU-3: CONTENT OF AUDIT RECORDS Centralize security log management and analysis Centralize logging storage and analysis to enable correlation across log data. For each log source, ensure that you have assigned a data owner, access guidance, storage location, what tools are used to process and access the data, and data retention requirements. Ensure that you are integrating Azure activity logs into a centralized Log Analytics workspace. 
Use Azure Monitor to query and perform analytics and create alert rules using the logs aggregated from Azure services, endpoint devices, network resources, and other security systems. How to collect platform logs and metrics with Azure Monitor: Ensure that you are integrating your AWS logs into a centralized resource for storage and analysis. Use CloudWatch to query and perform analytics, and to create alert rules using the logs aggregated from AWS services, endpoint devices, network resources, and other security systems. Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 6.6 - Deploy SIEM or Log Analytic tool 8.11 - Conduct Audit Log Reviews AU-6: AUDIT REVIEW, ANALYSIS, AND REPORTING https://docs.microsoft.com/azure/azure-monitor/platform/diagnostic-settings https://docs.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3 6.7 - Regularly Review Logs 13.1 - Centralize Security Event Alerting AU-12: AUDIT GENERATION Use a cloud-native SIEM if you don't have an existing SIEM solution for CSPs, or aggregate logs/alerts into your existing SIEM. In addition, enable and onboard data to Microsoft Sentinel, which provides security information event management (SIEM) and security orchestration automated response (SOAR) capabilities. In addition, you can aggregate the logs in an S3 storage bucket and onboard the log data to Microsoft Sentinel, which provides security information event management (SIEM) and security orchestration automated response (SOAR) capabilities. 
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 8.6 - Centralize Anti-Malware Logging SI-4: INFORMATION SYSTEM MONITORING How to onboard Azure Sentinel: https://docs.microsoft.com/azure/sentinel/quickstart-onboard Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint LT-6 Logging and threat detection 6.4 - Ensure Adequate Storage for Logs 8.3 - Ensure Adequate Audit Log Storage AU-11: AUDIT RECORD RETENTION 10.5 Configure log storage retention Plan your log retention strategy according to your compliance, regulation, and business requirements. Configure the log retention policy at the individual logging services to ensure the logs are archived appropriately. Logs such as Azure Activity Logs are retained for 90 days and then deleted. You should create a diagnostic setting and route the logs to another location (such as Azure Monitor Log Analytics workspace, Event Hubs or Azure Storage) based on your needs. This strategy also applies to other resource logs and resources managed by yourself such as logs in the operating systems and applications inside VMs. Change the data retention period in Log Analytics: By default, logs are kept indefinitely and never expire in CloudWatch. You can adjust the retention policy for each log group, keeping the indefinite retention, or choosing a retention period between 10 years and one day. 
Altering CloudWatch log retention: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 8.10 - Retain Audit Logs 10.7 https://docs.microsoft.com/azure/azure-monitor/platform/manage-cost-storage#change-the-data-retention-period https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html You have the following log retention options: Use Amazon S3 for log archival from CloudWatch and apply object lifecycle management and archival policy to the bucket. You can use Azure Storage for central log archival by transferring the files from Amazon S3 to Azure Storage. Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops - Use Azure Monitor Log Analytics workspace for a log retention period of up to 1 year or per your response team requirements. How to configure retention policy for Azure Storage account logs: Copy data from Amazon S3 to Azure Storage by using AzCopy: - Use Azure Storage, Data Explorer or Data Lake for long-term and archival storage for greater than 1 year and to meet your security compliance requirements. https://docs.microsoft.com/azure/storage/common/storage-monitor-storage-account#configure-logging https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-s3 Security operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center - Use Azure Event Hubs to forward logs to an external resource outside of Azure. Microsoft Defender for Cloud alerts and recommendations export: https://docs.microsoft.com/azure/security-center/continuous-export Security compliance management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management Note: Microsoft Sentinel uses Log Analytics workspace as its backend for log storage. 
You should consider a long-term storage strategy if you plan to retain SIEM logs for a longer time. LT-7 Logging and threat detection 6.1 - Utilize Three Synchronized Time Sources 8.4 - Standardize Time Synchronization AU-8: TIME STAMPS 10.4 Use approved time synchronization sources Use approved time synchronization sources for your logging time stamps, which include date, time and time zone information. Microsoft maintains time sources for most Azure PaaS and SaaS services. For your compute resources' operating systems, use a Microsoft default NTP server for time synchronization unless you have a specific requirement. If you need to stand up your own network time protocol (NTP) server, ensure you secure the UDP service port 123. How to configure time synchronization for Azure Windows compute resources: AWS maintains time sources for most AWS services. For resources or services where the operating system time setting is configured, use the AWS default Amazon Time Sync Service for time synchronization unless you have a specific requirement. If you need to stand up your own network time protocol (NTP) server, ensure you secure the UDP service port 123. Set the time for a Linux instance: Policy and standards: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-policy-standards https://docs.microsoft.com/azure/virtual-machines/windows/time-sync https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html All logs generated by resources within Azure provide time stamps with the time zone specified by default. All logs generated by resources within AWS provide time stamps with the time zone specified by default. 
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops How to configure time synchronization for Azure Linux compute resources: Set the time for a Windows instance: https://docs.microsoft.com/azure/virtual-machines/linux/time-sync https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/windows-set-time.html Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint How to disable inbound UDP for Azure services: https://support.microsoft.com/help/4558520/how-to-disable-inbound-udp-for-azure-services"},{"location":"Azure/Security/MCSB/Network%20Security/","title":"MCSB_v1 - Network Security","text":"ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context: Customer Security Stakeholders: NS-1 Network Security 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running 3.12 - Segment Data Processing and Storage Based on Sensitivity AC-4: INFORMATION FLOW ENFORCEMENT 1.1 Establish network segmentation boundaries Ensure that your virtual network deployment aligns to your enterprise segmentation strategy defined in the GS-2 security control. Any workload that could incur higher risk for the organization should be in isolated virtual networks. Create a virtual network (VNet) as a fundamental segmentation approach in your Azure network, so resources such as VMs can be deployed into the VNet within a network boundary. To further segment the network, you can create subnets inside VNet for smaller sub-networks. 
Azure Virtual Network concepts and best practices: Create a Virtual Private Cloud (VPC) as a fundamental segmentation approach in your AWS network, so resources such as EC2 instances can be deployed into the VPC within a network boundary. To further segment the network, you can create subnets inside the VPC for smaller sub-networks. Control traffic to EC2 instances with security groups: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 9.4 - Apply Host-Based Firewalls or Port Filtering 13.4 - Perform Traffic Filtering Between Network Segments SC-2: APPLICATION PARTITIONING 1.2 Examples of high-risk workloads include: https://docs.microsoft.com/azure/virtual-network/concepts-and-best-practices https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html 12.3 - Deny Communications with Known Malicious IP Addresses 4.4 - Implement and Manage a Firewall on Servers SC-7: BOUNDARY PROTECTION 1.3 - An application storing or processing highly sensitive data. Use network security groups (NSG) as a network layer control to restrict or monitor traffic by port, protocol, source IP address, or destination IP address. Refer to NS-7 Simplify network security configuration to use Adaptive Network Hardening to recommend NSG hardening rules based on threat intelligence and traffic analysis results. For EC2 instances, use Security Groups as a stateful firewall to restrict traffic by port, protocol, source IP address, or destination IP address. At the VPC subnet level, use Network Access Control List (NACL) as a stateless firewall to have explicit rules for ingress and egress traffic to the subnet. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 12.4 - Deny Communication over Unauthorized Ports - An external network-facing application accessible by the public or users outside of your organization. 
Add, change, or delete a virtual network subnet: Compare security groups and network ACLs: 14.1 - Segment the Network Based on Sensitivity - An application using insecure architecture or containing vulnerabilities that cannot be easily remediated. You can also use application security groups (ASGs) to simplify complex configuration. Instead of defining policy based on explicit IP addresses in network security groups, ASGs enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. https://docs.microsoft.com/azure/virtual-network/virtual-network-manage-subnet Note: To control VPC traffic, the Internet Gateway and NAT Gateway should be configured to ensure that traffic from/to the internet is restricted. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 14.2 - Enable Firewall Filtering Between VLANs To enhance your enterprise segmentation strategy, restrict or monitor traffic between internal resources using network controls. For specific, well-defined applications (such as a 3-tier app), this can be a highly secure \"deny by default, permit by exception\" approach by restricting the ports, protocols, source, and destination IPs of the network traffic. If you have many applications and endpoints interacting with each other, blocking traffic may not scale well, and you may only be able to monitor traffic. 
How to create a network security group with security rules: Internet Gateway: https://docs.microsoft.com/azure/virtual-network/tutorial-filter-network-traffic https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html Understand and use application security groups: NAT Gateway: https://docs.microsoft.com/azure/virtual-network/network-security-groups-overview#application-security-groups https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html NS-2 Network Security 14.1 - Segment the Network Based on Sensitivity 3.12 - Segment Data Processing and Storage Based on Sensitivity AC-4: INFORMATION FLOW ENFORCEMENT 1.1 Secure cloud native services with network controls Secure cloud services by establishing a private access point for the resources. You should also disable or restrict access from public network when possible. Deploy private endpoints for all Azure resources that support the Private Link feature, to establish a private access point for the resources. Using Private Link will keep the private connection from routing through the public network. Understand Azure Private Link: Deploy VPC PrivateLink for all AWS resources that support the PrivateLink feature, to allow private connection to the supported AWS services or services hosted by other AWS accounts (VPC endpoint services). Using PrivateLink will keep the private connection from routing through the public network. 
AWS PrivateLink: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 4.4 - Implement and Manage a Firewall on Servers SC-2: APPLICATION PARTITIONING 1.2 https://docs.microsoft.com/azure/private-link/private-link-overview https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-service.html SC-7: BOUNDARY PROTECTION 1.3 Note: Certain Azure services may also allow private communication through the service endpoint feature, though it is recommended to use Azure Private Link for secure and private access to services hosted on Azure platform. For certain services, you can choose to deploy the service instance into your own VPC to isolate the traffic. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management Integrate Azure services with virtual networks for network isolation: Blocking public access to your Amazon S3 storage: For certain services, you can choose to deploy VNet integration for the service where you can restrict/isolate the VNET to establish a private access point for the service. https://learn.microsoft.com/en-us/azure/virtual-network/vnet-integration-for-azure-services You also have the option to configure the service native ACL rules to block access from the public network. For example, Amazon S3 allows you to block public access at the bucket or account level. https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops You also have the option to configure the service native network ACL rules or simply disable public network access to block access from the public network. 
When assigning IPs to your service resources in your VPC, unless there is a strong use case, you should avoid assigning public IPs/subnet directly to your resources and instead use private IPs/subnet. For Azure VMs, unless there is a strong use case, you should avoid assigning public IPs/subnet directly to the VM interface and instead use gateway or load balancer services as the front-end for access by the public network. NS-3 Network Security 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running 4.4 - Implement and Manage a Firewall on Servers AC-4: INFORMATION FLOW ENFORCEMENT 1.1 Deploy firewall at the edge of enterprise network Deploy a firewall to perform advanced filtering on network traffic to and from external networks. You can also use firewalls between internal segments to support a segmentation strategy. If required, use custom routes for your subnet to override the system route when you need to force the network traffic to go through a network appliance for security control purpose. Use Azure Firewall to provide fully stateful application layer traffic restriction (such as URL filtering) and/or central management over a large number of enterprise segments or spokes (in a hub/spoke topology). How to deploy Azure Firewall: Use AWS Network Firewall to provide fully stateful application layer traffic restriction (such as URL filtering) and/or central management over a large number of enterprise segments or spokes (in a hub/spoke topology). 
AWS Network Firewall: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 9.4 - Apply Host-Based Firewalls or Port Filtering 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software SC-7: BOUNDARY PROTECTION 1.2 https://docs.microsoft.com/azure/firewall/tutorial-firewall-deploy-portal https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html 12.3 - Deny Communications with Known Malicious IP Addresses 13.10 Perform Application Layer Filtering CM-7: LEAST FUNCTIONALITY 1.3 At a minimum, block known bad IP addresses and high-risk protocols, such as remote management (for example, RDP and SSH) and intranet protocols (for example, SMB and Kerberos). If you have a complex network topology, such as a hub/spoke setup, you may need to create user-defined routes (UDR) to ensure the traffic goes through the desired route. For example, you have the option to use an UDR to redirect egress internet traffic through a specific Azure Firewall or a network virtual appliance. If you have a complex network topology, such as a hub/spoke setup, you may need to create custom VPC route tables to ensure the traffic goes through the desired route. For example, you have the option to use a custom route to redirect egress internet traffic through a specific AWS Firewall or a network virtual appliance. 
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 12.4 - Deny Communication over Unauthorized Ports Virtual network traffic routing: AWS VPC configure custom route tables: 14.1 - Segment the Network Based on Sensitivity https://docs.microsoft.com/azure/virtual-network/virtual-networks-udr-overview https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 14.2 - Enable Firewall Filtering Between VLANs NS-4 Network Security 12.6 - Deploy Network-Based IDS Sensors 13.2 Deploy a Host-Based Intrusion Detection Solution SC-7: BOUNDARY PROTECTION 11.4 Deploy intrusion detection/intrusion prevention systems (IDS/IPS) Use network intrusion detection and intrusion prevention systems (IDS/IPS) to inspect the network and payload traffic to or from your workload. Ensure that IDS/IPS is always tuned to provide high-quality alerts to your SIEM solution. Use Azure Firewall\u2019s IDPS capability to protect your virtual network to alert on and/or block traffic to and from known malicious IP addresses and domains. Azure Firewall IDPS: Use AWS Network Firewall\u2019s IPS capability to protect your VPC to alert on and/or block traffic to and from known malicious IP addresses and domains. 
IPS stateful rule groups in AWS Network Firewall: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 12.7 - Deploy Network-Based Intrusion Prevention Systems 13.3 - Deploy a Network Intrusion Detection Solution SI-4: INFORMATION SYSTEM MONITORING https://docs.microsoft.com/azure/firewall/premium-features#idps https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-ips.html 13.7 Deploy a Host-Based Intrusion Prevention Solution For more in-depth host level detection and prevention capability, use host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution in conjunction with the network IDS/IPS. For more in-depth host-level detection and prevention capabilities, deploy host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution, such as Microsoft Defender for Endpoint, at the VM level in conjunction with the network IDS/IPS. For more in-depth host-level detection and prevention capabilities, deploy host-based IDS/IPS or a host-based endpoint detection and response (EDR) solution, such as third-party solution for host-based IDS/IPS, at the VM level in conjunction with the network IDS/IPS. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 13.8 - Deploy a Network Intrusion Prevention Solution Microsoft Defender for Endpoint capability: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response https://aws.amazon.com/marketplace/search?searchTerms=IPS Note: If using a third-party IDS/IPS from marketplace, use Transit Gateway and Gateway Balancer to direct the traffic for in-line inspection. 
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops NS-5 Network Security 9.5 - Implement Application Firewalls 13.10 - Perform Application Layer Filtering SC-5: DENIAL OF SERVICE PROTECTION 1.1 Deploy DDOS protection Deploy distributed denial of service (DDoS) protection to protect your network and applications from attacks. DDoS Protection Basic is automatically enabled to protect the Azure underlying platform infrastructure (e.g., Azure DNS) and requires no configuration from the users. Manage Azure DDoS Protection Standard using the Azure portal: AWS Shield Standard is automatically enabled with standard mitigations, to protect your workload from common network and transport layer (Layer 3 and 4) DDoS attacks AWS Shield Features: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 12.3 - Deny Communications with Known Malicious IP Addresses SC-7: BOUNDARY PROTECTION 1.2 https://docs.microsoft.com/azure/virtual-network/manage-ddos-protection https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html 1.3 For higher levels of protection of your application layer (Layer 7) attacks such as HTTP floods and DNS floods, enable the DDoS standard protection plan on your VNet to protect resources that are exposed to the public networks. For higher levels of protection of your applications against application layer (Layer 7) attack such as HTTPS floods, and DNS floods, enable AWS Shield Advanced protection on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53. 
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 6.6 Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops NS-6 Network Security 9.5 - Implement Application Firewalls 13.10 - Perform Application Layer Filtering SC-7: BOUNDARY PROTECTION 1.1 Deploy web application firewall Deploy a web application firewall (WAF) and configure the appropriate rules to protect your web applications and APIs from application-specific attacks. Use web application firewall (WAF) capabilities in Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) to protect your applications, services and APIs against application layer attacks at the edge of your network. How to deploy Azure WAF: Use AWS Web Application Firewall (WAF) in Amazon CloudFront distribution, Amazon API Gateway, Application Load Balancer, or AWS AppSync to protect your applications, services, and APIs against application layer attacks at the edge of your network. How AWS WAF works: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 12.3 - Deny Communications with Known Malicious IP Addresses 1.2 https://docs.microsoft.com/azure/web-application-firewall/overview https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html 12.9 - Deploy Application Layer Filtering Proxy Server 1.3 Set your WAF in \"detection\" or \"prevention mode,\" depending on your needs and threat landscape. Use AWS Managed Rules for WAF to deploy built-in baseline groups, and customize it to your application needs for the user-case rule groups. 
Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 18.10 - Deploy Web Application Firewalls (WAFs) 6.6 AWS WAF Security Automations: Choose a built-in ruleset, such as OWASP Top 10 vulnerabilities, and tune it to your application needs. To simplify the WAF rules deployment, you can also use the AWS WAF Security Automations solution to automatically deploy pre-defined AWS WAF rules that filters web-based attacks on your web ACL. https://docs.aws.amazon.com/solutions/latest/aws-waf3-security-automations/welcome.html Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops AWS Managed Rules for AWS WAF: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups.html NS-7 Network Security 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running 4.4 - Implement and Manage a Firewall on Severs AC-4: INFORMATION FLOW ENFORCEMENT 1.1 Simplify network security configuration When managing a complex network environment, use tools to simplify, centralize and enhance the network security management. Use the following features to simplify the implementation and management of the virtual network, NSG rules, and Azure Firewall rules: Adaptive Network Hardening in Microsoft Defender for Cloud: Use AWS Firewall Manager to centralize the network protection policy management across the following services. AWS Firewall Manager: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software SC-2: APPLICATION PARTITIONING 1.2 - Use Azure Virtual Network Manager to group, configure, deploy, and manage virtual networks and NSG rules across regions and subscriptions. 
https://docs.microsoft.com/azure/security-center/security-center-adaptive-network-hardening - AWS WAF policies https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-fms-intro.html SC-7: BOUNDARY PROTECTION 1.3 - Use Microsoft Defender for Cloud Adaptive Network Hardening to recommend NSG hardening rules that further limit ports, protocols and source IPs based on threat intelligence and traffic analysis result. - AWS Shield Advanced policies Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management - Use Azure Firewall Manager to centralize the firewall policy and route management of the virtual network. To simplify the firewall rules and network security groups implementation, you can also use the Azure Firewall Manager Azure Resource Manager (ARM) template. Azure Firewall Manager: - VPC security group policies https://docs.aws.amazon.com/waf/latest/developerguide/fms-findings.html https://docs.microsoft.com/azure/firewall-manager/overview - Network Firewall policies Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops AWS Firewall Manager can automatically analyze your firewall-related policies and create findings for non-compliant resources and for detected attacks and sends them to AWS Security Hub for investigation. Create an Azure Firewall and a firewall policy - ARM template https://docs.microsoft.com/azure/firewall-manager/quick-firewall-policy NS-8 Network Security 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running 4.4 - Implement and Manage a Firewall on Severs CM-2: BASELINE CONFIGURATION 4.1 Detect and disable insecure services and protocols Detect and disable insecure services and protocols at the OS, application, or software package layer. Deploy compensating controls if disabling insecure services and protocols are not possible. 
Use Microsoft Sentinel\u2019s built-in Insecure Protocol Workbook to discover the use of insecure services and protocols such as SSL/TLSv1, SSHv1, SMBv1, LM/NTLMv1, wDigest, weak ciphers in Kerberos, and Unsigned LDAP Binds. Disable insecure services and protocols that do not meet the appropriate security standard. Azure Sentinel insecure protocols workbook: Enable VPC Flow Logs and use GuardDuty to analyze the VPC Flow Logs to identify the possible insecure services and protocols that do not meet the appropriate security standard. Use GuardDuty with VPC Flow Logs as the data source: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software CM-6: CONFIGURATION SETTINGS A2.1 https://docs.microsoft.com/azure/sentinel/quickstart-get-visibility#use-built-in-workbooks https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html#guardduty_vpc CM-7: LEAST FUNCTIONALITY A2.2 Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resources through network security groups, Azure Firewall, or Azure Web Application Firewall to reduce the attack surface. If the logs in the AWS environment can be forwarded to Microsoft Sentinel, you can also use Microsoft Sentinel\u2019s built-in Insecure Protocol Workbook to discover the use of insecure services and protocols Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management A2.3 Note: If disabling insecure services or protocols is not possible, use compensating controls such as blocking access to the resources through security groups, AWS Network Firewall, or AWS Web Application Firewall to reduce the attack surface. 
Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops NS-9 Network Security nan 12.7 - Ensure Remote Devices Utilize a VPN and are Connecting to CA-3: SYSTEM INTERCONNECTIONS nan Connect on-premises or cloud network privately Use private connections for secure communication between different networks, such as cloud service provider datacenters and on-premises infrastructure in a colocation environment. For lightweight site-to-site or point-to-site connectivity, use Azure virtual private network (VPN) to create a secure connection between your on-premises site or end-user device and the Azure virtual network. Azure VPN overview: For lightweight site-to-site or point-to-site connectivity, use AWS VPN to create a secure connection (when IPsec overhead is not a concern) between your on-premises site or end-user device to the AWS network. AWS Direct Connect introduction: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture an Enterprise\u2019s AAA Infrastructure AC-17: REMOTE ACCESS https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html AC-4: INFORMATION FLOW ENFORCEMENT For enterprise-level high performance connections, use Azure ExpressRoute (or Virtual WAN) to connect Azure datacenters and on-premises infrastructure in a co-location environment. For enterprise-level high performance connections, use AWS Direct Connect to connect AWS VPCs and resources with your on-premises infrastructure in a co-location environment. Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management What are the ExpressRoute connectivity models: AWS VPN introduction: When connecting two or more Azure virtual networks together, use virtual network peering. 
Network traffic between peered virtual networks is private and is kept on the Azure backbone network. https://docs.microsoft.com/azure/expressroute/expressroute-connectivity-models You have the option to use VPC Peering or Transit Gateway to establish connectivity between two or more VPCs within or across regions. Network traffic between peered VPC is private and is kept on the AWS backbone network. When you need to join multiple VPCs to create a large flat subnet, you also have the option to use VPC Sharing. https://docs.aws.amazon.com/vpn/ Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Virtual network peering: Transit Gateway: https://docs.microsoft.com/azure/virtual-network/virtual-network-peering-overview https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html Create and accept VPC peering connections: https://docs.aws.amazon.com/vpc/latest/peering/create-vpc-peering-connection.html VPC Sharing: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/amazon-vpc-sharing.html NS-10 Network Security 7.7 - Use of DNS Filtering Services 4.9 - Configure Trusted DNS Servers on Enterprise Assets SC-20: SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) nan Ensure Domain Name System (DNS) security Ensure that Domain Name System (DNS) security configuration protects against known risks: Use Azure recursive DNS (usually assigned to your VM through DHCP or preconfigured in the service) or a trusted external DNS server in your workload recursive DNS setup, such as in the VM's operating system or in the application. Azure DNS overview: Use the Amazon DNS Server (i.e. 
Amazon Route 53 Resolver server which is usually assigned to you through DHCP or preconfigured in the service) or a centralized trusted DNS resolver server in your workload recursive DNS setup, such as in the VM's operating system or in the application. Amazon Route 53 DNSSEC configuration: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture 9.2 - Use DNS Filtering Services SC-21: SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) - Use trusted authoritative and recursive DNS services across your cloud environment to ensure the client (such as operating systems and applications) receive the correct resolution result. https://docs.microsoft.com/azure/dns/dns-overview https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html - Separate the public and private DNS resolution so the DNS resolution process for the private network can be isolated from the public network. Use Azure Private DNS for a private DNS zone setup where the DNS resolution process does not leave the designated virtual network. Use a custom DNS to restrict the DNS resolution to only allow trusted resolution to your client. Use Amazon Route 53 to create a private hosted zone setup where the DNS resolution process does not leave the designated VPCs. Use Amazon Route 53 firewall to regulate and filter the outbound DNS/UDP traffic in your VPC for the following use cases: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management - Ensure your DNS security strategy also includes mitigations against common attacks, such as dangling DNS, DNS amplifications attacks, DNS poisoning and spoofing, and so on. 
Secure Domain Name System (DNS) Deployment Guide: - Prevent attacks such as DNS exfiltration in your VPC Amazon Route 53 firewall: Use Microsoft Defender for DNS for the advanced protection against the following security threats to your workload or your DNS service: https://csrc.nist.gov/publications/detail/sp/800-81/2/final - Set up allow or deny lists for the domains that your applications can query https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops - Data exfiltration from your Azure resources using DNS tunneling - Malware communicating with a command-and-control server Azure Private DNS: Configure Domain Name System Security Extensions (DNSSEC) feature in Amazon Route 53 to secure DNS traffic to protect your domain from DNS spoofing or a man-in-the-middle attack. Amazon Route 53 domain registration: - Communication with malicious domains such as as phishing and crypto mining https://docs.microsoft.com/azure/dns/private-dns-overview https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/registrar.html - DNS attacks in communication with malicious DNS resolvers Amazon Route 53 also provides a DNS registration service where Route 53 can be used as the authoritative name servers for your domains. The following best practices should be followed to ensure the security of your domain names: Azure Defender for DNS: - Domain names should be automatically renewed by the Amazon Route 53 service. You can also use Microsoft Defender for App Service to detect dangling DNS records if you decommission an App Service website without removing its custom domain from your DNS registrar. https://docs.microsoft.com/azure/security-center/defender-for-dns-introduction - Domain names should have the Transfer Lock feature enabled in order to keep them secure. 
- he Sender Policy Framework (SPF) is should be used to stop spammers from spoofing your domain. Prevent dangling DNS entries and avoid subdomain takeover: https://docs.microsoft.com/azure/security/fundamentals/subdomain-takeover"},{"location":"Azure/Security/MCSB/Posture%20and%20Vulnerability%20Mgmt/","title":"MCSB_v1 - Posture and Vulnerability Mgmt","text":"ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders: PV-1 Posture and Vulnerability Management 5.1 - Establish Secure Configurations 4.1 - Establish and Maintain a Secure Configuration Process CM-2: BASELINE CONFIGURATION 1.1 Define and establish secure configurations Define the security configuration baselines for different resource types in the cloud. Alternatively, use configuration management tools to establish the configuration baseline automatically before or during resource deployment so the environment can be compliant by default after the deployment. Use the Microsoft Cloud Security Benchmark and service baseline to define your configuration baseline for each respective Azure offering or service. Refer to the Azure reference architecture and Cloud Adoption Framework landing zone architecture to understand the critical security controls and configurations that may be needed across Azure resources. Illustration of Guardrails implementation in Enterprise Scale Landing Zone: Use the Microsoft Cloud Security Benchmark - multi-cloud guidance for AWS and other input to define your configuration baseline for each respective AWS offering or service. Refer to the security pillar and other pillars in the AWS Well-Architectured Framework to understand the critical security controls and configurations that may be needed across AWS resources. 
AWS Control Tower: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 11.1 - Maintain Standard Security Configurations for Network Devices 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure CM-6: CONFIGURATION SETTINGS 2.2 https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture#landing-zone-expanded-definition https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html Use Azure landing zone (and Blueprints) to accelerate the workload deployment by setting up configuration of services and application environments, including Azure Resource Manager templates, Azure RBAC controls, and Azure Policy. Use AWS CloudFormation templates and AWS Config rules in the AWS landing zone definition to automate deployment and configuration of services and application environments. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Working with security policies in Microsoft Defender for Cloud: AWS Config rules: https://docs.microsoft.com/azure/security-center/tutorial-security-policy https://aws.amazon.com/config/ Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Tutorial: Create and manage policies to enforce compliance: AWS landing zone https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage Azure Blueprints: https://docs.microsoft.com/azure/governance/blueprints/overview PV-2 Posture and Vulnerability Management 5.4 - Deploy System Configuration Management Tools 4.1 - Establish and Maintain a Secure Configuration Process CM-2: BASELINE CONFIGURATION 2.2 Audit and enforce secure configurations Continuously monitor and alert when there is a deviation from the defined configuration baseline. 
Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration. Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources. Understand Azure Policy effects: Use AWS Config rules to audit configurations of your AWS resources. And you can choose to resolve the configuration drift using AWS Systems Manager Automation associated with the AWS Config rule. Use Amazon CloudWatch to create alerts when there is a configuration deviation detected on the resources. Remediating Noncompliant AWS Resources by AWS Config Rules: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 5.5 - Implement Automated Configuration Monitoring Systems 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure CM-6: CONFIGURATION SETTINGS https://docs.microsoft.com/azure/governance/policy/concepts/effects https://docs.aws.amazon.com/config/latest/developerguide/remediation.html 11.3 - Use Automated Tools to Verify Standard Device Configurations and Detect Changes Use Azure Policy [deny] and [deploy if not exist] rules to enforce secure configuration across Azure resources. For resource configuration audit and enforcement not supported by AWS Config, you may need to write custom scripts or use third-party tooling to implement the configuration audit and enforcement. 
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Create and manage policies to enforce compliance: Detecting unmanaged configuration changes to stacks and resources: For resource configuration audit and enforcement not supported by Azure Policy, you may need to write custom scripts or use third-party tooling to implement the configuration audit and enforcement. https://docs.microsoft.com/azure/governance/policy/tutorials/create-and-manage You can also centrally monitor your configuration drifting by onboarding your AWS account to Microsoft Defender for Cloud. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Get compliance data of Azure resources: AWS Config Comformance Pack: https://docs.microsoft.com/azure/governance/policy/how-to/get-compliance-data https://aws.amazon.com/about-aws/whats-new/2019/11/introducing-aws-config-conformance-packs/ PV-3 Posture and Vulnerability Management 5.1 - Establish Secure Configurations 4.1 - Establish and Maintain a Secure Configuration Process CM-2: BASELINE CONFIGURATION 2.2 Define and establish secure configurations for compute resources Define the secure configuration baselines for your compute resources, such as VMs and containers. Use configuration management tools to establish the configuration baseline automatically before or during the compute resource deployment so the environment can be compliant by default after the deployment. Alternatively, use a pre-configured image to build the desired configuration baseline into the compute resource image template. Use Azure recommended operating system security baselines (for both Windows and Linux) as a benchmark to define your compute resource configuration baseline. 
Linux OS security configuration baseline: Use EC2 AWS Machine Images (AMI) from trusted sources on marketplace as a benchmark to define your EC2 configuration baseline. Enable Azure Automation State Configuration: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 5.5 - Implement Automated Configuration Monitoring Systems CM-6: CONFIGURATION SETTINGS 11.5 https://docs.microsoft.com/azure/governance/policy/samples/guest-configuration-baseline-linux https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding#enable-physicalvirtual-windows-machines Additionally, you can use a custom VM image (using Azure Image Builder) or container image with Azure Automanage Machine Configuration (formerly called Azure Policy Guest Configuration) and Azure Automation State Configuration to establish the desired security configuration. Additionally, you can use EC2 Image Builder to build custom AMI template with a Systems Manager agent to establish the desired security configuration. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint Windows OS security configuration baseline: Note: The AWS Systems Manager Agent is preinstalled on some Amazon Machine Images (AMIs) provided by AWS. https://docs.microsoft.com/azure/governance/policy/samples/guest-configuration-baseline-windows Enable Azure Automation State Configuration: Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops For workload applications running within your EC2 instances, AWS Lambda or containers environment, you may use AWS System Manager AppConfig to establish the desired configuration baseline. 
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding#enable-physicalvirtual-windows-machines Security configuration recommendation for compute resources: https://docs.microsoft.com/azure/security-center/recommendations-reference Azure Automation State Configuration Overview: https://docs.microsoft.com/azure/automation/automation-dsc-overview PV-4 Posture and Vulnerability Management 5.4 - Deploy System Configuration Management Tools 4.1 - Establish and Maintain a Secure Configuration Process CM-2: BASELINE CONFIGURATION 2.2 Audit and enforce secure configurations for compute resources Continuously monitor and alert when there is a deviation from the defined configuration baseline in your compute resources. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration in compute resources. Use Microsoft Defender for Cloud and Azure Automanage Machine Configuration (formerly called Azure Policy Guest Configuration) to regularly assess and remediate configuration deviations on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements. Use Change Tracking and Inventory in Azure Automation to track changes in virtual machines hosted in Azure, on-premises, and other cloud environments to help you pinpoint operational and environmental issues with software managed by the Distribution Package Manager. Install the Guest Attestation agent on virtual machines to monitor for boot integrity on confidential virtual machines. 
How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: Use AWS System Manager's State Manager feature to regularly assess and remediate configuration deviations on your EC2 instances. In addition, you can use CloudFormation templates, custom operating system images to maintain the security configuration of the operating system. AMI templates in conjunction with Systems Manager can assist in meeting and maintaining security requirements. AWS System Manager State Manager: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 5.5 - Implement Automated Configuration Monitoring Systems CM-6: CONFIGURATION SETTINGS https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-state.html 11.3 - Use Automated Tools to Verify Standard Device Configurations and Detect Changes Note: Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft. 
You can also centrally monitor and manage the operating system configuration drift through Azure Automation State Configuration and onboard the applicable resources to Azure security governance using the following methods : Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint How to create an Azure virtual machine from an ARM template: - Onboard your AWS account into Microsoft Defender for Cloud Connect your AWS accounts to Microsoft Defender for Cloud: https://docs.microsoft.com/azure/virtual-machines/windows/ps-template - Use Azure Arc for servers to connect your EC2 instances to Microsoft Defender for Cloud https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Azure Automation State Configuration overview: For workload applications running within your EC2 instances, AWS Lambda or containers environment, you may use AWS System Manager AppConfig to audit and enforce the desired configuration baseline. Enable Azure Automation State Configuration: https://docs.microsoft.com/azure/automation/automation-dsc-overview https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding#enable-physicalvirtual-windows-machines Note: AMIs published by Amazon Web Services in AWS Marketplace are managed and maintained by Amazon Web Services. 
Create a Windows virtual machine in the Azure portal: https://docs.microsoft.com/azure/virtual-machines/windows/quick-create-portal Container security in Microsoft Defender for Cloud: https://docs.microsoft.com/azure/security-center/container-security Change Tracking and Inventory overview: https://learn.microsoft.com/azure/automation/change-tracking/overview?tabs=python-2 Guest attestation for confidential VMs: https://learn.microsoft.com/azure/confidential-computing/guest-attestation-confidential-vms PV-5 Posture and Vulnerability Management 3.1 - Run Automated Vulnerability Scanning Tools 5.5 - Establish and Maintain an Inventory of Service Accounts RA-3: RISK ASSESSMENT 6.1 Perform vulnerability assessments Perform vulnerabilities assessment for your cloud resources at all tiers in a fixed schedule or on-demand. Track and compare the scan results to verify the vulnerabilities are remediated. The assessment should include all type of vulnerabilities, such as vulnerabilities in Azure services, network, web, operating systems, misconfigurations, and so on. Follow recommendations from Microsoft Defender for Cloud for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Microsoft Defender for Cloud has a built-in vulnerability scanner for virtual machines. Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications) How to implement Microsoft Defender for Cloud vulnerability assessment recommendations: https://docs.microsoft.com/azure/security-center/security-center-vulnerability-assessment-recommendations Use Amazon Inspector to scan your Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure. 
Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications) Amazon Inspector: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 3.3 - Protect Dedicated Assessment Accounts 7.1 - Establish and Maintain a Vulnerability Management Process RA-5: VULNERABILITY SCANNING 6.2 https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html 3.6 - Compare Back-to-back Vulnerability Scans 7.5 - Perform Automated Vulnerability Scans of Internal Enterprise Assets 6.6 Be aware of the potential risks associated with the privileged access used by the vulnerability scanners. Follow the privileged access security best practice to secure any administrative accounts used for the scanning. Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Microsoft Defender for Cloud, you can pivot into the selected scan solution's portal to view historical scan data. Integrated vulnerability scanner for virtual machines: Refer to control ES-1, \"Use Endpoint Detection and Response (EDR)\", to onboard your AWS account into Microsoft Defender for Cloud and deploy Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) in your EC2 instances. Microsoft Defender for servers provides a native threat and vulnerability management capability for your VMs. The vulnerability scanning result will be consolidated in the Microsoft Defender for Cloud dashboard. 
Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint 7.6 - Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets 11.2 https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management: When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT (Just In Time) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning. Track the status of vulnerability findings to ensure they are properly remediated or suppressed if they're considered false positive. https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops SQL vulnerability assessment: Note: Microsoft Defender services (including Defender for servers, containers, App Service, Database, and DNS) embed certain vulnerability assessment capabilities. The alerts generated from Azure Defender services should be monitored and reviewed together with the result from Microsoft Defender for Cloud vulnerability scanning tool. https://docs.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing a temporary provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning. Note: Ensure you setup email notifications in Microsoft Defender for Cloud. 
Exporting Microsoft Defender for Cloud vulnerability scan results: https://docs.microsoft.com/azure/security-center/built-in-vulnerability-assessment#exporting-results PV-6 Posture and Vulnerability Management 3.4 - Deploy Automated Operating System Patch Management Tools 7.2 - Establish and Maintain a Remediation Process RA-3: RISK ASSESSMENT 6.1 Rapidly and automatically remediate vulnerabilities Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources. Use the appropriate risk-based approach to prioritize the remediation of vulnerabilities. For example, more severe vulnerabilities in a higher value asset should be addressed as a higher priority. Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically. How to configure Update Management for virtual machines in Azure: Use AWS Systems Manager - Patch Manager to ensure that the most recent security updates are installed on your operating systems and applications. Patch Manager supports patch baselines to allow you to define a list of approved and rejected patches for your systems. 
AWS Systems Manager - Patch Manager: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 3.5 - Deploy Automated Software Patch Management Tools 7.3 - Perform Automated Operating System Patch Management RA-5: VULNERABILITY SCANNING 6.2 https://docs.microsoft.com/azure/automation/update-management/overview https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html 3.7 - Utilize a Risk-rating Process 7.4 - Perform Automated Application Patch Management SI-2: FLAW REMEDIATION 6.5 Prioritize which updates to deploy first using a common risk scoring program (such as Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool and tailor to your environment. You should also consider which applications present a high security risk and which ones require high uptime. For third-party software, use a third-party patch management solution or Microsoft System Center Updates Publisher for Configuration Manager. You can also use Azure Automation Update Management to centrally manage the patches and updates of your AWS EC2 Windows and Linux instances. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint 7.7 - Remediate Detected Vulnerabilities 11.2 Manage updates and patches for your Azure VMs: Update Management overview: https://docs.microsoft.com/azure/automation/update-management/manage-updates-for-vm For third-party software, use a third-party patch management solution or Microsoft System Center Updates Publisher for Configuration Manager. 
https://docs.microsoft.com/en-us/azure/automation/update-management/overview Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops PV-7 Posture and Vulnerability Management 20.1 - Establish a Penetration Testing Program 18.1 - Establish and Maintain a Penetration Testing Program CA-8: PENETRATION TESTING 6.6 Conduct regular red team operations Simulate real-world attacks to provide a more complete view of your organization's vulnerability. Red team operations and penetration testing complement the traditional vulnerability scanning approach to discover risks. As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings. Penetration testing in Azure: As required, conduct penetration testing or red team activities on your AWS resources and ensure remediation of all critical security findings. AWS Customer Support Policy for Penetration Testing: Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management 20.2 - Conduct Regular External and Internal Penetration Tests 18.2 - Perform Periodic External Penetration Tests RA-5: VULNERABILITY SCANNING 11.2 https://docs.microsoft.com/azure/security/fundamentals/pen-testing https://aws.amazon.com/security/penetration-testing/ 20.3 - Perform Periodic Red Team Exercises 18.3 - Remediate Penetration Test Findings 11.3 Follow industry best practices to design, prepare and conduct this kind of testing to ensure it will not cause damage or disruption to your environment. This should always include discussing testing scope and constraints with relevant stakeholders and resource owners. Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. 
Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications. Follow the AWS Customer Support Policy for Penetration Testing to ensure your penetration tests are not in violation of AWS policies. Infrastructure and endpoint security: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-infrastructure-endpoint 18.4 - Validate Security Measures Penetration Testing Rules of Engagement: 18.5 - Perform Periodic Internal Penetration Tests https://www.microsoft.com/msrc/pentest-rules-of-engagement?rtc=1 Application Security and DevOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Microsoft Cloud Red Teaming: https://download.microsoft.com/download/C/1/9/C1990DBA-502F-4C2A-848D-392B93D9B9C3/Microsoft_Enterprise_Cloud_Red_Teaming.pdf Technical Guide to Information Security Testing and Assessment: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf"},{"location":"Azure/Security/MCSB/Privileged%20Access/","title":"MCSB_v1 - Privileged Access","text":"ID Control Domain CIS Controls v7.1 ID(s) CIS Controls v8 ID(s) NIST SP800-53 r4 ID(s) PCI-DSS v3.2.1 ID(s) Recommendation Security Principle Azure Guidance Implementation and additional context AWS Guidance Implementation and additional context.1 Customer Security Stakeholders: PA-1 Privileged Access 4.3 - Ensure the Use of Dedicated Administrative Accounts 5.4 - Restrict Administrator Privileges to Dedicated Administrator Accounts AC-2: ACCOUNT MANAGEMENT 7.1 Separate and limit highly privileged/administrative users Ensure you identify all high business impact accounts. Limit the number of privileged/administrative accounts in your cloud's control plane, management plane and data/workload plane. You must secure all roles with direct or indirect administrative access to Azure hosted resources. 
Administrator role permissions in Azure AD: You must secure all roles with direct or indirect administrative access to AWS hosted resources. AWS Best Practices for Root User: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys 14.6 - Protect Information Through Access Control Lists 6.8 - Define and Maintain Role-Based Access Control AC-6: LEAST PRIVILEGE 7.2 https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html 8.1 Azure Active Directory (Azure AD) is Azure's default identity and access management service. The most critical built-in roles in Azure AD are Global Administrator and Privileged Role Administrator, because users assigned to these two roles can delegate administrator roles. With these privileges, users can directly or indirectly read and modify every resource in your Azure environment: The privileged/administrative users need to be secured include: Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture - Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD as well as services that use Azure AD identities. Use Azure Privileged Identity Management security alerts: - Root user: Root user is the highest-level privileged accounts in your AWS account. Root accounts should be highly restricted and only used in emergency situation. Refer to emergency access controls in PA-5 (Setup emergency access). - Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units. 
https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts - IAM identities (users, groups, roles) with the privileged permission policy: IAM identities assigned with a permission policy such as AdministratorAccess can have full access to AWS services and resources. Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management Outside of Azure AD, Azure has built-in roles that can be critical for privileged access at the resource level. Securing privileged access for hybrid and cloud deployments in Azure AD: If you are using Azure Active Directory (Azure AD) as the identity provider for AWS, refer to the Azure guidance for managing the privileged roles in Azure AD. Security Operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center - Owner: Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-admin-roles-secure - Contributor: Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. Ensure that you also restrict privileged accounts in other management, identity, and security systems that have administrative access to your business-critical assets, such as AWS Cognito, security tools, and system management tools with agents installed on business critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business critical assets. - User Access Administrator: Lets you manage user access to Azure resources. Note: You may have other critical roles that need to be governed if you use custom roles in the Azure AD level or resource level with certain privileged permissions assigned. 
In addition, users with the following three roles in Azure Enterprise Agreement (EA) portal should also be restricted as they can be used to directly or indirectly manage Azure subscriptions. - Account Owner: Users with this role can manage subscriptions, including the creation and deletion of subscriptions. - Enterprise Administrator: Users assigned with this role can manage (EA) portal users. - Department Administrator: Users assigned with this role can change account owners within the department. Lastly, ensure that you also restrict privileged accounts in other management, identity, and security systems that have administrative access to your business-critical assets, such as Active Directory Domain Controllers (DCs), security tools, and system management tools with agents installed on business-critical systems. Attackers who compromise these management and security systems can immediately weaponize them to compromise business critical assets. PA-2 Privileged Access nan nan AC-2: ACCOUNT MANAGEMENT N/A Avoid standing access for user accounts and permissions Instead of creating standing privileges, use just-in-time (JIT) mechanism to assign privileged access to the different resource tiers. Enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD Privileged Identity Management (PIM). JIT is a model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it. PIM can also generate security alerts when there is suspicious or unsafe activity in your Azure AD organization. Azure PIM just-in-time access deployment: Use AWS Security Token Service (AWS STS) to create temporary security credentials to access the resources through the AWS API. 
Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use, with the following differences: IAM Temporary credentials through AWS Security Token Service (AWS STS): Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-deployment-plan - Temporary security credentials have a short-term life, from minutes to hours. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Restrict inbound traffic to your sensitive virtual machines (VM) management ports with Microsoft Defender for Cloud's just-in-time (JIT) for VM access feature. This ensures privileged access to the VM is granted only when users need it. - Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested. Security architecture: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-architecture Understanding just-in-time (JIT) VM access: https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management Security Operations: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-operations-center PA-3 Privileged Access 16.7 - Establish Process for Revoking Access 6.1 - Establish an Access Granting Process AC-2: ACCOUNT MANAGEMENT 7.1 Manage lifecycle of identities and entitlements Use an automated process or technical control to manage the identity and access lifecycle including the request, review, approval, provision, and deprovision. Use Azure AD entitlement management features to automate access request workflows (for Azure resource groups). 
This enables workflows for Azure resource groups to manage access assignments, reviews, expiration, and dual or multi-stage approval. What are Azure AD access reviews: Use AWS Access Advisor to pull the access logs for the user accounts and entitlements for resources. Build a manual or automated workflow to integrate with AWS IAM to manage access assignments, reviews, and deletions. IAM Access Advisor: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys 6.2 - Establish an Access Revoking Process AC-5: SEPARATION OF DUTIES 7.2 https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data.html AC-6: LEAST PRIVILEGE 8.1 Use Permissions Management to detect, automatically right-size, and continuously monitor unused and excessive permissions assigned to user and workload identities across multi-cloud infrastructures. Note: There are third-party solutions available on AWS Marketplace for managing the lifecycle of identities and entitlements. 
Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops What is Azure AD entitlement management: AWS Marketplace Identity and Access Management solutions: https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-overview https://aws.amazon.com/marketplace/solutions/security/identity-access-management Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management Overview of Permissions Management: https://learn.microsoft.com/azure/active-directory/cloud-infrastructure-entitlement-management/overview PA-4 Privileged Access 4.1 - Maintain Inventory of Administrative Accounts 5.1 - Establish and Maintain an Inventory of Accounts AC-2: ACCOUNT MANAGEMENT 7.1 Review and reconcile user access regularly Conduct regular review of privileged account entitlements. Ensure the access granted to the accounts are valid for administration of control plane, management plane, and workloads. Review all privileged accounts and the access entitlements in Azure including Azure tenants, Azure services, VM/IaaS, CI/CD processes, and enterprise management and security tools. Create an access review of Azure resource roles in Privileged Identity Management (PIM): Review all privileged accounts and the access entitlements in AWS including AWS accounts, services, VM/IaaS, CI/CD processes, and enterprise management and security tools. 
IAM Access Analyzer: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys 16.6 - Maintain an Inventory of Accounts 5.3 - Disable Dormant Accounts AC-6: LEAST PRIVILEGE 7.2 https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-resource-roles-start-access-review https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html 16.8 - Disable Any Unassociated Accounts 5.5 - Establish and Maintain an Inventory of Service Accounts 8.1 Use Azure AD access reviews to review Azure AD roles, Azure resource access roles, group memberships, and access to enterprise applications. Azure AD reporting can also provide logs to help discover stale accounts, or accounts which have not been used for certain amount of time. Use IAM Access Advisor, Access Analyzer and Credential Reports to review resource access roles, group memberships, and access to enterprise applications. IAM Access Analyzer and Credential Reports reporting can also provide logs to help discover stale accounts, or accounts which have not been used for certain amount of time. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops Disable Dormant Accounts A3.4 How to use Azure AD identity and access reviews: Credential report: 16.9 - Disable Dormant Accounts In addition, Azure AD Privileged Identity Management can be configured to alert when an excessive number of administrator accounts are created for a specific role, and to identify administrator accounts that are stale or improperly configured. https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview If you are using Azure Active Directory (Azure AD) as the identity provider for AWS, use Azure AD access review to review the privileged accounts and access entitlements periodically. 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management IAM Access Advisor: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor-view-data.html PA-5 Privileged Access nan nan AC-2: ACCOUNT MANAGEMENT nan Set up emergency access Set up emergency access to ensure that you are not accidentally locked out of your critical cloud infrastructure (such as your identity and access management system) in an emergency. To prevent being accidentally locked out of your Azure AD organization, set up an emergency access account (e.g., an account with Global Administrator role) for access when normal administrative accounts cannot be used. Emergency access accounts are usually highly privileged, and they should not be assigned to specific individuals. Emergency access accounts are limited to emergency or \"break glass\"' scenarios where normal administrative accounts can't be used. Manage emergency access accounts in Azure AD: AWS \"root\" accounts should not be used for regular administrative tasks. As the \"root\" account is highly privileged, it should not be assigned to specific individuals. It's use should be limited to only emergency or \"break glass\u201d scenarios when normal administrative accounts can't be used. For daily administrative tasks, separate privileged user accounts should be used and assigned the appropriate permissions via IAM roles. 
Best practices to protect your account's root user: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-emergency-access https://docs.aws.amazon.com/accounts/latest/reference/best-practices-root-user.html Emergency access accounts should be rarely used and can be highly damaging to the organization if compromised, but their availability to the organization is also critically important for the few scenarios when they are required. You should ensure that the credentials (such as password, certificate, or smart card) for emergency access accounts are kept secure and known only to individuals who are authorized to use them only in an emergency. You may also use additional controls, such dual controls (e.g., splitting the credential into two pieces and giving it to separate persons) to enhance the security of this process. You should also monitor the sign-in and audit logs to ensure that emergency access accounts are only used when authorized. You should also ensure that the credentials (such as password, MFA tokens and access keys) for root accounts are kept secure and known only to individuals who are authorized to use them only in an emergency. MFA should be enabled for the root account, and you may also use additional controls, such as dual controls (e.g., splitting the credential into two pieces and giving it to separate persons) to enhance the security of this process. Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops You should also monitor the sign-in and audit logs in CloudTrail or EventBridge to ensure that root access accounts are only used when authorized. 
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management Security Operations (SecOps): https://docs.microsoft.com//azure/cloud-adoption-framework/organize/cloud-security-operations-center PA-6 Privileged Access 4.6 - Use Dedicated Workstations For All Administrative Tasks 12.8 - Establish and Maintain Dedicated Computing Resources for All Administrative Work AC-2: ACCOUNT MANAGEMENT nan Use privileged access workstations / channel for administrative tasks Secured, isolated workstations are critically important for the security of sensitive roles like administrator, developer, and critical service operator. Use Azure Active Directory, Microsoft Defender, and/or Microsoft Intune to deploy privileged access workstations (PAW) on-premises or in Azure for privileged tasks. The PAW should be centrally managed to enforce secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access. Understand privileged access workstations: Use Session Manager in AWS Systems Manager to create an access path (a connection session) to the EC2 instance or a browser session to the AWS resources for privileged tasks. Session Manager allows RDP, SSH, and HTTPS connectivity to your destination hosts through port forwarding. 
AWS Systems Manager Session Manager: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 11.6 - Use Dedicated Machines For All Network Administrative Tasks 13.5 Manage Access Control for Remote Assets SC-2 APPLICATION PARTITIONING https://learn.microsoft.com/en-us/security/privileged-access-workstations/overview https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html 12.12 - Manage All Devices Remotely Logging into Internal Network SC-7: BOUNDARY PROTECTION You may also use Azure Bastion, which is a fully platform-managed PaaS service that can be provisioned inside your virtual network. Azure Bastion allows RDP/SSH connectivity to your virtual machines directly from the Azure portal using a web browser. You may also choose to deploy privileged access workstations (PAW) centrally managed through Azure Active Directory, Microsoft Defender, and/or Microsoft Intune. The central management should enforce secured configuration, including strong authentication, software and hardware baselines, and restricted logical and network access. Security Operations (SecOps): https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/cloud-security-operations-center Privileged access workstations deployment: https://docs.microsoft.com/security/compass/privileged-access-deployment Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys PA-7 Privileged Access 14.6 - Protect Information Through Access Control Lists 3.3 - Configure Data Access Control Lists AC-2: ACCOUNT MANAGEMENT 7.1 Follow just enough administration (least privilege) principle Follow the just enough administration (least privilege) principle to manage permissions at a fine-grained level. Use features such as role-based access control (RBAC) to manage resource access through role assignments. 
Use Azure role-based access control (Azure RBAC) to manage Azure resource access through role assignments. Through RBAC, you can assign roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal. What is Azure role-based access control (Azure RBAC): Use AWS policy to manage AWS resource access. There are six types of policies: identity-based policies, resource-based policies, permissions boundaries, AWS Organizations service control policy (SCP), Access Control List, and session policies. You may use AWS managed policies for common permission use cases. However, you should be mindful that managed policies may carry excessive permissions that should not be assigned to the users. IAM access policies: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 6.8 - Define and Maintain Role-Based Access Control AC-3: ACCESS ENFORCEMENT 7.2 https://docs.microsoft.com/azure/role-based-access-control/overview https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html AC-6: LEAST PRIVILEGE The privileges you assign to resources through Azure RBAC should always be limited to what's required by the roles. Limited privileges will complement the just-in-time (JIT) approach of Azure AD Privileged Identity Management (PIM), and those privileges should be reviewed periodically. If required, you can also use PIM to define a time-bound assignment, which is a condition in a role assignment where a user can only activate the role within the specified start and end dates. You may also use AWS ABAC (attribute-based access control) to assign permissions based on attributes (tags) attached to IAM resources, including IAM entities (users or roles) and AWS resources. 
Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management How to configure RBAC in Azure: AWS ABAC: Note: Use Azure built-in roles to allocate permissions and only create custom roles when required. https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html Posture management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-posture-management How to use Azure AD identity and access reviews: Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview Azure AD Privileged Identity Management - Time-bound assignment: https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure#what-does-it-do PA-8 Privileged Access 16.7 - Establish Process for Revoking Access 6.1 - Establish an Access Granting Process AC-4: INFORMATION FLOW ENFORCEMENT nan Determine access process for cloud provider support Establish an approval process and access path for requesting and approving vendor support requests and temporary access to your data through a secure channel. In support scenarios where Microsoft needs to access your data, use Customer Lockbox to review and either approve or reject each data access request made by Microsoft. Understand Customer Lockbox: In support scenarios where AWS support teams need to access your data, create an account in the AWS Support portal to request support. Review the available options, such as providing read-only data access, or the screen sharing option for AWS support to access your data. 
Access permissions for AWS Support: Application security and DevSecOps: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-application-security-devsecops 6.2 - Establish an Access Revoking Process AC-2: ACCOUNT MANAGEMENT https://docs.microsoft.com/azure/security/fundamentals/customer-lockbox-overview https://docs.aws.amazon.com/awssupport/latest/user/accessing-support.html AC-3: ACCESS ENFORCEMENT Security Compliance Management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-compliance-management Identity and key management: https://docs.microsoft.com/azure/cloud-adoption-framework/organize/cloud-security-identity-keys"},{"location":"Azure/Security/MCSB/Readme/","title":"MCSB_v1 - Readme","text":"Unnamed: 0 Unnamed: 1 Unnamed: 2 nan Microsoft Cloud Security Benchmark v1 nan nan This spreadsheet is designed to provide you with a private preview version of the Microsoft Cloud Security Benchmark v1. For the web version of the content, please refer to https://docs.microsoft.com/en-us/security/benchmark/azure/overview nan a. The control mappings between MCSB and industry benchmarks (such as NIST, CIS and PCI) only indicate that a specific Azure feature can be used to fully or partially address a control requirement defined in NIST, CIS or PCI. You should be aware that such an implementation does not necessarily translate to full compliance with the corresponding control in CIS, NIST or PCI. b. This document is developed as a reference and should not be used to define all means by which a customer can meet specific compliance requirements and regulations. Customers should seek legal support from their organization on approved customer implementations. nan nan nan nan This multi-cloud guidance follows the below principles: nan 1. The security guidance for non-Azure platforms will follow the same cloud-neutral security principles at each control level as Azure's. 2. 
The security guidance for non-Azure platforms will provide the same level of granularity and same scope in the technical guidance as Azure's. 3. The non-Microsoft cloud service provider's (CSP) native solution or feature will usually be recommended as the first preference for each control. However, when there is a more mature multi-cloud solution available in Azure, it'll be prioritized as the default recommendation. 4. If neither the CSP's native technology nor Azure solutions are available to satisfy a security principle, third-party solutions will be recommended from the Azure or the other CSP's Marketplace. However, Microsoft Cloud Security Benchmark will not name any specific third-party vendor product or solution. nan nan nan nan nan nan nan Guidance - Column Header Descriptions nan ID# The Microsoft Cloud Security Benchmark ID. nan Control Domain The security control domain. nan Security Principle The technology-agnostic and cloud-neutral principle for various security topics in each control domain. nan Recommendation The control recommendation in summarized format. nan Azure Guidance The technical guidance for Azure platforms. nan AWS Guidance The technical guidance for Amazon Web Services platforms. nan Implementation and additional context The implementation details and other relevant context which links to the Azure or AWS service offering documentation articles."},{"location":"blog/","title":"Blog","text":""},{"location":"blog/tags/","title":"Posts by Tags","text":"

                    Following is a list of relevant tags:

                    "},{"location":"blog/tags/#azure-arc","title":"Azure ARC","text":"
                    • Azure ARC
                    • How to use Azure ARC-enabled servers with managed identity to access to Azure Storage Account
                    "},{"location":"blog/tags/#azure-communication-services","title":"Azure Communication Services","text":"
                    • Azure Communication Services
                    "},{"location":"blog/tags/#azure-container-apps","title":"Azure Container Apps","text":"
                    • Comparing Container Apps with other Azure container options
                    "},{"location":"blog/tags/#azure-functions","title":"Azure Functions","text":"
                    • Azure Functions
                    "},{"location":"blog/tags/#azure-network","title":"Azure Network","text":"
                    • Azure Network, Hub-and-Spoke Topology
                    "},{"location":"blog/tags/#azure-policy","title":"Azure Policy","text":"
                    • Azure Policy
                    • Azure Policy, definition schema
                    • Writing Your First Policy in Azure with Portal
                    • Writing Your First Initiative with Portal
                    • Manage Azure Policy GitHub Action
                    • Enterprise Azure Policy as Code (EPAC)
                    • Azure Policy Management Best Practices
                    • Azure Policy useful queries
                    "},{"location":"blog/tags/#azure-well-architected-framework","title":"Azure Well-Architected Framework","text":"
                    • Azure Well-Architected Framework (WAF) mind maps
                    "},{"location":"blog/tags/#certifications","title":"Certifications","text":"
                    • Microsoft Azure Certifications
                    "},{"location":"blog/tags/#epac","title":"EPAC","text":"
                    • Enterprise Azure Policy as Code (EPAC)
                    "},{"location":"blog/tags/#english","title":"English","text":"
                    • Azure Services
                    "},{"location":"blog/tags/#general","title":"General","text":"
                    • Azure Services
                    "},{"location":"blog/tags/#hub-and-spoke","title":"Hub and Spoke","text":"
                    • Azure Network, Hub-and-Spoke Topology
                    "},{"location":"blog/tags/#management-groups","title":"Management Groups","text":"
                    • Management Groups
                    • Moving Management Groups and Subscriptions
                    • How to create a Management Group diagram with draw.io
                    "},{"location":"blog/tags/#microsoft-defender-for-cloud","title":"Microsoft Defender for Cloud","text":"
                    • Renaming of the Microsoft Defender for Cloud service tiers
                    "},{"location":"blog/tags/#onedrive-for-business","title":"OneDrive for Business","text":"
                    • Debugging OneDrive logs to detect synchronization problems
                    "},{"location":"blog/tags/#pam","title":"PAM","text":"
                    • Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services
                    "},{"location":"blog/tags/#role-based-access-control","title":"Role-Based Access Control","text":"
                    • Azure Role-Based Access Control (RBAC)
                    • How to create assignment Reports for Azure RBAC
                    "},{"location":"blog/tags/#security","title":"Security","text":"
                    • Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services
                    "},{"location":"blog/tags/#trunk","title":"Trunk","text":"
                    • Trunk
                    "},{"location":"blog/tags/#windows-subsystem-for-linux-2","title":"Windows Subsystem for Linux 2","text":"
                    • Install WSL2 on Windows 11 with chocolatey
                    "},{"location":"blog/tags/#csharp","title":"csharp","text":"
                    • Starting to develop in c#
                    "},{"location":"blog/tags/#drawio","title":"draw.io","text":"
                    • How to create a Management Group diagram with draw.io
                    "},{"location":"blog/tags/#mkdocs","title":"mkdocs","text":"
                    • Create a blog with MkDocs,mkdocs-material, mkdocs-rss-plugin and GitHub Pages
                    • Enhance your mkdocks.yml
                    "},{"location":"blog/tags/#vscode","title":"vscode","text":"
                    • Trunk
                    "},{"location":"blog/2023/10/17/hello-world-from-mkdocs-material/","title":"\"Hello world!!!\" from mkdocs-material","text":"

                    ...

                    "},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/","title":"Create a blog with MkDocs,mkdocs-material, mkdocs-rss-plugin and GitHub Pages","text":"

                    A while ago I maintained a blog with WordPress. I was happy with it, but I wanted to try something new.

                    I tried Jekyll, but it didn't convince me. Then I discovered MkDocs, so I decided to use MkDocs and mkdocs-material. I was happy with the result, so I decided to write this post to explain how to create a blog with MkDocs, mkdocs-material and some plugins.

                    This is the first post in a series of posts about creating a blog with MkDocs, mkdocs-material and GitHub Pages, with some customization.

                    Some knowledge:

                    • MkDocs is a fast, simple and downright gorgeous static site generator that's geared towards building project documentation. Documentation source files are written in Markdown, and configured with a single YAML configuration file.

                    • Material for MkDocs is a theme for MkDocs, a static site generator geared towards (technical) project documentation. It is built using Google's Material Design guidelines. Material for MkDocs provides a polished and responsive experience out of the box, and it is as easy to use for the beginner as it is for the seasoned developer.

                    • GitHub Pages is a static site hosting service that takes HTML, CSS, and JavaScript files straight from a repository on GitHub, optionally runs the files through a build process, and publishes a website. You can see more information about GitHub Pages here.

                    • mkdocs-rss-plugin generates an RSS feed for your MkDocs site. You can see more information about mkdocs-rss-plugin here.

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#steps-to-deploy","title":"Steps to deploy","text":"","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#create-a-new-repository","title":"Create a new repository","text":"

                    Create a new repository on GitHub named username.github.io, where username is your username (or organization name) on GitHub. If the first part of the repository doesn't exactly match your username, it won't work, so make sure to get it right.

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#enable-github-pages-on-your-repository","title":"Enable GitHub Pages on your repository","text":"

                    Go into the repository settings and, if you are not using GitHub Pages already, enable GitHub Pages on the gh-pages branch.

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#clone-the-repository","title":"Clone the repository","text":"

                    Go to the folder where you want to store your project, and clone the new repository:

                    git clone ssh://github.com/username/username.github.io\ncd username.github.io\n
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#create-requirementstxt-in-root-folder-for-mkdocs-mkdocs-material-and-plugins","title":"Create requirements.txt in root folder for mkdocs, mkdocs-material and plugins","text":"
                    mkdocs==1.5.3\nmkdocs-material==9.4.6\nmkdocs-rss-plugin==1.8.0\n
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#create-a-python-virtual-environment-and-install-requirementstxt","title":"Create a Python Virtual Environment and install requirements.txt","text":"

                    In the username.github.io directory:

                    sudo apt update\nsudo apt install libcairo2\nsudo apt install python3.10-venv\npython3 -m venv mysite\nsource mysite/bin/activate\npip install -r requirements.txt\n
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#initialize-your-site","title":"Initialize your site","text":"
                    mkdocs new .\n
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#add-configuration-to-mkdocsyml-in-root-folder","title":"Add configuration to mkdocs.yml in root folder","text":"

                    For this post I am going to add the following configuration:

                    • basic configuration
                    • configuration for theme mkdocs-material
                    • some native plugins of mkdocs-material and some ones that I like
                    site_name: My Site \nsite_description: A blog about Azure, DevOps and other stuff\nsite_author: Rafael Fern\u00e1ndez\n\ntheme: \n  name: material\n  features:\n    - navigation.tabs\n    - navigation.expand\n    - navigation.sections\n    - toc.integrate\n    - toc.nested\n    - toc.smoothscroll\n    - footer\n\nplugins:\n  - search  \n  - blog\n  - tags:\n      tags_file: tags.md      \n\n  - rss:\n      match_path: blog/posts/.* \n      date_from_meta:\n        as_creation: date\n      categories:\n        - categories\n        - tags\n
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#add-a-new-post","title":"Add a new post","text":"

                    In the blog/post folder, create a new folder with the name of the post, and inside it create a new file with the name of the post and the extension .md. For example: welcome.md

                    ---\ndate: 2023-10-18\ncategories:\n  - Hello\n  - World\n---\n\n# \"Hello world!!!\" from mkdocs-material\n\n...\n
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#check-your-site","title":"Check your site","text":"

                    In the username.github.io directory:

                    mkdocs serve\n

                    You can check your site at http://127.0.0.1:8000/, make live changes to your site and see the results in your browser.

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#publish-your-site","title":"Publish your site","text":"

                    In the username.github.io directory:

                    mkdocs gh-deploy\n

                    After a few seconds, you can check your site at https://username.github.io/

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#automate-deploy-with-github-actions","title":"Automate deploy with GitHub Actions","text":"
                    name: ci # (1)!\non:\n  push:\n    branches:      \n      - main # (2)!\npermissions:\n  contents: write\njobs:\n  deploy:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: actions/setup-python@v4\n        with:\n          python-version: 3.x\n      - run: echo \"cache_id=$(date --utc '+%V')\" >> $GITHUB_ENV # (3)!\n      - uses: actions/cache@v3\n        with:\n          key: mkdocs-material-${{ env.cache_id }}\n          path: .cache\n          restore-keys: |\n            mkdocs-material-\n      - run: pip install -r requirements.txt # (4)!\n      - run: mkdocs gh-deploy --force\n
                    1. You can change the name to your liking.

                    2. At some point, GitHub renamed master to main. If your default branch is named master, you can safely remove main, and vice versa.

                    3. Store the cache_id environment variable to access it later during cache key creation. The name is case-sensitive, so be sure to align it with ${{ env.cache_id }}.

                      • The --utc option makes sure that each workflow runner uses the same time zone.
                      • The %V format assures a cache update once a week.
                      • You can change the format to %F to have daily cache updates.

                      You can read the [manual page] to learn more about the formatting options of the date command.

                    4. Add [MkDocs plugins] or Markdown extensions with pip to requirements.txt to be used during the build.

                    In the next post I will explain how to customize your site with mkdocs-material and some plugins by writing mkdocs.yml.

                    That's it folks

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/18/create-a-blog-with-mkdocsmkdocs-material-mkdocs-rss-plugin-and-github-pages/#urls-for-reference","title":"urls for reference","text":"
                    • https://www.mkdocs.org/
                    • https://pages.github.com/
                    • https://squidfunk.github.io/mkdocs-material/setup/setting-up-a-blog/
                    • https://guts.github.io/mkdocs-rss-plugin/ ...
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/","title":"Enhance your mkdocks.yml","text":"

                    In the previous post I explained how to create a blog with MkDocs and the mkdocs-material theme.

                    mkdocs.yml is the configuration file for MkDocs. In this file we can configure the theme, the plugins, the pages, etc.

                    In this post I am going to explain how to create a blog with MkDocs and the mkdocs-material theme, add some plugins and configure it.

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#minimal-configuration-for-mkdocsyml-with-mkdocs-material","title":"Minimal configuration for mkdocs.yml with mkdocs-material","text":"
                    site_name: My Site\ntheme: \n  name: material\n#plugins:\n\n#markdown_extensions:\n
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#theme","title":"Theme","text":"

                    I only change the palette for now.

                    theme: \n  name: material\n  palette:\n    primary: blue\n    accent: white  \n
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#plugins-for-mkdoc","title":"Plugins for mkdoc","text":"","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#glightbox","title":"glightbox","text":"

                    glightbox adds image zoom functionality to your documentation.

                    requirements.txt
                    mkdocs-glightbox\n
                    mkdocs.yml
                    plugins:\n  - glightbox\n

                    Example:

                    Image by marymarkevich on Freepik

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#mkdocs-minify-plugin","title":"mkdocs-minify-plugin","text":"

                    An MkDocs plugin to minify HTML, JS or CSS files prior to being written to disk.

                    requirements.txt
                    mkdocs-minify-plugin\n
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#extensions","title":"Extensions","text":"","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#material-for-mkdocs","title":"Material for MkDocs","text":"

                    MkDocs supports a large number of Python Markdown extensions.

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#mermaid","title":"mermaid","text":"

                    mermaid2 is a plugin for MkDocs that allows you to embed diagrams written in mermaid.js in your Markdown documentation.

                    mkdocs.yml
                      - pymdownx.superfences:\n      custom_fences:\n        - name: mermaid\n          class: mermaid\n          format: !!python/name:pymdownx.superfences.fence_code_format\n
                    Example
                      ```mermaid\n  graph LR\n      A[Square Rect] -- Link text --> B((Circle))\n      A --> C(Round Rect)\n      B --> D{Rhombus}\n      C --> D\n  ```\n
                    graph LR\n    A[Square Rect] -- Link text --> B((Circle))\n    A --> C(Round Rect)\n    B --> D{Rhombus}\n    C --> D

                    You can find more information about mermaid.js in https://mermaid-js.github.io/mermaid/#/

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#admonitions","title":"Admonitions","text":"

                    Admonitions is a Markdown extension of Material for MkDocs that allows you to add admonition blocks to your Markdown documentation.

                    mkdocs.yml
                    markdown_extensions:\n  - admonition\n  - pymdownx.details\n  - pymdownx.superfences\n

                    Example:

                    !!! Example\n    Example\n!!! Error\n    Error\n!!! Warning\n    Warning    \n!!! Success\n    Success\n!!! Info\n    Info    \n!!! Tip\n    Tip\n!!! Question\n    Question\n!!! Quote\n    Quote\n

                    Rendered result: one admonition block of each type (Example, Error, Warning, Success, Info, Tip, Question, Quote), each titled and filled with its type name.

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#icons-emojis","title":"Icons, Emojis","text":"

                    With Material you can use more than 10000 icons and thousands of emojis in your documentation.

                    mkdocs.yml
                    markdown_extensions:  \n  - attr_list\n  - pymdownx.emoji:\n      emoji_index: !!python/name:material.extensions.emoji.twemoji\n      emoji_generator: !!python/name:material.extensions.emoji.to_svg\n

                    Example:

                    :smile:\n:man_head:\n:face_with_monocle:\n:jack_o_lantern:\n

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#annotations","title":"Annotations","text":"

                    One of the flagship features of Material for MkDocs is the ability to inject annotations – little markers that can be added almost anywhere in a document and expand a tooltip containing arbitrary Markdown on click or keyboard focus.

                    mkdocs.yml
                    markdown_extensions:\n  - attr_list\n  - md_in_html\n  - pymdownx.superfences\n

                    Examples:

                    This is a paragraph with a annotation(1).\n{ .annotate }\n\n1.  :man_raising_hand: I'm an annotation! I can contain `code`, __formatted\n    text__, images, ... basically anything that can be expressed in Markdown.\n

                    This is a paragraph with a annotation(1).

                    1. I'm an annotation! I can contain code, formatted text, images, ... basically anything that can be expressed in Markdown.
                    This is a paragraph with a annotation(1).\n{ .annotate }\n\n1.  :man_raising_hand: I'm an annotation! with a nested annotation(1)\n    { .annotate }\n\n    1. I'm a nested annotation!\n

                    This is a paragraph with a annotation(1).

                    1. I'm an annotation! with a nested annotation(1)

                      1. I'm a nested annotation!
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#buttons","title":"Buttons","text":"mkdocs.yml
                    markdown_extensions:\n  - attr_list  \n

                    Examples:

                    [This is a button](#)\n{ .md-button }\n

                    This is a button

                    [This is a button](#)\n{ .md-button .md-button--primary }\n

                    This is a button

                    [Send :fontawesome-regular-face-laugh-wink:](#){ .md-button }\n

                    Send

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#content-tabs","title":"Content tabs","text":"mkdocs.yml
                    markdown_extensions:\n  - pymdownx.superfences\n  - pymdownx.tabbed:\n      alternate_style: true \n

                    Example:

                    === \"azcli\"\n\n    ``` azcli    \n    az group create --name myResourceGroup --location westeurope\n    ```\n\n=== \"pwsh\"\n\n    ``` pwsh    \n    New-AzResourceGroup -Name myResourceGroup -Location westeurope    \n    ```\n
                    Rendered result: two tabs, azcli and pwsh, each showing its command (az group create --name myResourceGroup --location westeurope and New-AzResourceGroup -Name myResourceGroup -Location westeurope).
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#footnotes","title":"Footnotes","text":"mkdocs.yml
                    markdown_extensions:\n  - footnotes\n

                    Example:

                    This is a paragraph with a footnote[^1].\n\n[^1]: And here is the definition.\n

                    This is a paragraph with a footnote1.

                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#formatting","title":"Formatting","text":"mkdocs.yml
                    markdown_extensions:\n  - pymdownx.critic\n  - pymdownx.caret\n  - pymdownx.keys\n  - pymdownx.mark\n  - pymdownx.tilde\n

                    Example:

                    - ~~Mistaken text.~~\n- ^^Superscript^^\n- ==Marked text.==\n
                    • Mistaken text.
                    • Superscript
                    • Marked text.
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#mkdocsyml-complete","title":"mkdocs.yml complete","text":"
                    site_name: My Site\nsite_description: A blog about Azure, DevOps and other stuff\nsite_author: Rafael Fern\u00e1ndez\nsite_url: https://rfernandezdo.github.io\n\ntheme: \n  name: material\n  palette:\n    primary: blue\n    accent: white\n  features:\n    - navigation.tabs\n    - navigation.expand\n    - navigation.sections\n    - toc.integrate\n    - toc.nested\n    - toc.smoothscroll\n    - footer\n    - content.code.copy\n    - content.code.annotate\n    - content.tooltips\nextra:\n  social:\n    - icon: fontawesome/brands/linkedin\n      link: https://www.linkedin.com/in/rafaelfernandezd/\n      name: LinkedIn\n    - icon: fontawesome/brands/github\n      link: https://github.com/rfernandezdo\n      name: GitHub\n    - icon: fontawesome/solid/square-rss\n      link: https://rfernandezdo.github.io/feed_rss_created.xml\n      name: RSS feed\ncopyright: Copyright &copy; 2023-now Rafael Fern\u00e1ndez\n\nplugins:\n  - search  \n  - mermaid2\n  - blog  \n  - tags:\n      tags_file: tags.md    \n  - rss:\n      match_path: blog/posts/.* \n      date_from_meta:\n        as_creation: date\n      categories:\n        - categories\n        - tags\n  - minify:\n      minify_html: true\n      minify_js: true\n      minify_css: true\n      htmlmin_opts:\n          remove_comments: true\n      cache_safe: true\n  - glightbox:\n      zoomable: true\n      draggable: true\n      skip_classes:\n        - skip-lightbox\n    #- meta in insiders, review in next release\n  - social\nmarkdown_extensions:\n  - admonition\n  - pymdownx.details\n  - pymdownx.superfences:\n      custom_fences:\n        - name: mermaid\n          class: mermaid\n          format: !!python/name:pymdownx.superfences.fence_code_format\n  - md_in_html\n  - attr_list\n  - pymdownx.emoji:\n      emoji_index: !!python/name:material.extensions.emoji.twemoji\n      emoji_generator: !!python/name:material.extensions.emoji.to_svg\n  - pymdownx.tabbed:\n      alternate_style: true\n  - 
pymdownx.highlight:\n      anchor_linenums: true\n      line_spans: __span\n      pygments_lang_class: true\n  - pymdownx.inlinehilite\n  - pymdownx.snippets\n  - footnotes\n  - pymdownx.critic\n  - pymdownx.caret\n  - pymdownx.keys\n  - pymdownx.mark\n  - pymdownx.tilde\n  - def_list\n  - pymdownx.tasklist:\n      custom_checkbox: true\n
                    ","tags":["mkdocs"]},{"location":"blog/2023/10/21/enhance-your-mkdocksyml/#urls-for-reference","title":"urls for reference","text":"
                    • Font Awesome
                    • Emojis ...
                    1. And here is the definition.\u00a0\u21a9

                    ","tags":["mkdocs"]},{"location":"blog/2023/11/03/trunk/","title":"Trunk","text":"","tags":["vscode","Trunk"]},{"location":"blog/2023/11/03/trunk/#what-is-trunk","title":"What is Trunk ?","text":"

                    Trunk is a tool that runs a suite of security and best practice checks against your code. It is designed to be used in CI/CD pipelines, but can also be used as a standalone tool.

                    Support for the following languages is currently available:

                    ","tags":["mkdocs"]},{"location":"blog/2023/11/03/trunk/#installing-trunk","title":"Installing Trunk","text":"Trunk cli | Trunk VSCode extension
                    curl https://get.trunk.io -fsSL | bash\n
                    code --install-extension Trunk.io  \n
                    ","tags":["vscode","Trunk"]},{"location":"blog/2023/11/03/trunk/#trunk-checks","title":"Trunk checks","text":"","tags":["vscode","Trunk"]},{"location":"blog/2023/11/03/trunk/#trunk-checks-cli","title":"Trunk checks cli","text":"

                    Trunk detects which checks to enable based on the files in the current directory, but you can also enable and disable checks manually.

                    • trunk check list: list all available checks
                    • trunk check enable checkname: enable a check
                    • trunk check disable checkname: disable a check
                    • trunk check: run all enabled checks

                    For example, to enable the Terraform check:

                    trunk check enable terraform \n1 linter was enabled:\n  terraform 1.1.0\n

                    Info

                    You can also enable checks by modifying the .trunk.yml file in your repository. See the configuration page for more information.

                    Examples:

                    trunk command line check example
                    trunk check   \n\nChecking 68% [====================================================================================================================================================================>                                                                              ]  38/56  9.4s \n \u21b3 checkov                                                                                                                                                                                                                                                                      \n   \u21b3 modules/webapps/linux_function_app/private_endpoint.tf [lint] \u2827                                                                                                                                                                                                            \n   \u21b3 modules/webapps/linux_function_app/variables.tf [lint] \u2827                                                                                                                                                                                                                   \n \u21b3 terrascan                                                                                                                                                                                                                                                                    \n   \u21b3 modules/webapps/linux_function_app/locals.tf [lint] \u2827                                                                                                                                                                                                                      \n   \u21b3 modules/webapps/linux_function_app/main.tf [lint] \u2827                                                                              \n
                    ","tags":["vscode","Trunk"]},{"location":"blog/2023/11/03/trunk/#trunk-checks-vscode","title":"Trunk checks vscode","text":"

                    In the case of the VSCode extension, you can review your checks in your IDE:

                    And you can disable checks from quick fix menu:

                    ","tags":["vscode","Trunk"]},{"location":"blog/2023/11/03/trunk/#trunk-updates","title":"Trunk updates","text":"","tags":["vscode","Trunk"]},{"location":"blog/2023/11/03/trunk/#trunk-updates-cli","title":"Trunk updates cli","text":"

                    Trunk is updated regularly with new checks and improvements. You can update Trunk by running the following command:

                    trunk update\n
                    ","tags":["vscode","Trunk"]},{"location":"blog/2023/11/03/trunk/#trunk-updates-vscode","title":"Trunk updates vscode","text":"

                    In the case of the VSCode extension, it will be updated automatically:

                    ","tags":["vscode","Trunk"]},{"location":"blog/2023/11/03/trunk/#references","title":"References","text":"
                    • Trunk
                    • Trunk VSCode extension
                    ","tags":["vscode","Trunk"]},{"location":"blog/2023/11/04/starting-to-develop-in-c/","title":"Starting to develop in c#","text":"

                    First, I need to clarify that I'm not a C# developer. I'm learning C# so I can better understand the code that has to be deployed to some Azure services when .NET is used.

                    If someone that knows me is reading this post, he/she will be thinking:

                    • \"What the hell is he doing?\"
                    • \"He is crazy\"
                    • \"He is going to die trying\".
                    • The end of the world is approaching!!

                    Maybe the last thought can be really true but I have to say that I have decided to learn a programming language and that I have chosen C# because many of the examples for Azure Developers that I have seen are written in C#.

                    I repeat, I am not a developer but I'd like to share with you my experience learning C#.

                    ","tags":["csharp"]},{"location":"blog/2023/11/04/starting-to-develop-in-c/#my-first-steps","title":"My first Steps","text":"

                    You have a lot of resources for learning on Learn .NET and in c# documentation.

                    In my case I prefer to simplify and follow csharp-notebooks; these materials are designed to be used with the C# 101 SERIES.

                    After that, I will follow the free course (New) Foundational C# with Microsoft.

                    And after that, I think that I will be ready to start with Tutorials for getting started with .NET and plan next steps.

                    That's all folks!!

                    ","tags":["csharp"]},{"location":"blog/2023/11/15/azure--services/","title":"Azure Services","text":"

                    I have decided to create a new category on my blog to talk about Azure services.

                    The main goal of this category is to provide a quick overview of some Azure services and some design considerations.

                    What is this category due to?

                    In some cases, it is because I am working with this service and I think it is a good idea to share my experience with you and write it down for myself; in others, it is because I am studying/reviewing an Azure service and I think it is a good idea to share my notes with you.

                    I hope you like it.

                    I am going to start with Azure Communication Services

                    That's all folks! Thanks for reading!

                    ","tags":["General","English"]},{"location":"blog/2023/11/18/azure-communication-services/","title":"Azure Communication Services","text":"","tags":["Azure Communication Services"]},{"location":"blog/2023/11/18/azure-communication-services/#what-is-azure-communication-services","title":"What is Azure Communication Services?","text":"

                    Azure Communication Services are cloud-based services with REST APIs and client library SDKs available to help you integrate communication into your applications. You can add communication to your applications without being an expert in underlying technologies such as media encoding or telephony.

                    Azure Communication Services supports various communication formats:

                    • Voice and Video Calling
                    • Rich Text Chat
                    • SMS
                    • Email

                    And offers the following services:

                    • SMS: Send and receive SMS messages from your applications.
                    • Phone calling: Enable your applications to make and receive PSTN calls.
                    • Voice and video calling: Enable your applications to make and receive voice and video calls.
                    • Chat: Enable your applications to send and receive chat messages.
                    • Email: Send and receive emails from your applications.
                    • Network traversal: Enable your applications to connect to other clients behind firewalls and NATs.
                    • Advanced Messaging:
                      • WhatsApp(Public Preview): Enable you to send and receive WhatsApp messages using the Azure Communication Services Messaging SDK.
                    • Job Router(Public Preview): It's a tool designed to optimize the management of customer interactions across various communication applications.

                    Some Use Cases:

                    • Telemedicine: Enable patients to connect with doctors and nurses through video consultations.
                    • Remote education: Enable students to connect with teachers and other students through video classes.
                    • Financial Advisory: Enhancing global advisor and client interactions with rich capabilities such as translation for chat.
                    • Retail Notifications: Send notifications to customers about their orders via SMS or email.
                    • Professional Support: Enable customers to connect with support agents through chat, voice, or video.
                    ","tags":["Azure Communication Services"]},{"location":"blog/2023/11/18/azure-communication-services/#design-considerations","title":"Design considerations","text":"

                    You have some data flow diagrams to help you to understand how Azure Communication Services works here

                    Some aspects to consider:

                    • You need to apply throttling patterns to avoid overloading the service, which answers with HTTP status code 429 (Too Many Requests).
                    • Plan how to map users from your identity domain to Azure Communication Services identities. You can follow any kind of pattern. For example, you can use 1:1, 1:N, N:1, or M:N.
                    • Check regional availability. You can see more information about regional availability here.
                    • Check the service limits. You can see more information about service limits here.
                    • Check security baseline. You can see more information about security baseline here.
                    ","tags":["Azure Communication Services"]},{"location":"blog/2023/11/18/azure-communication-services/#pricing","title":"Pricing","text":"

                    Azure Communication Services is a pay-as-you-go service. You only pay for what you use, and there are no upfront costs. You can see more information about pricing here.

                    The bad news is:

                    • In some services, pricing varies by country.
                    • You don't have a free tier, but you have something free.
                    • You don't have Azure Reservations or equivalent.
                    ","tags":["Azure Communication Services"]},{"location":"blog/2023/11/18/azure-communication-services/#conclusion","title":"Conclusion","text":"

                    Azure Communication Services is a very interesting service, but you need to consider the cost of the service and the regional availability before using it.

                    That's it folks! Thanks for reading!

                    ","tags":["Azure Communication Services"]},{"location":"blog/2023/11/21/azure-well-architected-framework-waf-mind-maps/","title":"Azure Well-Architected Framework (WAF) mind maps","text":"","tags":["Azure Well-Architected Framework"]},{"location":"blog/2023/11/21/azure-well-architected-framework-waf-mind-maps/#microsoft-well-architected-framework-pillars-design-principles-mind-map","title":"Microsoft Well-Architected Framework Pillars Design Principles Mind Map","text":"

                    For when materials renders it correctly:

                    mindmap\n    root((Pillars))        \n        Reliability(Reliability)\n            DesignPrinciples(Design Principles)\n                Design for business requirements[\"**Design for business requirements:**\n                Gather business requirements with a focus on the intended utility of the workload.\"]\n                Design for resilience[\"**Design for resilience:**\n                The workload must continue to operate with full or reduced functionality.\"]\n                Design for recovery[\"**Design for recovery:**\n                The workload must be able to anticipate and recover from most failures, of all magnitudes, with minimal disruption to the user experience and business objectives.\"]\n                Design for operations[\"**Design for operations:**\n                Shift left in operations to anticipate failure conditions.\"]\n                Keep it simple[\"**Keep it simple:**\n                Avoid overengineering the architecture design, application code, and operations.\"]\n        Security(Security)\n            DesignPrinciples(Design Principles)\n                Plan your security readiness[\"**Plan your security readiness:**\n                Strive to adopt and implement security practices in architectural design decisions and operations with minimal friction.\"]\n                Design to protect confidentiality[\"**Design to protect confidentiality:**\n                Prevent exposure to privacy, regulatory, application, and proprietary information through access restrictions and obfuscation techniques.\"]\n                Design to protect integrity[\"**Design to protect integrity:**\n                Prevent corruption of design, implementation, operations, and data to avoid disruptions that can stop the system from delivering its intended utility or cause it to operate outside the prescribed limits. 
The system should provide information assurance throughout the workload lifecycle.\"]\n                Design to protect availability[\"**Design to protect availability:**\n                Prevent or minimize system and workload downtime and degradation in the event of a security incident by using strong security controls. You must maintain data integrity during the incident and after the system recovers.\"]\n                Sustain and evolve your security posture[\"**Sustain and evolve your security posture:**\n                 Incorporate continuous improvement and apply vigilance to stay ahead of attackers who are continuously evolving their attack strategies.\"]       \n        CostOptimization(Cost Optimization)\n            DesignPrinciples(Design Principles)\n                Develop cost-management discipline[\"**Develop cost-management discipline:**\n                Build a team culture that has awareness of budget, expenses, reporting, and cost tracking.\"]\n                Design with a cost-efficiency mindset[\"**Design with a cost-efficiency mindset:**\n                Spend only on what you need to achieve the highest return on your investments.\"]\n                Design for usage optimization[\"**Design for usage optimization:**\n                Maximize the use of resources and operations. 
Apply them to the negotiated functional and nonfunctional requirements of the solution.\"]\n                Design for rate optimization[\"**Design for rate optimization:**\n                Increase efficiency without redesigning, renegotiating, or sacrificing functional or nonfunctional requirements.\"]\n                Monitor and optimize over time[\"**Monitor and optimize over time:**\n                Continuously right-size investment as your workload evolves with the ecosystem.\"]\n        OperationalExcellence(Operational Excellence)\n            DesignPrinciples(Design Principles)\n               Embrace DevOps culture[\"**Embrace DevOps culture:**\n               Empower development and operations teams to continuously improve their system design and processes by working together with a mindset of collaboration, shared responsibility, and ownership.\"]\n               Establish development standards[\"**Establish development standards:**\n               Optimize productivity by standardizing development practices, enforcing quality gates, and tracking progress and success through systematic change management.\"]\n               Evolve operations with observability[\"**Evolve operations with observability:**\n                Gain visibility into the system, derive insight, and make data-driven decisions.\"]\n               Deploy with confidence[\"**Deploy with confidence:**\n               Reach the desired state of deployment with predictability.\"]\n               Automate for efficiency[\"**Automate for efficiency:**\n                Replace repetitive manual tasks with software automation that completes them quicker, with greater consistency and accuracy, and reduces risks.\"]\n               Adopt safe deployment practices[\"**Adopt safe deployment practices:**\n               Implement guardrails in the deployment process to minimize the effect of errors or unexpected conditions.\"]\n        PerformanceEfficiency(Performance Efficiency)        \n     
       DesignPrinciples(Design Principles)\n               Negotiate realistic performance targets[\"**Negotiate realistic performance targets:**\n               The intended user experience is defined, and there's a strategy to develop a benchmark and measure targets against the pre-established business requirements.\"]\n               Design to meet capacity requirements[\"**Design to meet capacity requirements:**\n               Provide enough supply to address anticipated demand.\"]\n               Achieve and sustain performance[\"**Achieve and sustain performance:**\n                Protect against performance degradation while the system is in use and as it evolves.\"]\n               Improve efficiency through optimization[\"**Improve efficiency through optimization:**\n                Improve system efficiency within the defined performance targets to increase workload value.\"]

                    English Mermaid Live Editor

                    Spanish Mermaid Live Editor

                    ","tags":["Azure Well-Architected Framework"]},{"location":"blog/2023/11/21/azure-well-architected-framework-waf-mind-maps/#microsoft-well-architected-framework-pillars-tradeofs-mind-map","title":"Microsoft Well-Architected Framework Pillars Tradeofs Mind Map","text":"

                    For when materials renders it correctly:

                    mindmap\n    root((Pillars))        \n        Reliability(Reliability)\n            Tradeoffs(Tradeoffs)\n                Reliability tradeoffs with Security[\"`**Reliability tradeoffs with Security**`\"]\n                     Tradeoff: Increased workload surface area. The Security pillar prioritizes a reduced and contained surface area to minimize attack vectors and reduce the management of security controls.[\"`**Tradeoff: Increased workload surface area.** The Security pillar prioritizes a reduced and contained surface area to minimize attack vectors and reduce the management of security controls.`\"]\n                        Tradeoff: Security control bypass. The Security pillar recommends that all controls remain active in both normal and stressed systems.[\"`**Tradeoff: Security control bypass.** The Security pillar recommends that all controls remain active in both normal and stressed systems.`\"]\n                            Tradeoff: Old software versions. The Security pillar encourages a *get current, stay current* approach to vendor security patches.[\"`**Tradeoff: Old software versions.** The Security pillar encourages a *get current, stay current* approach to vendor security patches.`\"]\n                Reliability tradeoffs with Cost Optimization[\"`**Reliability tradeoffs with Cost Optimization**`\"]\n                    Tradeoff: Increased implementation redundancy or waste. A cost-optimized workload minimizes underutilized resources and avoids over-provisioning resources.[\"`**Tradeoff: Increased implementation redundancy or waste.** A cost-optimized workload minimizes underutilized resources and avoids over-provisioning resources.`\"]\n                        Tradeoff: Increased investment in operations that aren't aligned with functional requirements. 
One approach to cost optimization is evaluating the value that's provided by any deployed solution.[\"`**Tradeoff: Increased investment in operations that aren't aligned with functional requirements.** One approach to cost optimization is evaluating the value that's provided by any deployed solution.`\"]\n                Reliability tradeoffs with Operational Excellence[\"`**Reliability tradeoffs with Operational Excellence**`\"]\n                    Tradeoff: Increased operational complexity. Operational Excellence, like Reliability itself, prioritizes simplicity.[\"`**Tradeoff: Increased operational complexity.** Operational Excellence, like Reliability itself, prioritizes simplicity.`\"]\n                        Tradeoff: Increased effort to generate team knowledge and awareness. The Operational Excellence pillar recommends keeping and maintaining a documentation repository for procedures and topologies. [\"`**Tradeoff: Increased effort to generate team knowledge and awareness.** The Operational Excellence pillar recommends keeping and maintaining a documentation repository for procedures and topologies.`\"]\n                Reliability tradeoffs with Performance Efficiency[\"`**Reliability tradeoffs with Performance Efficiency**`\"]\n                    Tradeoff: Increased latency. Performance Efficiency requires a system to achieve performance targets for user and data flows.[\"`**Tradeoff: Increased latency.** Performance Efficiency requires a system to achieve performance targets for user and data flows.`\"]\n                        Tradeoff: Increased over-provisioning. 
The Performance Efficiency pillar discourages over-provisioning, instead recommending the use of just enough resources to satisfy demand.[\"`**Tradeoff: Increased over-provisioning.** The Performance Efficiency pillar discourages over-provisioning, instead recommending the use of just enough resources to satisfy demand.`\"]\n        Security(Security)\n            Tradeoffs(Tradeoffs)\n                Security tradeoffs with Reliability[\"`**Security tradeoffs with Reliability**`\"]\n                    Tradeoff: Increased complexity. The Reliability pillar prioritizes simplicity and recommends that points of failure are minimized.[\"`**Tradeoff: Increased complexity.** The Reliability pillar prioritizes simplicity and recommends that points of failure are minimized.`\"]\n                        Tradeoff: Increased critical dependencies. The Reliability pillar recommends minimizing critical dependencies. A workload that minimizes critical dependencies, especially external ones, has more control over its points of failure.[\"`**Tradeoff: Increased critical dependencies.** The Reliability pillar recommends minimizing critical dependencies. A workload that minimizes critical dependencies, especially external ones, has more control over its points of failure.`\"]\n                            Tradeoff: Increased complexity of disaster recovery. A workload must reliably recover from all forms of disaster.[\"`**Tradeoff: Increased complexity of disaster recovery.** A workload must reliably recover from all forms of disaster.`\"]\n                                Tradeoff: Increased rate of change. 
A workload that experiences runtime change is exposed to more risk of reliability impact due to that change.[\"`**Tradeoff: Increased rate of change.** A workload that experiences runtime change is exposed to more risk of reliability impact due to that change.`\"]\n                Security tradeoffs with Cost Optimization[\"`**Security tradeoffs with Cost Optimization**`\"]\n                    Tradeoff: Additional infrastructure. One approach to cost optimizing a workload is to look for ways to reduce the diversity and number of components and increase density.[\"`**Tradeoff: Additional infrastructure.** One approach to cost optimizing a workload is to look for ways to reduce the diversity and number of components and increase density.`\"]\n                        Tradeoff: Increased demand on infrastructure. The Cost Optimization pillar prioritizes driving down demand on resources to enable the use of cheaper SKUs, fewer instances, or reduced consumption.[\"`**Tradeoff: Increased demand on infrastructure.** The Cost Optimization pillar prioritizes driving down demand on resources to enable the use of cheaper SKUs, fewer instances, or reduced consumption.`\"]\n                            Tradeoff: Increased process and operational costs. Personnel process costs are part of the overall total cost of ownership and are factored into a workload's return on investment. Optimizing these costs is a recommendation of the Cost Optimization pillar.[\"`**Tradeoff: Increased process and operational costs.** Personnel process costs are part of the overall total cost of ownership and are factored into a workload's return on investment. Optimizing these costs is a recommendation of the Cost Optimization pillar.`\"]\n                Security tradeoffs with Operational Excellence[\"`**Security tradeoffs with Operational Excellence**`\"]\n                    Tradeoff: Complications in observability and serviceability. 
Operational Excellence requires architectures to be serviceable and observable. The most serviceable architectures are those that are the most transparent to everyone involved.[\"`**Tradeoff: Complications in observability and serviceability.** Operational Excellence requires architectures to be serviceable and observable. The most serviceable architectures are those that are the most transparent to everyone involved.`\"]\n                        Tradeoff: Decreased agility and increased complexity. Workload teams measure their velocity so that they can improve the quality, frequency, and efficiency of delivery activities over time. Workload complexity factors into the effort and risk involved in operations[\"`**Tradeoff: Decreased agility and increased complexity.** Workload teams measure their velocity so that they can improve the quality, frequency, and efficiency of delivery activities over time. Workload complexity factors into the effort and risk involved in operations`\"]\n                            Tradeoff: Increased coordination efforts. A team that minimizes external points of contact and review can control their operations and timeline more effectively.[\"`**Tradeoff: Increased coordination efforts.** A team that minimizes external points of contact and review can control their operations and timeline more effectively.`\"]             \n                Security tradeoffs with Performance Efficiency[\"`**Security tradeoffs with Performance Efficiency**`\"]\n                    Tradeoff: Increased latency and overhead. A performant workload reduces latency and overhead.[\"`**Tradeoff: Increased latency and overhead.** A performant workload reduces latency and overhead.`\"]\n                        Tradeoff: Increased chance of misconfiguration. 
Reliably meeting performance targets depends on predictable implementations of the design.[\"`**Tradeoff: Increased chance of misconfiguration.** Reliably meeting performance targets depends on predictable implementations of the design.`\"]\n        Cost Optimization[\"Cost Optimization`\"]\n            Tradeoffs(Tradeoffs)\n                Cost Optimization tradeoffs with Reliability[\"`**Cost Optimization tradeoffs with Reliability**`\"]\n                    Tradeoff: Reduced resiliency. A workload incorporates resiliency measures to attempt to avoid and withstand specific types and quantities of malfunction.[\"`**Tradeoff: Reduced resiliency.** A workload incorporates resiliency measures to attempt to avoid and withstand specific types and quantities of malfunction.`\"]\n                        Tradeoff: Limited recovery strategy. A workload that's reliable has a tested incident response and recovery plan for disaster scenarios.[\"`**Tradeoff: Limited recovery strategy.** A workload that's reliable has a tested incident response and recovery plan for disaster scenarios.`\"]\n                            Tradeoff: Increased complexity. A workload that uses straightforward approaches and avoids unnecessary or overengineered complexity is generally easier to manage in terms of reliability.[\"`**Tradeoff: Increased complexity.** A workload that uses straightforward approaches and avoids unnecessary or overengineered complexity is generally easier to manage in terms of reliability.`\"]\n                Cost Optimization tradeoffs with Security[\"`**Cost Optimization tradeoffs with Security**`\"]\n                    Tradeoff: Reduced security controls. 
Security controls are established across multiple layers, sometimes redundantly, to provide defense in depth.[\"`**Tradeoff: Reduced security controls.** Security controls are established across multiple layers, sometimes redundantly, to provide defense in depth.`\"]\n                        Tradeoff: Increased workload surface area. The Security pillar prioritizes a reduced and contained surface area to minimize attack vectors and the management of security controls.[\"`**Tradeoff: Increased workload surface area.** The Security pillar prioritizes a reduced and contained surface area to minimize attack vectors and the management of security controls.`\"]\n                            Tradeoff: Removed segmentation. The Security pillar prioritizes strong segmentation to support the application of targeted security controls and to control the blast radius.[\"`**Tradeoff: Removed segmentation.** The Security pillar prioritizes strong segmentation to support the application of targeted security controls and to control the blast radius.`\"]\n                Cost Optimization tradeoffs with Operational Excellence[\"`**Cost Optimization tradeoffs with Operational Excellence**`\"]\n                    Tradeoff: Compromised software development lifecycle SDLC capacities. A workload's SDLC process provides rigor, consistency, specificity, and prioritization to change management in a workload.[\"`**Tradeoff: Compromised software development lifecycle capacities.** A workload's SDLC process provides rigor, consistency, specificity, and prioritization to change management in a workload.`\"]\n                        Tradeoff: Reduced observability. Observability is necessary to help ensure that a workload has meaningful alerting and successful incident response.[\"`**Tradeoff: Reduced observability.** Observability is necessary to help ensure that a workload has meaningful alerting and successful incident response.`\"]\n                            Tradeoff: Deferred maintenance. 
Workload teams are expected to keep code, tooling, software packages, and operating systems patched and up to date in a timely and orderly way.[\"`**Tradeoff: Deferred maintenance.** Workload teams are expected to keep code, tooling, software packages, and operating systems patched and up to date in a timely and orderly way.`\"]\n                Cost Optimization tradeoffs with Performance Efficiency[\"`**Cost Optimization tradeoffs with Performance Efficiency**`\"]\n                    Tradeoff: Underprovisioned or underscaled resources. A performance-efficient workload has enough resources to serve demand but doesn't have excessive unused overhead, even when usage patterns fluctuate.[\"`**Tradeoff: Underprovisioned or underscaled resources.** A performance-efficient workload has enough resources to serve demand but doesn't have excessive unused overhead, even when usage patterns fluctuate.`\"]\n                        Tradeoff: Lack of optimization over time. Evaluating the effects of changes in functionality, changes in usage patterns, new technologies, and different approaches on the workload is one way to try to increase efficiency.[\"`**Tradeoff: Lack of optimization over time.** Evaluating the effects of changes in functionality, changes in usage patterns, new technologies, and different approaches on the workload is one way to try to increase efficiency.`\"]\n        Operational Excellence[\"Operational Excellence\"]\n            Tradeoffs(Tradeoffs)\n                Operational Excellence tradeoffs with Reliability[\"`**Operational Excellence tradeoffs with Reliability**`\"]\n                    Tradeoff: Increased complexity. 
Reliability prioritizes simplicity, because simple design minimizes misconfiguration and reduces unexpected interactions.[\"`**Tradeoff: Increased complexity.** Reliability prioritizes simplicity, because simple design minimizes misconfiguration and reduces unexpected interactions.`\"]\n                        Tradeoff: Increased potentially destabilizing activities. The Reliability pillar encourages the avoidance of activities or design choices that can destabilize a system and lead to disruptions, outages, or malfunctions[\"`**Tradeoff: Increased potentially destabilizing activities.** The Reliability pillar encourages the avoidance of activities or design choices that can destabilize a system and lead to disruptions, outages, or malfunctions.`\"]\n                Operational Excellence tradeoffs with Security[\"`**Operational Excellence tradeoffs with Security**`\"]\n                    Tradeoff: Increased surface area. The Security pillar recommends a reduced workload surface area in terms of components and exposure to operations. This reduction minimizes attack vectors and produces a smaller scope for security control and testing.[\"`**Tradeoff: Increased surface area.** The Security pillar recommends a reduced workload surface area in terms of components and exposure to operations. This reduction minimizes attack vectors and produces a smaller scope for security control and testing.`\"]\n                        Tradeoff: Increased desire for transparency. A secure workload is based on designs that protect the confidentiality of data that flows through the components of the system.[\"`**Tradeoff: Increased desire for transparency.** A secure workload is based on designs that protect the confidentiality of data that flows through the components of the system.`\"]\n                            Tradeoff: Reduced segmentation. A key security approach for isolating access and function is to design a strong segmentation strategy. 
This design is implemented through resource isolation and identity controls.[\"`**Tradeoff: Reduced segmentation.** A key security approach for isolating access and function is to design a strong segmentation strategy. This design is implemented through resource isolation and identity controls.`\"]                    \n                Operational Excellence tradeoffs with Cost Optimization[\"`**Operational Excellence tradeoffs with Cost Optimization**`\"]\n                     Tradeoff: Increased resource spending. A major cost driver for a workload is the cost of its resources. Deploying fewer resources, right-sizing resources, and reducing consumption generally helps keep costs low.[\"`**Tradeoff: Increased resource spending.** A major cost driver for a workload is the cost of its resources. Deploying fewer resources, right-sizing resources, and reducing consumption generally helps keep costs low.`\"]\n                        Tradeoff: Decreased focus on delivery activities. Workload team members deliver increased workload value by efficiently performing tasks that are aligned to their capabilities.[\"`**Tradeoff: Decreased focus on delivery activities.** Workload team members deliver increased workload value by efficiently performing tasks that are aligned to their capabilities.`\"]\n                            Tradeoff: Increased tooling demands and diversity. The Cost Optimization pillar recommends the reduction of tooling sprawl, consolidation of vendors, and a right-sized approach to all tooling purchases.[\"`**Tradeoff: Increased tooling demands and diversity.** The Cost Optimization pillar recommends the reduction of tooling sprawl, consolidation of vendors, and a right-sized approach to all tooling purchases.`\"]\n                Operational Excellence tradeoffs with Performance Efficiency[\"`**Operational Excellence tradeoffs with Performance Efficiency**`\"]\n                    Tradeoff: Increased resource utilization. 
The Performance Efficiency pillar recommends the allocation of as much of the available compute and network as possible to the requirements of the workload.[\"`**Tradeoff: Increased resource utilization.** The Performance Efficiency pillar recommends the allocation of as much of the available compute and network as possible to the requirements of the workload.`\"]\n                        Tradeoff: Increased latency. To create performant workloads, teams look for ways to reduce the time and resources that workloads consume to perform their tasks.[\"`**Tradeoff: Increased latency.** To create performant workloads, teams look for ways to reduce the time and resources that workloads consume to perform their tasks.`\"]\n        Performance Efficiency(\"Performance Efficiency\")\n            Tradeoffs(Tradeoffs)\n                Performance Efficiency tradeoffs with Reliability[\"`**Performance Efficiency tradeoffs with Reliability**`\"]\n                    Tradeoff: Reduced replication and increased density. A cornerstone of reliability is ensuring resilience by using replication and limiting the blast radius of malfunctions.[\"`**Tradeoff: Reduced replication and increased density.** A cornerstone of reliability is ensuring resilience by using replication and limiting the blast radius of malfunctions.`\"]\n                        Tradeoff: Increased complexity. Reliability prioritizes simplicity.[\"`**Tradeoff: Increased complexity.** Reliability prioritizes simplicity.`\"]\n                            Tradeoff: Testing and observation on active environments. 
Avoiding the unnecessary use of production systems is a self-preservation approach for reliability.[\"`**Tradeoff: Testing and observation on active environments.** Avoiding the unnecessary use of production systems is a self-preservation approach for reliability.`\"]                  \n                Performance Efficiency tradeoffs with Security[\"`**Performance Efficiency tradeoffs with Security**`\"]\n                    Tradeoff: Reduction of security controls. Security controls are established across multiple layers, sometimes redundantly, to provide defense in depth[\"`**Tradeoff: Reduction of security controls.** Security controls are established across multiple layers, sometimes redundantly, to provide defense in depth.`\"]\n                        Tradeoff: Increased workload surface area. Security prioritizes a reduced and contained surface area to minimize attack vectors and reduce the management of security controls.[\"`**Tradeoff: Increased workload surface area.** Security prioritizes a reduced and contained surface area to minimize attack vectors and reduce the management of security controls.`\"]\n                            Tradeoff: Removing segmentation. The Security pillar prioritizes strong segmentation to enable fine-grained security controls and reduce blast radius.[\"`**Tradeoff: Removing segmentation.** The Security pillar prioritizes strong segmentation to enable fine-grained security controls and reduce blast radius.`\"]                   \n                Performance Efficiency tradeoffs with Cost Optimization[\"`**Performance Efficiency tradeoffs with Cost Optimization**`\"]\n                    Tradeoff: Too much supply for demand. 
Both Cost Optimization and Performance Efficiency prioritize having just enough supply to serve demand.[\"`**Tradeoff: Too much supply for demand.** Both Cost Optimization and Performance Efficiency prioritize having just enough supply to serve demand.`\"]\n                        Tradeoff: More components. One cost optimization technique is to consolidate with a smaller number of resources by increasing density, removing duplication, and co-locating functionality.[\"`**Tradeoff: More components.** One cost optimization technique is to consolidate with a smaller number of resources by increasing density, removing duplication, and co-locating functionality.`\"]\n                        Tradeoff: Increased investment on items that aren't aligned with functional requirements. One approach to cost optimization is evaluating the value provided by any solution that's deployed.[\"`**Tradeoff: Increased investment on items that aren't aligned with functional requirements.** One approach to cost optimization is evaluating the value provided by any solution that's deployed.`\"]                    \n                Performance Efficiency tradeoffs with Operational Excellence[\"`**Performance Efficiency tradeoffs with Operational Excellence**`\"]\n                    Tradeoff: Reduced observability. Observability is necessary to provide a workload with meaningful alerting and help ensure successful incident response.[\"`**Tradeoff: Reduced observability.** Observability is necessary to provide a workload with meaningful alerting and help ensure successful incident response.`\"]\n                        Tradeoff: Increased complexity in operations. 
A complex environment has more complex interactions and a higher likelihood of a negative impact from routine, ad hoc, and emergency operations.[\"`**Tradeoff: Increased complexity in operations.** A complex environment has more complex interactions and a higher likelihood of a negative impact from routine, ad hoc, and emergency operations.`\"]\n                            Tradeoff: Culture stress. Operational Excellence is rooted in a culture of blamelessness, respect, and continuous improvement.[\"`**Tradeoff: Culture stress.** Operational Excellence is rooted in a culture of blamelessness, respect, and continuous improvement.`\"]\n\n

                    English Mermaid Live Editor

                    Spanish Mermaid live editor

                    ","tags":["Azure Well-Architected Framework"]},{"location":"blog/2023/11/21/azure-well-architected-framework-waf-mind-maps/#references","title":"References","text":"
                    • Microsoft Well-Architected Framework pillars
                    ","tags":["Azure Well-Architected Framework"]},{"location":"blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/","title":"Comparing Container Apps with other Azure container options","text":"","tags":["Azure Container Apps"]},{"location":"blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/#container-option-comparisons","title":"Container option comparisons","text":"Service Primary Use Advantages Disadvantages Azure Container Apps Building serverless microservices and jobs based on containers Optimized for general purpose containers. Provides a fully managed experience based on best-practices. Doesn't provide direct access to Kubernetes APIs. Azure App Service Fully managed hosting for web applications including websites and web APIs Integrated with other Azure services. Ideal option for building web apps. Might not be suitable for non-web applications. Azure Container Instances Provides a single isolated container on demand It's a great solution for any scenario that can operate in isolated containers, including simple applications, task automation, and build jobs. Concepts like scale, load balancing, and certificates are not provided. Azure Kubernetes Service Provides a fully managed Kubernetes option in Azure Supports any Kubernetes workload. Complete control over cluster configurations and operations. Requires management of the full cluster within your subscription. Azure Functions Serverless Functions-as-a-Service (FaaS) solution Optimized for running event-driven applications using the functions programming model. Limited to ephemeral functions deployed as either code or containers. Azure Spring Apps Fully managed service for Spring developers Service manages the infrastructure of Spring applications allowing developers to focus on their code. Only suitable for running Spring-based applications. 
Azure Red Hat OpenShift Jointly engineered, operated, and supported by Red Hat and Microsoft to provide an integrated product and support experience Offers built-in solutions for automated source code management, container and application builds, deployments, scaling, health management. Dependent on OpenShift. If your team or organization is not using OpenShift, this may not be the ideal option.

                    Please note that the advantages and disadvantages may vary according to specific use cases.

                    ","tags":["Azure Container Apps"]},{"location":"blog/2023/11/30/comparing-container-apps-with-other-azure-container-options/#references","title":"References","text":"
                    • Azure Container Apps https://learn.microsoft.com/en-us/azure/container-apps/compare-options
                    ","tags":["Azure Container Apps"]},{"location":"blog/2023/11/30/azure-updates-rss-feed/","title":"Azure updates RSS feed","text":"

                    All the Azure updates in one place.

                    • All
                    "},{"location":"blog/2023/11/30/azure-updates-rss-feed/#by-category","title":"By category","text":"
                    • Featured

                    • AI + Machine Learning

                    • Analytics

                    • Blockchain

                    • Compute

                    • Containers

                    • Databases

                    • Developer Tools

                    • DevOps

                    • Hybrid + multicloud

                    • Identity

                    • Integration

                    • Internet of Things

                    • Management

                    • Media

                    • Migration

                    • Mixed Reality

                    • Mobile

                    • Networking

                    • Security

                    • Storage

                    • Virtual desktop infrastructure

                    • Web

                    "},{"location":"blog/2023/11/30/azure-updates-rss-feed/#custom","title":"Custom","text":"

                    https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=category1%2Ccategory2%2Ccategory3

                    For example:

                    https://azurecomcdn.azureedge.net/en-gb/updates/feed/?category=featured%2Cai-machine-learning%2Canalytics

                    "},{"location":"blog/2023/12/01/azure-functions/","title":"Azure Functions","text":"","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#introduction","title":"Introduction","text":"

                    Azure Functions is a serverless compute service provided by Microsoft Azure. This analysis aims to provide a comprehensive understanding of Azure Functions, its architecture, deployment, scalability, security, and more.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#service-overview","title":"Service Overview","text":"

                    Azure Functions allows developers to run small pieces of code (called \"functions\") without worrying about application infrastructure. With Azure Functions, the cloud infrastructure provides all the up-to-date servers needed to keep your applications running at scale.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#architecture-and-components","title":"Architecture and Components","text":"

                    Azure Functions is built on an event-driven, compute-on-demand experience that extends the existing Azure application platform with capabilities to implement code triggered by events occurring in Azure or third-party services.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#deployment-and-configuration","title":"Deployment and Configuration","text":"

                    Azure Functions can be deployed using the Azure portal, Azure Resource Manager (ARM) templates, or the Azure Command-Line Interface (CLI). Configuration settings can be managed through environment variables and application settings.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#scalability-and-performance","title":"Scalability and Performance","text":"

                    Azure Functions supports auto-scaling based on the load, ensuring optimal performance. It also provides features like load balancing to distribute incoming traffic across multiple instances of a function app.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#security-and-compliance","title":"Security and Compliance","text":"

                    Azure Functions provides built-in authentication and authorization support. It also supports network isolation with Azure Virtual Network (VNet) and encryption of data at rest and in transit. Azure Functions complies with key international and industry-specific compliance standards like ISO, SOC, and GDPR.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#monitoring-and-logging","title":"Monitoring and Logging","text":"

                    Azure Functions integrates with Azure Monitor and Application Insights for monitoring and logging. It provides real-time information on how your function app is performing and where your application is spending its time.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#use-cases-and-examples","title":"Use Cases and Examples","text":"

                    Azure Functions is commonly used for processing data, integrating systems, working with the internet-of-things (IoT), and building simple APIs and microservices.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#best-practices-and-tips","title":"Best Practices and Tips","text":"

                    When using Azure Functions, it's recommended to keep functions small and focused on a single task. Also, avoid long-running functions as they may cause unexpected timeout issues.

                    If you are using long-running functions, consider using Durable Functions, which are an extension of Azure Functions that lets you write stateful functions in a serverless environment.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/01/azure-functions/#conclusion","title":"Conclusion","text":"

                    Azure Functions is a powerful service for running event-driven applications at scale. It offers a wide range of features and capabilities that can meet the needs of almost any application. We encourage you to explore Azure Functions further and see how it can benefit your applications.

                    ","tags":["Azure Functions"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/","title":"Instalar WSL2 en Windows 11 con chocolatey","text":"","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/#introduccion","title":"Introducci\u00f3n","text":"

                    Windows Subsystem for Linux (WSL) es una caracter\u00edstica de Windows 11 que permite ejecutar un entorno de Linux en Windows. WSL2 es la segunda versi\u00f3n de WSL que ofrece un kernel de Linux completo y un mejor rendimiento en comparaci\u00f3n con WSL1. Este an\u00e1lisis proporciona una gu\u00eda paso a paso para instalar WSL2 en Windows 11.

                    ","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/#pasos-a-seguir","title":"Pasos a seguir","text":"","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/#1-instalar-chocolatey","title":"1. Instalar Chocolatey","text":"

                    Chocolatey es un administrador de paquetes para Windows que facilita la instalaci\u00f3n y gesti\u00f3n de software. Para instalar Chocolatey, siga los siguientes pasos:

                    1. Abra PowerShell como administrador.

                    2. Ejecute el siguiente comando para instalar Chocolatey:

                    Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))\n
                    1. Espere a que se complete la instalaci\u00f3n de Chocolatey.
                    ","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/#2-instalar-wsl2","title":"2. Instalar WSL2","text":"

                    Para instalar WSL2 en Windows 11, siga los siguientes pasos:

                    1. Abra PowerShell como administrador.

                    2. Ejecute el siguiente comando para instalar WSL2:

                    choco install wsl2\n
                    3. Espere a que se complete la instalaci\u00f3n de WSL2.

                    ","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/#3-configurar-wsl2","title":"3. Configurar WSL2","text":"

                    Para configurar WSL2 en Windows 11, siga los siguientes pasos:

                    1. Abra PowerShell como administrador.

                    2. Ejecute el siguiente comando para configurar WSL2 como la versi\u00f3n predeterminada:

                    wsl --set-default-version 2\n
                    1. Reinicie su computadora para aplicar los cambios.
                    ","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/#4-instalar-una-distribucion-de-linux","title":"4. Instalar una distribuci\u00f3n de Linux","text":"

                    Para instalar una distribuci\u00f3n de Linux en WSL2, siga los siguientes pasos:

                    1. Abra PowerShell.

                    2. Busque la distribuci\u00f3n de Linux que desea instalar (por ejemplo, Ubuntu, Debian, Fedora)

                    wsl --list --online\n
                    1. Ejecute el siguiente comando para instalar la distribuci\u00f3n de Linux seleccionada:
                    wsl --install -d <nombre de la distribuci\u00f3n>\n
                    1. Espere a que se complete la instalaci\u00f3n de la distribuci\u00f3n de Linux.
                    ","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/#5-iniciar-wsl2","title":"5. Iniciar WSL2","text":"

                    Para iniciar WSL2 en Windows 11, siga los siguientes pasos:

                    1. Abra PowerShell.

                    2. Ejecute el siguiente comando para iniciar la distribuci\u00f3n de Linux instalada:

                    wsl\n
                    ","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/04/instalar-wsl2-en-windows-11-con-chocolatey/#referencias","title":"Referencias","text":"
                    • Chocolatey
                    • What is the Windows Subsystem for Linux?
                    ","tags":["Windows Subsystem for Linux 2"]},{"location":"blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/","title":"Depurar logs de OneDrive para detectar problemas de sincronizaci\u00f3n","text":"

                    Necesitas WSL2

                    Para poder seguir este tutorial necesitas tener instalado WSL2 en tu equipo, si no lo tienes, puedes seguir este tutorial Instalar WSL2 en Windows 11 con chocolatey

                    ","tags":["OneDrive for Business"]},{"location":"blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/#introduccion","title":"Introducci\u00f3n","text":"

                    Llevo unos d\u00edas con sync pending en algunos ficheros en mi OneDrive for Business sin ninguna raz\u00f3n aparente, por lo que he decidido investigar un poco y compartir como he resuelto el problema.

                    Lo primero es seguir la siguiente documentaci\u00f3n de Microsoft que puede ser \u00fatil para alguien que tenga problemas de sincronizaci\u00f3n con OneDrive:

                    Fix OneDrive sync problems

                    Pero si no funciona, se puede obtener m\u00e1s informaci\u00f3n de los logs de OneDrive.

                    ","tags":["OneDrive for Business"]},{"location":"blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/#pasos-a-seguir","title":"Pasos a seguir","text":"","tags":["OneDrive for Business"]},{"location":"blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/#1-acceder-a-los-logs-de-onedrive","title":"1. Acceder a los logs de OneDrive","text":"

                    Para acceder a los logs de OneDrive, se debe seguir los siguientes pasos:

                    1. Open File Explorer.
                    2. Click the up arrow in the address bar.
                    3. Paste the following path into the address bar and press Enter:
                    Business:
                    %localappdata%\\Microsoft\\OneDrive\\logs\\Business1\n
                    Personal:
                    %localappdata%\\Microsoft\\OneDrive\\logs\\Personal\n

                    Now select the most recent log files and copy them to a directory. The files may have the extension .odl, .odlgz, .odlsent or .aold; the ObfuscationStringMap.txt or general.keystore file must also be included.

                    ","tags":["OneDrive for Business"]},{"location":"blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/#2-instalar-el-visor-de-logs-de-onedrive","title":"2. Instalar el visor de logs de OneDrive","text":"

                    Para instalar el visor de logs de OneDrive, se debe seguir los siguientes pasos:

                    Descarga https://raw.githubusercontent.com/ydkhatri/OneDrive/main/odl.py y ejecuta el siguiente comando:

                    pip3 install pycryptodome\npip3 install construct\npython odl.py -o <ruta de salida>/fichero.csv <ruta de los logs>\n

                    For example:

                    python3 odl.py -o output/fichero.csv input/\nWARNING: Multiple instances of some keys were found in the ObfuscationMap.\nRead 40493 items from map\nRecovered Unobfuscation key Churreradenumneros, version=1, utf_type=utf16\nSearching  /mnt/c/Users/userdemo/Escritorio/input/SyncEngine-2023-09-04.0637.32.2.odl\nWrote 821 rows\nSearching  /mnt/c/Users/userdemo/Escritorio/input/FileCoAuth-2023-09-03.0804.13536.1.odlgz\nWrote 203 rows\nSearching  /mnt/c/Users/userdemo/Escritorio/input/FileCoAuth-2023-09-03.0804.14112.1.odlgz\n.......\n............\n...............\nWrote 872 rows\nFinished processing files, output is at output/fichero.csv\nuserdemo@DESKTOP:/mnt/c/Users/userdemo/Escritorio$\n
                    ","tags":["OneDrive for Business"]},{"location":"blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/#3-analizar-los-logs","title":"3. Analizar los logs","text":"

                    Una vez que se ha generado el fichero CSV, se puede abrir con Excel o cualquier editor de texto para analizar los logs y detectar problemas de sincronizaci\u00f3n, busca error o warn para averiguar que puede estar provocando el problema.
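                    Once odl.py has written the CSV, the error/warn search from step 3 can be scripted so that the noisiest log file and function stand out. This is an added example, not code from the post or from the odl.py project; the column names Filename, Function and Params_Decoded and the sample rows are assumptions.

```python
"""
Triage helper for the CSV that odl.py writes: keep only the rows whose
decoded text mentions an error or warning, then count them per log file
and per logging function.

Added example, not part of the original post or of the odl.py project.
Assumed: the CSV has a header row with at least the columns "Filename",
"Function" and "Params_Decoded" (column names are an assumption; every
other column is searched as well, so a different layout still works).
"""
import csv
import io
import re
from collections import Counter

# Case-insensitive match on "error"/"warn" at a word start, so "Errors",
# "WARNING" and "warn" hit, but a word such as "terror" does not.
PATTERN = re.compile(r"\b(error|warn)", re.IGNORECASE)

# Constructed sample rows in the assumed layout; every value is invented.
SAMPLE_CSV = """Filename,Timestamp,Function,Params_Decoded
SyncEngine-2023-09-04.0637.32.2.odl,2023-09-04 06:37:40,SyncScope::Scan,Scanning folder Documents
SyncEngine-2023-09-04.0637.32.2.odl,2023-09-04 06:37:41,FileWriter::Commit,Error writing file report.xlsx to disk (0x80070570)
SyncEngine-2023-09-04.0637.32.2.odl,2023-09-04 06:37:42,FileWriter::Commit,Error writing file notes.docx to disk (0x80070570)
FileCoAuth-2023-09-03.0804.13536.1.odlgz,2023-09-03 08:04:15,CoAuth::Session,Session opened
FileCoAuth-2023-09-03.0804.13536.1.odlgz,2023-09-03 08:04:16,CoAuth::Session,Warning: retrying upload of budget.xlsx
SyncEngine-2023-09-04.0637.32.2.odl,2023-09-04 06:37:43,SyncScope::Scan,Terror novel.epub queued for upload
"""


def find_problem_rows(csv_text):
    """Return the rows (as dicts) in which any field mentions an error or warning."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for row in reader:
        # Search every column, so a differently named message column still matches.
        if any(PATTERN.search(value or "") for value in row.values()):
            hits.append(row)
    return hits


def summarize(rows):
    """Count problem rows per log file and per logging function."""
    by_file = Counter(row.get("Filename", "?") for row in rows)
    by_function = Counter(row.get("Function", "?") for row in rows)
    return by_file, by_function


def triage(csv_text):
    """Full pass: filter the rows, count them, and return both views."""
    rows = find_problem_rows(csv_text)
    by_file, by_function = summarize(rows)
    return {"rows": rows, "by_file": by_file, "by_function": by_function}


if __name__ == "__main__":
    result = triage(SAMPLE_CSV)
    print(f"{len(result['rows'])} rows mention an error or warning")
    for name, count in result["by_function"].most_common():
        print(f"  {count:3d}  {name}")
    for row in result["rows"]:
        print(f"{row['Timestamp']}  {row['Function']}: {row['Params_Decoded']}")
```

                    To run it on a real export, replace SAMPLE_CSV with the contents of the fichero.csv produced by odl.py.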

                    ","tags":["OneDrive for Business"]},{"location":"blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/#solucion","title":"Soluci\u00f3n","text":"

                    En mi caso, tras poder leer los logs de OneDrive, he descubierto que OneDrive no pod\u00eda escribir varios ficheros en disco, luego record\u00e9 que el otro d\u00eda mi equipo no se apag\u00f3 bien.

                    Tras un chkdsk c: /F /R, fin de la historia, ahora todo funciona, espero que le resulte \u00fatil a alguien.

                    ","tags":["OneDrive for Business"]},{"location":"blog/2023/12/05/depurar-logs-de-onedrive-para-detectar-problemas-de-sincronizaci%C3%B3n/#referencias","title":"Referencias","text":"
                    • https://github.com/ydkhatri/OneDrive/tree/main
                    ","tags":["OneDrive for Business"]},{"location":"blog/2024/02/24/azure-policy/","title":"Azure Policy","text":"

                    Azure Policy serves as a powerful tool for implementing governance across your Azure environment. It helps ensure resource consistency, regulatory compliance, security, cost management, and efficient operations.

                    As organizations leverage the power of Azure for their cloud infrastructure, ensuring governance, compliance, and security becomes paramount. Azure Policy, along with policies and initiatives, provides a robust framework to enforce and assess compliance with organizational standards and regulatory requirements. Let's delve into these concepts to understand how they work together.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/24/azure-policy/#azure-policy-overview","title":"Azure Policy Overview","text":"

                    Azure Policy is a service in Azure that allows you to create, assign, and manage policies. These policies enforce different rules and effects over resources, so those resources stay compliant with corporate standards and service-level agreements.

                    Azure Policy helps to address questions like:

                    • Are all virtual machines encrypted using Azure Disk Encryption?
                    • Are resources deployed only in certain Azure regions?
                    • Are specific tags applied to resources for tracking and organization?

                    Policies in Azure Policy are defined using JSON-based policy definitions. These definitions can be simple or complex, depending on the requirements. Once a policy is created, it can be assigned to specific scopes within Azure, such as subscriptions, resource groups, or even individual resources.

                    Info

                    It's important to recognize that with the introduction of Azure Arc, you can extend your policy-based governance across different cloud providers and even to your local datacenters.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/24/azure-policy/#policies","title":"Policies","text":"

                    Policies in Azure Policy are rules that enforce different requirements and effects on resources. These policies can be related to security, compliance, or management. For instance, you can have a policy that ensures all publicly accessible storage accounts are secured with a firewall or a policy that enforces a specific naming convention for virtual machines.

                    Key attributes of policies include:

                    • Effect: Determines what happens when the condition in the policy is met (e.g., deny the action, audit the action, append a tag).
                    • Condition: Defines when the policy is enforced based on properties of the resource being evaluated.
                    • Action: Specifies what happens when a resource violates the policy (e.g., deny deployment, apply audit).

                    Policies can be built-in (provided by Azure) or custom (defined by the organization). They play a vital role in maintaining compliance and security standards across Azure environments.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/24/azure-policy/#initiatives","title":"Initiatives","text":"

                    Initiatives in Azure Policy are collections of policies that are grouped together as a single unit. This simplifies the process of assigning multiple policies to different scopes simultaneously. Initiatives help in enforcing complex requirements and compliance standards by grouping related policies together.

                    graph TD;\n    A[Azure Policy] -->|Contains| B1[Policy 1]\n    A[Azure Policy] -->|Contains| B2[Policy 2]\n    A[Azure Policy] -->|Contains| B3[Policy 3]\n    A[Azure Policy] -->|Contains| B4[Policy 4]\n    B1[Policy 1] -->|Belongs to| C[Initiative 1]\n    B2[Policy 2] -->|Belongs to| C[Initiative 1]\n    B3[Policy 3] -->|Belongs to| D[Initiative 2]\n\n\n    classDef azurePolicy fill:#f9f,stroke:#333,stroke-width:2px;\n    classDef policy fill:#fc9,stroke:#333,stroke-width:2px;\n    classDef initiative fill:#9cf,stroke:#333,stroke-width:2px;\n\n    class A,B1,B2,B3,B4 azurePolicy;\n    class C,D initiative;\n    class D1,D2,E1,E2 policy;

                    Initiatives allow you to:

                    • Apply multiple policies at once to a scope (like a subscription or management group).
                    • Monitor compliance against a set of defined standards or regulations.
                    • Streamline governance by organizing policies logically.

                    By using initiatives, you can efficiently manage and enforce compliance with regulatory standards (e.g., CIS benchmarks, PCI DSS) or organizational best practices.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/24/azure-policy/#assignments","title":"Assignments","text":"

                    Assignments in Azure Policy are the mechanism to apply policies or initiatives to specific scopes within Azure. You can assign policies to subscriptions, resource groups, or even individual resources. Assignments help in enforcing governance and compliance standards across your Azure environment.

                    graph TD;\n    A[Azure Policy] -->|Contains| B1[Policy 1]\n    A[Azure Policy] -->|Contains| B2[Policy 2]\n    A[Azure Policy] -->|Contains| B3[Policy 3]\n    A[Azure Policy] -->|Contains| B4[Policy 4]\n    B1[Policy 1] -->|Belongs to| C[Initiative 1]\n    B2[Policy 2] -->|Belongs to| C[Initiative 1]\n    B3[Policy 3] -->|Belongs to| D[Initiative 2]\n    C[Initiative 1] -->|Assigned to| E[Subscription 1]\n    D[Initiative 2] -->|Assigned to| F[Resource Group 1]\n    B4[Policy 4] -->|Assigned to| G[Management Group 1]\n\n    classDef azurePolicy fill:#f9f,stroke:#333,stroke-width:2px;\n    classDef policy fill:#fc9,stroke:#333,stroke-width:2px;\n    classDef initiative fill:#9cf,stroke:#333,stroke-width:2px;\n    classDef assignment fill:#9f9,stroke:#333,stroke-width:2px;\n\n    class A,B1,B2,B3,B4 azurePolicy;\n    class C,D initiative;\n    class E,F,G assignment;\n    class D1,D2,E1,E2 policy;\n
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/24/azure-policy/#conclusion","title":"Conclusion","text":"

                    In conclusion, Azure Policy, policies, and initiatives are fundamental components of Azure's governance framework. They enable organizations to define and enforce rules for Azure resources, ensuring adherence to compliance standards, security protocols, and operational guidelines. By leveraging these capabilities, Azure users can maintain control over their cloud environment while promoting consistency and security across deployments. If you're looking to enhance governance and compliance within Azure, exploring Azure Policy, policies, and initiatives is a crucial step forward.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/24/azure-policy/#references","title":"References","text":"
                    • Azure Policy overview
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/azure-policy-defintion-schema/","title":"Azure Policy, defintion schema","text":"

                    This is the schema for the Azure Policy definition:

                    {\n    \"properties\": {\n        \"displayName\": {\n            \"type\": \"string\",\n            \"description\": \"The display name of the policy definition.\"\n        },\n        \"policyType\": {\n            \"type\": \"string\",\n            \"description\": \"The policy type of the policy definition.\"\n        },\n        \"mode\": {\n            \"type\": \"string\",\n            \"description\": \"The mode of the policy definition.\"\n        },\n        \"description\": {\n            \"type\": \"string\",\n            \"description\": \"The description of the policy definition.\"\n        },\n        \"metadata\": {\n            \"type\": \"object\",\n            \"description\": \"The metadata of the policy definition.\"\n        },\n        \"parameters\": {\n            \"type\": \"object\",\n            \"description\": \"The parameters of the policy definition.\"\n        },\n        \"policyRule\": {\n            \"type\": \"object\",\n            \"description\": \"The policy rule of the policy definition. If/then rule.\"\n        }\n    }\n}\n

                    Other elements such as id, type, and name can also appear in the schema; whether you need them depends on how you want to deploy the policy definition.

                    The full schema is available in Azure Policy definition schema.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/azure-policy-defintion-schema/#example","title":"Example","text":"

                    Here is an example of a policy definition:

                    {\n    \"properties\": {\n        \"displayName\": \"Require a tag and its value\",\n        \"policyType\": \"Custom\",\n        \"mode\": \"Indexed\",\n        \"description\": \"This policy requires a specific tag and its value.\",\n        \"metadata\": {\n            \"category\": \"Tags\"\n        },\n        \"parameters\": {\n            \"tagName\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Name\",\n                    \"description\": \"Name of the tag, such as 'environment'\"\n                }\n            },\n            \"tagValue\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Value\",\n                    \"description\": \"Value of the tag, such as 'production'\"\n                }\n            }\n        },\n        \"policyRule\": {\n            \"if\": {\n                \"field\": \"[concat('tags[', parameters('tagName'), ']')]\",\n                \"exists\": \"false\"\n            },\n            \"then\": {\n                \"effect\": \"deny\"\n            }\n        }\n    }\n}\n

                    This policy definition requires a specific tag and its value. If the tag does not exist on the resource, the policy denies the request. Note that this rule only checks that the tag exists (exists: false); the tagValue parameter is declared but not referenced by the rule, so any value of the tag passes.

                    As you can see, the most important part of the policy definition is the policy rule.

                    Note

                    The policy rule is where you describe the logic that enforces the policy.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/azure-policy-defintion-schema/#conclusion","title":"Conclusion","text":"

                    Understanding the schema for Azure Policy definitions is essential for creating and managing policies effectively. By defining the necessary attributes and rules, you can enforce compliance, security, and operational standards across your Azure environment. Leveraging the Azure Policy definition schema allows you to tailor policies to your organization's specific requirements and ensure consistent governance practices.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/azure-policy-defintion-schema/#references","title":"References","text":"
                    • Azure Policy definition schema
                    • Azure Policy
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/","title":"Writing Your First Policy in Azure with Portal","text":"

                    Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

                    In this post, we'll walk through the steps of creating your first policy in Azure.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/#prerequisites","title":"Prerequisites","text":"
                    1. An active Azure subscription.
                    2. Access to Azure portal.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/#step-1-open-azure-policy","title":"Step 1: Open Azure Policy","text":"
                    • Log in to the Azure Portal.
                    • In the left-hand menu, click on All services.
                    • In the All services blade, search for Policy.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/#step-2-create-a-new-policy-definition","title":"Step 2: Create a New Policy Definition","text":"
                    • Click on Definitions under the Authoring section.
                    • Click on + Policy definition.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/#step-3-fill-out-the-policy-definition","title":"Step 3: Fill Out the Policy Definition","text":"

                    You will need to fill out several fields:

                    • Definition location: The location where the policy is stored.
                    • Name: This is a unique name for your policy.
                    • Description: A detailed description of what the policy does.
                    • Category: You can categorize your policy for easier searching and filtering.

                    The most important part of the policy definition is the policy rule itself. The policy rule is where you describe the logic that enforces the policy.

                    Here's an example of a simple policy rule that ensures all indexed resources carry the required tag with the required value, and denies creation or update if they do not.

                    {\n    \"properties\": {\n        \"displayName\": \"Require a tag and its value\",\n        \"policyType\": \"Custom\",\n        \"mode\": \"Indexed\",\n        \"description\": \"This policy requires a specific tag and its value.\",\n        \"metadata\": {\n            \"category\": \"Tags\"\n        },\n        \"parameters\": {\n            \"tagName\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Name\",\n                    \"description\": \"Name of the tag, such as 'environment'\"\n                }\n            },\n            \"tagValue\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Value\",\n                    \"description\": \"Value of the tag, such as 'production'\"\n                }\n            }\n        },\n        \"policyRule\": {\n            \"if\": {\n                \"not\": {\n                    \"field\": \"[concat('tags[', parameters('tagName'), ']')]\",\n                    \"equals\": \"[parameters('tagValue')]\"\n                }\n            },\n            \"then\": {\n                \"effect\": \"deny\"\n            }\n        }\n    }\n}\n

                    In the portal, however, the form itself captures displayName, policyType and metadata, so you cannot set them in the JSON; only mode, parameters and policyRule go into the POLICY RULE box. The policy definition then looks like this:

                    • Definition location: Tenant Root Group
                    • Name: Require a tag and its value
                    • Description: This policy requires a specific tag and its value.
                    • Category: Tags
                    • POLICY RULE:
                    {\n\n        \"mode\": \"Indexed\", \n        \"parameters\": {\n            \"tagName\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Name\",\n                    \"description\": \"Name of the tag, such as 'environment'\"\n                }\n            },\n            \"tagValue\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Value\",\n                    \"description\": \"Value of the tag, such as 'production'\"\n                }\n            }\n        },\n        \"policyRule\": {\n            \"if\": {\n                \"not\": {\n                    \"field\": \"[concat('tags[', parameters('tagName'), ']')]\",\n                    \"equals\": \"[parameters('tagValue')]\"\n                    }\n                },\n            \"then\": {\n                \"effect\": \"deny\"\n            }\n        }\n}\n

                    Once you've filled out all the fields and written your policy rule, click on Save.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/26/writing-your-first-policy-in-azure-with-portal/#step-4-assign-the-policy","title":"Step 4: Assign the Policy","text":"
                    • Go back to the Policy service in the Azure portal.
                    • Click on Assignments under the Authoring section.
                    • Click on + Assign Policy.
                    • In Basics, fill out the following fields:
                      • Scope
                        • Scope: Select the scope where you want to assign the policy.
                        • Exclusions: Add any exclusions if needed.
                      • Basics
                        • Policy definition: Select the policy you created.
                        • Assignment name: A unique name for the assignment.
                        • Description: A detailed description of the assignment.
                        • Policy enforcement: Enabled.
                    • In Parameters: Fill out any parameters needed for the policy.
                    • In Non-compliance message: A message to display when a resource is non-compliant.
                    • Click on Review + create: Review the assignment and click on Create.

                    Congratulations! You've just created and assigned your first policy in Azure. It will now evaluate any new or existing resources within its scope.

                    Remember, Azure Policy is a powerful tool for maintaining compliance and managing your resources at scale. Happy coding!

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/writing-your-first-initiative-with-portal/","title":"Writing Your First Initiative with Portal","text":"

                    Azure Policy is a service in Azure that you use to create, assign and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.

                    In this post, we'll walk through the steps of creating your first initiative in Azure.

                    Info

                    You need to have a good understanding of Azure Policy before creating an initiative. If you're new to Azure Policy, check out our post on Azure Policy and Writing Your First Policy in Azure with Portal.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/writing-your-first-initiative-with-portal/#prerequisites","title":"Prerequisites","text":"
                    1. An active Azure subscription.
                    2. Access to Azure portal.
                    3. A policy definition in your subscription; if you don't have one, follow the steps in Writing Your First Policy in Azure with Portal.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/writing-your-first-initiative-with-portal/#step-1-open-azure-policy","title":"Step 1: Open Azure Policy","text":"
                    • Log in to the Azure Portal.
                    • In the left-hand menu, click on All services.
                    • In the All services blade, search for Policy.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/writing-your-first-initiative-with-portal/#step-2-create-a-new-initiative-definition","title":"Step 2: Create a New Initiative Definition","text":"
                    • Click on Definitions under the Authoring section.
                    • Click on + Initiative definition.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/writing-your-first-initiative-with-portal/#step-3-fill-out-the-initiative-definition","title":"Step 3: Fill Out the Initiative Definition","text":"

                    You will need to fill out several fields:

                    • Basics:
                      • Initiative location: The location where the initiative is stored.
                      • Name: This is a unique name for your initiative.
                      • Description: A detailed description of what the initiative does.
                      • Category: You can categorize your initiative for easier searching and filtering.
                    • Policies:
                      • Add policy definition(s): Here you can add the policies that will be part of the initiative.
                    • Initiative parameters:
                      • Add parameter: Here you can add parameters that will be used in the initiative.
                    • Policy parameters:
                      • Add policy parameter: Here you can add parameters that will be used in the policies that are part of the initiative. You can use the parameters defined in the initiative as values for the different policies.

                    • Click on Review + create: Review the initiative definition and click on Create.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/writing-your-first-initiative-with-portal/#step-4-assign-the-initiative","title":"Step 4: Assign the Initiative","text":"
                    • Go to Policy again.
                    • Go to Assignments under the Authoring section.
                    • Click on + Assign initiative.

                    You will need to fill out several fields:

                    • Basics:
                      • Scope:
                        • Scope: Select the scope where you want to assign the initiative.
                      • Basics:
                        • Initiative definition: Select the initiative you just created.
                        • Assignment name: A unique name for the assignment.
                        • Description: A detailed description of what the assignment does.
                        • Policy enforcement: Choose the enforcement mode for the assignment.
                    • Parameters:
                      • Add parameter: Initialize the parameters that will be used in the initiative.
                    • Remediation:
                      • Auto-remediation: Enable or disable auto-remediation. When enabled, a non-compliant resource is remediated automatically. A later post will explain how to create a remediation task.
                    • Non-compliance messages:
                      • Non-compliance message: Define a message that will be shown when a resource is not compliant.

                    • Click on Review + create: Review the assignment and click on Create.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/25/writing-your-first-initiative-with-portal/#conclusion","title":"Conclusion","text":"

                    Creating an initiative in Azure Policy is a powerful way to group policies together and enforce them across your Azure environment. By defining initiatives, you can streamline governance, simplify compliance management, and ensure consistent application of policies to your resources. Start creating initiatives today to enhance the security, compliance, and operational efficiency of your Azure environment.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/","title":"Manage Azure Policy GitHub Action","text":"

                    It's recommended to review:

                    • Azure Policy
                    • Writing Your First Policy in Azure with Portal
                    • Writing Your First Initiative in Azure with Portal
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#overview","title":"Overview","text":"

                    The Manage Azure Policy GitHub Action empowers you to enforce organizational standards and assess compliance at scale using Azure policies. With this action, you can seamlessly integrate policy management into your CI/CD pipelines, ensuring that your Azure resources adhere to the desired policies.

                    Info

                    This project hasn't received any updates for some time, but it is still a simple option for developing your Azure policies. Not everything is good, though: this deployment method has a major drawback, deletions must be done by hand :S

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#key-features","title":"Key Features","text":"
                    1. Customizable Workflows: GitHub workflows are highly customizable. You have complete control over the sequence in which Azure policies are rolled out. This flexibility enables you to follow safe deployment practices and catch regressions or bugs well before policies are applied to critical resources.

                    2. Azure Login Integration: The action assumes that you've already authenticated using the Azure Login action. Make sure you've logged in using an Azure service principal with sufficient permissions to write policies on selected scopes. Refer to the full documentation of Azure Login Action for details on permissions.

                    3. Policy File Structure: Your policy files should be organized in a specific directory structure within your GitHub repository. Here's how it should look:

                      |- policies/\n   |- <policy1_name>/\n      |- policy.json\n      |- assign.<name1>.json\n      |- assign.<name2>.json\n      ...\n   |- <policy2_name>/\n      |- policy.json\n      |- assign.<name1>.json\n      |- assign.<name2>.json\n      ...\n
                      • Each policy resides in a subfolder under the policies/ directory.
                      • The policy.json file contains the policy definition.
                      • Assignment files (e.g., assign.<name1>.json) specify how the policy is applied.
                    4. Inputs for the Action:

                      • Paths: Specify the mandatory path(s) to the directory containing your Azure policy files.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#sample-workflow","title":"Sample Workflow","text":"

                    Here's an example of how you can apply policies at the Management Group scope using the Manage Azure Policy action:

                    name: 'Test Policy'\non:\n  push:\n    branches: \n    - \"*\" \n    paths: \n     - 'policies/**'\n     - 'initiatives/**'\n  workflow_dispatch:\n\njobs:\n  apply-azure-policy:    \n    runs-on: ubuntu-latest\n    steps:\n    # Azure Login\n    - name: Login to Azure\n      uses: azure/login@v1\n      with:\n        creds: ${{ secrets.AZURE_CREDENTIALS }}\n        allow-no-subscriptions: true\n\n    - name: Checkout\n      uses: actions/checkout@v2 \n\n    - name: Create or Update Azure Policies\n      uses: azure/manage-azure-policy@v0\n      with:      \n        paths:  |                \n          policies/**\n          initiatives/**\n        assignments:  |\n          assign.*_testRG_*.json\n

                    Remember to replace the placeholder values (such as secrets.AZURE_CREDENTIALS) with your actual configuration. You can follow these instructions to create a service principal and obtain its credentials: Create a service principal and get the credentials

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#example-of-use-for-policy","title":"Example of use for Policy","text":"

                    In this example we define all our policies and initiatives at management group level and assign them to a resource group; the policy requires a specific tag and its value.

                    You need to create a folder structure like this:

                    |- policies/\n   |- require-tag-and-its-value/\n      |- policy.json\n      |- assign.testRG_testazurepolicy.json\n|- initiatives/\n   |- initiative1/\n      |- policyset.json\n      |- assign.testRG_testazurepolicy.json\n
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#policies","title":"policies","text":"

                    Info

                    • The policy.json file contains the policy definition, and the assign.<name>.json file specifies how the policy is applied.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#policyjson","title":"policy.json","text":"

                    Info

                    • The id value specifies where you are going to define the policy.
                    policy.json
                    {\n    \"id\": \"/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/requite-tag-and-its-value\",\n    \"type\": \"Microsoft.Authorization/policyDefinitions\",\n    \"name\": \"requite-tag-and-its-value\",\n    \"properties\": {\n        \"displayName\": \"Require a tag and its value\",\n        \"policyType\": \"Custom\",\n        \"mode\": \"Indexed\",\n        \"description\": \"This policy requires a specific tag and its value.\",\n        \"metadata\": {\n            \"category\": \"Tags\"\n        },\n        \"parameters\": {\n            \"tagName\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Name\",\n                    \"description\": \"Name of the tag, such as 'environment'\"\n                }\n            },\n            \"tagValue\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Value\",\n                    \"description\": \"Value of the tag, such as 'production'\"\n                }\n            },\n            \"effect\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Effect applied when the tag is missing or has a different value; the initiative passes this parameter.\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            }\n        },\n        \"policyRule\": {\n            \"if\": {\n                \"not\": {\n                    \"field\": \"[concat('tags[', parameters('tagName'), ']')]\",\n                    \"equals\": \"[parameters('tagValue')]\"\n                }\n            },\n            \"then\": {\n                \"effect\": \"[parameters('effect')]\"\n            }\n        }\n    }\n}\n
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#assigntestrg_testazurepolicyjson","title":"assign.testRG_testazurepolicy.json","text":"

                    Info

                    • Change the id and scope values in the assign.<name>.json file to match your Azure subscription and resource group.
                    • id specifies where you are going to deploy the assignment.
                    • id and name are related: name cannot be an arbitrary value, it must match the last segment of the id. You can generate a random 24-character hexadecimal name with (1..24 | %{ '{0:x}' -f (Get-Random -Max 16) }) -join ''
                    • The policyDefinitionId value should match the id value in the policy.json file.
                    assign.testRG_testazurepolicy.json
                    {\n    \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-testazurepolicy/providers/Microsoft.Authorization/policyAssignments/599a2c3a1a3b1f8b8e547b3e\",\n    \"type\": \"Microsoft.Authorization/policyAssignments\",\n    \"name\": \"599a2c3a1a3b1f8b8e547b3e\",     \n    \"properties\": {\n        \"description\": \"This policy audits the presence of a specific tag and its value.\",\n        \"displayName\": \"Require a tag and its value\",\n        \"parameters\": {\n            \"tagName\": {\n              \"value\": \"environment\"\n            },\n            \"tagValue\": {\n              \"value\": \"production\"\n            }\n          },\n          \"nonComplianceMessages\": [\n            {\n              \"message\": \"This resource is not compliant with the policy. Please apply the required tag and its value.\"\n            }\n          ],\n          \"enforcementMode\": \"Default\",\n          \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/requite-tag-and-its-value\",\n          \"scope\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-testazurepolicy\"\n    }    \n}\n
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#initiatives","title":"initiatives","text":"

                    Info

                    • The policyset.json file contains the policy definition, and the assign.<name>.json file specifies how the initiative is applied.
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#policysetjson","title":"policyset.json","text":"

                    Info

                    • The id value specifies where you are going to define the initiative.
                    • The policyDefinitions array contains the policy definitions that are part of the initiative.
                    • The parameters object defines the parameters that can be passed to the policies within the initiative.
                    • The policyDefinitionId value should match the id value in the policy.json file of the policy.
                    policyset.json
                    {\n    \"id\": \"/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/initiative1\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"name\": \"initiative1\",\n    \"properties\": {\n        \"displayName\": \"Initiative 1\",\n        \"description\": \"This initiative contains a set of policies for testing.\",\n        \"metadata\": {\n            \"category\": \"Test\"\n        },\n        \"parameters\": {\n            \"tagName\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Name\",\n                    \"description\": \"Name of the tag, such as 'environment'\"\n                }\n            },\n            \"tagValue\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Tag Value\",\n                    \"description\": \"Value of the tag, such as 'production'\"\n                }\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/requite-tag-and-its-value\",\n                \"parameters\": {\n                    \"tagName\": {\n                        \"value\": \"[parameters('tagName')]\"\n                    },\n                    \"tagValue\": {\n                        \"value\": \"[parameters('tagValue')]\"\n                    },\n                    \"effect\": {\n                        \"value\": \"Deny\"\n                    }\n                }\n            }\n        ]\n    }\n}\n
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#assigntestrg_testazurepolicysetjson","title":"assign.testRG_testazurepolicyset.json","text":"assign.testRG_testazurepolicyset.json
                    {\n    \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-testazurepolicy/providers/Microsoft.Authorization/policyAssignments/ada0f4a34b09cf6ad704cc62\",\n    \"type\": \"Microsoft.Authorization/policyAssignments\",\n    \"name\": \"ada0f4a34b09cf6ad704cc62\",     \n    \"properties\": {\n        \"description\": \"This initiative audits the presence of a specific tag and its value.\",\n        \"displayName\": \"Require a tag and its value\",\n        \"parameters\": {\n            \"tagName\": {\n              \"value\": \"environment\"\n            },\n            \"tagValue\": {\n              \"value\": \"production\"\n            }\n          },\n          \"nonComplianceMessages\": [\n            {\n              \"message\": \"This resource is not compliant with the policy. Please apply the required tag and its value.\"\n            }\n          ],\n          \"enforcementMode\": \"Default\",\n          \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policySetDefinitions/requite-tag-and-its-value\",\n          \"scope\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-testazurepolicy\"\n    }    \n}\n
                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/28/manage-azure-policy-github-action/#conclusion","title":"Conclusion","text":"

                    By incorporating the Manage Azure Policy action into your GitHub workflows, you can enforce policies, maintain compliance, and keep your Azure resources consistent. Although the action has its drawbacks, it is a step forward compared to working in the portal. Later we will see the deployment with a more robust tool: EPAC.

                    Learn more about Azure Policies and explore the action on the GitHub Marketplace.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/02/29/enterprise-azure-policy-as-code-epac/","title":"Enterprise Azure Policy as Code (EPAC)","text":"

                    Enterprise Azure Policy as Code (EPAC) is a powerful tool that allows organizations to manage Azure Policies as code in a git repository. It's designed for medium and large organizations with a larger number of Policies, Policy Sets, and Assignments, and/or complex deployment scenarios.

                    ","tags":["Azure Policy","EPAC"]},{"location":"blog/2024/02/29/enterprise-azure-policy-as-code-epac/#key-features-of-epac","title":"Key Features of EPAC","text":"
                    • Single and multi-tenant policy deployment: EPAC supports both single and multi-tenant policy deployments, making it versatile for different organizational structures.
                    • Easy CI/CD Integration: EPAC can be easily integrated with any CI/CD tool, which makes it a great fit for DevOps environments.
                    • Operational scripts: EPAC includes operational scripts to simplify operational tasks.
                    • Integration with Azure Landing Zones: EPAC provides a mature integration with Azure Landing Zones. Utilizing Azure Landing Zones together with EPAC is highly recommended.
                    ","tags":["Azure Policy","EPAC"]},{"location":"blog/2024/02/29/enterprise-azure-policy-as-code-epac/#who-should-use-epac","title":"Who Should Use EPAC?","text":"

                    EPAC is designed for medium and large organizations with a larger number of Policies, Policy Sets, and Assignments, and/or complex deployment scenarios. However, smaller organizations implementing fully-automated DevOps deployments of every Azure resource (known as Infrastructure as Code) can also benefit from EPAC.

                    ","tags":["Azure Policy","EPAC"]},{"location":"blog/2024/02/29/enterprise-azure-policy-as-code-epac/#how-does-epac-work","title":"How Does EPAC Work?","text":"

                    EPAC works by deploying all policies and policy assignments defined in the EPAC repository to the deploymentRootScope and its children. It takes possession of all Policy Resources at the deploymentRootScope and its children.

                    The process depicted in the image involves three key scripts that manage a deployment sequence. Here's a breakdown of the process:

                    1. Definition Files: The process begins with various definition files in JSON, CSV, or XLSX formats. These files contain policy definitions, policy set (initiative) definitions, assignments, exemptions, and global settings.

                    2. Planning Script: The Build-DeploymentPlans.ps1 script uses these definition files to create a deployment plan. This script requires Resource Policy Reader privileges.

                    3. Deployment Scripts: The deployment plan is then used by two deployment scripts:

                    • Deploy-PolicyPlan.ps1: This script deploys Policy resources using the policy-plan.json file from the deployment plan. It requires Resource Policy Contributor privileges.
                    • Deploy-RolesPlan.ps1: This script deploys Role Assignments using the roles-plan.json file from the deployment plan. It requires User Access Administrator privileges.

                    The process includes optional approval gates after each deployment step. These are typically used in production environments to ensure each deployment step is reviewed and approved before moving to the next.

                    Warning

                    EPAC is a true desired state deployment technology. It takes possession of all Policy Resources at the deploymentRootScope and its children. It will delete any Policy resources not defined in the EPAC repo.

                    ","tags":["Azure Policy","EPAC"]},{"location":"blog/2024/02/29/enterprise-azure-policy-as-code-epac/#conclusion","title":"Conclusion","text":"

                    EPAC is a robust solution for managing Azure Policies as code. It offers a high level of assurance in highly controlled and sensitive environments, and a means for the development, deployment, management, and reporting of Azure policy at scale.

                    ","tags":["Azure Policy","EPAC"]},{"location":"blog/2024/02/29/enterprise-azure-policy-as-code-epac/#references","title":"References","text":"
                    • EPAC Documentation
                    ","tags":["Azure Policy","EPAC"]},{"location":"blog/2024/03/02/azure-policy-management-best-practices/","title":"Azure Policy Management Best Practices","text":"
                    1. Version Control: Store your policy definitions in a version-controlled repository. This practice ensures that you can track changes, collaborate effectively, and roll back to previous versions if needed.

                    2. Automated Testing: Incorporate policy testing into your CI/CD pipelines. Automated tests can help you catch policy violations early in the development process, reducing the risk of non-compliance.

                    3. Policy Documentation: Document your policies clearly, including their purpose, scope, and expected behavior. This documentation helps stakeholders understand the policies and their impact on Azure resources.

                    4. Policy Assignment: Assign policies at the appropriate scope (e.g., Management Group, Subscription, Resource Group) based on your organizational requirements. Avoid assigning policies at a broader scope than necessary to prevent unintended consequences.

                    5. Policy Exemptions: Use policy exemptions judiciously. Document the reasons for exemptions and periodically review them to ensure they are still valid.

                    6. Policy Enforcement: Monitor policy compliance regularly and take corrective action for non-compliant resources. Use Azure Policy's built-in compliance reports and alerts to track policy violations.

                    7. Policy Remediation: Implement automated remediation tasks for policy violations where possible. Azure Policy's remediation tasks can help bring non-compliant resources back into compliance automatically.

                    8. Policy Monitoring: Continuously monitor policy effectiveness and adjust policies as needed. Regularly review policy violations, exemptions, and compliance trends to refine your policy implementation.

                    9. Policy Governance: Establish a governance framework for Azure Policy that includes policy creation, assignment, monitoring, and enforcement processes. Define roles and responsibilities for policy management to ensure accountability.

                    10. Policy Lifecycle Management: Define a policy lifecycle management process that covers policy creation, testing, deployment, monitoring, and retirement. Regularly review and update policies to align with changing organizational requirements.

                    11. Unique source of truth: Use EPAC, Terraform, ARM templates or another tool, but keep a single source of truth for your policies.

                    By following these best practices, you can effectively manage Azure policies and ensure compliance with organizational standards across your Azure environment. Azure Policy plays a crucial role in maintaining governance, security, and compliance, and adopting these practices can help you maximize its benefits.

                    ","tags":["Azure Policy"]},{"location":"blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/","title":"Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services","text":"

                    Today, I'd like to share a brief overview of a recommended Privileged Access Management (PAM) strategy, along the lines of what other vendors propose, implemented with Microsoft Entra ID and some Azure services. This strategy is divided into seven phases:

                    \ngraph LR;\n    A[Phase 1: Set Policy] \n    C[Phase 2: The Process of Discovery]\n    E[Phase 3: Protect Credentials]\n    G[Phase 4: Secure Privileged Access]\n    I[Phase 5: Least Privilege]\n    K[Phase 6: Control All Applications]\n    M[Phase 7: Detect and Respond]\n\n    A-->C\n    C-->E\n    E-->G\n    G-->I\n    I-->K\n    K-->M\n    M-->A\n\n    classDef phase fill:#f9f,stroke:#333,stroke-width:2px;\n    class A,C,E,G,I,K,M phase;\n\n

                    Info

                    Be hybrid and stay secure with a single control plane: use Azure ARC to inherit the same security and compliance policies across your on-premises, multi-cloud, and edge environments as in Azure.

                    ","tags":["Security","PAM"]},{"location":"blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/#phase-1-set-policy","title":"Phase 1: Set Policy","text":"

                    The first step in any PAM strategy is to establish a clear policy. This policy should define who has access to what, when they have access, and what they can do with that access. It should also include guidelines for password management and multi-factor authentication. For example:

                    • Define clear access control policies.
                    • Establish guidelines for password management and multi-factor authentication.
                    • Regularly review and update the policy to reflect changes in the organization.

                    How to implement this:

                    • Use Azure Policy to define and manage policies for your Azure environment.
                    • Use Microsoft Entra multifactor authentication for implementing multi-factor authentication.
                    ","tags":["Security","PAM"]},{"location":"blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/#phase-2-the-process-of-discovery","title":"Phase 2: The Process of Discovery","text":"

                    In this phase, we identify all the privileged accounts across the organization. This includes service accounts, local administrative accounts, domain administrative accounts, emergency accounts, and application accounts. For example:

                    • Use automated tools to identify all privileged accounts across the organization.
                    • Regularly update the inventory of privileged accounts.
                    • Identify any accounts that are no longer in use and deactivate them.

                    How to implement this:

                    • Use Microsoft Entra Privileged Identity Management to discover, restrict and monitor administrators and their access to resources and provide just-in-time access when needed.
                    ","tags":["Security","PAM"]},{"location":"blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/#phase-3-protect-credentials","title":"Phase 3: Protect Credentials","text":"

                    Once we've identified all privileged accounts, we need to ensure that these credentials are stored securely. This could involve using a secure vault, regularly rotating passwords, and using unique passwords for each account. For example:

                    • Store credentials in a secure vault.
                    • Implement regular password rotation.
                    • Use unique passwords for each account.

                    How to implement this:

                    • Use Azure Key Vault to safeguard cryptographic keys and other secrets used by your apps and services and rotate secrets regularly.
                    • Implement Microsoft Entra ID Password Protection to protect against weak passwords that can be easily guessed or cracked.
                    ","tags":["Security","PAM"]},{"location":"blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/#phase-4-secure-privileged-access","title":"Phase 4: Secure Privileged Access","text":"

                    Securing privileged access involves implementing controls to prevent unauthorized access. This could include limiting the number of privileged accounts, implementing least privilege, and using just-in-time access. For example:

                    • Limit the number of privileged accounts.
                    • Implement just-in-time access, where access is granted only for the duration of a task.
                    • Use session recording and monitoring for privileged access.

                    How to implement this:

                    • Use Microsoft Entra ID Conditional Access to enforce controls on the access to apps in your environment based on specific conditions.
                    • Implement Microsoft Entra Privileged Identity Management for just-in-time access.
                    ","tags":["Security","PAM"]},{"location":"blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/#phase-5-least-privilege","title":"Phase 5: Least Privilege","text":"

                    The principle of least privilege involves giving users the minimum levels of access \u2014 or permissions \u2014 they need to complete their job functions. By limiting the access rights of users, the risk of a security breach is reduced. For example:

                    • Implement role-based access control (RBAC) in Azure to grant the minimum necessary access to users.
                    • Regularly review user roles and access rights.
                    • Implement a process for revoking access when it's no longer needed.

                    How to implement this:

                    • Implement Role-Based Access Control (RBAC) in Azure to grant the minimum necessary access to users.
                    • Use Microsoft Entra ID Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments.
                    ","tags":["Security","PAM"]},{"location":"blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/#phase-6-control-all-applications","title":"Phase 6: Control All Applications","text":"

                    In this phase, we ensure that all applications, whether on-premises or in the cloud, are controlled and monitored. This includes implementing application control policies and monitoring application usage. For example:

                    • Implement application control policies that dictate what applications can be run on systems.
                    • Monitor application usage and block unauthorized applications.
                    • Regularly update and patch all applications to reduce vulnerabilities.

                    How to implement this:

                    • Use Microsoft Entra Application Proxy to control and secure access to on-premises and cloud apps.
                    • Enable Change Tracking and Inventory in Azure Automation to track changes to your Azure VMs. Use desired state configuration to ensure that your VMs are configured correctly.
                    • Implement Microsoft Intune to manage and secure your devices and applications.
                    ","tags":["Security","PAM"]},{"location":"blog/2024/04/04/privileged-access-management-pam-strategy-with-microsoft-entra-id-and-some-azure-services/#phase-7-detect-and-respond","title":"Phase 7: Detect and Respond","text":"

                    The final phase involves setting up systems to detect and respond to any suspicious activity. This could involve setting up alerts for unusual activity, regularly auditing access logs, and having a response plan in place for when a breach occurs. For example:

                    • Set up alerts for unusual activity.
                    • Regularly audit access logs.
                    • Have a response plan in place for when a breach occurs, including steps for containment, eradication, and recovery.

                    How to implement this:

                    • Use Microsoft Defender for Cloud for increased visibility into your security state and to detect and respond to threats.
                    • Implement Azure Sentinel, Microsoft's cloud-native SIEM solution, for intelligent security analytics.

                    By following these seven phases, you can create a robust PAM strategy that protects your organization from security breaches and helps you maintain compliance with various regulations.

                    Remember, a good PAM strategy is not a one-time effort but an ongoing process that needs to be regularly reviewed and updated. Microsoft and Azure services provide a robust set of tools to help you implement and manage your PAM strategy effectively.

                    ","tags":["Security","PAM"]},{"location":"blog/2024/04/05/microsoft-azure-certifications/","title":"Microsoft Azure Certifications","text":"

                    Microsoft offers a wide range of certifications for IT professionals who want to demonstrate their expertise in Microsoft technologies. These certifications cover a variety of topics, including Azure, Office 365, Windows Server, and more.

                    Microsoft divides these certifications into different categories, such as:

                    • Infrastructure
                    • Data and AI
                    • Digital app and innovation
                    • Modern work
                    • Business applications
                    • Security

                    Inside of each category, you can find different certification levels:

                    • Fundamentals: This level is designed for individuals who are new to the technology and want to demonstrate their knowledge of the basics.
                    • Role-based: This level is designed for individuals who want to demonstrate their expertise in a specific role, such as Azure Administrator or Data Engineer.
                    • Specialty: This level is designed for individuals who want to demonstrate their expertise in a specific skill, such as Azure Virtual Desktop or Azure SAP.

                    In the case of role-based certifications, Microsoft offers different levels of certification, such as:

                    • Associate: This level is designed for individuals who have some experience in the technology and want to demonstrate their expertise in a specific role.
                    • Expert: This level is designed for individuals who have extensive experience in the technology and want to demonstrate their expertise in a specific role.

                    It is always a good idea to start with the fundamentals certifications, and then move on to the role-based certifications that are relevant to your career goals.

                    In the majority of cases, you need associate certifications to get expert certifications.

                    ","tags":["Certifications"]},{"location":"blog/2024/04/05/microsoft-azure-certifications/#azure-certifications","title":"Azure Certifications","text":"

                    Here's a table summarizing the Azure Certifications and their description:

                    Certification (exam required): Description. URL

                    • Azure Administrator Associate (AZ-104): The Azure Administrator certification is designed for individuals who want to demonstrate their expertise in managing Azure resources. This certification is ideal for IT professionals who are responsible for implementing, monitoring, and maintaining Azure solutions. https://learn.microsoft.com/en-us/certifications/azure-administrator
                    • Azure Developer Associate (AZ-204): The Azure Developer certification is designed for individuals who want to demonstrate their expertise in developing applications on Azure. This certification is ideal for software developers who want to build and deploy cloud-based applications using Azure services. https://learn.microsoft.com/en-us/certifications/azure-developer
                    • Azure Data Engineer Associate (DP-203): The Azure Data Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing data solutions on Azure. This certification is ideal for data professionals who are responsible for building and maintaining data pipelines and data warehouses on Azure. https://learn.microsoft.com/en-us/certifications/azure-data-engineer
                    • Azure Database Administrator Associate (DP-300): The Azure Database Administrator certification is designed for individuals who want to demonstrate their expertise in managing Azure databases. This certification is ideal for database administrators who are responsible for designing, implementing, and maintaining databases on Azure. https://learn.microsoft.com/en-us/certifications/azure-database-administrator
                    • DevOps Engineer Expert (AZ-400): The Azure DevOps Engineer certification is designed for individuals who want to demonstrate their expertise in implementing DevOps practices on Azure. This certification is ideal for IT professionals who are responsible for building, testing, and deploying applications using Azure DevOps. https://learn.microsoft.com/en-us/certifications/devops-engineer
                    • Azure Security Engineer Associate (AZ-500): The Azure Security Engineer certification is designed for individuals who want to demonstrate their expertise in securing Azure resources. This certification is ideal for IT professionals who are responsible for implementing security controls and monitoring security events on Azure. https://learn.microsoft.com/en-us/certifications/azure-security-engineer
                    • Azure Network Engineer Associate (AZ-700): The Azure Network Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing network solutions on Azure. This certification is ideal for network engineers who are responsible for building and maintaining network infrastructure on Azure. https://learn.microsoft.com/en-us/certifications/azure-network-engineer
                    • Windows Server Hybrid Administrator Associate (AZ-800 and AZ-801): The Windows Server Hybrid Administrator certification is designed for individuals who want to demonstrate their expertise in managing Windows Server resources on Azure. This certification is ideal for IT professionals who are responsible for implementing, monitoring, and maintaining Windows Server solutions on Azure. https://learn.microsoft.com/en-us/certifications/windows-server-hybrid-administrator
                    • Fabric Analytics Engineer Associate (DP-600): The Fabric Analytics Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing analytics solutions on Azure. This certification is ideal for data professionals who are responsible for building and maintaining analytics solutions on Azure. https://learn.microsoft.com/en-us/certifications/fabric-analytics-engineer
                    • Azure AI Engineer Associate (AI-102): The Azure AI Engineer certification is designed for individuals who want to demonstrate their expertise in designing and implementing AI solutions on Azure. This certification is ideal for data scientists and AI developers who want to build and deploy AI models using Azure services. https://learn.microsoft.com/en-us/certifications/azure-ai-engineer
                    • Azure Data Scientist Associate (DP-100): The Azure Data Scientist certification is designed for individuals who want to demonstrate their expertise in designing and implementing data science solutions on Azure. This certification is ideal for data scientists who are responsible for building and maintaining data science solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-data-scientist
                    • Azure Enterprise Data Analyst Associate (DP-500): The Azure Enterprise Data Analyst certification is designed for individuals who want to demonstrate their expertise in designing and implementing data analysis solutions on Azure. This certification is ideal for data analysts who are responsible for building and maintaining data analysis solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-enterprise-data-analyst
                    • Azure Solutions Architect Expert (AZ-305): The Azure Solutions Architect certification is designed for individuals who want to demonstrate their expertise in designing and implementing solutions on Azure. This certification is ideal for IT professionals who are responsible for designing and implementing cloud-based solutions using Azure services. https://learn.microsoft.com/en-us/certifications/azure-solutions-architect
                    • Azure for SAP Workloads Specialty (AZ-120): The Azure for SAP Workloads certification is designed for individuals who want to demonstrate their expertise in deploying and managing SAP workloads on Azure. This certification is ideal for IT professionals who are responsible for implementing and maintaining SAP solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-for-sap-workloads
                    • Azure Virtual Desktop Specialty (AZ-140): The Azure Virtual Desktop certification is designed for individuals who want to demonstrate their expertise in deploying and managing virtual desktop solutions on Azure. This certification is ideal for IT professionals who are responsible for implementing and maintaining virtual desktop solutions on Azure. https://learn.microsoft.com/en-us/certifications/azure-virtual-desktop
                    • Azure Cosmos DB Developer Specialty (DP-420): The Azure Cosmos DB Developer certification is designed for individuals who want to demonstrate their expertise in developing applications that use Azure Cosmos DB. This certification is ideal for software developers who want to build and deploy applications that use Azure Cosmos DB. https://learn.microsoft.com/en-us/certifications/azure-cosmos-db-developer
                    • Azure Fundamentals (AZ-900): The Azure Fundamentals certification is designed for individuals who are new to Azure and want to demonstrate their knowledge of the platform. This certification is a great starting point for anyone who wants to learn more about Azure and how it can help them build and deploy applications in the cloud. https://learn.microsoft.com/en-us/certifications/azure-fundamentals
                    • Azure AI Fundamentals (AI-900): The Azure AI Fundamentals certification is designed for individuals who want to demonstrate their knowledge of AI concepts and how they can be applied to Azure services. This certification is ideal for anyone who wants to learn more about AI and how it can be used to build intelligent applications. https://learn.microsoft.com/en-us/certifications/azure-ai-fundamentals
                    • Azure Data Fundamentals (DP-900): The Azure Data Fundamentals certification is designed for individuals who want to demonstrate their knowledge of data concepts and how they can be applied to Azure services. This certification is ideal for anyone who wants to learn more about data and how it can be used to build data-driven applications. https://learn.microsoft.com/en-us/certifications/azure-data-fundamentals

                    You can find more information about Microsoft certifications on the Microsoft Certification Poster and in the Microsoft Learning website.

                    ","tags":["Certifications"]},{"location":"blog/2024/04/06/azure-arc/","title":"Azure ARC","text":"

                    Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running on-premises, at the edge, or in multi-cloud environments using the same Azure management tools, security, and compliance policies that you use in Azure. Azure ARC enables you to manage and govern your resources consistently across all environments, providing a unified control plane for your hybrid cloud infrastructure. Let's explore how Azure ARC works and how you can leverage it to manage your resources effectively.

                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/06/azure-arc/#azure-arc-overview","title":"Azure ARC Overview","text":"

                    Azure ARC is a service that extends Azure management capabilities to any infrastructure. It allows you to manage resources running outside of Azure using the same Azure management tools, security, and compliance policies that you use in Azure. Azure ARC provides a unified control plane for managing resources across on-premises, multi-cloud, and edge environments, enabling you to govern your resources consistently.

                    Azure ARC enables you to:

                    • Manage resources: Azure ARC allows you to manage resources running on-premises, at the edge, or in multi-cloud environments using Azure management tools like Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                    • Governance: Azure ARC provides a unified control plane for managing and governing resources across all environments, enabling you to enforce security and compliance policies consistently.
                    • Security: Azure ARC extends Azure security capabilities to resources running outside of Azure, enabling you to protect your resources with Azure security features like Azure Security Center and Azure Defender.
                    • Compliance: Azure ARC enables you to enforce compliance policies across all environments, ensuring that your resources meet regulatory requirements and organizational standards.
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/06/azure-arc/#azure-arc-components","title":"Azure ARC Components","text":"

                    Azure ARC consists of the following components:

                    • Azure ARC-enabled servers: Azure ARC-enabled servers allow you to manage and govern servers running on-premises or at the edge using Azure management tools. You can connect your servers to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                    • Azure ARC-enabled Kubernetes clusters: Azure ARC-enabled Kubernetes clusters allow you to manage and govern Kubernetes clusters running on-premises or in other clouds using Azure management tools. You can connect your Kubernetes clusters to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                    • Azure ARC-enabled data services: Azure ARC-enabled data services allow you to manage and govern data services running on-premises or in other clouds using Azure management tools. You can connect your data services to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                    • SQL Server enabled by Azure Arc: SQL Server enabled by Azure Arc allows you to run SQL Server on any infrastructure using Azure management tools. You can connect your SQL Server instances to Azure ARC to manage them using Azure Policy, Azure Monitor, and Microsoft Defender for Cloud.
                    • Azure Arc-enabled private clouds: Azure Arc resource bridge hosts other components such as custom locations, cluster extensions, and other Azure Arc agents in order to deliver the level of functionality with the private cloud infrastructures it supports.
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/06/azure-arc/#azure-arc-use-cases","title":"Azure ARC Use Cases","text":"

                    Azure ARC can be used in a variety of scenarios to manage and govern resources across on-premises, multi-cloud, and edge environments. Some common use cases for Azure ARC include:

                    • Hybrid cloud management: Azure ARC enables you to manage resources consistently across on-premises, multi-cloud, and edge environments using the same Azure management tools and policies.
                    • Security and compliance: Azure ARC allows you to enforce security and compliance policies consistently across all environments, ensuring that your resources meet regulatory requirements and organizational standards.
                    • Resource governance: Azure ARC provides a unified control plane for managing and governing resources across all environments, enabling you to enforce policies and monitor resource health and performance.
                    • Application modernization: Azure ARC enables you to manage and govern Kubernetes clusters and data services running on-premises or in other clouds, allowing you to modernize your applications and infrastructure.
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/06/azure-arc/#getting-started-with-azure-arc","title":"Getting Started with Azure ARC","text":"

                    To get started with Azure ARC, you need to:

                    1. Connect your resources: Connect your servers, Kubernetes clusters, or data services to Azure ARC using the Azure ARC agent.
                    2. Manage your resources: Use Azure management tools like Azure Policy, Azure Monitor, and Microsoft Defender for Cloud to manage and govern your resources consistently across all environments.
                    3. Enforce security and compliance: Use Azure security features like Microsoft Defender for Cloud to protect your resources and enforce security and compliance policies.

                    By leveraging Azure ARC, you can manage and govern your resources consistently across on-premises, multi-cloud, and edge environments, providing a unified control plane for your hybrid cloud infrastructure. Azure ARC enables you to enforce security and compliance policies consistently, ensuring that your resources meet regulatory requirements and organizational standards.

                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/06/azure-arc/#conclusion","title":"Conclusion","text":"

                    Azure ARC is a powerful service that extends Azure management capabilities to any infrastructure, enabling you to manage and govern resources consistently across on-premises, multi-cloud, and edge environments. By leveraging Azure ARC, you can enforce security and compliance policies consistently, ensuring that your resources meet regulatory requirements and organizational standards. Azure ARC provides a unified control plane for managing and governing resources, enabling you to manage your hybrid cloud infrastructure effectively.

                    For more information on Azure ARC, visit the Azure ARC documentation.

                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/","title":"How to use Azure ARC-enabled servers with managed identity to access an Azure Storage Account","text":"

                    In this demo we will show how to use Azure ARC-enabled servers with a managed identity to access an Azure Storage Account.

                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#prerequisites","title":"Prerequisites","text":"
                    • An Azure subscription. If you don't have an Azure subscription, create a free account before you begin.
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#required-permissions","title":"Required permissions","text":"

                    You'll need the following Azure built-in roles for different aspects of managing connected machines:

                    • To onboard machines, you must have the Azure Connected Machine Onboarding or Contributor role for the resource group where you're managing the servers.
                    • To read, modify, and delete a machine, you must have the Azure Connected Machine Resource Administrator role for the resource group.
                    • To select a resource group from the drop-down list when using the Generate script method, you'll also need the Reader role for that resource group (or another role that includes Reader access).
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#register-azure-resource-providers","title":"Register Azure resource providers","text":"

                    To use Azure Arc-enabled servers with managed identity, you need to register the following resource providers:

                    az account set --subscription \"{Your Subscription Name}\"\naz provider register --namespace 'Microsoft.HybridCompute'\naz provider register --namespace 'Microsoft.GuestConfiguration'\naz provider register --namespace 'Microsoft.HybridConnectivity'\naz provider register --namespace 'Microsoft.AzureArcData'\n

                    Info

                    • Microsoft.AzureArcData (if you plan to Arc-enable SQL Servers)
                    • Microsoft.Compute (for Azure Update Manager and automatic extension upgrades)

                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#networking-requirements","title":"Networking requirements","text":"

                    The Azure Connected Machine agent for Linux and Windows communicates outbound securely to Azure Arc over TCP port 443. In this demo, we use Azure Private Link.

                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#azure-arc-enabled-enabled-server","title":"Azure ARC-enabled server","text":"

                    We use Azure Private Link to securely connect networks to Azure Arc-enabled servers.

                    Some tips:

                    • If you have any issue registering the VM, generate a script to register a machine with Azure Arc following the instructions here.

                    • If you get an error that says \"Path C:\\ProgramData\\AzureConnectedMachineAgent\\Log\\himds.log is busy. Retrying...\", you can use the following command to uninstall the agent, if you know what you are doing:

                     # Uninstall every installed product whose name starts with \"Azure \" (the Connected Machine agent included); piping through ForEach-Object calls Uninstall() on each match\nGet-WmiObject -Class Win32_Product | Where-Object { $_.Name -like \"Azure *\" } | ForEach-Object { $_.Uninstall() }\n
                    • Review the hosts file and add the following entries:

                    $Env:PEname = \"myprivatelink\"\n$Env:resourceGroup = \"myResourceGroup\"\n$file = \"C:\\Windows\\System32\\drivers\\etc\\hosts\"\n\n# Read each private DNS record of the Arc private endpoint as plain text (-o tsv, so there are no quotes to strip)\n# and drop the privatelink label from the FQDN to obtain the public name the agent resolves\n$gisfqdn = (az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup --query '[0].privateDnsZoneConfigs[0].recordSets[0].fqdn' -o tsv).replace('.privatelink','')\n$gisIP = az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup --query '[0].privateDnsZoneConfigs[0].recordSets[0].ipAddresses[0]' -o tsv\n$hisfqdn = (az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup --query '[0].privateDnsZoneConfigs[0].recordSets[1].fqdn' -o tsv).replace('.privatelink','')\n$hisIP = az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup --query '[0].privateDnsZoneConfigs[0].recordSets[1].ipAddresses[0]' -o tsv\n$agentfqdn = (az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup --query '[0].privateDnsZoneConfigs[1].recordSets[0].fqdn' -o tsv).replace('.privatelink','')\n$agentIP = az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup --query '[0].privateDnsZoneConfigs[1].recordSets[0].ipAddresses[0]' -o tsv\n$gasfqdn = (az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup --query '[0].privateDnsZoneConfigs[1].recordSets[1].fqdn' -o tsv).replace('.privatelink','')\n$gasIP = az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup --query '[0].privateDnsZoneConfigs[1].recordSets[1].ipAddresses[0]' -o tsv\n$dpfqdn = (az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup --query '[0].privateDnsZoneConfigs[2].recordSets[0].fqdn' -o tsv).replace('.privatelink','')\n$dpIP = az network private-endpoint dns-zone-group list --endpoint-name $Env:PEname --resource-group $Env:resourceGroup --query '[0].privateDnsZoneConfigs[2].recordSets[0].ipAddresses[0]' -o tsv\n\n# Build the entries and append them to the hosts file (run from an elevated PowerShell session)\n$hostfile = @()\n$hostfile += \"$gisIP $gisfqdn\"\n$hostfile += \"$hisIP $hisfqdn\"\n$hostfile += \"$agentIP $agentfqdn\"\n$hostfile += \"$gasIP $gasfqdn\"\n$hostfile += \"$dpIP $dpfqdn\"\nAdd-Content -Path $file -Value $hostfile\n
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#storage-account-configuration","title":"Storage Account configuration","text":"","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#create-a-storage-account-with-static-website-enabled","title":"Create a Storage Account with static website enabled","text":"
                    $resourceGroup = \"myResourceGroup\"\n$location = \"eastus\"\n$storageAccount = \"mystorageaccount\"\n$indexDocument = \"index.html\"\naz group create --name $resourceGroup --location $location\naz storage account create --name $storageAccount --resource-group $resourceGroup --location $location --sku Standard_LRS\naz storage blob service-properties update --account-name $storageAccount --static-website --index-document $indexDocument\n
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#add-private-endpoints-to-the-storage-accoun-for-blob-and-static-website","title":"Add private endpoints to the storage account for blob and static website","text":"
                    $resourceGroup = \"myResourceGroup\"\n$storageAccount = \"mystorageaccount\"\n$privateEndpointName = \"myprivatelink\"\n$location = \"eastus\"\n$vnetName = \"myVnet\"\n$subnetName = \"mySubnet\"\n$subscriptionId = \"{subscription-id}\"\n$storageId = \"/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Storage/storageAccounts/$storageAccount\"\n# One private endpoint per sub-resource (blob and web); endpoint names must be unique within the resource group\naz network private-endpoint create --name \"$privateEndpointName-blob\" --resource-group $resourceGroup --vnet-name $vnetName --subnet $subnetName --private-connection-resource-id $storageId --group-id blob --connection-name \"$privateEndpointName-blob\" --location $location\naz network private-endpoint create --name \"$privateEndpointName-web\" --resource-group $resourceGroup --vnet-name $vnetName --subnet $subnetName --private-connection-resource-id $storageId --group-id web --connection-name \"$privateEndpointName-web\" --location $location\n
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#disable-public-access-to-the-storage-account-except-for-your-ip","title":"Disable public access to the storage account except for your IP","text":"
                    $resourceGroup = \"myResourceGroup\"\n$storageAccount = \"mystorageaccount\"\n$ipAddress = \"myIpAddress\"\n# Deny all public traffic by default; --bypass takes space-separated values\naz storage account update --name $storageAccount --resource-group $resourceGroup --bypass AzureServices Logging Metrics --default-action Deny\n# Allow only your own public IP through the firewall\naz storage account network-rule add --account-name $storageAccount --resource-group $resourceGroup --ip-address $ipAddress\n
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#assign-the-storage-blob-data-contributor-role-to-the-managed-identity-of-the-azure-arc-enabled-server","title":"Assign the Storage Blob Data Contributor role to the managed identity of the Azure ARC-enabled server","text":"
                    $resourceGroup = \"myResourceGroup\"\n$storageAccount = \"mystorageaccount\"\n$serverName = \"myserver\"\n$managedIdentity = az resource show --resource-group $resourceGroup --name $serverName --resource-type \"Microsoft.HybridCompute/machines\" --query \"identity.principalId\" --output tsv\naz role assignment create --role \"Storage Blob Data Contributor\" --assignee-object-id $managedIdentity --scope \"/subscriptions/{subscription-id}/resourceGroups/$resourceGroup/providers/Microsoft.Storage/storageAccounts/$storageAccount\"\n
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#download-azcopy-install-it-and-copy-something-to-web-in-the-storage-account","title":"Download azcopy, install it and copy something to $web in the storage account","text":"","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#download-azcopy-in-the-vm","title":"Download azcopy in the vm","text":"
                    Invoke-WebRequest -Uri \"https://aka.ms/downloadazcopy-v10-windows\" -OutFile AzCopy.zip -UseBasicParsing\n\nExpand-Archive AzCopy.zip -DestinationPath .\\AzCopy -Force\n\n# The archive contains a versioned folder (azcopy_windows_amd64_<version>); move the executable to a fixed path\nNew-Item -ItemType Directory -Path \"$env:ProgramFiles\\azcopy\" -Force | Out-Null\nGet-ChildItem .\\AzCopy\\*\\azcopy.exe | Move-Item -Destination \"$env:ProgramFiles\\azcopy\" -Force\n\n$env:Path += \";$env:ProgramFiles\\azcopy\"\n
                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/07/how-to-use-azue-arc-enabled-servers-with-managed-identity-to-access-to-azure-storage-account/#copy-something-to-web-in-the-storage-account","title":"Copy something to $web in the storage account","text":"
                    $storageAccount = \"mystorageaccount\"\n$source = \"C:\\Users\\Public\\Documents\\myFile.txt\"\n# Escape the $ with a backtick so PowerShell does not expand $web as a variable\n$destination = \"https://$storageAccount.blob.core.windows.net/`$web/myFile.txt\"\n# Authenticate with the system-assigned managed identity of the Arc-enabled server\nazcopy login --identity\nazcopy copy $source $destination\n

                    Now you can check the file in the static website of the storage account.

                    ","tags":["Azure ARC"]},{"location":"blog/2024/04/17/cambio-de-nombres-de-los-niveles-de-servicio-de-microsoft-defender-para-cloud/","title":"Renaming of the Microsoft Defender for Cloud service tiers","text":"

                    This is not new, but I would like to recall that Microsoft has renamed the Microsoft Defender for Cloud service tiers. The following table shows the previous and the new names of the Microsoft Defender for Cloud service tiers:

                    PREVIOUS service tier name | NEW service tier name | Service tier (unchanged)\n--- | --- | ---\nAdvanced Data Security | Microsoft Defender for Cloud | Defender for SQL\nAdvanced Threat Protection | Microsoft Defender for Cloud | Defender for container registries\nAdvanced Threat Protection | Microsoft Defender for Cloud | Defender for DNS\nAdvanced Threat Protection | Microsoft Defender for Cloud | Defender for Key Vault\nAdvanced Threat Protection | Microsoft Defender for Cloud | Defender for Kubernetes\nAdvanced Threat Protection | Microsoft Defender for Cloud | Defender for MySQL\nAdvanced Threat Protection | Microsoft Defender for Cloud | Defender for PostgreSQL\nAdvanced Threat Protection | Microsoft Defender for Cloud | Defender for Resource Manager\nAdvanced Threat Protection | Microsoft Defender for Cloud | Defender for Storage\nAzure Defender | Microsoft Defender for Cloud | Defender External Attack Surface Management\nAzure Defender | Microsoft Defender for Cloud | Defender for Azure Cosmos DB\nAzure Defender | Microsoft Defender for Cloud | Defender for Containers\nAzure Defender | Microsoft Defender for Cloud | Defender for MariaDB\nSecurity Center | Microsoft Defender for Cloud | Defender for App Service\nSecurity Center | Microsoft Defender for Cloud | Defender for Servers\nSecurity Center | Microsoft Defender for Cloud | Defender Cloud Security Posture Management","tags":["Microsoft Defender for Cloud"]},{"location":"blog/2024/04/17/azure-policy-useful-queries/","title":"Azure Policy useful queries","text":"","tags":["Azure 
Policy"]},{"location":"blog/2024/04/17/azure-policy-useful-queries/#policy-assignments-and-information-about-each-of-its-respective-definitions","title":"Policy assignments and information about each of its respective definitions","text":"
                    // Policy assignments and information about each of its respective definitions\n// Gets policy assignments in your environment with the respective assignment name,definition associated, category of definition (if applicable), as well as whether the definition type is an initiative or a single policy.\n\npolicyResources\n| where type =~'Microsoft.Authorization/PolicyAssignments'\n| project policyAssignmentId = tolower(tostring(id)), policyAssignmentDisplayName = tostring(properties.displayName), policyAssignmentDefinitionId = tolower(properties.policyDefinitionId)\n| join kind=leftouter(\n policyResources\n | where type =~'Microsoft.Authorization/PolicySetDefinitions' or type =~'Microsoft.Authorization/PolicyDefinitions'\n | project definitionId = tolower(id), category = tostring(properties.metadata.category), definitionType = iff(type =~ 'Microsoft.Authorization/PolicysetDefinitions', 'initiative', 'policy')\n) on $left.policyAssignmentDefinitionId == $right.definitionId\n
                    • Original Gist
                    ","tags":["Azure Policy"]},{"location":"blog/2024/04/19/azure-network-hub-and-spoke-topology/","title":"Azure Network, Hub-and-Spoke Topology","text":"

                    Hub and Spoke is a network topology where a central Hub is connected to multiple Spokes. The Hub acts as a central point of connectivity and control, while the Spokes are isolated networks that connect to the Hub. This topology is common in Azure to simplify the connectivity and management of virtual networks.

                    graph TD\n    HUB((\"Central Hub\"))\n    SPOKE1[Spoke1]\n    SPOKE2[Spoke2]\n    SPOKE3[Spoke3]\n    SPOKEN[Spoke...]\n    HUB --- SPOKE1\n    HUB --- SPOKE2\n    HUB --- SPOKE3\n    HUB --- SPOKEN
                    ","tags":["Azure Network","Hub and Spoke"]},{"location":"blog/2024/04/19/azure-network-hub-and-spoke-topology/#key-features-of-the-hub-and-spoke-topology","title":"Key Features of the Hub and Spoke Topology","text":"
                    1. Centralized Connectivity: The Hub centralizes the connectivity between the Spoke networks. This simplifies the administration and maintenance of the network.

                    2. Traffic Control: The Hub acts as a traffic control point between the Spoke networks. This allows for centralized application of security and routing policies.

                    3. Scalability: The Hub and Spoke topology is highly scalable and can grow to meet the organization's connectivity needs.

                    4. Resilience: The Hub and Spoke topology provides redundancy and resilience in case of network failures.

                    ","tags":["Azure Network","Hub and Spoke"]},{"location":"blog/2024/04/19/azure-network-hub-and-spoke-topology/#how-to-use-the-hub-and-spoke-topology-in-azure","title":"How to Use the Hub and Spoke Topology in Azure","text":"

                    To implement the Hub and Spoke topology in Azure, follow these steps:

                    # Step 1: Create a virtual network for the Hub (the address spaces below are example values)\naz network vnet create --name HubVnet --resource-group MyResourceGroup --location eastus --address-prefix 10.0.0.0/16\n\n# Step 2: Create virtual networks for the Spokes (address spaces must not overlap)\naz network vnet create --name Spoke1Vnet --resource-group MyResourceGroup --location eastus --address-prefix 10.1.0.0/16\naz network vnet create --name Spoke2Vnet --resource-group MyResourceGroup --location eastus --address-prefix 10.2.0.0/16\naz network vnet create --name Spoke3Vnet --resource-group MyResourceGroup --location eastus --address-prefix 10.3.0.0/16\n\n# Step 3: Connect the Spokes to the Hub (a peering must be created in both directions)\naz network vnet peering create --name Spoke1ToHub --resource-group MyResourceGroup --vnet-name Spoke1Vnet --remote-vnet HubVnet --allow-vnet-access\naz network vnet peering create --name HubToSpoke1 --resource-group MyResourceGroup --vnet-name HubVnet --remote-vnet Spoke1Vnet --allow-vnet-access\naz network vnet peering create --name Spoke2ToHub --resource-group MyResourceGroup --vnet-name Spoke2Vnet --remote-vnet HubVnet --allow-vnet-access\naz network vnet peering create --name HubToSpoke2 --resource-group MyResourceGroup --vnet-name HubVnet --remote-vnet Spoke2Vnet --allow-vnet-access\naz network vnet peering create --name Spoke3ToHub --resource-group MyResourceGroup --vnet-name Spoke3Vnet --remote-vnet HubVnet --allow-vnet-access\naz network vnet peering create --name HubToSpoke3 --resource-group MyResourceGroup --vnet-name HubVnet --remote-vnet Spoke3Vnet --allow-vnet-access\n\n# Step 4: Configure routing in the Hub: allow the Spokes to use the Hub's VPN/ExpressRoute gateway\naz network vnet peering update --name HubToSpoke1 --resource-group MyResourceGroup --vnet-name HubVnet --set allowGatewayTransit=true\naz network vnet peering update --name HubToSpoke2 --resource-group MyResourceGroup --vnet-name HubVnet --set allowGatewayTransit=true\naz network vnet peering update --name HubToSpoke3 --resource-group MyResourceGroup --vnet-name HubVnet --set allowGatewayTransit=true\n\n# Step 5: Configure routing in the Spokes: send on-premises traffic through the Hub's gateway (requires a gateway deployed in the Hub)\naz network vnet peering update --name Spoke1ToHub --resource-group MyResourceGroup --vnet-name Spoke1Vnet --set useRemoteGateways=true\naz network vnet peering update --name Spoke2ToHub --resource-group MyResourceGroup --vnet-name Spoke2Vnet --set useRemoteGateways=true\naz network vnet peering update --name Spoke3ToHub --resource-group MyResourceGroup --vnet-name Spoke3Vnet --set useRemoteGateways=true\n
                    ","tags":["Azure Network","Hub and Spoke"]},{"location":"blog/2024/04/19/azure-network-hub-and-spoke-topology/#variant-of-the-hub-and-spoke-topology","title":"Variant of the Hub and Spoke Topology","text":"

                    A variant of the Hub and Spoke topology is the Hub and Spoke with peering between spokes that is generally used to allow direct connectivity between the Spoke networks without going through the Hub. This can be useful in scenarios where direct connectivity between the Spoke networks is required, such as data replication or application communication.

                    graph TD\n    HUB((\"Central Hub\"))\n    SPOKE1[Spoke1]\n    SPOKE2[Spoke2]\n    SPOKE3[Spoke3]\n    SPOKEN[Spoke...]\n    HUB --- SPOKE1\n    HUB --- SPOKE2\n    HUB --- SPOKE3\n    HUB --- SPOKEN\n    SPOKE1 -.- SPOKE2    
                    In this case, it would be connecting the Spoke networks to each other via virtual network peering, for example:

                    # Connect Spoke1 to Spoke2 (peering is created in both directions)\naz network vnet peering create --name Spoke1ToSpoke2 --resource-group MyResourceGroup --vnet-name Spoke1Vnet --remote-vnet Spoke2Vnet --allow-vnet-access\naz network vnet peering create --name Spoke2ToSpoke1 --resource-group MyResourceGroup --vnet-name Spoke2Vnet --remote-vnet Spoke1Vnet --allow-vnet-access\n
                    ","tags":["Azure Network","Hub and Spoke"]},{"location":"blog/2024/04/19/azure-network-hub-and-spoke-topology/#scalability-and-performance","title":"Scalability and Performance","text":"

                    The Hub and Spoke topology in Azure is highly scalable and can handle thousands of virtual networks and subnets. In terms of performance, the Hub and Spoke topology provides efficient and low-latency connectivity between the Spoke networks and the Hub.

                    ","tags":["Azure Network","Hub and Spoke"]},{"location":"blog/2024/04/19/azure-network-hub-and-spoke-topology/#security-and-compliance","title":"Security and Compliance","text":"

                    The Hub and Spoke topology in Azure provides centralized control over network security and compliance. Security and routing policies can be applied centrally at the Hub, ensuring consistency and compliance with the organization's network policies.

                    ","tags":["Azure Network","Hub and Spoke"]},{"location":"blog/2024/04/19/azure-network-hub-and-spoke-topology/#monitoring-and-logging","title":"Monitoring and Logging","text":"

                    Use Network Watcher to monitor and diagnose network problems in the Hub and Spoke topology. Network Watcher provides the following tools:

                    • Monitoring
                      • Topology view shows you the resources in your virtual network and the relationships between them.
                      • Connection monitor allows you to monitor connectivity and latency between endpoints within and outside of Azure.
                    • Network diagnostic tools
                      • IP flow verify helps you detect traffic filtering issues at the virtual machine level.
                      • NSG diagnostics helps you detect traffic filtering issues at the virtual machine, virtual machine scale set, or application gateway level.
                      • Next hop helps you verify traffic routes and detect routing issues.
                      • Connection troubleshoot enables a one-time check of connectivity and latency between a virtual machine and the Bastion host, application gateway, or another virtual machine.
                      • Packet capture allows you to capture traffic from your virtual machine.
                      • VPN troubleshoot runs multiple diagnostic checks on your gateways and VPN connections to help debug issues.
                    • Traffic
                      • Network security group flow logs and virtual network flow logs let you log network traffic passing through your network security groups (NSGs) and virtual networks respectively.
                      • Traffic analytics processes data from your network security group flow log allowing you to visualize, query, analyze, and understand your network traffic.

                    Virtual network flow logs, a recently released feature, allow you to monitor network traffic in Azure virtual networks.

                    ","tags":["Azure Network","Hub and Spoke"]},{"location":"blog/2024/04/19/azure-network-hub-and-spoke-topology/#use-cases-and-examples","title":"Use Cases and Examples","text":"

                    The Hub and Spoke topology is ideal for organizations that require centralized connectivity and traffic control between multiple virtual networks in Azure. For example, an organization with multiple branches or departments can use the Hub and Spoke topology to securely and efficiently connect their virtual networks in the cloud.

                    ","tags":["Azure Network","Hub and Spoke"]},{"location":"blog/2024/04/19/azure-network-hub-and-spoke-topology/#best-practices-and-tips","title":"Best Practices and Tips","text":"

                    When implementing the Hub and Spoke topology in Azure, it is recommended to follow these best practices:

                    • Security: Apply consistent security policies at the Hub and Spokes to ensure network protection.
                    • Resilience: Configure redundancy and resilience in the topology to ensure network availability in case of failures.
                    • Monitoring: Use monitoring tools like Azure Monitor to monitor network traffic and detect potential performance issues.
                    ","tags":["Azure Network","Hub and Spoke"]},{"location":"blog/2024/04/19/azure-network-hub-and-spoke-topology/#conclusion","title":"Conclusion","text":"

                    The Hub and Spoke topology is an effective way to simplify the connectivity and management of virtual networks in Azure. It provides centralized control over network connectivity and traffic, making it easier to implement security and routing policies consistently across the network. By following the recommended best practices and tips, organizations can make the most of the Hub and Spoke topology to meet their cloud connectivity needs.

                    ","tags":["Azure Network","Hub and Spoke"]},{"location":"blog/2024/04/19/azure-network-hub-and-spoke-topology/#references","title":"References","text":"
                    • Network Watcher frequently asked questions (FAQ)
                    • Azure Topology
                    ","tags":["Azure Network","Hub and Spoke"]},{"location":"blog/2024/04/19/azure-role-based-access-control-rbac/","title":"Azure Role-Based Access Control (RBAC)","text":"

                    Azure Role-Based Access Control (RBAC) is a system that provides fine-grained access management of resources in Azure. This allows administrators to grant only the amount of access that users need to perform their jobs.

                    ","tags":["Role-Based Access Control"]},{"location":"blog/2024/04/19/azure-role-based-access-control-rbac/#overview","title":"Overview","text":"

                    In Azure RBAC, you can assign roles to user accounts, groups, service principals, and managed identities at different scopes. The scope could be a management group, subscription, resource group, or a single resource.

                    Here are some key terms you should know:

                    • Role: A collection of permissions. For example, the \"Virtual Machine Contributor\" role allows the user to create and manage virtual machines.
                    • Scope: The set of resources that the access applies to.
                    • Assignment: The act of granting a role to a security principal at a particular scope.
                    ","tags":["Role-Based Access Control"]},{"location":"blog/2024/04/19/azure-role-based-access-control-rbac/#built-in-roles","title":"Built-in Roles","text":"

                    Azure provides several built-in roles that you can assign to users, groups, service principals, and managed identities. Here are a few examples:

                    • Owner: Has full access to all resources including the right to delegate access to others.
                    • Contributor: Can create and manage all types of Azure resources but can\u2019t grant access to others.
                    • Reader: Can view existing Azure resources.
                    {\n  \"Name\": \"Contributor\",\n  \"Id\": \"b24988ac-6180-42a0-ab88-20f7382dd24c\",\n  \"IsCustom\": false,\n  \"Description\": \"Lets you manage everything except access to resources.\",\n  \"Actions\": [\n    \"*\"\n  ],\n  \"NotActions\": [\n    \"Microsoft.Authorization/*/Delete\",\n    \"Microsoft.Authorization/*/Write\",\n    \"Microsoft.Authorization/elevateAccess/Action\"\n  ],\n  \"DataActions\": [],\n  \"NotDataActions\": [],\n  \"AssignableScopes\": [\n    \"/\"\n  ]\n}\n
                    ","tags":["Role-Based Access Control"]},{"location":"blog/2024/04/19/azure-role-based-access-control-rbac/#custom-roles","title":"Custom Roles","text":"

                    If the built-in roles don't meet your specific needs, you can create your own custom roles. Just like built-in roles, you can assign permissions to custom roles and then assign those roles to users.
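As an added example (not code from the post), the following Python evaluates a control-plane operation against the Contributor definition shown above and against a constructed custom role; it shows how Actions and NotActions combine and why NotActions in one role is not a deny once a second role is assigned. The custom role name and the wildcard matching via `fnmatch` are assumptions.

```python
import fnmatch
import json

# The built-in Contributor definition as shown on the page.
CONTRIBUTOR = json.loads("""
{
  "Name": "Contributor",
  "Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
  "IsCustom": false,
  "Description": "Lets you manage everything except access to resources.",
  "Actions": ["*"],
  "NotActions": [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/"]
}
""")

# Constructed custom role (hypothetical, not from the page) that grants only
# role-assignment writes; used to show that NotActions only narrows its own role.
ROLE_ASSIGNMENT_WRITER = {
    "Name": "Role Assignment Writer (constructed)",
    "IsCustom": True,
    "Actions": ["Microsoft.Authorization/roleAssignments/write"],
    "NotActions": [],
}


def _matches(operation: str, patterns) -> bool:
    """Azure RBAC wildcard match: case-insensitive, and '*' spans any
    characters including '/', so 'Microsoft.Authorization/*/Write' covers
    'Microsoft.Authorization/roleAssignments/write'. fnmatch is not
    path-aware, which is exactly the behaviour needed here."""
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)


def role_allows(role: dict, operation: str) -> bool:
    """One role permits a control-plane operation when the operation matches
    an Actions entry and matches no NotActions entry. DataActions (data plane)
    are evaluated separately and are not modelled here."""
    return _matches(operation, role.get("Actions", [])) and not _matches(
        operation, role.get("NotActions", [])
    )


def assignments_allow(roles, operation: str) -> bool:
    """Role assignments are additive: the operation is permitted if any
    assigned role permits it. Azure deny assignments are not modelled."""
    return any(role_allows(r, operation) for r in roles)


if __name__ == "__main__":
    checks = [
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/elevateAccess/action",
    ]
    for op in checks:
        print(f"Contributor -> {op}: {role_allows(CONTRIBUTOR, op)}")
    # The second assignment re-grants what Contributor's NotActions excluded.
    both = [CONTRIBUTOR, ROLE_ASSIGNMENT_WRITER]
    print("Contributor + custom -> roleAssignments/write:",
          assignments_allow(both, "Microsoft.Authorization/roleAssignments/write"))
```

When reviewing who can change access at a scope, this is why an assignment audit has to consider every role held by a principal, not just whether a single role lists the operation under NotActions.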

                    ","tags":["Role-Based Access Control"]},{"location":"blog/2024/04/19/azure-role-based-access-control-rbac/#conclusion","title":"Conclusion","text":"

                    Azure RBAC is a powerful tool for managing access to your Azure resources. By understanding its core concepts and how to apply them, you can ensure that users have the appropriate level of access for their job.

                    ","tags":["Role-Based Access Control"]},{"location":"blog/2024/04/19/how-to-create-assigment-reports-for-azure-rbac/","title":"How to create assignment Reports for Azure RBAC","text":"

                    Role-Based Access Control (RBAC) is a key feature of Azure that allows you to manage access to Azure resources. With RBAC, you can grant permissions to users, groups, and applications at a certain scope, such as a subscription, resource group, or resource. RBAC uses role assignments to determine what actions a user, group, or application can perform on a resource.

                    In this article, we will show you how to create reports for role assignments in Azure using PowerShell and the ImportExcel module. We will generate separate Excel files for role assignments at the subscription and management group levels, including information such as the role, principal, scope, and whether the assignment is inherited.

                    This is the PowerShell script that generates the role assignment reports:

                    # Parameters setup\nparam (\n    [Parameter(Mandatory=$false)]\n    [string]$SubscriptionId,\n\n    [Parameter(Mandatory=$false)]\n    [string]$ManagementGroupName,\n\n    [Parameter(Mandatory=$false)]\n    [bool]$GetSubscriptions = $false,\n\n    [Parameter(Mandatory=$false)]\n    [bool]$GetManagementGroups = $true\n)\n\n\n# Install the ImportExcel module if not already installed\nif (!(Get-Module -ListAvailable -Name ImportExcel)) {\n    Install-Module -Name ImportExcel -Scope CurrentUser\n}\n\n# Define the path to your Excel file for Managing Group role assignments\n$managementGroupPath = \".\\AzRoleAssignmentMg.xlsx\"\n# Define the path to your Excel file for Subscription role assignments\n$subscriptionPath = \".\\AzRoleAssignmentSub.xlsx\"\n\n# Initialize an empty array to hold all role assignments\n$subscriptionRoleAssignments = @()\n$managementGroupRoleAssignments = @()\n\n# Get all management groups\n$managementGroups = Get-AzManagementGroup\n\n# Loop through each management group\nforeach ($mg in $managementGroups) {\n    # Get role assignments for the current management group\n    $roleAssignments = Get-AzRoleAssignment -Scope \"/providers/Microsoft.Management/managementGroups/$($mg.Name)\"\n\n    # Add these role assignments to the management group role assignments array\n    $managementGroupRoleAssignments += $roleAssignments\n\n    # Add 'GroupName' and 'IsInherited' properties to each role assignment object\n    $roleAssignments | ForEach-Object { \n        $_ | Add-Member -NotePropertyName 'GroupDisplayName' -NotePropertyValue $mg.DisplayName\n        $_ | Add-Member -NotePropertyName 'GroupName' -NotePropertyValue $mg.Name \n        # If the Scope of the role assignment is equal to the Id of the management group,\n        # then the role assignment is not inherited; otherwise, it is inherited.\n        if ($_.Scope -eq $mg.Id) {\n            $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $false\n        } else 
{\n            $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $true\n        }\n    }\n\n    # Export the role assignments to a new sheet in the Excel file\n    $roleAssignments | Export-Excel -Path $managementGroupPath -WorksheetName $mg.DisplayName -AutoSize -AutoFilter\n}\n\nif ($GetSubscriptions) {   \n    # Check if SubscriptionId is provided\n    if ($SubscriptionId) {\n        # Get role assignments for the specified subscription\n        $roleAssignments = Get-AzRoleAssignment -Scope \"/subscriptions/$SubscriptionId\"\n\n        # Add these role assignments to the subscription role assignments array\n        $subscriptionRoleAssignments += $roleAssignments\n\n        # Add 'SubscriptionName' and 'IsInherited' properties to each role assignment object\n        $roleAssignments | ForEach-Object { \n            $_ | Add-Member -NotePropertyName 'SubscriptionName' -NotePropertyValue (Get-AzSubscription -SubscriptionId $SubscriptionId).Name \n            $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $false\n        }\n\n        # Export the role assignments to a new sheet in the Excel file\n        $roleAssignments | Export-Excel -Path $subscriptionPath -WorksheetName (Get-AzSubscription -SubscriptionId $SubscriptionId).Name -AutoSize -AutoFilter\n    } else {\n        # Get all subscriptions\n        $subscriptions = Get-AzSubscription\n\n        # Loop through each subscription\n        foreach ($sub in $subscriptions) {\n            # Get role assignments for the current subscription\n            $roleAssignments = Get-AzRoleAssignment -Scope \"/subscriptions/$($sub.SubscriptionId)\"\n\n            # Add these role assignments to the subscription role assignments array\n            $subscriptionRoleAssignments += $roleAssignments\n\n            # Add 'SubscriptionName' and 'IsInherited' properties to each role assignment object\n            $roleAssignments | ForEach-Object { \n                $_ | Add-Member 
-NotePropertyName 'SubscriptionName' -NotePropertyValue $sub.Name\n                 # If the Scope of the role assignment is equal to the subscription Id,\n                 # then the role assignment is not inherited; otherwise, it is inherited.\n                if ($_.Scope -eq \"/subscriptions/$($sub.Id)\") {\n                    $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $false\n                } else {\n                    $_ | Add-Member -NotePropertyName 'IsInherited' -NotePropertyValue $true                }\n\n            }\n\n            # Export the role assignments to a new sheet in the Excel file\n            $roleAssignments | Export-Excel -Path $subscriptionPath -WorksheetName $sub.Name -AutoSize -AutoFilter\n        }\n    }\n}\n
                    ","tags":["Role-Based Access Control"]},{"location":"blog/2024/04/22/management-groups/","title":"Management Groups","text":"","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#what-are-management-groups","title":"What are Management Groups?","text":"

                    Management groups are containers that help you manage access, policies, and compliance for multiple subscriptions. You organize subscriptions into containers called \"management groups\" and apply your governance conditions to the management groups. All subscriptions within a management group automatically inherit the conditions applied to the management group.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#management-groups-hierarchy","title":"Management Groups Hierarchy","text":"

                    The management group hierarchy is the set of nested management groups that represents the different levels of your organization. The hierarchy starts with a single root management group, which represents the Microsoft Entra ID tenant. The root management group is the highest level in the hierarchy; all other management groups are descendants of it.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#management-group-design-considerations","title":"Management group design considerations","text":"

                    When designing your management group hierarchy, consider the following:

                    • How does your organization differentiate services that are managed or run by particular teams?

                    • Are there any specific operations that need to be isolated due to business or regulatory compliance requirements?

                    • Management groups can be utilized to consolidate policy and initiative assignments through Azure Policy.

                    • A management group hierarchy can accommodate up to six nested levels. The tenant root level and the subscription level are not included in this count.

                    • Any principal, whether a user or a service principal, in a Microsoft Entra tenant can create new management groups, because Azure role-based access control (RBAC) authorization for management group operations is not enabled by default. For additional details, refer to the guide on safeguarding your resource hierarchy.

                    • By default, all newly created subscriptions will be assigned to the tenant root management group.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#management-group-recommendations","title":"Management group recommendations","text":"
                    • Maintain a relatively flat management group hierarchy, ideally with three to four levels maximum. This practice minimizes managerial complexity and overhead.

                    • Refrain from mirroring your organizational structure into a deeply nested management group hierarchy. Utilize management groups primarily for policy assignment rather than billing. This strategy aligns with the Azure landing zone conceptual architecture, which applies Azure policies to workloads that need similar security and compliance at the same management group level.

                    • Establish management groups under your root-level group representing different types of workloads you will host. These groups should reflect the security, compliance, connectivity, and feature requirements of the workloads. By doing this, you can apply a set of Azure policies at the management group level for all workloads with similar needs.

                    • Leverage resource tags for querying and horizontally traversing across the management group hierarchy. Resource tags, enforced or appended via Azure Policy, allow you to group resources for search purposes without relying on a complex management group hierarchy.

                    • Set up a top-level sandbox management group. This allows users to immediately experiment with Azure and try out resources not yet permitted in production environments. The sandbox provides isolation from your development, testing, and production settings.

                    • Create a platform management group beneath the root management group to support common platform policy and Azure role assignments. This ensures distinct policies can be applied to subscriptions used for your Azure foundation and centralizes billing for common resources in one foundational subscription set.

                    • Minimize the number of Azure Policy assignments made at the root management group scope. This reduces the debugging of inherited policies in lower-level management groups.

                    • Implement policies to enforce compliance requirements either at the management group or subscription scope to achieve policy-driven governance.

                    • Ensure only privileged users have operational access to management groups in the tenant. Enable Azure RBAC authorization in the management group hierarchy settings to fine-tune user privileges. By default, all users are authorized to create their own management groups under the root management group.

                    • Set up a default, dedicated management group for new subscriptions. This prevents any subscriptions from being placed under the root management group. This is particularly important if there are users eligible for Microsoft Developer Network (MSDN) or Visual Studio benefits and subscriptions. A sandbox management group could be a suitable candidate for this type of management group. For more information, see Setting - default management group.

                    • Avoid creating management groups for production, testing, and development environments. If needed, separate these groups into different subscriptions within the same management group.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#management-group-structure-in-the-enterprise-scale-landing-zone","title":"Management Group Structure in the Enterprise Scale Landing Zone","text":"

                    This is the common structure for the Management Groups in the Enterprise Scale Landing Zone:

                        graph TD\n        A[Root Management Group] --> B[Intermediary-Management-Group]\n        B --> C[Decommissioned]\n        B --> D[Landing Zones]\n        B --> E[Platform]\n        B --> F[Sandboxes]\n        D --> G[Corp]\n        D --> H[Online]\n        E --> I[Connectivity]\n        E --> J[Identity]\n        E --> K[Management]
                    1. Root Management Group
                      • Intermediary-Management-Group
                        • Decommissioned: This could be where resources that are being phased out or decommissioned are managed.
                        • Sandboxes: This could be an area where developers can test and experiment without affecting production systems.
                        • Landing Zones
                          • Corp: This could represent corporate resources or applications.
                          • Online: This could represent online or customer-facing applications.
                        • Platform
                          • Connectivity: This could manage resources related to network connectivity.
                          • Identity: This could manage resources related to identity and access management.
                          • Management: This could manage resources related to overall platform management.

                    This structure allows for clear segmentation of resources based on their purpose and lifecycle. For example, decommissioned resources are separated from active ones such as those in Sandboxes, and resources under 'Platform' are further categorized by function (Connectivity, Identity, Management). The 'Landing Zones' group separates resources by use case or environment (Corp, Online).

                    The exact interpretation would depend on the specific context and conventions of your organization.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#bad-examples","title":"Bad Examples","text":"","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#example-1-deeply-nested-hierarchy","title":"Example 1: Deeply Nested Hierarchy","text":"
                    graph TD\n    A[Root Management Group] --> B[Group 1]\n    B --> C[Group 2]\n    C --> D[Group 3]\n    D --> E[Group 4]\n    E --> F[Group 5]\n    F --> G[Group 6]

                    Why it's bad: This hierarchy is too deep. It becomes difficult to manage and increases complexity. Azure supports up to six levels of nested management groups but it's recommended to keep the hierarchy as flat as possible for simplicity.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#example-2-unorganized-structure","title":"Example 2: Unorganized Structure","text":"
                    graph TD\n    A[Root Management Group] --> B[Group 1]\n    A --> C[Group 2]\n    B --> D[Group 3]\n    C --> E[Group 4]\n    D --> F[Group 5]\n    E --> G[Group 6]

                    Why it's bad: The structure is not well-organized and doesn't follow a logical grouping or hierarchy. This can lead to confusion and difficulty in managing resources and policies.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#example-3-single-level-hierarchy","title":"Example 3: Single Level Hierarchy","text":"
                    graph TD\n    A[Root Management Group] --> B[Group 1]\n    A --> C[Group 2]\n    A --> D[Group 3]\n    A --> E[Group 4]\n    A --> F[Group 5]\n    A --> G[Group 6]

                    Why it's bad: Although this structure is simple, it lacks the ability to group related subscriptions together under a common management group. This makes it harder to apply consistent policies across related subscriptions.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#example-4-environment-based-hierarchy","title":"Example 4: Environment-Based Hierarchy","text":"
                    \ngraph TD\n    A[Root Management Group] --> B[Production Management Group]\n    A[Root Management Group] --> C[Development Management Group]\n    A[Root Management Group] --> D[Testing Management Group]

                    Why it's bad: This structure separates environments into different management groups, which can lead to duplication of policies and increased complexity. It's better to use subscriptions within the same management group to separate environments and apply policies accordingly.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#good-examples","title":"Good examples","text":"
                        graph TD\n        A[Root Management Group] --> B[Intermediary-Management-Group]\n        B --> C[Decommissioned]\n        B --> D[Landing Zones]\n        B --> E[Platform]\n        B --> F[Sandboxes]\n        D --> G[Corp]\n        D --> H[Online]\n        E --> I[Connectivity]\n        E --> J[Identity]\n        E --> K[Management]
                    ","tags":["Management Groups"]},{"location":"blog/2024/04/22/management-groups/#references","title":"References","text":"
                    • https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups
                    • https://learn.microsoft.com/en-us/azure/governance/management-groups/overview
                    ","tags":["Management Groups"]},{"location":"blog/2024/04/23/moving-management-groups-and-subscriptions/","title":"Moving Management Groups and Subscriptions","text":"

                    Managing your Azure resources efficiently often involves moving management groups and subscriptions. Here's a brief guide on how to do it:

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/23/moving-management-groups-and-subscriptions/#moving-management-groups","title":"Moving Management Groups","text":"

                    To move a management group, you need to have the necessary permissions. You must be an owner of the target parent management group and have the Management Group Contributor role on the group you want to move.

                    Here's the step-by-step process:

                    1. Navigate to the Azure portal.
                    2. Go to Management groups.
                    3. Select the management group you want to move.
                    4. Click Details.
                    5. Under Parent group, click Change.
                    6. Choose the new parent group from the list and click Save.

                    Remember, moving a management group will also move all its child resources including other management groups and subscriptions.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/23/moving-management-groups-and-subscriptions/#moving-subscriptions","title":"Moving Subscriptions","text":"

                    You can move a subscription from one management group to another or within the same management group. To do this, you must have the Owner or Contributor role at the target management group and Owner role at the subscription level.

                    Follow these steps:

                    1. Go to the Azure portal.
                    2. Navigate to Management groups.
                    3. Select the management group where the subscription currently resides.
                    4. Click on Subscriptions.
                    5. Find the subscription you want to move and select \"...\" (More options).
                    6. Click Change parent.
                    7. In the pop-up window, select the new parent management group and click Save.

                    Note

                    Moving subscriptions could affect the resources if there are policies or permissions applied at the management group level. It's important to understand the implications before making the move. Also, keep in mind that you cannot move the Root management group or rename it.

                    In conclusion, moving management groups and subscriptions allows for better organization and management of your Azure resources. However, it should be done carefully considering the impact on resources and compliance with assigned policies.

                    ","tags":["Management Groups"]},{"location":"blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/","title":"How to create a Management Group diagram with draw.io","text":"

                    I need to create a diagram of the Management Groups in Azure, and I remembered a project that did something similar but with PowerShell: https://github.com/PowerShellToday/new-mgmgroupdiagram.

                    ","tags":["Management Groups","draw.io"]},{"location":"blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/#export-your-management-group-structure-from-azure-portal-or-ask-for-it","title":"Export your Management Group structure from Azure Portal or ask for it","text":"

                    If you can access the Azure Portal, you can export the Management Group structure to a CSV file. To do this, follow these steps:

                    1. Go to the Azure portal.
                    2. Navigate to Management groups.
                    3. Click on Export.
                    4. Save the CSV file to your local machine.

                    If you don't have access to the Azure Portal, you can ask your Azure administrator to export the Management Group structure for you.

                    The file has the following columns:

                    • id: The unique identifier of the Management Group or subscription.
                    • displayName: The name of the Management Group or subscription.
                    • itemType: The type of the item (Management Group or subscription).
                    • path: The path of the management group or subscription through its parent management groups.
                    • accessLevel: Your access level.
                    • childSubscriptionCount: The number of child subscriptions at this level.
                    • totalSubscriptionCount: The total number of subscriptions.
                    ","tags":["Management Groups","draw.io"]},{"location":"blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/#create-a-csv-to-be-imported-into-drawio","title":"Create a CSV to be imported into draw.io","text":"
                    1. Import the CSV file into Excel and rename the sheet to \"Export_Portal\".
                    2. Create a second sheet with the following columns:
                      • id: reference to the id in the first sheet
                      • displayName: reference to the displayName in the first sheet
                      • itemType: reference to the itemType in the first sheet
                      • Parent: Use the following formula to get the parent of the current item:
                        =IF(ISERROR(FIND(\",\"; Export_Portal!D2)); Export_Portal!D2; TRIM(RIGHT(SUBSTITUTE(Export_Portal!D2; \",\"; REPT(\" \"; LEN(Export_Portal!D2))); LEN(Export_Portal!D2))))\n
                    3. Export the second sheet to a CSV file.
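As an added example (not from the post), here is the same parent derivation in Python instead of the Excel formula, run over a constructed sample of the portal export; it assumes the path column holds the comma-separated chain of ancestors from the tenant root (empty for the root itself), emits the id,displayName,itemType,ParentId rows the draw.io header connects on, and also flags management groups nested deeper than the six levels noted in the design considerations.

```python
import csv
import io

# Constructed sample of the Azure portal Management Groups export, with the
# columns listed on the page. ASSUMPTION: 'path' is the comma-separated chain
# of ancestors starting at the tenant root; the root row has an empty path.
PORTAL_EXPORT = """\
id,displayName,itemType,path,accessLevel,childSubscriptionCount,totalSubscriptionCount
mg-root,Tenant Root Group,Management Group,,Owner,0,3
mg-intermediary,Intermediary Management Group,Management Group,Tenant Root Group,Owner,0,3
mg-landing-zones,Landing Zones,Management Group,"Tenant Root Group, Intermediary Management Group",Owner,0,2
mg-corp,Corp,Management Group,"Tenant Root Group, Intermediary Management Group, Landing Zones",Owner,1,1
mg-online,Online,Management Group,"Tenant Root Group, Intermediary Management Group, Landing Zones",Owner,1,1
mg-platform,Platform,Management Group,"Tenant Root Group, Intermediary Management Group",Owner,1,1
00000000-0000-0000-0000-000000000001,subcr-1,Subscription,"Tenant Root Group, Intermediary Management Group, Landing Zones, Corp",Owner,0,0
00000000-0000-0000-0000-000000000002,subcr-2,Subscription,"Tenant Root Group, Intermediary Management Group, Landing Zones, Online",Owner,0,0
00000000-0000-0000-0000-000000000003,subcr-3,Subscription,"Tenant Root Group, Intermediary Management Group, Platform",Owner,0,0
"""

MAX_NESTED_LEVELS = 6  # limit stated in the design considerations section

DRAWIO_COLUMNS = ["id", "displayName", "itemType", "ParentId"]


def parent_of(path: str) -> str:
    """Same logic as the Excel formula: the parent is the last comma-separated
    element of 'path' (the whole value when there is no comma), trimmed."""
    path = path or ""
    if "," not in path:
        return path.strip()
    return path.rsplit(",", 1)[1].strip()


def nesting_level(path: str) -> int:
    """Nesting level below the tenant root: root = 0, its children = 1, ..."""
    path = (path or "").strip()
    return 0 if not path else path.count(",") + 1


def build_drawio_rows(portal_csv: str) -> list:
    """Convert the portal export into the rows the draw.io '#connect'
    directive links (ParentId -> displayName)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(portal_csv)):
        rows.append({
            "id": rec["id"],
            "displayName": rec["displayName"],
            "itemType": rec["itemType"],
            "ParentId": parent_of(rec["path"]),
        })
    return rows


def too_deep(portal_csv: str) -> list:
    """Display names of management groups beyond the supported nesting depth
    (subscriptions are excluded, as the limit does not count them)."""
    return [
        rec["displayName"]
        for rec in csv.DictReader(io.StringIO(portal_csv))
        if rec["itemType"] == "Management Group"
        and nesting_level(rec["path"]) > MAX_NESTED_LEVELS
    ]


def to_drawio_csv(portal_csv: str) -> str:
    """Data section for the draw.io import; paste the page's '#' directive
    block above this output before importing."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=DRAWIO_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(build_drawio_rows(portal_csv))
    return out.getvalue()


if __name__ == "__main__":
    print(to_drawio_csv(PORTAL_EXPORT))
    print("management groups nested too deep:", too_deep(PORTAL_EXPORT))
```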
                    ","tags":["Management Groups","draw.io"]},{"location":"blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/#import-the-csv-file-into-drawio","title":"Import the CSV file into draw.io","text":"
                    1. Go to draw.io and create a new diagram.
                    2. Click on Arrange > Insert > Advanced > CSV.
                    3. Insert the header for the columns: id, displayName, itemType, Parent:

                          #label: %displayName%\n    #stylename: itemType\n    #styles: {\"Management Group\": \"label;image=img/lib/azure2/general/Management_Groups.svg;whiteSpace=wrap;html=1;rounded=1; fillColor=%fill%;strokeColor=#6c8ebf;fillColor=#dae8fc;points=[[0.5,0,0,0,0],[0.5,1,0,0,0]];\",\\\n    #\"Subscription\": \"label;image=img/lib/azure2/general/Subscriptions.svg;whiteSpace=wrap;html=1;rounded=1; fillColor=%fill%;strokeColor=#d6b656;fillColor=#fff2cc;points=[[0.5,0,0,0,0],[0.5,1,0,0,0]];imageWidth=26;\"}\n    #\n    #\n    #namespace: csvimport-\n    #\n    #connect: {\"from\": \"ParentId\", \"to\": \"displayName\", \"invert\": true, \"style\": \"curved=1;endArrow=blockThin;endFill=1;fontSize=11;edgeStyle=orthogonalEdgeStyle;\"}\n    #\n    ## Node width and height, and padding for autosize\n    #width: auto\n    #height: auto\n    #padding: -12\n    #\n    ## ignore: id,image,fill,stroke,refs,manager\n    #\n    ## Column to be renamed to link attribute (used as link).\n    ## link: url\n    #\n    ## Spacing between nodes, heirarchical levels and parallel connections.\n    #nodespacing: 40\n    #levelspacing: 100\n    #edgespacing: 40\n    #\n    ## layout: auto\n    #layout: verticaltree\n    #\n    ## ---- CSV below this line. First line are column names. ----\n
                      4. Paste the content of the CSV file and click on Import.

                    You should see a diagram with the Management Groups and Subscriptions.

                    For example:

                    This is the common structure for the Management Groups in the Enterprise Scale Landing Zone, now Accelerator Landing Zone:

                        graph TD\n        A[Root Management Group] --> B[Intermediary-Management-Group]\n        B --> C[Decommissioned]\n        B --> D[Landing Zones]\n        B --> E[Platform]\n        B --> F[Sandboxes]\n        D --> G[Corp]\n        D --> H[Online]\n        E --> I[Connectivity]\n        E --> J[Identity]\n        E --> K[Management]        

                    And this is the CSV file to import into draw.io:

                    #label: %displayName%\n#stylename: itemType\n#styles: {\"Management Group\": \"label;image=img/lib/azure2/general/Management_Groups.svg;whiteSpace=wrap;html=1;rounded=1; fillColor=%fill%;strokeColor=#6c8ebf;fillColor=#dae8fc;points=[[0.5,0,0,0,0],[0.5,1,0,0,0]];\",\\\n#\"Subscription\": \"label;image=img/lib/azure2/general/Subscriptions.svg;whiteSpace=wrap;html=1;rounded=1; fillColor=%fill%;strokeColor=#d6b656;fillColor=#fff2cc;points=[[0.5,0,0,0,0],[0.5,1,0,0,0]];imageWidth=26;\"}\n#\n#\n#namespace: csvimport-\n#\n#connect: {\"from\": \"ParentId\", \"to\": \"displayName\", \"invert\": true, \"style\": \"curved=1;endArrow=blockThin;endFill=1;fontSize=11;edgeStyle=orthogonalEdgeStyle;\"}\n#\n## Node width and height, and padding for autosize\n#width: auto\n#height: auto\n#padding: -12\n#\n## ignore: id,image,fill,stroke,refs,manager\n#\n## Column to be renamed to link attribute (used as link).\n## link: url\n#\n## Spacing between nodes, heirarchical levels and parallel connections.\n#nodespacing: 40\n#levelspacing: 100\n#edgespacing: 40\n#\n## layout: auto\n#layout: verticaltree\n#\n## ---- CSV below this line. First line are column names. 
----\nid,displayName,itemType,ParentId\n1,Tenant Root Group,Management Group,\n2,Intermediary Management Group,Management Group,Tenant Root Group\n3,Decommissioned,Management Group,Intermediary Management Group\n4,Landing Zones,Management Group,Intermediary Management Group\n5,Platform,Management Group,Intermediary Management Group\n6,Sandboxes,Management Group,Landing Zones\n7,Corp,Management Group,Landing Zones\n8,Online,Management Group,Landing Zones\n9,Connectivity,Management Group,Platform\n10,Identity,Management Group,Platform\n11,Management,Management Group,Platform\n12,subcr-1,Subscription,Decommissioned\n13,subcr-2,Subscription,Sandboxes\n14,subcr-3,Subscription,Corp\n15,subcr-4,Subscription,Online\n16,subcr-5,Subscription,Connectivity\n17,subcr-6,Subscription,Identity\n18,subcr-7,Subscription,Management\n
                    ","tags":["Management Groups","draw.io"]},{"location":"blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/#make-your-diagram-animated-and-interactive","title":"Make your diagram animated and interactive","text":"

                    You can make your diagram animated and interactive by following these steps:

                    1. File > Export as > URL
                    2. Add &p=ex after the first ? in the URL.

                    For example, the URL should look like this:

                    https://viewer.diagrams.net/?&p=ex&tags=%7B%7D&highlight=0000ff&layers=1&nav=1&title=MGs.drawio#R7Zxbc5s4FMc%2FjR%2BbAQkEPK7dJHWn3XbW6exMX3ZkkLFakDxCvvXTr7jFxrZi1k0Wg5lxYnR0QfqfHxqOBB7AUbx5FHgx%2F8wDEg2AEWwG8P0AAGAgQ32llm1uMU0X5pZQ0KCw7QwT%2BosUxqJiuKQBSSoFJeeRpIuq0eeMEV9WbFgIvq4Wm%2FGoetYFDsmRYeLj6Nj6Nw3kvBwG8nYZHwgN58WpXeDkGTEuCxcjSeY44Os9E7wfwJHgXOZH8WZEolS9Upe83oMm97ljgjB5osK3hIgv0x%2BpJsCI8FQ5Jis0AHZAk0WEt3%2FimKhU3k7Z7HBLxq7x42mcwOHy%2B0dn9PCRvIOFz%2FYrZqWfCMMsPcFf6TCA8Sj4clE0KEn8tF0UBT9jpoSKCTso9TXr%2Fjgo%2B5YNKcI%2BmStHEbHvvKoMidyWLioGN6Rx7ksah0qFiE7Vf%2FxrKUgqSkgYEVjVfNh15Z%2BsI8ldsgpV9fVcdXmyUOdWbawVzso2l3Eqm6kOVVEWkKBIpSjRKBrxiIusF3aaTNWEw0QK%2FpPssiDyXTKdqZxqFRhg4s58ZV9wymQ2VnuoPsadcsrIqPzZqsLoOc88zFOftFOpfCsiJNloIdnX8pHwmEixVUWKCpYD7goituU1nCfXO%2FqB4ea2%2BR74dmHDhc%2FC57Z3TKqDwoFlco%2FS16fW0lA7ZpKImAQUZ0PXsXkJwS9cED3WDWINnQOsTegec%2B20g2tbw%2FV74vM4pklCOVMuvRjimtdHD3RzQJezcjlJ2%2BiIZtNrB81IQ%2FMnzALKFCLGd4Vz0uPcYZyhZ57nuSWzs6Ph%2BWuE5YyLuAe5wyB7rn0eZKsdILsakCdqYp7yze9MySfn9p7bBu8nAKxwCx3rmFvUDm49DbcjLn4jsuuRvTJkLWieRxa0AlnL0CD7hUWUkR7azkBre955aGE7oDW182y2FE9XVG4vR7d6u9wz2xyzjuN05d7AAhpmx4ESo%2Be1E7wexmBtnmN1G2%2F7TPbEtp1Y00Q1wq92rH9Zul23ZDn1xTvzFK%2BT5TTxBV1IytkpUk9tbLwxr%2FtdentWAzRFNjpmdTabAf8VWc0GXz7HANAr3dPWmG5bEofpdtZydsEl7B6slvXYXgu2wKrOuZYHWsutbg8t5xZewu1utaxH9lqQPVzyajOyum2yHFnrEmT3V8t6aK8FWmRYnYFWtyWWQ2tfAu3xalmP7rWg63hOZ9DV7Yrl6KJL0K0umvXYXgu2nmd0BVtbtzOWY%2Btcgu3h2lkP7rWAa5qu2yS5Ry9ZnGayGNcKR0tSog2qjPhLsXp2IGHBH%2BmrKCo5jbj%2F82lOWW5%2BSB2ZF5pxJovXX8ysUhCSSdEgF3LOQ85wdL%2BzFoKn5V6WW3WML4VPXhhS%2BYKHxCIk8qWC1mkHChJhdQ9T7cl%2FcEZN5UH3lLfqKm83qjy8YeVRo8pbN6y806jydveUR3WVdxtVHt2w8l6jyju3q3z%2BFF5jyrvdU96pq7wmLPiflPduWHnQpPLlrwPcpPKwUeU7GMPadZVvNIZFHYxh3brKNxrDog7GsF5d5RuNYVH3YtjylY3zyjcaw6LuxbDlewfnlW80hkXdi2HLp%2BfPK99oDIu6F8Naddfn7TeKYVVy90tVWd7eD37B%2B38B#%7B%22pageId%22%3A%22UGUHswWqf16rUITyRAQM%22%7D\n

                    You can check it here

                    ","tags":["Management Groups","draw.io"]},{"location":"blog/2024/04/24/how-to-create-a-management-group-diagram-with-drawio/#references","title":"References","text":"
                    • Automatically create draw.io diagrams from CSV files
                    • Animation and Automatic Layout: Explore Complex Diagrams
                    ","tags":["Management Groups","draw.io"]},{"location":"blog/2024/04/","title":"2024/04","text":""},{"location":"blog/2024/03/","title":"2024/03","text":""},{"location":"blog/2024/02/","title":"2024/02","text":""},{"location":"blog/2023/12/","title":"2023/12","text":""},{"location":"blog/2023/11/","title":"2023/11","text":""},{"location":"blog/2023/10/","title":"2023/10","text":""},{"location":"blog/category/azure-services/","title":"Azure Services","text":""},{"location":"blog/category/azure/","title":"Azure","text":""},{"location":"blog/category/learning/","title":"Learning","text":""},{"location":"blog/category/security/","title":"Security","text":""},{"location":"blog/category/tools/","title":"Tools","text":""},{"location":"blog/category/microsoft-365/","title":"Microsoft 365","text":""},{"location":"blog/category/windows/","title":"Windows","text":""},{"location":"blog/category/azure-updates/","title":"Azure Updates","text":""},{"location":"blog/category/azure-frameworks/","title":"Azure Frameworks","text":""},{"location":"blog/category/development/","title":"Development","text":""},{"location":"blog/category/devops/","title":"DevOps","text":""},{"location":"blog/category/english/","title":"English","text":""},{"location":"blog/category/hello_world/","title":"Hello_World","text":""},{"location":"blog/page/2/","title":"Blog","text":""},{"location":"blog/page/3/","title":"Blog","text":""},{"location":"blog/page/4/","title":"Blog","text":""},{"location":"blog/2024/04/page/2/","title":"2024/04","text":""},{"location":"blog/category/azure-services/page/2/","title":"Azure Services","text":""},{"location":"blog/tags/","title":"Posts by Tags","text":"

                    Following is a list of relevant tags:

                    "},{"location":"blog/tags/#azure-arc","title":"Azure ARC","text":"
                    • Azure ARC
                    • How to use Azue ARC-enabled servers with managed identity to access to Azure Storage Account
                    "},{"location":"blog/tags/#azure-communication-services","title":"Azure Communication Services","text":"
                    • Azure Communication Services
                    "},{"location":"blog/tags/#azure-container-apps","title":"Azure Container Apps","text":"
                    • Comparing Container Apps with other Azure container options
                    "},{"location":"blog/tags/#azure-functions","title":"Azure Functions","text":"
                    • Azure Functions
                    "},{"location":"blog/tags/#azure-network","title":"Azure Network","text":"
                    • Azure Network, Hub-and-Spoke Topology
                    "},{"location":"blog/tags/#azure-policy","title":"Azure Policy","text":"
                    • Azure Policy
                    • Azure Policy, defintion schema
                    • Writing Your First Policy in Azure with Portal
                    • Writing Your First Initiative with Portal
                    • Manage Azure Policy GitHub Action
                    • Enterprise Azure Policy as Code (EPAC)
                    • Azure Policy Management Best Practices
                    • Azure Policy useful queries
                    "},{"location":"blog/tags/#azure-well-architected-framework","title":"Azure Well-Architected Framework","text":"
                    • Azure Well-Architected Framework (WAF) mind maps
                    "},{"location":"blog/tags/#certifications","title":"Certifications","text":"
                    • Microsoft Azure Certifications
                    "},{"location":"blog/tags/#epac","title":"EPAC","text":"
                    • Enterprise Azure Policy as Code (EPAC)
                    "},{"location":"blog/tags/#english","title":"English","text":"
                    • Azure Services
                    "},{"location":"blog/tags/#general","title":"General","text":"
                    • Azure Services
                    "},{"location":"blog/tags/#hub-and-spoke","title":"Hub and Spoke","text":"
                    • Azure Network, Hub-and-Spoke Topology
                    "},{"location":"blog/tags/#management-groups","title":"Management Groups","text":"
                    • Management Groups
                    • Moving Management Groups and Subscriptions
                    • How to create a Management Group diagram with draw.io
                    "},{"location":"blog/tags/#microsoft-defender-for-cloud","title":"Microsoft Defender for Cloud","text":"
                    • Cambio de nombres de los niveles de servicio de Microsoft Defender para Cloud
                    "},{"location":"blog/tags/#onedrive-for-business","title":"OneDrive for Business","text":"
                    • Depurar logs de OneDrive para detectar problemas de sincronizaci\u00f3n
                    "},{"location":"blog/tags/#pam","title":"PAM","text":"
                    • Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services
                    "},{"location":"blog/tags/#role-based-access-control","title":"Role-Based Access Control","text":"
                    • Azure Role-Based Access Control (RBAC)
                    • How to create assigment Reports for Azure RBAC
                    "},{"location":"blog/tags/#security","title":"Security","text":"
                    • Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services
                    "},{"location":"blog/tags/#trunk","title":"Trunk","text":"
                    • Trunk
                    "},{"location":"blog/tags/#windows-subsystem-for-linux-2","title":"Windows Subsystem for Linux 2","text":"
                    • Instalar WSL2 en Windows 11 con chocolatey
                    "},{"location":"blog/tags/#csharp","title":"csharp","text":"
                    • Starting to develop in c#
                    "},{"location":"blog/tags/#drawio","title":"draw.io","text":"
                    • How to create a Management Group diagram with draw.io
                    "},{"location":"blog/tags/#mkdocs","title":"mkdocs","text":"
                    • Create a blog with MkDocs,mkdocs-material, mkdocs-rss-plugin and GitHub Pages
                    • Enhance your mkdocks.yml
                    "},{"location":"blog/tags/#vscode","title":"vscode","text":"
                    • Trunk
                    "}]} \ No newline at end of file diff --git a/sitemap.xml b/sitemap.xml index a3f86e9..92fb4e1 100644 --- a/sitemap.xml +++ b/sitemap.xml @@ -220,6 +220,21 @@ 2024-04-25 daily + + https://rfernandezdo.github.io/blog/2024/04/19/azure-network-hub-and-spoke-topology/ + 2024-04-25 + daily + + + https://rfernandezdo.github.io/blog/2024/04/19/azure-role-based-access-control-rbac/ + 2024-04-25 + daily + + + https://rfernandezdo.github.io/blog/2024/04/19/how-to-create-assigment-reports-for-azure-rbac/ + 2024-04-25 + daily + https://rfernandezdo.github.io/blog/2024/04/22/management-groups/ 2024-04-25 @@ -270,6 +285,11 @@ 2024-04-25 daily + + https://rfernandezdo.github.io/blog/category/azure/ + 2024-04-25 + daily + https://rfernandezdo.github.io/blog/category/learning/ 2024-04-25 @@ -335,6 +355,16 @@ 2024-04-25 daily + + https://rfernandezdo.github.io/blog/page/4/ + 2024-04-25 + daily + + + https://rfernandezdo.github.io/blog/2024/04/page/2/ + 2024-04-25 + daily + https://rfernandezdo.github.io/blog/category/azure-services/page/2/ 2024-04-25 diff --git a/sitemap.xml.gz b/sitemap.xml.gz index d1b71c8..bc397d9 100644 Binary files a/sitemap.xml.gz and b/sitemap.xml.gz differ
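Review bot: the tag-index titles in the search-index hunk carry typos that will be regenerated on every build: "Azue ARC-enabled servers" (Azure), "Azure Policy, defintion schema" (definition) and "How to create assigment Reports for Azure RBAC" (assignment). The last one is also baked into the slug the sitemap hunk adds (blog/2024/04/19/how-to-create-assigment-reports-for-azure-rbac/), so fix the source post titles rather than the generated JSON, and keep the existing slug or add a redirect so already-published links keep resolving. Separately, the "Make your diagram animated and interactive" text tells readers to share a viewer.diagrams.net export URL without saying that the whole diagram is encoded in that URL after #R; a sentence noting that anyone holding the link can read the management-group and subscription hierarchy (the sample only uses placeholder names subcr-1 to subcr-7) would be a useful addition to the post.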
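Review bot: every entry added in the sitemap.xml hunks carries the same lastmod of 2024-04-25 and changefreq daily as the untouched neighbouring entries, so lastmod records the build date rather than when each page last changed, and crawlers are told that every page is modified daily. Source lastmod from the page's commit date if the sitemap generator supports it, or omit the element rather than publish a value that is always the build date. The added URLs also include listing pages (blog/page/4/, blog/2024/04/page/2/, blog/category/azure/) whose contents shift with every new post; those are usually better excluded from the sitemap.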