When reviewing for the section on managing compliance in Azure focus on how Azure policy is used to enforce standards across your environment. Start by understanding why it’s best to apply policies at the highest scope like at the Management Group level. And from there allowing them to cascade down.
Knowing the timing of policy evaluations is very important also as part of your overall study.
You’ll also need to decide how to handle non compliant resources. What are non compliant resources? Should they be locked, flagged, or automatically remediated? And if so, how do you do each one of those things? Understand how remediation tasks can fix issues without manual intervention.
So I would recommend that you go in and practice creating manual remediation tasks. Policy compliance dashboards is another thing. Keep in mind this is where you audit and track compliance across your environment.
Finally study how Azure policy works alongside RBAC. RBAC controls who can do what while Policies control what can be done. Together these are going to be very important things so practice these in your lab so you’re prepared for any questions related to them.
When to use Azure Policy
Helps to enforce organizational standards and to assess compliance at-scale
There’s a large number of built-in policies and you can create your custom ones
Examples:
Allow only certain SKus of VMs to be created in a determined subscription
Ensure all resources are correctly tagged – if not, apply the tag
Recommend system updates on your servers
Enable MFA for all subscription accounts
Considerations:
Apply policies at the highest scope possible
Know when policies are evaluated
Decide what to do if a resource is non-compliant
Consider when to automatically remediate non-compliant resources
Use the Azure Policy Compliance Dashboard for auditgin and review
Effectivelly combine Azure Policy with RBAC
Use Cases
Regulatory Compliance
Meeting industry regulation (HIPAA, PCI DSS) by enfonrcing policies related to data storage, encryption, and access
Security Posture
implementing security best practices like requiring encryption, enabling logging or restricting access to specific ports
Cost Management
Controlling spending by limiting resource types, enforcing tagging for cost allocation or preventing the creation of certain expensive resources
Operational Efficiency
Enforcing naming convention, resource group structures and deployment patterns.
Design for role-based access control (RBAC)
Use Cases
Granular Access Control
Allow different users or groups to manage specific resources only
Compliance Auditing
Segregation of Duties
Layered Security
Comprehensive Governance
Design for Azure landing zones
A landing zone provides an infrastructure environment for hosting your workloads.
Implements key foundational principles of governance, security, networking, management, and identity
· Pre-provisions the environment through code
· Good for both migrations and green field situations
· You can transition existing architectures
. Part of the Cloud Adoption Framework Ready phase
https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies