Demystifying Azure Security - Creating a Custom Policy - Part 1 - Viewing Definition of an existing Policy

@20aman    Dec 29, 2017

This blog post is part of the Demystifying Azure Security series. All posts in the series can be found here: Demystifying Azure Security - Series Index

Creating a custom policy to enforce your own requirements in an Azure environment is straightforward. A custom definition gives you granular control over what the policy evaluates, what is allowed, and what is denied.

Policies are written in JSON. If a built-in policy exists that is close to what you are trying to do, base your custom definition on it rather than starting from scratch.

Viewing Definition of Existing Policies

You have two options to view the definition of an existing policy.

  1. Using PowerShell
  2. Using Azure Portal

Using PowerShell

In PowerShell, run the cmdlet below to list every policy definition visible from your current subscription, built-in and custom alike.

Get-AzureRmPolicyDefinition

Go through the list and find the policy you want to use. Note its ResourceId and pass it to the same cmdlet with -Id to fetch the full definition of that policy.

Get-AzureRmPolicyDefinition -Id "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"
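As an added example (not code from the original post), the following PowerShell locates a built-in definition by display name instead of scanning the whole list by eye, and prints the pieces you would copy into a custom policy: the ResourceId, the policy type, the rule and the parameters. It uses the AzureRm cmdlet from this post and assumes you have already signed in with Login-AzureRmAccount; the display name is the one used for the example later on this page.

```powershell
# Added example, not part of the original post.
# Assumes the AzureRm module and an active Login-AzureRmAccount session.
$displayName = 'Allowed storage account SKUs'

# Filter the full list client-side on the definition's display name.
$definition = Get-AzureRmPolicyDefinition |
    Where-Object { $_.Properties.displayName -eq $displayName }

if (-not $definition) {
    throw "No policy definition with display name '$displayName' was found."
}

# The ResourceId is the value you pass to Get-AzureRmPolicyDefinition -Id later.
Write-Output "ResourceId : $($definition.ResourceId)"

# policyType is 'BuiltIn' or 'Custom'; built-ins cannot be edited, only copied.
Write-Output "policyType : $($definition.Properties.policyType)"

# The rule and the parameters are the parts to base a custom definition on.
# -Depth is required: the rule nests several levels and the default depth of 2
# would silently truncate it.
Write-Output '--- policyRule ---'
$definition.Properties.policyRule | ConvertTo-Json -Depth 20

Write-Output '--- parameters ---'
$definition.Properties.parameters | ConvertTo-Json -Depth 20

# Keep a copy on disk as the starting point for the custom definition.
$definition.Properties.policyRule | ConvertTo-Json -Depth 20 |
    Out-File -FilePath '.\allowed-storage-skus.rule.json' -Encoding utf8
```

The AzureRm module has since been retired in favour of the Az module; there the cmdlet is Get-AzPolicyDefinition with the same -Id parameter, and recent Az.Resources versions expose DisplayName, PolicyRule and Parameters directly on the returned object instead of under Properties.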

Using Azure Portal

Using Azure Portal to view the Definition is also very easy. Simply navigate to:

  • the Subscription section in the Azure Portal
  • Select your subscription
  • Click on "Policies" under settings.
  • Within the Policies blade, click on "Definitions"

Within the Policy Definitions, select the Policy from the list for which you want to view the definition. Click on the 3 dots to the right. From the context menu select "View definition".

Policy Definitions

This opens another blade. Click the "JSON" tab at the top to see the rule part of the policy definition (the policyRule). The rule is the most important part of a policy; the other components, such as the parameters the rule references, are covered later in the series.

Policy Definition Details

For example, the rule of the built-in policy "Allowed storage account SKUs" looks like this:

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
      {
        "not": {
          "field": "Microsoft.Storage/storageAccounts/sku.name",
          "in": "[parameters('listOfAllowedSKUs')]"
        }
      }
    ]
  },
  "then": {
    "effect": "Deny"
  }
}

Read it as: if the resource being created or updated is a storage account and its SKU name is not in the listOfAllowedSKUs parameter, deny the request. Two things are worth noting. The parameter is declared in the definition's parameters section, which the rule tab does not show, so you need both parts to reuse the policy. And a Deny effect only blocks requests that reach Azure Resource Manager after the policy is assigned; storage accounts that already exist with a disallowed SKU are reported as non-compliant, not removed.

Next, we will dissect and understand the policy structure in detail.
