DEV Community

Eng Soon Cheah

Implement subscription security

Create Azure resource locks

  • Management locks help you prevent accidental deletion or modification of your Azure resources
  • You can manage these locks from within the Azure portal
  • To view, add, or delete locks, go to the RESOURCE MANAGEMENT section of any resource's settings blade
  • When you apply a lock at a parent scope, all resources within that scope inherit the same lock
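
The inheritance rule in the last bullet can be checked offline against an inventory. The following is an added example, not code from the original post: it reports the effective lock for each resource ID and lists resources that no lock covers. The lock records and resource IDs are constructed sample data, the subscription ID is a placeholder, and the tie-break (ReadOnly outranks CanNotDelete when both apply) follows Azure's documented behaviour rather than anything stated on this page.

```python
# Added example. Lock records are constructed; they carry the "id" and "level"
# fields of Azure management lock resources.
LOCK_MARKER = "/providers/microsoft.authorization/locks/"
RANK = {"CanNotDelete": 1, "ReadOnly": 2}  # ReadOnly is the more restrictive level


def lock_scope(lock_id):
    """Scope a lock is applied at: the id up to the lock's own provider segment."""
    idx = lock_id.lower().rfind(LOCK_MARKER)
    if idx < 0:
        raise ValueError(f"not a management lock id: {lock_id}")
    return lock_id[:idx].lower()


def effective_lock(resource_id, locks):
    """Most restrictive lock level applying to resource_id, or None if unlocked."""
    rid = resource_id.lower().rstrip("/")
    best = None
    for lock in locks:
        scope = lock_scope(lock["id"])
        # A lock covers its own scope and every child scope. The trailing "/"
        # keeps a lock on rg-prod from matching the sibling group rg-prod2.
        if rid == scope or rid.startswith(scope + "/"):
            if best is None or RANK[lock["level"]] > RANK[best]:
                best = lock["level"]
    return best


def unlocked(resource_ids, locks):
    """Resources that neither carry nor inherit any lock."""
    return [r for r in resource_ids if effective_lock(r, locks) is None]


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder id
RG = SUB + "/resourceGroups/rg-prod"
LOCKS = [  # constructed sample data
    {"id": RG + "/providers/Microsoft.Authorization/locks/no-delete", "level": "CanNotDelete"},
    {"id": RG + "/providers/Microsoft.Storage/storageAccounts/stlogs"
           "/providers/Microsoft.Authorization/locks/frozen", "level": "ReadOnly"},
]
RESOURCES = [  # constructed sample data
    RG + "/providers/Microsoft.Compute/virtualMachines/vm1",
    RG + "/providers/Microsoft.Storage/storageAccounts/stlogs",
    SUB + "/resourceGroups/rg-prod2/providers/Microsoft.Compute/virtualMachines/vm2",
]

if __name__ == "__main__":
    for r in RESOURCES:
        print(effective_lock(r, LOCKS), r.rsplit("/", 1)[-1])
```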

Configure resource-level access policies

  • Azure Policy is a service in Azure that you use to create, assign, and manage policies
  • Unlike RBAC, Azure Policy is a default-allow, explicit-deny system
  • Azure Policy has several permissions, known as operations, in two resource providers:
    • Microsoft.Authorization
    • Microsoft.PolicyInsights
  • Several built-in roles grant permission to Azure Policy resources
  • If none of the built-in roles have the required permissions, you can create a custom role

Configure subscription-level policies in Azure Policy

  • An Azure subscription is a logical unit of Azure services that is linked to an Azure account
  • Azure management groups provide a level of scope above subscriptions
  • Management groups enable:
    • Organizational alignment for your Azure subscriptions through custom hierarchies and grouping
    • Targeting of policies and spend budgets across subscriptions and inheritance down the hierarchies
    • Compliance and cost reporting by organization (business/teams)
  • All subscriptions within a management group automatically inherit the conditions applied to the management group
