Azure Policy

Missing Allowed Locations Policy

Risk Level: Low

Description

This plugin ensures that the deployed resources and resource groups belong to the list set in the allowed locations for resource groups policy in the MS Azure Cloud. This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. In turn, excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.

About the Service

Azure Policy:

Azure Policy is a service in Azure that allows you to create policies that enforce and control the properties of a resource. When these policies are used they enforce different rules and effects over your resources, so those resources stay compliant with your IT governance standards. A security policy defines the set of controls that are recommended for resources within the specified subscription. In Azure Security Center, you define policies for your Azure subscriptions according to your company's security requirements and the type of applications or sensitivity of the data in each subscription. For more information, click here.

Impact

This arrangement empowers you to confine the areas your association can indicate while sending assets. Use to uphold your geo-consistence necessities. Bars asset gatherings, Microsoft.AzureActiveDirectory/b2cDirectories, and assets that utilization the 'worldwide' district. The allowed locations policy is not configured for the resource groups. Thus, as a result of rectification, there is a need to ensure that all services contain policy definitions that defined allowed locations.

Steps to Reproduce

In order to determine if the Allowed locations policy is configured or not for the resource groups, follow the steps given below:

Using Azure Console-

  1. Firstly, sign in to the Azure Management Console with your registered organization email address.
  2. Under Azure Services, choose Subscriptions.
  3. A new Subscription page will be opened up. Choose the subscription for which the issue has to be examined.
  4. Now, in the Filter Type Box under the All Services, search for Policy.
  5. Click on the Policy nav link. A policy page in your selected subscription will be displayed on the screen.
  6. In the left navigation panel, under the Authorising section click on the Assignments Blade.
  7. A new page with the list of all the Assignments under Azure Policy will appear on the screen.
  8. Click on the Assignment Name, for which you want to examine. A new page with all the details about that assignment will be displayed.
  9. Click on the View Definition nav link available at the top navbar.
  10. A new page about the Policy Definition will be displayed. Check the name of the definition. If the definition title is “Allowed Locations for Resource Groups” for any one of the assignments, then the vulnerability does not exist.
  11. Follow the steps above, for other Azure Policy Assignment in the current subscription as well as in other subscriptions in your Azure Cloud.

Steps for Remediation

In order to configure the allowed locations policy is for the resource groups in your Azure cloud account, follow the steps given below:

Using Azure Console-

  1. Firstly, sign in to the Azure Management Console with your registered organization email address.
  2. Under Azure Services, choose Subscriptions.
  3. A new Subscription page will be opened up. Choose the subscription for which the issue has to be examined.
  4. Now, in the Filter Type Box under the All Services, search for Policy.
  5. Click on the Policy nav link. A policy page in your selected subscription will be displayed on the screen.
  6. In the left navigation panel, under the Authorising section click on the Assignments Blade.
  7. A new page with the list of all the Assignments under Azure Policy will appear on the screen.
  8. Now, click on the Assign Policy nav link available at the top navigation bar.
  9. A new Assign Policy page will be displayed. Click on the Basics tab under Assign Policy.
  10. In the Policy Definition, click on the three dots to view the available definitions.
     
  11. In the Available Definitions page, search for “Allowed Locations for resource groups” and select it. Now, click on the Select button available at the bottom.
  12. Assignment Name will automatically be filled with the definition title. However, you may change it according to your preference. 
  13. Click on the Enable option in the policy enforcement. 
     
  14. Now, click on the Parameters tab under Assign Policy. Under Allowed Locations select the locations according to your preferences and select Next.
  15. Finally, click on the Review + Create button to create the Assignment Policy. The allowed locations policy is successfully configured for the resource groups
  16. Follow the steps above, for other Azure Policy Assignment in the current subscription as well as in other subscriptions in your Azure Cloud.

Please feel free to reach out to support@pingsafe.ai with any questions that you may have.

Thanks

PingSafe Support