What are the best practices in a basic Azure cloud setup in a way that is the most restrictive to users and restricts them from creating resources?

Eric Brown 20 Reputation points
2024-04-23T22:54:14.7933333+00:00

The CIS Microsoft Azure Foundations Benchmark v2.0.0 (211 policies) and NIST SP 800-53 Rev. 5 (718 policies) seem to only be good for auditing and not restricting. Users are still able to create resources (vms, storage accounts etc).

What are the best practices for a basic Azure cloud setup in a way that is the most restrictive to users?


Accepted answer
  1. Marcin Policht 13,480 Reputation points MVP
    2024-04-23T23:00:26.2166667+00:00

    It's a combination of the following techniques:

    1. Role-Based Access Control (RBAC):
      • Utilize Azure RBAC to assign roles to users, groups, or service principals based on their responsibilities.
      • Assign the least privilege necessary for users to perform their tasks. Start with built-in roles and customize as needed.
    2. Resource Locks:
      • Use Azure resource locks to prevent accidental deletion or modification of critical resources.
      • Apply either delete locks or read-only locks to resources based on their importance and sensitivity.
    3. Azure Policies:
      • Implement Azure policies to enforce organizational standards and compliance requirements.
      • Define policies to control resource types, locations, naming conventions, and other configurations.
    4. Network Security:
      • Implement network security groups (NSGs) to control inbound and outbound traffic to Azure resources.
      • Use Azure Firewall or third-party firewalls to protect your virtual networks and control traffic flow.
    5. Microsoft Defender for Cloud:
      • Enable Microsoft Defender for Cloud to monitor, assess, and remediate security vulnerabilities across your Azure environment.
      • Implement security recommendations provided by Azure Security Center to strengthen your security posture.
    6. Data Encryption:
      • Enable encryption for data at rest and in transit using Azure Disk Encryption, Azure Storage Service Encryption, and Azure VPN Gateway.
      • Use Azure Key Vault to manage and safeguard encryption keys and secrets.
    7. Audit Logging and Monitoring:
      • Enable Azure Monitor and Azure Security Center to collect and analyze logs and metrics for your Azure resources.
      • Configure diagnostic settings to stream logs to Azure Monitor for auditing and compliance purposes.
    8. Continuous Compliance and Remediation:
      • Implement continuous compliance monitoring and automated remediation using Azure Policy and Azure Automation.
      • Regularly review compliance reports and take corrective actions to address non-compliant resources.

    You'll also find comprehensive guidance in WAF for Azure documentation at https://learn.microsoft.com/en-us/azure/well-architected/security/principles


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.
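The RBAC, Azure Policy and resource-lock points in the answer above are the ones that actually stop a user from creating resources (the CIS/NIST initiatives mentioned in the question are audit-only by default). As an added example, not code from the original answer or from Microsoft, the script below composes a policy rule that denies any resource whose type or region is outside an allow-list, a custom role with no write actions, and a small local evaluator for the subset of the Azure Policy condition language the rule uses, so the allow-list can be dry-run before it is assigned. The allow-list values, the role name and the subscription ID are placeholders chosen for the example.

```python
"""Added example: allow-list deny policy + no-write custom role, with a local
dry-run of the policy condition.  Not part of the original answer."""
import json
import os

# Allow-list values supplied at assignment time.  Anything else is denied at
# the ARM request, so a user holding Contributor still cannot create a VM.
DEFAULT_PARAMETER_VALUES = {
    "allowedTypes": ["Microsoft.Storage/storageAccounts", "Microsoft.KeyVault/vaults"],
    "allowedLocations": ["eastus", "westeurope"],
}

# policyRule in the shape `az policy definition create --rules @file` expects.
# Resources with location 'global' have no region, so only the type test
# applies to them; assign with mode "Indexed" so location-less types are skipped.
POLICY_RULE = {
    "if": {
        "anyOf": [
            {"field": "type", "notIn": "[parameters('allowedTypes')]"},
            {"allOf": [
                {"field": "location", "notEquals": "global"},
                {"field": "location", "notIn": "[parameters('allowedLocations')]"},
            ]},
        ]
    },
    "then": {"effect": "deny"},
}
POLICY_PARAMETERS = {
    "allowedTypes": {"type": "Array", "metadata": {"displayName": "Allowed resource types"}},
    "allowedLocations": {"type": "Array", "metadata": {"displayName": "Allowed locations"}},
}

# Custom role for `az role definition create --role-definition @file`:
# read everything, restart VMs, no */write or */delete at all.
CUSTOM_ROLE = {
    "Name": "Restricted Operator (example)",
    "IsCustom": True,
    "Description": "Read-only plus VM restart; cannot create or delete resources.",
    "Actions": ["*/read", "Microsoft.Compute/virtualMachines/restart/action"],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],  # placeholder
}


def _resolve(value, params):
    """Expand a "[parameters('name')]" reference; pass literals through."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value


def evaluate(cond, resource, params):
    """Evaluate the subset of the policy language used above.  String
    comparisons are case-insensitive, as in Azure Policy."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    actual = str(resource.get(cond["field"], "")).lower()
    if "equals" in cond:
        return actual == str(_resolve(cond["equals"], params)).lower()
    if "notEquals" in cond:
        return actual != str(_resolve(cond["notEquals"], params)).lower()
    if "in" in cond:
        return actual in {str(v).lower() for v in _resolve(cond["in"], params)}
    if "notIn" in cond:
        return actual not in {str(v).lower() for v in _resolve(cond["notIn"], params)}
    raise ValueError(f"unsupported condition: {cond}")


def policy_effect(resource, params=None):
    """'deny' if the request would be blocked; 'none' if the policy does not
    apply and RBAC alone decides."""
    params = DEFAULT_PARAMETER_VALUES if params is None else params
    return POLICY_RULE["then"]["effect"] if evaluate(POLICY_RULE["if"], resource, params) else "none"


def write_definition_files(directory):
    """Write the JSON files the az CLI commands consume; returns their paths."""
    os.makedirs(directory, exist_ok=True)
    files = {"policy-rules.json": POLICY_RULE, "policy-params.json": POLICY_PARAMETERS,
             "custom-role.json": CUSTOM_ROLE}
    paths = []
    for name, body in files.items():
        path = os.path.join(directory, name)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(body, fh, indent=2)
        paths.append(path)
    return paths


if __name__ == "__main__":
    # Constructed sample requests, shaped as ARM would see them.
    for s in [{"type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
              {"type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
              {"type": "Microsoft.Storage/storageAccounts", "location": "brazilsouth"}]:
        print(f"{s['type']:45s} {s['location']:12s} -> {policy_effect(s)}")
    for p in write_definition_files("policy-out"):
        print("wrote", p)
```

With the files written, the definition goes in with `az policy definition create --name deny-unapproved --mode Indexed --rules @policy-out/policy-rules.json --params @policy-out/policy-params.json`, is assigned at subscription scope with `az policy assignment create --policy deny-unapproved --scope /subscriptions/<id> --params '{"allowedTypes":{"value":[...]},"allowedLocations":{"value":[...]}}'`, and the role with `az role definition create --role-definition @policy-out/custom-role.json`. Two caveats: a deny policy only evaluates create and update requests, so existing resources are reported non-compliant rather than removed, and the local evaluator covers only the `field`/`allOf`/`anyOf`/`not` operators used here, not aliases or `count` expressions.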

1 additional answer

  1. Nehruji R 2,966 Reputation points Microsoft Vendor
    2024-04-24T06:41:12.5866667+00:00

    Hello Eric Brown,

    Greetings! Welcome to Microsoft Q&A Platform.

    Adding to the above information, there are several best practices you can follow to restrict user access and enhance security. The following are some recommendations:

    1.When it comes to restricting users from deploying resources, you can definitely leverage Azure role-based access control (Azure RBAC) to manage who has access to Azure resources, what they can do with those resources (i.e. create/deploy, delete, view, etc.), and what areas they have access to. Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. Here are some examples of what you can do with Azure RBAC:

    • Allow one user to manage virtual machines in a subscription and another user to manage virtual networks
    • Allow a DBA group to manage SQL databases in a subscription
    • Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets
    • Allow an application to access all resources in a resource group.

    2.If you do not want to manually assign permissions to users, you can make use of the PIM feature in Azure. With this feature you can have users activate the permission. Once there is a permission activated, a request gets generated for the application and you just have to approve the request.

    refer - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure, https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-getting-started.

    3.To reduce the risk of a compromised owner, limit the number of subscription owners to a maximum of three. Instead of assigning roles directly to users, create Azure AD groups and assign roles to those groups. This approach simplifies management and ensures consistency across users with similar responsibilities.

    refer - https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices for best practices.

    By implementing these measures, you can effectively restrict user access to the desired limit. Additionally, you can regularly review and update your security policies and configurations to ensure that your Azure account remains secure and protected against any potential threats or vulnerabilities.

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.
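Point 3 of the answer above gives two checkable rules: no more than three subscription Owners, and roles assigned to groups rather than directly to users. As an added example, not code from the original answer or from Microsoft, the script below runs both checks over a role-assignment export shaped like the JSON that `az role assignment list --all -o json` returns. The assignments embedded in it are constructed for the example and the subscription ID and principal names are placeholders.

```python
"""Added example: audit exported role assignments for the two rules in the
answer above.  Not part of the original answer."""
import json
from collections import defaultdict

SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder

# Constructed sample; a real run would feed in:  az role assignment list --all -o json
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUBSCRIPTION},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUBSCRIPTION},
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUBSCRIPTION},
    {"principalName": "dave@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUBSCRIPTION},
    {"principalName": "sg-platform-operators", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": SUBSCRIPTION + "/resourceGroups/rg-app"},
    {"principalName": "erin@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUBSCRIPTION + "/resourceGroups/rg-app"},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUBSCRIPTION + "/resourceGroups/rg-app"},
])


def load_assignments(text):
    """Parse the az CLI JSON export into a list of assignment records."""
    return json.loads(text)


def is_subscription_scope(scope):
    """True for '/subscriptions/<id>' exactly (not a resource group or resource)."""
    parts = scope.strip("/").split("/")
    return len(parts) == 2 and parts[0] == "subscriptions"


def audit(assignments, max_owners=3):
    """Return (rule, detail) findings for the two rules."""
    findings = []
    owners = defaultdict(set)  # subscription scope -> distinct Owner principals
    for a in assignments:
        scope = a["scope"].rstrip("/")
        if a["roleDefinitionName"] == "Owner" and is_subscription_scope(scope):
            owners[scope].add(a["principalName"])
        if a["principalType"] == "User":
            findings.append(("direct-user-assignment",
                             f"{a['principalName']} holds {a['roleDefinitionName']} on {scope}; "
                             "assign the role to a group instead"))
    for scope, names in owners.items():
        if len(names) > max_owners:
            findings.append(("too-many-owners",
                             f"{len(names)} Owners on {scope} (limit {max_owners}): "
                             + ", ".join(sorted(names))))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(load_assignments(SAMPLE_ASSIGNMENTS)):
        print(f"[{rule}] {detail}")
```

Two limits worth knowing before trusting the count: Owner assignments inherited from a management group are not at subscription scope and are not counted here, and an Owner assignment to a group counts as one principal even though every group member is effectively an owner, so the group's membership needs its own review.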