Customizing Azure policy definitions

Azure policies help you to monitor, identify, and remediate noncompliant resources. Azure assigns a default set of policies to each subscription. If needed, you can customize these default Azure policies to match Cloud Service's resource configurations.

Note

Cloud Service doesn't customize your Azure policies to prevent conflicts with external workloads.

Customize default policy definitions in Azure

Customize the policy definitions in each of your Cloud Service enabled Azure subscriptions.

Note

You need Microsoft.Authorizations/PolicyAssignments/write permissions to update policy initiatives (sets of policies) in Azure.

  1. In the Azure portal, enter Policy in the search box at the top, and open the Policy service.

  2. On the left side of the Policy page, Select Compliance.

  3. On the Compliance page, set the scope by selecting the ellipsis and then selecting all subscriptions. At the bottom of the Scope page, select Select to add your selection.

    You can see a list of all the policy initiatives (sets of policies) assigned by Azure's onboarding process. The policy initiative for each subscription is labeled ASC Default (subscription: <Subscription_ID>).

  4. From the list, select a policy initiative, and select Edit assignment.

  5. On the Edit Initiative Assignment page, select the Parameters tab.

  6. Clear the Only show parameters that need input or review check box.

  7. Configure your default ASC policy parameters to allow only Cloud Service's specific configurations. Use the parameter values specified in Customizable policy definition parameters to update the parameters.

  8. Select the Review + create tab at the top of the wizard.

  9. Review your selections. At the bottom of the page, select Create.

You're now ready to monitor, identify, and remediate noncompliant resources to improve the compliance state of the resources in your subscription.

Customizable policy definition parameters

The following are the recommended parameters and values that are based on Cloud Service's resource configurations.

Use the values below each parameter while configuring the default ASC policy of a subscription.

Note

JSON values are provided where applicable.

Allowed service ports list in Kubernetes cluster

Cloud Service runs services on several ports in Kubernetes clusters in your cloud account to provide the Cloud services. You must allow the following ports:

["5432",  "9402",  "443", "8080",
  "9090",  "3000",  "8443",  "9443",  "9100", "9201", "8088"]

Allowed AppArmor profiles

Cloud Service requires the runtime/default AppArmor security profile:

["runtime/default"]

Allowed capabilities

Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. Cloud Service generally runs containers with limited capability to limit the attack surface of Kubernetes clusters but requires some capabilities to function:

["FOWNER"]

Allowed host paths for pod in Kubernetes cluster

Cloud Service requires the following HostPath mounts:

{
 "paths": [
   {
     "pathPrefix": "/var/log",
     "readOnly": false
   },
   {
     "pathPrefix": "/var/lib/docker/containers",
     "readOnly": true
   },
   {
     "pathPrefix": "/",
     "readOnly": true
   },
   {
     "pathPrefix": "/sys",
     "readOnly": true
   },
   {
     "pathPrefix": "/proc",
     "readOnly": true
   },
   {
     "pathPrefix": "/var/run/docker.sock",
     "readOnly": false
   },
   {
     "pathPrefix": "/run/containerd/containerd.sock",
     "readOnly": false
   },
   {
     "pathPrefix": "/dev",
     "readOnly": false
   },
   {
     "pathPrefix": "/boot",
     "readOnly": true
   },
   {
     "pathPrefix": "/lib/modules",
     "readOnly": false
   },
   {
     "pathPrefix": "/usr",
     "readOnly": true
   },
   {
     "pathPrefix": "/etc",
     "readOnly": true
   }
 ]
}

Other recommendations from Microsoft Defender for Cloud

Microsoft Defender for Cloud (which includes Azure Secure Center and Azure Defender) analyzes the configurations of your Azure resources to identify potential vulnerabilities.

You might see recommendations from Microsoft Defender for Cloud even after customizing your policies and remediating noncompliant resources. Microsoft offers these recommendations for the reasons that follow.

Restrict unauthorized network access

  • Restrict use of host networking and ports.

    Cloud Service runs containers that use the node network namespace to monitor network traffic statistics of Kubernetes cluster worker nodes. To prevent traffic sniffing and configuration changes to the worker node system, Cloud Service has removed all security capabilities for those containers.

  • Protect virtual networks with Azure Firewall.

    Cloud Service doesn't enable the Azure Firewall. Instead, Cloud Service uses Azure Network Security Group allowlists to specify allowed inbound and outbound traffic.

    If your organization requires an Azure Firewall for compliance purposes, contact Big Animal support.

Manage access and permissions

  • Avoid privileged containers.

    Avoid running containers as root user. However, to achieve some management functionality, like securing and monitoring the application, Cloud Service needs to run some containers in privileged mode.

  • Enforce immutable (read-only) root filesystem for containers.

    Avoid running containers with a read-only root filesystem. However, for Cloud Service to achieve some control plane functionality, Cloud Service needs to run some containers with a read-only root filesystem. For example, for Cloud Service to use system calls to secure and monitor the Cloud Service application, it needs to run containers with a read-only root filesystem.

  • Avoid running containers as root user.

    Cloud Service must run some containers as the root user to provide some aspects of control plane functionality, such as logging. Cloud Service tightly restricts the use of the root user, and no containers running as root expose network connectivity.

  • Avoid containers sharing sensitive host namespaces.

    Cloud Service must run some containers that can share the host process ID namespace to monitor network traffic statistics for cluster worker nodes. To prevent traffic sniffing and configuration changes to the worker node system, Cloud Service has removed all security capabilities for those containers.

  • Avoid containers with privilege escalation.

    To enable some monitoring capabilities for Kubernetes, Cloud Service must run some containers that might allow privilege escalation.

Implement security best practices

  • Disable auto mounting API credentials for Kubernetes clusters.

    Microsoft recommends disabling auto mounting API credentials to prevent a potentially compromised pod from running API commands against a Kubernetes cluster.

    Cloud Service creates service accounts and roles with the least privileges for Kubernetes operators and operands to prevent this scenario.

Enable auditing and logging

Microsoft recommends enabling diagnostic logs in Kubernetes services, Key Vault, and Virtual Machine Scale Sets.

Cloud Service doesn't enable diagnostic logs for Kubernetes services and Key Vault, but it does enable diagnostic logs for Virtual Machine Scale Sets. Resources managed by Cloud Service are logged in Virtual Machine Scale Sets logs. If you must enable other logs for compliance purposes, contact Cloud Service support.

Enable enhanced security features

Microsoft Defender for Cloud includes the capabilities of Microsoft Defender for open-source relational databases.

Cloud Service doesn't enable any of the following capabilities:

  • Microsoft Defender for Servers
  • Microsoft Defender for Storage
  • Microsoft Defender for Key Vault
  • Microsoft Defender for Containers
  • Microsoft Defender for Kubernetes Service clusters
  • Microsoft Defender for Resources Manager
  • Microsoft Defender for DNS

If you have questions about enabling any of those capabilities for Cloud Service, contact Cloud Service support.


Could this page be better? Report a problem or suggest an addition!