Governance on any public cloud
See also: GCP Gov Cloud - Assured Workloads
To implement proper governance on any cloud provider, three elements are needed (tagging, RBAC and policies), plus optionally resource locking. Governance covers both cost management (tagging) and resource management (policies).
Taking Azure as the example cloud, it provides:
- Policies - Azure Policies ensure that resource operations can be denied or audited. Azure policies govern various aspects of the deployment of resources, and they also govern updates after the initial deployment.
- RBAC - ensures the right team members have permissions to access their resources.
- Tagging - attaches metadata to resources so that costs can be tracked.
- (Optional) Locks - Azure Locks ensure that resources cannot be modified or deleted accidentally.
Azure Policies - Sample Policies
Deployments to certain location
Azure resources can only be deployed to certain chosen locations; it is not possible to deploy resources in regions outside the policy. For example, if the allowed regions are West Europe and East US, it should not be possible to deploy resources in any other region.
Tags of resources and Resource Groups
Every resource in Azure, including resource groups, must have tags assigned to it. At a minimum the tags include the department, environment, creation date, and project name.
Diagnostic logs and Application Insights for all resources
Every resource deployed on Azure should have diagnostic logs and application logs enabled wherever possible.
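The first two sample policies (allowed locations and mandatory tags) can be expressed as Azure Policy definitions and checked before anything is deployed. The block below is an added example, not code from the original page or from Azure: the two definitions follow the shape of an Azure Policy `policyRule` (an `if` condition built from `field`, `notIn`, `notEquals` and `exists` operators, and a `then` effect of `deny`), while the evaluator that applies them is a simplified stand-in written for this example, not Azure's policy engine. The allowed regions, the required tag names and the sample resources are constructed values.

```python
"""Simplified evaluator for the 'allowed locations' and 'required tags' sample policies.

The policy definitions mirror the structure of an Azure Policy `policyRule`.
The evaluation logic is a small stand-in for this example, not Azure's engine,
and all resources below are constructed sample data.
"""
from typing import Any

# Constructed values for this example (the page names West Europe and East US).
ALLOWED_LOCATIONS = ["westeurope", "eastus"]
REQUIRED_TAGS = ["department", "environment", "creationDate", "project"]

# Deny any resource deployed outside the allowed regions; 'global' resources
# (e.g. DNS zones) carry no region and are exempted, as Azure's built-in does.
ALLOWED_LOCATIONS_POLICY = {
    "displayName": "Allowed locations",
    "mode": "Indexed",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "location", "notIn": ALLOWED_LOCATIONS},
                {"field": "location", "notEquals": "global"},
            ]
        },
        "then": {"effect": "deny"},
    },
}


def required_tag_policy(tag: str) -> dict:
    """Deny any resource or resource group that lacks the given tag (mode All covers resource groups)."""
    return {
        "displayName": f"Require tag '{tag}'",
        "mode": "All",
        "policyRule": {
            "if": {"field": f"tags[{tag}]", "exists": "false"},
            "then": {"effect": "deny"},
        },
    }


def get_field(resource: dict, field: str) -> Any:
    """Resolve a policy field alias against a resource: 'location', 'type' or 'tags[name]'."""
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1])
    return resource.get(field)


def matches(condition: dict, resource: dict) -> bool:
    """Evaluate an `if` condition: allOf / anyOf / not combinators and field operators."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = get_field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    if "in" in condition:
        return value in condition["in"]
    if "notIn" in condition:
        return value not in condition["notIn"]
    if "exists" in condition:  # Azure writes the flag as the string "true"/"false"
        return (value is not None) == (condition["exists"] == "true")
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policies: list, resource: dict) -> list:
    """Return the display names of every policy whose deny effect fires for the resource."""
    denied = []
    for policy in policies:
        rule = policy["policyRule"]
        if matches(rule["if"], resource) and rule["then"]["effect"] == "deny":
            denied.append(policy["displayName"])
    return denied


POLICIES = [ALLOWED_LOCATIONS_POLICY] + [required_tag_policy(t) for t in REQUIRED_TAGS]

FULL_TAGS = {"department": "finance", "environment": "prod",
             "creationDate": "2024-01-15", "project": "ledger"}

# Constructed sample deployments to check against the policies.
SAMPLE_RESOURCES = {
    "vm-in-west-europe": {"type": "Microsoft.Compute/virtualMachines",
                          "location": "westeurope", "tags": dict(FULL_TAGS)},
    "vm-in-southeast-asia": {"type": "Microsoft.Compute/virtualMachines",
                             "location": "southeastasia", "tags": dict(FULL_TAGS)},
    "storage-without-project-tag": {"type": "Microsoft.Storage/storageAccounts",
                                    "location": "eastus",
                                    "tags": {k: v for k, v in FULL_TAGS.items() if k != "project"}},
    "global-dns-zone": {"type": "Microsoft.Network/dnszones",
                        "location": "global", "tags": dict(FULL_TAGS)},
}


def deployment_report() -> dict:
    """Map each sample resource name to the list of policies that would deny it."""
    return {name: evaluate(POLICIES, res) for name, res in SAMPLE_RESOURCES.items()}


if __name__ == "__main__":
    for name, denials in deployment_report().items():
        print(f"{name}: {'allowed' if not denials else 'denied by ' + ', '.join(denials)}")
```

In real Azure the same definitions are created and assigned at a management group or subscription scope; the point of the local evaluator is to show why the South-East Asia VM and the storage account without a `project` tag are rejected while the global DNS zone passes the location rule.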
An example RBAC assignment (made by an Azure admin) might look like:

| Role | Assigned to | Description |
| --- | --- | --- |
| Owner | Administrator | Manages all resource groups and the subscription. |
| Security manager | Security administrators | This role allows users to look at Azure Security Center and the status of the resources. |
| Contributor | Infrastructure management | Managing virtual machines and other resources. |
| Reader | Developers | Can view resources, but cannot modify them. Developers are expected to work in their development/testing environments. |