I developed and implemented a range of Azure policies to enforce compliance and bolster security within our cloud environment. My responsibilities included drafting and deploying policies that addressed various compliance requirements and security best practices. I actively engaged in remediating non-compliant resources by identifying and correcting deviations from established policies, ensuring all resources met required standards. Additionally, I created and managed security exemptions for cases where immediate compliance was not feasible, carefully documenting and justifying each exception. This approach ensured that while exceptions were handled appropriately, our overall security posture and policy adherence were maintained, leading to a more secure and compliant cloud infrastructure.
Audit Storage Accounts with External IP Addresses Attached
variable "namePolicy" {}
variable "displayNamePolicy" {}
variable "descriptionPolicy" {}
variable "mgmtGroupID" {}
variable "IPAddresses" {
  type = list(string) # allow-listed public IP addresses or CIDR ranges
}

resource "azurerm_policy_definition" "policy" {
  name                = var.namePolicy
  policy_type         = "Custom"
  mode                = "All"
  display_name        = var.displayNamePolicy
  description         = var.descriptionPolicy
  management_group_id = var.mgmtGroupID

  metadata = jsonencode({
    category = "Storage"
  })

  # Policy parameter: the allow-list that ipRules entries are checked against.
  parameters = jsonencode({
    IPAddresses = {
      type = "Array"
      metadata = {
        displayName = "List of allowed IP addresses"
      }
      # Pass the list value directly. Wrapping it as "${var.IPAddresses}"
      # asks Terraform to coerce a list into a string and fails at plan time.
      defaultValue = var.IPAddresses
    }
  })

  # Flag storage accounts that are reachable from the public network and
  # carry an ipRules entry whose address is not in the allow-list.
  policy_rule = jsonencode({
    if = {
      allOf = [
        {
          field  = "Microsoft.Storage/storageAccounts/publicNetworkAccess"
          equals = "Enabled"
        },
        {
          not = {
            field = "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value"
            in    = "[parameters('IPAddresses')]"
          }
        }
      ]
    }
    then = {
      effect = "audit"
    }
  })
}
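A definition only takes effect once it is assigned, and the exemption workflow described above needs an assignment to attach to. The following is an added example, not code from the original page: it assigns the definition at the management group and records one time-boxed, documented exemption for a single resource. It assumes the azurerm provider 3.x, the "policy" definition and variables from the block above, and a hypothetical variable exemptResourceID holding the ID of the resource that cannot comply yet.

```hcl
# Hypothetical input: the resource ID of the storage account being exempted.
variable "exemptResourceID" {}

resource "azurerm_management_group_policy_assignment" "audit_external_ips" {
  name                 = "audit-storage-ext-ip" # MG-scope assignment names are limited to 24 chars
  display_name         = var.displayNamePolicy
  management_group_id  = var.mgmtGroupID
  policy_definition_id = azurerm_policy_definition.policy.id

  # Assignment parameters are a JSON object of {parameterName = {value = ...}}.
  parameters = jsonencode({
    IPAddresses = { value = var.IPAddresses }
  })
}

# One exemption per justified case: scoped to a single resource, categorised,
# described, and given an expiry so it is revisited rather than forgotten.
resource "azurerm_resource_policy_exemption" "legacy_storage" {
  name                 = "legacy-storage-exemption"
  resource_id          = var.exemptResourceID
  policy_assignment_id = azurerm_management_group_policy_assignment.audit_external_ips.id
  exemption_category   = "Waiver"                   # use "Mitigated" when a compensating control exists
  expires_on           = "2025-12-31T23:59:59Z"     # constructed date; set to the agreed review deadline
  display_name         = "Legacy ingest storage account (ticket SEC-0000)" # placeholder ticket reference
  description          = "Partner IP range not yet in allow-list; migration to Private Endpoint scheduled."
}
```

Exempted resources still show up in compliance reports under the exemption category, so the expiry and description give reviewers what they need to decide whether to renew or close the exception.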
Audit Key Vaults with External IP Addresses Attached
Audit Azure Database for PostgreSQL Flexible Servers with External IP Addresses Attached
Audit Azure Database for PostgreSQL resources with External IP Addresses Attached
Deny Public Access to Managed Disks
Deny Public Access to Snapshots
Deny NSG Rules outside of Approved List
Deny Service Bus Resources with Less Than Minimum TLS Version
Deploy Private DNS Zone for Cognitive Services and OpenAI
Deny Event Grid Resources with Less Than Minimum TLS Version