02-Governance and Compliance Flashcards
What are Datacenters organized into
Organized into Regions
What are Regions
Geographical locations that contain multiple Datacenters
What to think about when deploying resources to a region
1 - When selecting Region, do you have legal authority to deploy resources to location
2 - Does that region have all the services I require to complete my mission
3 - Is that region as close as possible to my users (minimize latency)
4 - Are the services cheaper in that region (cost of doing business with Microsoft varies by region)
How is planned maintenance done on region pairs
It is done one region at a time
How far apart are region pairs
300 miles apart
Who can create an Azure subscription
Only identities in Azure AD or in a directory that is trusted by Azure AD
What is Azure Subscription
Logical unit of Azure services that is linked to an Azure account
Security and Billing Boundary
How do you get a Subscription
- Enterprise Agreement - customers make an upfront commitment and use services
- Resellers - provide simple way to purchase
- Partners can design and implement your solution
- Personal free account - start right away
List subscription types
- Free - $200 credit for first 30 days, free limited access for 12 months
- Pay-as-you-go - monthly charge
- CSP - Cloud Solutions Provider gives discounts
- Enterprise - discounts for new licenses and Software Assurance
- Student - $100 for 12 months
What does Cost Management include
- Conduct cost analysis
- Create a budget
- Review recommendations
- Export the data
What are Resource Tags?
Logically organize resources into categories
Use name-value pair
Gives metadata to resources
Helpful for rolling up billing information
What are Azure Reservations
Save money by pre-paying for services
What are Azure Hybrid Benefits
Use Windows Server and SQL Server on-prem licenses with Software Assurance
What are Azure Credits
Monthly credit benefit that allows you to experiment with, develop, and test new solutions on Azure
How should you choose Regions to save money
Use low-cost locations and regions
What are spot instances?
Take advantage of unused capacity and very low cost
Use for workloads that can tolerate interruption, such as batch processing.
You get 30 minute notice before eviction.
No SLA
What are Management Groups
Manage multiple subscriptions.
Apply governance conditions and policies at scale
Targeting of policies and spend budgets across subscriptions, with inheritance down the hierarchy
Compliance and cost reporting by organization (business/teams)
What is Azure Policy
Service in Azure that you use to create, assign and manage policies
Runs evaluations and scans for non-compliant resources
What are advantages of Azure Policy
- Enforcement and compliance
- Apply policies at scale
- Remediation
What are some things you can set with Azure policy
- Allowed resource types
- Allowed virtual machine SKUs
- Allowed locations
- Require tag and its value
- Azure Backup should be enabled for Virtual Machines
How to Implement Azure Policy
- Browse Policy Definitions
- Create Initiative Definitions
- Scope the Initiative Definition
- View Policy evaluation results
What is scoping?
To what level do you want to assign an initiative definition, i.e. subscription, resource group?
What is PCI
Payment Card Industry
What are Initiative Definitions?
Set of Policies
Example: an Initiative Definition that complies with PCI
Policy Definitions
Many policy definitions are available
Import policies from GitHub
Have specific JSON format
Require planning
How do you Scope the Initiative Definition
Assign definition to Scope
Scope enforces Policy
Select subscription, and optionally the Resource Group
How do you determine Compliance
See non-compliant initiatives, policies and resources in Dashboard
What is Role Based Access Control
Fine-grained access management of resources in Azure
Helps you manage who has access to your resources, what they can do, and at what level
Who is the security principal
What specific operations can they carry out
Where is the scope
What is Security Principal
Object that represents something that is requesting access to resources
What is Role Definition
Collection of permissions that lists the operations that can be performed
What is Scope
Boundary for the level of access that is requested
What is Assignment
Attach a role definition to a security principal at a particular scope
What is Role Definition
Is the what
What operations can or cannot be performed
What is Role Assignment
Process of binding a role definition to a user, group, or service principal at a scope for the purpose of granting access
Binds the what to the who and the where
What are Azure RBAC roles
Manage access to Azure RESOURCES
Scope specified at multiple levels
What are Azure AD roles
Manage access to Azure AD OBJECTS
Scope is tenant level
By default does Global Admin have access to Subscription resources
As Global Admin, they don’t have access to Subscription resources
They need to elevate their access first
Fundamental RBAC Roles
- Owner
- Contributor
- Reader
- User Access Administrator
Owner Permission
fill in
Contributor
fill in
Reader
fill in
User Access Administrator
fill in
ARM Template Advantages
Improves consistency
Express complex deployment
Fewer errors - no fat-fingering
Code based
Promotes reuse
Modular and can be linked
Simplifies orchestration
Describe Template Schema
Defines all Resource Manager resources in the deployment
Written in JSON
Collection of key-value pairs
Each key is a string
Each value can be a string, number, Boolean expression, list of values, object
Describe Template Parameters
Which values are configurable when template is run