Azure Landing Zone Review Checklist – Security, governance and compliance


Azure Key Vault

| Question | Severity | Comment | Link to more information |
|---|---|---|---|
| Use a federated Azure Key Vault model (separate vaults per application, environment and region) to avoid transaction scale limits. | Medium | | Best Practices to use Key Vault – Azure Key Vault (Microsoft Docs) |
| Provision Azure Key Vault with soft delete and purge protection enabled so that deleted keys, secrets and certificates are retained for the configured period (7 to 90 days) and cannot be permanently removed before it expires. Purge protection cannot be turned off once enabled. | Medium | | Best Practices to use Key Vault – Azure Key Vault (Microsoft Docs) |
| Follow a least-privilege model: the permission to permanently delete (purge) keys, secrets and certificates is separate from delete, so grant it only to specialized custom roles (Azure RBAC custom roles, or the purge permission in vault access policies) rather than to general administrators. | Medium | | Best Practices to use Key Vault – Azure Key Vault (Microsoft Docs) |
| Automate certificate management and renewal with the integrated public certificate authorities (DigiCert, GlobalSign) to ease administration. | Medium | | Best Practices to use Key Vault – Azure Key Vault (Microsoft Docs) |
| Establish an automated process for key and certificate rotation (Key Vault offers key rotation policies and Event Grid near-expiry events for this). | Medium | | Best Practices to use Key Vault – Azure Key Vault (Microsoft Docs) |
| Enable the firewall and a virtual network service endpoint (or a private endpoint) on the vault so that only the configured networks can reach it. Note that the "Allow trusted Microsoft services" bypass still lets selected Azure services through the firewall. | Medium | | Best Practices to use Key Vault – Azure Key Vault (Microsoft Docs) |
| Use the platform-central Azure Monitor Log Analytics workspace to audit key, certificate and secret usage within each instance of Key Vault (send the AuditEvent diagnostic log category from every vault). | Medium | | Best Practices to use Key Vault – Azure Key Vault (Microsoft Docs) |
| Delegate Key Vault instantiation and privileged access, and use Azure Policy to enforce a consistent compliant configuration. | Medium | | Best Practices to use Key Vault – Azure Key Vault (Microsoft Docs) |
| Default to Microsoft-managed keys for platform encryption and use customer-managed keys only when required. | Medium | | Best Practices to use Key Vault – Azure Key Vault (Microsoft Docs) |
| Don't share Key Vault instances between applications, to avoid secrets being shared across environments. | Medium | | Best Practices to use Key Vault – Azure Key Vault (Microsoft Docs) |
| Don't use centralized instances of Key Vault for application keys or secrets. | Medium | | Best Practices to use Key Vault – Azure Key Vault (Microsoft Docs) |
| Bring your own key (BYOK) might not be supported by all the services under consideration. Implement relevant mitigations so that such inconsistencies don't hinder the desired outcome. | Medium | | Best Practices to use Key Vault – Azure Key Vault (Microsoft Docs) |
| Choose appropriate region pairs and disaster recovery regions that minimize latency. | Medium | | Best Practices to use Key Vault – Azure Key Vault (Microsoft Docs) |
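The Key Vault rows above can be checked mechanically from the output of `az keyvault show`. The script below is an added example, not code from the original page or from Microsoft: it audits the soft delete, purge protection, retention, network ACL and purge-permission items against the JSON that `az keyvault show --name <vault>` prints (the ARM resource shape with a `properties` object). The two vaults, the object ID and the 90-day retention expectation are constructed for this example.

```python
"""Audit an Azure Key Vault against the Key Vault rows of the checklist.

Added example, not code from the original page or from Microsoft. Input is
the JSON printed by `az keyvault show --name <vault>`; the two vaults below
are constructed samples.
"""
import json

EXPECTED_RETENTION_DAYS = 90  # assumption for this example; Azure allows 7-90


def purge_grants(props: dict) -> list[str]:
    """Return '<objectId>:<kind>' for every access policy holding `purge`.

    Only meaningful when the vault still uses access policies
    (enableRbacAuthorization false); with Azure RBAC the equivalent check is
    a role-assignment review, which `az keyvault show` cannot see.
    """
    holders = []
    for policy in props.get("accessPolicies") or []:
        perms = policy.get("permissions") or {}
        for kind in ("keys", "secrets", "certificates"):
            if any(p.lower() == "purge" for p in perms.get(kind) or []):
                holders.append(f"{policy['objectId']}:{kind}")
    return holders


def audit_key_vault(vault: dict) -> list[str]:
    """Return findings for one vault; an empty list means it passes."""
    props = vault.get("properties") or {}
    findings = []

    # Retention protection: soft delete keeps deleted objects recoverable and
    # purge protection blocks permanent deletion until retention expires.
    if not props.get("enableSoftDelete", False):
        findings.append("soft delete disabled")
    if not props.get("enablePurgeProtection", False):
        findings.append("purge protection disabled")
    retention = props.get("softDeleteRetentionInDays", 0)
    if retention < EXPECTED_RETENTION_DAYS:
        findings.append(
            f"soft delete retention {retention} days < {EXPECTED_RETENTION_DAYS}")

    # Network: unless public access is switched off entirely, the firewall
    # must default to Deny, otherwise any address with a valid token can
    # reach the vault.
    acls = props.get("networkAcls") or {}
    public_disabled = props.get("publicNetworkAccess") == "Disabled"
    if not public_disabled and acls.get("defaultAction", "Allow") != "Deny":
        findings.append(
            "public network access enabled and network ACL defaultAction is not Deny")

    # Least privilege on permanent deletion.
    if not props.get("enableRbacAuthorization", False):
        for holder in purge_grants(props):
            findings.append(f"access policy grants purge: {holder}")
    return findings


# Constructed sample: a vault left at defaults plus a broad access policy.
WEAK_VAULT = {
    "name": "kv-app-dev",
    "properties": {
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 7,
        "enableRbacAuthorization": False,
        "publicNetworkAccess": "Enabled",
        "accessPolicies": [{
            "objectId": "11111111-1111-1111-1111-111111111111",
            "permissions": {"keys": ["get", "list"],
                            "secrets": ["get", "list", "delete", "purge"],
                            "certificates": []},
        }],
    },
}

# Constructed sample: the configuration the checklist asks for.
HARDENED_VAULT = {
    "name": "kv-app-prod",
    "properties": {
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 90,
        "enablePurgeProtection": True,
        "enableRbacAuthorization": True,
        "publicNetworkAccess": "Enabled",
        "networkAcls": {
            "defaultAction": "Deny",
            "bypass": "AzureServices",
            "ipRules": [],
            "virtualNetworkRules": [{"id": "/subscriptions/s1/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app"}],
        },
        "accessPolicies": [],
    },
}

if __name__ == "__main__":
    for vault in (WEAK_VAULT, HARDENED_VAULT):
        print(vault["name"], json.dumps(audit_key_vault(vault), indent=2))
```

Diagnostic settings (the AuditEvent category going to the central workspace) are not part of the vault resource, so they need a separate call such as `az monitor diagnostic-settings list --resource <vault resource id>`. The hardened sample keeps the `AzureServices` bypass; whether that is acceptable depends on which trusted services the landing zone actually uses.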
    
Azure Policy

| Question | Severity | Comment | Link to more information |
|---|---|---|---|
| Identify required Azure tags and use the append or, preferably, the modify effect to enforce usage (append only acts on create and update requests, while modify can also remediate existing resources). | Medium | | Resource naming and tagging decision guide – Cloud Adoption Framework (Microsoft Docs) |
| Map regulatory and compliance requirements to Azure Policy definitions (or built-in regulatory compliance initiatives) and Azure role assignments. | Medium | | Overview of Azure Policy – Azure Policy (Microsoft Docs) |
| Establish Azure Policy definitions at the top-level root management group so that they can be assigned at inherited scopes. | Medium | | Overview of Azure Policy – Azure Policy (Microsoft Docs) |
| Manage policy assignments at the highest appropriate level, with exclusions at lower levels only if required. | Medium | | Overview of Azure Policy – Azure Policy (Microsoft Docs) |
| Use Azure Policy to control resource provider registrations at the subscription and/or management group level. | Medium | | Overview of Azure Policy – Azure Policy (Microsoft Docs) |
| Use built-in policies where possible to minimize operational overhead. | Medium | | Overview of Azure Policy – Azure Policy (Microsoft Docs) |
| Assign the built-in Resource Policy Contributor role at a particular scope to enable application-level governance. | Medium | | Overview of Azure Policy – Azure Policy (Microsoft Docs) |
| Limit the number of Azure Policy assignments made at the root management group scope to avoid managing through exclusions at inherited scopes. | Medium | | Overview of Azure Policy – Azure Policy (Microsoft Docs) |
| Use Azure Policy to automatically deploy software configurations through VM extensions (for example a deployIfNotExists policy that installs the Guest Configuration extension) and enforce a compliant baseline VM configuration. | Medium | | Overview of Azure Policy – Azure Policy (Microsoft Docs) |
| Monitor VM security configuration drift via Azure Policy (guest configuration audit policies). | Medium | | Overview of Azure Policy – Azure Policy (Microsoft Docs) |
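The tag-enforcement row above is the one most teams implement first. The script below is an added example, not code from the original page or from Microsoft: it builds the `policyRule` for a custom definition that uses the `modify` effect to add missing required tags, and models which resources in a constructed inventory a remediation task would touch. The tag names, their placeholder values and the sample resources are chosen for this example; the role definition ID is the built-in Contributor role, which the policy's managed identity needs in order to write tags.

```python
"""Required-tag enforcement with the Azure Policy `modify` effect.

Added example, not code from the original page or from Microsoft. Tag names,
placeholder values and the sample inventory are constructed for this example.
"""
import json

CONTRIBUTOR_ROLE_ID = ("/providers/Microsoft.Authorization/roleDefinitions/"
                       "b24988ac-6180-42a0-ab88-20f7382dd24f")

# Tags every landing zone resource must carry, with the placeholder value the
# policy writes when the tag is absent (constructed for this example).
REQUIRED_TAGS = {"env": "unclassified", "owner": "unassigned", "cost-center": "unknown"}


def required_tags_rule(required: dict[str, str]) -> dict:
    """Build the policyRule for a definition that adds missing required tags.

    `add` (unlike `addOrReplace`) leaves a tag alone when it already exists,
    so the rule only fills gaps. Because the effect is `modify`, existing
    non-compliant resources can be fixed by a remediation task; the `append`
    effect only acts on create/update requests and cannot remediate.
    """
    return {
        "if": {"anyOf": [
            {"field": f"tags['{name}']", "exists": "false"} for name in required
        ]},
        "then": {
            "effect": "modify",
            "details": {
                "roleDefinitionIds": [CONTRIBUTOR_ROLE_ID],
                "operations": [
                    {"operation": "add", "field": f"tags['{name}']", "value": value}
                    for name, value in required.items()
                ],
            },
        },
    }


def missing_tags(resource: dict, required: dict[str, str]) -> list[str]:
    """Tags the rule above would add to one resource.

    A model of the effect's evaluation for this example, not the Azure Policy
    engine itself. Tag names are compared case-insensitively, as Azure does.
    """
    present = {k.lower() for k in (resource.get("tags") or {})}
    return [name for name in required if name.lower() not in present]


def remediation_plan(resources: list[dict], required: dict[str, str]) -> dict[str, list[str]]:
    """Map resource ID -> tags a remediation task would add; compliant
    resources are omitted."""
    plan = {}
    for res in resources:
        missing = missing_tags(res, required)
        if missing:
            plan[res["id"]] = missing
    return plan


# Constructed sample inventory, in the shape of `az resource list` output.
SAMPLE_RESOURCES = [
    {"id": "/subscriptions/s1/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp",
     "tags": {"env": "prod", "owner": "team-a", "cost-center": "1001"}},
    {"id": "/subscriptions/s1/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app",
     "tags": {"env": "prod"}},
    {"id": "/subscriptions/s1/resourceGroups/rg-legacy/providers/Microsoft.Compute/virtualMachines/vm-old",
     "tags": None},
]

if __name__ == "__main__":
    # Save the rule to rule.json and create the definition at the management
    # group where the checklist says definitions belong, for example:
    #   az policy definition create --name add-required-tags --mode Indexed \
    #       --rules rule.json --management-group <mg-id>
    print(json.dumps(required_tags_rule(REQUIRED_TAGS), indent=2))
    print(json.dumps(remediation_plan(SAMPLE_RESOURCES, REQUIRED_TAGS), indent=2))
```

`Indexed` mode limits evaluation to resource types that support tags and location, which avoids noise from resources that can never comply. The placeholder values make missing tags visible in cost and ownership reports rather than hiding them; a `deny` policy on the same condition is the stricter alternative for new deployments.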
    
| Question | Severity | Comment | Link to more information |
|---|---|---|---|
| Use Azure AD reporting capabilities (sign-in and audit logs) to generate access control audit reports. | Medium | | What are Azure Active Directory reports? (Microsoft Docs) |
| Export the Azure activity log (kept on the platform for only 90 days) to Azure Monitor Logs for long-term retention and querying. Export to Azure Storage for long-term storage beyond two years, if necessary. | Medium | | Log Analytics workspace data export in Azure Monitor (preview) – Azure Monitor (Microsoft Docs) |
| Enable the Security Center Standard tier (now the Microsoft Defender for Cloud plans) for all subscriptions, and use Azure Policy to ensure it stays enabled. | Medium | | Azure Security Center documentation (Microsoft Docs) |
| Monitor base operating system patching drift via Azure Monitor Logs and Azure Security Center. | Medium | | Azure Security Center documentation (Microsoft Docs) |
| Connect default resource configurations (diagnostic settings) to a centralized Azure Monitor Log Analytics workspace. | Medium | | Designing your Azure Monitor Logs deployment – Azure Monitor (Microsoft Docs) |
| Determine the incident response plan for Azure services before allowing them into production. | Medium | | Azure Security Control – Incident Response (Microsoft Docs) |
| Implement a zero-trust approach for access to the Azure platform, where appropriate. | Medium | | Implementing a Zero Trust security model at Microsoft |
| Plan how new Azure services will be implemented. | Medium | | Azure Security Control – Incident Response (Microsoft Docs) |
| Plan how service requests will be fulfilled for Azure services. | Medium | | Azure Security Control – Incident Response (Microsoft Docs) |

Thank you for your precious time.
