
Read, Interpret and Detect Non-compliance in a Complex Construction and Specifications


Determine causes of non-compliance

When an Azure resource is determined to be non-compliant to a policy rule, it's helpful to understand which portion of the rule the resource isn't compliant with. It's also useful to understand what change altered a previously compliant resource to make it non-compliant. There are two ways to find this information:

  • Compliance details
  • Change history (Preview)

Compliance details

When a resource is non-compliant, the compliance details for that resource are available from the Policy compliance page. The compliance details pane includes the following information:

  • Resource details such as name, type, location, and resource ID
  • Compliance state and timestamp of the last evaluation for the current policy assignment
  • A list of reasons for the resource's non-compliance

Important

As the compliance details for a Non-compliant resource show the current value of properties on that resource, the user must have read operation to the type of resource. For example, if the Non-compliant resource is Microsoft.Compute/virtualMachines then the user must have the Microsoft.Compute/virtualMachines/read operation. If the user doesn't have the needed operation, an access error is displayed.

To view the compliance details, follow these steps:

  1. Launch the Azure Policy service in the Azure portal by selecting All services, then searching for and selecting Policy.

  2. On the Overview or Compliance page, select a policy in a compliance state that is Non-compliant.

  3. Under the Resource compliance tab of the Policy compliance page, select and hold (or right-click) or select the ellipsis of a resource in a compliance state that is Non-compliant. Then select View compliance details.

    Screenshot of the 'View compliance details' link on the Resource compliance tab.

  4. The Compliance details pane displays information from the latest evaluation of the resource to the current policy assignment. In this example, the field Microsoft.Sql/servers/version is found to be 12.0 while the policy definition expected 14.0. If the resource is non-compliant for multiple reasons, each is listed on this pane.

    Screenshot of the Compliance details pane and reasons for non-compliance that current value is twelve and target value is fourteen.

    For an auditIfNotExists or deployIfNotExists policy definition, the details include the details.type property and any optional properties. For a list, see auditIfNotExists properties and deployIfNotExists properties. Last evaluated resource is a related resource from the details section of the definition.

    Example partial deployIfNotExists definition:

        {
            "if": {
                "field": "type",
                "equals": "[parameters('resourceType')]"
            },
            "then": {
                "effect": "DeployIfNotExists",
                "details": {
                    "type": "Microsoft.Insights/metricAlerts",
                    "existenceCondition": {
                        "field": "name",
                        "equals": "[concat(parameters('alertNamePrefix'), '-', resourcegroup().name, '-', field('name'))]"
                    },
                    "existenceScope": "subscription",
                    "deployment": {
                        ...
                    }
                }
            }
        }

    Screenshot of Compliance details pane for ifNotExists including evaluated resource count.
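The following is an added example, not code from the Azure docs, showing how the existenceCondition in the partial deployIfNotExists definition above decides compliance: the candidates are narrowed by details.type within the existenceScope, the expected alert name is resolved from the concat() expression, and the absence of a match produces the "No related resources" reason. The policy-function evaluation is simplified and the sample resources are constructed.

```python
# Added example (not from the Azure docs): simplified evaluation of the deployIfNotExists
# existenceCondition shown above. Sample parameters and resources are constructed.
POLICY_PARAMS = {"resourceType": "Microsoft.Sql/servers", "alertNamePrefix": "alert"}

def expected_alert_name(params, resource_group, resource_name):
    # Resolves "[concat(parameters('alertNamePrefix'), '-', resourcegroup().name, '-', field('name'))]"
    return f"{params['alertNamePrefix']}-{resource_group}-{resource_name}"

def evaluate_deploy_if_not_exists(params, resource, subscription_resources):
    """resource: the resource matched by the 'if' block (dict with type, name, resourceGroup).
    subscription_resources: every resource in the subscription, because existenceScope is
    'subscription'. Returns the verdict plus the fields the compliance details pane shows."""
    if resource["type"].lower() != params["resourceType"].lower():
        return {"applicable": False}                 # 'if' block doesn't match; not evaluated
    wanted = expected_alert_name(params, resource["resourceGroup"], resource["name"])
    # details.type narrows the candidates; existenceCondition is then checked on each one
    candidates = [r for r in subscription_resources
                  if r["type"].lower() == "microsoft.insights/metricalerts"]
    matches = [r for r in candidates if r["name"].lower() == wanted.lower()]
    verdict = {"applicable": True, "compliant": bool(matches), "expectedName": wanted,
               "evaluatedResourceCount": len(candidates)}
    if not matches:
        verdict["reason"] = "No related resources match the effect details in the policy definition."
    return verdict

# Constructed sample: one SQL server and two metric alerts, only one of which is for it.
SQL_SERVER = {"type": "Microsoft.Sql/servers", "name": "sqlprod", "resourceGroup": "rg-data"}
SUBSCRIPTION = [
    SQL_SERVER,
    {"type": "Microsoft.Insights/metricAlerts", "name": "alert-rg-data-sqlprod", "resourceGroup": "rg-data"},
    {"type": "Microsoft.Insights/metricAlerts", "name": "alert-rg-web-app1", "resourceGroup": "rg-web"},
]

if __name__ == "__main__":
    print(evaluate_deploy_if_not_exists(POLICY_PARAMS, SQL_SERVER, SUBSCRIPTION))
```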

Note

To protect data, when a property value is a secret the current value displays asterisks.

These details explain why a resource is currently non-compliant, but don't show when the change was made to the resource that caused it to become non-compliant. For that information, see Change history (Preview) below.

Compliance reasons

Resource Manager modes and Resource Provider modes each have different reasons for non-compliance.

General Resource Manager mode compliance reasons

The following table maps each Resource Manager mode reason to the responsible condition in the policy definition:

Reason | Condition
Current value must contain the target value as a key. | containsKey or not notContainsKey
Current value must contain the target value. | contains or not notContains
Current value must be equal to the target value. | equals or not notEquals
Current value must be less than the target value. | less or not greaterOrEquals
Current value must be greater than or equal to the target value. | greaterOrEquals or not less
Current value must be greater than the target value. | greater or not lessOrEquals
Current value must be less than or equal to the target value. | lessOrEquals or not greater
Current value must exist. | exists
Current value must be in the target value. | in or not notIn
Current value must be like the target value. | like or not notLike
Current value must case-sensitive match the target value. | match or not notMatch
Current value must case-insensitive match the target value. | matchInsensitively or not notMatchInsensitively
Current value must not contain the target value as a key. | notContainsKey or not containsKey
Current value must not contain the target value. | notContains or not contains
Current value must not be equal to the target value. | notEquals or not equals
Current value must not exist. | not exists
Current value must not be in the target value. | notIn or not in
Current value must not be like the target value. | notLike or not like
Current value must not case-sensitive match the target value. | notMatch or not match
Current value must not case-insensitive match the target value. | notMatchInsensitively or not matchInsensitively
No related resources match the effect details in the policy definition. | A resource of the type defined in then.details.type and related to the resource defined in the if portion of the policy rule doesn't exist.
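As an added example (not code from the Azure docs), the following simplified evaluator applies the field conditions from the table above to a current value and returns the reason phrase the compliance details pane would show, including the "must not" variants for negated conditions. The condition names are Azure Policy's; the wildcard rules for like and match, and the case-insensitive string comparison, follow the policy definition structure docs, and the implementation itself is an illustration written here.

```python
import re
# Reason phrases from the table above, keyed by the positive condition. A negated form
# ("notX", or a "not": {...} wrapper) flips the verdict and reports the "must not" variant.
REASONS = {
    "containsKey": "Current value must contain the target value as a key.",
    "contains": "Current value must contain the target value.",
    "equals": "Current value must be equal to the target value.",
    "less": "Current value must be less than the target value.",
    "greaterOrEquals": "Current value must be greater than or equal to the target value.",
    "greater": "Current value must be greater than the target value.",
    "lessOrEquals": "Current value must be less than or equal to the target value.",
    "exists": "Current value must exist.",
    "in": "Current value must be in the target value.",
    "like": "Current value must be like the target value.",
    "match": "Current value must case-sensitive match the target value.",
    "matchInsensitively": "Current value must case-insensitive match the target value.",
}
NEGATED = {"not" + k[0].upper() + k[1:]: k for k in
           ("containsKey", "contains", "equals", "in", "like", "match", "matchInsensitively")}

def _like(value, pattern):
    # like: '*' is the only wildcard; everything else is literal text.
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), str(value)) is not None
def _match(value, pattern, insensitive=False):
    # match: '#' is one digit, '?' one letter, '.' any one character; the rest is literal.
    rx = "".join({"#": r"\d", "?": "[A-Za-z]", ".": "."}.get(c, re.escape(c)) for c in pattern)
    return re.fullmatch(rx, str(value), re.IGNORECASE if insensitive else 0) is not None
CHECKS = {  # simplified: string comparisons are case-insensitive, as in Azure Policy
    "equals": lambda v, t: str(v).lower() == str(t).lower(),
    "contains": lambda v, t: t in v,                  # substring, or element of an array
    "containsKey": lambda v, t: isinstance(v, dict) and t in v,
    "in": lambda v, t: str(v).lower() in [str(x).lower() for x in t],
    "less": lambda v, t: v < t, "lessOrEquals": lambda v, t: v <= t,
    "greater": lambda v, t: v > t, "greaterOrEquals": lambda v, t: v >= t,
    "exists": lambda v, t: v is not None,             # an "exists": false target flips below
    "like": _like, "match": _match, "matchInsensitively": lambda v, t: _match(v, t, True),
}
def evaluate(condition, current):
    """Evaluate {"field": ..., "<op>": target} or {"not": {...}} against the field's
    current value; returns (compliant, reason), reason being None when compliant."""
    negate = "not" in condition
    inner = condition["not"] if negate else condition
    op = next(k for k in inner if k in CHECKS or k in NEGATED)
    base, flip = (NEGATED[op], True) if op in NEGATED else (op, False)
    if base == "exists" and str(inner[op]).lower() == "false": flip = not flip
    if CHECKS[base](current, inner[op]) != (flip != negate):
        return True, None
    reason = REASONS[base]
    return False, reason.replace("must", "must not", 1) if flip != negate else reason
```

The version example from the compliance details steps above (current 12.0, expected 14.0) evaluates to non-compliant with the "must be equal" reason.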

AKS Resource Provider mode compliance reasons

The following table maps each Microsoft.Kubernetes.Data Resource Provider mode reason to the responsible state of the constraint template in the policy definition:

Reason | Constraint template reason description
Constraint/TemplateCreateFailed | The resource failed to create for a policy definition with a Constraint/Template that doesn't match an existing Constraint/Template on cluster by resource metadata name.
Constraint/TemplateUpdateFailed | The Constraint/Template failed to update for a policy definition with a Constraint/Template that matches an existing Constraint/Template on cluster by resource metadata name.
Constraint/TemplateInstallFailed | The Constraint/Template failed to build and was unable to be installed on cluster for either create or update operation.
ConstraintTemplateConflicts | The Template has a conflict with one or more policy definitions using the same Template name with different source.
ConstraintStatusStale | There is an existing 'Audit' status, but Gatekeeper has not performed an audit within the last 60 minutes.
ConstraintNotProcessed | There is no status and Gatekeeper has not performed an audit within the last hour.
InvalidConstraint/Template | API Server has rejected the resource due to a bad YAML. This reason can also be caused by a parameter type mismatch (example: string provided for an integer).

Note

For existing policy assignments and constraint templates already on the cluster, if that Constraint/Template fails, the cluster is protected by maintaining the existing Constraint/Template. The cluster reports as non-compliant until the failure is resolved on the policy assignment or the add-on self-heals. For more information about handling conflict, see Constraint template conflicts.

Component details for Resource Provider modes

For assignments with a Resource Provider mode, select the Non-compliant resource to open a deeper view. Under the Component Compliance tab is additional information specific to the Resource Provider mode on the assigned policy showing the Non-compliant Component and Component ID.

Screenshot of Component Compliance tab and compliance details for a Resource Provider mode assignment.

Compliance details for guest configuration

For policy definitions in the Guest Configuration category, there could be multiple settings evaluated within the virtual machine and you'll need to view per-setting details. For example, if you're auditing for a list of security settings and only one of them has status Non-compliant, you'll need to know which specific settings are out of compliance and why.

You also might not have access to sign in to the virtual machine directly but you need to report on why the virtual machine is Non-compliant.

Azure portal

Begin by following the same steps in the section above for viewing policy compliance details.

In the Compliance details pane view, select the link Last evaluated resource.

Screenshot of viewing the auditIfNotExists definition compliance details.

The Guest Assignment page displays all available compliance details. Each row in the view represents an evaluation that was performed inside the machine. In the Reason column, a phrase is shown describing why the Guest Assignment is Non-compliant. For example, if you're auditing password policies, the Reason column would display text including the current value for each setting.

Screenshot of the Guest Assignment compliance details.

View configuration assignment details at scale

The guest configuration feature can be used outside of Azure Policy assignments. For example, Azure AutoManage creates guest configuration assignments, or you might assign configurations when you deploy machines.

To view all guest configuration assignments across your tenant, from the Azure portal open the Guest Assignments page. To view detailed compliance information, select each assignment using the link in the column "Name".

Screenshot of the Guest Assignment page.

Change history (Preview)

As part of a new public preview, the last 14 days of change history are available for all Azure resources that support complete mode deletion. Change history provides details about when a change was detected and a visual diff for each change. A change detection is triggered when the Azure Resource Manager properties are added, removed, or altered.

  1. Launch the Azure Policy service in the Azure portal by selecting All services, and then searching for and selecting Policy.

  2. On the Overview or Compliance page, select a policy in any compliance state.

  3. Under the Resource compliance tab of the Policy compliance page, select a resource.

  4. Select the Change History (preview) tab on the Resource Compliance page. A list of detected changes, if any exist, is displayed.

    Screenshot of the Change History tab and detected change times on Resource Compliance page.

  5. Select one of the detected changes. The visual diff for the resource is presented on the Change history page.

    Screenshot of the Change History Visual Diff of the before and after state of properties on the Change history page.

The visual diff aids in identifying changes to a resource. The changes detected may not be related to the current compliance state of the resource.

Change history data is provided by Azure Resource Graph. To query this information outside of the Azure portal, see Get resource changes.
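As an added example (not code from the Azure docs or Azure Resource Graph), the following shows the three change triggers described above, Resource Manager properties being added, removed, or altered, detected between two constructed snapshots of a SQL server; it produces the per-property before/after list that the visual diff presents, and the constructed change to tags illustrates the caveat that a detected change need not be related to compliance.

```python
# Added example (not from the Azure docs): added/removed/altered detection between two
# Resource Manager property snapshots. The snapshots below are constructed sample data.
def flatten(obj, prefix=""):
    """Turn nested ARM JSON into {"properties.version": "12.0", "tags.env": "prod", ...}."""
    out = {}
    for key, val in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(val, dict):
            out.update(flatten(val, path))
        else:
            out[path] = val
    return out

def detect_changes(before, after):
    """Return [(propertyPath, changeType, previousValue, newValue)] sorted by path,
    with changeType one of 'added', 'removed', 'altered' (the three change triggers)."""
    old, new = flatten(before), flatten(after)
    changes = []
    for path in sorted(old.keys() | new.keys()):
        if path not in old:
            changes.append((path, "added", None, new[path]))
        elif path not in new:
            changes.append((path, "removed", old[path], None))
        elif old[path] != new[path]:
            changes.append((path, "altered", old[path], new[path]))
    return changes

# Constructed before/after snapshots: version altered, TLS setting removed, a tag added.
BEFORE = {"type": "Microsoft.Sql/servers", "name": "sqlprod",
          "properties": {"version": "12.0", "minimalTlsVersion": "1.0", "publicNetworkAccess": "Enabled"},
          "tags": {"env": "prod"}}
AFTER = {"type": "Microsoft.Sql/servers", "name": "sqlprod",
         "properties": {"version": "14.0", "publicNetworkAccess": "Enabled"},
         "tags": {"env": "prod", "owner": "dba-team"}}

if __name__ == "__main__":
    for path, kind, prev, new in detect_changes(BEFORE, AFTER):
        print(f"{kind:8} {path}: {prev!r} -> {new!r}")
```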

Next steps

  • Review examples at Azure Policy samples.
  • Review the Azure Policy definition structure.
  • Review Understanding policy effects.
  • Understand how to programmatically create policies.
  • Learn how to get compliance data.
  • Learn how to remediate non-compliant resources.
  • Review what a management group is with Organize your resources with Azure management groups.


Source: https://docs.microsoft.com/en-us/azure/governance/policy/how-to/determine-non-compliance
