Welcome back to the fourth and final part of this Azure Blueprints series. This section covers how to use some Blueprints provided by Microsoft and how to get started writing your Blueprints for managing your Azure Governance. Specifically, we will look more closely at a FedRAMP use case.
Getting started with Microsoft templates
As previously pointed out, there is a lot of power available within Blueprints. Like many automation and cloud tools, scenario-based examples help increase the tool effectiveness for adopters. To that end, Microsoft has given a jump start by providing roughly a dozen sample Blueprints available for free, covering several significant compliance and security postures.
As part of the Blueprint templates Microsoft provides, there are templates for FedRAMP Moderate and High and a DoD IL4. Please note that these Blueprints are not a magical path to an ATO. For example, IL4 still requires Azure Government cloud; merely applying the DoD Blueprint on Azure Commercial doesn't get over that requirement. Or if there is a U.S. person requirement for the offering, that excludes Azure Commercial even though it has FedRAMP Moderate and High accreditation.
The Azure FedRAMP Moderate Blueprint helps jump-start Moderate requirements. Most of the Blueprint is composed of Azure Policies to deny or report on configurations states in line with compliance requirements.
There generally is not a 1:1 relationship between FedRAMP controls and an Azure Policy. Typically, it is several policies working together to cover a specific control. Keeping this in mind is very important when evaluating the Blueprint and its associated Policies’ compliance state in the future. When an Azure resource is listed as 'Compliant' by the Policy engine, it's merely a check against that specific tooling and the resources being covered. Other potential gaps or non-policy defined controls still need to be accounted for.
Similar to the Moderate Blueprint, the Azure FedRAMP High Blueprint has the additional requirements for High. With either Blueprint. it is highly recommended to review the Control Mapping documentation and compare the Blueprints' actions against an organization's specific patterns and practices.
What the FedRAMP Blueprints do
As part of the assignment process, the Blueprints perform several activities to manage, track, and deploy resources in support of FedRAMP compliance.
The Blueprints use an Azure System Identity that temporarily receives Owner rights on a subscription to deploy and configure Blueprint artifacts such as:
- Enabling Advanced Data Security on SQL servers
- Configuring VM's for Log Analytics
- Enabling Diagnostic logs on resources
- Storage Account ATP
- Enabling Transparent Data Encryption on SQL
Essentially, the Blueprint deployment jump-starts the entire process. While Blueprints provide a lot of value and control, they are not silver bullets for fixing security and compliance.
Tip: A workspace ID of an existing Log Analytics workspace is needed before storing log data. Remember that compliance and security postures are often complex components of infrastructure.
Note: Blueprints are guardrails to an environment, not set in stone. If a person has sufficient rights in Azure, they can remove the Blueprint or create an exclusion. Yet another reason for limiting permissions as much as possible.
Building custom Blueprints
At some point, the need arises to audit or control something that doesn't have a Microsoft or community Blueprint published. For this situation, creating a custom Blueprint is the way to go.
Blueprint creation is a relatively straightforward process. Define a scope, such as a subscription or a resource group. Within that scope, Policies, ARM Templates, or permissions artifacts are built to build on the controls and requirements that fit the needs within a Blueprint draft.
The wizard in the portal is handy while working through creating the first Blueprint from scratch.
To deploy a Blueprint, open the Azure Portal and open the Blueprint services.
On the landing page, click 'Create' under the 'Create a Blueprint' section.
For this example, we'll deploy the FedRAMP Moderate Template. In the wizard, either find or search for the FedRAMP templates Microsoft provides.
Provide a name and description for the Blueprint definition and assign the definition to either a Management Group or subscription. Remember from Part One that having definitions assigned at higher scoped Management Groups is better than Subscription assignments.
On the next page, review the policy assignments that the template contains, make any changes as necessary, but none are required. The template takes input on the Blueprint assignment. Once ready, click 'Save Draft.'
Now that a draft definition has been created, it appears under 'Blueprint definitions,' this provides a quick overview of any definitions and their status.
The next step is elevating this definition from draft to published. Click on the definition, and it opens to an overview page with the status, version, state, and artifacts within the Blueprint.
Click 'Publish blueprint,' provide a version number, and change notes as necessary, click 'Publish.'
Notice that now the Blueprint properties have updated with the information provided, and the state is now 'Published.'
The final step is clicking 'Assign blueprint' to enforce this definition against a subscription.
A new blade opens where inputs and options need to be selected for this assignment.
Subscriptions – only subscriptions within the scope of the definition are visible.
Assignment name – It's possible to assign a Blueprint multiple times to a single subscription. Keep this and future uses in mind when providing a name. This does not need to be the same as the definition name.
Location – This is where the Managed Identity is created for the Blueprint. This is not a requirement of Blueprints in general. Only when a Blueprint deploys or modifies resources, it needs an account to perform those actions.
Blueprint definition version – Recall that you can have multiple versions in the library. This is useful for managing across multiple teams and subscriptions.
Lock assignment – Determines the lifecycle of the resources of the Blueprint itself.
- "Don't Lock" anything the Blueprint deploys can be modified by anything with permission to do so.
- "Do Not Delete" anything the Blueprint deploys cannot be deleted from the environment.
- "Read Only" anything the Blueprint deploys cannot be modified or deleted from the environment.
Managed Identity – Either a system-assigned or user-assigned identity that deploys any artifacts described within the definition.
Next, work through the Artifact parameters, providing values as required for Log Analytics Workspaces, Resource Groups, and other values.
Once the assignment is done, the Blueprint shows up under 'Assigned blueprints.'
Depending on your environment's size, it will take a while for this Blueprint to complete deployment. Progress can be tracked by selecting the Blueprint from the list.
Eventually, the provisioning status should say 'Succeeded' when complete.
Not that this specific Blueprint is only deploying Policies. Check the Policy service for the status of each policy deployed; this takes much longer for the changes to roll out. Once completed, you're on your way to having trackable governance within your environment.
While there is undoubtedly a high level of effort required to manage and track FedRAMP compliance and security requirements, Azure's suite of tools provides a leg up in management and reporting functionality across its cloud services. Using Blueprints to define these guardrails in the environment provides the agility that more people can deploy and consume Azure resources on their own with the peace of mind knowing they are doing so within compliance requirements. We hope this post was helpful to you in navigating how to best use Blueprints for your organization.
For more information and to get assistance on your cloud engineering and compliance challenges, please visit Coalfire Engineering.
More from this blog series:
Part 1: Using Azure Blueprints to Control Azure Compliance
Part 2: Azure Policies
Part 3: Blueprints scopes and assignments