Configure Security Center bundle pricing with Azure Policy

Published Apr 08 2019 02:55 AM
Microsoft

With the new Security Center pricing tier options per resource type, customers have asked us how to configure these at the (Root) Management Group scope so that any new (or existing) subscription will be automatically configured for the Standard pricing tier, allowing Security Center to automatically protect your resources.


As you may know, we have recently added Storage account protection in Security Center:

(Screenshot: ResourcesPricingTier.png)

The most efficient way to achieve that objective is to leverage Azure Policy.

With the new Azure Policy aliases for Security Center, you can author Azure Policy definitions for each of the 4 resource types.

To get you going, I've written 4 Azure Policy definitions, which you can add to a single initiative to either enforce the Standard tier on new subscriptions or set it on existing ones.


The Azure Policy definition (deployIfNotExists) for setting the Standard pricing tier for Storage Accounts looks like this:

(Screenshot: PolicyDefintionStorageAccounts.png)
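The definition in the screenshot is not reproduced on this page as text, so here is an added example of a Storage Accounts deployIfNotExists definition, written by the editor rather than taken from the author's own definitions. It assumes the Microsoft.Security/pricings resource named StorageAccounts with apiVersion 2018-06-01, a subscription-scoped deployment, and the built-in Security Admin role (fb1c8493-542b-48eb-b624-b4c8fea62acd) as the role the assignment's managed identity needs; the other three definitions would differ only in the pricing resource name.

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Resources/subscriptions"
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Security/pricings",
        "name": "StorageAccounts",
        "deploymentScope": "subscription",
        "existenceScope": "subscription",
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
        ],
        "existenceCondition": {
          "field": "Microsoft.Security/pricings/pricingTier",
          "equals": "Standard"
        },
        "deployment": {
          "location": "westeurope",
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "resources": [
                {
                  "type": "Microsoft.Security/pricings",
                  "apiVersion": "2018-06-01",
                  "name": "StorageAccounts",
                  "properties": {
                    "pricingTier": "Standard"
                  }
                }
              ]
            }
          }
        }
      }
    }
  }
}
```

Because the rule targets Microsoft.Resources/subscriptions, the definition needs mode "All", and the existenceCondition is what flags a subscription on the Free tier as non-compliant. Existing subscriptions are only changed once a remediation task is created for the assignment, as the compliance screenshots further down show.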

Add the 4 policy definitions, one per bundle pricing tier:

(Screenshot: FourPolicyDefinitions.png)

Once you have added the 4 policy definitions, you can add them to a single initiative:

(Screenshot: CreateInitiative.png)

Finally, we assign the initiative:

(Screenshot: AssignInitiative.png)


It will take around 30 minutes for a new assignment to become active:

(Screenshot: Compliance - Not Started.png)


After a while we can see the compliance state for the Initiative:

(Screenshot: Compliance - Non-compliant.png)

Clicking on one of the definitions shows us why it is not compliant. From here we can "remediate":

(Screenshot: StorageAccounts - Non-compliant.png)

Remediation runs and then completes:

(Screenshot: StorageAccounts - remediate in progress.png)
(Screenshot: StorageAccounts - remediate success.png)

The 4 Policy definitions (deployIfNotExists) for the bundle resources can be found here.

Last update: Nov 29 2021 12:07 PM