Azure Introduction
Azure Pricing
Azure Threats
Ensure Not Allowed Resource Types Policy Assignment In Use
More Info:
Ensure Not Allowed Resource Types Policy Assignment in Use
Risk Level
Medium
Address
Operational Maturity, Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the “Ensure Not Allowed Resource Types Policy Assignment In Use” misconfiguration in Azure using the Azure console, follow the below steps:
- Open the Azure Portal and log in to your account.
- In the left-hand menu, click on “Policy” under “Governance and management”.
- In the “Policy” blade, click on “Assignments” and select the policy assignment that is causing the misconfiguration.
- Click on the “Edit” button at the top of the blade.
- In the “Edit assignment” blade, scroll down to the “Parameters” section and locate the “disallowedResourceTypes” parameter.
- Edit the value of the “disallowedResourceTypes” parameter to remove any resource types that are not actually disallowed.
- Click on the “Review + Save” button at the bottom of the blade.
- Review the changes and click on the “Save” button to apply the changes.
Once the changes are saved, the “Ensure Not Allowed Resource Types Policy Assignment In Use” misconfiguration will be remediated in Azure.
To remediate the “Ensure Not Allowed Resource Types Policy Assignment In Use” misconfiguration in Azure using Azure CLI, you can follow the below steps:
-
Open the Azure CLI on your local machine or Azure Cloud Shell.
-
Run the following command to list all the policy assignments:
az policy assignment list
-
Identify the policy assignment that is causing the misconfiguration. The policy assignment name can be found in the “name” field of the output.
-
Run the following command to delete the policy assignment:
az policy assignment delete --name <policy-assignment-name>
Replace
<policy-assignment-name>
with the name of the policy assignment that you identified in step 3. -
Verify that the policy assignment has been deleted by running the following command:
az policy assignment list
The output should not contain the deleted policy assignment.
-
Once the policy assignment has been deleted, remediation is complete.
Note: Before deleting the policy assignment, make sure that it is safe to do so and that it will not cause any unintended consequences.
To remediate the Azure misconfiguration “Ensure Not Allowed Resource Types Policy Assignment In Use” using Python, follow these steps:
-
First, you need to authenticate to your Azure account using the Azure Python SDK. You can do this by following the instructions here: https://docs.microsoft.com/en-us/azure/developer/python/azure-sdk-authenticate?tabs=cmd.
-
Once you have authenticated, you can use the Azure Python SDK to get a list of all the policy assignments in your Azure subscription. You can do this by using the
azure.mgmt.resource.policy
module and thePolicyAssignmentsOperations
class.from azure.identity import DefaultAzureCredential from azure.mgmt.resource.policy import PolicyAssignmentsOperations, PolicyClient from azure.mgmt.resource import ResourceManagementClient, SubscriptionClient from azure.mgmt.subscription import SubscriptionClient credential = DefaultAzureCredential() subscription_id = "<your-subscription-id>" policy_client = PolicyClient(credential, subscription_id=subscription_id) assignments = policy_client.policy_assignments.list()
-
Next, you can filter the list of policy assignments to find the ones that are not allowed. You can do this by checking the
notScopes
property of each policy assignment.for assignment in assignments: if assignment.not_scopes is not None: # This policy assignment is not allowed # You can delete it using the PolicyAssignmentsOperations.delete() method policy_client.policy_assignments.delete(assignment.id)
-
Finally, you can delete the policy assignments that are not allowed using the
PolicyAssignmentsOperations.delete()
method.for assignment in assignments: if assignment.not_scopes is not None: # This policy assignment is not allowed # You can delete it using the PolicyAssignmentsOperations.delete() method policy_client.policy_assignments.delete(assignment.id)
That’s it! By following these steps, you can remediate the Azure misconfiguration “Ensure Not Allowed Resource Types Policy Assignment In Use” using Python.