A current challenge in a Subscription Vending environment is that we rely on Tags on Subscriptions for certain data to be fed back into other systems, for instance for CMDB entries or cost calculation.
What we are trying to do is to enforce a Policy which prevents the Tags with a certain prefix from being deleted, or altered for that matter.
With the Policy Effect 'DenyAction', I would assume that the following Policy would prevent Tags from being deleted, while still being able to create them:
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Resources/tags"
    },
    "then": {
      "effect": "DenyAction",
      "details": {
        "actionNames": [
          "delete"
        ],
        "cascadeBehaviors": {
          "resourceGroup": "deny"
        }
      }
    }
  },
  "parameters": {}
}
Unfortunately, this does not provide us with the expected outcome.
And if we try to look for a certain value it contains (I also tried 'match', or specifying an Array of predefined Tags that contain those prefixes with 'in' or 'like', etc.):
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Resources/tags"
        },
        {
          "field": "tags",
          "contains": "prefix"
        }
      ]
    },
    "then": {
      "effect": "DenyAction",
      "details": {
        "actionNames": [
          "delete"
        ],
        "cascadeBehaviors": {
          "resourceGroup": "deny"
        }
      }
    }
  },
  "parameters": {}
}
It doesn't work as expected. I cannot find any limitations in the MS Docs which refer to the resourceType 'Tags' not being able to work together with the 'DenyAction'. I've also tried to specify 'field: "name"' for Tags, as that is what it refers to in the Portal as well, but no luck.
Have any of you worked with similar use cases and found a solution for this? It would be greatly appreciated!
As it turns out, this is not possible for this specific action within Azure Policy. Microsoft has also explained that a 'notAction' in a Custom RBAC role for tag deletion is not possible either. This is a limitation of the platform.
Next step:
I will focus on configuring an auto-remediation pipeline which sets the Tags on subscriptions at a specific interval (say 2, 4 or 6 times a day) to ensure the tags are always there. This does not prevent tampering with or deletion of the Tags, but it eventually still satisfies the requirement.
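The reconciliation step of such a pipeline, as an added example that is not part of the original post: it compares the tags the vending process wrote against what is currently on the subscription, logs every missing or altered prefix-managed tag as a drift event (so tampering is at least visible), and builds the `az tag update --operation Merge` call that re-applies only the managed tags. The prefix `cmdb-`, the sample tag sets and the placeholder subscription id are constructed assumptions.

```python
"""Reconcile prefix-managed tags on an Azure subscription (added example)."""
import json
import shlex
from typing import Dict, Optional, Tuple

# Constructed sample data: the managed prefix, the tags written by the vending
# process (source of truth) and the tags observed on the subscription later.
MANAGED_PREFIX = "cmdb-"
DESIRED_TAGS = {"cmdb-ci": "CI0001234", "cmdb-owner": "platform-team", "cmdb-costcenter": "CC42"}
CURRENT_TAGS = {"cmdb-ci": "CI0001234", "cmdb-owner": "someone-else", "env": "prod"}


def find_drift(desired: Dict[str, str], current: Dict[str, str],
               prefix: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {tag: (expected, actual)} for managed tags that are missing or altered.
    Tags outside the prefix (e.g. 'env') are left alone; actual is None when deleted."""
    drift = {}
    for key, expected in desired.items():
        if not key.startswith(prefix):
            continue
        actual = current.get(key)
        if actual != expected:
            drift[key] = (expected, actual)
    return drift


def merge_payload(drift: Dict[str, Tuple[str, Optional[str]]]) -> Dict[str, str]:
    """Tags to re-apply; with Merge semantics, unmanaged tags stay untouched."""
    return {key: expected for key, (expected, _) in drift.items()}


def az_merge_command(subscription_id: str, tags: Dict[str, str]) -> str:
    """Build the Azure CLI call the scheduled pipeline would run."""
    pairs = " ".join(shlex.quote(f"{k}={v}") for k, v in sorted(tags.items()))
    return (f"az tag update --resource-id /subscriptions/{subscription_id} "
            f"--operation Merge --tags {pairs}")


def main() -> None:
    drift = find_drift(DESIRED_TAGS, CURRENT_TAGS, MANAGED_PREFIX)
    for key, (expected, actual) in drift.items():
        # Emit drift as a structured log line for the SIEM before fixing it.
        print(json.dumps({"event": "tag_drift", "tag": key,
                          "expected": expected, "actual": actual}))
    if drift:  # placeholder subscription id
        print(az_merge_command("00000000-0000-0000-0000-000000000000", merge_payload(drift)))


if __name__ == "__main__":
    main()
```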