A sparkling new Microsoft Azure environment is a beautiful thing, but before you start creating resources, what should you configure first?
The Microsoft Cloud Adoption Framework has detailed guidance on defining your strategy, planning for the cloud, getting ready with landing zones, then adopting, governing and managing cloud resources. All of these steps are important for an organization's cloud environment. But if you are creating your own free or pay-as-you-go account to learn about Microsoft's cloud or test some capabilities, there are a few key steps I'd recommend you implement first to optimize and secure your Azure environment.
1. Azure Security Center
My first stop is the Azure Security Center. If I create a new Azure free account and go straight to Security Center, my new subscription prompts me to configure a setting so that the Log Analytics Agent will automatically be installed on any new Azure virtual machines, so I can receive security alerts and recommendations for them. Turn this on by clicking "Install agents".
Install log analytics agents automatically for Azure virtual machines
Next, in the Security policy blade, I'll turn on the default security policy. By enabling this at the Management Group level, it will also apply to any other subscriptions I create under this Management Group. Clicking on the Management Group name allows me to assign the Security Center default policy, enabling the Azure Security Benchmark (which currently contains 202 separate policies!).
2. Multi-factor authentication
Assuming that this Azure tenant doesn't (yet) have users with Azure Active Directory Premium licenses, I still want to protect access to it with multi-factor authentication. The good news is that all new Azure tenants created on or after October 22, 2019 have this enabled by default via Security Defaults, but the users I create in this tenant will need to use the Microsoft Authenticator app notifications for MFA, unless I upgrade to Azure AD Premium P1 for more options with Conditional Access. To check if Security Defaults are enabled, go to Azure Active Directory, then Properties \ Manage Security defaults.
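The same two steps driven from the Azure CLI, as an added example that is not from the original post: auto-provisioning of the Log Analytics agent, the Azure Security Benchmark initiative assigned at Management Group scope (looked up by display name rather than by a hard-coded GUID), and a read of the Security Defaults policy from Microsoft Graph. `MG_ID` is a placeholder for your Management Group id, and reading the Security Defaults policy assumes an account with a directory role that can read policies (for example Global Reader).

```shell
#!/usr/bin/env bash
# Added example, not the post's own code. Assumes a logged-in Azure CLI (az login)
# and MG_ID set to your Management Group id (placeholder below).
set -eu

MG_ID="${MG_ID:-<management-group-id>}"   # placeholder: your Management Group id

# Management Group scope string used for the policy assignment (pure helper).
mg_scope() { printf '/providers/Microsoft.Management/managementGroups/%s' "$1"; }

# Step 1a: auto-install the Log Analytics agent on new VMs in this subscription.
enable_auto_provisioning() {
  az security auto-provisioning-setting update --name default --auto-provision On
}

# Step 1b: assign the Azure Security Benchmark initiative at Management Group
# scope so every subscription under it inherits the policies.
assign_security_benchmark() {
  local def
  def=$(az policy set-definition list \
          --query "[?displayName=='Azure Security Benchmark'].name | [0]" -o tsv)
  az policy assignment create --name asb-default \
     --display-name "Azure Security Benchmark (Security Center default)" \
     --policy-set-definition "$def" --scope "$(mg_scope "$MG_ID")"
}

# Step 2: read the Security Defaults enforcement policy from Microsoft Graph.
# Prints "true" when Security Defaults (MFA for every user) is enabled.
security_defaults_enabled() {
  az rest --method GET \
     --url https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy \
     --query isEnabled -o tsv
}

# Only touch a real tenant when explicitly asked: ./setup.sh apply
if [ "${1:-}" = "apply" ]; then
  enable_auto_provisioning
  assign_security_benchmark
  echo "Security Defaults enabled: $(security_defaults_enabled)"
fi
```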
3. Budget alerts
Choose your own dollar amount as the maximum budget amount, then the percentage thresholds of that amount that you'd like to be emailed about as they are reached (e.g. 50%, 75%, 90%). Note: Unlike subscription credits, budget amounts are not a spending cap - resources will continue to run and incur costs after your budget amount has been reached, but you can build in some automation if you do want to trigger actions like shutting down virtual machines - learn more at Create and manage Azure budgets.
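The budget with several email thresholds, created through the Consumption budgets REST API via `az rest`, as an added example that is not from the original post. `SUBSCRIPTION_ID` and `ALERT_EMAIL` are placeholders; the request body builder is a plain function so the JSON can be checked before anything is sent.

```shell
#!/usr/bin/env bash
# Added example, not the post's own code. Assumes a logged-in Azure CLI and the
# two placeholders below. Start dates must be the first day of a month.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-<subscription-id>}"   # placeholder
ALERT_EMAIL="${ALERT_EMAIL:-you@example.com}"             # placeholder

# Build the Microsoft.Consumption/budgets request body: a monthly cost budget
# with one "actual spend" notification per percentage threshold given.
# Pure function, so it can be inspected without calling Azure.
budget_body() {
  local amount="$1" start="$2" end="$3" notifications="" t
  shift 3
  for t in "$@"; do
    notifications="${notifications}$(printf '"Actual_GreaterThan_%s_Percent":{"enabled":true,"operator":"GreaterThan","threshold":%s,"contactEmails":["%s"]},' "$t" "$t" "$ALERT_EMAIL")"
  done
  # ${notifications%,} drops the trailing comma so the JSON stays valid.
  printf '{"properties":{"category":"Cost","amount":%s,"timeGrain":"Monthly","timePeriod":{"startDate":"%s","endDate":"%s"},"notifications":{%s}}}' \
    "$amount" "$start" "$end" "${notifications%,}"
}

# PUT the budget at subscription scope. Budgets alert only; they never stop resources.
create_budget() {
  az rest --method PUT \
    --url "https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/providers/Microsoft.Consumption/budgets/monthly-budget?api-version=2021-10-01" \
    --body "$(budget_body "$@")"
}

# Usage: ./budget.sh apply  (100 USD/month, emails at 50 %, 75 % and 90 %)
if [ "${1:-}" = "apply" ]; then
  create_budget 100 2024-01-01T00:00:00Z 2025-01-01T00:00:00Z 50 75 90
fi
```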
4. Azure Service Health alerts
Independent of any resource-specific Azure Monitor alerts you configure, Azure Service Health can alert you when an issue with an Azure service is impacting your resources, or may impact them in the future. Go to Service Health and configure Health alerts to receive email notifications about service issues, planned maintenance, health advisories or service advisories, relevant to your subscription, services and regions.
5. Azure Advisor alerts
Azure Advisor provides proactive, personalized recommendations for the reliability, security, performance, cost and operational excellence of your deployed resources. You can configure some or all of these alerts to send you an email. If this subscription has an undetermined life span, consider configuring an email alert for at least the High impact level Azure Advisor recommendations.
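Steps 4 and 5 as Azure Monitor activity-log alert rules sharing one email action group, an added example that is not from the original post. `SUBSCRIPTION_ID`, `ALERT_EMAIL` and the resource group name are placeholders; the Advisor rule is limited to High impact recommendations as the post suggests.

```shell
#!/usr/bin/env bash
# Added example, not the post's own code. Assumes a logged-in Azure CLI and the
# placeholders below; the resource group only holds the alert rules.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-<subscription-id>}"   # placeholder
ALERT_EMAIL="${ALERT_EMAIL:-you@example.com}"             # placeholder
RG="${RG:-rg-alerts}"

# Activity-log condition for Advisor recommendations of one impact level.
# Pure helper: rejects anything other than High, Medium or Low.
advisor_condition() {
  case "$1" in
    High|Medium|Low) printf 'category=Recommendation and properties.recommendationImpact=%s' "$1" ;;
    *) echo "impact must be High, Medium or Low" >&2; return 1 ;;
  esac
}

# One action group that emails you; both rules reference it by name.
create_action_group() {
  az group create --name "$RG" --location eastus --output none
  az monitor action-group create --name ag-email --resource-group "$RG" \
     --short-name agemail --action email owner "$ALERT_EMAIL"
}

# Step 4: every Service Health event (incidents, planned maintenance, advisories)
# that Azure raises for this subscription.
create_service_health_alert() {
  az monitor activity-log alert create --name svc-health --resource-group "$RG" \
     --scope "/subscriptions/${SUBSCRIPTION_ID}" \
     --condition "category=ServiceHealth" --action-group ag-email
}

# Step 5: only High impact Advisor recommendations, to keep the noise down.
create_advisor_alert() {
  az monitor activity-log alert create --name advisor-high --resource-group "$RG" \
     --scope "/subscriptions/${SUBSCRIPTION_ID}" \
     --condition "$(advisor_condition High)" --action-group ag-email
}

if [ "${1:-}" = "apply" ]; then
  create_action_group
  create_service_health_alert
  create_advisor_alert
fi
```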
6. Role-based access control
The final (but still very important) question is who will be using this subscription - just yourself or other people too? For a one-off test environment with made-up names and no live data, you might be tempted to use the login you created, with no restrictions. However, to get serious about the security of your cloud environment, consider creating a couple of different user accounts and implementing role-based access control, so you're not using an account with the highly privileged Service Administrator or Co-Administrator role to perform all of your regular tasks. Other people may then be given Contributor access to your subscription or to particular resource groups, so you're operating with a least privilege approach.
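A minimal least-privilege setup for step 6 with the Azure CLI, as an added example that is not from the original post: a separate day-to-day user, Contributor granted on one resource group rather than the whole subscription, and a review of who still holds Owner or classic administrator rights at subscription scope. `SUBSCRIPTION_ID`, `TENANT_DOMAIN`, the resource group and the user name are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the post's own code. Assumes a logged-in Azure CLI with rights
# to create users and role assignments, plus the placeholders below.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-<subscription-id>}"      # placeholder
TENANT_DOMAIN="${TENANT_DOMAIN:-contoso.onmicrosoft.com}"    # placeholder
RG="${RG:-rg-lab}"                                           # placeholder

# Scope strings for role assignments (pure helpers).
sub_scope() { printf '/subscriptions/%s' "$1"; }
rg_scope()  { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }

# A day-to-day user, so the highly privileged account stays out of routine work.
# The initial password is rotated at first sign-in.
create_daily_user() {
  local name="$1" initial_password="$2"
  az ad user create --display-name "$name" \
     --user-principal-name "${name}@${TENANT_DOMAIN}" \
     --password "$initial_password" --force-change-password-next-sign-in true
}

# Contributor on one resource group only (narrowest scope that still lets them work).
grant_contributor_on_rg() {
  az role assignment create --assignee "$1" --role Contributor \
     --scope "$(rg_scope "$SUBSCRIPTION_ID" "$RG")"
}

# Review Owner and classic administrator holders at subscription scope: this list
# should be short and must not include the account used for daily tasks.
list_privileged() {
  az role assignment list --scope "$(sub_scope "$SUBSCRIPTION_ID")" \
     --include-classic-administrators \
     --query "[?roleDefinitionName=='Owner' || contains(roleDefinitionName, 'Administrator')].[principalName,roleDefinitionName]" \
     -o table
}

if [ "${1:-}" = "apply" ]; then
  az group create --name "$RG" --location eastus --output none
  create_daily_user labuser "$(openssl rand -base64 24)"
  grant_contributor_on_rg "labuser@${TENANT_DOMAIN}"
  list_privileged
fi
```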
Note: This guidance does not take into account any other specific regulatory requirements that all of your cloud environments (even test tenants) need to adhere to. Consider whether you also need to apply Azure Policies for things like ISO 27001 compliance, or implement Azure Blueprints if this environment will grow to include other subscriptions or you want to bundle role-based access control, policies and other components together and add version control. In addition, growing environments with multiple users benefit from other aspects covered in the Cloud Adoption Framework like planning your resource group structure, naming standards etc.
That's my must-do list to get you started with security and alerts for even the smallest, temporary Azure environment. What else would you add to this list?