Saturday, August 4, 2018

CIS Control 1 on Azure - Maintain Asset Inventory Part 5

In part 4 we discussed how we could use an Azure function (presumably triggered off of an event hub subscription) that would look at a resource and grab information on the required tags.  Another way to do this is to make use of Azure Policy.

The policy document for this type of affair is quite easy and looks something like this:

{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
      },
      {
        "anyOf": [
          {
            "field": "tags.department",
            "exists": "false"
          },
          {
            "field": "tags.approved",
            "exists": "false"
          },
          {
            "field": "tags.owner",
            "exists": "false"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "audit"
  }
}


The above policy only looks at virtual machines, and will raise a non-compliance finding if any of the tags department, approved, or owner is missing.  Pretty neat!  One thing to keep in mind when using this system is when policy evaluation is actually triggered (evaluation does not happen continuously).  See this link for more information.
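To make the evaluation logic of that policy concrete, here is an added example (not code from the original post or from Azure) that implements the small subset of the Azure Policy language the policy above uses (allOf, anyOf, equals, exists over the type and tags.* fields) and runs it against constructed sample resources; the resource ids are placeholders.

```python
import json

# The page's audit policy, embedded here as input for the evaluator.
POLICY = json.loads("""
{ "if": { "allOf": [
    { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
    { "anyOf": [
      { "field": "tags.department", "exists": "false" },
      { "field": "tags.approved",   "exists": "false" },
      { "field": "tags.owner",      "exists": "false" } ] } ] },
  "then": { "effect": "audit" } }
""")

def _field(resource, name):
    """Resolve a policy field against a resource dict: 'type' or 'tags.<key>'."""
    if name.startswith("tags."):
        return resource.get("tags", {}).get(name[len("tags."):])
    return resource.get(name)

def matches(cond, resource):
    """Evaluate the condition subset used by the page's policy."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    value = _field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "exists" in cond:
        # Azure Policy spells the boolean as a string ("true"/"false").
        want = str(cond["exists"]).lower() == "true"
        return (value is not None) == want
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resources):
    """Return the ids of resources the policy's 'if' block matches (i.e. would be audited)."""
    return [r["id"] for r in resources if matches(policy["if"], r)]

# Constructed sample resources; ids are placeholders, not real Azure resource ids.
RESOURCES = [
    {"id": "vm-compliant", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"department": "sec", "approved": "yes", "owner": "alice"}},
    {"id": "vm-no-owner", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"department": "sec", "approved": "yes"}},
    {"id": "vm-untagged", "type": "Microsoft.Compute/virtualMachines"},
    {"id": "storage-untagged", "type": "Microsoft.Storage/storageAccounts"},
]

if __name__ == "__main__":
    print("Non-compliant:", evaluate(POLICY, RESOURCES))
```

Note that the untagged storage account is not flagged: the type condition scopes the policy to virtual machines only, so a broader inventory needs a wider type condition or a separate policy per resource type.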