You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You need to enforce ISO 27001:2013 standards for the subscription. The solution must ensure that noncompliant resources are remediated automatically.
What should you use?
To enforce ISO 27001:2013 standards in an Azure subscription and ensure that noncompliant resources are remediated automatically, Azure Policy is the appropriate tool. Azure Policy allows you to create, assign, and manage policies that enforce rules and effects over your resources, ensuring compliance with predefined standards. Importantly, Azure Policy includes the DeployIfNotExists effect, which can automatically remediate noncompliant resources upon their creation. This built-in capability is crucial for maintaining continuous compliance and applying standards such as ISO 27001:2013, making Azure Policy the best choice for this requirement.
Azure Policy
Azure Policy. Unfortunately, at the time of this writing Blueprints are in preview and thus should not be used in production (this will change in the future, as it is a good solution).
Automatic remediation was the key requirement here for me and it aligns directly with Azure Policy
A blueprint contains a policy as a child item. I think the key here is automatic remediation, which happens when the DeployIfNotExists effect is added in the policy, so I will go with Policy to honor the details present in the question.
Exam 5/25/2023
A is the answer. https://learn.microsoft.com/en-us/azure/governance/policy/overview Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.
B. Azure Blueprints 100% sure
Azure Blueprints is excellent for deploying a consistent set of resources, policies, and role assignments, but it does not continuously enforce compliance or provide automatic remediation on its own. Azure Policy provides the ongoing enforcement and remediation capabilities needed to ensure that resources remain compliant with ISO 27001:2013 standards. Therefore, while Azure Blueprints can be used to initially deploy the necessary compliance infrastructure, Azure Policy is the tool that ensures continuous compliance and automatic remediation.
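The remediation mechanics discussed above (DeployIfNotExists, bulk remediation of existing resources, automatic remediation of new ones) depend on two things the thread only hints at: the assignment must have a managed identity, and that identity must hold the roles the remediating policies declare. The following is an added example, not code from the thread or from Microsoft's documentation. It assumes PowerShell 7 with the Az.Resources and Az.PolicyInsights modules (Az.Resources 6.x object shape with a `Properties` member), an already-authenticated session, and a placeholder subscription ID; the assignment and remediation-task names are arbitrary.

```powershell
#Requires -Version 7.0
# Added example: assign the built-in ISO 27001:2013 initiative with a
# system-assigned managed identity, grant that identity the roles its
# DeployIfNotExists/Modify member policies need, and start remediation
# tasks for resources that already exist.
# Assumptions: Az.Resources 6.x object shape (.Properties.*), Az.PolicyInsights,
# Connect-AzAccount already run; subscription ID below is a placeholder.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$scope          = "/subscriptions/$subscriptionId"
$location       = 'westeurope'        # a location is mandatory when an identity is requested
$assignmentName = 'iso27001-2013'

# 1. Locate the built-in initiative by display name instead of hard-coding its GUID.
$initiative = Get-AzPolicySetDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq 'ISO 27001:2013' } |
    Select-Object -First 1
if (-not $initiative) { throw 'Built-in initiative "ISO 27001:2013" not found' }

# 2. Assign it with a system-assigned identity. Without one, DeployIfNotExists and
#    Modify policies still evaluate, but nothing can execute the deployment, so
#    resources stay noncompliant.
$assignment = New-AzPolicyAssignment -Name $assignmentName `
    -DisplayName 'ISO 27001:2013 (auto-remediation)' `
    -Scope $scope -PolicySetDefinition $initiative `
    -IdentityType SystemAssigned -Location $location
$principalId = $assignment.Identity.PrincipalId

# 3. Find the member policies that can remediate and the roles they declare.
#    Testing for details.roleDefinitionIds instead of the effect string also
#    catches policies whose effect is parameterised, e.g. "[parameters('effect')]".
#    Everything else in the initiative is Audit/AuditIfNotExists: it reports only.
$remediable = @()
$roleIds    = @{}
foreach ($member in $initiative.Properties.PolicyDefinitions) {
    $def     = Get-AzPolicyDefinition -Id $member.policyDefinitionId
    $details = $def.Properties.PolicyRule.then.details
    if ($details -and $details.roleDefinitionIds) {
        $remediable += $member.policyDefinitionReferenceId
        foreach ($r in $details.roleDefinitionIds) { $roleIds[$r] = $true }
    }
}
Write-Host "$($remediable.Count) of $($initiative.Properties.PolicyDefinitions.Count) member policies can remediate"

# 4. Grant the identity exactly the roles the policies ask for, at assignment scope.
#    The new identity may take a moment to replicate in Entra ID; retry on failure.
Start-Sleep -Seconds 30
foreach ($roleResourceId in $roleIds.Keys) {
    $roleGuid = $roleResourceId.Split('/')[-1]   # ".../roleDefinitions/<guid>"
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionId $roleGuid -Scope $scope
}

# 5. New resources are remediated on evaluation; existing ones need a remediation
#    task per remediable member policy.
foreach ($refId in $remediable) {
    Start-AzPolicyRemediation -Name "remediate-$refId" -Scope $scope `
        -PolicyAssignmentId $assignment.ResourceId `
        -PolicyDefinitionReferenceId $refId `
        -ResourceDiscoveryMode ReEvaluateCompliance
}

# 6. What is still noncompliant after the next evaluation cycle is, by construction,
#    covered only by audit policies and needs a human or a custom Modify/DINE policy.
Get-AzPolicyState -PolicyAssignmentName $assignmentName `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionReferenceId, ComplianceState
```

The split in step 3 is the caveat behind the whole thread: assigning the ISO 27001:2013 initiative gives you the compliance view (and, with Defender for Cloud enabled, the regulatory compliance dashboard), but "remediated automatically" only holds for the member policies that carry a DeployIfNotExists or Modify effect and whose managed identity has the declared roles. The remaining controls are audit-only, however the initiative is delivered.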
I would go with Blueprint because it contains Policies, and RBAC and customised configuration. Once Blueprint is used it maintains its link to configuration to ensure automated compliance. See the table here: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/manage/azure-management-guide/operational-compliance?tabs=UpdateManagement%2CAzurePolicy%2CAzureBlueprints See the differences here: https://k21academy.com/az-305/azure-rbac-vs-azure-policies-vs-azure-blueprints/
You are going beyond the requirements; whilst Policy, RBAC, etc. can be part of Blueprints, all that is needed here in the most simplistic form is Azure Policy.
https://learn.microsoft.com/en-us/azure/governance/policy/samples/iso-27001
Blueprint to enforce.
https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal
https://learn.microsoft.com/en-us/azure/governance/blueprints/samples/iso-27001-2013
In the same link the first explanation refers to Azure Policy --> The ISO 27001 blueprint sample provides governance guardrails using Azure Policy
DeployIfNotExists needs to be enabled in Azure Policy. Source: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal
https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal
B https://azure.microsoft.com/en-us/products/blueprints/#features
I go with B...