Managing Security Center at scale using ARM templates and Azure Policy

*** Update: This blogpost has been updated with a new ARM template and new Azure Policy definitions which covers the new Security Center bundle pricings. The new ARM template can be found here, the new Azure Policy definitions can be found here  ***

Recently we have been receiving several customer questions on how to manage Security Center at scale in a continuous integration (CI) and continuous delivery (CD) scenario, better known as CI/CD. How do you make sure that when a new subscription is instantiated, Security Center is configured correctly and is enabled to monitor new and existing resources? How do you manage hundreds of subscriptions within your organizattion? How do you enforce your security policies?

This blogpost covers two scenarios:

1. Configure Security Center using an ARM template to support a CI/CD scenario and management at scale
2. Enforce a Security Center configuration within your organization, using Azure Policy

Since both ARM templates and Azure Policy talk to the Resource Manager API in Azure, by making a JSON formatted request, you can re-use the deployment section of an ARM template to author an Azure Policy definition.

If you are new to ARM templates and are looking for guidance on authoring, go here.

In case you want to leverage PowerShell for configuring ASC, go here.

The Security Center ARM Template

Every ARM template consists of these 7 elements (not all of them have to be used):

It’s the “resources” element that we are interested in since the ARM template reference for Security Center hasn’t been documented yet. We are in the process of publishing which makes it easier to find which types and values are allowed and will also provide IntelliSense. I will update this post when that becomes available.

In this blogpost I will cover the two most asked questions:

1. How can I make sure that Security Center is configured for the Standard pricing tier, which unlocks all the Security Center features
2. How can I enable auto provisioning, which enables automatic installation of the Microsoft Management Agent (MMA) VM extension for new resources. Please refer to the pricing tier documentation for the difference between the Free and Standard tier.

Set the ASC pricing tier in an ARM template

The new pricing tier API is fast and efficient to use. We are using the Microsoft.Security/pricings type to set our pricing tier.

How does that look in a template?

The ARM template can be found here.

If you want to deploy this template, please make sure you target the subscription instead of a resource group. This is a common made mistake, since ASC lives at the subscription level, not at the resource group level. A deployment would look like this (using PowerShell):

New-AzDeployment -Name myAscDeploy -Location <yourLocation> -TemplateFile ‘<yourTemplateFileAndPathHere>' -Verbose

Since you have probably noticed the usage of a parameter, so you can flip it from “Free” to “Standard” or the other way around, you will be prompted for this value. Please note that we are only allowing the two values specified and it is case sensitive.

You can verify the deployment in the activity log:

Leveraging the ARM template to create an Azure Policy

Now that you have a working ARM template, you can use it to create a deployIfNotExists type of Azure policy which allows you to remediate if the policy definition is non-compliant.

If you are just starting with Azure Policy, I would recommend to explore our documentation for guidance on different policy definitions.

Leveraging the ARM template we just created, you can construct a deployIfNotExists Azure Policy.

You first need to create the section that allows you to find the pricingTier field and value (Standard). For this to work, you need to target your Policy at the right scope (subscriptions or higher), then you define the “effect” (deployIfNotExists) and you set the type to Microsoft.Security/pricings, where the field and value lives which we are looking for.

If the existenceCondition returns false and you want to remediate it, you need to define a deployment section under the resources section, where you define your target type and properties.

You can find the Azure Policy shown above here.

Having your ARM Policy defined, you can now create and assign your new Azure Policy.

Please note that you need the appropriate permissions to create a managed identity. This ensures that the policy has the appropriate permissions to change the Security Center configuration at the subscription level.

It takes around 30 minutes for the policy to take effect as mentioned in the confirmation.

Your policy will remain in this state for a while:

Then after around 30 minutes, you will notice a non-compliant assignment, as shown below.

If you click on the assignment, you can explore which resource is non-compliant. You can click on Create Remediation Task to remediate it.

Automatically create a remediation task

In case you want to use automation, you can leverage the Policy Insights API to create a remediation task. One of the options you have is to invoke the API using PowerShell. The script below shows an example how to accomplish that. Please note that besides the subscriptionId, you need to pass a remediationName and policyID:

You can find the script to create a remediation task here.

If you have succesfully executed the script, you should see something similar in your activity log:

Your ASC pricing tier should be changed to Standard and after a policy refresh cycle, your compliance state should be updated to compliant.

Configure Security Center auto provisioning using a custom workspace

The following ARM template enables auto provisioning so that the Microsoft Management Agent VM extension will be deployed automatically to new created virtual machines. You will also configure a custom Log Analytics workspace instead of the default Security Center one.

The ARM template for enabling auto provisioning can be found here.

Please note that you need to pass specific parameters values for configuring the Log Analytics workspace like workspace name, the resource group of the workspace and the Azure subscriptionID of where the workspace is created.

Deployment of the ARM template is straightforward as you have seen before while deploying the pricing tier template and should look like this: