Tags

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: Resources-001

Ensure that user-defined tags are being used for labeling, collecting, and organizing cloud resources within your Microsoft Azure account. User-defined tags are name/value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple cloud resources. Trend Micro Cloud One™ – Conformity recommends the following tagging schema to help you identify and manage your Azure resources:

  • Name: used to identify individual cloud resources.
  • Role: used to describe the function of a specific resource (e.g. web tier, app tier, and database tier).
  • Environment: used to distinguish between different stages (e.g. development, staging, and production).
  • Owner: used to identify the person responsible for the cloud resource.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure.

Pillars: Security, Reliability, Performance efficiency, Cost optimisation, Operational excellence

As your Microsoft Azure cloud environment grows more complex, it requires better management strategies. A consistent tagging schema gives you more visibility across your Azure resources and lets you organize them more efficiently. Tags support scenarios such as tracking resource owners and their stack level, identifying which resources incur the highest costs, filtering resources by deployment stage, and, when a resource is involved in an incident, quickly finding the person responsible for it.

Note: As an example, this conformity rule uses Microsoft Azure virtual machines as the cloud resources to tag, in order to demonstrate how to implement a tagging schema like the one listed above. The same steps can be used to search for and/or assign tags on other Azure resource types.


Audit

To determine if your Azure virtual machines are using the recommended tagging schema, perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list only the virtual machines (VMs) provisioned in the selected subscription.

05 Click on the name of the Azure virtual machine that you want to examine, and choose Tags from the resource navigation panel to view the tag set(s) created for the selected virtual machine.

06 On the Tags page, search the Name column for the following tag names (tag names are case insensitive): Name, Role, Environment and Owner. Additional tags are allowed, but if any of these four tag names is missing, the selected Microsoft Azure virtual machine (VM) is not using the recommended tagging schema.

07 Repeat step no. 5 and 6 for each Azure virtual machine created in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) using custom query filters to list the IDs of the subscriptions created for your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run vm list command (Windows/macOS/Linux) with custom query filters to list the resource ID of each Azure virtual machine provisioned in the selected subscription:

az vm list \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
  --query '[*].id'

04 The command output should return the requested virtual machine resource IDs:

[
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-main-server",
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-analytics-vm-server",
  "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-data-server"
]

05 Run tag list command (Windows/macOS/Linux) using the resource ID of the Azure virtual machine that you want to examine as the identifier parameter, to describe the tag set(s) created for the selected virtual machine:

az tag list \
  --resource-id "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-main-server" \
  --query 'properties.tags' \
  --output table

06 The command output should return a table with the requested tagging information:

Project     Type
----------  -----------
Project5    Unmanaged

Check the header row of the table returned by the tag list command (the column headers are the tag names) for the following tag names (tag names are case insensitive): Name, Role, Environment, and Owner. Additional tags are allowed, but if any of these four tag names is missing, the selected Microsoft Azure virtual machine (VM) is not using the recommended tagging schema. In the example output above only Project and Type are present, so that virtual machine is non-compliant.

07 Repeat step no. 5 and 6 for each Azure virtual machine deployed in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.
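The portal and CLI procedures above are the same check performed one resource at a time. The following script, added here as an example and not part of the Conformity page or the Azure CLI itself, runs that check across every subscription and virtual machine the signed-in identity can see, using only the `az` commands shown above. It assumes `az` is installed and `az login` has been run for the live audit; the `missing_tags` function works on saved output and needs no Azure access. Note that, like the manual procedure, it checks only that the four tag names are present, not that their values are meaningful.

```shell
#!/bin/sh
# Added example: audit every VM in every visible subscription against the
# Name/Role/Environment/Owner tagging schema using the Azure CLI only.
# Assumptions: `az` on PATH and a completed `az login` (audit_vms only).

# Tag names required by the schema. Azure tag names are case-insensitive,
# so all comparison is done in lower case.
REQUIRED_TAGS="name role environment owner"

# missing_tags: reads tag names on stdin, one per line (the shape produced by
# `az tag list ... --query 'keys(...)' -o tsv`), and prints each required
# tag name that is absent. Prints nothing when the resource is compliant.
# Extra tags (Project, Type, ...) are ignored and never cause a failure.
missing_tags() {
    present=$(tr '[:upper:]' '[:lower:]')
    for want in $REQUIRED_TAGS; do
        # -x matches whole lines, so a tag named "Owner Team" does not
        # satisfy the Owner requirement; -F disables regex interpretation.
        if ! printf '%s\n' "$present" | grep -qxF "$want"; then
            echo "$want"
        fi
    done
}

# audit_vms: steps 1-8 of the CLI audit above in a single loop. Returns 1 if
# any VM is missing a required tag, 0 when every VM is compliant.
audit_vms() {
    rc=0
    for sub in $(az account list --query '[*].id' -o tsv); do
        for vm in $(az vm list --subscription "$sub" --query '[*].id' -o tsv); do
            # not_null() guards resources with no tags at all, where
            # properties.tags is null and keys() would otherwise fail.
            missing=$(az tag list --resource-id "$vm" \
                          --query 'keys(not_null(properties.tags, `{}`))' \
                          -o tsv | missing_tags)
            if [ -n "$missing" ]; then
                printf 'NON-COMPLIANT %s missing: %s\n' "$vm" \
                    "$(printf '%s\n' "$missing" | tr '\n' ' ')"
                rc=1
            else
                printf 'COMPLIANT %s\n' "$vm"
            fi
        done
    done
    return "$rc"
}

# Run the live audit only when explicitly asked, so the file can also be
# sourced to reuse missing_tags against saved `az tag list` output.
if [ "${1:-}" = "--run" ]; then
    audit_vms
fi
```

Run it with `sh audit-tags.sh --run`; the non-zero exit status makes it usable as a gate in a pipeline. The same loop, with `az resource tag --ids "$vm" --is-incremental --tags ...` in place of the `az tag list` call, is the bulk form of the remediation below, but the tag values must still be chosen per resource, which is why the script only reports.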

Remediation / Resolution

To implement the recommended tagging schema for your Microsoft Azure virtual machines (VMs), perform the following operations:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 Choose the Azure subscription that you want to access from the Subscription filter box.

04 From the Type filter box, select Virtual machine to list only the virtual machines (VMs) available in the selected subscription.

05 Click on the name of the Azure virtual machine that you want to reconfigure (see Audit section part I to identify the right VM), and choose Tags from the navigation panel to access the resource tagging configuration page.

06 On the Tags page, use the Name and Value text fields to create the following tagging schema (tag names are case insensitive, tag values are case sensitive; tag values are visible to anyone with read access to the resource, so never store credentials or other secrets in them):

  1. For tag names use Name, Role, Environment, and Owner.
  2. For tag values use your own metadata, for example:
    1. Name: identifies the individual cloud resource (e.g. Project5 Web Server).
    2. Role: describes the function of the resource (e.g. Web Tier).
    3. Environment: distinguishes between deployment stages (e.g. Production).
    4. Owner: identifies the person or team responsible for the resource (e.g. Project5 Team).

  Click Save to apply the tags to the selected virtual machine.

07 Repeat step no. 5 and 6 to implement the recommended tagging schema for each Azure virtual machine provisioned in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run resource tag command (Windows/macOS/Linux) using the ID of the Microsoft Azure virtual machine that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right VM), to tag the selected virtual machine with the recommended tagging schema. Replace the tag values after "=" in the --tags parameter with your own metadata. Include the --is-incremental parameter to add the new tags without deleting the resource's existing tags; if a new tag has the same name as an existing tag, the existing value is overwritten. Because --ids already identifies the resource completely, no other resource identifier parameters (such as --resource-type) are needed:

az resource tag \
  --ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/CLOUD-SHELL-STORAGE-WESTEUROPE/providers/Microsoft.Compute/virtualMachines/cc-project5-main-server" \
  --tags 'Name=Web Server' 'Role=Web Tier' 'Environment=Production' 'Owner=Project5 Team' \
  --is-incremental \
  --query 'tags'

02 The command output should return all the tag sets assigned to the selected cloud resource (including original tags):

  {
    "Name": "Web Server",
    "Role": "Web Tier",
    "Environment": "Production",
    "Owner": "Project5 Team",
    "Type": "Unmanaged",
    "Project": "Project5"
  }

03 Repeat step no. 1 and 2 to implement the recommended tagging schema for each Azure virtual machine available in the selected subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.


Publication date Dec 11, 2020
