Check for Desired VM SKU Size(s)

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: VirtualMachines-029

Determine if the virtual machine (VM) instances provisioned within your Azure cloud account have the desired SKU size(s) established by your organization based on the workload deployed. The desired SKU size(s) must be defined in the conformity rule settings, on the Trend Micro Cloud One™ – Conformity account console.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure.

Security

Setting limits for the SKU size(s) of the virtual machine instances provisioned in your Microsoft Azure account can help you to better manage your cloud compute capacity, address internal compliance requirements, and prevent unexpected charges on your Azure monthly bill.


Audit

To determine if all your Azure VM instances have the desired SKU size(s), perform the following actions:

Using Azure Portal

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access the Check for Desired VM SKU Size conformity rule settings, and identify the SKU size(s) configured for VM instances.

02 Sign in to Azure Management Portal.

03 Navigate to Virtual machines blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FVirtualMachines to view the list with all the virtual machine (VM) instances available in your Azure cloud account.

04 Choose the Azure subscription that you want to access from the subscription filter box to list only the VM instances available in the selected subscription.

05 Choose the virtual machine instance that you want to examine.

06 In the navigation panel, select Overview and check the SKU size of the instance, listed as the value of the Size attribute. If the VM SKU size is different from the one(s) allowed by your organization and identified at step no. 1, the selected Azure virtual machine instance was not launched using the desired SKU size.

07 Repeat steps no. 5 and 6 for each Azure virtual machine available in the selected subscription.

08 Repeat steps no. 4 – 7 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access the Check for Desired VM SKU Size conformity rule settings, and identify the SKU size(s) configured for VM instances.

02 Run the account list command (Windows/macOS/Linux) with a custom query filter to list the IDs of the subscriptions available in your Azure account:

az account list \
	--query '[*].id'

03 The command output should return the requested subscription identifiers (IDs):

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-abcd-1234-abcd-abcd1234abcd"
]

04 Run the vm list command (Windows/macOS/Linux) with a custom query filter to list the name and the associated resource group of each virtual machine provisioned in the selected Azure subscription:

az vm list \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested virtual machine (VM) identifiers:

Name                      ResourceGroup
-----------------------   ------------------------------
cc-project5-app-server    cloud-shell-storage-westeurope
cc-project5-web-server    cloud-shell-storage-westeurope

06 Run the vm show command (Windows/macOS/Linux) using the name of the virtual machine that you want to examine and its associated resource group as identifier parameters, to return the VM SKU size of the selected virtual machine instance:

az vm show \
	--name cc-project5-app-server \
	--resource-group cloud-shell-storage-westeurope \
	--query 'hardwareProfile.vmSize'

07 The command output should return the size of the specified VM instance:

"Standard_A8_v2"

Compare the VM SKU size returned by the vm show command output with the one(s) allowed by your organization, identified at step no. 1. If the verified SKU size is not listed in the conformity rule configuration settings, the selected Azure virtual machine instance is not using the desired SKU size.

08 Repeat steps no. 6 and 7 for each Azure virtual machine deployed to the selected subscription.

09 Repeat steps no. 4 – 8 for each subscription created in your Microsoft Azure cloud account.
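The CLI audit above is a manual loop over every subscription and every VM. The following script automates it; it is an added example, not part of the Conformity page or the Azure CLI, and it wraps the same az account list / az vm list queries the steps use (with --output tsv so the shell can read the rows without extra tooling). The ALLOWED_SKUS list is a constructed placeholder standing in for the sizes configured in the conformity rule settings, and the demo function feeds a constructed two-row sample (VM names from the page's example output, sizes Standard_A8_v2 and Standard_DS3_v2) so the check runs without an Azure account. The comparison is case-insensitive because Azure Policy's string conditions ignore case, which is why the page's policy example can pass standard_ds3_v2 in lowercase.

```shell
#!/bin/sh
# Added example (not from the Conformity page or the Azure CLI project):
# find VMs whose SKU size is not in the organisation's allowed list.
# The live audit needs the Azure CLI and a prior 'az login'; the check
# functions themselves work offline on TSV input.

# Allowed SKU sizes. Constructed placeholder values; take the real list from
# the "Check for Desired VM SKU Size" rule settings in the Conformity console.
ALLOWED_SKUS="Standard_DS3_v2 Standard_D4s_v3"

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# is_allowed SIZE -> exit status 0 if SIZE is in ALLOWED_SKUS, else 1.
# Case-insensitive, matching how Azure Policy compares sku.name.
is_allowed() {
    needle=$(lower "$1")
    for sku in $ALLOWED_SKUS; do
        [ "$(lower "$sku")" = "$needle" ] && return 0
    done
    return 1
}

# report_nonconforming: reads "name<TAB>resourceGroup<TAB>vmSize" rows on
# stdin (the shape 'az vm list ... -o tsv' emits) and prints one line per VM
# whose size is not allowed, as "name resourceGroup vmSize".
report_nonconforming() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name rg size; do
        [ -z "$size" ] && continue          # skip blank or malformed rows
        if ! is_allowed "$size"; then
            printf '%s %s %s\n' "$name" "$rg" "$size"
        fi
    done
}

# audit_subscription SUBSCRIPTION_ID: list every VM in the subscription with
# its size (the same fields the page queries with vm list / vm show) and
# report the non-conforming ones.
audit_subscription() {
    az vm list --subscription "$1" -o tsv \
        --query '[*].[name, resourceGroup, hardwareProfile.vmSize]' \
        | report_nonconforming
}

# audit_all: repeat the check for every subscription the account can see.
audit_all() {
    for sub in $(az account list --query '[*].id' -o tsv); do
        echo "== subscription $sub =="
        audit_subscription "$sub"
    done
}

# demo: constructed sample rows (VM names from the page's example output)
# so the check can be exercised without an Azure account.
demo() {
    printf '%s\t%s\t%s\n' \
        cc-project5-app-server cloud-shell-storage-westeurope Standard_A8_v2 \
        cc-project5-web-server cloud-shell-storage-westeurope Standard_DS3_v2 \
        | report_nonconforming
}

# Run the live audit only when asked (sh audit_vm_skus.sh --run), so the
# functions above can be sourced or tested without the Azure CLI installed.
if [ "${1:-}" = "--run" ]; then
    audit_all
fi
```

Running demo prints only the app server, because Standard_A8_v2 is not in the allowed list while Standard_DS3_v2 is; against a real account, audit_all prints the same kind of line for every non-conforming VM in every subscription, which is the set of instances that step no. 7 would flag one at a time.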

Remediation / Resolution

To resize your Azure virtual machine instances to the VM SKU size established by your organization, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Portal.

02 Navigate to Virtual machines blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Compute%2FVirtualMachines to access the list with all the virtual machine instances available within your Azure cloud account.

03 Choose the Azure subscription that you want to access from the subscription filter box.

04 Click on the name of the virtual machine instance that you want to resize.

05 In the navigation panel, under Settings, select Size to access the list of SKU sizes available for the selected instance.

06 On the Size page, perform the following actions:

  1. Click on See all sizes to list all the VM SKU sizes provided by Microsoft Azure cloud.
  2. Select the desired SKU size allowed by your organization, defined in the conformity rule settings.
  3. Click on the Resize button to resize the selected Azure VM instance. If the virtual machine instance is currently running, changing its size will cause it to be restarted.

07 Once the selected instance has been resized, you can implement the "Allowed virtual machine size SKUs" policy to restrict the creation of VM instances to one or more SKU sizes. This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. To get started, navigate to Azure Policy blade at https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade.

08 In the navigation panel, choose Assignments to access the list with all the policy assignments available within your cloud account.

09 On the Assignments page, click on the Assign policy button to initiate the "Allowed virtual machine size SKUs" policy assignment setup.

10 On the Assign policy page, perform the following:

  1. Select the Basics tab to configure the assignment basic settings.
  2. For Scope, choose the Azure cloud subscription that you want to use as policy assignment scope. A scope determines what resources or grouping of resources the policy assignment gets enforced on.
  3. (Optional) For Exclusions, choose the resource group or the cloud resources that can be excluded based on the selected scope. Exclusions start at one level lower than the level of the selected scope (in this case, the selected subscription).
  4. Click on the Policy definition ellipsis to open the list of available definitions. On the Available Definitions panel, select the built-in policy definition named Allowed virtual machine size SKUs.
  5. Provide a unique name for your new policy assignment in the Assignment name box.
  6. Provide a short description for the new assignment in the Description text box.
  7. Make sure that Policy enforcement is set to Enabled.
  8. Once the assignment basics are configured, select the Parameters tab to specify the required parameters for the policy assignment.
  9. Click inside the Allowed Size SKUs dropdown list and choose the SKU size(s) that your organization can use to deploy virtual machine instances in the selected scope.
  10. Click Review + create to review and validate the assignment.
  11. Click Create to create the "Allowed virtual machine size SKUs" policy assignment.

11 Repeat steps no. 4 – 6 to resize other Azure VM instances available in the selected subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run the vm resize command (Windows/macOS/Linux) using the name of the virtual machine (VM) instance that you want to reconfigure and its resource group as identifier parameters, to change the SKU size of the selected VM instance to one allowed by your organization, as defined in the conformity rule settings (e.g. Standard_DS3_v2):

az vm resize \
	--name cc-project5-app-server \
	--resource-group cloud-shell-storage-westeurope \
	--size Standard_DS3_v2 \
	--query 'hardwareProfile.vmSize'

02 The command output should return the enabled VM SKU size:

"Standard_DS3_v2"

03 Once the selected instance has been resized, you can create the "Allowed virtual machine size SKUs" policy assignment to restrict the creation of VM instances to one or more SKU sizes. This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. To create the "Allowed virtual machine size SKUs" policy assignment for the selected Azure cloud subscription (scope), run the policy assignment create command (Windows/macOS/Linux) using the ID of the Allowed virtual machine size SKUs policy definition as the value of the --policy parameter (i.e. cccc23c7-8427-4f53-ad12-b6a63eb452b3). In the following command example, the SKU size that your organization can use to deploy VM instances within the specified scope, passed as the value of the -p parameter, is Standard_DS3_v2:

az policy assignment create \
	--display-name cc-allowed-vm-size-skus \
	--policy cccc23c7-8427-4f53-ad12-b6a63eb452b3 \
	-p "{ \"listOfAllowedSKUs\": { \"value\": [ \"standard_ds3_v2\" ] } }" \
	--scope /subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd

04 The command output should return the new Azure policy assignment metadata:

{
  "description": null,
  "displayName": "cc-allowed-vm-size-skus",
  "enforcementMode": "Default",
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/ABCDABCDABCD",
  "identity": null,
  "location": null,
  "metadata": {
    "createdBy": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
    "createdOn": "2020-05-07T07:05:30.0000007Z",
    "updatedBy": null,
    "updatedOn": null
  },
  "name": "ABCDABCDABCD",
  "notScopes": null,
  "parameters": {
    "listOfAllowedSKUs": {
      "value": [
        "standard_ds3_v2"
      ]
    }
  },
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3",
  "scope": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "sku": {
    "name": "A0",
    "tier": "Free"
  },
  "type": "Microsoft.Authorization/policyAssignments"
}

05 Repeat steps no. 1 and 2 to resize other Azure VM instances provisioned within the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.


Publication date Sep 22, 2020
