Struggling with Azure CSPM Security Posture Management

Asked By TechieTornado42 On

Hey all, I'm really feeling overwhelmed managing the security posture recommendations after enabling Cloud Security Posture Management (CSPM) for our Azure subscriptions. It seems like the whole setup is pretty frustrating and lacks efficiency when it comes to scaling. We're using Landing Zones and have deployed most of the Azure Policies through accelerators, but we keep getting really low secure scores due to warnings about inactive managed identities. This has been a continuous battle for our team, and we're stuck justifying these scores, which hit between 2-4%. It's concerning to see such low numbers. Constantly excluding these identities from new subscriptions is not sustainable, especially since we've already hit around 500 exclusions! This is becoming a real challenge as we plan to expand our cloud strategy and add even more subscriptions. How are others managing this type of situation at scale? Any tips or best practices would be greatly appreciated!

3 Answers

Answered By CloudGuru88 On

I totally feel your pain! If you're relying heavily on built-in policies, it can get overwhelming. Here are a few tips:
- Have you considered using user-assigned identities? If they’re centrally managed, they can be much more manageable than system-assigned identities.
- Try replacing any noisy built-in policies with custom ones that fit your needs better. If a certain policy is flagging too many false positives, create a policy that ignores those conditions.
- Avoid going the route of making too many exemptions; they can be a nightmare to manage as you scale.

Answered By DevOpsDynamo On

You're definitely not alone! The 'inactive identities' check has been a source of massive headaches for us too. Microsoft’s own identities showing up in these results just adds to the confusion. We’ve seen secure scores drop because of these issues, and their support isn’t very helpful. Just know you're not in this alone!

Answered By InfraNinja21 On

I can relate to the frustrations with the Azure Landing Zone Accelerator. It really is a hassle if you want more than the default settings. I ended up rolling my own Terraform scripts for deployment. Just be sure you’re deploying the policies at the right Management Group level to cut down on duplicates! Utilizing Terraform can give you considerably better control.
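Added example, not code from any of the posters above: a Terraform fragment that combines the two suggestions in this thread, a custom audit policy (here: user-assigned identities missing an `owner` tag, to support central ownership) defined and assigned once at the landing-zone parent management group so every child subscription inherits it instead of receiving its own duplicate assignment. The management group name `lz-platform`, the `owner` tag and the policy names are assumed placeholders.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
  }
}

provider "azurerm" {
  features {}
}

# Assumed: the landing-zone parent management group already exists.
data "azurerm_management_group" "landing_zones" {
  name = "lz-platform" # placeholder name
}

# Custom definition stored at the management group, so it is available
# to every subscription underneath without being redefined per subscription.
resource "azurerm_policy_definition" "uai_owner_tag" {
  name                = "audit-uai-owner-tag"
  policy_type         = "Custom"
  mode                = "Indexed"
  display_name        = "Audit user-assigned identities without an owner tag"
  management_group_id = data.azurerm_management_group.landing_zones.id

  # Flag user-assigned identities that nobody has claimed; audit only, so
  # nothing is blocked while the team tunes the rule.
  policy_rule = jsonencode({
    if = {
      allOf = [
        { field = "type", equals = "Microsoft.ManagedIdentity/userAssignedIdentities" },
        { field = "tags['owner']", exists = "false" }
      ]
    }
    then = { effect = "audit" }
  })
}

# A single assignment at the parent management group; child subscriptions
# inherit it, so no per-subscription assignment (and no duplicate finding)
# is needed, and no exclusion list has to grow with each new subscription.
resource "azurerm_management_group_policy_assignment" "uai_owner_tag" {
  name                 = "audit-uai-owner-tag"
  display_name         = "Audit user-assigned identities without an owner tag"
  policy_definition_id = azurerm_policy_definition.uai_owner_tag.id
  management_group_id  = data.azurerm_management_group.landing_zones.id
  enforce              = true
  not_scopes           = [] # deliberately empty: no per-subscription exemptions
}
```

Run `terraform plan` against the tenant to confirm the assignment appears exactly once, at the management group, before applying.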
