How Do You Manage Security Posture Recommendations in Azure CSPM?

Asked By TechWiz23 On

Hey everyone, I'm really struggling with managing the Security Posture recommendations after enabling Cloud Security Posture Management (CSPM) for our Azure subscriptions. The experience feels overly complicated and difficult to manage, especially as we're using Landing Zones and have already deployed a lot of Azure Policies including Guardrail policies from accelerators. It's frustrating to constantly see horrible secure scores for our subscriptions, primarily due to warnings about inactive permissions on Managed Identities, which were created by these Azure Policies. Our scores hover around 2-4%, which is concerning and leads to endless justifications for the security teams. I find myself adding exclusions for these permissions repeatedly, but with about 500 exclusions already, it's clearly not sustainable. As we expand our cloud adoption strategy, I'm worried that more exceptions will just create more work for us. How are you all managing these issues at scale? Am I missing something important because it all seems so manual and overwhelming?

4 Answers

Answered By AnnoyedAdmin On

I’m in the same boat! I get flagged for our AVD users constantly. Just had to exclude every single one recently, which just feels so wrong.

Answered By CloudJunkie88 On

I totally get your frustrations with CSPM. Here are a few tips that might help you manage things better:
- Try using User Assigned identities instead of System Assigned ones for your policies if they can be centrally managed. System Assigned ones can really complicate things.
- Replace noisy built-in policies with customized ones that fit your needs better. If you're getting a lot of false positives, a tailored policy can help reduce the clutter.
- Avoid relying on exemptions. Managing those at scale can be a nightmare.

DataSavant99 -

Thanks for the tips! I’ll definitely consider switching to User Assigned identities. The CSPM Policies can be pretty rigid, so hopefully this cuts down on the unnecessary alerts.

AzureNerd77 -

But isn't it safer to stick with System Assigned in small environments? It limits what can be changed since the built-in policies can't be altered, right?

Answered By FixItFelix On

I feel you on the pain with inactive and overprovisioned identities; those warnings are driving us nuts too. Our secure scores took a hit due to those issues, and to make matters worse, Microsoft support is pretty much useless when it comes to addressing their own identity recommendations.

Answered By TerraformTinkerer On

I had a similar experience with the Azure Landing Zone Accelerator. It felt more like a mess after deploying than an actual solution. I ended up writing my own Terraform scripts to regain control over policy deployments. Regarding the DfCSP, it's a lot like the old Azure Security Center, but you'll need to adjust and tune those bundled policies extensively to fit your actual environment.

CloudJunkie88 -

We did something like that too and rolled back from the accelerator because customization was such a hassle. Terraform really gives us the control we need!

TechWiz23 -

Yeah, it seems like stripping back to essentials might be the best way forward. I need to find a more pragmatic approach with the policies.
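Putting the two ideas from this thread together (a single, centrally managed User Assigned identity for policy remediation, and owning the policy deployment in Terraform rather than through the accelerator), here is an added Terraform example. It is not code from any participant or from the Landing Zone Accelerator; the management group ID, resource group, identity name and the list of policy definition GUIDs are placeholders you would supply. It assumes the azurerm provider 3.x, and that each listed built-in definition is a DeployIfNotExists or Modify policy whose rule declares the roles its remediation identity needs under then.details.roleDefinitionIds.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.100" # assumed provider line
    }
  }
}

provider "azurerm" {
  features {}
}

# Placeholders: the landing-zone management group and where the identity lives.
variable "management_group_id" {
  type        = string
  description = "Resource ID of the MG that receives the assignments, e.g. /providers/Microsoft.Management/managementGroups/<name>"
}

variable "identity_resource_group" {
  type = string
}

variable "location" {
  type    = string
  default = "westeurope"
}

# GUIDs of the built-in DINE/Modify definitions to assign, keyed by a short
# assignment name. Fill in from `az policy definition list --query "[?policyType=='BuiltIn']"`.
variable "remediated_policies" {
  type = map(string)
  # example shape: { "deploy-diag-settings" = "<built-in definition GUID>" }
}

# One identity for every remediation assignment, instead of one system-assigned
# principal per assignment. Fewer principals, one place to review its roles.
resource "azurerm_user_assigned_identity" "policy_remediation" {
  name                = "id-policy-remediation" # placeholder name
  resource_group_name = var.identity_resource_group
  location            = var.location
}

data "azurerm_policy_definition" "remediated" {
  for_each = var.remediated_policies
  name     = each.value
}

# Read the roles each definition says its remediation needs, so the identity
# gets exactly those rather than a blanket Contributor/Owner grant.
locals {
  role_definition_ids = distinct(flatten([
    for k, d in data.azurerm_policy_definition.remediated :
    try(jsondecode(d.policy_rule).then.details.roleDefinitionIds, [])
  ]))
}

resource "azurerm_role_assignment" "policy_remediation" {
  for_each                         = toset(local.role_definition_ids)
  scope                            = var.management_group_id
  role_definition_id               = each.value
  principal_id                     = azurerm_user_assigned_identity.policy_remediation.principal_id
  skip_service_principal_aad_check = true # new principal may not be readable via Graph yet
}

# Every assignment references the same user-assigned identity.
resource "azurerm_management_group_policy_assignment" "remediated" {
  for_each             = data.azurerm_policy_definition.remediated
  name                 = each.key
  management_group_id  = var.management_group_id
  policy_definition_id = each.value.id
  location             = var.location # required whenever an identity is attached

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.policy_remediation.id]
  }

  depends_on = [azurerm_role_assignment.policy_remediation]
}

output "remediation_principal_id" {
  value = azurerm_user_assigned_identity.policy_remediation.principal_id
}
```

Assignments created this way still need a remediation task before existing resources are fixed (for example `az policy remediation create` against each assignment ID), and the role grants are deliberately derived from the definitions so that adding a new policy to the map also adds only the roles it declares.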

