Azure Recommended Policies

ParkMyCloud accesses Azure through an Azure AD application registration, i.e. a service principal. You create an Application in Azure AD and generate a client secret for it; ParkMyCloud authenticates with that application ID and secret. You then assign the Application to a role in each subscription it should manage. ParkMyCloud uses a custom role that grants only the permissions needed to do its job. We avoid the generic built-in roles (Contributor, for example) because they grant far more than we need and do not follow a "least privilege" model.

We update our custom role from time to time as we add features that require additional privileges. Watch for our Release Notes, where we announce when it is time to update the role definition; the existing assignments keep working, but the new features will fail with authorization errors until the definition is updated.

The latest version of the ParkMyCloud recommended policies for Azure is always available at https://github.com/parkmycloud/useful_tools/tree/master/Azure/RecommendedPolicies

This is our recommended policy, with the best balance of security and simplicity. The same role definition can cover several subscriptions: AssignableScopes is a JSON array, so list one "/subscriptions/<id>" entry per subscription, separated by commas. AssignableScopes only controls where the role may be assigned; you still need a role assignment for the Application in each subscription. The write entries (virtualMachines/write, virtualMachineScaleSets/write, the Sql write entries and AutoscaleSettings/Write) are the broadest in the list, since they allow the Application to create or modify those resources rather than only start and stop them, so keep the role scoped to the subscriptions ParkMyCloud actually manages. See https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles for formatting details.

Policy Name: PMCAzureRecommendedPolicy

Policy Description: All-in-one policy for ParkMyCloud

```json
{
  "Name": "ParkMyCloud Limited Access 2020-08-17",
  "Description": "ParkMyCloud limited access policy as of 2020-08-17",
  "IsCustom": "true",
  "Actions": [
    "Microsoft.Capacity/reservationOrders/*/read",
    "Microsoft.Commerce/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachineScaleSets/write",
    "Microsoft.Compute/virtualMachineScaleSets/start/action",
    "Microsoft.Compute/virtualMachineScaleSets/deallocate/action",
    "Microsoft.Consumption/*/read",
    "Microsoft.ContainerService/managedClusters/agentPools/read",
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.Insights/*/read",
    "Microsoft.Insights/AutoscaleSettings/Write",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Resources/subscriptions/*/read",
    "Microsoft.Sql/managedInstances/*/read",
    "Microsoft.Sql/managedInstances/write",
    "Microsoft.Sql/servers/databases/*/read",
    "Microsoft.Sql/servers/databases/pause/action",
    "Microsoft.Sql/servers/databases/resume/action",
    "Microsoft.Sql/servers/databases/write",
    "Microsoft.Sql/servers/read",
    "Microsoft.Sql/servers/elasticPools/*/read",
    "Microsoft.Sql/servers/elasticPools/write"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/<Your_subscription_ID_here>"
  ]
}
```
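The following script is an added example, not part of ParkMyCloud's tooling, showing how to prepare the role definition above for several subscriptions and check it before creating it. It assumes the JSON from this page is saved to a file (pmc-role.json here, a hypothetical name), rewrites AssignableScopes with one entry per subscription as described above, audits the Actions list against an allow-list of the resource providers the page's policy uses, and emits the Azure CLI commands (az role definition create, az role assignment create) to create the role and assign it to the Application in each subscription. The provider allow-list, the GUID check and the embedded sample role (a subset of the page's policy, so the block runs offline) are this example's own choices.

```python
"""Scope and sanity-check the ParkMyCloud custom role before creating it.

Added example, not ParkMyCloud's code. The provider allow-list, the
subscription-ID format check and the sample role below are assumptions
made for illustration; run it against the full JSON from the page.
"""
import json
import re
import sys
from typing import Iterable

# Azure subscription IDs are GUIDs.
SUBSCRIPTION_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Resource providers the policy on this page touches; anything else is suspicious.
EXPECTED_PROVIDERS = {
    "Microsoft.Capacity", "Microsoft.Commerce", "Microsoft.Compute",
    "Microsoft.Consumption", "Microsoft.ContainerService", "Microsoft.Insights",
    "Microsoft.Network", "Microsoft.Resources", "Microsoft.Sql",
}

# Constructed sample: a subset of the page's policy, embedded so the block runs offline.
SAMPLE_ROLE = {
    "Name": "ParkMyCloud Limited Access 2020-08-17",
    "Description": "ParkMyCloud limited access policy as of 2020-08-17",
    "IsCustom": "true",
    "Actions": [
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Sql/servers/databases/pause/action",
        "Microsoft.Sql/servers/databases/resume/action",
    ],
    "NotActions": [],
    "AssignableScopes": ["/subscriptions/<Your_subscription_ID_here>"],
}


def scope_role(role: dict, subscription_ids: Iterable[str]) -> dict:
    """Return a copy of the role with one AssignableScopes entry per subscription."""
    scoped = json.loads(json.dumps(role))  # deep copy; the input is left untouched
    scopes = []
    for sub in subscription_ids:
        if not SUBSCRIPTION_ID_RE.match(sub):
            raise ValueError(f"not a subscription ID: {sub!r}")
        scopes.append(f"/subscriptions/{sub}")
    if not scopes:
        raise ValueError("at least one subscription is required")
    scoped["AssignableScopes"] = scopes
    return scoped


def audit_role(role: dict) -> list[str]:
    """Flag entries that would widen the role beyond what the page's policy grants."""
    findings = []
    if str(role.get("IsCustom", "")).lower() != "true":
        findings.append("IsCustom must be true for a custom role")
    if role.get("NotActions"):
        findings.append("NotActions should stay empty; exclusions obscure what is really granted")
    if role.get("DataActions"):
        findings.append("DataActions present; this role needs no data-plane access")
    for action in role.get("Actions", []):
        provider = action.split("/", 1)[0]
        if action == "*" or provider == "*":
            findings.append(f"unscoped wildcard action: {action}")
        elif provider not in EXPECTED_PROVIDERS:
            findings.append(f"unexpected resource provider: {action}")
        elif action.endswith("/delete") or action.endswith("/*"):
            findings.append(f"broader than needed: {action}")
    for scope in role.get("AssignableScopes", []):
        if "<" in scope or not scope.startswith("/subscriptions/"):
            findings.append(f"placeholder or non-subscription scope: {scope}")
    return findings


def az_commands(role: dict, app_id: str, path: str = "pmc-role.json") -> list[str]:
    """Azure CLI commands to create the role and assign it to the Application at each scope."""
    cmds = [f"az role definition create --role-definition @{path}"]
    for scope in role["AssignableScopes"]:
        cmds.append(
            f"az role assignment create --assignee {app_id} "
            f"--role \"{role['Name']}\" --scope {scope}"
        )
    return cmds


if __name__ == "__main__":
    # usage: python pmc_role.py pmc-role.json <application-id> <subscription-id> [...]
    src, app_id, *subs = sys.argv[1:]
    with open(src) as fh:
        role = scope_role(json.load(fh), subs)
    for finding in audit_role(role):
        print("WARNING:", finding)
    with open("pmc-role.scoped.json", "w") as fh:
        json.dump(role, fh, indent=2)
    print("\n".join(az_commands(role, app_id, "pmc-role.scoped.json")))
```

When a Release Note announces a new role version, run the same audit on the new JSON and apply it with az role definition update rather than creating a second role, so the existing assignments pick up the change.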