  • Handling case-sensitive tags in Azure Policy

    A few weeks ago, I was working with one of my customers on refining their public cloud governance model, in particular as it related to tag enforcement. While they had a mature resource deployment process that ensured the proper application of tags, they struggled with a single tag that could be set to alphanumeric values with assorted cases. Their system of record for these values was ancient and, despite my pleading to augment the data with a lower() or upper(), they asked me to come up with a solution.

  • Azure Logs to a SIEM

    Recently, I worked with a customer that wanted to wrangle their Azure log data to meet their audit requirements. Their Security Operations Center (SOC) was mature and had an established Security Information and Event Management (SIEM) process. To achieve compliance, they requested that only security event data from Azure be streamed to their SIEM solution. In this post, I describe the process to identify, filter, and stream the log data out of Azure.

  • CodeBuild cache for Jekyll build

    For the past couple of years, this blog has been run from AWS, with iterative improvements to make publishing easier for me. Using a static site framework like Jekyll minimized the need for a “Linux Apache MySQL PHP” (LAMP) stack, which used to be the de facto standard. The problem is that, because of the amount of content, the build times to publish were steadily increasing. In this post, I’ll describe the relatively easy fix that resulted in a 70% improvement.

  • Azure Solutions Architect Expert

    When I joined Microsoft in August of ‘20, the only experience that I had with Azure was that I knew how to spell it. At a high level, I knew that the fundamentals between AWS and Azure were the same. I was lucky to have incredible mentors at Amazon who raised me right in building my cloud skill set. I recognized that there would be differences, and that I would learn the new platform the same way. I created an account through the Azure portal in one browser displayed on the left half of my screen, and viewed my AWS account on the right half. With the AWS to Azure services comparison documentation in another tab, I started building out one resource at a time. When I first joined AWS, a colleague of mine reminded me that every public cloud is made up of the same three basic components: compute, storage, and network, and that helped guide me as I learned AWS. I knew that the same applied to Azure, and started my journey.

  • Secrets management using Azure Managed HSM

    Configuring least privilege

    The first post of this series described a solution that uses an Azure Managed HSM to wrap secrets stored in an Azure Key Vault. The intent of this design was to comply with a given control that required secrets to be encrypted with keys that were generated in a FIPS 140-2 Level 3 validated HSM. In my excitement to publish the post, I completely neglected to discuss the differences in Role Based Access Control (RBAC) required to interact with the Managed HSM versus the Azure Key Vault. Thanks to KrisTurk86 on Twitter for bringing this to my attention! In this post, I’ll describe why the roles between the two services are different.