Resource Group

Microsoft Azure

Management & Governance

Azure Resource Group is a logical container that allows users to organize and manage related Azure resources, such as virtual machines, storage accounts, and network interfaces, as a single unit. It provides a way to manage and monitor resources collectively, rather than individually.Resource groups are created within an Azure subscription and can be used to organize resources based on different criteria, such as environment, application, or department. Resources can be added, removed, or modified within a resource group as needed.‍

Terraform Name

terraform

azurerm_resource_group

Resource Group

attributes:

The following arguments are supported:

location - (Required) The Azure Region where the Resource Group should exist. Changing this forces a new Resource Group to be created.
name - (Required) The Name which should be used for this Resource Group. Changing this forces a new Resource Group to be created.

tags - (Optional) A mapping of tags which should be assigned to the Resource Group.

‍

Associating resources with a

Resource Group

Resources do not "belong" to a

Resource Group

Rather, one or more Security Groups are associated to a resource.

Create

Resource Group

via Terraform:

Syntax:

resource "azurerm_resource_group" "example" {
name = "example"
location = "West Europe"
}

Create

Resource Group

via CLI:

Parameters:

az group create --location
--name
[--managed-by]
[--tags]

Example:

az group create -l westus -n MyResourceGroup

aws cost

Costs

Direct Cost

Indirect Cost

No items found.

Best Practices for

Resource Group

Categorized by Availability, Security & Compliance and Cost

Medium

AMI (Amazon Machine Images) not in use

AWS Cost Optimization

AWS Well-Architected Framework

Medium

AMI (Amazon Machine Images) not in use (12 months)

AWS Cost Optimization

AWS Well-Architected Framework

High

AWS Config configuration changes alarm

Security & Compliance

AWS Well-Architected Framework

Low

Access allowed from VPN

Security & Compliance

No items found.

Low

Auto Scaling Group not in use

Other

No items found.

Low

CloudTrail changes alarm

Security & Compliance

Medium

Connections towards DynamoDB should be via VPC endpoints

Security & Compliance

No items found.

Medium

Connections towards S3 should be via VPC endpoint

Security & Compliance

Medium

Container in CrashLoopBackOff state

Availability

No items found.

Low

Cross peering connectivity is allowed by EC2

Security & Compliance

Low

Cross peering connectivity is allowed by ECS Task

Security & Compliance

Low

Cross peering connectivity is allowed by Lambda

Security & Compliance

Low

Cross peering connectivity is allowed by Pod

Security & Compliance

Low

Cross transit connectivity is allowed by EC2

Security & Compliance

Low

Cross transit connectivity is allowed by ECS

Security & Compliance

Low

Cross transit connectivity is allowed by Lambda

Security & Compliance

Low

Cross transit connectivity is allowed by Pod

Security & Compliance

Medium

DynamoDB tables not in use

AWS Cost Optimization

AWS Well-Architected Framework

Medium

EBS snapshots not in use

AWS Cost Optimization

AWS Well-Architected Framework

Medium

EBS volume not in use

AWS Cost Optimization

AWS Well-Architected Framework

Low

EC2 large instance create alarm

Security & Compliance

AWS Well-Architected Framework

Medium

EC2 should have a name set

Other

Critical

EC2 with Admin access (*:*)

Security & Compliance

Low

EC2 with GPU capabilities

AWS Cost Optimization

No items found.

Medium

EC2 with high privileged policies

Security & Compliance

No items found.

Medium

ECS cluster delete alarm

Availability

No items found.

Critical

ECS task with Admin access (*:*)

Security & Compliance

Medium

ECS task with high privileged policies

Security & Compliance

No items found.

Critical

EKS cluster delete alarm

Availability

No items found.

Medium

AWS Cost Optimization

AWS Well-Architected Framework

Medium

ElastiCache cluster delete alarm

Availability

No items found.

Medium

Elastic IP not in use

AWS Cost Optimization

AWS Well-Architected Framework

Low

Ensure API Gateway has Content Encoding feature enabled

Other

Medium

Ensure AWS Config is configured to include global resources

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure AWS EKS cluster has secrets encryption enabled

Security & Compliance

Medium

Ensure Amazon MQ broker instances are using desired instance types

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure Amazon MQ brokers Auto Minor Version Upgrade feature is enabled

Security & Compliance

Low

Ensure Amazon MQ brokers Log Exports feature is enabled

Security & Compliance

Medium

Ensure Amazon MQ brokers are not publicly accessible

Security & Compliance

Critical

Ensure Amazon MQ brokers are not publicly accessible

Security & Compliance

Low

Ensure Amazon MQ brokers are using the active/standby deployment mode

Availability

AWS Well-Architected Framework

Low

Ensure Amazon MQ brokers are using the latest engine version

Security & Compliance

Medium

Ensure Amazon SageMaker Notebook Instance is in VPC

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure Application Load Balancer (ALB) has access logging enabled

Security & Compliance

No items found.

Medium

Ensure Application Load Balancers (ALB) are configured to drop HTTP headers

Security & Compliance

AWS Foundational Security Best Practices Controls

Low

Ensure Auto-Tune feature is enabled in OpenSearch clusters

Other

No items found.

Medium

Ensure CloudFormation stacks Termination Protection feature is enabled

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure CloudFormation stacks are sending event notifications to an SNS topic

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure CloudFront distribution enforce HTTPS protocol for data in-transit

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2

Security & Compliance

Medium

Ensure CloudFront has WAF attached

Security & Compliance

AWS Foundational Security Best Practices Controls

Medium

Ensure CloudFront web distributions are configured to compress objects (files) automatically

AWS Cost Optimization

Medium

Ensure CloudFront web distributions enforce field-level encryption

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure CloudTrail Log File Integrity Validation is enabled

Security & Compliance

High

Ensure CloudTrail buckets are configured to use MFA

Security & Compliance

Medium

Ensure CloudTrail logs are encrypted at rest

Security & Compliance

High

Ensure CloudTrail trails have multi-region enabled

Security & Compliance

High

Ensure CloudTrail trails record global service events

Security & Compliance

Medium

Ensure CloudWatch Logs service is configured to monitor CloudTrail trail logs

Security & Compliance

Medium

Ensure Container liveness probe is configured

Availability

No items found.

Low

Ensure Container readiness probe is configured

Availability

No items found.

Critical

Ensure DMS instances are not accessible via Internet (Network and API)

Security & Compliance

AWS Well-Architected Framework

High

Ensure Database Migration Service (DMS) are not publicly accessible

Security & Compliance

Medium

Ensure Database Migration Service (DMS) replication instances are using Multi-AZ deployment configurations

Availability

Medium

Ensure Database Migration Service (DMS) replication instances have Auto Minor Version Upgrade feature enabled

Security & Compliance

Low

Ensure DocumentDB clusters have Log Exports feature enabled

Security & Compliance

Medium

Ensure DocumentDB database clusters have a minimum backup retention period

Other

AWS Well-Architected Framework

Critical

Ensure DocumentDB database instances are not accessible via Internet (Network and API)

Security & Compliance

Critical

Ensure DocumentDB database instances have storage encryption enabled

Security & Compliance

High

Ensure DocumentDB volumes are of type gp3 (General Purpose SSD) instead of gp2

AWS Cost Optimization

AWS Well-Architected Framework

Low

Ensure DynamoDB Tables are encrypted with customer managed key

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure DynamoDB tables have point in time recovery enabled

Availability

Medium

Ensure EBS snapshots are encrypted

Security & Compliance

Critical

Ensure EBS snapshots are not publicly accessible

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure EBS volumes are encrypted

Security & Compliance

Medium

Ensure EBS volumes are of type gp3 (General Purpose SSD) instead of gp2

AWS Cost Optimization

AWS Well-Architected Framework

Medium

Ensure EBS volumes are of type gp3 (General Purpose SSD) instead of io1

AWS Cost Optimization

AWS Well-Architected Framework

Critical

Ensure EC2 AMIs are not publicly accessible

Security & Compliance

Medium

Ensure EC2 instance uses an IAM profile

Security & Compliance

Medium

Ensure EC2 instances use Instance Metadata Service Version 2 (IMDSv2)

Security & Compliance

AWS Foundational Security Best Practices Controls

Medium

Ensure ECS task definition has memory limit

Availability

No items found.

High

Ensure EFS file systems are encrypted

High

Ensure EFS file systems are encrypted using KMS CMK customer-managed keys

AWS Well-Architected Framework

Low

Ensure EKS Private access is enabled

Security & Compliance

Medium

Ensure EKS Public access is disabled

Security & Compliance

Critical

Ensure EKS Public access is restricted to specific sources

Security & Compliance

Low

Ensure EMR cluster archive log files to S3

Other

AWS Well-Architected Framework

Critical

Ensure EMR cluster master nodes are not publicly accessible

Security & Compliance

No items found.

Medium

Ensure EMR clusters are encrypted in-transit and at-rest

Security & Compliance

AWS Well-Architected Framework

Critical

Ensure ElastiCache Redis clusters are encrypted at-rest

Security & Compliance

Critical

Ensure ElastiCache Redis clusters are encrypted in-transit

Security & Compliance

Low

Ensure ElastiCache Redis clusters have automatic backup turned on

Availability

No items found.

Medium

Ensure Geo-Restriction is enabled within CloudFront distribution

Security & Compliance

Medium

Ensure IAM Group has no inline policy

Security & Compliance

Medium

Ensure IAM Role has no inline policy

Security & Compliance

AWS Well-Architected Framework

Medium

Ensure IAM User has no inline policy

Security & Compliance

AWS Well-Architected Framework

Critical

Ensure IAM password policy expires passwords within 90 days or less

Security & Compliance

Low

Ensure IAM password policy has expiration period

Security & Compliance

Medium

Ensure IAM password policy prevents password reuse

Security & Compliance

Medium

Ensure IAM password policy require at least one lowercase letter

Security & Compliance

AWS Well-Architected Framework

We haven't write about

View all blog posts ->