A New Approach to Back-End Cloud Governance

Blog

Cloud administrators already govern front-end access to their cloud resources. Now, they have greater visibility and control over their back-end cloud governance on Azure, thanks to an update to Azure Resource Graph. Learn how to monitor and report what people are doing on your cloud.


Who’s doing what in your cloud? That’s a question that has been difficult to answer. 

Cloud administrators have long had control over front-end governance of the cloud – that is, who comes in the front door. You can control who has access by roles, responsibilities, and assets. 

Once someone is already inside your house, however, it has been difficult to assess what they are doing. Are they stepping out of bounds? Which resources are they updating? Why were a batch of resources suddenly updated or deleted? Figuring out what happened used to mean going back to the permissions granted at the start and inferring what someone could have done, rather than seeing what they actually did. 

Earlier this year, Azure added functionality to its Azure Resource Graph (ARG) tool that lets you track how resources are created, changed, and deleted in your cloud. Previously, admins could see which resources existed and that they had changed, but not who changed them. Now, admins can see who initiated a change, and with which client it was made, across all the subscriptions and tenants they can query.

The new feature is called Change Actor Functionality. For each change record, Resource Graph now exposes under properties.changeAttributes:

  • Who made the change (changedBy, with changedByType telling you whether it was a user account or a workload identity)   
  • With which client the change was made (clientType)  
  • What operation was called (operation)  

Using Change Actor Functionality, you can audit, troubleshoot, and govern at scale. By using Azure Resource Graph to query your resource changes, you can craft charts and pin results to Azure dashboards based on specific change queries.

This new functionality also improves the reporting available for FinOps dashboards. Monitoring cloud operational cost by cost center, service type, application, or other tags gives you insight into the budgetary control of your cloud practice. Change Actor data supplements that cost data by showing which users directly affected those resources and what state the resources ended up in. Resource Graph holds no cost figures itself, so the join between the two happens in your reporting layer; once it is in place, you can tell for each cost center, service type, or application whether a resource was added, updated, or removed, by whom, and what that action cost. 

At CoStrategix, we are building audit reports and notifications that reconcile the permissions we granted with the actions users actually take. We can supplement existing cloud data reports with back-end cloud governance reports for project managers and technical managers, detailing how individual projects within an Azure tenant are functioning. 
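The following query is an added example that is not from the original post or from CoStrategix. It takes the Change Actor fields described above and turns them into the kind of review list a governance report needs: resource deletes and updates made directly by a human account, with the cost-center tag of the target resource attached when the resource still exists. Two assumptions are mine: that sanctioned changes arrive through a pipeline identity rather than a user account, and that cost centers are recorded in a tag named costCenter. The 14-day lookback is the retention window of the resourcechanges table.

```kql
// Added example (not from the original post): interactive deletes and updates
// by human accounts, with the cost-center tag of the target resource.
// Assumptions (ours): sanctioned changes come from a pipeline identity
// (service principal or managed identity); direct user changes get reviewed;
// cost centers live in a tag named "costCenter".
resourcechanges
| extend
    changeTime       = todatetime(properties.changeAttributes.timestamp),
    changeType       = tostring(properties.changeType),
    operation        = tostring(properties.changeAttributes.operation),
    changedBy        = tostring(properties.changeAttributes.changedBy),
    changedByType    = tostring(properties.changeAttributes.changedByType),
    clientType       = tostring(properties.changeAttributes.clientType),
    // lower-cased so the join key matches the id column of the resources table
    targetResourceId = tolower(tostring(properties.targetResourceId))
// resourcechanges keeps 14 days of history, so this is the widest window available
| where changeTime > ago(14d)
// creates are usually reviewed through cost; deletes and updates are the risk
| where changeType in ("Delete", "Update")
// a person rather than a workload identity. Confirm the value strings in your
// tenant first with:  resourcechanges | summarize count() by tostring(properties.changeAttributes.changedByType)
| where changedByType =~ "User"
// attach the tag as the resource exists now; a deleted target has no match,
// so its costCenter comes back empty and must be filled from a snapshot or CMDB
| join kind=leftouter (
    resources
    | project targetResourceId = tolower(id), costCenter = tostring(tags["costCenter"])
  ) on targetResourceId
| project changeTime, changedBy, clientType, changeType, operation, targetResourceId, costCenter
| order by changeTime desc
```

Run it from the Resource Graph Explorer blade in the Portal or with az graph query, then pin or export the result as with any other ARG query. The empty costCenter on deleted resources is deliberate: it is the list of deletions your FinOps report cannot attribute, which is itself worth surfacing.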

How to Build a Query and Back-End Cloud Governance Report

Using the Power BI connector for Azure Resource Graph, your cloud admin can reduce time to value and produce reports in days, even before a full data cloud integration is in place. Ideally, you would periodically query Resource Graph, ingest the results into a data warehouse, validate them, and enrich them with additional metadata. Pulling the Change Actor data into a warehouse also matters because Resource Graph only retains change history for 14 days; once landed, it can be analyzed more thoroughly for FinOps KPIs and reporting.

Here is how CoStrategix builds a query and back-end cloud governance report. Below is a sample query we built in just a few minutes and added to Power BI to create a report within a day.

The following query summarizes who made resource changes, and with which client, over the last 7 days, ordered by the number of changes made:

resourcechanges 
| extend
     // timestamp of the change and its calendar parts, for grouping by day
     changeTime = todatetime(properties.changeAttributes.timestamp),
     changeYear = datetime_part('year', todatetime(properties.changeAttributes.timestamp)),
     changeMonth = datetime_part('month', todatetime(properties.changeAttributes.timestamp)),
     changeDay = datetime_part('day', todatetime(properties.changeAttributes.timestamp)),
     targetResourceId = tostring(properties.targetResourceId),
     // Create, Update or Delete
     changeType = tostring(properties.changeType),
     // Change Actor fields: who, what kind of identity, and through which client
     changedBy = tostring(properties.changeAttributes.changedBy),
     changedByType = tostring(properties.changeAttributes.changedByType),
     clientType = tostring(properties.changeAttributes.clientType)
// resourcechanges retains 14 days of history, so any window up to 14d is valid
| where changeTime > ago(7d)
| project changeYear, changeMonth, changeDay,
     changeType, changedBy, changedByType, clientType
| summarize count() by changeYear, changeMonth, changeDay,
     changedBy, changeType, clientType
| order by count_ desc 

For additional details, see Microsoft's documentation on Azure Resource Graph Change Actor functionality.

Back-End Governance Report Example

Now You Try It Out

Try querying the “resourcechanges” table (changes to individual resources) or the “resourcecontainerchanges” table (changes to resource groups and subscriptions) in your Azure Resource Graph.
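As a second added example, not from the original post, here is a query that answers the question raised at the top of the post, why a batch of resources was suddenly deleted. It unions the two change tables, so a resource group deletion and the resource deletions that follow it land in the same result, bins the deletes into one-hour windows per actor and client, and keeps only the windows with an unusual number of deletions. The threshold of 10 deletes per hour is an assumption to tune for your environment.

```kql
// Added example (not from the original post): bursts of deletions per actor.
// Unions resource-level and container-level (resource group / subscription)
// deletes, bins them into 1-hour windows per actor and client, and keeps the
// windows above a threshold. The threshold of 10 is an assumption; tune it.
union
  (resourcechanges
   | extend targetId = tostring(properties.targetResourceId), scope = "resource"),
  (resourcecontainerchanges
   | extend targetId = tostring(properties.targetResourceId), scope = "container")
| extend
    changeTime = todatetime(properties.changeAttributes.timestamp),
    changeType = tostring(properties.changeType),
    changedBy  = tostring(properties.changeAttributes.changedBy),
    clientType = tostring(properties.changeAttributes.clientType)
// both tables keep 14 days of history
| where changeTime > ago(14d) and changeType == "Delete"
| summarize
    deletes         = count(),
    distinctTargets = dcount(targetId),
    containerDeletes = countif(scope == "container"),
    firstDelete     = min(changeTime),
    lastDelete      = max(changeTime)
    by changedBy, clientType, window = bin(changeTime, 1h)
// a handful of deletes an hour is normal housekeeping; a burst is not
| where deletes > 10
| order by deletes desc, window desc
```

A row with containerDeletes greater than zero and many distinctTargets is the signature of a whole resource group being removed; a row with many deletes of a single target usually means a retry loop in automation rather than a person. Either way, changedBy and clientType tell you where to look next.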

Additional Resources

If you are new to Azure Resource Graph (ARG), please check out the main Microsoft Learn page for the service. Azure provides multiple methods for accessing the data, including the Portal, Azure CLI and PowerShell, the REST API, and Power BI.

How is your Kusto (KQL) knowledge? ARG data is queried using the Kusto Query Language (KQL), the same language used by Azure Data Explorer, although Resource Graph supports only a subset of its operators and functions. The documentation includes a list of the available tables along with starter and advanced query examples.

CoStrategix is a data and insights services firm that helps organizations improve decision-making capabilities by building data quality and reliability, and by making insights actionable. We can help you modernize your data ecosystem, develop custom visualizations, deliver insights at the point of decision, or enable your team with self-service analytics.