Day 5 — Compliance, Policy & Automation
Day 5 — Compliance, Policy & Automation
Day 5 closes the course arc. After four days of building a secure cloud application from identity through to monitoring, you now face the final challenge: how do you keep things secure when no one is watching?
Day 5 Start Files
Day 5 labs
The Day 5 storyline
After building secure infrastructure, enabling monitoring, and deploying through pipelines — what happens when someone changes a setting in the portal at 2 AM? What if a developer forgets to tag a resource? What if storage is accidentally made public?
Manual fixes work once. Policy enforces forever. Automation closes the loop.
Day 5 introduces the final piece of the security lifecycle: compliance and policy. You will detect non-compliance in your deployed resources, fix it manually once, encode the rule as a policy, enable automatic remediation, and then observe anomalies in the monitoring data.
Day 1: Identity — manage identities, permissions, and secrets
Day 2: Network — configure network segmentation and access controls
Day 3: Automation — implement automated pipelines with security gates
Day 4: Audit — enable monitoring, threat detection, and investigation
Day 5: Compliance — enforce rules, automate fixes, detect anomaliesThis completes the full security lifecycle:
Identity → Network → Automation → Audit → ComplianceWhat changes in Day 5
Day 5 starts with a fresh repository containing the Day 5 infrastructure files. You will deploy all resources using Terraform, then add policy guardrails, remediation tasks, and anomaly detection on top.
| Resource | Action | Terraform or Portal? |
|---|---|---|
| All resources (App Services, Key Vault, Storage, Log Analytics, App Insights, VNet) | Deployed from Day 5 infrastructure | Terraform (Day 5 repo) |
| Backend apps | Zip source and deploy to App Services (Azure builds remotely) | PowerShell script |
| Frontend | Build locally, upload to blob storage | PowerShell script |
| Azure Policy — deny public blob access | Assign built-in policy to resource group | Portal + Terraform |
| Azure Policy — require tags | Create custom policy and assign | Portal |
| The power of tags | Explore tags beyond compliance (cost, automation, incident response) | Portal |
| Remediation tasks | Apply missing tags, disable public access | Portal |
| Security config summary endpoint | Add /api/security/config-summary to backend | Application code |
| Demo traffic generator | Add /api/demo/traffic and /api/demo/errors | Application code |
| KQL anomaly queries | Write queries in Log Analytics / Sentinel | Portal |
Policy evaluation takes time. Azure Policy can take 15–30 minutes to evaluate existing resources after assignment. Remediation tasks may take even longer.
Theory overview
Day 5 has four theory pages that build on each other. Read them in order:
Compliance and Governance in the Cloud
Covers the foundational concepts: compliance vs governance, the three types of security controls (preventive, detective, corrective), and why citizen development makes compliance harder — not easier. This page also introduces the "shift left" philosophy: bake rules into the platform so the right thing is the easy thing.
Azure Policy
Covers how Azure Policy works at a practical level: definitions vs assignments, the different policy effects (Deny, Audit, DeployIfNotExists, Modify), scopes and exclusions, and the critical distinction between RBAC and Policy. This page also walks through common scenarios (tagging, encryption, network security, monitoring baseline).
Security Automation
Covers the three approaches to fixing problems (manual, encoded policy, automated remediation), Power Automate approval flows for human-in-the-loop automation, Logic Apps for alerting and response, and the Auto-Remediate vs Alert-Only decision framework. Includes the risks of over-automation: false positives, business disruption, and alert fatigue.
Anomaly Detection in Cloud Security
Covers rule-based vs statistical anomaly detection, KQL-based anomaly patterns, Defender for Cloud vs custom KQL hunting, the importance of baselining, and strategies for avoiding alert fatigue. The practical approach: use Defender for Cloud as your baseline, then write custom queries for the threats that matter to your organisation.
Architecture
Policy assignments evaluate resources against rules. Remediation tasks automatically fix violations. KQL queries and Application Insights detect anomalies in the data flowing from your resources.
What you will learn
After Day 5, you will know how to:
- Identify compliance violations in deployed Azure resources
- Apply built-in Azure Policies to enforce security baselines
- Create custom policy definitions for organizational requirements
- Build a Power Automate approval flow for human-in-the-loop automation
- Enable remediation tasks that automatically fix non-compliant resources
- Write KQL queries for anomaly detection in Log Analytics
- Generate and analyze synthetic traffic for testing detection rules
- Decide when to auto-remediate versus alert-only
Day 5 labs
| Lab | Topic |
|---|---|
| Lab 5.1 | Discover & fix compliance violations in your deployed resources |
| Lab 5.2 | Assign Azure Policy guardrails (deny public access, require tags) |
| Lab 5.3 | Build a Power Automate approval flow — automation that asks before it acts |
| Lab 5.4 | Explore the power of tags beyond compliance |
| Lab 5.5 | Enable auto-remediation and observe policy enforcement |
| Lab 5.6 | Write KQL queries for lightweight anomaly detection |