After Lab 5.1 — Recap
After Lab 5.1 — Recap
You audited your Day 5 environment for compliance violations and documented what you found — discovering real problems without fixing them yet (you'll address those later when you learn the automated approaches).
What you should have discovered
| Violation | Where | Why it matters |
|---|---|---|
| Missing required tags | Resources without environment, student, managed_by, day tags | Makes cost allocation and resource ownership impossible |
| Public blob access | Storage containers set to public access — note: In azurerm provider 3.0+, the storage account property that controls whether blobs CAN be made public is called allow_nested_items_to_be_public (Azure ARM name: AllowBlobPublicAccess). Having this set to true means public access IS POSSIBLE but doesn't guarantee it — individual containers/blobs must also be configured with public access level separately. | Data can be accessed from anywhere on the internet |
| Missing diagnostic settings | Key Vault without logging enabled | No audit trail for key access — a compliance gap |
What you should have fixed
| Fix | Before | After |
|---|---|---|
| Missing tags | No environment, student, managed_by, day tags | Tags added to resources and resource groups |
| Public blob access | Storage container set to public access (container_access_type = "blob") | Container access type changed to private |
| Diagnostic settings | Key Vault without logging | Verified diagnostic settings enabled |
Why this matters
These violations would be flagged by any security review. But the key question is: who finds them?
In a manual process, a person has to remember to check. In an automated process, the system checks itself — continuously — and flags violations before they become incidents.
That is the difference between compliance as a one-time audit and compliance as a continuous practice.
But manual fixes work — only until someone creates a new resource that repeats the same violations. The key insight from this lab is that manual compliance is not a strategy. It is a starting point. You needed to see what a fix looks like before you could automate it.
Key principle: Fix it once manually, then encode the rule so it never needs to be fixed again.
Main takeaway
Compliance is not passing an audit. It is being able to show that important controls are defined, applied, monitored, and improved.
Bridge to Lab 5.2
Now that you've seen what compliance violations look like and fixed them manually, the next step is preventing them from happening in the first place — using Azure Policy. Review the Azure Policy theory page which explains policy effects, scopes, and the difference between preventive, detective, and corrective controls.