
Compliance standards (SOC, ISO, GDPR) in Azure - Commands & Configuration

Introduction
Compliance standards are sets of rules an organization follows to keep data safe and private. SOC 2, ISO 27001 and GDPR are examples: each defines the controls you must have in place and gives you a recognized way to show auditors, customers and partners that those controls exist and work.
When you store customer data and need to prove it is protected properly.
When your company wants to meet international security rules to work with global partners.
When you handle personal data of people in Europe and must follow privacy laws.
When you want to show your cloud setup meets recognized safety standards.
When auditors ask for evidence of your security controls and policies.
Commands
The az security regulatory-compliance-standards, regulatory-compliance-controls and regulatory-compliance-assessments command groups read the Regulatory compliance data that Microsoft Defender for Cloud (formerly Azure Security Center) computes for a subscription. Each standard is made up of controls, and each control of assessments; every level reports a state of Passed, Failed, Skipped or Unsupported. Run az login and select the right subscription before running them.
This command lists the compliance standards enabled in your subscription and shows the overall state of each.
Terminal
az security regulatory-compliance-standards list --query "[].{Name:name, State:state, FailedControls:failedControls}"
Expected output (illustrative; the standards shown depend on which ones are enabled in Defender for Cloud)
[{"Name":"SOC-TSP","State":"Passed","FailedControls":0},{"Name":"ISO-27001","State":"Failed","FailedControls":3}]
--query - A JMESPath expression that filters and formats the output so only the selected fields of each standard are shown.
This command lists the controls of one standard (ISO-27001 here, using the name exactly as the previous command printed it) and keeps only the controls that are failing, so you can see which ones need attention.
Terminal
az security regulatory-compliance-controls list --standard-name ISO-27001 --query "[?state=='Failed'].{Control:name, State:state, FailedAssessments:failedAssessments}"
Expected output (illustrative)
[{"Control":"A.10.1.1","State":"Failed","FailedAssessments":2}]
This command lists the assessments behind one failing control and which of them failed. Each assessment is a Defender for Cloud recommendation, so this is what tells you what to fix and on how many resources.
Terminal
az security regulatory-compliance-assessments list --standard-name ISO-27001 --control-name A.10.1.1 --query "[?state=='Failed'].{Assessment:name, FailedResources:failedResources}"
Expected output (illustrative)
[{"Assessment":"Transparent data encryption on SQL databases should be enabled","FailedResources":1}]
Add -o table to any of these commands to get a readable table instead of JSON; the JSON form is the one to keep as audit evidence.
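As an added example (not code from the original page), the script below automates the drill-down the three commands above perform by hand: it reads the JSON those commands emit, picks out every standard that is not Passed and every control under it that is Failed, and prints the exact assessments command to run next for each one. The field names it relies on (name, state, failedControls, failedAssessments, failedResources) are the ones the az security regulatory-compliance-* commands return; the standard and control names in the embedded sample data are constructed, and the --live flag that calls az for real is this example's own convention.

```python
"""Compliance drill-down over Defender for Cloud CLI output.

Added example, not code from the page or from Azure. It consumes the JSON that
`az security regulatory-compliance-standards list`,
`az security regulatory-compliance-controls list --standard-name <S>` and
`az security regulatory-compliance-assessments list --standard-name <S> --control-name <C>`
emit with `-o json`, and builds an auditor-style summary of what is failing.
"""
import json
import shlex
import subprocess
import sys

# Constructed sample shaped like `az security regulatory-compliance-standards list -o json`.
SAMPLE_STANDARDS = [
    {"name": "SOC-TSP", "state": "Passed", "passedControls": 60, "failedControls": 0, "skippedControls": 2},
    {"name": "ISO-27001", "state": "Failed", "passedControls": 45, "failedControls": 3, "skippedControls": 10},
]

# Constructed sample shaped like `... regulatory-compliance-controls list --standard-name <S>`.
SAMPLE_CONTROLS = {
    "SOC-TSP": [
        {"name": "CC6.1", "state": "Passed", "passedAssessments": 8, "failedAssessments": 0},
    ],
    "ISO-27001": [
        {"name": "A.9.2.1", "state": "Passed", "passedAssessments": 4, "failedAssessments": 0},
        {"name": "A.10.1.1", "state": "Failed", "passedAssessments": 1, "failedAssessments": 2},
        {"name": "A.12.4.1", "state": "Skipped", "passedAssessments": 0, "failedAssessments": 0},
    ],
}


def az_json(args):
    """Run an az command and parse its JSON output (only used in --live mode)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def failing_standards(standards):
    """Names of standards whose overall state is not Passed (Failed, Skipped or Unsupported)."""
    return sorted(s["name"] for s in standards if s.get("state") != "Passed")


def failed_controls(controls):
    """Controls whose state is Failed or that have at least one failed assessment."""
    return [c for c in controls if c.get("state") == "Failed" or c.get("failedAssessments", 0) > 0]


def evidence_command(standard, control):
    """The az command an auditor runs next to list the failed assessments behind one control."""
    return shlex.join([
        "az", "security", "regulatory-compliance-assessments", "list",
        "--standard-name", standard, "--control-name", control,
        "--query", "[?state=='Failed'].{Name:name, FailedResources:failedResources}",
        "-o", "table",
    ])


def build_report(standards, controls_by_standard):
    """Map each non-passing standard to its failed controls and the follow-up commands."""
    report = {}
    for name in failing_standards(standards):
        failed = failed_controls(controls_by_standard.get(name, []))
        report[name] = {
            "failed_controls": [c["name"] for c in failed],
            "next_steps": [evidence_command(name, c["name"]) for c in failed],
        }
    return report


def main(live=False):
    """Print the report from live az calls (--live) or from the constructed samples."""
    if live:
        standards = az_json(["security", "regulatory-compliance-standards", "list"])
        controls = {
            s["name"]: az_json(["security", "regulatory-compliance-controls", "list",
                                "--standard-name", s["name"]])
            for s in standards if s.get("state") != "Passed"
        }
    else:
        standards, controls = SAMPLE_STANDARDS, SAMPLE_CONTROLS
    print(json.dumps(build_report(standards, controls), indent=2))


if __name__ == "__main__":
    main(live="--live" in sys.argv)
```

Run it with no arguments to see the report over the sample data, or with --live (after az login, with Security Reader on the subscription) to query Defender for Cloud; only the standards that are not Passed are expanded, which keeps the number of CLI calls small on subscriptions with many standards enabled.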
Key Concept

If you remember nothing else from this pattern, remember: compliance standards are checklists that help you prove your cloud setup protects data correctly.

Common Mistakes
Running compliance commands without the right Microsoft Defender for Cloud (formerly Azure Security Center) permissions
The commands fail with an authorization error, or return an empty list, because the signed-in identity cannot read the subscription's security data.
Make sure the account you used with az login has the Security Reader role (or a higher role such as Security Admin or Reader at subscription scope) and that the right subscription is selected before running the compliance commands.
Ignoring a Failed state in the compliance output
Failed means at least one control, and therefore at least one assessment on a real resource, is not met; left alone it is both a security gap and a finding an auditor will raise.
Drill down from the standard to the failed controls and their assessments, fix the resources they point at, and re-run the list command to confirm the state returns to Passed.
Summary
Use the az security regulatory-compliance-standards, -controls and -assessments commands to list and check compliance standards such as SOC 2, ISO 27001 and GDPR as Defender for Cloud evaluates them.
Review the failed controls and the assessments behind them to understand which parts of compliance need improvement.
Fix the resources the failing assessments point at so every control returns to Passed, and keep the command output as evidence for auditors.

Practice

1. What is the main purpose of compliance standards like SOC, ISO, and GDPR in cloud environments?
easy
A. To increase cloud storage capacity
B. To speed up network connections
C. To protect data and ensure legal rules are followed
D. To reduce cloud service costs

Solution

  1. Step 1: Understand compliance standards

    Compliance standards like SOC, ISO, and GDPR are designed to protect data and ensure organizations follow legal and security rules.
  2. Step 2: Identify the main goal in cloud

    In cloud environments, these standards help keep data safe and meet legal requirements.
  3. Final Answer:

    To protect data and ensure legal rules are followed -> Option C
  4. Quick Check:

    Compliance = Data protection + legal rules [OK]
Hint: Compliance means protecting data and following laws [OK]
Common Mistakes:
  • Confusing compliance with cost savings
  • Thinking compliance speeds up networks
  • Assuming compliance increases storage
2. Which Azure service helps enforce compliance standards automatically across your cloud resources?
easy
A. Azure Functions
B. Azure Virtual Machines
C. Azure Blob Storage
D. Azure Policy

Solution

  1. Step 1: Identify Azure services related to compliance

    Azure Policy is the service that evaluates resources against rules (policy definitions) and can audit or deny resources that break them, automatically, at resource group, subscription or management group scope.
  2. Step 2: Compare with other services

    Virtual Machines, Blob Storage, and Functions provide compute and storage; they are the resources a policy is applied to, not the tool that enforces it.
  3. Final Answer:

    Azure Policy -> Option D
  4. Quick Check:

    Compliance enforcement = Azure Policy [OK]
Hint: Azure Policy enforces rules automatically [OK]
Common Mistakes:
  • Choosing compute or storage services instead of the policy service
  • Confusing Azure Functions with compliance tools
3. Given this policy rule from an Azure Policy definition, what is the effect of the policy?
{
  "if": {
    "field": "location",
    "notIn": ["eastus", "westus"]
  },
  "then": {
    "effect": "deny"
  }
}
medium
A. Allows resources only in eastus and westus regions
B. Denies resources only in eastus and westus regions
C. Allows resources in all regions
D. Denies resources in all regions

Solution

  1. Step 1: Understand the policy condition

    The rule matches when the resource's location field is NOT in the list [eastus, westus].
  2. Step 2: Understand the policy effect

    When the condition matches, the deny effect rejects the create or update request, so only eastus and westus remain usable.
  3. Final Answer:

    Allows resources only in eastus and westus regions -> Option A
  4. Quick Check:

    NotIn + deny = allow only listed regions [OK]
Hint: "notIn" with "deny" means only listed allowed [OK]
Common Mistakes:
  • Thinking deny applies to listed regions
  • Confusing allow and deny effects
  • Ignoring the 'notIn' condition
4. You assigned an Azure Policy to enforce GDPR compliance, but resources in non-compliant regions are still created. What is the most likely cause?
medium
A. The policy effect is set to "audit" instead of "deny"
B. Azure Policies do not support region restrictions
C. The policy assignment scope is too narrow and misses some resources
D. The policy was assigned to a resource group instead of a subscription

Solution

  1. Step 1: Understand policy effects

    A policy with effect "audit" only marks matching resources as non-compliant in the compliance results; it never blocks the request. Only "deny" rejects a create or update.
  2. Step 2: Check why non-compliant resources are created

    The resources are still being created, so the policy is being evaluated but is not blocking; the most likely cause is that its effect is audit rather than deny. A scope that misses some resources is worth checking too, but that would leave those resources unevaluated rather than flagged.
  3. Final Answer:

    The policy effect is set to "audit" instead of "deny" -> Option A
  4. Quick Check:

    Audit reports only, deny blocks creation [OK]
Hint: Audit logs violations, deny blocks resource creation [OK]
Common Mistakes:
  • Assuming audit blocks resources
  • Ignoring policy scope impact
  • Confusing resource group and subscription scopes
5. Your company must comply with ISO standards requiring encryption of all data at rest in Azure. Which combination of Azure services and configurations best ensures compliance?
hard
A. Use Azure Storage without encryption and rely on network security groups for protection
B. Use Azure Storage with customer-managed keys for encryption and assign Azure Policy to deny unencrypted storage accounts
C. Use Azure Storage with default encryption enabled and assign Azure Policy to audit unencrypted storage accounts
D. Use Azure Storage with no encryption and assign Azure Policy to audit network traffic

Solution

  1. Step 1: Understand ISO encryption requirements

    The scenario's ISO requirement is that all data at rest is encrypted, with the organization in control of key management.
  2. Step 2: Choose encryption and policy enforcement

    Customer-managed keys kept in Azure Key Vault give the organization control over the encryption keys (rotation, access and revocation). Assigning an Azure Policy with the deny effect stops storage accounts that do not meet the requirement from being created or updated, so the control is enforced rather than merely reported.
  3. Step 3: Evaluate other options

    Audit only reports non-compliant accounts; it does not block them. Network security groups filter network traffic and say nothing about data at rest. Note also that Azure Storage always applies service-side encryption with platform-managed keys and it cannot be switched off, so the real decision is who controls the keys, which is why the customer-managed-key option is the strongest answer.
  4. Final Answer:

    Use Azure Storage with customer-managed keys for encryption and assign Azure Policy to deny unencrypted storage accounts -> Option B
  5. Quick Check:

    Encryption + deny policy = ISO compliance [OK]
Hint: Encrypt with keys + deny unencrypted storage [OK]
Common Mistakes:
  • Relying on audit instead of deny
  • Ignoring encryption at rest
  • Confusing network security with data encryption
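Questions 3, 4 and 5 all turn on how a policy rule's condition and effect combine. As an added example, not code from the page or from Azure, the miniature evaluator below implements just enough of the policy-rule language (field conditions with equals, notEquals, in and notIn, the allOf, anyOf and not combinators, and the audit and deny effects) to run those three cases over constructed resources: the notIn + deny region rule from question 3, the same rule with audit from question 4 (the resource is created and only recorded as a finding), and an enforceable form of question 5's answer that denies storage accounts whose encryption key source is not Key Vault. The alias Microsoft.Storage/storageAccounts/encryption.keySource and its values Microsoft.Keyvault and Microsoft.Storage are real; the field resolution (top-level location, type and name, anything else looked up under properties after stripping the type prefix) is this example's own simplification of Azure's alias handling, and the sample resources are constructed.

```python
"""Miniature evaluator for Azure Policy rule semantics.

Added example, not the page's or Azure's code. It shows why notIn + deny allows
only the listed regions, why audit does not block anything, and how a deny rule
enforces customer-managed keys on storage accounts. Field resolution is an
assumption: `location`, `type`, `name` are read from the resource itself and any
other field is treated as a property alias under `properties`.
"""

# Question 3: deny anything outside eastus/westus.
REGION_DENY = {"if": {"field": "location", "notIn": ["eastus", "westus"]},
               "then": {"effect": "deny"}}

# Question 4: same condition with audit, which records but never blocks.
REGION_AUDIT = {"if": {"field": "location", "notIn": ["eastus", "westus"]},
                "then": {"effect": "audit"}}

# Question 5: storage accounts must use a customer-managed key in Key Vault.
# keySource is "Microsoft.Keyvault" for CMK and "Microsoft.Storage" for platform keys.
STORAGE_CMK_DENY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/encryption.keySource",
         "notEquals": "Microsoft.Keyvault"},
    ]},
    "then": {"effect": "deny"},
}

TOP_LEVEL = {"location", "type", "name"}


def resolve_field(resource, field):
    """Return the value a policy `field` refers to on this resource (None if absent)."""
    if field in TOP_LEVEL:
        return resource.get(field)
    # Alias form "<resource type>/<path.inside.properties>": drop the prefix, walk the path.
    prefix = resource.get("type", "") + "/"
    path = field[len(prefix):] if field.startswith(prefix) else field
    value = resource.get("properties", {})
    for part in path.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def condition_matches(cond, resource):
    """Evaluate one condition object from a policy rule's `if` block."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource)
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")


def deploy(policies, resources):
    """Simulate create requests. Returns (created names, audit findings, denied names)."""
    created, findings, denied = [], [], []
    for res in resources:
        blocked = False
        for policy in policies:
            if not condition_matches(policy["if"], res):
                continue  # rule did not match: this policy has no effect on the resource
            effect = policy["then"]["effect"].lower()  # effect names are case-insensitive
            if effect == "deny":
                blocked = True
            elif effect == "audit":
                findings.append(res["name"])  # flagged as non-compliant, still created
        (denied if blocked else created).append(res["name"])
    return created, findings, denied


# Constructed sample resources.
SAMPLE_RESOURCES = [
    {"name": "vm-east", "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
    {"name": "vm-north", "type": "Microsoft.Compute/virtualMachines", "location": "northeurope"},
    {"name": "stcmk", "type": "Microsoft.Storage/storageAccounts", "location": "westus",
     "properties": {"encryption": {"keySource": "Microsoft.Keyvault"}}},
    {"name": "stplatform", "type": "Microsoft.Storage/storageAccounts", "location": "westus",
     "properties": {"encryption": {"keySource": "Microsoft.Storage"}}},
]

if __name__ == "__main__":
    for label, policies in [("audit only", [REGION_AUDIT]),
                            ("deny region + deny non-CMK storage", [REGION_DENY, STORAGE_CMK_DENY])]:
        created, findings, denied = deploy(policies, SAMPLE_RESOURCES)
        print(f"{label}: created={created} audit_findings={findings} denied={denied}")
```

With the audit-only assignment every sample resource is created and vm-north merely shows up as a finding, which is the situation in question 4; switching to the two deny rules blocks vm-north (wrong region) and stplatform (platform-managed key) while vm-east and stcmk go through. Real Azure evaluates deny only on create and update requests, so resources that already exist when a deny policy is assigned are reported as non-compliant rather than removed.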