Firewall - Filter Storage Accounts By Rules¶
This example demonstrates a common filtering scenario where we would like to ensure all firewalls are configured to only allow access from IP addresses in our datacenter (or any block of IP space).
Below we look at storage accounts and we identify any accounts where the firewall is not enabled or the firewall is enabled but it allows IP’s that are not within the specified IP space.
The IP space is specified as an array and can contain a variety of formats as shown in the example.
only field used in the firewall rules filter returns any resources
where the firewall only contains IP’s from the list provided. It need
not contain all of them (or any of them). In this example we use the
modifier to find non-compliant resources.
You could further extend this example by using the
to remediate the non-compliant resources.
policies: - name: storage-only-allow-datacenter-ips description: | Find all storage accounts which permit access from any IP not in datacenter IP space resource: azure.storage filters: - or: - type: value key: properties.networkAcls.defaultAction value: 'Allow' - not: - type: firewall-rules only: - '188.8.131.52' - '10.0.0.0/16' - '184.108.40.206 - 220.127.116.11'