Firewall - Filter Storage Accounts By Rules

This example demonstrates a common filtering scenario where we would like to ensure all firewalls are configured to only allow access from IP addresses in our datacenter (or any block of IP space).

Below we look at storage accounts and we identify any accounts where the firewall is not enabled or the firewall is enabled but it allows IP’s that are not within the specified IP space.

The IP space is specified as an array and can contain a variety of formats as shown in the example.

The only field used in the firewall rules filter returns any resources where the firewall only contains IP’s from the list provided. It need not contain all of them (or any of them). In this example we use the not modifier to find non-compliant resources.

You could further extend this example by using the set-network-rules action to remediate the non-compliant resources.

policies:
  - name: storage-only-allow-datacenter-ips
    description: |
      Find all storage accounts which permit access
      from any IP not in datacenter IP space
    resource: azure.storage
    filters:
      - or:
        - type: value
          key: properties.networkAcls.defaultAction
          value: 'Allow'

        - not:
          - type: firewall-rules
            only:
              - '8.8.8.8'
              - '10.0.0.0/16'
              - '20.0.0.0 - 20.10.0.0'