Azure Common Filters

Filters

auditing

Filter by the current auditing policy for this sql server.

example:

Find SQL servers with auditing disabled

policies:
  - name: sql-database-no-auditing
    resource: azure.sql-server
    filters:
      - type: auditing
        enabled: false
properties:
  default:
    type: object
  enabled:
    type: boolean
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - auditing
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

authentication

Web Applications Authentication Filter

example:

This policy will find all web apps without an authentication method enabled

policies:
  - name: webapp-no-authentication
    resource: azure.webapp
    filters:
      - type: authentication
        key: enabled
        value: False
        op: eq
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - authentication
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

azure-ad-administrators

Provides a value filter targetting the Azure AD Administrator of this SQL Server.

Here is an example of the available fields:

"administratorType": "ActiveDirectory",
"login": "bob@contoso.com",
"sid": "00000011-1111-2222-2222-123456789111",
"tenantId": "00000011-1111-2222-2222-123456789111",
"azureADOnlyAuthentication": true
examples:

Find SQL Servers without AD Administrator

policies:
  - name: sqlserver-no-ad-admin
    resource: azure.sqlserver
    filters:
      - type: azure-ad-administrators
        key: login
        value: absent
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - azure-ad-administrators
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

blob-services

Filter by the current blob services configuration for this storage account.

example:

Find storage accounts with blob services soft delete disabled or retention less than 7 days

policies:
  - name: storage-no-soft-delete
    resource: azure.storage
    filters:
      - or:
          - type: blob-services
            key: deleteRetentionPolicy.enabled
            value: false
          - type: blob-services
            key: deleteRetentionPolicy.days
            value: 7
            op: lt
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - blob-services
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

configuration

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - configuration
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

configuration-parameter

Filter by configuration parameter for this postresql server

Configurations are made available to the filter as a map with each key holding the name of the configuration and each value holding the properties of the Configuration as defined here: https://learn.microsoft.com/en-us/python/api/azure-mgmt-rdbms/azure.mgmt.rdbms.postgresql.models.configuration?view=azure-python

example:

Example JSON document showing the data format provided to the filter

{
  "value": "off",
  "description": "Logs each successful connection.",
  "defaultValue": "on",
  "dataType": "Boolean",
  "allowedValues": "on,off",
  "source": "user-override",
  "isConfigPendingRestart": "False",
  "isDynamicConfig": "True"
}
example:

Find Postgresql servers with log_connections not enabled

policies:
  - name: sql-database-no-log-connections
    resource: azure.postgresql-server
    filters:
      - type: configuration-parameter
        name: log_connections
        key: value
        op: ne
        value: 'on'
properties:
  default:
    type: object
  key:
    type: string
  name:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - configuration-parameter
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
- name
- type

cost

Filter resources by the cost consumed over a timeframe.

Total cost for the resource includes costs for all of it child resources if billed separately (e.g. SQL Server and SQL Server Databases). Warning message is logged if we detect different currencies.

Timeframe options:

  • Number of days before today

  • All days in current calendar period until today:

    • WeekToDate

    • MonthToDate

  • All days in the previous calendar period:

    • TheLastMonth

    • TheLastBillingMonth

examples:

SQL servers that were cost more than 2000 in the last month.

policies:
    - name: expensive-sql-servers-last-month
      resource: azure.sqlserver
      filters:
      - type: cost
        timeframe: TheLastMonth
        op: gt
        value: 2000

SQL servers that were cost more than 2000 in the last 30 days not including today.

policies:
    - name: expensive-sql-servers
      resource: azure.sqlserver
      filters:
      - type: cost
        timeframe: 30
        op: gt
        value: 2000
properties:
  default:
    type: object
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  timeframe:
    oneOf:
    - enum:
      - MonthToDate
      - BillingMonthToDate
      - TheLastMonth
      - TheLastBillingMonth
      - WeekToDate
    - minimum: 1
      type: number
  type:
    enum:
    - cost
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- timeframe
- type

diagnostic-settings

The diagnostic settings filter is implicitly just the ValueFilter on the diagnostic settings for an azure resource.

example:

Find Load Balancers that have logs for both LoadBalancerProbeHealthStatus category and LoadBalancerAlertEvent category enabled. The use of value_type: swap is important for these examples because it swaps the value and the evaluated key so that it evaluates the value provided is in the logs.

policies:
  - name: find-load-balancers-with-logs-enabled
    resource: azure.loadbalancer
    filters:
      - type: diagnostic-settings
        key: logs[?category == 'LoadBalancerProbeHealthStatus'][].enabled
        value: True
        op: in
        value_type: swap
      - type: diagnostic-settings
        key: logs[?category == 'LoadBalancerAlertEvent'][].enabled
        value: True
        op: in
        value_type: swap
example:

Find KeyVaults that have logs enabled for the AuditEvent category.

policies:
  - name: find-keyvaults-with-logs-enabled
    resource: azure.keyvault
    filters:
      - type: diagnostic-settings
        key: logs[?category == 'AuditEvent'][].enabled
        value: True
        op: in
        value_type: swap
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - diagnostic-settings
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

effective-route-table

Filters network interfaces by the Effective Route Table

example:

This policy will get Network Interfaces that have VirtualNetworkGateway and VNet hops.

policies:
  - name: virtual-network-gateway-hop
    resource: azure.networkinterface
    filters:
      - type: effective-route-table
        key: routes.value[?source == 'User'].nextHopType
        op: difference
        value:
          - Internet
          - None
          - VirtualAppliance
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - effective-route-table
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

event

Filter a resource based on an event.

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - event
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

firewall-rules

Filters resources by the firewall rules

Rules can be specified as x.x.x.x-y.y.y.y or x.x.x.x or x.x.x.x/y.

With the exception of equal all modes reference total IP space and ignore specific notation.

include: True if all IP space listed is included in firewall.

any: True if any overlap in IP space exists.

only: True if firewall IP space only includes IPs from provided space (firewall is subset of provided space).

equal: the list of IP ranges or CIDR that firewall rules must match exactly.

IMPORTANT: this filter ignores all bypass rules. If you want to ensure your resource is not available for other Azure Cloud services or from the Portal, please use firewall-bypass filter.

example:

policies:
    - name: servers-with-firewall
      resource: azure.sqlserver
      filters:
          - type: firewall-rules
            include:
                - '131.107.160.2-131.107.160.3'
                - 10.20.20.0/24
example:

For SQL Server and Postresql Server, Azure represents the service bypass as firewall rule allowing traffic from “0.0.0.0” (this allows traffic from all other azure services). By default the firewall filter for these resources ignores this rule during evaluation. To include it in the evaluation set the “include-azure-services” flag to true. For example, to find all Postgresql Servers where traffic is allowed from all Azure services:

policies:
  - name: postgres-servers-open-from-azure
    resource: azure.sqlserver
    filters:
      - type: firewall-rules
        include-azure-services: true
        equal:
          - '0.0.0.0'
oneOf:
- required:
  - type
  - include
- required:
  - type
  - any
- required:
  - type
  - only
- required:
  - type
  - equal
properties:
  any:
    items:
      type: string
    type: array
  equal:
    items:
      type: string
    type: array
  include:
    items:
      type: string
    type: array
  include-azure-services:
    type: boolean
  only:
    items:
      type: string
    type: array
  type:
    enum:
    - firewall-rules

flow-logs

Filter a Network Security Group by its associated flow logs. NOTE: only one flow log can be assigned to a Network Security Group, but to maintain parity with the Azure API, a list of flow logs is returned to the filter.

example:

Find all network security groups with a flow-log retention less than 90 days

policies:
  - name: flow-logs
    resource: azure.networksecuritygroup
    filters:
      - or:
        - type: flow-logs
          key: logs
          value: empty
        - type: flow-logs
          key: logs[0].retentionPolicy.days
          op: lt
          value: 90
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - flow-logs
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

instance-view

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - instance-view
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

list-item

Perform multi attribute filtering on items within a list, for example looking for security groups that have rules which include 0.0.0.0/0 and port 22 open.

example:

policies:
  - name: security-group-with-22-open-to-world
    resource: aws.security-group
    filters:
      - type: list-item
        key: IpPermissions
        attrs:
          - type: value
            key: IpRanges[].CidrIp
            value: '0.0.0.0/0'
            op: in
            value_type: swap
          - type: value
            key: FromPort
            value: 22
          - type: value
            key: ToPort
            value: 22
  - name: find-task-def-not-using-registry
    resource: aws.ecs-task-definition
    filters:
      - not:
        - type: list-item
          key: containerDefinitions
          attrs:
            - not:
              - type: value
                key: image
                value: "${account_id}.dkr.ecr.us-east-2.amazonaws.com.*"
                op: regex
properties:
  attrs:
    items:
      anyOf:
      - $ref: '#/definitions/filters/value'
      - $ref: '#/definitions/filters/valuekv'
      - additional_properties: false
        properties:
          and:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          or:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          not:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
    type: array
  count:
    type: number
  count_op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  key:
    type: string
  type:
    enum:
    - list-item
required:
- type

marked-for-op

Filter resources for tag specified future action

Filters resources by a ‘custodian_status’ tag which specifies a future date for an action.

The filter parses the tag values looking for an ‘op@date’ string. The date is parsed and compared to do today’s date, the filter succeeds if today’s date is gte to the target date.

The optional ‘skew’ parameter provides for incrementing today’s date a number of days into the future. An example use case might be sending a final notice email a few days before terminating an instance, or snapshotting a volume prior to deletion.

The optional ‘skew_hours’ parameter provides for incrementing the current time a number of hours into the future.

Optionally, the ‘tz’ parameter can get used to specify the timezone in which to interpret the clock (default value is ‘utc’)

example:

policies:
 - name: vm-stop-marked
   resource: azure.vm
   filters:
     - type: marked-for-op
       # The default tag used is custodian_status
       # but that is configurable
       tag: custodian_status
       op: stop
       # Another optional tag is skew
       tz: utc
properties:
  op:
    type: string
  skew:
    minimum: 0
    type: number
  skew_hours:
    minimum: 0
    type: number
  tag:
    type: string
  type:
    enum:
    - marked-for-op
  tz:
    type: string
required:
- type

metric

Filters Azure resources based on live metrics from the Azure monitor

Click here for a full list of metrics supported by Azure resources.

example:

Find all VMs with an average Percentage CPU greater than 75% over last 2 hours

policies:
  - name: vm-percentage-cpu
    resource: azure.vm
    filters:
      - type: metric
        metric: Percentage CPU
        aggregation: average
        op: gt
        threshold: 75
        timeframe: 2
example:

Find KeyVaults with more than 1000 API hits in the last hour

policies:
  - name: keyvault-hits
    resource: azure.keyvault
    filters:
      - type: metric
        metric: ServiceApiHit
        aggregation: total
        op: gt
        threshold: 1000
        timeframe: 1
example:

Find SQL servers with less than 10% average DTU consumption across all databases over last 24 hours

policies:
  - name: dtu-consumption
    resource: azure.sqlserver
    filters:
      - type: metric
        metric: dtu_consumption_percent
        aggregation: average
        op: lt
        threshold: 10
        timeframe: 24
        filter:  "DatabaseResourceId eq '*'"
properties:
  aggregation:
    enum:
    - total
    - average
    - count
    - minimum
    - maximum
  filter:
    type: string
  interval:
    enum:
    - PT1M
    - PT5M
    - PT15M
    - PT30M
    - PT1H
    - PT6H
    - PT12H
    - P1D
  metric:
    type: string
  no_data_action:
    enum:
    - include
    - exclude
    - to_zero
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
  threshold:
    type: number
  timeframe:
    type: number
  type:
    enum:
    - metric
required:
- type
- metric
- op
- threshold

offer

CosmosDB Offer Filter

Allows access to the offer on a collection or database.

example:

This policy will find all collections with a V2 offer which indicates throughput is provisioned at the collection scope.

policies:
  - name: cosmosdb-collection-high-throughput
    resource: azure.cosmosdb-collection
    filters:
      - type: offer
        key: offerVersion
        op: eq
        value: 'V2'
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - offer
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

offhour

Schedule offhours for resources see offhours for features and configuration.

properties:
  default_tz:
    type: string
  fallback-schedule:
    type: string
  fallback_schedule:
    type: string
  offhour:
    maximum: 23
    minimum: 0
    type: integer
  opt-out:
    type: boolean
  skip-days:
    items:
      pattern: ^[0-9]{4}-[0-9]{2}-[0-9]{2}
      type: string
    type: array
  skip-days-from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  tag:
    type: string
  type:
    enum:
    - offhour
  weekends:
    type: boolean
  weekends-only:
    type: boolean
required:
- offhour
- default_tz
- type

onhour

Schedule offhours for resources see offhours for features and configuration.

properties:
  default_tz:
    type: string
  fallback-schedule:
    type: string
  fallback_schedule:
    type: string
  onhour:
    maximum: 23
    minimum: 0
    type: integer
  opt-out:
    type: boolean
  skip-days:
    items:
      pattern: ^[0-9]{4}-[0-9]{2}-[0-9]{2}
      type: string
    type: array
  skip-days-from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  tag:
    type: string
  type:
    enum:
    - onhour
  weekends:
    type: boolean
  weekends-only:
    type: boolean
required:
- onhour
- default_tz
- type

parent

Meta filter that allows you to filter child resources by applying filters to their parent resources.

You can use any filter supported by corresponding parent resource type.

examples:

Find Azure KeyVault Keys from Key Vaults with owner:ProjectA tag.

policies:
  - name: kv-keys-from-tagged-keyvaults
    resource: azure.keyvault-key
    filters:
      - type: parent
        filter:
          type: value
          key: tags.owner
          value: ProjectA
properties:
  filter:
    type: object
  type:
    enum:
    - parent
required:
- type
- type

policy-compliant

Filter resources based on Azure Policy compliance status

Filter resources by their current Azure Policy compliance status.

You can specify if you want to filter compliant or non-compliant resources.

You can provide a list of Azure Policy definitions display names or names to limit amount of non-compliant resources. By default it returns a list of all non-compliant resources.

policies:
 - name: non-compliant-vms
   resource: azure.vm
   filters:
     - type: policy-compliant
       compliant: false
       definitions:
         - "Definition display name 1"
         - "Definition display name 2"
properties:
  compliant:
    type: boolean
  definitions:
    type: array
  type:
    enum:
    - policy-compliant
required:
- type
- compliant
- type

reduce

Generic reduce filter to group, sort, and limit your resources.

This example will select the longest running instance from each ASG, then randomly choose 10% of those, maxing at 15 total instances.

example:

- name: oldest-instance-by-asg
  resource: ec2
  filters:
    - "tag:aws:autoscaling:groupName": present
    - type: reduce
      group-by: "tag:aws:autoscaling:groupName"
      sort-by: "LaunchTime"
      order: asc
      limit: 1

Or you might want to randomly select a 10 percent of your resources, but no more than 15.

example:

- name: random-selection
  resource: ec2
  filters:
    - type: reduce
      order: randomize
      limit: 15
      limit-percent: 10
properties:
  discard:
    minimum: 0
    type: number
  discard-percent:
    maximum: 100
    minimum: 0
    type: number
  group-by:
    oneOf:
    - type: string
    - key:
        type: string
      type: object
      value_regex: string
      value_type:
        enum:
        - string
        - number
        - date
  limit:
    minimum: 0
    type: number
  limit-percent:
    maximum: 100
    minimum: 0
    type: number
  null-order:
    enum:
    - first
    - last
  order:
    enum:
    - asc
    - desc
    - reverse
    - randomize
  sort-by:
    oneOf:
    - type: string
    - key:
        type: string
      type: object
      value_regex: string
      value_type:
        enum:
        - string
        - number
        - date
  type:
    enum:
    - reduce
required:
- type

resource-lock

Filter locked resources. Lock can be of 2 types: ReadOnly and CanNotDelete. To filter any lock, use “Any” type. Lock type is optional, by default any lock will be applied to the filter. To get unlocked resources, use “Absent” type.

example:

Get all keyvaults with ReadOnly lock:

policies:
 - name: locked-keyvaults
   resource: azure.keyvault
   filters:
     - type: resource-lock
       lock-type: ReadOnly
example:

Get all locked sqldatabases (any type of lock):

policies:
 - name: locked-sqldatabases
   resource: azure.sqldatabase
   filters:
     - type: resource-lock
example:

Get all unlocked resource groups:

policies:
 - name: unlock-rgs
   resource: azure.resourcegroup
   filters:
     - type: resource-lock
       lock-type: Absent
properties:
  lock-type:
    enum:
    - ReadOnly
    - CanNotDelete
    - Any
    - Absent
  type:
    enum:
    - resource-lock
required:
- type
- type

server-configuration

Filter by server parameter for this MySql server

Configurations are made available to the filter as a map with each key holding the name of the configuration and each value holding the properties of the Configuration as defined here: https://learn.microsoft.com/en-us/python/api/azure-mgmt-rdbms/azure.mgmt.rdbms.mysql.models.configuration?view=azure-python

example:

Example JSON document showing the data format provided to the filter

{
 "value": "OFF",
  "description": "Allow to audit the log.",
  "defaultValue": "OFF",
  "dataType": "Enumeration",
  "allowedValues": "ON,OFF",
  "source": "system-default",
  "isConfigPendingRestart": "False",
  "isDynamicConfig": "True",
  "isReadOnly": "False"
}
example:

Find Mysql servers with audit_not_enabled not equal to “ON”

policies:
  - name: mysql-server-audit-log-enabled
    resource: azure.mysql
    filters:
      - type: server-configuration
        name: audit_not_enabled
        key: value
        op: ne
        value: 'ON'
properties:
  default:
    type: object
  key:
    type: string
  name:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - server-configuration
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
- name
- type

server-parameter

Filter by configuration parameter for mysql flexible server

example:

Example JSON document showing the data format provided to the filter

{
  "value": "TLSv1.2"
  "description": "Which protocols the server permits for encrypted
  connections. By default, TLS 1.2 is enforced",
  "defaultValue": "TLSv1.2",
  "dataType": "Set",
  "allowedValues": "TLSv1,TLSv1.1,TLSv1.2",
  "source": "system-default",
  "isReadOnly": "False",
  "isConfigPendingRestart": "False",
  "isDynamicConfig": "False",
}
example:

Find Mysql Flexible servers with tls_version not set to TLSV1.2

policies:
  - name: mysql-flexible-server-tls-version
    resource: azure.mysql-flexibleserver
    filters:
      - type: server-parameter
        name: tls_version
        key: value
        op: eq
        value: 'TLSv1.2'
properties:
  default:
    type: object
  key:
    type: string
  name:
    allowed_value:
    - TLSv1.2
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - server-parameter
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
- name
- type

storage-diagnostic-settings

Filters storage accounts based on its diagnostic settings. The filter requires specifying the storage type (blob, queue, table, file) and will filter based on the settings for that specific type.

example:

Find all storage accounts that have a ‘delete’ logging setting disabled.

policies:
    - name: find-accounts-with-delete-logging-disabled
      resource: azure.storage
      filters:
        - or:
            - type: storage-diagnostic-settings
              storage-type: blob
              key: logging.delete
              op: eq
              value: False
            - type: storage-diagnostic-settings
              storage-type: queue
              key: logging.delete
              op: eq
              value: False
            - type: storage-diagnostic-settings
              storage-type: table
              key: logging.delete
              op: eq
              value: False
example:

Find Load Balancers that have logs for both LoadBalancerProbeHealthStatus category and LoadBalancerAlertEvent category enabled. The use of value_type: swap is important for these examples because it swaps the value and the evaluated key so that it evaluates the value provided is in the logs.

policies:
  - name: find-load-balancers-with-logs-enabled
    resource: azure.loadbalancer
    filters:
      - type: diagnostic-settings
        key: logs[?category == 'LoadBalancerProbeHealthStatus'][].enabled
        value: True
        op: in
        value_type: swap
      - type: diagnostic-settings
        key: logs[?category == 'LoadBalancerAlertEvent'][].enabled
        value: True
        op: in
        value_type: swap
example:

Find KeyVaults that have logs enabled for the AuditEvent category.

policies:
  - name: find-keyvaults-with-logs-enabled
    resource: azure.keyvault
    filters:
      - type: diagnostic-settings
        key: logs[?category == 'AuditEvent'][].enabled
        value: True
        op: in
        value_type: swap
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  storage-type:
    enum:
    - blob
    - queue
    - table
    - file
    type: string
  type:
    enum:
    - storage-diagnostic-settings
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- storage-type
- type

value

Generic value filter using jmespath

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - value
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

vm-extensions

Provides a value filter targetting the virtual machine extensions array. Requires an additional API call per virtual machine to retrieve the extensions.

Here is an example of the data returned:

[{
  "id": "/subscriptions/...",
  "name": "CustomScript",
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "location": "centralus",
  "properties": {
    "publisher": "Microsoft.Azure.Extensions",
    "type": "CustomScript",
    "typeHandlerVersion": "2.0",
    "autoUpgradeMinorVersion": true,
    "settings": {
      "fileUris": []
    },
    "provisioningState": "Succeeded"
  }
}]
examples:

Find VM’s with Custom Script extensions

policies:
  - name: vm-with-customscript
    description: |
      Find all virtual machines with a custom
      script extension installed.
    resource: azure.vm
    filters:
      - type: vm-extensions
        op: in
        key: "[].properties.type"
        value: CustomScript
        value_type: swap

Find VM’s without the OMS agent installed

policies:
  - name: vm-without-oms
    description: |
      Find all virtual machines without the
      OMS agent installed.
    resource: azure.vm
    filters:
      - type: vm-extensions
        op: not-in
        key: "[].properties.type"
        value: OmsAgentForLinux
        value_type: swap
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - vm-extensions
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

vulnerability-assessment

Filter sql servers by whether they have recurring vulnerability scans enabled.

example:

Find SQL servers without vulnerability assessments enabled (legacy)

policies:
  - name: sql-server-no-va
    resource: azure.sql-server
    filters:
      - type: vulnerability-assessment
        enabled: false
example:

Find SQL Servers where vulnerability assessments are not being sent to a required email

policies:
  - name: sql-server-no-email
    resource: azure.sql-server
    filters:
      - type: vulnerability-assessment
        key: recurringScans.emails[?@ == `required@ops.domain`]
        value: empty

When using the above value filter form, the data takes the following shape:

"storageContainerPath": "https://testznubm7c1.blob.core.windows.net/testznubm7c1/",
"recurringScans": {
    "isEnabled": true,
    "emailSubscriptionAdmins": false,
    "emails": [
        "ops@fake.email",
        "admins@fake.email"
    ]
}
properties:
  default:
    type: object
  enabled:
    type: boolean
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - vulnerability-assessment
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type