azure.networksecuritygroup¶
Network Security Group Resource
- example:
This policy will deny access to all ports that are NOT 22, 23 or 24 for all Network Security Groups
policies:
- name: close-inbound-except-22-24
resource: azure.networksecuritygroup
filters:
- type: ingress
exceptPorts: '22-24'
match: 'any'
access: 'Allow'
actions:
- type: close
exceptPorts: '22-24'
direction: 'Inbound'
- example:
This policy will find all NSGs with port 80 opened and port 443 closed, then it will open port 443
policies:
- name: close-egress-except-TCP
resource: azure.networksecuritygroup
filters:
- type: ingress
ports: '80'
access: 'Allow'
- type: ingress
ports: '443'
access: 'Deny'
actions:
- type: open
ports: '443'
- example:
This policy will find all NSGs with port 22 opened from ‘Any’ source
policies:
- name: find-ingress-SSH-from-any-source
resource: azure.networksecuritygroup
filters:
- type: ingress
ports: '22'
access: 'Allow'
source: '*'
- example:
This policy will find all NSGs with port 8080 enabled to ‘Any’ destination
policies:
- name: find-egress-HTTP-to-any-destination
resource: azure.networksecuritygroup
filters:
- type: egress
ports: '8080'
access: 'Allow'
destination: '*'
Filters¶
advisor-recommendation¶
Filter resources by Azure Advisor Recommendations
Select all categories with ‘all’
- example:
policies:
- name: disks-with-cost-recommendations
resource: azure.disk
filters:
- type: advisor-recommendation
category: Cost
key: '[].properties.recommendationTypeId'
op: contains
value: '48eda464-1485-4dcf-a674-d0905df5054a'
properties:
category:
type: string
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- advisor-recommendation
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- category
- type
egress¶
Filter Network Security Groups using opened/closed ports configuration
properties:
Cidr: {}
access:
enum:
- Allow
- Deny
type: string
destination:
type: string
exceptPorts:
type: string
ipProtocol:
enum:
- ICMP
- TCP
- UDP
- '*'
type: string
match:
enum:
- all
- any
type: string
ports:
type: string
source:
type: string
type:
enum:
- egress
required:
- type
ingress¶
Filter Network Security Groups using opened/closed ports configuration
properties:
Cidr: {}
access:
enum:
- Allow
- Deny
type: string
destination:
type: string
exceptPorts:
type: string
ipProtocol:
enum:
- ICMP
- TCP
- UDP
- '*'
type: string
match:
enum:
- all
- any
type: string
ports:
type: string
source:
type: string
type:
enum:
- ingress
required:
- type
Actions¶
close¶
Deny access to Security Rule
properties:
direction:
enum:
- Inbound
- Outbound
type: string
exceptPorts:
type: string
ipProtocol:
enum:
- ICMP
- TCP
- UDP
- '*'
type: string
ports:
type: string
prefix:
maxLength: 44
type: string
type:
enum:
- close
required:
- type
open¶
Allow access to Security Rule
properties:
direction:
enum:
- Inbound
- Outbound
type: string
exceptPorts:
type: string
ipProtocol:
enum:
- ICMP
- TCP
- UDP
- '*'
type: string
ports:
type: string
prefix:
maxLength: 44
type: string
type:
enum:
- open
required:
- type