azure.networksecuritygroup

Network Security Group Resource

example:

This policy will deny access to all ports that are NOT 22, 23 or 24 for all Network Security Groups

policies:
 - name: close-inbound-except-22-24
   resource: azure.networksecuritygroup
   filters:
    - type: ingress
      exceptPorts: '22-24'
      match: 'any'
      access: 'Allow'
   actions:
    - type: close
      exceptPorts: '22-24'
      direction: 'Inbound'
example:

This policy will find all NSGs with port 80 opened and port 443 closed, then it will open port 443

policies:
  - name: close-egress-except-TCP
    resource: azure.networksecuritygroup
    filters:
     - type: ingress
       ports: '80'
       access: 'Allow'
     - type: ingress
       ports: '443'
       access: 'Deny'
    actions:
     - type: open
       ports: '443'
example:

This policy will find all NSGs with port 22 opened from ‘Any’ source

policies:
  - name: find-ingress-SSH-from-any-source
    resource: azure.networksecuritygroup
    filters:
     - type: ingress
       ports: '22'
       access: 'Allow'
       source: '*'
example:

This policy will find all NSGs with port 8080 enabled to ‘Any’ destination

policies:
  - name: find-egress-HTTP-to-any-destination
    resource: azure.networksecuritygroup
    filters:
     - type: egress
       ports: '8080'
       access: 'Allow'
       destination: '*'

Filters

advisor-recommendation

Filter resources by Azure Advisor Recommendations

Select all categories with ‘all’

example:

policies:
  - name: disks-with-cost-recommendations
    resource: azure.disk
    filters:
      - type: advisor-recommendation
        category: Cost
        key: '[].properties.recommendationTypeId'
        op: contains
        value: '48eda464-1485-4dcf-a674-d0905df5054a'
properties:
  category:
    type: string
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - advisor-recommendation
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- category
- type

egress

Filter Network Security Groups using opened/closed ports configuration

properties:
  Cidr: {}
  access:
    enum:
    - Allow
    - Deny
    type: string
  destination:
    type: string
  exceptPorts:
    type: string
  ipProtocol:
    enum:
    - ICMP
    - TCP
    - UDP
    - '*'
    type: string
  match:
    enum:
    - all
    - any
    type: string
  ports:
    type: string
  source:
    type: string
  type:
    enum:
    - egress
required:
- type

ingress

Filter Network Security Groups using opened/closed ports configuration

properties:
  Cidr: {}
  access:
    enum:
    - Allow
    - Deny
    type: string
  destination:
    type: string
  exceptPorts:
    type: string
  ipProtocol:
    enum:
    - ICMP
    - TCP
    - UDP
    - '*'
    type: string
  match:
    enum:
    - all
    - any
    type: string
  ports:
    type: string
  source:
    type: string
  type:
    enum:
    - ingress
required:
- type

Actions

close

Deny access to Security Rule

properties:
  direction:
    enum:
    - Inbound
    - Outbound
    type: string
  exceptPorts:
    type: string
  ipProtocol:
    enum:
    - ICMP
    - TCP
    - UDP
    - '*'
    type: string
  ports:
    type: string
  prefix:
    maxLength: 44
    type: string
  type:
    enum:
    - close
required:
- type

open

Allow access to Security Rule

properties:
  direction:
    enum:
    - Inbound
    - Outbound
    type: string
  exceptPorts:
    type: string
  ipProtocol:
    enum:
    - ICMP
    - TCP
    - UDP
    - '*'
    type: string
  ports:
    type: string
  prefix:
    maxLength: 44
    type: string
  type:
    enum:
    - open
required:
- type