Storage Account Resource
Finds all Storage Accounts in the subscription.
policies: - name: find-all-storage-accounts resource: azure.storage
Filters resources by the firewall bypass rules.
This policy will find all Storage Accounts with enabled Azure Services, Metrics and Logging bypass rules
policies: - name: storage-bypass resource: azure.storage filters: - type: firewall-bypass mode: equal list: - AzureServices - Metrics - Logging
properties: list: items: enum: - AzureServices - Metrics - Logging type: array mode: enum: - include - equal - any - only type: enum: - firewall-bypass required: - mode - list - type
Action that updates the Secure Transfer setting on Storage Accounts. Programmatically, this will be seen by updating the EnableHttpsTrafficOnly setting
Turns on Secure transfer required for all storage accounts. This will reject requests that use HTTP to your storage accounts.
policies: - name: require-secure-transfer resource: azure.storage actions: - type: require-secure-transfer value: True
properties: type: enum: - require-secure-transfer value: default: true type: boolean required: - type
Set Firewall Rules Action
Updates Azure Storage Firewalls and Virtual Networks settings.
By default the firewall rules are appended with the new values. The
flag can be used to replace the old rules with the new ones on
You may also reference azure public cloud Service Tags by name in place of
an IP address. Use
ServiceTags. followed by the
name of any group
Note that there are firewall rule number limits and that you will likely need to use a regional block to fit within the limit. The limit for storage accounts is 200 rules.
- type: set-firewall-rules bypass-rules: - Logging - Metrics ip-rules: - 18.104.22.168/16 - ServiceTags.AppService.CentralUS
Find storage accounts without any firewall rules.
Configure default-action to
Deny and then allow:
- Azure Logging and Metrics services
- Two specific IPs
- Two subnets
policies: - name: add-storage-firewall resource: azure.storage filters: - type: value key: properties.networkAcls.ipRules value_type: size op: eq value: 0 actions: - type: set-firewall-rules append: False bypass-rules: - Logging - Metrics ip-rules: - 22.214.171.124/16 - 126.96.36.199 virtual-network-rules: - <subnet_resource_id> - <subnet_resource_id>
properties: append: default: true type: boolean bypass-rules: items: enum: - AzureServices - Logging - Metrics type: array default-action: default: Deny enum: - Allow - Deny ip-rules: items: type: string type: array type: enum: - set-firewall-rules virtual-network-rules: items: type: string type: array required: - type
Action that updates the logging settings on storage accounts. The action requires specifying an array of storage types that will be impacted by the action (blob, queue, table), retention (number in days; 0-365), and an array of log settings to enable (read, write, delete). The action will disable any settings not listed (e.g. by providing log: [write, delete], the action will disable read).
Enable write and delete logging and disable read logging on blob storage, and retain logs for 5 days.policies: - name: enable-blob-storage-logging resource: azure.storage actions: - type: set-log-settings storage-types: [blob] retention: 5 log: [write, delete]
properties: log: items: enum: - read - write - delete type: string type: array retention: type: number storage-types: items: enum: - blob - queue - table type: string type: array type: enum: - set-log-settings required: - storage-types - log - retention - type