azure.storage

Storage Account Resource

example:

Finds all Storage Accounts in the subscription.

policies:
    - name: find-all-storage-accounts
      resource: azure.storage

Filters

advisor-recommendation

Filter resources by Azure Advisor Recommendations

Select all categories with 'all'

example:

policies:
  - name: disks-with-cost-recommendations
    resource: azure.disk
    filters:
      - type: advisor-recommendation
        category: Cost
        key: '[].properties.recommendationTypeId'
        op: contains
        value: '48eda464-1485-4dcf-a674-d0905df5054a'
properties:
  category:
    type: string
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - advisor-recommendation
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- category
- type

firewall-bypass

Filters resources by the firewall bypass rules.

example:

This policy finds all Storage Accounts that have the Azure Services, Metrics and Logging bypass rules enabled.

policies:
  - name: storage-bypass
    resource: azure.storage
    filters:
      - type: firewall-bypass
        mode: equal
        list:
            - AzureServices
            - Metrics
            - Logging
properties:
  list:
    items:
      enum:
      - AzureServices
      - Metrics
      - Logging
    type: array
  mode:
    enum:
    - include
    - equal
    - any
    - only
  type:
    enum:
    - firewall-bypass
required:
- mode
- list
- type
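The mode names above are not explained on this page. The following Python is an added illustration, not Cloud Custodian's own filter code, of how the four modes can be read as set comparisons between the policy's list and the bypass names enabled on the account. It assumes the account's network ACL carries the bypass names as a comma-separated string such as "AzureServices, Logging" (or the literal "None"), which is how the Azure API reports them; the sample accounts are constructed.

```python
"""firewall-bypass filter modes as set comparisons (added example, not c7n code).

Assumed meaning of the modes (an interpretation, not taken from the page):
  include - every name in ``list`` is enabled on the account (list is a subset)
  equal   - the enabled names are exactly ``list``
  any     - at least one name in ``list`` is enabled
  only    - nothing outside ``list`` is enabled (enabled set is a subset of list)
"""

# The three bypass names the schema allows.
VALID_BYPASS = {"AzureServices", "Metrics", "Logging"}


def parse_bypass(bypass_value):
    """Turn the API's 'A, B' string (or the literal 'None') into a set of names."""
    if not bypass_value or bypass_value.strip() == "None":
        return set()
    return {part.strip() for part in bypass_value.split(",") if part.strip()}


def firewall_bypass_matches(account, mode, wanted):
    """Return True when ``account`` satisfies ``mode`` against the policy list ``wanted``."""
    wanted = set(wanted)
    unknown = wanted - VALID_BYPASS
    if unknown:
        raise ValueError(f"unknown bypass names: {sorted(unknown)}")
    enabled = parse_bypass(account["properties"]["networkAcls"]["bypass"])
    if mode == "include":
        return wanted <= enabled
    if mode == "equal":
        return wanted == enabled
    if mode == "any":
        return bool(wanted & enabled)
    if mode == "only":
        return enabled <= wanted
    raise ValueError(f"unknown mode: {mode}")


def filter_accounts(accounts, mode, wanted):
    """Names of the accounts the filter would keep, in input order."""
    return [a["name"] for a in accounts if firewall_bypass_matches(a, mode, wanted)]


# Constructed sample accounts (not real resources), shaped like the Azure API response.
SAMPLE_ACCOUNTS = [
    {"name": "sa-all",
     "properties": {"networkAcls": {"bypass": "AzureServices, Metrics, Logging"}}},
    {"name": "sa-logging",
     "properties": {"networkAcls": {"bypass": "Logging"}}},
    {"name": "sa-none",
     "properties": {"networkAcls": {"bypass": "None"}}},
    {"name": "sa-azure-metrics",
     "properties": {"networkAcls": {"bypass": "AzureServices, Metrics"}}},
]

if __name__ == "__main__":
    # The page's own example: mode equal with all three names keeps only sa-all.
    print("equal/all:", filter_accounts(SAMPLE_ACCOUNTS, "equal", sorted(VALID_BYPASS)))
    for mode in ("include", "equal", "any", "only"):
        print(mode, filter_accounts(SAMPLE_ACCOUNTS, mode, ["Metrics", "Logging"]))
```

Note that "only" also keeps an account whose bypass is "None": an empty set is a subset of any list, which is usually what a hardening policy wants when it asks "does this account bypass the firewall for anything I did not approve?".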

Actions

require-secure-transfer

Action that updates the Secure Transfer setting on Storage Accounts. Programmatically, this is seen as an update to the EnableHttpsTrafficOnly setting.

example:

Turns on Secure transfer required for all storage accounts. This will reject requests that use HTTP to your storage accounts.

policies:
    - name: require-secure-transfer
      resource: azure.storage
      actions:
      - type: require-secure-transfer
        value: True

You can also set the minimum TLS version on the storage account; valid values are TLS1_0, TLS1_1 and TLS1_2:

policies:
    - name: require-secure-transfer-with-tls-v1-2
      resource: azure.storage
      actions:
      - type: require-secure-transfer
        value: True
        minimum_tls_version: TLS1_2
properties:
  minimum_tls_version:
    type: string
  type:
    enum:
    - require-secure-transfer
  value:
    default: true
    type: boolean
required:
- type

set-firewall-rules

Set Firewall Rules Action

Updates Azure Storage Firewalls and Virtual Networks settings.

By default the new values are appended to the existing firewall rules. Set append: False to replace the resource's old rules with the new ones.

You may also reference Azure public cloud Service Tags by name in place of an IP address. Use ServiceTags. followed by the name of any group from https://www.microsoft.com/en-us/download/details.aspx?id=56519.

Note that there is a limit on the number of firewall rules, so you will likely need to use a regional service tag to stay within it. The limit for storage accounts is 200 rules.

- type: set-firewall-rules
  bypass-rules:
      - Logging
      - Metrics
  ip-rules:
      - 11.12.13.0/16
      - ServiceTags.AppService.CentralUS
example:

Find storage accounts without any firewall rules.

Configure default-action to Deny and then allow:

- Azure Logging and Metrics services
- Two specific IPs
- Two subnets

policies:
    - name: add-storage-firewall
      resource: azure.storage

      filters:
          - type: value
            key: properties.networkAcls.ipRules
            value_type: size
            op: eq
            value: 0

      actions:
          - type: set-firewall-rules
            append: False
            bypass-rules:
                - Logging
                - Metrics
            ip-rules:
                - 11.12.13.0/16
                - 21.22.23.24
            virtual-network-rules:
                - <subnet_resource_id>
                - <subnet_resource_id>
properties:
  append:
    default: true
    type: boolean
  bypass-rules:
    items:
      enum:
      - AzureServices
      - Logging
      - Metrics
    type: array
  default-action:
    default: Deny
    enum:
    - Allow
    - Deny
  ip-rules:
    items:
      type: string
    type: array
  type:
    enum:
    - set-firewall-rules
  virtual-network-rules:
    items:
      type: string
    type: array
required:
- type
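The following Python is an added example, not Cloud Custodian's own action code, of the rules described above: the size-0 value filter from the example, appending versus replacing the existing ip-rules, resolving ServiceTags.<Name> references, and refusing a rule set that exceeds the 200-rule limit. It assumes the account's current rules sit at properties.networkAcls.ipRules as [{"value": "<ip or cidr>", "action": "Allow"}] (the Azure API shape) and that the Service Tags download has the form {"values": [{"name": "...", "properties": {"addressPrefixes": [...]}}]}; the service-tag excerpt and the sample account are constructed, and the de-duplication of repeated prefixes is my choice rather than something the page states.

```python
"""set-firewall-rules merge logic (added example, not c7n code)."""
import ipaddress

STORAGE_IP_RULE_LIMIT = 200  # limit for storage accounts stated in the docs

# Constructed excerpt in the shape of the Service Tags JSON download; the
# prefixes are documentation ranges, not real Azure address space.
SERVICE_TAGS = {
    "values": [
        {"name": "AppService.CentralUS",
         "properties": {"addressPrefixes": ["203.0.113.0/25", "198.51.100.64/26"]}},
        {"name": "AppService",
         "properties": {"addressPrefixes": ["203.0.113.0/24", "198.51.100.0/24",
                                            "192.0.2.0/24"]}},
    ]
}

# Constructed sample account with one existing allow rule.
SAMPLE_ACCOUNT = {
    "name": "sa-example",
    "properties": {"networkAcls": {
        "defaultAction": "Allow",
        "ipRules": [{"value": "21.22.23.24", "action": "Allow"}],
    }},
}


def has_no_ip_rules(account):
    """The page's value filter: properties.networkAcls.ipRules has size 0."""
    return len(account["properties"]["networkAcls"].get("ipRules", [])) == 0


def resolve_ip_rules(ip_rules, service_tags=SERVICE_TAGS):
    """Expand ServiceTags.<Name> references into prefixes; validate literal IPs/CIDRs."""
    by_name = {v["name"]: v["properties"]["addressPrefixes"] for v in service_tags["values"]}
    resolved = []
    for rule in ip_rules:
        if rule.startswith("ServiceTags."):
            tag = rule[len("ServiceTags."):]
            if tag not in by_name:
                raise ValueError(f"unknown service tag: {tag}")
            resolved.extend(by_name[tag])
        else:
            try:
                # strict=False accepts host bits set, as in the docs' 11.12.13.0/16.
                ipaddress.ip_network(rule, strict=False)
            except ValueError as exc:
                raise ValueError(f"invalid ip-rule {rule!r}: {exc}") from None
            resolved.append(rule)
    return resolved


def build_ip_rules(account, ip_rules, append=True, limit=STORAGE_IP_RULE_LIMIT):
    """Return the ipRules list the action would write, honouring append and the limit."""
    existing = ([r["value"] for r in account["properties"]["networkAcls"].get("ipRules", [])]
                if append else [])
    merged, seen = [], set()
    for value in existing + resolve_ip_rules(ip_rules):  # first occurrence wins (assumption)
        if value not in seen:
            seen.add(value)
            merged.append(value)
    if len(merged) > limit:
        raise ValueError(f"{len(merged)} IP rules exceed the storage account limit of "
                         f"{limit}; use a regional service tag instead")
    return [{"value": v, "action": "Allow"} for v in merged]


if __name__ == "__main__":
    rules = ["11.12.13.0/16", "ServiceTags.AppService.CentralUS"]
    print("append:", [r["value"] for r in build_ip_rules(SAMPLE_ACCOUNT, rules)])
    print("replace:", [r["value"] for r in build_ip_rules(SAMPLE_ACCOUNT, rules, append=False)])
```

Dropping a very small limit into build_ip_rules (as the test below does) is a cheap way to see the failure mode before a real run: an unscoped tag such as ServiceTags.AppService expands to far more prefixes than a regional one, which is why the docs steer you toward a regional block.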

set-log-settings

Action that updates the logging settings on storage accounts. The action requires specifying an array of storage types that will be impacted by the action (blob, queue, table), retention (number in days; 0-365), and an array of log settings to enable (read, write, delete). The action will disable any settings not listed (e.g. by providing log: [write, delete], the action will disable read).

example:

Enable write and delete logging and disable read logging on blob storage, and retain logs for 5 days.

policies:
    - name: enable-blob-storage-logging
      resource: azure.storage
      actions:
        - type: set-log-settings
          storage-types: [blob]
          retention: 5
          log: [write, delete]
properties:
  log:
    items:
      enum:
      - read
      - write
      - delete
      type: string
    type: array
  retention:
    type: number
  storage-types:
    items:
      enum:
      - blob
      - queue
      - table
      type: string
    type: array
  type:
    enum:
    - set-log-settings
required:
- storage-types
- log
- retention
- type