Storage Account Resource
Finds all Storage Accounts in the subscription.
policies: - name: find-all-storage-accounts resource: azure.storage
Set Firewall Rules Action
Updates Azure Storage Firewalls and Virtual Networks settings.
By default the firewall rules are appended with the new values. The
flag can be used to replace the old rules with the new ones on
You may also reference azure public cloud Service Tags by name in place of
an IP address. Use
ServiceTags. followed by the
name of any group
Note that there are firewall rule number limits and that you will likely need to use a regional block to fit within the limit. The limit for storage accounts is 200 rules.
- type: set-firewall-rules bypass-rules: - Logging - Metrics ip-rules: - 220.127.116.11/16 - ServiceTags.AppService.CentralUS
Find storage accounts without any firewall rules.
Configure default-action to
Deny and then allow:
- Azure Logging and Metrics services
- Two specific IPs
- Two subnets
policies: - name: add-storage-firewall resource: azure.storage filters: - type: value key: properties.networkAcls.ipRules value_type: size op: eq value: 0 actions: - type: set-firewall-rules append: False bypass-rules: - Logging - Metrics ip-rules: - 18.104.22.168/16 - 22.214.171.124 virtual-network-rules: - <subnet_resource_id> - <subnet_resource_id>
properties: append: default: true type: boolean bypass-rules: items: enum: - AzureServices - Logging - Metrics type: array default-action: default: Deny enum: - Allow - Deny ip-rules: items: type: string type: array type: enum: - set-firewall-rules virtual-network-rules: items: type: string type: array required: - type
Action that updates the logging settings on storage accounts. The action requires specifying an array of storage types that will be impacted by the action (blob, queue, table), retention (number in days; 0-365), and an array of log settings to enable (read, write, delete). The action will disable any settings not listed (e.g. by providing log: [write, delete], the action will disable read).
Enable write and delete logging and disable read logging on blob storage, and retain logs for 5 days.policies: - name: enable-blob-storage-logging resource: azure.storage actions: - type: set-log-settings storage-types: [blob] retention: 5 log: [write, delete]
properties: log: items: enum: - read - write - delete type: string type: array retention: type: number storage-types: items: enum: - blob - queue - table type: string type: array type: enum: - set-log-settings required: - storage-types - log - retention - type