azure.storage
Storage Account Resource
- example:
Finds all Storage Accounts in the subscription.

policies:
  - name: find-all-storage-accounts
    resource: azure.storage
Filters
advisor-recommendation
Filter resources by Azure Advisor Recommendations.
Select all categories with ‘all’.
- example:

policies:
  - name: disks-with-cost-recommendations
    resource: azure.disk
    filters:
      - type: advisor-recommendation
        category: Cost
        key: '[].properties.recommendationTypeId'
        op: contains
        value: '48eda464-1485-4dcf-a674-d0905df5054a'
properties:
  category:
    type: string
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - advisor-recommendation
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - category
  - type
firewall-bypass
Filters resources by the firewall bypass rules.
- example:
This policy will find all Storage Accounts with enabled Azure Services, Metrics and Logging bypass rules.

policies:
  - name: storage-bypass
    resource: azure.storage
    filters:
      - type: firewall-bypass
        mode: equal
        list:
          - AzureServices
          - Metrics
          - Logging
properties:
  list:
    items:
      enum:
        - AzureServices
        - Metrics
        - Logging
    type: array
  mode:
    enum:
      - include
      - equal
      - any
      - only
  type:
    enum:
      - firewall-bypass
required:
  - mode
  - list
  - type
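The four mode values above decide how a storage account's enabled bypass set is compared with the policy's list. The following is an added example, not Cloud Custodian's own code: the mode semantics (include: every listed name enabled, others allowed; equal: exactly the listed names; any: at least one listed name; only: nothing enabled beyond the listed names) and the sample accounts are assumptions made for illustration.

```python
# Added example, not Cloud Custodian's own code: evaluate the four
# firewall-bypass modes against storage accounts whose
# properties.networkAcls.bypass is the comma-separated string Azure returns
# ("AzureServices, Metrics, Logging" or "None").
# Mode semantics are an assumption based on the mode names, see matches().
VALID_BYPASS = {"AzureServices", "Metrics", "Logging"}
VALID_MODES = {"include", "equal", "any", "only"}


def parse_bypass(value):
    """Turn 'AzureServices, Metrics' (or 'None', or missing) into a set."""
    names = {part.strip() for part in (value or "").split(",")}
    names.discard("None")
    names.discard("")
    return names


def matches(resource, mode, wanted):
    """True when the account's bypass set satisfies the mode/list pair."""
    if mode not in VALID_MODES:
        raise ValueError("unknown mode: %s" % mode)
    wanted = set(wanted)
    unknown = wanted - VALID_BYPASS
    if unknown:
        raise ValueError("unknown bypass names: %s" % sorted(unknown))
    have = parse_bypass(resource["properties"]["networkAcls"].get("bypass"))
    if mode == "include":   # every listed name is enabled, others allowed
        return wanted <= have
    if mode == "equal":     # exactly the listed names, no more, no fewer
        return wanted == have
    if mode == "any":       # at least one listed name is enabled
        return bool(wanted & have)
    return have <= wanted   # only: nothing enabled beyond the listed names


def filter_accounts(resources, mode, wanted):
    """Names of the accounts a filter with this mode/list would keep."""
    return [r["name"] for r in resources if matches(r, mode, wanted)]


# Constructed sample accounts (not real resources), bypass as Azure reports it.
ACCOUNTS = [
    {"name": "sa-all", "properties": {"networkAcls": {"bypass": "AzureServices, Metrics, Logging"}}},
    {"name": "sa-logging", "properties": {"networkAcls": {"bypass": "Logging"}}},
    {"name": "sa-none", "properties": {"networkAcls": {"bypass": "None"}}},
]

if __name__ == "__main__":
    # The storage-bypass policy above: mode equal with all three names.
    print(filter_accounts(ACCOUNTS, "equal", ["AzureServices", "Metrics", "Logging"]))
```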
Actions
require-secure-transfer
Action that updates the Secure Transfer setting on Storage Accounts. Programmatically, this corresponds to updating the EnableHttpsTrafficOnly setting.
- example:
Turns on Secure transfer required for all storage accounts. This will reject requests that use HTTP to your storage accounts.

policies:
  - name: require-secure-transfer
    resource: azure.storage
    actions:
      - type: require-secure-transfer
        value: True

properties:
  type:
    enum:
      - require-secure-transfer
  value:
    default: true
    type: boolean
required:
  - type
set-firewall-rules
Set Firewall Rules Action
Updates Azure Storage Firewalls and Virtual Networks settings.

By default the firewall rules are appended with the new values. The append: False flag can be used to replace the old rules with the new ones on the resource.

You may also reference azure public cloud Service Tags by name in place of an IP address. Use ServiceTags. followed by the name of any group from https://www.microsoft.com/en-us/download/details.aspx?id=56519.

Note that there are firewall rule number limits and that you will likely need to use a regional block to fit within the limit. The limit for storage accounts is 200 rules.

- type: set-firewall-rules
  bypass-rules:
    - Logging
    - Metrics
  ip-rules:
    - 11.12.13.0/16
    - ServiceTags.AppService.CentralUS
- example:
Find storage accounts without any firewall rules.
Configure default-action to Deny and then allow:
- Azure Logging and Metrics services
- Two specific IPs
- Two subnets

policies:
  - name: add-storage-firewall
    resource: azure.storage
    filters:
      - type: value
        key: properties.networkAcls.ipRules
        value_type: size
        op: eq
        value: 0
    actions:
      - type: set-firewall-rules
        append: False
        bypass-rules:
          - Logging
          - Metrics
        ip-rules:
          - 11.12.13.0/16
          - 21.22.23.24
        virtual-network-rules:
          - <subnet_resource_id>
          - <subnet_resource_id>
properties:
  append:
    default: true
    type: boolean
  bypass-rules:
    items:
      enum:
        - AzureServices
        - Logging
        - Metrics
    type: array
  default-action:
    default: Deny
    enum:
      - Allow
      - Deny
  ip-rules:
    items:
      type: string
    type: array
  type:
    enum:
      - set-firewall-rules
  virtual-network-rules:
    items:
      type: string
    type: array
required:
  - type
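The append flag, the ServiceTags.<name> shorthand and the 200-rule limit described above interact when an action is applied to an account that already has rules. The following is an added example, not Cloud Custodian's own code: it computes the ip-rules that would remain after the action, using a constructed, shortened stand-in for the Service Tags download file (the assumed values/name/addressPrefixes shape, with made-up prefixes).

```python
# Added example, not Cloud Custodian's own code: compute the ip-rules a
# set-firewall-rules action would leave on a storage account, honouring
# append (True keeps existing rules, False replaces them), expanding
# ServiceTags.<name> entries, and enforcing the 200-rule limit noted above.
import ipaddress

RULE_LIMIT = 200  # per storage account, as stated in the description

# Constructed, shortened stand-in for the Service Tags download file: the
# real file uses the same values/name/addressPrefixes shape, these prefixes
# are made up.
SERVICE_TAGS = {
    "values": [
        {"name": "AppService.CentralUS",
         "properties": {"addressPrefixes": ["203.0.113.0/24", "198.51.100.0/25"]}},
    ]
}


def expand_rule(rule, tags=SERVICE_TAGS):
    """Resolve ServiceTags.<name> to its prefixes; validate plain entries."""
    if rule.startswith("ServiceTags."):
        name = rule[len("ServiceTags."):]
        for entry in tags["values"]:
            if entry["name"] == name:
                return list(entry["properties"]["addressPrefixes"])
        raise ValueError("unknown service tag: %s" % name)
    ipaddress.ip_network(rule, strict=False)  # raises on malformed input
    return [rule]


def resulting_ip_rules(existing, new_rules, append=True):
    """Ordered, de-duplicated rule list after the action runs."""
    result = list(existing) if append else []
    for rule in new_rules:
        for prefix in expand_rule(rule):
            if prefix not in result:  # re-adding a rule must not duplicate it
                result.append(prefix)
    if len(result) > RULE_LIMIT:
        raise ValueError("%d rules exceed the %d-rule limit" % (len(result), RULE_LIMIT))
    return result


if __name__ == "__main__":
    # The snippet above, appended to an account that already allows one IP.
    print(resulting_ip_rules(["192.0.2.1"],
                             ["11.12.13.0/16", "ServiceTags.AppService.CentralUS"]))
```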
set-log-settings
Action that updates the logging settings on storage accounts. The action requires specifying an array of storage types that will be impacted by the action (blob, queue, table), retention (number in days; 0-365), and an array of log settings to enable (read, write, delete). The action will disable any settings not listed (e.g. by providing log: [write, delete], the action will disable read).
- example:
Enable write and delete logging and disable read logging on blob storage, and retain logs for 5 days.

policies:
  - name: enable-blob-storage-logging
    resource: azure.storage
    actions:
      - type: set-log-settings
        storage-types: [blob]
        retention: 5
        log: [write, delete]
properties:
  log:
    items:
      enum:
        - read
        - write
        - delete
      type: string
    type: array
  retention:
    type: number
  storage-types:
    items:
      enum:
        - blob
        - queue
        - table
      type: string
    type: array
  type:
    enum:
      - set-log-settings
required:
  - storage-types
  - log
  - retention
  - type