azure.storage

Storage Account Resource

example

Finds all Storage Accounts in the subscription.

policies:
    - name: find-all-storage-accounts
      resource: azure.storage

Actions

set-firewall-rules

Set Firewall Rules Action

Updates Azure Storage Firewalls and Virtual Networks settings.

By default, the new firewall rules are appended to the rules already on the resource. Set append: False to replace the existing rules with the new ones instead.

You may also reference Azure public cloud Service Tags by name in place of an IP address. Use ServiceTags. followed by the name of any group from https://www.microsoft.com/en-us/download/details.aspx?id=56519.

Note that storage accounts have a limit on the number of firewall rules (200 for a storage account), so expanding a whole service tag will usually exceed it; you will likely need a regional tag (for example ServiceTags.AppService.CentralUS rather than the tag for the whole service) to fit within the limit.

- type: set-firewall-rules
  bypass-rules:
      - Logging
      - Metrics
  ip-rules:
      - 11.12.13.0/16
      - ServiceTags.AppService.CentralUS

example

Find storage accounts without any firewall rules.

Configure default-action to Deny and then allow:
- Azure Logging and Metrics services
- Two specific IPs
- Two subnets

policies:
    - name: add-storage-firewall
      resource: azure.storage

      filters:
          - type: value
            key: properties.networkAcls.ipRules
            value_type: size
            op: eq
            value: 0

      actions:
          - type: set-firewall-rules
            append: False
            bypass-rules:
                - Logging
                - Metrics
            ip-rules:
                - 11.12.13.0/16
                - 21.22.23.24
            virtual-network-rules:
                - <subnet_resource_id>
                - <subnet_resource_id>

properties:
  append:
    default: true
    type: boolean
  bypass-rules:
    items:
      enum:
      - AzureServices
      - Logging
      - Metrics
    type: array
  default-action:
    default: Deny
    enum:
    - Allow
    - Deny
  ip-rules:
    items:
      type: string
    type: array
  type:
    enum:
    - set-firewall-rules
  virtual-network-rules:
    items:
      type: string
    type: array
required:
- type
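
The following is an added example, not Cloud Custodian's own code, that models what the set-firewall-rules action computes: the size filter on networkAcls.ipRules, expansion of ServiceTags.<Name> references, append versus replace, and the 200-rule limit. The SERVICE_TAGS map and the ARM networkAcls shape (defaultAction, bypass as a comma-joined string, ipRules entries with value/action) are assumptions standing in for the Microsoft download and the live resource.

```python
STORAGE_IP_RULE_LIMIT = 200  # documented limit for storage accounts

# Constructed sample standing in for the Azure Service Tags JSON download.
SERVICE_TAGS = {
    "AppService.CentralUS": ["13.67.9.0/24", "52.165.128.0/20"],
    "Storage.WestUS": ["13.64.0.0/16"],
}


def resolve_ip_rules(rules):
    """Expand 'ServiceTags.<Name>' entries into their address prefixes."""
    out = []
    for rule in rules:
        if rule.startswith("ServiceTags."):
            name = rule[len("ServiceTags."):]
            if name not in SERVICE_TAGS:
                raise ValueError(f"unknown service tag: {name}")
            out.extend(SERVICE_TAGS[name])
        else:
            out.append(rule)
    return out


def has_no_ip_rules(account):
    """Equivalent of the page's filter: networkAcls.ipRules size eq 0."""
    acls = account.get("properties", {}).get("networkAcls", {})
    return len(acls.get("ipRules", [])) == 0


def plan_network_acls(account, ip_rules, bypass, default_action="Deny", append=True):
    """Return the networkAcls the action would write (assumed ARM shape).

    append=True keeps the account's existing ipRules and adds the new ones;
    append=False discards them and writes only the new ones.
    """
    acls = account.get("properties", {}).get("networkAcls", {})
    existing = [r["value"] for r in acls.get("ipRules", [])] if append else []
    merged = []
    for value in existing + resolve_ip_rules(ip_rules):
        if value not in merged:  # preserve order, drop duplicates
            merged.append(value)
    if len(merged) > STORAGE_IP_RULE_LIMIT:
        raise ValueError(f"{len(merged)} ip rules exceed the {STORAGE_IP_RULE_LIMIT} limit")
    return {
        "defaultAction": default_action,
        "bypass": ",".join(bypass),
        "ipRules": [{"value": v, "action": "Allow"} for v in merged],
    }
```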

set-log-settings

Action that updates the logging settings on storage accounts. The action requires an array of storage types that will be affected (blob, queue, table), a retention period (number of days, 0-365), and an array of log settings to enable (read, write, delete). Any setting not listed is disabled (e.g. log: [write, delete] enables write and delete logging and disables read logging).

example

Enable write and delete logging and disable read logging on blob storage, and retain logs for 5 days.

policies:
    - name: enable-blob-storage-logging
      resource: azure.storage
      actions:
        - type: set-log-settings
          storage-types: [blob]
          retention: 5
          log: [write, delete]

properties:
  log:
    items:
      enum:
      - read
      - write
      - delete
      type: string
    type: array
  retention:
    type: number
  storage-types:
    items:
      enum:
      - blob
      - queue
      - table
      type: string
    type: array
  type:
    enum:
    - set-log-settings
required:
- storage-types
- log
- retention
- type