-
Notifications
You must be signed in to change notification settings - Fork 330
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add audit policy for resource access from other services and tenants
- Loading branch information
1 parent
a7df806
commit 1ffe2ef
Showing
3 changed files
with
76 additions
and
0 deletions.
There are no files selected for viewing
45 changes: 45 additions & 0 deletions
45
...tions/SQL/audit-allow-azure-services-and-resources-to-access-this-server/azurepolicy.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| { | ||
| "name": "e369a998-a653-4e19-a058-a6256c3f999b", | ||
| "type": "Microsoft.Authorization/policyDefinitions", | ||
| "properties": { | ||
| "displayName": "Audit Allow Azure services and resources to access this server", | ||
| "description": "This option configures the firewall to allow connections from IP addresses allocated to any Azure service or asset, including connections from the subscriptions of other customers. Rather than allowing any service in any tenant to access this server, network access should be limited using the virtual network option or private access.", | ||
| "metadata": { | ||
| "category": "SQL", | ||
| "version": "1.0.0", | ||
| "preview": true | ||
| }, | ||
| "mode": "All", | ||
| "parameters": { | ||
| "effect": { | ||
| "type": "String", | ||
| "metadata": { | ||
| "displayName": "Effect", | ||
| "description": "Audit or Disabled the execution of the Policy" | ||
| }, | ||
| "allowedValues": [ | ||
| "Audit", | ||
| "Disabled" | ||
| ], | ||
| "defaultValue": "Audit" | ||
| } | ||
| }, | ||
| "policyRule": { | ||
| "if": { | ||
| "allOf": [ | ||
| { | ||
| "field": "type", | ||
| "equals": "Microsoft.Sql/servers/firewallrules" | ||
| }, | ||
| { | ||
| "field": "name", | ||
| "like": "AllowAllWindowsAzureIps" | ||
| } | ||
| ] | ||
| }, | ||
| "then": { | ||
| "effect": "[parameters('effect')]" | ||
| } | ||
| } | ||
| } | ||
| } |
14 changes: 14 additions & 0 deletions
14
...udit-allow-azure-services-and-resources-to-access-this-server/azurepolicy.parameters.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| { | ||
| "effect": { | ||
| "type": "String", | ||
| "metadata": { | ||
| "displayName": "Effect", | ||
| "description": "Audit or Disabled the execution of the Policy" | ||
| }, | ||
| "allowedValues": [ | ||
| "Audit", | ||
| "Disabled" | ||
| ], | ||
| "defaultValue": "Audit" | ||
| } | ||
| } |
17 changes: 17 additions & 0 deletions
17
...SQL/audit-allow-azure-services-and-resources-to-access-this-server/azurepolicy.rules.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| { | ||
| "if": { | ||
| "allOf": [ | ||
| { | ||
| "field": "type", | ||
| "equals": "Microsoft.Sql/servers/firewallrules" | ||
| }, | ||
| { | ||
| "field": "name", | ||
| "like": "AllowAllWindowsAzureIps" | ||
| } | ||
| ] | ||
| }, | ||
| "then": { | ||
| "effect": "[parameters('effect')]" | ||
| } | ||
| } |