From 6af557ffd5d383e02fcc19b6a5f83cb53345543d Mon Sep 17 00:00:00 2001
From: Kim Syversen
Date: Fri, 11 Oct 2024 12:38:37 +0200
Subject: [PATCH 1/2] Add policy for auditing Storage Accounts having configured firewall rules
---
 .../azurepolicy.json | 57 +++++++++++++++++++
 .../azurepolicy.parameters.json | 21 +++++++
 .../azurepolicy.rules.json | 23 ++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.json
 create mode 100644 policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.parameters.json
 create mode 100644 policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.rules.json
diff --git a/policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.json b/policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.json
new file mode 100644
index 00000000..3f5abbb8
--- /dev/null
+++ b/policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.json
@@ -0,0 +1,57 @@
+{
+ "name": "537cd074-8c79-48c3-b896-d73c72ea7a12",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Audit Storage Accounts having configured firewall rules",
+ "description": "This policy audits storage accounts that are configured with unknown IP-addresses.",
+ "metadata": {
+ "category": "Storage",
+ "version": "1.0.0"
+ },
+ "mode": "All",
+ "parameters": {
+ "allowedAddressRanges": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Allowed IP addresses",
+ "description": "Add IP-addresses using the format x.x.x.x or x.x.x.x/xx"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Audit or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
+ "notEquals": ""
+ },
+ {
+ "not": {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
+ "in": "[parameters('allowedAddressRanges')]"
+ }
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.parameters.json b/policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.parameters.json
new file mode 100644
index 00000000..581eee34
--- /dev/null
+++ b/policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.parameters.json
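Review bot: The `"notEquals": ""` condition on `networkAcls.ipRules[*].value` does not, as far as I can tell, restrict the rule to accounts that actually have IP rules: a field condition over a `[*]` alias holds when every member satisfies it, which includes an empty array, so that gate is effectively a no-op and rule-less accounts are excluded only because the third condition happens to evaluate false for them. If the gate is intended, `{ "count": { "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]" }, "greater": 0 }` states it directly. The `description` should also say what the rule does not cover — only `networkAcls.ipRules` is inspected, so an account with `networkAcls.defaultAction` set to `Allow` and no IP rules is never flagged — and the `allowedAddressRanges` description should note that `in` is an exact string comparison, so each value must match the stored rule value character for character (a range written in a different notation than the stored rule will not match). The same rule body is repeated in the azurepolicy.rules.json hunk and the same parameter block in the azurepolicy.parameters.json hunk, so any change here has to be mirrored there.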
@@ -0,0 +1,21 @@
+{
+ "allowedAddressRanges": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Allowed IP addresses",
+ "description": "Add IP-addresses using the format x.x.x.x or x.x.x.x/xx"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Audit or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+}
diff --git a/policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.rules.json b/policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.rules.json
new file mode 100644
index 00000000..08d5b0fc
--- /dev/null
+++ b/policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.rules.json
@@ -0,0 +1,23 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
+ "notEquals": ""
+ },
+ {
+ "not": {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
+ "in": "[parameters('allowedAddressRanges')]"
+ }
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+}
From 2218a9e06d7b400aeb42c213a386d09599ecff1d Mon Sep 17 00:00:00 2001
From: Kim Syversen
Date: Thu, 17 Oct 2024 15:03:25 +0200
Subject: [PATCH 2/2] Updated policy for auditing Storage Accounts having configured firewall rules
---
 .../azurepolicy.json | 8 ++++++--
 .../azurepolicy.rules.json | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.json b/policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.json
index 3f5abbb8..70306b36 100644
--- a/policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.json
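Review bot: The `effect` parameter's description `"Audit or Disabled the execution of the Policy"` is ungrammatical and does not explain what the two values do; `"Enable (Audit) or disable (Disabled) evaluation of this policy"` reads cleanly. `allowedAddressRanges` has no `defaultValue`, so every assignment must supply the list, and as I read the rule an empty list would flag every account that has any IP rule at all — both points belong in its description. This file duplicates the `parameters` block embedded in azurepolicy.json in the previous hunk, so the same wording fix applies there and the two copies need to be kept in step.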
+++ b/policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.json
@@ -43,8 +43,12 @@
 },
 {
 "not": {
- "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
- "in": "[parameters('allowedAddressRanges')]"
+ "anyOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
+ "in": "[parameters('allowedAddressRanges')]"
+ }
+ ]
 }
 }
 ]
diff --git a/policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.rules.json b/policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.rules.json
index 08d5b0fc..caf8e6da 100644
--- a/policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.rules.json
+++ b/policyDefinitions/Storage/audit-storageaccounts-having-configured-firewall-rules/azurepolicy.rules.json
@@ -11,8 +11,12 @@
 },
 {
 "not": {
- "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
- "in": "[parameters('allowedAddressRanges')]"
+ "anyOf": [
+ {
+ "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
+ "in": "[parameters('allowedAddressRanges')]"
+ }
+ ]
 }
 }
 ]
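Review bot: Wrapping the single `in` condition in an `"anyOf"` with one branch evaluates exactly as the bare condition did, so as far as I can read it this commit does not change which accounts get flagged, and the commit message does not say what it was meant to fix. If the goal was to make the "at least one IP rule outside the allow-list" semantics explicit instead of relying on `not` over the all-members evaluation of the `[*]` alias, a `count` expression says that directly and also makes the separate `"notEquals": ""` condition earlier in the `allOf` (outside this hunk) unnecessary, since an empty `ipRules` array then yields a count of zero; the element below replaces the whole `"not"` element. The same change appears in the azurepolicy.rules.json hunk and would need the same treatment there. The enclosing `allOf` array starts and ends outside the hunk.
```json
{
  "count": {
    "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]",
    "where": {
      "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value",
      "notIn": "[parameters('allowedAddressRanges')]"
    }
  },
  "greater": 0
}
```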