After looking through the policies I want to merge the policies :
- Storage accounts should restrict network access using virtual network rules Storage accounts
- should allow access from trusted Microsoft services
- [Preview]: Storage account public access should be disallowed
But all the three have different effects and are either audit or deny . What I want is to check the storage accounts and for the three rules and then activate those automatically for new resources .
Any Ideas on how to achieve this ? I am using terraform to deploy the policy definitions and remediations .
CodePudding user response:
You can create the below policy which validates the network rules and deny public access for blob is present or not and then deploys it for the new resources :
{
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"anyOf": [
{
"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
"notEquals": "Deny"
},
{
"count": {
"field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]"
},
"greaterOrEquals": 1
}
]
},
{
"not": {
"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
"equals": "false"
}
}
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Storage/storageAccounts",
"name": "[field('name')]",
"existenceCondition": {
"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
"equals": "Deny"
},
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"type": "string"
},
"sku": {
"type": "string"
},
"location": {
"type": "string"
},
"kind": {
"type": "string"
},
"virtualnetworklist": {
"type": "string",
"metadata": {
"description": "The list of locations that can be specified when deploying resources"
},
"defaultValue": "test"
}
},
"resources": [
{
"name": "[parameters('name')]",
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"location": "[parameters('location')]",
"properties": {
"allowBlobPublicAccess": false,
"networkAcls": {
"bypass": "AzureServices",
"defaultAction": "Deny"
}
},
"dependsOn": [],
"sku": {
"name": "[parameters('sku')]"
},
"kind": "[parameters('kind')]"
}
]
},
"parameters": {
"name": {
"value": "[field('name')]"
},
"sku": {
"value": "[field('Microsoft.Storage/storageAccounts/sku.name')]"
},
"location": {
"value": "[field('location')]"
},
"kind": {
"value": "[field('kind')]"
}
}
}
}
}
}
},
"parameters": {}
}
Output:
