Azure Policy - Check Blob container access level - azure

I am creating a policy to check if the Blob container access level is set to "Anonymous" in Azure Storage accounts.
This is the policy that I have created.
{
  "properties": {
    "displayName": "check if Blob container access level is set to Anonymous",
    "description": "check the container access level",
    "mode": "all",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts/blobServices/containers"
          },
          {
            "not": {
              "field": "Microsoft.Storage/storageAccounts/containers/publicAccess",
              "equals": "False"
            }
          }
        ]
      },
      "then": {
        "effect": "Audit"
      }
    }
  }
}
It's not able to detect the container access level.

As the issue said, the Storage team is releasing a public access setting on storage accounts towards Jun 30 2020. Customers can use it to control public access on all containers in the storage account.
After it's released on storage, we will work with the Azure Policy team to integrate the setting with Azure Policy so customers can use Azure Policy to audit and govern public access across storage accounts.
We are working hard to ship the above features and capabilities as early as possible.

Related

Need to deploy the Azure Policy for the Tags only for the VM

I am deploying an Azure policy for the recommended tags that need to be applied when anyone creates a new VM.
I found one built-in policy: Require a tag on resources
But when I deployed it, it applied to all resources, and I need a policy for VM resources only.
Also, how can I use more than one tag in a single policy?
In your policy rule, you must indicate that the policy applies only to VMs.
For example:
...
"policyRule": {
  "if": {
    "field": "type",
    "in": [
      "Microsoft.Compute/virtualMachines",
      "Microsoft.ClassicCompute/virtualMachines"
    ]
  },
  "then": {
    ...
  }
}
...
Hope this helps!

How to restrict public IP to all Azure DevTest Labs by policy

We currently have the built-in policy to disallow public IPs scoped at the management group level, which works when creating regular VMs in our environment. This policy does not block the creation of VMs with public IPs in DevTest Labs, even though they are created within the management group that has a policy blocking public IPs. Has anyone run into this?
There are built-in policies working at the Microsoft.Network/networkInterfaces level to block NICs that have public IPs, but VMs in DevTest Labs are a different resource type than regular VMs.
For example, you can restrict public IP on VMs in Azure DevTest Labs by policy like this:
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.DevTestLab/labs/virtualmachines"
      },
      {
        "not": {
          "field": "Microsoft.DevTestLab/labs/virtualmachines/disallowPublicIpAddress",
          "equals": true
        }
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
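To see how the rules in the tags answer and the DevTest Labs answer above actually evaluate against resource documents (including the case where disallowPublicIpAddress is absent from the lab VM, which the not/equals combination also denies), here is a small local evaluator for the condition operators those rules use. This is an added example, not Microsoft's code; the two-tag variant of the VM rule and the simplified alias resolution are my assumptions.

```python
# Added example (not Microsoft's code): a minimal local evaluator for the Azure
# Policy condition language the rules above use (allOf, anyOf, not, field with
# equals / in / exists). Alias resolution is simplified: 'type', the tags['name']
# form, or the alias's last segment as a dotted path under 'properties'.

def get_field(resource, field):
    if field == "type":
        return resource.get("type")
    if field.startswith("tags['") and field.endswith("']"):
        return (resource.get("tags") or {}).get(field[6:-2])
    node = resource.get("properties", {})
    for part in field.rsplit("/", 1)[-1].split("."):
        if not isinstance(node, dict) or part not in node:
            return None  # absent property: equals/in are false, exists is false
        node = node[part]
    return node

def norm(v):
    # Azure Policy compares case-insensitively; "equals": true matches a JSON true.
    return str(v).lower()

def evaluate(cond, resource):
    """True when the policy condition matches the resource document."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (norm(cond["exists"]) == "true")
    if "equals" in cond:
        return value is not None and norm(value) == norm(cond["equals"])
    if "in" in cond:
        return value is not None and norm(value) in {norm(x) for x in cond["in"]}
    raise ValueError(f"unsupported condition: {cond}")

# The deny rule from the DevTest Labs answer, as posted.
DEVTEST_DENY = {"if": {"allOf": [
    {"field": "type", "equals": "Microsoft.DevTestLab/labs/virtualmachines"},
    {"not": {"field": "Microsoft.DevTestLab/labs/virtualmachines/disallowPublicIpAddress",
             "equals": True}}]}, "then": {"effect": "deny"}}
# The VM-only rule from the tags answer, extended (my assumption) to two required tags.
VM_TAGS_AUDIT = {"if": {"allOf": [
    {"field": "type", "in": ["Microsoft.Compute/virtualMachines",
                             "Microsoft.ClassicCompute/virtualMachines"]},
    {"anyOf": [{"field": "tags['Owner']", "exists": "false"},
               {"field": "tags['CostCenter']", "exists": "false"}]}]},
    "then": {"effect": "audit"}}
```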

Stop Creation of Log Analytics Workspaces

I want to stop creation of Log Analytics workspaces. What is the best way to achieve this? Can you do this via Azure Policies, and if so, how?
thank you in advance,
Kelly
AFAIK, the best possible way to restrict the creation of any resource is using Azure Policy. The Azure policy below will stop the creation of Log Analytics workspaces in your subscription.
{
  "properties": {
    "displayName": "Deny creating Log analytics",
    "description": "This policy denies creation of log analytics workspace.",
    "parameters": {
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.OperationalInsights/workspaces"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
It is also interesting to note that with the introduction of the new access control mode "Require Workspace Permissions", users can only see logs for resources that they have the correct privileges to, therefore allowing teams to utilize a centralized Log Analytics workspace for all their logging needs.

Overwrite Azure resource values with Azure policy values

Is it possible to overwrite Azure resource values with Azure policy values? I am trying to fix the VM size/SKU. I created the policy below with an append effect, which fails VM creation because it cannot overwrite the default/given VM size/SKU.
{
  "if": {
    "field": "type",
    "equals": "Microsoft.Compute/virtualMachines"
  },
  "then": {
    "effect": "append",
    "details": [
      {
        "field": "Microsoft.Compute/virtualMachines/sku.name",
        "value": "Standard_D4_v3"
      }
    ]
  }
}
No, it is not possible to overwrite a resource value using an ARM policy append effect. The behavior you are experiencing is by design as described here.
Since a VM's SKU is a single value vs. a collection/array of values, the only action you could hope to take is to overwrite the original value. But, as you are seeing, an ARM policy will revert to the deny effect instead in this case.

Is it possible to create a SendGrid account through Azure CLI?

Every tutorial and resource I've seen has you create a SendGrid account through the GUI, but I want to be able to use the cli. Is it possible?
Something like:
az sendgrid create
Although you cannot create a SendGrid account using the Azure CLI, you can create one using an ARM template, as follows:
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "name": {
      "type": "string"
    },
    "location": {
      "type": "string"
    },
    "plan_name": {
      "type": "string"
    },
    "plan_publisher": {
      "type": "string"
    },
    "plan_product": {
      "type": "string"
    },
    "plan_promotion_code": {
      "type": "string"
    },
    "password": {
      "type": "secureString"
    },
    "email": {
      "type": "string"
    },
    "firstName": {
      "type": "string"
    },
    "lastName": {
      "type": "string"
    },
    "company": {
      "type": "string"
    },
    "website": {
      "type": "string"
    },
    "acceptMarketingEmails": {
      "type": "string"
    }
  },
  "resources": [
    {
      "apiVersion": "2015-01-01",
      "name": "[parameters('name')]",
      "type": "Sendgrid.Email/accounts",
      "location": "[parameters('location')]",
      "plan": {
        "name": "[parameters('plan_name')]",
        "publisher": "[parameters('plan_publisher')]",
        "product": "[parameters('plan_product')]",
        "promotionCode": "[parameters('plan_promotion_code')]"
      },
      "properties": {
        "password": "[parameters('password')]",
        "acceptMarketingEmails": "[parameters('acceptMarketingEmails')]",
        "email": "[parameters('email')]",
        "firstName": "[parameters('firstName')]",
        "lastName": "[parameters('lastName')]",
        "company": "[parameters('company')]",
        "website": "[parameters('website')]"
      }
    }
  ]
}
Then you can use az group deployment create to provision your template.
"but I want to be able to use the cli. Is it possible?"
As far as I know, Azure does not support creating SendGrid accounts via the CLI at this time.
C:\Users>az --help
For version info, use 'az --version'
Group
az
Subgroups:
account : Manage subscriptions.
acs : Manage Azure Container Services.
ad : Synchronize on-premises directories and manage Azure Active Directory resources.
appservice: Manage your Azure Web apps and App Service plans.
batch : Manage Azure Batch.
cloud : Manage the registered Azure clouds.
component : Manage and update Azure CLI 2.0 (Preview) components.
container : Set up automated builds and deployments for multi-container Docker applications.
disk : Manage Azure Managed Disks.
documentdb: Manage your Azure DocumentDB (NoSQL) database accounts.
feature : Manage resource provider features, such as previews.
group : Manage resource groups and template deployments.
image : Manage custom Virtual Machine Images.
iot : Connect, monitor, and control millions of IoT assets.
keyvault : Safeguard and maintain control of keys, secrets, and certificates.
lock : Manage Azure locks.
network : Manages Azure Network resources.
policy : Manage resource policies.
provider : Manage resource providers.
redis : Access to a secure, dedicated cache for your Azure applications.
resource : Manage Azure resources.
role : Use role assignments to manage access to your Azure resources.
snapshot : Manage point-in-time copies of managed disks, native blobs, or other snapshots.
sql : Manage Azure SQL Databases and Data Warehouses.
storage : Durable, highly available, and massively scalable cloud storage.
tag : Manage resource tags.
vm : Provision Linux or Windows virtual machines in seconds.
vmss : Create highly available, auto-scalable Linux or Windows virtual machines.
Commands:
configure : Configure Azure CLI 2.0 Preview or view your configuration. The command is
interactive, so just type `az configure` and respond to the prompts.
feedback : Loving or hating the CLI? Let us know!
find : Find Azure CLI commands based on a given query.
login : Log in to access Azure subscriptions.
logout : Log out to remove access to Azure subscriptions.
No, it's not possible.
Here you can see all available commands: https://learn.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest
