Policy types for @turbot/azure-securitycenter
- Azure > Security Center > Enabled
- Azure > Security Center > Permissions
- Azure > Security Center > Permissions > Levels
- Azure > Security Center > Permissions > Levels > Modifiers
- Azure > Security Center > Security Center > CMDB
- Azure > Security Center > Security Center > Defender Plan
- Azure > Security Center > Security Center > Defender Plan > Resource Type
- Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-securitycenter
- Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-securitycenter
Azure > Security Center > Enabled
Enable Azure Security Center service.
tmod:@turbot/azure-securitycenter#/policy/types/securityCenterServiceEnabled
[ "Enabled", "Enabled: Metadata Only", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Enabled: Metadata Only", "Disabled" ], "example": [ "Enabled" ], "default": "Disabled"}
Azure > Security Center > Permissions
Configure whether permissions policies are in effect for Azure Security Center.
This setting does not affect Subscription level permissions (Azure/Admin, Azure/Owner, etc.).
tmod:@turbot/azure-securitycenter#/policy/types/securityCenterServicePermissions
[ "Enabled", "Disabled", "Enabled if Azure > Security Center > Enabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if Azure > Security Center > Enabled" ], "example": [ "Enabled" ], "default": "Enabled if Azure > Security Center > Enabled"}
Azure > Security Center > Permissions > Levels
Define the permissions levels that can be used to grant access to Security Center in an
Azure Subscription. Permissions levels defined will appear in the UI to assign
access to Guardrails users.
tmod:@turbot/azure-securitycenter#/policy/types/securityCenterServicePermissionsLevels
[ "{\n item: subscription {\n turbot{\n id\n }\n }\n}\n", "{\n availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyTypeId:'tmod:@turbot/azure-iam#/policy/types/permissionsLevelsDefault'\") {\n items {\n value\n }\n }\n}\n"]
"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "enum": [ "User", "Metadata", "ReadOnly", "Operator", "Admin", "Owner" ] }}
Azure > Security Center > Permissions > Levels > Modifiers
A map of Azure API to Guardrails Permission Level used to customize Guardrails'
standard permissions. You can add, remove or redefine the mapping of
Azure API operations to Guardrails permissions levels here.
example:
 - "Microsoft.Security Center/Security Center/delete": operator
 - "Microsoft.Security Center/Security Center/write": admin
 - "Microsoft.Security Center/Security Center/read": readonly
tmod:@turbot/azure-securitycenter#/policy/types/securityCenterServicePermissionsLevelsModifiers
Azure > Security Center > Security Center > CMDB
Configure whether to record and synchronize details for Azure
Security Center resources into the CMDB.
The CMDB control is
responsible for populating and updating all the attributes for that
resource type in the Guardrails CMDB.
Note that if CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.
tmod:@turbot/azure-securitycenter#/policy/types/securityCenterCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Security provider is Registered"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Security provider is Registered" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Security provider is Registered"}
Azure > Security Center > Security Center > Defender Plan
Configure Defender Plan settings on Azure > Security Center > Security Center.
tmod:@turbot/azure-securitycenter#/policy/types/securityCenterDefenderPlan
[ "Skip", "Check: Defender Plan Enabled", "Check: Defender Plan Disabled", "Enforce: Defender Plan Enabled", "Enforce: Defender Plan Disabled"]
{ "type": "string", "enum": [ "Skip", "Check: Defender Plan Enabled", "Check: Defender Plan Disabled", "Enforce: Defender Plan Enabled", "Enforce: Defender Plan Disabled" ], "default": "Skip"}
Azure > Security Center > Security Center > Defender Plan > Resource Type
The resource types for which the Security Center Defender Plan policy is checked or enforced.
tmod:@turbot/azure-securitycenter#/policy/types/securityCenterDefenderPlanResourceType
{ "type": "array", "items": { "type": "string", "enum": [ "Servers", "App Service", "Azure SQL Databases", "SQL servers on machines", "Open-source relational databases", "Storage", "Kubernetes", "Container registries", "Key Vault", "Resource Manager", "DNS" ] }, "default": [ "Servers", "App Service", "Azure SQL Databases", "SQL servers on machines", "Open-source relational databases", "Storage", "Kubernetes", "Container registries", "Key Vault", "Resource Manager", "DNS" ]}
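The three policies above only do something when they are set together: the service must be Enabled, the Defender Plan policy must be something other than Skip, and the Resource Type list decides which plans are in scope. The following is an added example of setting all three on one subscription with the Turbot Guardrails Terraform provider; it is not part of this reference page. The `turbot_policy_setting` resource with `resource`, `type` and `value` attributes is assumed from the provider as the editor knows it, the subscription AKA is a placeholder, and passing an array-valued policy as a YAML list string is an assumption.

```hcl
# Added example (not from the Guardrails reference page): configure the
# @turbot/azure-securitycenter Defender Plan policies on one subscription.
# Provider source, resource shape and the subscription AKA are assumptions.
terraform {
  required_providers {
    turbot = {
      source = "turbot/turbot"
    }
  }
}

locals {
  # Placeholder AKA of the target subscription (assumption; substitute your own).
  subscription = "azure:///subscriptions/00000000-0000-0000-0000-000000000000"
}

# Azure > Security Center > Enabled: without this the service's controls never run.
resource "turbot_policy_setting" "securitycenter_enabled" {
  resource = local.subscription
  type     = "tmod:@turbot/azure-securitycenter#/policy/types/securityCenterServiceEnabled"
  value    = "Enabled"
}

# Azure > Security Center > Security Center > Defender Plan: start in Check mode so
# drift is reported but nothing is changed; switch to "Enforce: Defender Plan Enabled"
# once the check results look right.
resource "turbot_policy_setting" "defender_plan" {
  resource = local.subscription
  type     = "tmod:@turbot/azure-securitycenter#/policy/types/securityCenterDefenderPlan"
  value    = "Check: Defender Plan Enabled"
}

# Azure > Security Center > Security Center > Defender Plan > Resource Type: narrow the
# default (all plan types) to the plans this subscription actually needs. The array is
# passed as a YAML list string (assumption about how the provider serialises arrays).
resource "turbot_policy_setting" "defender_plan_resource_types" {
  resource = local.subscription
  type     = "tmod:@turbot/azure-securitycenter#/policy/types/securityCenterDefenderPlanResourceType"
  value    = <<-EOT
    - Servers
    - Storage
    - Key Vault
    - Kubernetes
  EOT
}
```

Two checks worth making after `terraform apply`: the CMDB policy is left at its default, "Enforce: Enabled if Security provider is Registered", so in a subscription where the Security provider is not registered the resource is never added to the CMDB and, as the CMDB section above notes, the Defender Plan control will not run at all; and each value must match the enum for its policy exactly (for example "Check: Defender Plan Enabled", not "Check: Enabled"), otherwise the setting is rejected.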
Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-securitycenter
A calculated policy that Guardrails uses to create a compiled list of ALL
permission levels for Azure Security Center that is used as input to the
stack that manages the Guardrails IAM permissions objects.
tmod:@turbot/azure-securitycenter#/policy/types/azureLevelsCompiled
Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-securitycenter
A calculated policy that Guardrails uses to create a compiled list of ALL
permissions for Azure Security Center that is used as input to the control that manages
the IAM stack.
tmod:@turbot/azure-securitycenter#/policy/types/azureCompiledServicePermissions