Policy types for @turbot/azure-securitycenter

Azure > Security Center > Enabled

Enable the Azure Security Center service.

URI
tmod:@turbot/azure-securitycenter#/policy/types/securityCenterServiceEnabled
Valid Value
[
"Enabled",
"Enabled: Metadata Only",
"Disabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Enabled: Metadata Only",
"Disabled"
],
"example": [
"Enabled"
],
"default": "Disabled"
}

Azure > Security Center > Permissions

Configure whether permissions policies are in effect for Azure Security Center.
This setting does not affect Subscription level permissions (Azure/Admin, Azure/Owner, etc.).

URI
tmod:@turbot/azure-securitycenter#/policy/types/securityCenterServicePermissions
Valid Value
[
"Enabled",
"Disabled",
"Enabled if Azure > Security Center > Enabled"
]
Schema
{
"type": "string",
"enum": [
"Enabled",
"Disabled",
"Enabled if Azure > Security Center > Enabled"
],
"example": [
"Enabled"
],
"default": "Enabled if Azure > Security Center > Enabled"
}

Azure > Security Center > Permissions > Levels

Define the permissions levels that can be used to grant access to Security Center in an
Azure Subscription. Permissions levels defined will appear in the UI to assign
access to Guardrails users.

URI
tmod:@turbot/azure-securitycenter#/policy/types/securityCenterServicePermissionsLevels
Default Template Input
[
"{\n item: subscription {\n turbot{\n id\n }\n }\n}\n",
"{\n availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyTypeId:'tmod:@turbot/azure-iam#/policy/types/permissionsLevelsDefault'\") {\n items {\n value\n }\n }\n}\n"
]
Default Template
"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"
Schema
{
"type": "array",
"items": {
"type": "string",
"enum": [
"User",
"Metadata",
"ReadOnly",
"Operator",
"Admin",
"Owner"
]
}
}

Azure > Security Center > Permissions > Levels > Modifiers

A map of Azure API operations to Guardrails permission levels used to customize Guardrails'
standard permissions. You can add, remove or redefine the mapping of
Azure API operations to Guardrails permission levels here.

example:
- "Microsoft.Security Center/Security Center/delete": operator
- "Microsoft.Security Center/Security Center/write": admin
- "Microsoft.Security Center/Security Center/read": readonly

URI
tmod:@turbot/azure-securitycenter#/policy/types/securityCenterServicePermissionsLevelsModifiers
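The Enabled, Permissions, Levels and Modifiers policies above interact: Permissions defaults to following the Enabled policy, and Modifiers overlay per-operation levels on the standard mapping. The following is an added example, not Guardrails code, that resolves those settings the way a reviewer would want to check them. The policy value strings and level names are copied from the policy types above; the base operation map, the rule that both "Enabled" variants satisfy the "Enabled if ..." condition, and the treatment of levels as cumulative in enum order are this example's own assumptions.

```python
"""Resolve the Security Center permissions policies on this page.

Added example; this is not Guardrails code. The policy value strings and
the permission level names are copied from the policy types above. The
base operation map, the rule that both "Enabled" variants satisfy the
"Enabled if ..." condition, and the assumption that levels are cumulative
in enum order are all this example's own assumptions.
"""
from typing import Dict, List

ENABLED_VALUES = {"Enabled", "Enabled: Metadata Only", "Disabled"}
PERMISSIONS_VALUES = {
    "Enabled",
    "Disabled",
    "Enabled if Azure > Security Center > Enabled",
}
# Ordered least to most privileged; cumulativeness is an assumption here.
LEVELS = ["User", "Metadata", "ReadOnly", "Operator", "Admin", "Owner"]
_LEVEL_BY_LOWER = {lvl.lower(): lvl for lvl in LEVELS}

# Modifier entries as shown in the example under "Levels > Modifiers":
# one {operation: level} map per list item. Note the lowercase levels.
EXAMPLE_MODIFIERS: List[Dict[str, str]] = [
    {"Microsoft.Security Center/Security Center/delete": "operator"},
    {"Microsoft.Security Center/Security Center/write": "admin"},
    {"Microsoft.Security Center/Security Center/read": "readonly"},
]

# Constructed base mapping standing in for the mod's standard permissions.
BASE_MAPPING: Dict[str, str] = {
    "Microsoft.Security Center/Security Center/read": "Metadata",
    "Microsoft.Security Center/Security Center/write": "Operator",
}


def permissions_in_effect(enabled: str, permissions: str) -> bool:
    """True when Security Center permission policies apply to the subscription."""
    if enabled not in ENABLED_VALUES:
        raise ValueError(f"invalid Enabled value: {enabled!r}")
    if permissions not in PERMISSIONS_VALUES:
        raise ValueError(f"invalid Permissions value: {permissions!r}")
    if permissions == "Enabled":
        return True
    if permissions == "Disabled":
        return False
    # "Enabled if Azure > Security Center > Enabled" follows the Enabled
    # policy. Assumed: "Enabled: Metadata Only" counts as enabled.
    return enabled != "Disabled"


def normalize_level(level: str) -> str:
    """Map a level written in any case ("operator") onto the enum spelling."""
    key = level.strip().lower()
    if key not in _LEVEL_BY_LOWER:
        raise ValueError(f"unknown permission level: {level!r}")
    return _LEVEL_BY_LOWER[key]


def apply_modifiers(base: Dict[str, str], modifiers: List[Dict[str, str]]) -> Dict[str, str]:
    """Overlay modifier entries on the base map: add new operations, redefine existing ones."""
    result = {op: normalize_level(lvl) for op, lvl in base.items()}
    for entry in modifiers:
        for op, lvl in entry.items():
            result[op] = normalize_level(lvl)
    return result


def allowed_operations(mapping: Dict[str, str], granted: str) -> List[str]:
    """Operations a user holding `granted` may call, assuming levels are cumulative."""
    rank = LEVELS.index(normalize_level(granted))
    return sorted(op for op, lvl in mapping.items() if LEVELS.index(lvl) <= rank)


if __name__ == "__main__":
    print(permissions_in_effect("Enabled: Metadata Only",
                                "Enabled if Azure > Security Center > Enabled"))
    effective = apply_modifiers(BASE_MAPPING, EXAMPLE_MODIFIERS)
    for op, lvl in sorted(effective.items()):
        print(f"{lvl:9s} {op}")
    print("Operator may call:", allowed_operations(effective, "Operator"))
```

Two points worth noticing when reviewing real settings: a modifier that lowers an operation's level (write: Operator -> Admin here raises it, but the reverse is equally possible) silently widens what every holder of the lower level can do, and level names in modifiers are case-insensitive in this example only because it normalizes them; a typo such as "readonly " with trailing whitespace or "reader" is rejected rather than ignored.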

Azure > Security Center > Security Center > Auto Provisioning

Determine whether to check or enforce Auto Provisioning settings for the Azure Security Center.

URI
tmod:@turbot/azure-securitycenter#/policy/types/securityCenterAutoProvisioning
Valid Value
[
"Skip",
"Check: Enabled",
"Check: Disabled",
"Enforce: Enabled",
"Enforce: Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Enabled",
"Check: Disabled",
"Enforce: Enabled",
"Enforce: Disabled"
],
"default": "Skip"
}

Azure > Security Center > Security Center > CMDB

Configure whether to record and synchronize details for the Azure
Security Center resource(s) into the CMDB.

The CMDB control is
responsible for populating and updating all the attributes for that
resource type in the Guardrails CMDB.

Note that if CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.

URI
tmod:@turbot/azure-securitycenter#/policy/types/securityCenterCmdb
Valid Value
[
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Security provider is Registered"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Enforce: Enabled",
"Enforce: Enabled if Security provider is Registered"
],
"example": [
"Skip"
],
"default": "Enforce: Enabled if Security provider is Registered"
}

Azure > Security Center > Security Center > Defender Plan

Configure Defender Plan settings on Azure > Security Center > Security Center.

URI
tmod:@turbot/azure-securitycenter#/policy/types/securityCenterDefenderPlan
Valid Value
[
"Skip",
"Check: Defender Plan Enabled",
"Check: Defender Plan Disabled",
"Enforce: Defender Plan Enabled",
"Enforce: Defender Plan Disabled"
]
Schema
{
"type": "string",
"enum": [
"Skip",
"Check: Defender Plan Enabled",
"Check: Defender Plan Disabled",
"Enforce: Defender Plan Enabled",
"Enforce: Defender Plan Disabled"
],
"default": "Skip"
}

Azure > Security Center > Security Center > Defender Plan > Resource Type

The resource types for which the Security Center's Defender Plan is to be configured.

URI
tmod:@turbot/azure-securitycenter#/policy/types/securityCenterDefenderPlanResourceType
Schema
{
"type": "array",
"items": {
"type": "string",
"enum": [
"App Service",
"Azure SQL Databases",
"Cloud Posture",
"Container registries",
"Containers",
"Cosmos DB",
"DNS",
"Key Vault",
"Kubernetes",
"Open-source relational databases",
"Resource Manager",
"Servers",
"SQL servers on machines",
"Storage"
]
},
"default": [
"App Service",
"Azure SQL Databases",
"Cloud Posture",
"Container registries",
"Containers",
"Cosmos DB",
"DNS",
"Key Vault",
"Kubernetes",
"Open-source relational databases",
"Resource Manager",
"Servers",
"SQL servers on machines",
"Storage"
]
}
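The Auto Provisioning and Defender Plan policies share the same Skip / Check / Enforce semantics, and the Defender Plan policy applies only to the resource types listed in the Resource Type policy. The following is an added example, not Guardrails code, that evaluates those values against a subscription's current state so the difference between a Check alarm and an Enforce remediation is explicit. The policy values and resource type names are copied from the policy types above; the current-state dictionary is constructed sample data, the translation of the display names to Azure pricing plan names (what a real control would read from Microsoft.Security/pricings) is left out, and treating a resource type absent from the current state as not enabled is this example's assumption.

```python
"""Evaluate Check/Enforce policy values against a subscription's current
Security Center configuration.

Added example; this is not Guardrails code. The policy value strings and
the Defender Plan resource type names are copied from the policy types
above. The current-state dictionary is constructed sample data, and the
translation of these display names to Azure pricing plan names is left
out. A resource type missing from the current state is treated as not
enabled, which is this example's assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

AUTO_PROVISIONING_VALUES: Set[str] = {
    "Skip", "Check: Enabled", "Check: Disabled",
    "Enforce: Enabled", "Enforce: Disabled",
}
DEFENDER_PLAN_VALUES: Set[str] = {
    "Skip", "Check: Defender Plan Enabled", "Check: Defender Plan Disabled",
    "Enforce: Defender Plan Enabled", "Enforce: Defender Plan Disabled",
}
DEFENDER_RESOURCE_TYPES: List[str] = [
    "App Service", "Azure SQL Databases", "Cloud Posture", "Container registries",
    "Containers", "Cosmos DB", "DNS", "Key Vault", "Kubernetes",
    "Open-source relational databases", "Resource Manager", "Servers",
    "SQL servers on machines", "Storage",
]


@dataclass(frozen=True)
class Verdict:
    subject: str
    desired: Optional[bool]  # None when the policy is Skip
    actual: bool             # state after evaluation (remediated on Enforce)
    state: str               # "skipped" | "ok" | "alarm" | "enforced"


def parse_policy(value: str) -> Tuple[Optional[str], Optional[bool]]:
    """Split "Enforce: Defender Plan Enabled" into ("Enforce", True); Skip -> (None, None)."""
    if value == "Skip":
        return None, None
    mode, sep, target = value.partition(": ")
    if not sep or mode not in ("Check", "Enforce"):
        raise ValueError(f"unrecognised policy value: {value!r}")
    last = target.rsplit(" ", 1)[-1]  # "Enabled" / "Disabled", with or without a subject prefix
    if last not in ("Enabled", "Disabled"):
        raise ValueError(f"unrecognised policy value: {value!r}")
    return mode, last == "Enabled"


def evaluate(subject: str, value: str, actual: bool, allowed: Set[str]) -> Verdict:
    """Compare one setting with the policy. Check only reports; Enforce changes it."""
    if value not in allowed:
        raise ValueError(f"{value!r} is not a valid value for {subject}")
    mode, desired = parse_policy(value)
    if mode is None:
        return Verdict(subject, None, actual, "skipped")
    if actual == desired:
        return Verdict(subject, desired, actual, "ok")
    if mode == "Check":
        return Verdict(subject, desired, actual, "alarm")
    return Verdict(subject, desired, desired, "enforced")


def evaluate_auto_provisioning(value: str, enabled: bool) -> Verdict:
    return evaluate("Auto Provisioning", value, enabled, AUTO_PROVISIONING_VALUES)


def evaluate_defender_plans(value: str, resource_types: List[str],
                            current: Dict[str, bool]) -> List[Verdict]:
    """Apply the Defender Plan policy to the resource types selected by the
    Resource Type policy only; types outside that list are never touched."""
    unknown = sorted(set(resource_types) - set(DEFENDER_RESOURCE_TYPES))
    if unknown:
        raise ValueError(f"not valid Defender Plan resource types: {unknown}")
    return [evaluate(rt, value, current.get(rt, False), DEFENDER_PLAN_VALUES)
            for rt in resource_types]


def plans_needing_change(verdicts: List[Verdict]) -> List[str]:
    """Resource types whose plan differed from the policy (alarmed or remediated)."""
    return [v.subject for v in verdicts if v.state in ("alarm", "enforced")]


# Constructed sample state: which Defender plans are currently on.
SAMPLE_PLANS: Dict[str, bool] = {"Servers": True, "Storage": False, "Key Vault": False, "DNS": True}

if __name__ == "__main__":
    print(evaluate_auto_provisioning("Check: Enabled", False))
    for v in evaluate_defender_plans("Enforce: Defender Plan Enabled",
                                     ["Servers", "Storage", "Key Vault"], SAMPLE_PLANS):
        print(v)
```

Note that "DNS" is enabled in the sample state but not in the selected resource types, so it is neither checked nor changed; narrowing the Resource Type policy is how you exclude plans you do not want Guardrails to manage, and a value such as "Check: Enabled" is rejected for the Defender Plan policy because its enum carries the "Defender Plan" wording.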

Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-securitycenter

A calculated policy that Guardrails uses to create a compiled list of ALL
permission levels for Azure Security Center that is used as input to the
stack that manages the Guardrails IAM permissions objects.

URI
tmod:@turbot/azure-securitycenter#/policy/types/azureLevelsCompiled

Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-securitycenter

A calculated policy that Guardrails uses to create a compiled list of ALL
permissions for Azure Security Center that is used as input to the control that manages
the IAM stack.

URI
tmod:@turbot/azure-securitycenter#/policy/types/azureCompiledServicePermissions