@turbot/azure-storage
The azure-storage mod contains resource, control and policy definitions for the Azure Storage service.
Recommended Version
@turbot/azure-iam ^5.0.0
@turbot/azure-provider ^5.0.0
@turbot/turbot ^5.22.0
@turbot/turbot-iam ^5.1.0
Resource Types
- Azure > Storage
- Azure > Storage > Container
- Azure > Storage > FileShare
- Azure > Storage > Queue
- Azure > Storage > Storage Account
Control Types
- Azure > Storage > Container > Active
- Azure > Storage > Container > Approved
- Azure > Storage > Container > CMDB
- Azure > Storage > Container > Discovery
- Azure > Storage > Container > Public Access Level
- Azure > Storage > FileShare > Active
- Azure > Storage > FileShare > Approved
- Azure > Storage > FileShare > CMDB
- Azure > Storage > FileShare > Discovery
- Azure > Storage > Queue > CMDB
- Azure > Storage > Queue > Discovery
- Azure > Storage > Storage Account > Access Keys
- Azure > Storage > Storage Account > Access Keys > Rotation Reminder
- Azure > Storage > Storage Account > Access Tier
- Azure > Storage > Storage Account > Active
- Azure > Storage > Storage Account > Approved
- Azure > Storage > Storage Account > CMDB
- Azure > Storage > Storage Account > Configured
- Azure > Storage > Storage Account > Data Protection
- Azure > Storage > Storage Account > Data Protection > Soft Delete
- Azure > Storage > Storage Account > Discovery
- Azure > Storage > Storage Account > Encryption in Transit
- Azure > Storage > Storage Account > Firewall
- Azure > Storage > Storage Account > Firewall > Exceptions
- Azure > Storage > Storage Account > Firewall > IP Ranges
- Azure > Storage > Storage Account > Firewall > IP Ranges > Approved
- Azure > Storage > Storage Account > Firewall > IP Ranges > Required
- Azure > Storage > Storage Account > Firewall > Virtual Networks
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Required
- Azure > Storage > Storage Account > Minimum TLS Version
- Azure > Storage > Storage Account > Public Access
- Azure > Storage > Storage Account > Queue
- Azure > Storage > Storage Account > Queue > Logging
- Azure > Storage > Storage Account > Tags
Policy Types
- Azure > Storage > Approved Regions [Default]
- Azure > Storage > Container > Active
- Azure > Storage > Container > Active > Age
- Azure > Storage > Container > Active > Last Modified
- Azure > Storage > Container > Approved
- Azure > Storage > Container > Approved > Custom
- Azure > Storage > Container > Approved > Usage
- Azure > Storage > Container > CMDB
- Azure > Storage > Container > Public Access Level
- Azure > Storage > Enabled
- Azure > Storage > FileShare > Active
- Azure > Storage > FileShare > Active > Age
- Azure > Storage > FileShare > Active > Last Modified
- Azure > Storage > FileShare > Approved
- Azure > Storage > FileShare > Approved > Custom
- Azure > Storage > FileShare > Approved > Usage
- Azure > Storage > FileShare > CMDB
- Azure > Storage > Permissions
- Azure > Storage > Permissions > Levels
- Azure > Storage > Permissions > Levels > Modifiers
- Azure > Storage > Queue > CMDB
- Azure > Storage > Regions
- Azure > Storage > Storage Account > Access Keys
- Azure > Storage > Storage Account > Access Keys > Rotation Reminder
- Azure > Storage > Storage Account > Access Keys > Rotation Reminder > Days
- Azure > Storage > Storage Account > Access Tier
- Azure > Storage > Storage Account > Active
- Azure > Storage > Storage Account > Active > Age
- Azure > Storage > Storage Account > Active > Last Modified
- Azure > Storage > Storage Account > Approved
- Azure > Storage > Storage Account > Approved > Azure Datalake Storage
- Azure > Storage > Storage Account > Approved > Custom
- Azure > Storage > Storage Account > Approved > Regions
- Azure > Storage > Storage Account > Approved > Usage
- Azure > Storage > Storage Account > CMDB
- Azure > Storage > Storage Account > Configured
- Azure > Storage > Storage Account > Configured > Claim Precedence
- Azure > Storage > Storage Account > Configured > Source
- Azure > Storage > Storage Account > Data Protection
- Azure > Storage > Storage Account > Data Protection > Soft Delete
- Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs
- Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs > Retention Days
- Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers
- Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers > Retention Days
- Azure > Storage > Storage Account > Encryption in Transit
- Azure > Storage > Storage Account > Firewall
- Azure > Storage > Storage Account > Firewall > Exceptions
- Azure > Storage > Storage Account > Firewall > Exceptions > Items
- Azure > Storage > Storage Account > Firewall > IP Ranges
- Azure > Storage > Storage Account > Firewall > IP Ranges > Approved
- Azure > Storage > Storage Account > Firewall > IP Ranges > Approved > CIDR Ranges
- Azure > Storage > Storage Account > Firewall > IP Ranges > Approved > Compiled Rules
- Azure > Storage > Storage Account > Firewall > IP Ranges > Approved > Rules
- Azure > Storage > Storage Account > Firewall > IP Ranges > Required
- Azure > Storage > Storage Account > Firewall > IP Ranges > Required > Items
- Azure > Storage > Storage Account > Firewall > Virtual Networks
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved > Compiled Rules
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved > Rules
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved > Subnets
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Required
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Required > Items
- Azure > Storage > Storage Account > Minimum TLS Version
- Azure > Storage > Storage Account > Public Access
- Azure > Storage > Storage Account > Queue
- Azure > Storage > Storage Account > Queue > Logging
- Azure > Storage > Storage Account > Queue > Logging > Properties
- Azure > Storage > Storage Account > Queue > Logging > Properties > Retention Days
- Azure > Storage > Storage Account > Regions
- Azure > Storage > Storage Account > Tags
- Azure > Storage > Storage Account > Tags > Template
- Azure > Storage > Tags Template [Default]
- Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-storage
- Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-storage
Release Notes
5.17.1 (2024-04-26)
Bug fixes
- The Azure > Storage > Storage Account > Data Protection control would go into an error state when container delete retention policy data was not available in CMDB. This issue is fixed and the control will now work as expected.
5.17.0 (2024-04-22)
Control Types
- Azure > Storage > Storage Account > Access Keys
- Azure > Storage > Storage Account > Access Keys > Rotation Reminder
- Azure > Storage > Storage Account > Data Protection
- Azure > Storage > Storage Account > Data Protection > Soft Delete
Policy Types
- Azure > Storage > Storage Account > Access Keys
- Azure > Storage > Storage Account > Access Keys > Rotation Reminder
- Azure > Storage > Storage Account > Access Keys > Rotation Reminder > Days
- Azure > Storage > Storage Account > Data Protection
- Azure > Storage > Storage Account > Data Protection > Soft Delete
- Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs
- Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs > Retention Days
- Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers
- Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers > Retention Days
Action Types
- Azure > Storage > Storage Account > Set Data Protection Soft Delete
- Azure > Storage > Storage Account > Update Rotation Reminder
5.16.1 (2024-04-12)
Bug fixes
- The Azure > Storage > Storage Account > Queue > Logging control would go into a skipped state for storage accounts, irrespective of any policy setting for Logging. This issue is fixed and the control will now work as expected.
5.16.0 (2024-04-01)
What's new?
- Storage Account CMDB data will now also include details about the account's blob service properties.
5.15.0 (2024-02-01)
What's new?
- We've updated the runtime of the lambda functions to Node 18. You won't notice any difference, and things will continue to work smoothly and consistently as before.
5.14.0 (2023-06-16)
What's new?
- Resource metadata will now also include createdBy details in Guardrails CMDB.
5.13.2 (2023-04-03)
Bug fixes
- The Azure > Storage > Queue > CMDB control would go into an error state while trying to fetch Queue access policies if key-based authentication was not permitted on the parent storage account. This is fixed: the control will no longer try to fetch the Queue access policies in such cases, and will work as expected.
5.13.1 (2023-03-16)
Bug fixes
- The Azure > Storage > Storage Account > CMDB control would go into an error state while trying to fetch default Queue details if key-based authentication was not permitted on the storage account. This is fixed: the control will no longer try to fetch default Queue details in such cases, and will work as expected.
5.13.0 (2022-12-26)
What's new?
- All Azure > Storage resource types now support China Cloud regions.
5.12.2 (2022-03-01)
Bug fixes
- The Azure > Storage > Storage Account > Public Access control would sometimes incorrectly evaluate the outcome if the Azure > Storage > Storage Account > Public Access policy was set to Enforce: Disabled. This issue is fixed and the control now works as expected.
5.12.1 (2022-02-25)
Bug fixes
- The Azure > Storage > Queue > Discovery control would fail to discover the queues and incorrectly move to an error state when an Azure > Storage > Storage Account was created using a private endpoint with IP address restrictions. This is fixed and the control will now work as expected.
5.12.0 (2022-02-18)
What's new?
- Users can now create their own custom checks against resource attributes in the Approved control using the Approved > Custom policy. These custom checks become part of the evaluation of the Approved control. Custom messages can also be added, which are then displayed in the control details table. See Custom Checks for more information.
Bug fixes
- We've improved the process of deleting resources from Guardrails if their CMDB policy was set to Enforce: Disabled. The CMDB controls will no longer look to resolve credentials via Guardrails' IAM role while deleting resources from Guardrails. This will allow the CMDB controls to process resource deletions from Guardrails more reliably than before.
Policy Types
- Azure > Storage > Container > Approved > Custom
- Azure > Storage > FileShare > Approved > Custom
- Azure > Storage > Storage Account > Approved > Custom
5.11.0 (2021-11-26)
What's new?
- Users can now clean up resources and stop tracking changes for storage queues in Guardrails. To get started, set the Azure > Storage > Queue > CMDB policy to Enforce: Disabled.
Bug fixes
- The Azure > Storage > Storage Account > Public Access control would sometimes evaluate the outcome incorrectly when the public access setting on a storage account was null by default. This is now fixed.
5.10.1 (2021-10-21)
Bug fixes
- The Azure > Storage > Queue > Discovery control would incorrectly go into an invalid state when the storage provider was not registered. This is fixed and the control would now move to a skipped state instead for such cases.
5.10.0 (2021-08-06)
What's new?
- We've improved the details tables in the Tags controls to be more helpful, especially when a resource's tags are not set correctly as expected. Previously, to understand why the Tags controls were in an Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.
Bug fixes
- Previously, if the Azure > Storage > Storage Account > CMDB control was in an error state, we'd still try to run the Azure > Storage > Queue > Discovery control to discover queues under the storage account, which resulted in an error. The Azure > Storage > Queue > Discovery control is now dependent on the Azure > Storage > Storage Account > CMDB control and will try to discover queues only if the parent storage account's CMDB control is not in an error state.
- We've made a few improvements in the GraphQL queries for various router actions. You won't notice any difference, but things should run lighter and quicker than before.
Control Types
- Azure > Storage > Storage Account > Minimum TLS Version
Policy Types
- Azure > Storage > Storage Account > Minimum TLS Version
Action Types
- Azure > Storage > Storage Account > Set Minimum TLS Version
5.9.0 (2021-03-12)
What's new?
- We've improved the state reasons and details tables in various Approved and Active controls to be more helpful, especially when a resource is unapproved or inactive. Previously, to understand why one of these controls is in Alarm state, you would need to find and read the control's process logs. This felt like too much work for a simple task, so now these details are visible directly from the control page.
Bug fixes
- The Azure > Storage > Storage Account > CMDB control will now not attempt to fetch the default queue details for the storage account if the Azure > Storage > Queue > CMDB policy is set to Skip.
5.8.3 (2021-02-02)
Bug fixes
- The Azure > Storage > Container > Discovery control would go into an error state for FileStorage kind storage accounts, since they don't support containers. From now on the Azure > Storage > Container > Discovery control will move to Skip in such cases.
5.8.2 (2021-01-22)
Bug fixes
- Controls run faster now when in the tbd and skipped states thanks to the new Guardrails Precheck feature (not to be confused with TSA PreCheck). With Guardrails Precheck, controls avoid running GraphQL input queries when in tbd and skipped, resulting in faster and lighter control runs.
5.8.1 (2020-12-23)
Bug fixes
- The Azure > Storage > Storage Account > Firewall > IP Ranges > Approved > CIDR Ranges policy data validation failed if the last octet of a public IP was less than 10. This is now fixed.
5.8.0 (2020-12-09)
What's new?
- With the addition of the Azure > Storage > Container > Public Access Level and Azure > Storage > Storage Account > Public Access controls, you can now configure and restrict public access for containers and storage accounts by setting the Azure > Storage > Container > Public Access Level and Azure > Storage > Storage Account > Public Access policies respectively.
Control Types
- Azure > Storage > Container > Public Access Level
- Azure > Storage > Storage Account > Public Access
Policy Types
- Azure > Storage > Container > Public Access Level
- Azure > Storage > Storage Account > Public Access
Action Types
- Azure > Storage > Container > Set Public Access Level
- Azure > Storage > Storage Account > Set Public Access
5.7.1 (2020-11-13)
Bug fixes
- We've fixed a syntax error that would cause the Azure > Storage > Storage Account > Firewall control to always go into an error state.
5.7.0 (2020-11-10)
What's new?
- We've added guardrails to help secure access to your storage accounts' public endpoints. All storage accounts have public endpoints that are accessible through the internet by default. This access can be limited to specific IP ranges, virtual network subnets, and trusted Microsoft services by defining firewall and virtual network rules.
To get started configuring these rules through Guardrails, the following policies should be set according to your desired firewall rules configuration:
- Azure > Storage > Storage Account > Firewall - Configure default access rules for the public endpoint
- Azure > Storage > Storage Account > Firewall > Exceptions - Configure trusted Microsoft services
- Azure > Storage > Storage Account > Firewall > IP Ranges > Approved - Remove unapproved IP ranges
- Azure > Storage > Storage Account > Firewall > IP Ranges > Required - Grant access to specific IP ranges
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved - Remove unapproved virtual network subnets
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Required - Grant access to specific virtual network subnets
Please note that if the Azure > Storage > Storage Account > Firewall policy is set to Enforce: Allow only approved virtual networks and IP ranges, only applications in the configured IP ranges, virtual network subnets, and trusted Microsoft services will be allowed to access the storage accounts. If these boundaries are not properly configured beforehand, or an application is outside of these boundaries, it will lose access to the storage accounts.
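To make the Approved / Required / Exceptions interplay concrete, here is an added Python example (not code from the @turbot/azure-storage mod) that evaluates a storage account's public-endpoint rules against those policy settings and reports the changes an enforcing control would make. It assumes a network rule set in the shape Azure returns (defaultAction, bypass, ipRules) and reduces the policy values to plain Python lists; all sample data is constructed.

```python
import ipaddress

# Constructed sample data (not from the mod): a storage account network rule
# set in the shape Azure returns (defaultAction, bypass, ipRules) and the
# Firewall policy settings described above, reduced to plain Python values.
SAMPLE_RULE_SET = {
    "defaultAction": "Allow",
    "bypass": "None",
    "ipRules": [
        {"value": "203.0.113.5", "action": "Allow"},      # last octet < 10, cf. 5.8.1
        {"value": "198.51.100.0/24", "action": "Allow"},
        {"value": "192.0.2.77", "action": "Allow"},       # not in an approved range
    ],
}
SAMPLE_POLICY = {
    "firewall": "Enforce: Allow only approved virtual networks and IP ranges",
    "approved_cidrs": ["203.0.113.0/24", "198.51.100.0/24"],  # IP Ranges > Approved > CIDR Ranges
    "required_ips": ["203.0.113.5", "203.0.113.9"],          # IP Ranges > Required > Items
    "exceptions": ["AzureServices"],                          # Exceptions > Items
}


def parse_network(value):
    """Accept a single address ("203.0.113.5" becomes a /32) or a CIDR block.
    ipaddress does not care how many digits an octet has, so addresses whose
    last octet is below 10 validate like any other."""
    return ipaddress.ip_network(value, strict=False)


def validate_cidr_ranges(values):
    """Return the entries that are not valid IP addresses or CIDR blocks."""
    invalid = []
    for value in values:
        try:
            parse_network(value)
        except ValueError:
            invalid.append(value)
    return invalid


def is_within(net, allowed):
    """True if net lies inside any allowed block of the same IP version."""
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def evaluate_firewall(rule_set, policy):
    """Compare an account's public endpoint rules with the policy settings and
    return the changes an enforcing control would apply; empty lists and None
    mean that part is already compliant."""
    approved = [parse_network(c) for c in policy["approved_cidrs"]]
    required = [parse_network(c) for c in policy["required_ips"]]
    current = [parse_network(r["value"]) for r in rule_set["ipRules"]]
    bypass = {b.strip() for b in rule_set["bypass"].split(",")} - {"None"}
    changes = {
        # Approved: rules outside every approved CIDR are removed.
        "remove_ip_rules": [str(n) for n in current if not is_within(n, approved)],
        # Required: listed ranges are added when missing.
        "add_ip_rules": [str(n) for n in required if n not in current],
        # A required range that is not also approved would be added and then
        # removed on the next run; surface the conflict instead of flapping.
        "conflicts": [str(n) for n in required if not is_within(n, approved)],
        "set_default_action": None,
        "set_bypass": None,
    }
    if (policy["firewall"].startswith("Enforce: Allow only approved")
            and rule_set["defaultAction"] != "Deny"):
        changes["set_default_action"] = "Deny"
    if set(policy["exceptions"]) != bypass:
        changes["set_bypass"] = ",".join(sorted(policy["exceptions"]))
    changes["compliant"] = not any(
        changes[k] for k in ("remove_ip_rules", "add_ip_rules", "conflicts",
                              "set_default_action", "set_bypass"))
    return changes


if __name__ == "__main__":
    print(validate_cidr_ranges(["203.0.113.5", "not-an-ip"]))
    print(evaluate_firewall(SAMPLE_RULE_SET, SAMPLE_POLICY))
```

Run it against a rule set exported from your own account before switching the Firewall policy to Enforce, so the remove list tells you which callers would lose access.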
- We've made improvements to how Approved controls interact with CMDB policies and controls for more reliable approved checks. Now, if a resource's CMDB policy is set to Skip, its Approved control will move to invalid to prevent the Approved control from making a decision based on outdated information. Also, Approved controls will now wait until the resource's CMDB control has run at least once to ensure the required data is available.
Bug fixes
- We've updated the Discovery controls for resources to now move to skipped instead of invalid if the provider is disabled in the subscription and the Azure > Provider > {service} > Registered policy is checking if the provider is disabled. This will reduce the amount of noisy controls that cannot be easily resolved without making changes to the provider.
Control Types
- Azure > Storage > Storage Account > Firewall
- Azure > Storage > Storage Account > Firewall > Exceptions
- Azure > Storage > Storage Account > Firewall > IP Ranges
- Azure > Storage > Storage Account > Firewall > IP Ranges > Approved
- Azure > Storage > Storage Account > Firewall > IP Ranges > Required
- Azure > Storage > Storage Account > Firewall > Virtual Networks
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Required
Policy Types
- Azure > Storage > Storage Account > Firewall
- Azure > Storage > Storage Account > Firewall > Exceptions
- Azure > Storage > Storage Account > Firewall > Exceptions > Items
- Azure > Storage > Storage Account > Firewall > IP Ranges
- Azure > Storage > Storage Account > Firewall > IP Ranges > Approved
- Azure > Storage > Storage Account > Firewall > IP Ranges > Approved > CIDR Ranges
- Azure > Storage > Storage Account > Firewall > IP Ranges > Approved > Compiled Rules
- Azure > Storage > Storage Account > Firewall > IP Ranges > Approved > Rules
- Azure > Storage > Storage Account > Firewall > IP Ranges > Required
- Azure > Storage > Storage Account > Firewall > IP Ranges > Required > Items
- Azure > Storage > Storage Account > Firewall > Virtual Networks
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved > Compiled Rules
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved > Rules
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved > Subnets
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Required
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Required > Items
Action Types
- Azure > Storage > Storage Account > Update Firewall Default Access Rule
- Azure > Storage > Storage Account > Update Firewall Exceptions
- Azure > Storage > Storage Account > Update Firewall IP Ranges
- Azure > Storage > Storage Account > Update Firewall Virtual Networks
5.6.0 (2020-10-15)
What's new?
- We've made improvements to how Approved controls interact with CMDB policies and controls for more reliable approved checks. Now, if a resource's CMDB policy is set to Skip, its Approved control will move to invalid to prevent the Approved control from making a decision based on outdated information. Also, Approved controls will now wait until the resource's CMDB control has run at least once to ensure the required data is available.
5.5.0 (2020-09-28)
What's new?
- We've made improvements to how Active controls interact with CMDB policies and controls for more reliable active checks. Now, if a resource's CMDB policy is set to Skip, its Active control will move to invalid to prevent the Active control from making a decision based on outdated information. Also, Active controls will now wait until the resource's CMDB control has run at least once to ensure the required data is available.
5.4.0 (2020-09-22)
What's new?
- The Azure > Storage > Storage Account > Configured policy now includes the following new policy values:
- Skip if using Configured > Source
- Check: Configured if using Configured > Source
- Enforce: Configured if using Configured > Source
These new values will replace the following current values, which have been deprecated and will be removed in the next major version:
- Skip (unless claimed by a stack)
- Check: Per Configured > Source (unless claimed by a stack)
- Enforce: Per Configured > Source (unless claimed by a stack)
We recommend that you update your policy settings to use the new values, as these have replaced the deprecated values and are backwards compatible.
Policy Types
Renamed
- Azure > Storage > Storage Account > Configured > Precedence to Azure > Storage > Storage Account > Configured > Claim Precedence
5.3.0 (2020-08-27)
What's new?
- Discovery controls now have their own control category, CMDB > Discovery, to allow for easier filtering separately from other CMDB controls.
- We've renamed the service's default regions policy from Regions [Default] to Regions to be consistent with our other regions policies.
5.2.3 (2020-07-24)
Bug fixes
- When deleting inactive resources through an Active control, different warning periods in days can be set to delay deletion. We recently identified a bug that would cause these warning periods to be ignored, and any inactive resources would be deleted immediately. This bug has been fixed and now all Active controls will abide by the warning period set in the policy value.
5.2.2 (2020-06-10)
Bug fixes
- Discovery controls for queue and fileshare resources remained in error state due to an invalid syntax. This issue has now been fixed.
5.2.1 (2020-06-09)
Bug fixes
- Since Azure premium storage accounts do not support queues and fileshares, their CMDB controls will now remain in skipped state instead of being in error.
5.2.0 (2020-06-09)
What's new?
- The Storage Account's Approved control is now equipped with the Azure > Storage > Storage Account > Approved > Azure Datalake Storage policy, which checks whether Azure Datalake Storage is enabled or disabled in the Storage Account.
Policy Types
- Azure > Storage > Storage Account > Approved > Azure Datalake Storage
5.1.7 (2020-06-04)
Bug fixes
- Sometimes when the Azure > Storage > Storage Account > Access Tier control would set a storage account's access tier to hot or cold, the control would not re-run automatically after the access tier was updated and would remain in alarm state. This has been fixed.
5.1.6 (2020-06-03)
What's new?
- All resource Router actions now run even if Guardrails is outside of its allowed change window. This allows Guardrails to maintain an up-to-date CMDB by handling resource updates at all times. Note that this only affects Guardrails' ability to process resource changes that were made in the cloud provider - enforcement actions are still disabled outside of the change window.
5.1.5 (2020-05-12)
Bug fixes
- Links to documentation in the descriptions for several controls and policies were broken. These links have now been fixed.
Policy Types
Removed
- Azure > Storage > Container > Regions
5.1.4 (2020-04-22)
Bug fixes
- Queue CMDB and Discovery controls in the Azure Government regions failed to connect to the API due to use of an invalid service URL. This has been fixed and the controls are running smoothly again.