Control types for @turbot/azure-storage
- Azure > Storage > Container > Active
- Azure > Storage > Container > Approved
- Azure > Storage > Container > CMDB
- Azure > Storage > Container > Discovery
- Azure > Storage > Container > Public Access Level
- Azure > Storage > FileShare > Active
- Azure > Storage > FileShare > Approved
- Azure > Storage > FileShare > CMDB
- Azure > Storage > FileShare > Discovery
- Azure > Storage > Queue > CMDB
- Azure > Storage > Queue > Discovery
- Azure > Storage > Storage Account > Access Keys
- Azure > Storage > Storage Account > Access Keys > Rotation Reminder
- Azure > Storage > Storage Account > Access Tier
- Azure > Storage > Storage Account > Active
- Azure > Storage > Storage Account > Approved
- Azure > Storage > Storage Account > CMDB
- Azure > Storage > Storage Account > Configured
- Azure > Storage > Storage Account > Data Protection
- Azure > Storage > Storage Account > Data Protection > Soft Delete
- Azure > Storage > Storage Account > Discovery
- Azure > Storage > Storage Account > Encryption in Transit
- Azure > Storage > Storage Account > Firewall
- Azure > Storage > Storage Account > Firewall > Exceptions
- Azure > Storage > Storage Account > Firewall > IP Ranges
- Azure > Storage > Storage Account > Firewall > IP Ranges > Approved
- Azure > Storage > Storage Account > Firewall > IP Ranges > Required
- Azure > Storage > Storage Account > Firewall > Virtual Networks
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Required
- Azure > Storage > Storage Account > Minimum TLS Version
- Azure > Storage > Storage Account > Public Access
- Azure > Storage > Storage Account > Queue
- Azure > Storage > Storage Account > Queue > Logging
- Azure > Storage > Storage Account > Tags
Azure > Storage > Container > Active
Take an action when an Azure Storage container is not active based on the Azure > Storage > Container > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete or clean up the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time-consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the
resource (Azure > Storage > Container > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note: This contrasts with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/azure-storage#/control/types/containerActive
Azure > Storage > Container > Approved
Take an action when an Azure Storage container is not approved based on Azure > Storage > Container > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/azure-storage#/control/types/containerApproved
Azure > Storage > Container > CMDB
Record and synchronize details for the Azure Storage container into the CMDB.
The CMDB control is
responsible for populating and updating all the attributes for that
resource type in the Guardrails CMDB.
Note: If CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.
tmod:@turbot/azure-storage#/control/types/containerCmdb
Azure > Storage > Container > Discovery
Discover all Azure Storage container resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
tmod:@turbot/azure-storage#/control/types/containerDiscovery
Azure > Storage > Container > Public Access Level
Define the Public Access Level settings required for Azure > Storage > Container.
The Public Access Level control determines whether the public access level for an Azure Storage Container should be set to Private, Blob or Container.
Enabling a public access level on a container grants anonymous read access to blobs only, or to both blobs and containers.
tmod:@turbot/azure-storage#/control/types/containerPublicAccessLevel
Azure > Storage > FileShare > Active
Take an action when an Azure Storage fileshare is not active based on the Azure > Storage > FileShare > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete or clean up the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time-consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the
resource (Azure > Storage > FileShare > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note: This contrasts with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/azure-storage#/control/types/fileShareActive
Azure > Storage > FileShare > Approved
Take an action when an Azure Storage fileshare is not approved based on Azure > Storage > FileShare > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/azure-storage#/control/types/fileShareApproved
Azure > Storage > FileShare > CMDB
Record and synchronize details for the Azure Storage fileshare into the CMDB.
The CMDB control is
responsible for populating and updating all the attributes for that
resource type in the Guardrails CMDB.
Note: If CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.
This control will automatically re-run every 24 hours because Azure does not currently support real-time events for this resource type.
tmod:@turbot/azure-storage#/control/types/fileShareCmdb
Azure > Storage > FileShare > Discovery
Discover all Azure Storage fileshare resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
tmod:@turbot/azure-storage#/control/types/fileShareDiscovery
Azure > Storage > Queue > CMDB
Record and synchronize details for the Azure Storage queue into the CMDB.
The CMDB control is
responsible for populating and updating all the attributes for that
resource type in the Guardrails CMDB.
Note: If CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.
tmod:@turbot/azure-storage#/control/types/queueCmdb
Azure > Storage > Queue > Discovery
Discover all Azure Storage queue resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
Note: Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in the Azure > Storage > Queue > Regions policy, the CMDB control will delete the resource from the CMDB.
tmod:@turbot/azure-storage#/control/types/queueDiscovery
Azure > Storage > Storage Account > Access Keys
tmod:@turbot/azure-storage#/control/types/storageAccountAccessKeys
Azure > Storage > Storage Account > Access Keys > Rotation Reminder
Configure the access keys rotation reminder settings required for Azure > Storage > Storage Account.
Enabling a rotation reminder on a Storage Account will ensure that access keys can be rotated regularly to maintain high security.
tmod:@turbot/azure-storage#/control/types/storageAccountAccessKeysRotationReminder
Azure > Storage > Storage Account > Access Tier
Configure the Azure Storage storage account access tier.
tmod:@turbot/azure-storage#/control/types/storageAccountAccessTier
Azure > Storage > Storage Account > Active
Take an action when an Azure Storage storage account is not active based on the Azure > Storage > Storage Account > Active > * policies.
The Active control determines whether the resource is in active use, and if not, has
the ability to delete or clean up the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time-consuming to clear. The Active control brings automated, well-defined
control to this process.
The Active control checks the status of all defined Active policies for the
resource (Azure > Storage > Storage Account > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note: This contrasts with Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/azure-storage#/control/types/storageAccountActive
Azure > Storage > Storage Account > Approved
Take an action when an Azure Storage storage account is not approved based on Azure > Storage > Storage Account > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/azure-storage#/control/types/storageAccountApproved
Azure > Storage > Storage Account > CMDB
Record and synchronize details for the Azure Storage storage account into the CMDB.
The CMDB control is
responsible for populating and updating all the attributes for that
resource type in the Guardrails CMDB.
Note: If CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.
CMDB controls also use the Regions policy associated with the resource. If
the region is not in the Azure > Storage > Storage Account > Regions policy,
the CMDB control will delete the resource from the CMDB.
tmod:@turbot/azure-storage#/control/types/storageAccountCmdb
Azure > Storage > Storage Account > Configured
Maintain Azure > Storage > Storage Account configuration.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and are inherited from the stack that owns it.
tmod:@turbot/azure-storage#/control/types/storageAccountConfigured
Azure > Storage > Storage Account > Data Protection
tmod:@turbot/azure-storage#/control/types/storageAccountDataProtection
Azure > Storage > Storage Account > Data Protection > Soft Delete
Configure the data protection soft delete settings required for Azure > Storage > Storage Account.
Soft delete provides an additional layer of data protection that allows you to recover data that has been accidentally deleted or overwritten.
tmod:@turbot/azure-storage#/control/types/storageAccountDataProtectionSoftDelete
Azure > Storage > Storage Account > Discovery
Discover all Azure Storage storage account resources and add them to the CMDB.
The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.
Note: Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in the Azure > Storage > Storage Account > Regions policy, the CMDB control will delete the resource from the CMDB.
tmod:@turbot/azure-storage#/control/types/storageAccountDiscovery
Azure > Storage > Storage Account > Encryption in Transit
Determine whether or not the storage account should enforce encryption in transit.
tmod:@turbot/azure-storage#/control/types/storageAccountencryptionInTransit
Azure > Storage > Storage Account > Firewall
Determine the firewall settings required for Azure > Storage > Storage Account.
Azure Storage provides a layered security model. It enables you to secure and control the level of access to your storage accounts that your applications and enterprise environments demand, based on the type and subset of networks used.
tmod:@turbot/azure-storage#/control/types/storageAccountFirewall
Azure > Storage > Storage Account > Firewall > Exceptions
Define the firewall exceptions for the Azure Storage storage account.
Some applications depend on Azure services or storage account logs and metrics that cannot be uniquely isolated through virtual network or IP address rules. Firewall exceptions allow you to define these exceptions, granting access to the storage account's data, logs, and metrics.
For more information on firewall exceptions, please see Azure Storage Firewall Exceptions.
tmod:@turbot/azure-storage#/control/types/storageAccountFirewallExceptions
Azure > Storage > Storage Account > Firewall > IP Ranges
tmod:@turbot/azure-storage#/control/types/storageAccountFirewallIpRanges
Azure > Storage > Storage Account > Firewall > IP Ranges > Approved
Configure firewall IP address range checking. This control defines whether
to verify the firewall IP address ranges are approved, as well as the
subsequent action to take on unapproved items. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then evaluated.
If set to Enforce: Delete unapproved, any unapproved IP address ranges
will be deleted from the firewall.
tmod:@turbot/azure-storage#/control/types/storageAccountFirewallIpRangesApproved
Azure > Storage > Storage Account > Firewall > IP Ranges > Required
Configure firewall IP address range checking. This control defines whether
to verify the firewall IP address ranges are required, as well as the
subsequent action to take on required items.
If set to Enforce: Required > Items, the required IP address ranges
will be added to the firewall.
tmod:@turbot/azure-storage#/control/types/storageAccountFirewallIpRangesRequired
Azure > Storage > Storage Account > Firewall > Virtual Networks
tmod:@turbot/azure-storage#/control/types/storageAccountFirewallVirtualNetworks
Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved
Configure firewall virtual networks checking. This control defines whether
to verify the firewall virtual networks are approved, as well as the
subsequent action to take on unapproved items. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then evaluated.
If set to Enforce: Delete unapproved, any unapproved virtual networks
will be deleted from the firewall.
tmod:@turbot/azure-storage#/control/types/storageAccountFirewallVirtualNetworksApproved
Azure > Storage > Storage Account > Firewall > Virtual Networks > Required
Configure firewall virtual networks checking. This control defines whether
to verify the firewall virtual networks are required, as well as the
subsequent action to take on required items.
If set to Enforce: Required > Items, the required virtual networks
will be added to the firewall.
tmod:@turbot/azure-storage#/control/types/storageAccountFirewallVirtualNetworksRequired
Azure > Storage > Storage Account > Minimum TLS Version
Define the Minimum TLS Version setting required for Azure > Storage > Storage Account.
tmod:@turbot/azure-storage#/control/types/storageAccountMinimumTlsVersion
Azure > Storage > Storage Account > Public Access
Define the Public Access settings required for Azure > Storage > Storage Account.
The Public Access control determines whether public access for an Azure Storage Account should be Enabled or Disabled.
Enabling public access on a storage account permits container ACLs to be configured to allow anonymous access to blobs within the storage account.
tmod:@turbot/azure-storage#/control/types/storageAccountPublicAccess
Azure > Storage > Storage Account > Queue
tmod:@turbot/azure-storage#/control/types/queueService
Azure > Storage > Storage Account > Queue > Logging
Take an action when Azure Storage Account logging for queue service is not configured based on Azure > Storage > Storage Account > Queue > Logging > * policies.
The logging control checks if logging is configured correctly for the queue service. If the resource is not configured according to any of these policies, this control raises an alarm and takes the defined enforcement action.
tmod:@turbot/azure-storage#/control/types/queueServiceLogging
Azure > Storage > Storage Account > Tags
Take an action when the tags of an Azure Storage storage account are not updated based on the Azure > Storage > Storage Account > Tags > * policies.
If the resource is not updated with the tags defined in Azure > Storage > Storage Account > Tags > Template, this control raises an alarm and takes the defined enforcement action.
See Tags for more information.
tmod:@turbot/azure-storage#/control/types/storageAccountTags