Control types for @turbot/azure-storage

Azure > Storage > Container > Active

Take an action when an Azure Storage container is not active based on the
Azure > Storage > Container > Active > * policies.

The Active control determines whether the resource is in active use and, if not, can
delete or clean up the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time-consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Storage > Container > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: This is the opposite of Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-storage#/control/types/containerActive

Azure > Storage > Container > Approved

Take an action when an Azure Storage container is not approved based on Azure > Storage > Container > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For enforcement settings that specify "if new", e.g., Enforce: Delete unapproved if new, this control only takes the enforcement action on resources created within the last 60 minutes; an unapproved resource older than that still raises an alarm but is not deleted.

See Approved for more information.

URI
tmod:@turbot/azure-storage#/control/types/containerApproved
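
The two aggregation rules above are easy to get backwards: Active resolves to active on a single active vote, Approved resolves to unapproved on a single unapproved vote, and skipped sub-policies never decide either. The following Python is an added example, not code from the Guardrails mod or this page; it models the documented behaviour, including the 60-minute "if new" window, with constructed sub-policy results and simplified setting names ("Skip", "Check", "Enforce: Delete unapproved", "Enforce: Delete unapproved if new") that stand in for the real policy values.

```python
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is deterministic (constructed value).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
CREATED_RECENTLY = NOW - timedelta(minutes=10)  # inside the 60-minute "if new" window
CREATED_LONG_AGO = NOW - timedelta(days=3)      # outside it
NEW_RESOURCE_WINDOW = timedelta(minutes=60)     # the window documented for "if new"

# Constructed outcomes of the sub-policies for one container. The keys are
# placeholders, not the real Azure > Storage > Container > Active > * or
# > Approved > * policy names.
ACTIVE_RESULTS = {"Last Modified": "inactive", "Budget": "skipped", "Age": "active"}
APPROVED_RESULTS = {"Usage": "approved", "Regions": "unapproved", "Custom": "skipped"}


def _votes(results):
    """Skipped sub-policies never decide the outcome, so drop them first."""
    return [v for v in results.values() if v != "skipped"]


def active_status(results):
    """Active aggregation: a single 'active' vote makes the resource active."""
    votes = _votes(results)
    if not votes:
        return "skipped"
    return "active" if "active" in votes else "inactive"


def approved_status(results):
    """Approved aggregation: a single 'unapproved' vote makes the resource unapproved."""
    votes = _votes(results)
    if not votes:
        return "skipped"
    return "unapproved" if "unapproved" in votes else "approved"


def decide(status, mode, created_at, now=NOW):
    """Turn a computed status and the control's setting into (state, action).

    state is "ok", "alarm" or "skipped"; action is "delete" or None.
    mode is a simplified stand-in for the control setting: "Skip", "Check",
    "Enforce: Delete unapproved" or "Enforce: Delete unapproved if new"
    (the Active control has the same shape with "inactive" in place of "unapproved").
    """
    if mode.startswith("Skip") or status == "skipped":
        return "skipped", None
    if status not in ("unapproved", "inactive"):
        return "ok", None
    if mode.startswith("Check"):
        return "alarm", None
    if mode.endswith(" if new") and now - created_at > NEW_RESOURCE_WINDOW:
        # Pre-existing resource: the alarm is still raised, the delete is withheld.
        return "alarm", None
    return "alarm", "delete"


if __name__ == "__main__":
    a, p = active_status(ACTIVE_RESULTS), approved_status(APPROVED_RESULTS)
    print("Active   :", a, decide(a, "Check", CREATED_LONG_AGO))
    print("Approved :", p, decide(p, "Enforce: Delete unapproved if new", CREATED_LONG_AGO))
    print("Approved :", p, decide(p, "Enforce: Delete unapproved if new", CREATED_RECENTLY))
```

With the constructed inputs the container comes out active (one active vote outweighs an inactive one) and unapproved (one unapproved vote outweighs an approved one); the "if new" setting deletes it only when it was created within the last 60 minutes, otherwise the control alarms and leaves the resource in place.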

Azure > Storage > Container > CMDB

Record and synchronize details for the Azure Storage container into the CMDB.

The CMDB control is
responsible for populating and updating all the attributes for that
resource type in the Guardrails CMDB.

Note: If CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.

URI
tmod:@turbot/azure-storage#/control/types/containerCmdb

Azure > Storage > Container > Discovery

Discover all Azure Storage container resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

URI
tmod:@turbot/azure-storage#/control/types/containerDiscovery

Azure > Storage > Container > Public Access Level

Define the Public Access Level settings required for Azure > Storage > Container.

The Public Access Level control determines whether the public access level for Azure Storage Container should be set to Private, Blob or Container.

Any level other than Private grants anonymous access: Blob allows unauthenticated reads of individual blobs by name, while Container additionally allows anonymous callers to list the blobs in the container. The container-level setting only takes effect when public access is enabled on the storage account (see Azure > Storage > Storage Account > Public Access).

URI
tmod:@turbot/azure-storage#/control/types/containerPublicAccessLevel

Azure > Storage > FileShare > Active

Take an action when an Azure Storage fileshare is not active based on the
Azure > Storage > FileShare > Active > * policies.

The Active control determines whether the resource is in active use and, if not, can
delete or clean up the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time-consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Storage > FileShare > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: This is the opposite of Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-storage#/control/types/fileShareActive

Azure > Storage > FileShare > Approved

Take an action when an Azure Storage fileshare is not approved based on Azure > Storage > FileShare > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For enforcement settings that specify "if new", e.g., Enforce: Delete unapproved if new, this control only takes the enforcement action on resources created within the last 60 minutes; an unapproved resource older than that still raises an alarm but is not deleted.

See Approved for more information.

URI
tmod:@turbot/azure-storage#/control/types/fileShareApproved

Azure > Storage > FileShare > CMDB

Record and synchronize details for the Azure Storage fileshare into the CMDB.

The CMDB control is
responsible for populating and updating all the attributes for that
resource type in the Guardrails CMDB.

Note: If CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.

This control will automatically re-run every 24 hours because Azure does not currently support real-time events for this resource type.

URI
tmod:@turbot/azure-storage#/control/types/fileShareCmdb

Azure > Storage > FileShare > Discovery

Discover all Azure Storage fileshare resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

URI
tmod:@turbot/azure-storage#/control/types/fileShareDiscovery

Azure > Storage > Queue > CMDB

Record and synchronize details for the Azure Storage queue into the CMDB.

The CMDB control is
responsible for populating and updating all the attributes for that
resource type in the Guardrails CMDB.

Note: If CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.

URI
tmod:@turbot/azure-storage#/control/types/queueCmdb

Azure > Storage > Queue > Discovery

Discover all Azure Storage queue resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note: Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in Azure > Storage > Queue > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/azure-storage#/control/types/queueDiscovery

Azure > Storage > Storage Account > Access Keys

URI
tmod:@turbot/azure-storage#/control/types/storageAccountAccessKeys

Azure > Storage > Storage Account > Access Keys > Rotation Reminder

Configure the access keys rotation reminder settings required for Azure > Storage > Storage Account.

Setting a rotation reminder on a storage account defines a key expiration period; keys older than that period are flagged so they can be rotated regularly. The reminder itself does not rotate the keys.

URI
tmod:@turbot/azure-storage#/control/types/storageAccountAccessKeysRotationReminder

Azure > Storage > Storage Account > Access Tier

Configure the Azure Storage storage account access tier.

URI
tmod:@turbot/azure-storage#/control/types/storageAccountAccessTier

Azure > Storage > Storage Account > Active

Take an action when an Azure Storage storage account is not active based on the
Azure > Storage > Storage Account > Active > * policies.

The Active control determines whether the resource is in active use and, if not, can
delete or clean up the resource. When running an automated compliance
environment, it's common to end up with a wide range of alarms that are difficult
and time-consuming to clear. The Active control brings automated, well-defined
control to this process.

The Active control checks the status of all defined Active policies for the
resource (Azure > Storage > Storage Account > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.

Note: This is the opposite of Approved, where if the resource appears to be Unapproved
for any reason it will be considered Unapproved.

See Active for more information.

URI
tmod:@turbot/azure-storage#/control/types/storageAccountActive

Azure > Storage > Storage Account > Approved

Take an action when an Azure Storage storage account is not approved based on Azure > Storage > Storage Account > Approved > * policies.

The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.

For enforcement settings that specify "if new", e.g., Enforce: Delete unapproved if new, this control only takes the enforcement action on resources created within the last 60 minutes; an unapproved resource older than that still raises an alarm but is not deleted.

See Approved for more information.

URI
tmod:@turbot/azure-storage#/control/types/storageAccountApproved

Azure > Storage > Storage Account > CMDB

Record and synchronize details for the Azure Storage storage account into the CMDB.

The CMDB control is
responsible for populating and updating all the attributes for that
resource type in the Guardrails CMDB.

Note: If CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.

CMDB controls also use the Regions policy associated with the resource. If
region is not in Azure > Storage > Storage Account > Regions policy, the CMDB control will delete the
resource from the CMDB.

URI
tmod:@turbot/azure-storage#/control/types/storageAccountCmdb

Azure > Storage > Storage Account > Configured

Maintain Azure > Storage > Storage Account configuration.

Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.

URI
tmod:@turbot/azure-storage#/control/types/storageAccountConfigured

Azure > Storage > Storage Account > Data Protection

URI
tmod:@turbot/azure-storage#/control/types/storageAccountDataProtection

Azure > Storage > Storage Account > Data Protection > Soft Delete

Configure the data protection soft delete settings required for Azure > Storage > Storage Account.

Soft delete provides an additional layer of data protection which allows you to recover data that has been accidentally deleted or overwritten.

URI
tmod:@turbot/azure-storage#/control/types/storageAccountDataProtectionSoftDelete

Azure > Storage > Storage Account > Discovery

Discover all Azure Storage storage account resources and add them to the CMDB.

The Discovery control is responsible for finding resources of a specific type. It periodically searches for new resources and saves them to the CMDB. Once discovered, resources are then responsible for tracking changes to themselves through the CMDB control.

Note: Discovery and CMDB controls also use the Regions policy associated with the resource. If the region is not in Azure > Storage > Storage Account > Regions policy, the CMDB control will delete the resource from the CMDB.

URI
tmod:@turbot/azure-storage#/control/types/storageAccountDiscovery

Azure > Storage > Storage Account > Encryption in Transit

Determine whether or not the storage account should enforce encryption in transit (the Secure transfer required setting, which rejects requests made over unencrypted connections).

URI
tmod:@turbot/azure-storage#/control/types/storageAccountencryptionInTransit

Azure > Storage > Storage Account > Firewall

Determine the firewall settings required for Azure > Storage > Storage Account.

Azure Storage provides a layered security model. It enables you to secure and control the level of access to your storage accounts that your applications and enterprise environments demand, based on the type and subset of networks used.

URI
tmod:@turbot/azure-storage#/control/types/storageAccountFirewall

Azure > Storage > Storage Account > Firewall > Exceptions

Define the firewall exceptions for the Azure Storage storage account.

Some applications depend on Azure services or storage account logs and metrics that cannot be uniquely isolated through virtual network or IP address rules. Firewall exceptions allow you to define these exceptions, granting access to the storage account's data, logs, and metrics.

For more information on firewall exceptions, please see Azure Storage Firewall Exceptions.

URI
tmod:@turbot/azure-storage#/control/types/storageAccountFirewallExceptions

Azure > Storage > Storage Account > Firewall > IP Ranges

URI
tmod:@turbot/azure-storage#/control/types/storageAccountFirewallIpRanges

Azure > Storage > Storage Account > Firewall > IP Ranges > Approved

Configure firewall IP address range checking. This control defines whether
to verify the firewall IP address ranges are approved, as well as the
subsequent action to take on unapproved items. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then
evaluated.

If set to Enforce: Delete unapproved, any unapproved IP address ranges
will be deleted from the firewall.

URI
tmod:@turbot/azure-storage#/control/types/storageAccountFirewallIpRangesApproved

Azure > Storage > Storage Account > Firewall > IP Ranges > Required

Configure firewall IP address range checking. This control defines whether
to verify the firewall IP address ranges are required, as well as the
subsequent action to take on required items.

If set to Enforce: Required > Items, the required IP address ranges
will be added to the firewall.

URI
tmod:@turbot/azure-storage#/control/types/storageAccountFirewallIpRangesRequired

Azure > Storage > Storage Account > Firewall > Virtual Networks

URI
tmod:@turbot/azure-storage#/control/types/storageAccountFirewallVirtualNetworks

Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved

Configure firewall virtual networks checking. This control defines whether
to verify the firewall virtual networks are approved, as well as the
subsequent action to take on unapproved items. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then
evaluated.

If set to Enforce: Delete unapproved, any unapproved virtual networks
will be deleted from the firewall.

URI
tmod:@turbot/azure-storage#/control/types/storageAccountFirewallVirtualNetworksApproved

Azure > Storage > Storage Account > Firewall > Virtual Networks > Required

Configure firewall virtual networks checking. This control defines whether
to verify the firewall virtual networks are required, as well as the
subsequent action to take on required items.

If set to Enforce: Required > Items, the required virtual networks
will be added to the firewall.

URI
tmod:@turbot/azure-storage#/control/types/storageAccountFirewallVirtualNetworksRequired
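
The four Firewall > IP Ranges and Firewall > Virtual Networks controls above (Approved deletes rules that match no approved item, Required adds items that are missing), together with Firewall > Exceptions, all operate on the storage account's network ACLs. The following Python is an added example, not code from the Guardrails mod or this page: it evaluates a constructed networkAcls block (the shape the Azure Resource Manager API returns, with made-up addresses and resource IDs) against constructed approved and required lists, and reports what an enforcing control would delete or add. The approval semantics (an IP rule is approved when it falls inside an approved range; a subnet is approved when its virtual network is) are assumptions about how compiled rules would be evaluated, and the defaultAction check is the caveat a practitioner wants: rules restrict nothing while the default is Allow.

```python
import ipaddress

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VNET_APP = SUB + "/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/vnet-app"
VNET_LEGACY = SUB + "/resourceGroups/rg-old/providers/Microsoft.Network/virtualNetworks/vnet-legacy"
SNET_WEB = VNET_APP + "/subnets/snet-web"
SNET_JOBS = VNET_APP + "/subnets/snet-jobs"
SNET_LEGACY_DB = VNET_LEGACY + "/subnets/snet-db"

# Constructed networkAcls block in the shape the Azure Resource Manager API
# returns for a storage account. Every address and resource ID is made up.
NETWORK_ACLS = {
    "defaultAction": "Deny",
    "bypass": "AzureServices, Logging",
    "ipRules": [
        {"value": "203.0.113.0/24", "action": "Allow"},  # corporate egress
        {"value": "198.51.100.7", "action": "Allow"},    # one host, no prefix length
        {"value": "192.0.2.0/24", "action": "Allow"},    # nobody remembers adding this
    ],
    "virtualNetworkRules": [
        {"id": SNET_WEB, "action": "Allow"},
        {"id": SNET_LEGACY_DB, "action": "Allow"},
    ],
}

# Constructed policy values standing in for the Approved / Required items.
APPROVED_IP_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]
REQUIRED_IP_RANGES = ["203.0.113.0/24", "198.51.100.64/26"]
APPROVED_VNETS = [VNET_APP]          # any subnet of these VNets is approved
REQUIRED_SUBNETS = [SNET_WEB, SNET_JOBS]


def _net(value):
    # Azure lists single hosts without a prefix length; normalise to a network.
    return ipaddress.ip_network(value, strict=False)


def evaluate_ip_rules(acls, approved, required):
    """Return the IP rules Approved would delete and the ones Required would add."""
    current = {_net(r["value"]) for r in acls.get("ipRules", [])
               if r.get("action", "Allow") == "Allow"}
    approved_nets = [_net(a) for a in approved]
    unapproved = sorted(str(n) for n in current
                        if not any(n.version == a.version and n.subnet_of(a) for a in approved_nets))
    missing = sorted(str(_net(r)) for r in required if _net(r) not in current)
    return {"delete": unapproved, "add": missing}


def evaluate_vnet_rules(acls, approved_vnets, required_subnets):
    """Same for virtual network rules; a subnet is approved if its VNet is."""
    current = {r["id"] for r in acls.get("virtualNetworkRules", [])
               if r.get("action", "Allow") == "Allow"}

    def is_approved(subnet_id):
        return any(subnet_id.lower().startswith(v.lower() + "/subnets/") for v in approved_vnets)

    unapproved = sorted(s for s in current if not is_approved(s))
    missing = sorted(s for s in required_subnets if s not in current)
    return {"delete": unapproved, "add": missing}


def firewall_report(acls, approved_ips, required_ips, approved_vnets, required_subnets):
    report = {
        "ip_rules": evaluate_ip_rules(acls, approved_ips, required_ips),
        "vnet_rules": evaluate_vnet_rules(acls, approved_vnets, required_subnets),
        # Firewall > Exceptions corresponds to the bypass list
        # (None, Logging, Metrics, AzureServices).
        "exceptions": [b.strip() for b in acls.get("bypass", "None").split(",")],
        "warnings": [],
    }
    if acls.get("defaultAction", "Allow") != "Deny":
        # Rules only narrow access when the default is Deny; otherwise every network is allowed.
        report["warnings"].append("defaultAction is not Deny: IP and virtual network rules restrict nothing")
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(firewall_report(NETWORK_ACLS, APPROVED_IP_RANGES, REQUIRED_IP_RANGES,
                                     APPROVED_VNETS, REQUIRED_SUBNETS), indent=2))
```

On the constructed input the stray 192.0.2.0/24 rule and the legacy subnet are the candidates for deletion, the required 198.51.100.64/26 range and snet-jobs are the candidates for addition, and the two bypass entries are what Firewall > Exceptions would be checking. Single-host rules come back as /32 networks after normalisation, which is how the comparison against the required list stays exact.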

Azure > Storage > Storage Account > Minimum TLS Version

Define the Minimum TLS Version setting required for Azure > Storage > Storage Account.

URI
tmod:@turbot/azure-storage#/control/types/storageAccountMinimumTlsVersion
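
The Access Keys > Rotation Reminder, Encryption in Transit and Minimum TLS Version controls above each read one storage account property. The following Python is an added example, not code from the Guardrails mod or this page: it evaluates a constructed set of storage account properties in the shape returned by the Azure Resource Manager API (the field names supportsHttpsTrafficOnly, minimumTlsVersion, keyCreationTime and keyPolicy.keyExpirationPeriodInDays are real; the values are made up) and reports a finding per control. Treating an absent minimumTlsVersion as TLS1_0 and reporting a null key creation time as a key of unknown but large age are assumptions made for the example.

```python
from datetime import datetime, timezone

# Fixed clock for determinism (constructed).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Ordering used to compare minimumTlsVersion values.
TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}

# Constructed storage account properties in the shape returned by the Azure
# Resource Manager API. Field names are the real ones; the values are made up.
ACCOUNT_PROPERTIES = {
    "supportsHttpsTrafficOnly": False,               # "Secure transfer required" is off
    "minimumTlsVersion": "TLS1_0",
    "keyCreationTime": {"key1": "2023-11-20T09:15:00.0000000Z",
                        "key2": "2024-04-02T16:40:00.0000000Z"},
    "keyPolicy": {"keyExpirationPeriodInDays": 90},  # the rotation reminder period
}


def _parse_arm_time(value):
    """ARM timestamps are UTC with up to seven fractional digits; strptime wants at most six."""
    core = value.rstrip("Z").split(".")[0]
    return datetime.strptime(core, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_encryption_in_transit(props):
    return bool(props.get("supportsHttpsTrafficOnly", False))


def check_minimum_tls(props, required="TLS1_2"):
    # An absent property is treated as TLS1_0, the historical default (assumption).
    return TLS_ORDER.get(props.get("minimumTlsVersion", "TLS1_0"), 0) >= TLS_ORDER[required]


def overdue_keys(props, now=NOW):
    """Keys older than the expiration period, as {name: age_in_days}.

    Returns None when no reminder period is set. A null creation time (keys
    minted before Azure tracked it) is reported with age None: its age is
    unknown but certainly large.
    """
    period = props.get("keyPolicy", {}).get("keyExpirationPeriodInDays")
    if period is None:
        return None
    overdue = {}
    for name, created in props.get("keyCreationTime", {}).items():
        if created is None:
            overdue[name] = None
            continue
        age = (now - _parse_arm_time(created)).days
        if age > period:
            overdue[name] = age
    return overdue


def _fmt_key(name, age):
    return f"{name} (unknown age)" if age is None else f"{name} ({age} days)"


def posture(props, required_tls="TLS1_2", now=NOW):
    """Findings keyed by the control each one maps to; an empty dict means compliant."""
    findings = {}
    if not check_encryption_in_transit(props):
        findings["encryption_in_transit"] = "supportsHttpsTrafficOnly is false: unencrypted requests are accepted"
    if not check_minimum_tls(props, required_tls):
        findings["minimum_tls_version"] = (f"minimumTlsVersion is {props.get('minimumTlsVersion', 'TLS1_0')}, "
                                           f"policy requires {required_tls}")
    overdue = overdue_keys(props, now)
    if overdue is None:
        findings["access_key_rotation"] = "no keyExpirationPeriodInDays: rotation reminder is not configured"
    elif overdue:
        detail = ", ".join(_fmt_key(k, d) for k, d in sorted(overdue.items()))
        findings["access_key_rotation"] = "keys past the expiration period: " + detail
    return findings


if __name__ == "__main__":
    for control, finding in posture(ACCOUNT_PROPERTIES).items():
        print(f"{control}: {finding}")
```

On the constructed account all three controls would alarm: secure transfer is off, the minimum TLS version is below TLS1_2, and key1 is 194 days old against a 90-day reminder period (key2 is within it). Note that the reminder only reports; rotating the key is a separate action.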

Azure > Storage > Storage Account > Public Access

Define the Public Access settings required for Azure > Storage > Storage Account.

The Public Access control determines whether the public access for Azure Storage Account should be Enabled or Disabled.

Enabling public access on a storage account permits container ACLs to allow anonymous access to blobs within the storage account; disabling it blocks anonymous access to every container in the account regardless of each container's own public access level.

URI
tmod:@turbot/azure-storage#/control/types/storageAccountPublicAccess
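
The account-level Public Access setting above and the container-level Public Access Level control (Azure > Storage > Container > Public Access Level, earlier on this page) combine: the account switch gates whether any container level takes effect. The following Python is an added example, not code from the Guardrails mod or this page. It computes the anonymous access actually granted for constructed ARM-style account and container documents (the property names allowBlobPublicAccess and publicAccess are the real ones; the names and values are made up) and builds the remediation an enforcing control would apply. Reading the container policy value as the most permissive level a container may keep is an assumption of this example.

```python
# Constructed ARM-style resource documents. The property names are the real
# Azure Resource Manager ones (allowBlobPublicAccess on the storage account,
# publicAccess on the container); the names and values are made up.
ACCOUNT = {"name": "stexample", "properties": {"allowBlobPublicAccess": True}}
CONTAINERS = [
    {"name": "web-assets", "properties": {"publicAccess": "Container"}},
    {"name": "downloads", "properties": {"publicAccess": "Blob"}},
    {"name": "internal", "properties": {"publicAccess": "None"}},
]

# What an unauthenticated caller gets at each container level when the
# account-level switch allows public access.
LEVEL_GRANTS = {
    "None": "no anonymous access",
    "Blob": "anonymous read of blobs whose names are known (no listing)",
    "Container": "anonymous read and listing of every blob in the container",
}
LEVEL_RANK = {"None": 0, "Blob": 1, "Container": 2}
# Policy wording on this page -> ARM value.
POLICY_TO_ARM = {"Private": "None", "Blob": "Blob", "Container": "Container"}


def effective_anonymous_access(account, container):
    """The account switch gates the container level: off at the account means off everywhere."""
    if not account["properties"].get("allowBlobPublicAccess", False):
        return "no anonymous access (blocked at account level)"
    return LEVEL_GRANTS[container["properties"].get("publicAccess", "None")]


def remediation_plan(account, containers, account_public_access, max_container_level):
    """Changes needed to satisfy the two controls, as (scope, name, change) tuples.

    account_public_access: "Enabled" or "Disabled" (Storage Account > Public Access).
    max_container_level:   "Private", "Blob" or "Container", read here as the most
                           permissive level a container may keep (an assumption
                           about how Container > Public Access Level is applied).
    Containers are evaluated even when the account switch is off, so that a later
    re-enable at account level does not silently expose them.
    """
    target = POLICY_TO_ARM[max_container_level]
    plan = []
    if account_public_access == "Disabled" and account["properties"].get("allowBlobPublicAccess", False):
        plan.append(("account", account["name"], "set allowBlobPublicAccess=false"))
    for c in containers:
        level = c["properties"].get("publicAccess", "None")
        if LEVEL_RANK[level] > LEVEL_RANK[target]:
            plan.append(("container", c["name"], f"set publicAccess={target} (was {level})"))
    return plan


if __name__ == "__main__":
    for c in CONTAINERS:
        print(f"{c['name']:<11} {effective_anonymous_access(ACCOUNT, c)}")
    for step in remediation_plan(ACCOUNT, CONTAINERS, "Disabled", "Private"):
        print("remediate:", *step)
```

The Azure CLI equivalents of the two remediation steps are az storage account update --name stexample --resource-group <rg> --allow-blob-public-access false for the account switch and az storage container set-permission --account-name stexample --name web-assets --public-access off for a container. Disabling the account switch is the change that closes exposure immediately; lowering the container levels as well keeps them closed if someone later re-enables it.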

Azure > Storage > Storage Account > Queue

URI
tmod:@turbot/azure-storage#/control/types/queueService

Azure > Storage > Storage Account > Queue > Logging

Take an action when Azure Storage Account logging for queue service is not configured based on Azure > Storage > Storage Account > Queue > Logging > * policies.

The logging control checks if logging is configured correctly for the queue service. If the resource is not configured according to any of these policies, this control raises an alarm and takes the defined enforcement action.

URI
tmod:@turbot/azure-storage#/control/types/queueServiceLogging

Azure > Storage > Storage Account > Tags

Take an action when an Azure Storage storage account's tags are not updated based on the Azure > Storage > Storage Account > Tags > * policies.

If the resource is not updated with the tags defined in Azure > Storage > Storage Account > Tags > Template, this control raises an alarm and takes the defined enforcement action.

See Tags for more information.

URI
tmod:@turbot/azure-storage#/control/types/storageAccountTags