Policy types for @turbot/azure-storage
- Azure > Storage > Approved Regions [Default]
- Azure > Storage > Container > Active
- Azure > Storage > Container > Active > Age
- Azure > Storage > Container > Active > Last Modified
- Azure > Storage > Container > Approved
- Azure > Storage > Container > Approved > Custom
- Azure > Storage > Container > Approved > Usage
- Azure > Storage > Container > CMDB
- Azure > Storage > Container > Public Access Level
- Azure > Storage > Enabled
- Azure > Storage > FileShare > Active
- Azure > Storage > FileShare > Active > Age
- Azure > Storage > FileShare > Active > Last Modified
- Azure > Storage > FileShare > Approved
- Azure > Storage > FileShare > Approved > Custom
- Azure > Storage > FileShare > Approved > Usage
- Azure > Storage > FileShare > CMDB
- Azure > Storage > Permissions
- Azure > Storage > Permissions > Levels
- Azure > Storage > Permissions > Levels > Modifiers
- Azure > Storage > Queue > CMDB
- Azure > Storage > Regions
- Azure > Storage > Storage Account > Access Keys
- Azure > Storage > Storage Account > Access Keys > Rotation Reminder
- Azure > Storage > Storage Account > Access Keys > Rotation Reminder > Days
- Azure > Storage > Storage Account > Access Tier
- Azure > Storage > Storage Account > Active
- Azure > Storage > Storage Account > Active > Age
- Azure > Storage > Storage Account > Active > Last Modified
- Azure > Storage > Storage Account > Approved
- Azure > Storage > Storage Account > Approved > Azure Datalake Storage
- Azure > Storage > Storage Account > Approved > Custom
- Azure > Storage > Storage Account > Approved > Regions
- Azure > Storage > Storage Account > Approved > Usage
- Azure > Storage > Storage Account > CMDB
- Azure > Storage > Storage Account > Configured
- Azure > Storage > Storage Account > Configured > Claim Precedence
- Azure > Storage > Storage Account > Configured > Source
- Azure > Storage > Storage Account > Data Protection
- Azure > Storage > Storage Account > Data Protection > Soft Delete
- Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs
- Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs > Retention Days
- Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers
- Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers > Retention Days
- Azure > Storage > Storage Account > Encryption in Transit
- Azure > Storage > Storage Account > Firewall
- Azure > Storage > Storage Account > Firewall > Exceptions
- Azure > Storage > Storage Account > Firewall > Exceptions > Items
- Azure > Storage > Storage Account > Firewall > IP Ranges
- Azure > Storage > Storage Account > Firewall > IP Ranges > Approved
- Azure > Storage > Storage Account > Firewall > IP Ranges > Approved > CIDR Ranges
- Azure > Storage > Storage Account > Firewall > IP Ranges > Approved > Compiled Rules
- Azure > Storage > Storage Account > Firewall > IP Ranges > Approved > Rules
- Azure > Storage > Storage Account > Firewall > IP Ranges > Required
- Azure > Storage > Storage Account > Firewall > IP Ranges > Required > Items
- Azure > Storage > Storage Account > Firewall > Virtual Networks
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved > Compiled Rules
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved > Rules
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved > Subnets
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Required
- Azure > Storage > Storage Account > Firewall > Virtual Networks > Required > Items
- Azure > Storage > Storage Account > Minimum TLS Version
- Azure > Storage > Storage Account > Public Access
- Azure > Storage > Storage Account > Queue
- Azure > Storage > Storage Account > Queue > Logging
- Azure > Storage > Storage Account > Queue > Logging > Properties
- Azure > Storage > Storage Account > Queue > Logging > Properties > Retention Days
- Azure > Storage > Storage Account > Regions
- Azure > Storage > Storage Account > Tags
- Azure > Storage > Storage Account > Tags > Template
- Azure > Storage > Tags Template [Default]
- Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-storage
- Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-storage
Azure > Storage > Approved Regions [Default]
A list of Azure regions in which Azure Storage resources are approved for use.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
This policy is the default value for all Azure Storage resources' Approved > Regions policies.
tmod:@turbot/azure-storage#/policy/types/storageApprovedRegionsDefault
"{\n regions: policyValue(uri:\"tmod:@turbot/azure#/policy/types/approvedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
Azure > Storage > Container > Active
Determine the action to take when an Azure Storage container is not active, based on the Azure > Storage > Container > Active > * policies.
The control determines whether the resource is in active use and, if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (Azure > Storage > Container > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note: This contrasts with Approved, where a resource that appears to be Unapproved for any reason is considered Unapproved.
See Active for more information.
tmod:@turbot/azure-storage#/policy/types/containerActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
Azure > Storage > Container > Active > Age
The age after which the Azure Storage container is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use and, if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (Azure > Storage > Container > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note: This contrasts with Approved, where a resource that appears to be Unapproved for any reason is considered Unapproved.
See Active for more information.
tmod:@turbot/azure-storage#/policy/types/containerActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
Azure > Storage > Container > Active > Last Modified
The number of days since the Azure Storage container was last modified before it is considered inactive.
The Active control determines whether the resource is in active use and, if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (Azure > Storage > Container > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note: This contrasts with Approved, where a resource that appears to be Unapproved for any reason is considered Unapproved.
tmod:@turbot/azure-storage#/policy/types/containerActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
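The Active > Age and Active > Last Modified policies above each yield a status of active, inactive or skipped, and the Active control combines them with the rule "active for any reason means active", the opposite of how Approved combines its sub-policies. The following is an added example, not code from Turbot Guardrails or the @turbot/azure-storage mod, that models those two aggregation rules in Python. The parsing of the option strings and the status a sub-policy yields when its condition is not met (for example, "skipped" for a container younger than the Age threshold) are assumptions made for this illustration; the sample dates at the bottom are constructed.

```python
"""Added example, not part of the Turbot Guardrails documentation: a model of how
the Active control combines its Age and Last Modified sub-policies, contrasted
with how the Approved control combines its sub-policies.

Assumptions, labelled as such: how the option strings are parsed, and the
status each sub-policy yields when its condition is not met, are this
example's reading of the option names, not Guardrails' internal logic."""
import re
from datetime import datetime, timedelta, timezone

ACTIVE, INACTIVE, SKIPPED = "active", "inactive", "skipped"


def _days(setting):
    """Pull the day count out of an option such as 'Force inactive if age > 90 days'."""
    m = re.search(r"(\d+) days?", setting)
    if not m:
        raise ValueError(f"no day count in policy setting: {setting!r}")
    return int(m.group(1))


def age_status(setting, created, now):
    """Active > Age: 'Force inactive if age > N days'.
    Assumption: a resource younger than N days is neither proven active nor
    inactive by age alone, so this sub-policy reports skipped."""
    if setting == "Skip":
        return SKIPPED
    age_days = (now - created) / timedelta(days=1)
    return INACTIVE if age_days > _days(setting) else SKIPPED


def last_modified_status(setting, last_modified, now):
    """Active > Last Modified: '(Force) Active if last modified <= N days'.
    Assumption: the 'Force active' variants are treated the same as 'Active' here."""
    if setting == "Skip":
        return SKIPPED
    idle_days = (now - last_modified) / timedelta(days=1)
    return ACTIVE if idle_days <= _days(setting) else INACTIVE


def aggregate_active(statuses):
    """Active control rule from the page: if any sub-policy says active, the
    resource is active; otherwise any inactive makes it inactive; else skipped."""
    if ACTIVE in statuses:
        return ACTIVE
    if INACTIVE in statuses:
        return INACTIVE
    return SKIPPED


def aggregate_approved(results):
    """Approved control rule from the page: a single 'Not approved' sub-policy
    makes the resource Not approved; otherwise any Approved wins; else Skip."""
    if "Not approved" in results:
        return "Not approved"
    if "Approved" in results:
        return "Approved"
    return "Skip"


def evaluate_container(age_setting, last_modified_setting, created, last_modified, now):
    """Combine the two Active sub-policies for one container."""
    return aggregate_active([
        age_status(age_setting, created, now),
        last_modified_status(last_modified_setting, last_modified, now),
    ])


if __name__ == "__main__":
    # Constructed sample: a container created 200 days ago but written to 10 days ago.
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    created = now - timedelta(days=200)
    last_modified = now - timedelta(days=10)
    print(evaluate_container("Force inactive if age > 90 days",
                             "Active if last modified <= 30 days",
                             created, last_modified, now))   # active: recent writes outweigh age
    print(evaluate_container("Force inactive if age > 90 days", "Skip",
                             created, last_modified, now))   # inactive
    print(aggregate_approved(["Approved", "Not approved", "Skip"]))  # Not approved
```

The practical consequence the example makes visible: an old container that is still being written to stays active under the Age plus Last Modified combination, whereas for Approved a single failing sub-policy is enough to trigger the enforcement action.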
Azure > Storage > Container > Approved
Determine the action to take when an Azure Storage container is not approved, based on the Azure > Storage > Container > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/azure-storage#/policy/types/containerApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
Azure > Storage > Container > Approved > Custom
Determine whether the Azure Storage container is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Storage container is not approved, it will be subject to the action specified in the Azure > Storage > Container > Approved policy.
See Approved for more information.
Note: The policy value must be either a string with the value "Approved", "Not approved" or "Skip", or one or more YAML objects. Each object must contain the key "result" with the value "Approved" or "Not approved". A custom title and message can also be added using the keys "title" and "message" respectively.
tmod:@turbot/azure-storage#/policy/types/containerApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
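The schema above accepts three shapes for a Custom policy value: a bare string, one object, or a list of objects, with length limits on title (32) and message (128) and a fixed set of result values. The following is an added example, not code from Turbot Guardrails or the @turbot/azure-storage mod, that validates a value against that schema and normalizes every shape to a list of result objects. Guardrails parses the YAML itself; here the inputs are plain Python objects, and the sample values in the usage block are constructed for illustration.

```python
"""Added example (not from the Turbot Guardrails documentation or the
@turbot/azure-storage mod): a validator for the Approved > Custom policy value,
following the JSON schema shown for this policy type. Guardrails parses the
YAML itself; here the values are already-parsed Python objects."""
import re

# Schema pattern for "result": ^(Approved|Not approved|Skip)$
RESULT_RE = re.compile(r"^(Approved|Not approved|Skip)$")
# Schema patterns ^[\W\w]{1,32}$ and ^[\W\w]{1,128}$ accept any characters,
# so only the length range needs checking.
LIMITS = {"title": 32, "message": 128}
ALLOWED_KEYS = {"title", "message", "result"}


def _check_object(obj, index):
    """Validate one object per the schema and return a copy of it."""
    if not isinstance(obj, dict):
        raise ValueError(f"item {index}: expected an object, got {type(obj).__name__}")
    extra = set(obj) - ALLOWED_KEYS
    if extra:  # schema: additionalProperties is false
        raise ValueError(f"item {index}: unexpected keys {sorted(extra)}")
    if "result" not in obj:  # schema: result is required
        raise ValueError(f"item {index}: missing required key 'result'")
    if not (isinstance(obj["result"], str) and RESULT_RE.match(obj["result"])):
        raise ValueError(f"item {index}: result must be Approved, Not approved or Skip")
    for key, limit in LIMITS.items():
        if key in obj:
            val = obj[key]
            if not isinstance(val, str) or not 1 <= len(val) <= limit:
                raise ValueError(f"item {index}: {key} must be a string of 1-{limit} characters")
    return dict(obj)


def normalize_custom_value(value):
    """Return the policy value as a list of {'result': ..., 'title'?, 'message'?} dicts.
    Accepts the three shapes the schema allows: a bare string, one object, or a
    list of objects. Raises ValueError for anything the schema would reject."""
    if isinstance(value, str):
        if not RESULT_RE.match(value):
            raise ValueError("string value must be Approved, Not approved or Skip")
        return [{"result": value}]
    if isinstance(value, dict):
        return [_check_object(value, 0)]
    if isinstance(value, list):
        return [_check_object(item, i) for i, item in enumerate(value)]
    raise ValueError(f"unsupported value type {type(value).__name__}")


def is_valid_custom_value(value):
    """True when the value conforms to the Approved > Custom schema."""
    try:
        normalize_custom_value(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, one per accepted shape plus two schema violations.
    print(normalize_custom_value("Skip"))
    print(normalize_custom_value({"title": "Legacy data", "result": "Not approved"}))
    print(normalize_custom_value([
        {"title": "Naming", "result": "Approved", "message": "name matches convention"},
        {"title": "Owner tag", "result": "Not approved", "message": "owner tag missing"},
    ]))
    print(is_valid_custom_value("approved"))                 # False: case matters
    print(is_valid_custom_value({"result": "Approved", "why": "x"}))  # False: extra key
```

Running the validator before a calculated policy is applied catches the two mistakes that otherwise surface only as a policy error in Guardrails: a lower-case or misspelled result value, and an object carrying a key other than title, message or result.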
Azure > Storage > Container > Approved > Usage
Determine whether the Azure Storage container is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Storage container is not approved, it will be subject to the action specified in the Azure > Storage > Container > Approved policy.
See Approved for more information.
tmod:@turbot/azure-storage#/policy/types/containerApprovedUsage
[ "Not approved", "Approved", "Approved if Azure > Storage > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if Azure > Storage > Enabled" ], "example": [ "Not approved" ], "default": "Approved if Azure > Storage > Enabled"}
Azure > Storage > Container > CMDB
Configure whether to record and synchronize details for the Azure Storage container into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/azure-storage#/policy/types/containerCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Storage provider is Registered", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Storage provider is Registered", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Storage provider is Registered"}
Azure > Storage > Container > Public Access Level
Define the Public Access Level settings required for Azure > Storage > Container.
The Public Access Level policy determines whether the public access level for an Azure Storage container should be set to Private, Blob or Container.
Enabling a public access level on a container grants anonymous read access either to blobs only (Blob) or to both the container and its blobs (Container).
tmod:@turbot/azure-storage#/policy/types/containerPublicAccessLevel
[ "Skip", "Check: Blob (Anonymous read access for blobs only)", "Check: Container (Anonymous read access for containers and blobs)", "Check: Private (No anonymous access)", "Enforce: Blob (Anonymous read access for blobs only)", "Enforce: Container (Anonymous read access for containers and blobs)", "Enforce: Private (No anonymous access)"]
{ "type": "string", "enum": [ "Skip", "Check: Blob (Anonymous read access for blobs only)", "Check: Container (Anonymous read access for containers and blobs)", "Check: Private (No anonymous access)", "Enforce: Blob (Anonymous read access for blobs only)", "Enforce: Container (Anonymous read access for containers and blobs)", "Enforce: Private (No anonymous access)" ], "example": [ "Check: Blob (Anonymous read access for blobs only)" ], "default": "Skip"}
Azure > Storage > Enabled
Enable Azure Storage service.
tmod:@turbot/azure-storage#/policy/types/storageEnabled
[ "Enabled", "Enabled: Metadata Only", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Enabled: Metadata Only", "Disabled" ], "example": [ "Enabled" ], "default": "Disabled"}
Azure > Storage > FileShare > Active
Determine the action to take when an Azure Storage fileshare is not active, based on the Azure > Storage > FileShare > Active > * policies.
The control determines whether the resource is in active use and, if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (Azure > Storage > FileShare > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note: This contrasts with Approved, where a resource that appears to be Unapproved for any reason is considered Unapproved.
See Active for more information.
tmod:@turbot/azure-storage#/policy/types/fileShareActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
Azure > Storage > FileShare > Active > Age
The age after which the Azure Storage fileshare is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use and, if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (Azure > Storage > FileShare > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note: This contrasts with Approved, where a resource that appears to be Unapproved for any reason is considered Unapproved.
See Active for more information.
tmod:@turbot/azure-storage#/policy/types/fileShareActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
Azure > Storage > FileShare > Active > Last Modified
The number of days since the Azure Storage fileshare was last modified before it is considered inactive.
The Active control determines whether the resource is in active use and, if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (Azure > Storage > FileShare > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note: This contrasts with Approved, where a resource that appears to be Unapproved for any reason is considered Unapproved.
tmod:@turbot/azure-storage#/policy/types/fileShareActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
Azure > Storage > FileShare > Approved
Determine the action to take when an Azure Storage fileshare is not approved, based on the Azure > Storage > FileShare > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., "Enforce: Delete unapproved if new", this control will only take the enforcement action for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/azure-storage#/policy/types/fileShareApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
Azure > Storage > FileShare > Approved > Custom
Determine whether the Azure Storage fileshare is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Storage fileshare is not approved, it will be subject to the action specified in the Azure > Storage > FileShare > Approved policy.
See Approved for more information.
Note: The policy value must be either a string with the value "Approved", "Not approved" or "Skip", or one or more YAML objects. Each object must contain the key "result" with the value "Approved" or "Not approved". A custom title and message can also be added using the keys "title" and "message" respectively.
tmod:@turbot/azure-storage#/policy/types/fileShareApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
Azure > Storage > FileShare > Approved > Usage
Determine whether the Azure Storage fileshare is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Storage fileshare is not approved, it will be subject to the action specified in the Azure > Storage > FileShare > Approved policy.
See Approved for more information.
tmod:@turbot/azure-storage#/policy/types/fileShareApprovedUsage
[ "Not approved", "Approved", "Approved if Azure > Storage > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if Azure > Storage > Enabled" ], "example": [ "Not approved" ], "default": "Approved if Azure > Storage > Enabled"}
Azure > Storage > FileShare > CMDB
Configure whether to record and synchronize details for the Azure Storage fileshare into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
tmod:@turbot/azure-storage#/policy/types/fileShareCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Storage provider is Registered", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Storage provider is Registered", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Storage provider is Registered"}
Azure > Storage > Permissions
Configure whether permissions policies are in effect for Azure Storage.
This setting does not affect Subscription-level permissions (Azure/Admin, Azure/Owner, etc.).
tmod:@turbot/azure-storage#/policy/types/storagePermissions
[ "Enabled", "Disabled", "Enabled if Azure > Storage > Enabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if Azure > Storage > Enabled" ], "example": [ "Enabled" ], "default": "Enabled if Azure > Storage > Enabled"}
Azure > Storage > Permissions > Levels
Define the permissions levels that can be used to grant access to Storage in an Azure Subscription. The permissions levels defined here will appear in the UI when assigning access to Guardrails users.
tmod:@turbot/azure-storage#/policy/types/storagePermissionsLevels
[ "{\n item: subscription {\n turbot{\n id\n }\n }\n}\n", "{\n availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyTypeId:'tmod:@turbot/azure-iam#/policy/types/permissionsLevelsDefault'\") {\n items {\n value\n }\n }\n}\n"]
"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "enum": [ "User", "Metadata", "ReadOnly", "Operator", "Admin", "Owner" ] }}
Azure > Storage > Permissions > Levels > Modifiers
A map of Azure API operations to Guardrails Permission Levels, used to customize Guardrails' standard permissions. You can add, remove or redefine the mapping of Azure API operations to Guardrails permissions levels here.
example:
- "Microsoft.Storage/Storage/delete": operator
- "Microsoft.Storage/Storage/write": admin
- "Microsoft.Storage/Storage/read": readonly
tmod:@turbot/azure-storage#/policy/types/storagePermissionsLevelsModifiers
Azure > Storage > Queue > CMDB
Configure whether to record and synchronize details for Azure
Storage queue(s) into the CMDB.
The CMDB control is responsible for populating and updating all the
attributes for that resource type in the Guardrails CMDB.
Note that if CMDB is set to Skip for a resource, then it will not be added
to the CMDB, and no controls that target it will run.
tmod:@turbot/azure-storage#/policy/types/queueCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Storage provider is Registered", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Storage provider is Registered", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Storage provider is Registered"}
Azure > Storage > Regions
A list of Azure regions in which Azure Storage resources are supported for use.
The expected format is an array of regions names. You may use the '*' and
'?' wildcard characters.
This policy is the default value for all Azure Storage resources' Regions policies.
tmod:@turbot/azure-storage#/policy/types/storageRegionsDefault
"{\n regions: policyValue(uri:\"tmod:@turbot/azure#/policy/types/regionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
Azure > Storage > Storage Account > Access Keys
tmod:@turbot/azure-storage#/policy/types/storageAccountAccessKeys
Azure > Storage > Storage Account > Access Keys > Rotation Reminder
Configure the access keys rotation reminder settings required for Azure > Storage > Storage Account.
Enabling the rotation reminder on a Storage Account sets the period (Rotation Reminder > Days) after which the account's access keys are due for rotation, so that long-lived keys are rotated regularly rather than left in place indefinitely.
tmod:@turbot/azure-storage#/policy/types/storageAccountAccessKeysRotationReminder
[ "Skip", "Check: Enabled per Rotation Reminder > Days", "Check: Disabled", "Enforce: Enabled per Rotation Reminder > Days", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Check: Enabled per Rotation Reminder > Days", "Check: Disabled", "Enforce: Enabled per Rotation Reminder > Days", "Enforce: Disabled" ], "example": [ "Check: Enabled per Rotation Reminder > Days" ], "default": "Skip"}
Azure > Storage > Storage Account > Access Keys > Rotation Reminder > Days
Rotation reminder period in days for the Storage Account.
tmod:@turbot/azure-storage#/policy/types/storageAccountAccessKeysRotationReminderDays
{ "type": "integer", "minimum": 1, "maximum": 2147483340, "default": 90}
Azure > Storage > Storage Account > Access Tier
Configure the Azure Storage storage account access tier.
tmod:@turbot/azure-storage#/policy/types/storageAccountAccessTier
[ "Skip", "Check: Cool", "Check: Hot", "Enforce: Cool", "Enforce: Hot"]
{ "type": "string", "enum": [ "Skip", "Check: Cool", "Check: Hot", "Enforce: Cool", "Enforce: Hot" ], "default": "Skip"}
Azure > Storage > Storage Account > Active
Determine the action to take when an Azure Storage storage account is not active, based on the Azure > Storage > Storage Account > Active > * policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (Azure > Storage > Storage Account > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note: This contrasts with Approved, where a resource that appears to be Unapproved
for any reason is considered Unapproved.
See Active for more information.
tmod:@turbot/azure-storage#/policy/types/storageAccountActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
Azure > Storage > Storage Account > Active > Age
The age after which the Azure Storage storage account is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (Azure > Storage > Storage Account > Active > *),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note: This contrasts with Approved, where a resource that appears to be Unapproved
for any reason is considered Unapproved.
See Active for more information.
tmod:@turbot/azure-storage#/policy/types/storageAccountActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
Azure > Storage > Storage Account > Active > Last Modified
The number of days since the Azure Storage storage account was last modified before it is considered inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (Azure > Storage > Storage Account > Active > *), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note: This contrasts with Approved, where a resource that appears to be Unapproved
for any reason is considered Unapproved.
tmod:@turbot/azure-storage#/policy/types/storageAccountActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
Azure > Storage > Storage Account > Approved
Determine the action to take when an Azure Storage storage account is not approved, based on the Azure > Storage > Storage Account > Approved > * policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify "if new", e.g., Enforce: Delete unapproved if new, this control will only take the enforcement action for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/azure-storage#/policy/types/storageAccountApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
Azure > Storage > Storage Account > Approved > Azure Datalake Storage
Determine whether the Azure Storage storage account is allowed to have Azure Datalake Storage enabled.
This policy will be evaluated by the Approved control. If an Azure Storage storage account is not approved, it will be subject to the action specified in the Azure > Storage > Storage Account > Approved policy.
See Approved for more information.
tmod:@turbot/azure-storage#/policy/types/storageAccountApprovedAzureDatalakeStorage
[ "Skip", "Approved if enabled", "Approved if disabled"]
{ "type": "string", "enum": [ "Skip", "Approved if enabled", "Approved if disabled" ], "example": [ "Approved if enabled" ], "default": "Skip"}
Azure > Storage > Storage Account > Approved > Custom
Determine whether the Azure Storage storage account is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Storage storage account is not approved, it will be subject to the action specified in the Azure > Storage > Storage Account > Approved policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or one or more YAML objects. Each object must contain the key result with a value of Approved, Not approved or Skip. A custom title (up to 32 characters) and message (up to 128 characters) can also be added using the keys title and message respectively; no other keys are accepted.
tmod:@turbot/azure-storage#/policy/types/storageAccountApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
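The object form above (result plus an optional title and message) is most useful in a calculated policy, where the value is computed from the storage account's own attributes. The following is an added example written with the Turbot Terraform provider; it is not part of the @turbot/azure-storage mod or of this reference. It assumes the setting is attached at the Turbot root resource (tmod:@turbot/turbot#/) and that the storage account's CMDB record exposes the ARM property allowBlobPublicAccess at that path; both are assumptions to adjust for your environment.

```hcl
# Added example (Turbot Terraform provider); not code from the @turbot/azure-storage mod.
# Assumptions: target resource is the Turbot root, and the CMDB record of the
# storage account carries the ARM property allowBlobPublicAccess at the top level.
resource "turbot_policy_setting" "storage_account_approved_custom" {
  resource = "tmod:@turbot/turbot#/"
  type     = "tmod:@turbot/azure-storage#/policy/types/storageAccountApprovedCustom"

  # GraphQL input: read one attribute of the storage account being evaluated.
  # Adjust the get(path: ...) if your CMDB record nests the property differently.
  template_input = <<-EOT
    {
      resource {
        allowBlobPublicAccess: get(path: "allowBlobPublicAccess")
      }
    }
  EOT

  # Nunjucks template emitting one YAML object that satisfies the schema:
  # result is required; title is at most 32 characters; message at most 128.
  # Anything other than an explicit false (including a missing attribute)
  # is reported as Not approved, so the check fails closed.
  template = <<-EOT
    {%- if $.resource.allowBlobPublicAccess == false %}
    result: Approved
    title: Public blob access
    message: allowBlobPublicAccess is false
    {%- else %}
    result: Not approved
    title: Public blob access
    message: allowBlobPublicAccess is not false; anonymous container/blob access must be disabled
    {%- endif %}
  EOT
}

# The custom result only has an effect through the parent Approved policy.
# Check raises an alarm without taking action; use Enforce only once you have
# reviewed what "Delete unapproved if new" would remove.
resource "turbot_policy_setting" "storage_account_approved" {
  resource = "tmod:@turbot/turbot#/"
  type     = "tmod:@turbot/azure-storage#/policy/types/storageAccountApproved"
  value    = "Check: Approved"
}
```

Because result is the only required key, the title and message can be dropped if you want a terse setting; keeping them makes the alarm self-explanatory in the Guardrails console. The template compares against the literal false rather than testing truthiness so that an undefined attribute is not silently treated as approved.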
Azure > Storage > Storage Account > Approved > Regions
A list of Azure regions in which Azure Storage storage accounts are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an Azure Storage storage account is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > Storage > Storage Account > Approved policy.
See Approved for more information.
tmod:@turbot/azure-storage#/policy/types/storageAccountApprovedRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-storage#/policy/types/storageApprovedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
Azure > Storage > Storage Account > Approved > Usage
Determine whether the Azure Storage storage account is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure Storage storage account is not approved, it will be subject to the action specified in the Azure > Storage > Storage Account > Approved policy.
See Approved for more information.
tmod:@turbot/azure-storage#/policy/types/storageAccountApprovedUsage
[ "Not approved", "Approved", "Approved if Azure > Storage > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if Azure > Storage > Enabled" ], "example": [ "Not approved" ], "default": "Approved if Azure > Storage > Enabled"}
Azure > Storage > Storage Account > CMDB
Configure whether to record and synchronize details for the Azure Storage storage account into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the resource's region is not in the Azure > Storage > Storage Account > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/azure-storage#/policy/types/storageAccountCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if Storage provider is Registered", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if Storage provider is Registered", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if Storage provider is Registered"}
Azure > Storage > Storage Account > Configured
Determine how to configure this resource.
Note: If the resource is managed by another stack, then the Skip/Check/Enforce values here are ignored
and inherit from the stack that owns it.
The deprecated values of this policy are replaced by the current values listed below.
The deprecated values will be removed in the next major version.
| Deprecated Values | Current Values |
|--------------------------------------------------|----------------------------------------------------------------|
| Skip if using Configured > Source | Skip (unless claimed by a stack) |
| Check: Configured if using Configured > Source | Check: Per Configured > Source (unless claimed by a stack) |
| Enforce: Configured if using Configured > Source | Enforce: Per Configured > Source (unless claimed by a stack) |
tmod:@turbot/azure-storage#/policy/types/storageAccountConfigured
[ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source", "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)"]
{ "enum": [ "Skip if using Configured > Source", "Check: Configured if using Configured > Source", "Enforce: Configured if using Configured > Source", "Skip (unless claimed by a stack)", "Check: Per Configured > Source (unless claimed by a stack)", "Enforce: Per Configured > Source (unless claimed by a stack)" ], "default": "Skip (unless claimed by a stack)"}
Azure > Storage > Storage Account > Configured > Claim Precedence
An ordered list of who is allowed to claim a resource.
A stack cannot claim a resource if it is already claimed by another
stack at a higher level of precedence.
tmod:@turbot/azure-storage#/policy/types/storageAccountConfiguredPrecedence
"{\n defaultPrecedence: policy(uri:\"tmod:@turbot/turbot#/policy/types/claimPrecedenceDefault\")\n}\n"
"{%- if $.defaultPrecedence | length == 0 %}[]{%- else %}{% for item in $.defaultPrecedence %}- '{{ item }}'{% endfor %}{% endif %}"
{ "type": "array", "items": { "type": "string" }}
Azure > Storage > Storage Account > Configured > Source
An HCL or JSON format Terraform configuration source used to configure this resource.
tmod:@turbot/azure-storage#/policy/types/storageAccountConfiguredSource
{ "type": "string", "default": "", "x-schema-form": { "type": "code", "language": "hcl" }}
Azure > Storage > Storage Account > Data Protection
tmod:@turbot/azure-storage#/policy/types/storageAccountDataProtection
Azure > Storage > Storage Account > Data Protection > Soft Delete
Configure the data protection soft delete settings required for Azure > Storage > Storage Account.
Soft delete provides an additional layer of data protection that allows you to recover data that has been accidentally deleted or overwritten.
tmod:@turbot/azure-storage#/policy/types/storageAccountDataProtectionSoftDelete
[ "Skip", "Check: Configured per Soft Delete > * policies", "Enforce: Configured per Soft Delete > * policies"]
{ "type": "string", "enum": [ "Skip", "Check: Configured per Soft Delete > * policies", "Enforce: Configured per Soft Delete > * policies" ], "example": [ "Skip" ], "default": "Skip"}
Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs
Determine whether to enable or disable soft delete for blobs in the Azure > Storage > Storage Account.
tmod:@turbot/azure-storage#/policy/types/storageAccountDataProtectionSoftDeleteBlobs
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Enabled"}
Azure > Storage > Storage Account > Data Protection > Soft Delete > Blobs > Retention Days
Configure the blob soft delete retention duration in days. Retention can be set from 1 to 365 days; the default is 7.
tmod:@turbot/azure-storage#/policy/types/storageAccountDataProtectionSoftDeleteBlobsRetentionDays
{ "type": "integer", "minimum": 1, "maximum": 365, "default": 7}
Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers
Determine whether to enable or disable soft delete for containers in the Azure > Storage > Storage Account.
tmod:@turbot/azure-storage#/policy/types/storageAccountDataProtectionSoftDeleteContainers
[ "Enabled", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled" ], "default": "Enabled"}
Azure > Storage > Storage Account > Data Protection > Soft Delete > Containers > Retention Days
Configure the container soft delete retention duration in days. Retention can be set from 1 to 365 days; the default is 7.
tmod:@turbot/azure-storage#/policy/types/storageAccountDataProtectionSoftDeleteContainersRetentionDays
{ "type": "integer", "minimum": 1, "maximum": 365, "default": 7}
Azure > Storage > Storage Account > Encryption in Transit
Configure whether Encryption in Transit is enabled for the Azure Storage storage account.
tmod:@turbot/azure-storage#/policy/types/storageAccountEncryptionInTransit
[ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled" ], "default": "Skip"}
Azure > Storage > Storage Account > Firewall
Configure the firewall settings required for Azure > Storage > Storage Account.
Azure Storage provides a layered security model. It enables you to secure and control
the level of access to your storage accounts that your applications and enterprise
environments demand, based on the type and subset of networks used.
tmod:@turbot/azure-storage#/policy/types/storageAccountFirewall
[ "Skip", "Check: Allow all networks", "Check: Allow only approved virtual networks and IP ranges", "Enforce: Allow all networks", "Enforce: Allow only approved virtual networks and IP ranges"]
{ "type": "string", "enum": [ "Skip", "Check: Allow all networks", "Check: Allow only approved virtual networks and IP ranges", "Enforce: Allow all networks", "Enforce: Allow only approved virtual networks and IP ranges" ], "default": "Skip"}
Azure > Storage > Storage Account > Firewall > Exceptions
Define the firewall exceptions for the Azure Storage storage account.
Some applications depend on Azure services or storage account logs and
metrics that cannot be uniquely isolated through virtual network or IP
address rules. Firewall exceptions allow you to define these exceptions,
granting access to the storage account's data, logs, and metrics.
For more information on firewall exceptions, please see Azure Storage Firewall Exceptions.
tmod:@turbot/azure-storage#/policy/types/storageAccountFirewallExceptions
[ "Skip", "Check: Allow only Exceptions > Items", "Enforce: Allow only Exceptions > Items"]
{ "type": "string", "enum": [ "Skip", "Check: Allow only Exceptions > Items", "Enforce: Allow only Exceptions > Items" ], "default": "Skip"}
Azure > Storage > Storage Account > Firewall > Exceptions > Items
Define the firewall exceptions items that are allowed to bypass the firewall.
For more information on what type of traffic is allowed for each item, please
see Azure Storage Firewall Exceptions.
tmod:@turbot/azure-storage#/policy/types/storageAccountFirewallExceptionsItems
{ "type": "array", "items": { "type": "string", "enum": [ "Azure services", "Logging", "Metrics" ] }, "default": [ "Azure services", "Logging", "Metrics" ]}
Azure > Storage > Storage Account > Firewall > IP Ranges
tmod:@turbot/azure-storage#/policy/types/storageAccountFirewallIpRanges
Azure > Storage > Storage Account > Firewall > IP Ranges > Approved
Configure firewall IP address range checking. This policy defines whether
to verify the firewall IP address ranges are approved, as well as the
subsequent action to take on unapproved items. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then evaluated.
If set to Enforce: Delete unapproved, any unapproved IP address ranges
will be deleted from the firewall.
tmod:@turbot/azure-storage#/policy/types/storageAccountFirewallIpRangesApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved" ], "default": "Skip"}
Azure > Storage > Storage Account > Firewall > IP Ranges > Approved > CIDR Ranges
Configure storage accounts to allow access from specific public internet IP address ranges.
This configuration grants access to specific internet-based services and on-premises networks
and blocks general internet traffic.
Provide allowed internet address ranges using CIDR notation in the form 16.17.18.0/24 or as
individual IP addresses like 16.17.18.19.
Small address ranges using "/31" or "/32" prefix sizes are not supported. These ranges should
be configured using individual IP address rules.
IP network rules are only allowed for public internet IP addresses. IP address ranges reserved
for private networks (as defined in RFC 1918) aren't allowed in IP rules. Private networks
include addresses that start with 10., 172.16. through 172.31., and 192.168.
Example:
- 45.127.45.223
- 223.235.113.55
- 45.64.0.0/10
tmod:@turbot/azure-storage#/policy/types/storageAccountFirewallIpRangesApprovedCidrRanges
{ "type": "array", "items": { "type": "string", "pattern": "\\b(?!(?:10\\.|172\\.(?:1[6-9]|2[0-9]|3[0-2])\\.|192\\.168\\.))((?:(?:2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])\\.){3}(?:(?:2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])))($|/([0-9]|[1-2][0-9]|3[0])$)\\b", "tests": [ { "input": "90.123.233.2/30" }, { "input": "34.192.235.43" }, { "input": "127.0.0.11" }, { "description": "Invalid - Not a valid IP address", "input": "267.32.0.12", "expected": false }, { "description": "Invalid - Private IP", "input": "192.168.1.0", "expected": false }, { "description": "Invalid - prefix must be smaller than or equal to 30.", "input": "182.168.0.0/31", "expected": false } ], ".turbot": { "uri": "tmod:@turbot/azure-storage#/definitions/firewallIp", "modUri": "tmod:@turbot/azure-storage" } }, "default": []}
Azure > Storage > Storage Account > Firewall > IP Ranges > Approved > Compiled Rules
A read-only Object Control List (OCL) to approve or reject IP ranges
for a storage account firewall.
This policy is generated by Guardrails.
tmod:@turbot/azure-storage#/policy/types/storageAccountFirewallIpRangesApprovedCompiledRules
{ "type": "string"}
Azure > Storage > Storage Account > Firewall > IP Ranges > Approved > Rules
An Object Control List (OCL) with a list of filter rules
to approve or reject IP ranges for a storage account firewall.
Note that the Approved control does not operate directly from this policy,
but from the Approved > Compiled Rules. The rules are processed in order,
and any built-in Guardrails rules will appear first in the list of compiled
rules.
tmod:@turbot/azure-storage#/policy/types/storageAccountFirewallIpRangesApprovedRules
{ "type": "string", "default": "APPROVE *", "x-schema-form": { "type": "textarea" }}
Azure > Storage > Storage Account > Firewall > IP Ranges > Required
Configure storage accounts to allow access from specific public internet IP address
ranges. This policy grants access to approved internet address ranges or individual
IP addresses and blocks unapproved internet traffic.
If set to Enforce: Required > Items, this policy will grant access to the IP ranges
in Required > Items.
tmod:@turbot/azure-storage#/policy/types/storageAccountFirewallIpRangesRequired
[ "Skip", "Check: Required > Items", "Enforce: Required > Items"]
{ "type": "string", "enum": [ "Skip", "Check: Required > Items", "Enforce: Required > Items" ], "default": "Skip"}
Azure > Storage > Storage Account > Firewall > IP Ranges > Required > Items
Configure storage accounts to allow access from specific public internet IP address ranges.
This configuration grants access to specific internet-based services and on-premises networks
and blocks general internet traffic.
Provide allowed internet address ranges using CIDR notation in the form 16.17.18.0/24 or as
individual IP addresses like 16.17.18.19.
Small address ranges using "/31" or "/32" prefix sizes are not supported. These ranges should
be configured using individual IP address rules.
IP network rules are only allowed for public internet IP addresses. IP address ranges
reserved for private networks (as defined in RFC 1918) aren't allowed in IP rules.
Private networks include addresses that start with 10., 172.16. through 172.31., and 192.168.
Example:
- 45.127.45.223
- 223.235.113.55
- 45.64.0.0/10
tmod:@turbot/azure-storage#/policy/types/storageAccountFirewallIpRangesRequiredItems
{ "type": "array", "items": { "type": "string", "pattern": "\\b(?!(?:10\\.|172\\.(?:1[6-9]|2[0-9]|3[0-2])\\.|192\\.168\\.))((?:(?:2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])\\.){3}(?:(?:2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])))($|/([0-9]|[1-2][0-9]|3[0])$)\\b", "tests": [ { "input": "90.123.233.2/30" }, { "input": "34.192.235.43" }, { "input": "127.0.0.11" }, { "description": "Invalid - Not a valid IP address", "input": "267.32.0.12", "expected": false }, { "description": "Invalid - Private IP", "input": "192.168.1.0", "expected": false }, { "description": "Invalid - prefix must be smaller than or equal to 30.", "input": "182.168.0.0/31", "expected": false } ], ".turbot": { "uri": "tmod:@turbot/azure-storage#/definitions/firewallIp", "modUri": "tmod:@turbot/azure-storage" } }, "default": []}
Azure > Storage > Storage Account > Firewall > Virtual Networks
tmod:@turbot/azure-storage#/policy/types/storageAccountFirewallVirtualNetworks
Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved
Configure firewall virtual network checking. This policy defines whether
to verify the firewall virtual networks are approved, as well as the
subsequent action to take on unapproved items. Rules for all Approved
policies will be compiled in Approved > Compiled Rules and then evaluated.
If set to Enforce: Delete unapproved, any unapproved virtual networks
will be deleted from the firewall.
tmod:@turbot/azure-storage#/policy/types/storageAccountFirewallVirtualNetworksApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved" ], "default": "Skip"}
Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved > Compiled Rules
A read-only Object Control List (OCL) to approve or reject virtual networks
for a storage account firewall.
This policy is generated by Guardrails.
tmod:@turbot/azure-storage#/policy/types/storageAccountFirewallVirtualNetworksApprovedCompiledRules
{ "type": "string"}
Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved > Rules
An Object Control List (OCL) with a list of filter rules
to approve or reject virtual network rules for a storage account firewall.
Note that the Approved control does not operate directly from this policy,
but from the Approved > Compiled Rules. The rules are processed in order,
and any built-in Guardrails rules will appear first in the list of compiled
rules.
tmod:@turbot/azure-storage#/policy/types/storageAccountFirewallVirtualNetworksApprovedRules
{ "type": "string", "default": "APPROVE *", "x-schema-form": { "type": "textarea" }}
Azure > Storage > Storage Account > Firewall > Virtual Networks > Approved > Subnets
Configure storage accounts to allow access only from specific subnets. The allowed subnets
may belong to a virtual network in the same subscription, or those in a different subscription,
including subscriptions belonging to a different Azure Active Directory tenant. Add your
approved subnets through this policy.
For more information on granting access from a virtual network, please see
Grant access from a virtual network.
tmod:@turbot/azure-storage#/policy/types/storageAccountFirewallVirtualNetworksApprovedSubnets
{ "type": "array", "items": { "type": "string", "pattern": "^/subscriptions/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/resourceGroups/[A-Za-z0-9-_().]*[A-Za-z0-9-_()]/providers/Microsoft.Network/virtualNetworks/[a-zA-Z0-9][a-zA-Z0-9-_.]{2,80}[a-zA-Z0-9_]/subnets/[[a-zA-Z0-9][a-zA-Z0-9-_.]{0,80}[a-zA-Z0-9_]$", "tests": [ { "description": "base", "input": "/subscriptions/3510ae4d-530b-497d-8f30-53b9616fc6c1/resourceGroups/parthtestrg/providers/Microsoft.Network/virtualNetworks/parth-test/subnets/testsubnet" }, { "description": "invalid service name", "input": "/subscriptions/9e3548cf-17e2-4751-b87e-b72bdd2c77f7/resourceGroups/test/providers/Microsoft.MySql/servers/test0012/databases/test01", "expected": false }, { "description": "invalid subscription id", "input": "/subscriptions/9e3548cf-17e2-4751-12345-b72bdd2c77f700/resourceGroups/test/providers/Microsoft.Sql/servers/test0012/databases/test01", "expected": false } ], ".turbot": { "uri": "tmod:@turbot/azure-storage#/definitions/subnetId", "modUri": "tmod:@turbot/azure-storage" } }, "default": []}
Azure > Storage > Storage Account > Firewall > Virtual Networks > Required
Configure storage accounts to allow access from specific virtual networks.
This policy grants access to approved virtual networks and blocks unapproved internet traffic.
If set to Enforce: Required > Items, this policy will grant access to the subnets in Required > Items.
tmod:@turbot/azure-storage#/policy/types/storageAccountFirewallVirtualNetworksRequired
[ "Skip", "Check: Required > Items", "Enforce: Required > Items"]
{ "type": "string", "enum": [ "Skip", "Check: Required > Items", "Enforce: Required > Items" ], "default": "Skip"}
Azure > Storage > Storage Account > Firewall > Virtual Networks > Required > Items
Configure storage accounts to allow access only from specific subnets.
The allowed subnets may belong to a virtual network in the same subscription,
or those in a different subscription, including subscriptions belonging to a
different Azure Active Directory tenant. This policy grants access to approved
virtual networks.
For more information on granting access from a virtual network, please see
Grant access from a virtual network.
tmod:@turbot/azure-storage#/policy/types/storageAccountFirewallVirtualNetworksRequiredItems
{ "type": "array", "items": { "type": "string", "pattern": "^/subscriptions/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/resourceGroups/[A-Za-z0-9-_().]*[A-Za-z0-9-_()]/providers/Microsoft.Network/virtualNetworks/[a-zA-Z0-9][a-zA-Z0-9-_.]{2,80}[a-zA-Z0-9_]/subnets/[a-zA-Z0-9][a-zA-Z0-9-_.]{0,80}[a-zA-Z0-9_]$", "tests": [ { "description": "base", "input": "/subscriptions/3510ae4d-530b-497d-8f30-53b9616fc6c1/resourceGroups/parthtestrg/providers/Microsoft.Network/virtualNetworks/parth-test/subnets/testsubnet" }, { "description": "invalid service name", "input": "/subscriptions/9e3548cf-17e2-4751-b87e-b72bdd2c77f7/resourceGroups/test/providers/Microsoft.MySql/servers/test0012/databases/test01", "expected": false }, { "description": "invalid subscription id", "input": "/subscriptions/9e3548cf-17e2-4751-12345-b72bdd2c77f700/resourceGroups/test/providers/Microsoft.Sql/servers/test0012/databases/test01", "expected": false } ], ".turbot": { "uri": "tmod:@turbot/azure-storage#/definitions/subnetId", "modUri": "tmod:@turbot/azure-storage" } }, "default": []}
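The Approved > Items and Required > Items policies above both validate each entry against the subnet resource ID pattern of the subnetId definition. The following is an added example, not code from the page or from the Guardrails mod, that implements that pattern as a standalone validator and runs the three tests embedded in the schema plus two constructed ones. The pattern is rewritten with two assumed corrections (the stray second '[' before the subnet-name class is dropped, and '-' is placed at the end of each character class so it matches a literal hyphen rather than forming a range); the helper names and the sample IDs are this example's own.

```python
import re
from typing import Optional

# Building blocks of a subnet resource ID, rewritten from the schema pattern on the
# page. Assumed corrections: no doubled '[' before the subnet-name class, and '-'
# moved to the end of each class so it is a literal hyphen, not a range.
GUID = r"[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}"
RESOURCE_GROUP = r"[A-Za-z0-9_().-]*[A-Za-z0-9_()-]"
VNET = r"[a-zA-Z0-9][a-zA-Z0-9_.-]{2,80}[a-zA-Z0-9_]"
SUBNET = r"[a-zA-Z0-9][a-zA-Z0-9_.-]{0,80}[a-zA-Z0-9_]"

SUBNET_ID_RE = re.compile(
    rf"^/subscriptions/(?P<subscription>{GUID})"
    rf"/resourceGroups/(?P<resource_group>{RESOURCE_GROUP})"
    rf"/providers/Microsoft\.Network/virtualNetworks/(?P<vnet>{VNET})"
    rf"/subnets/(?P<subnet>{SUBNET})$"
)


def parse_subnet_id(value: str) -> Optional[dict]:
    """Split a subnet resource ID into its parts, or return None when it does
    not have the shape the policy schema accepts."""
    match = SUBNET_ID_RE.fullmatch(value)
    return match.groupdict() if match else None


def is_valid_subnet_id(value: str) -> bool:
    return parse_subnet_id(value) is not None


def rejected_items(policy_value) -> list:
    """Entries the schema ('type: array' of pattern-checked strings) would
    reject; an empty list means the whole policy value is acceptable."""
    if not isinstance(policy_value, list):
        return [policy_value]
    return [item for item in policy_value
            if not isinstance(item, str) or not is_valid_subnet_id(item)]


def foreign_subscription_items(policy_value: list, home_subscription: str) -> list:
    """Entries whose virtual network lives in another subscription. The page
    says these are permitted, so this only surfaces them for review."""
    found = []
    for item in policy_value:
        parts = parse_subnet_id(item)
        if parts and parts["subscription"] != home_subscription:
            found.append(item)
    return found


# Constructed inputs: the three tests embedded in the schema on the page, plus
# two extras. The fixed path segments are matched case-sensitively, so an ID
# written with a lowercase 'resourcegroups' segment is rejected.
BASE_ID = ("/subscriptions/3510ae4d-530b-497d-8f30-53b9616fc6c1/resourceGroups/parthtestrg"
           "/providers/Microsoft.Network/virtualNetworks/parth-test/subnets/testsubnet")
SCHEMA_TESTS = [
    ("base", BASE_ID, True),
    ("invalid service name",
     "/subscriptions/9e3548cf-17e2-4751-b87e-b72bdd2c77f7/resourceGroups/test"
     "/providers/Microsoft.MySql/servers/test0012/databases/test01", False),
    ("invalid subscription id",
     "/subscriptions/9e3548cf-17e2-4751-12345-b72bdd2c77f700/resourceGroups/test"
     "/providers/Microsoft.Sql/servers/test0012/databases/test01", False),
]
EXTRA_TESTS = [
    ("lowercase resourcegroups segment",
     BASE_ID.replace("/resourceGroups/", "/resourcegroups/"), False),
    ("subnet name starting with '['",
     BASE_ID.replace("/subnets/testsubnet", "/subnets/[bad"), False),
]


def run_tests() -> dict:
    """Map each test description to True when the validator agrees with the
    expected outcome."""
    return {desc: is_valid_subnet_id(value) is expected
            for desc, value, expected in SCHEMA_TESTS + EXTRA_TESTS}


if __name__ == "__main__":
    for desc, ok in run_tests().items():
        print(f"{'PASS' if ok else 'FAIL'}: {desc}")
    print("rejected:", rejected_items(["not-a-subnet-id", BASE_ID]))
```

The pattern only checks shape: an entry that passes is still worth cross-checking against the subscription it points at, which is what `foreign_subscription_items` is for, because a cross-tenant subnet in the list is exactly the kind of entry that deserves a second reviewer.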
Azure > Storage > Storage Account > Minimum TLS Version
Define the Minimum TLS Version setting required for Azure > Storage > Storage Account.
tmod:@turbot/azure-storage#/policy/types/storageAccountMinimumTlsVersion
[ "Skip", "Check: TLS 1.0", "Check: TLS 1.1", "Check: TLS 1.2", "Enforce: TLS 1.0", "Enforce: TLS 1.1", "Enforce: TLS 1.2"]
{ "type": "string", "enum": [ "Skip", "Check: TLS 1.0", "Check: TLS 1.1", "Check: TLS 1.2", "Enforce: TLS 1.0", "Enforce: TLS 1.1", "Enforce: TLS 1.2" ], "default": "Skip"}
Azure > Storage > Storage Account > Public Access
Define the Public Access settings required for Azure > Storage > Storage Account.
The Public Access policy determines whether public access for the Azure Storage Account should be Enabled or Disabled.
Enabling public access on a storage account permits container ACLs to be configured to allow anonymous access to blobs within the storage account.
tmod:@turbot/azure-storage#/policy/types/storageAccountPublicAccess
[ "Skip", "Check: Enabled", "Check: Disabled", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Check: Enabled", "Check: Disabled", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Check: Enabled" ], "default": "Skip"}
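The Minimum TLS Version and Public Access policies above each take a Skip / Check / Enforce value. The following is an added example, not code from the page or from the Guardrails mod, that shows how those policy values map onto the two storage account ARM properties they govern, minimumTlsVersion and allowBlobPublicAccess, and what a Check versus an Enforce setting produces for a given account. The comparison rules (an account whose minimum is already stricter than the TLS target counts as compliant, an unset property counts as non-compliant), the verdict shape and the sample accounts are assumptions of this example.

```python
from typing import Optional, Tuple

# Policy values exactly as listed on the page for the two policy types.
TLS_POLICY_VALUES = ["Skip", "Check: TLS 1.0", "Check: TLS 1.1", "Check: TLS 1.2",
                     "Enforce: TLS 1.0", "Enforce: TLS 1.1", "Enforce: TLS 1.2"]
PUBLIC_ACCESS_POLICY_VALUES = ["Skip", "Check: Enabled", "Check: Disabled",
                               "Enforce: Enabled", "Enforce: Disabled"]

# ARM values of Microsoft.Storage/storageAccounts properties.minimumTlsVersion,
# ranked so a stricter setting can be recognised as compliant.
TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}
TLS_LABEL_TO_ARM = {"TLS 1.0": "TLS1_0", "TLS 1.1": "TLS1_1", "TLS 1.2": "TLS1_2"}


def parse_policy(value: str, allowed: list) -> Tuple[str, Optional[str]]:
    """Split 'Enforce: TLS 1.2' into ('Enforce', 'TLS 1.2'); 'Skip' has no target."""
    if value not in allowed:
        raise ValueError(f"not a valid policy value: {value!r}")
    if value == "Skip":
        return "Skip", None
    mode, target = value.split(": ", 1)
    return mode, target


def evaluate_min_tls(policy: str, account: dict) -> dict:
    """Verdict for one account under a Minimum TLS Version policy value."""
    mode, target = parse_policy(policy, TLS_POLICY_VALUES)
    if mode == "Skip":
        return {"state": "skipped", "action": None}
    want = TLS_LABEL_TO_ARM[target]
    have = account.get("properties", {}).get("minimumTlsVersion")
    # Assumption of this example: an already-stricter minimum is compliant (never
    # downgraded) and an unset property is treated as non-compliant, not guessed.
    if have in TLS_RANK and TLS_RANK[have] >= TLS_RANK[want]:
        return {"state": "ok", "action": None}
    action = {"minimumTlsVersion": want} if mode == "Enforce" else None
    return {"state": "alarm", "action": action}


def evaluate_public_access(policy: str, account: dict) -> dict:
    """Verdict for one account under a Public Access policy value."""
    mode, target = parse_policy(policy, PUBLIC_ACCESS_POLICY_VALUES)
    if mode == "Skip":
        return {"state": "skipped", "action": None}
    want = target == "Enabled"
    have = account.get("properties", {}).get("allowBlobPublicAccess")
    if isinstance(have, bool) and have == want:
        return {"state": "ok", "action": None}
    action = {"allowBlobPublicAccess": want} if mode == "Enforce" else None
    return {"state": "alarm", "action": action}


def evaluate_account(account: dict, tls_policy: str, public_access_policy: str) -> dict:
    """Names of the properties in alarm plus the merged patch an Enforce run
    would apply (empty for Check or Skip)."""
    results = {
        "minimumTlsVersion": evaluate_min_tls(tls_policy, account),
        "allowBlobPublicAccess": evaluate_public_access(public_access_policy, account),
    }
    patch = {}
    for result in results.values():
        if result["action"]:
            patch.update(result["action"])
    alarms = [name for name, result in results.items() if result["state"] == "alarm"]
    return {"alarms": alarms, "patch": patch}


# Constructed sample accounts in the shape of a storageAccounts resource.
LEGACY_ACCOUNT = {"name": "legacysa",
                  "properties": {"minimumTlsVersion": "TLS1_0", "allowBlobPublicAccess": True}}
HARDENED_ACCOUNT = {"name": "hardenedsa",
                    "properties": {"minimumTlsVersion": "TLS1_2", "allowBlobPublicAccess": False}}
UNSET_ACCOUNT = {"name": "unsetsa", "properties": {}}

if __name__ == "__main__":
    for acct in (LEGACY_ACCOUNT, HARDENED_ACCOUNT, UNSET_ACCOUNT):
        print(acct["name"], evaluate_account(acct, "Enforce: TLS 1.2", "Enforce: Disabled"))
```

Treating a missing property as an alarm rather than assuming a platform default is deliberate: the value the platform applies when the property is absent has changed over time, and a control that guesses it will silently pass accounts it should be flagging.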
Azure > Storage > Storage Account > Queue
tmod:@turbot/azure-storage#/policy/types/queueService
Azure > Storage > Storage Account > Queue > Logging
Determine the action to take when logging for the queue service of an Azure Storage Account is not configured according to the Azure > Storage > Storage Account > Queue > Logging > * policies.
The logging control checks if logging is configured correctly for the queue service. If the resource is not configured according to any of these policies, this control raises an alarm and takes the defined enforcement action.
tmod:@turbot/azure-storage#/policy/types/queueServiceLogging
[ "Skip", "Check: Per Logging > Properties", "Enforce: Per Logging > Properties"]
{ "type": "string", "enum": [ "Skip", "Check: Per Logging > Properties", "Enforce: Per Logging > Properties" ], "example": [ "Skip" ], "default": "Skip"}
Azure > Storage > Storage Account > Queue > Logging > Properties
Defines the Queue Service Properties of a Storage Account that are used to enable logging for the Queue Service. This policy provides a default for the Queue Service Properties of an Azure Storage Account; you can explicitly override the setting.
tmod:@turbot/azure-storage#/policy/types/queueServiceLoggingProperties
{ "type": "array", "items": { "type": "string", "enum": [ "Read", "Write", "Delete" ] }, "default": []}
Azure > Storage > Storage Account > Queue > Logging > Properties > Retention Days
Defines the number of days that metrics, logging or soft-deleted data should be retained.
Note: the number of days must not be less than 0 or greater than 365.
tmod:@turbot/azure-storage#/policy/types/queueServiceLoggingPropertiesRetentionDays
{ "type": "integer", "minimum": 1, "maximum": 365, "default": 7}
Azure > Storage > Storage Account > Regions
A list of Azure regions in which Azure Storage storage accounts are supported for use.
Any storage accounts in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/azure-storage#/policy/types/storageAccountRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-storage#/policy/types/storageRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
Azure > Storage > Storage Account > Tags
Determine the action to take when an Azure Storage storage account's tags are not updated based on the Azure > Storage > Storage Account > Tags > * policies.
The control ensures that Azure Storage storage account tags include the tags defined in Azure > Storage > Storage Account > Tags > Template.
Tags not defined in Storage Account Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/azure-storage#/policy/types/storageAccountTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
Azure > Storage > Storage Account > Tags > Template
The template is used to generate the keys and values for an Azure Storage storage account.
Tags not defined in Storage Account Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/azure-storage#/policy/types/storageAccountTagsTemplate
[ "{\n subscription {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/azure-storage#/policy/types/storageTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
Azure > Storage > Tags Template [Default]
A template used to generate the keys and values for Azure Storage resources.
By default, all Storage resource Tags > Template policies will use this value.
tmod:@turbot/azure-storage#/policy/types/storageTagsTemplate
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/azure#/policy/types/defaultTagsTemplate\") {\n value\n }\n}\n"
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-storage
A calculated policy that Guardrails uses to create a compiled list of ALL
permission levels for Azure Storage that is used as input to the
stack that manages the Guardrails IAM permissions objects.
tmod:@turbot/azure-storage#/policy/types/azureLevelsCompiled
Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-storage
A calculated policy that Guardrails uses to create a compiled list of ALL
permissions for Azure Storage that is used as input to the control that manages
the IAM stack.
tmod:@turbot/azure-storage#/policy/types/azureCompiledServicePermissions