Azure Policy 可以检测到资源的变化吗?
can azure policy detect changes in resources?
我希望使用 Azure 策略检测订阅中的 NSG(网络安全组)安全规则何时发生任何变化。
但是,我无法在该资源中找到任何可以监控以检测变化的 property/alias。
以下是 Azure Policy Extension 在 VS Code 中显示的该资源的属性:
{
"id": "/subscriptions/xxxx/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxx",
"name": "xxxx",
"type": "Microsoft.Network/networkSecurityGroups",
"location": "eastus",
"tags": {
"Company": "xxx"
},
"properties": {
"provisioningState": "Succeeded",
"resourceGuid": "xxxx",
"securityRules": [],
"defaultSecurityRules": [
{
"name": "AllowVnetInBound",
"id": "/subscriptions/xxxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxxx/defaultSecurityRules/AllowVnetInBound",
"etag": "xxxx",
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Allow inbound traffic from all VMs in VNET",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "VirtualNetwork",
"destinationAddressPrefix": "VirtualNetwork",
"access": "Allow",
"priority": 65000,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "AllowAzureLoadBalancerInBound",
"id": "/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/nxxxx/defaultSecurityRules/AllowAzureLoadBalancerInBound",
"etag": "W/\"9613f8c0-57ab-40fd-83e0-8da551bd3d96\"",
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Allow inbound traffic from azure load balancer",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "AzureLoadBalancer",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 65001,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "DenyAllInBound",
"id": "/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxxx/defaultSecurityRules/DenyAllInBound",
"etag": "xxx",
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Deny all inbound traffic",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Deny",
"priority": 65500,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "AllowVnetOutBound",
"id": "/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxxx/defaultSecurityRules/AllowVnetOutBound",
"etag": "xxx",
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Allow outbound traffic from all VMs to all VMs in VNET",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "VirtualNetwork",
"destinationAddressPrefix": "VirtualNetwork",
"access": "Allow",
"priority": 65000,
"direction": "Outbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "AllowInternetOutBound",
"id": "/subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.Network/networkSecurityGroups/xxx/defaultSecurityRules/AllowInternetOutBound",
"etag": "W/\"9613f8c0-57ab-40fd-83e0-8da551bd3d96\"",
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Allow outbound traffic from all VMs to Internet",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "Internet",
"access": "Allow",
"priority": 65001,
"direction": "Outbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "DenyAllOutBound",
"id": "/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxxx/defaultSecurityRules/DenyAllOutBound",
"etag": "W/\"9613f8c0-57ab-40fd-83e0-8da551bd3d96\"",
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Deny all outbound traffic",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Deny",
"priority": 65500,
"direction": "Outbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
}
]
}
}
我试图针对 activity 日志事件制定策略以检测更改。然而,事实证明您不能直接针对事件日志制定策略。有没有其他方法可以检测安全规则是否已更改?
没有。您不能制定监控事件的策略。策略旨在根据资源的当前状态进行审计。因此,您可以指定某个属性,并在给定正确别名的情况下审核该属性的状态;策略会根据您的策略规则自动评估该资源的状态。但是,更改事件本身(即活动日志中记录的操作)无法通过 Policy 进行监控:Policy 只能告诉您资源现在是否合规,而不能告诉您它何时发生了更改。
我希望使用 Azure 策略检测订阅中的 NSG(网络安全组)安全规则何时发生任何变化。
但是,我无法在该资源中找到任何可以监控以检测变化的 property/alias。以下是 Azure Policy Extension 在 VS Code 中显示的该资源的属性:
{
"id": "/subscriptions/xxxx/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxx",
"name": "xxxx",
"type": "Microsoft.Network/networkSecurityGroups",
"location": "eastus",
"tags": {
"Company": "xxx"
},
"properties": {
"provisioningState": "Succeeded",
"resourceGuid": "xxxx",
"securityRules": [],
"defaultSecurityRules": [
{
"name": "AllowVnetInBound",
"id": "/subscriptions/xxxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxxx/defaultSecurityRules/AllowVnetInBound",
"etag": "xxxx",
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Allow inbound traffic from all VMs in VNET",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "VirtualNetwork",
"destinationAddressPrefix": "VirtualNetwork",
"access": "Allow",
"priority": 65000,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "AllowAzureLoadBalancerInBound",
"id": "/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/nxxxx/defaultSecurityRules/AllowAzureLoadBalancerInBound",
"etag": "W/\"9613f8c0-57ab-40fd-83e0-8da551bd3d96\"",
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Allow inbound traffic from azure load balancer",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "AzureLoadBalancer",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 65001,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "DenyAllInBound",
"id": "/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxxx/defaultSecurityRules/DenyAllInBound",
"etag": "xxx",
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Deny all inbound traffic",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Deny",
"priority": 65500,
"direction": "Inbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "AllowVnetOutBound",
"id": "/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxxx/defaultSecurityRules/AllowVnetOutBound",
"etag": "xxx",
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Allow outbound traffic from all VMs to all VMs in VNET",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "VirtualNetwork",
"destinationAddressPrefix": "VirtualNetwork",
"access": "Allow",
"priority": 65000,
"direction": "Outbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "AllowInternetOutBound",
"id": "/subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.Network/networkSecurityGroups/xxx/defaultSecurityRules/AllowInternetOutBound",
"etag": "W/\"9613f8c0-57ab-40fd-83e0-8da551bd3d96\"",
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Allow outbound traffic from all VMs to Internet",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "Internet",
"access": "Allow",
"priority": 65001,
"direction": "Outbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
},
{
"name": "DenyAllOutBound",
"id": "/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxxx/defaultSecurityRules/DenyAllOutBound",
"etag": "W/\"9613f8c0-57ab-40fd-83e0-8da551bd3d96\"",
"type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
"properties": {
"provisioningState": "Succeeded",
"description": "Deny all outbound traffic",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Deny",
"priority": 65500,
"direction": "Outbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": []
}
}
]
}
}
我试图针对 activity 日志事件制定策略以检测更改。然而,事实证明您不能直接针对事件日志制定策略。有没有其他方法可以检测安全规则是否已更改?
没有。您不能制定监控事件的策略。策略旨在根据资源的当前状态进行审计。因此,您可以指定某个属性,并在给定正确别名的情况下审核该属性的状态;策略会根据您的策略规则自动评估该资源的状态。但是,更改事件本身(即活动日志中记录的操作)无法通过 Policy 进行监控:Policy 只能告诉您资源现在是否合规,而不能告诉您它何时发生了更改。