How to create a custom policy for storage account to deny public access and allow selected networks bypassing the AzureServices?
After reviewing the policies, I would like to combine these policies:
- Storage accounts should restrict network access using virtual network rules
- Storage accounts should allow access from trusted Microsoft services
- [Preview]: Storage account public access should be disallowed
But all three have different effects, either audit or deny. What I want is to check storage accounts against the three rules and then automatically activate them for new resources.
Any ideas on how to achieve this? I am using terraform to deploy the policy definition and the remediation.
You can create the following policy to validate that the network rules and the denial of public blob access exist, and then deploy it for new resources:
```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
              "notEquals": "Deny"
            },
            {
              "count": {
                "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*]"
              },
              "greaterOrEquals": 1
            }
          ]
        },
        {
          "not": {
            "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
            "equals": "false"
          }
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Storage/storageAccounts",
        "name": "[field('name')]",
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
              "equals": "Deny"
            },
            {
              "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
              "equals": "false"
            }
          ]
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "name": {
                  "type": "string"
                },
                "sku": {
                  "type": "string"
                },
                "location": {
                  "type": "string"
                },
                "kind": {
                  "type": "string"
                }
              },
              "resources": [
                {
                  "name": "[parameters('name')]",
                  "type": "Microsoft.Storage/storageAccounts",
                  "apiVersion": "2019-06-01",
                  "location": "[parameters('location')]",
                  "properties": {
                    "allowBlobPublicAccess": false,
                    "networkAcls": {
                      "bypass": "AzureServices",
                      "defaultAction": "Deny"
                    }
                  },
                  "dependsOn": [],
                  "sku": {
                    "name": "[parameters('sku')]"
                  },
                  "kind": "[parameters('kind')]"
                }
              ]
            },
            "parameters": {
              "name": {
                "value": "[field('name')]"
              },
              "sku": {
                "value": "[field('Microsoft.Storage/storageAccounts/sku.name')]"
              },
              "location": {
                "value": "[field('location')]"
              },
              "kind": {
                "value": "[field('kind')]"
              }
            }
          }
        }
      }
    }
  },
  "parameters": {}
}
```
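Wiring the definition above into the Terraform deployment the question mentions, as an added example that is not part of the answer: it assumes the `policyRule` object (the `if`/`then` block) is saved as `policy-rule.json` beside the configuration and uses the azurerm 3.x resources. A deployIfNotExists effect runs under the assignment's managed identity, so that identity needs the Storage Account Contributor role named in `roleDefinitionIds`, and accounts that already exist are only fixed by a remediation task.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_subscription" "current" {}

# Custom definition; policy_rule takes only the policyRule object,
# assumed to be stored in policy-rule.json next to this file.
resource "azurerm_policy_definition" "storage_network_rules" {
  name         = "storage-deny-public-selected-networks"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Storage accounts: deny public blob access, selected networks only"
  policy_rule  = file("${path.module}/policy-rule.json")
}

# deployIfNotExists executes as the assignment's identity, so a
# system-assigned identity (and a location for it) is required.
resource "azurerm_subscription_policy_assignment" "storage_network_rules" {
  name                 = "storage-deny-public-selected-networks"
  subscription_id      = data.azurerm_subscription.current.id
  policy_definition_id = azurerm_policy_definition.storage_network_rules.id
  location             = "westeurope"

  identity {
    type = "SystemAssigned"
  }
}

# Grant exactly the role the definition asks for (Storage Account
# Contributor, 17d1049b-...), nothing broader, at subscription scope.
resource "azurerm_role_assignment" "policy_identity" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Storage Account Contributor"
  principal_id         = azurerm_subscription_policy_assignment.storage_network_rules.identity[0].principal_id
}

# deployIfNotExists only fires on create/update; pre-existing storage
# accounts are brought into compliance by an explicit remediation task.
resource "azurerm_subscription_policy_remediation" "storage_network_rules" {
  name                 = "remediate-existing-storage-accounts"
  subscription_id      = data.azurerm_subscription.current.id
  policy_assignment_id = azurerm_subscription_policy_assignment.storage_network_rules.id
  depends_on           = [azurerm_role_assignment.policy_identity]
}
```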