{
"properties": {
"displayName": "Storage account containing the container with activity logs must be encrypted with BYOK",
"policyType": "BuiltIn",
"mode": "All",
"description": "This policy audits whether the storage account that holds the activity-log container is encrypted with a customer-managed key (BYOK), i.e. its encryption.keySource is Microsoft.Keyvault. By design the policy can only evaluate a storage account in the same subscription as the log profile: the existence check is scoped to the subscription and requires the storageAccountId to belong to it, so a storage account in another subscription does not satisfy the condition and is reported as non-compliant rather than actually audited. More information on Azure Storage encryption at rest can be found at https://aka.ms/azurestoragebyok.",
"metadata": {
"version": "1.0.0",
"category": "Monitoring"
},
"version": "1.0.0",
"parameters": {
"effect": {
"type": "string",
"defaultValue": "AuditIfNotExists",
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Insights/logProfiles"
},
{
"field": "Microsoft.Insights/logProfiles/storageAccountId",
"exists": "true"
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Storage/storageAccounts",
"existenceScope": "subscription",
"existenceCondition": {
"allOf": [
{
"value": "[contains(field('Microsoft.Insights/logProfiles/storageAccountId'), subscription().Id)]",
"equals": "true"
},
{
"field": "name",
"equals": "[last(split(field('Microsoft.Insights/logProfiles/storageAccountId'),'/'))]"
},
{
"field": "Microsoft.Storage/storageAccounts/encryption.keySource",
"equals": "Microsoft.Keyvault"
}
]
}
}
}
},
"versions": [
"1.0.0"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2",
"name": "fbb99e8e-e444-4da0-9ff1-75c92f5a85b2"
}