StorageAccess_TrustedMicrosoftServices_Audit.json
{
"properties": {
"displayName": "Storage accounts should allow access from trusted Microsoft services",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account.",
"metadata": {
"version": "1.0.0",
"category": "Storage"
},
"version": "1.0.0",
"parameters": {
"effect": {
"type": "string",
"defaultValue": "Audit",
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"metadata": {
"displayName": "Effect",
"description": "The effect determines what happens when the policy rule is evaluated to match"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts/networkAcls.bypass",
"exists": "true"
},
{
"field": "Microsoft.Storage/storageAccounts/networkAcls.bypass",
"notContains": "AzureServices"
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"versions": [
"1.0.0"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd",
"name": "c9d007d0-c057-4772-b18c-01e546713bcd"
}