-
Notifications
You must be signed in to change notification settings - Fork 1.1k
/
StorageAccountAllowSharedKeyAccess_Audit.json
66 lines (66 loc) · 2.06 KB
/
StorageAccountAllowSharedKeyAccess_Audit.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
{
"properties": {
"displayName": "Storage accounts should prevent shared key access",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft.",
"metadata": {
"version": "2.0.0",
"category": "Storage"
},
"version": "2.0.0",
"parameters": {
"effect": {
"type": "string",
"defaultValue": "Audit",
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"metadata": {
"displayName": "Effect",
"description": "The effect determines what happens when the policy rule is evaluated to match"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"anyOf": [
{
"anyOf": [
{
"field": "Microsoft.Storage/storageAccounts/allowSharedKeyAccess",
"exists": "false"
},
{
"field": "Microsoft.Storage/storageAccounts/allowSharedKeyAccess",
"equals": ""
}
]
},
{
"field": "Microsoft.Storage/storageAccounts/allowSharedKeyAccess",
"equals": "true"
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"versions": [
"2.0.0"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54",
"name": "8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54"
}