Auto-Tag Azure Resources Using Cloud Custodian

policies:
  - name: azure-appserviceplan-auto-tag
    resource: azure.appserviceplan
    description: |
      Find azure appserviceplan that has not been tagged with the
      mandatory owner tag at creation. Tag the appserviceplan with the
      user who created it. This policy does not apply to existing
      appserviceplans.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{resourceProvider: 'Microsoft.Web/serverfarms', event: 'write'}]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner

policies:
  - name: azure-container-group-auto-tag
    resource: azure.container-group
    description: |
      Find azure container-group that has not been tagged with the
      mandatory owner tag at creation. Tag the container-group with the
      user who created it. This policy does not apply to existing
      container-groups.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{resourceProvider: 'Microsoft.ContainerInstance/containerGroups', event: 'write'}]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner

policies:
  - name: azure-containerregistry-auto-tag
    resource: azure.containerregistry
    description: |
      Find azure container-registry that has not been tagged with the
      mandatory owner tag at creation. Tag the container-registry with
      the user who created it. This policy does not apply to existing
      container-registries.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{resourceProvider: 'Microsoft.ContainerRegistry/registries', event: 'write'}]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner

policies:
  - name: azure-eventhub-auto-tag
    resource: azure.eventhub
    description: |
      Find azure eventhub that has not been tagged with the
      mandatory owner tag at creation. Tag the eventhub with
      the user who created it. This policy does not apply to existing
      eventhubs.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{resourceProvider: 'Microsoft.EventHub/Namespaces', event: 'write'}]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner

policies:
  - name: azure-keyvault-auto-tag
    resource: azure.keyvault
    description: |
      Find azure keyvault that has not been tagged with the
      mandatory owner tag at creation. Tag the keyvault with
      the user who created it. This policy does not apply to existing
      keyvaults.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{resourceProvider: 'Microsoft.KeyVault/vaults', event: 'write'}]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner

policies:
  - name: azure-networksecuritygroup-auto-tag
    resource: azure.networksecuritygroup
    description: |
      Find azure network security group that has not been tagged with the
      mandatory owner tag at creation. Tag the network security group
      with the user who created it. This policy does not apply to
      existing network security groups.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{resourceProvider: 'Microsoft.Network/networkSecurityGroups', event: 'write'}]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner

policies:
  - name: azure-resource-group-auto-tag
    resource: azure.resourcegroup
    description: |
      Find azure resource group that has not been tagged with the
      mandatory owner tag at creation. Tag the resource group
      with the user who created it. This policy does not apply to
      existing resource groups.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{resourceProvider: 'Microsoft.Resources/subscriptions/resourceGroups', event: 'write'}]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner

policies:
  - name: azure-redis-auto-tag
    resource: azure.redis
    description: |
      Find azure redis that has not been tagged with the
      mandatory owner tag at creation. Tag the redis with the user who
      created it. This policy does not apply to existing redis.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{resourceProvider: 'Microsoft.Cache/Redis', event: 'write'}]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner

policies:
  - name: azure-storage-auto-tag
    resource: azure.storage
    description: |
      Find azure storage accounts that have not been tagged with the
      mandatory owner tag at creation. Tag the storage account with
      the user who created it. This policy does not apply to existing
      storage accounts.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{resourceProvider: 'Microsoft.Storage/storageAccounts', event: 'write'}]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner

policies:
  - name: azure-sqlserver-auto-tag
    resource: azure.sqlserver
    description: |
      Find azure sqlserver that has not been tagged with the mandatory
      owner tag at creation. Tag the sqlserver with the user who
      created it. This policy does not apply to existing sqlservers.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{resourceProvider: 'Microsoft.Sql/servers', event: 'write'}]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner

policies:
  - name: azure-vnet-auto-tag
    resource: azure.vnet
    description: |
      Find azure vnet that has not been tagged with the mandatory
      owner tag at creation. Tag the vnet with the user who
      created it. This policy does not apply to existing vnets.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{resourceProvider: 'Microsoft.Network/virtualNetworks', event: 'write'}]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner

policies:
  - name: azure-webapp-auto-tag
    resource: azure.webapp
    description: |
      Find azure webapp that has not been tagged with the mandatory
      owner tag at creation. Tag the webapp with the user who
      created it. This policy does not apply to existing webapps.
    filters:
      - "tag:owner": absent
    mode:
      type: azure-event-grid
      events: [{resourceProvider: 'Microsoft.Web/sites', event: 'write'}]
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
    actions:
      - type: auto-tag-user
        tag: owner
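Because these twelve policies differ only in resource type and Event Grid provider, they are usually produced by copying one file and editing three fields, and a field that is not edited leaves a policy whose name and resource say one thing while its trigger subscribes to another resource's writes. The lint below, an added example in Python (the language Cloud Custodian itself is written in) that is not part of the original post or of Cloud Custodian's tooling, checks each policy for the invariants the set above relies on before `custodian validate` and deployment: the filter tests for the same tag the auto-tag-user action writes, the mode is an Event Grid `write` trigger, and the event's resourceProvider belongs to the policy's resource type. It works on the dict structure `yaml.safe_load` produces from a policy file; the resource-to-provider table is taken from the pairs used in the policies above, and the function names and the three sample policies are constructed for this example.

```python
"""Lint for the Cloud Custodian Azure auto-tag policies above (added example,
not Cloud Custodian's own tooling). Checks that the filter tests for the tag
the action writes, that the trigger is an Event Grid 'write' event, and that
the event's resourceProvider belongs to the c7n resource type."""

# c7n resource type -> Event Grid resourceProvider, as paired on this page.
EXPECTED_PROVIDER = {
    "azure.appserviceplan": "Microsoft.Web/serverfarms",
    "azure.container-group": "Microsoft.ContainerInstance/containerGroups",
    "azure.containerregistry": "Microsoft.ContainerRegistry/registries",
    "azure.eventhub": "Microsoft.EventHub/Namespaces",
    "azure.keyvault": "Microsoft.KeyVault/vaults",
    "azure.networksecuritygroup": "Microsoft.Network/networkSecurityGroups",
    "azure.resourcegroup": "Microsoft.Resources/subscriptions/resourceGroups",
    "azure.redis": "Microsoft.Cache/Redis",
    "azure.storage": "Microsoft.Storage/storageAccounts",
    "azure.sqlserver": "Microsoft.Sql/servers",
    "azure.vnet": "Microsoft.Network/virtualNetworks",
    "azure.webapp": "Microsoft.Web/sites",
}


def lint_policy(policy):
    """Return the problems found in one policy dict (empty list = clean)."""
    problems = []
    name = policy.get("name", "<unnamed>")
    resource = policy.get("resource", "")
    mode = policy.get("mode", {})
    events = [e for e in mode.get("events", []) if isinstance(e, dict)]

    # 1. auto-tag-user must write a tag and the filter must select resources
    #    missing that tag: no filter tags on every write, a different tag never fires.
    tags = [a.get("tag") for a in policy.get("actions", [])
            if isinstance(a, dict) and a.get("type") == "auto-tag-user"]
    if not tags:
        problems.append(f"{name}: no auto-tag-user action")
    for tag in tags:
        wanted = {f"tag:{tag}": "absent"}
        if wanted not in policy.get("filters", []):
            problems.append(f"{name}: missing filter {wanted}")

    # 2. An Event Grid 'write' trigger is what makes this a create-time policy.
    if mode.get("type") != "azure-event-grid":
        problems.append(f"{name}: mode.type is not azure-event-grid")
    if not any(e.get("event") == "write" for e in events):
        problems.append(f"{name}: no 'write' event in mode.events")

    # 3. A provider copied from another policy subscribes the function to the wrong writes.
    expected = EXPECTED_PROVIDER.get(resource)
    if expected is None:
        problems.append(f"{name}: unknown resource type {resource!r}")
    for provider in (e.get("resourceProvider") for e in events):
        if expected and provider and provider.lower() != expected.lower():
            problems.append(f"{name}: resourceProvider {provider!r} does not "
                            f"match resource {resource!r}")
    return problems


def lint_policies(doc):
    """Lint a loaded policy document; returns {policy name: [problems]}."""
    findings = {}
    for policy in doc.get("policies", []):
        problems = lint_policy(policy)
        if problems:
            findings[policy.get("name", "<unnamed>")] = problems
    return findings


def make_policy(name, resource, provider, tag="owner"):
    """Build an auto-tag policy dict in the shape used on this page (constructed helper)."""
    return {
        "name": name,
        "resource": resource,
        "filters": [{f"tag:{tag}": "absent"}],
        "mode": {
            "type": "azure-event-grid",
            "events": [{"resourceProvider": provider, "event": "write"}],
            "provision-options": {"identity": {"type": "UserAssigned",
                                               "id": "exampleid"}},
            "execution-options": {"output_dir":
                                  "azure://example.blob.abcd.windows.net/{account_id}"},
        },
        "actions": [{"type": "auto-tag-user", "tag": tag}],
    }


# Constructed sample: a clean policy, a copy-paste slip whose name and resource
# say storage while the trigger listens for SQL server writes, and a dropped filter.
SAMPLE_DOC = {"policies": [
    make_policy("azure-keyvault-auto-tag", "azure.keyvault", "Microsoft.KeyVault/vaults"),
    make_policy("azure-storage-auto-tag", "azure.storage", "Microsoft.Sql/servers"),
    make_policy("azure-vnet-auto-tag", "azure.vnet", "Microsoft.Network/virtualNetworks"),
]}
SAMPLE_DOC["policies"][2]["filters"] = []

if __name__ == "__main__":
    # In real use, load the file first: doc = yaml.safe_load(open("policy.yml")).
    for problems in lint_policies(SAMPLE_DOC).values():
        print("\n".join(problems))
```

Run stand-alone it reports the storage policy's mismatched provider and the vnet policy's missing owner filter, and nothing for the keyvault policy. The provider comparison is case-insensitive because Azure resource provider names are, so `Microsoft.EventHub/Namespaces` and `Microsoft.EventHub/namespaces` are treated as the same provider; everything else is compared exactly, since Cloud Custodian reads those fields literally.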

Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.