Azure: Cloud Custodian Policies for Azure Subscriptions
May 19, 2022
Example policies for Azure Subscription
In this story, we will discuss Cloud Custodian policies for Key Vault and Redis that can be deployed in Azure subscriptions.
Command to deploy the policy
custodian run --output-dir=. sec-n-keyvault-certificate-expiring-in-30-days.yml
The below screenshot shows the debug message in the terminal as the policy gets deployed
The below command helps you identify the versions of Cloud Custodian and other supporting tools.
(custodian) local-machine:first.last$ pip freeze | grep c7n
c7n==0.9.16
c7n-azure==0.7.13
c7n-gcp==0.4.15
c7n-mailer==0.6.15
c7n-org==0.6.15
c7n-trailcreator==0.2.15
Below are some examples of Custodian policies for Azure.
# Azure Key Vault Certificate
policies:
  - name: sec-n-keyvault-certificate-expiring-in-30-days
    resource: azure.keyvault-certificate
    comment: |
      Find all Key Vault Certificates that will expire in the next 30
      days. This policy runs every Friday at 10:10AM UTC (CDT time:
      5:10 AM).
    filters:
      - type: value
        key: attributes.exp
        value_type: expiration
        op: lt
        value: 30
    mode:
      schedule: 0 10 10 * * Fri
      type…
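To make the date comparison in the filter above concrete, here is an added example (not from the original story and not Cloud Custodian's own code) that re-implements it over constructed certificate records. It assumes the filter matches when attributes.exp is earlier than now plus 30 days and that exp may arrive as epoch seconds or ISO 8601 text; SAMPLE, NOW, parse_exp and triage are names made up for this example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records. Only the attributes.exp key comes from the
# policy above; the names and dates are invented for this example.
SAMPLE = json.loads("""[
  {"name": "api-tls",    "attributes": {"exp": "2022-06-01T00:00:00+00:00"}},
  {"name": "old-vpn",    "attributes": {"exp": 1651363200}},
  {"name": "long-lived", "attributes": {"exp": "2023-05-19T00:00:00Z"}},
  {"name": "no-expiry",  "attributes": {}}
]""")

# Pinned "current time" (constructed) so the result is reproducible.
NOW = datetime(2022, 5, 19, 10, 10, tzinfo=timezone.utc)

def parse_exp(raw):
    """Accept epoch seconds or ISO 8601 text; return an aware UTC datetime or None."""
    if raw is None:
        return None
    if isinstance(raw, (int, float)):
        return datetime.fromtimestamp(raw, tz=timezone.utc)
    dt = datetime.fromisoformat(str(raw).replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def triage(resources, now, days=30):
    """Assumed reading of `op: lt` with `value: 30`: a match is exp < now + days.
    That window also contains certificates that have already expired."""
    cutoff = now + timedelta(days=days)
    buckets = {"expired": [], "expiring": [], "ok": [], "no_expiry": []}
    for r in resources:
        exp = parse_exp(r.get("attributes", {}).get("exp"))
        if exp is None:
            buckets["no_expiry"].append(r["name"])   # nothing to compare against
        elif exp < now:
            buckets["expired"].append(r["name"])     # matched, but already an outage
        elif exp < cutoff:
            buckets["expiring"].append((r["name"], (exp - now).days))
        else:
            buckets["ok"].append(r["name"])
    buckets["expiring"].sort(key=lambda item: item[1])  # most urgent first
    return buckets

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE, NOW).items():
        print(bucket, items)
```

Separating "expired" from "expiring" matters when the policy's matches drive notifications: both satisfy the same comparison, but they call for different responses.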