Azure: Cloud Custodian Policies for Azure Subscriptions
Example policies for Azure Subscription
In this story, we discuss Cloud Custodian policies for Key Vault and Redis (plus one Network Security Group example) that can be deployed in Azure subscriptions.
Command to deploy the policy
custodian run --output-dir=. sec-n-keyvault-certificate-expiring-in-30-days.yml
The screenshot below shows the debug messages printed in the terminal while the policy is deployed.
The command below lists the installed versions of Cloud Custodian and its supporting packages.
(custodian) local-machine:first.last$ pip freeze | grep c7n
c7n==0.9.16
c7n-azure==0.7.13
c7n-gcp==0.4.15
c7n-mailer==0.6.15
c7n-org==0.6.15
c7n-trailcreator==0.2.15
Below are some examples of Custodian policies for Azure.
# Azure Key Vault Certificate
policies:
  - name: sec-n-keyvault-certificate-expiring-in-30-days
    resource: azure.keyvault-certificate
    comment: |
      Find all Key Vault Certificates that will expire in the next 30
      days. This policy runs every Friday at 10:10AM UTC (CDT time:
      5:10 AM).
    filters:
      - type: value
        key: attributes.exp
        value_type: expiration
        op: lt
        value: 30
    mode:
      schedule: '0 10 10 * * Fri'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
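Every policy above uses the same `schedule`. The `azure-periodic` mode provisions an Azure Functions timer trigger, and that trigger reads NCRONTAB expressions with six fields ({second} {minute} {hour} {day} {month} {day-of-week}), not the five of classic cron, so `0 10 10 * * Fri` means 10:10:00 UTC every Friday. The helper below is an added example, not code from the post or from Cloud Custodian: it parses the subset of NCRONTAB these policies need (`*`, n, a-b, a,b,c, */n and three-letter weekday names), computes the next firings after a given UTC instant, and shows them in CDT with an assumed fixed UTC-5 offset (no DST handling).

```python
from datetime import datetime, timedelta, timezone

# NCRONTAB weekday numbering: Sunday = 0 ... Saturday = 6 (names are case-insensitive).
DOW = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}
# Azure timer triggers fire in UTC; CDT modelled as a fixed UTC-5 (constructed, no DST).
CDT = timezone(timedelta(hours=-5), "CDT")


def _num(token, names):
    token = token.strip().lower()
    return names[token] if names and token in names else int(token)


def _expand(field, lo, hi, names=None):
    """Turn one NCRONTAB field into the set of integer values it allows."""
    allowed = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/")
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-")
            start, end = _num(a, names), _num(b, names)
        else:
            start = end = _num(part, names)
        allowed.update(range(start, end + 1, step))
    return allowed


def parse_ncrontab(expr):
    """Parse a six-field NCRONTAB expression; five-field classic cron is rejected."""
    fields = expr.split()
    if len(fields) != 6:
        raise ValueError("NCRONTAB needs 6 fields (sec min hour day month dow), got %d" % len(fields))
    sec, minute, hour, day, month, dow = fields
    return {
        "second": _expand(sec, 0, 59), "minute": _expand(minute, 0, 59),
        "hour": _expand(hour, 0, 23), "day": _expand(day, 1, 31),
        "month": _expand(month, 1, 12), "dow": _expand(dow, 0, 6, DOW),
    }


def next_run(expr, after):
    """First matching instant strictly after `after` (an aware UTC datetime)."""
    spec = parse_ncrontab(expr)
    t = after.replace(microsecond=0) + timedelta(seconds=1)
    limit = after + timedelta(days=366)
    while t < limit:
        # Python weekday(): Monday = 0; convert to NCRONTAB's Sunday = 0.
        dow = (t.weekday() + 1) % 7
        if (t.minute in spec["minute"] and t.hour in spec["hour"] and t.day in spec["day"]
                and t.month in spec["month"] and dow in spec["dow"]):
            for s in sorted(spec["second"]):
                cand = t.replace(second=s)
                if cand > after:
                    return cand
        t = t.replace(second=0) + timedelta(minutes=1)
    raise ValueError("no run within a year for %r" % expr)


def next_runs(expr, after_iso, count=3):
    """Next `count` firings after an ISO-8601 instant, as (UTC ISO string, CDT label) pairs."""
    after = datetime.fromisoformat(after_iso)
    if after.tzinfo is None:
        after = after.replace(tzinfo=timezone.utc)
    out = []
    for _ in range(count):
        after = next_run(expr, after)
        out.append((after.isoformat(), after.astimezone(CDT).strftime("%a %H:%M %Z")))
    return out


if __name__ == "__main__":
    # Constructed starting point: Tuesday 2021-06-01 00:00 UTC.
    for utc, local in next_runs("0 10 10 * * Fri", "2021-06-01T00:00:00+00:00"):
        print(utc, "->", local)
```

Running it prints the first three Friday firings (4, 11 and 18 June 2021 at 10:10 UTC, shown as 05:10 CDT), and passing the classic five-field form `10 10 * * Fri` raises a `ValueError` instead of silently shifting every field by one position.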
# Azure Key Vault Keys
policies:
  - name: sec-n-keyvault-keys-older-than-90-days
    resource: azure.keyvault-key
    comment: |
      Find all Keys in the Key Vault that are older than 90 days.
      This policy runs every Friday at 10:10AM UTC (CDT time:
      5:10 AM).
    filters:
      - type: value
        key: attributes.created
        value_type: age
        op: gt
        value: 90
    mode:
      schedule: '0 10 10 * * Fri'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
# Azure Key Vault Storage
policies:
  - name: sec-n-keyvault-mg-storage-keys-not-rotated
    resource: azure.keyvault-storage
    comment: |
      Find all managed storage account keys that (a) do NOT have
      auto-regenerate enabled or (b) are NOT rotated every 30 days.
      This policy runs every Friday at 10:10AM UTC (CDT time: 5:10 AM).
    filters:
      - or:
          - type: auto-regenerate-key
            value: false
          - type: regeneration-period
            op: ne
            value: P30D
    mode:
      schedule: '0 10 10 * * Fri'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
# Azure Network Security Group
policies:
  - name: sec-n-nwsecgroup-ingress-SSH-open-to-world
    resource: azure.networksecuritygroup
    comment: |
      Find all NSGs with port 22 opened from any source (open to the
      world). This policy runs every Friday at 10:10AM UTC (CDT time:
      5:10 AM).
    filters:
      - type: ingress
        ports: 22
        access: allow
        source: '*'
    mode:
      schedule: '0 10 10 * * Fri'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
# Azure Redis - Encryption Related
policies:
  - name: sec-n-redis-encryption-in-transit-not-enabled
    resource: azure.redis
    comment: |
      Find all Redis Caches where data-in-transit encryption is not
      enabled. Ensure that the SSL connection to your Azure Redis Cache
      servers is enabled in order to meet cloud security and compliance
      requirements. Enforcing an SSL connection helps prevent
      unauthorized users from reading sensitive data that is intercepted
      as it travels through the network between clients/applications and
      cache servers, known as data in transit. If the value is true, the
      non-SSL Redis Cache port (i.e., 6379) is enabled and therefore
      data-in-transit encryption is not enforced for the selected Redis
      Cache server. This policy runs every Friday at 10:10AM UTC (CDT
      time: 5:10 AM).
    filters:
      - type: value
        # c7n-azure exposes ARM resource properties under `properties.`
        # (the post used the bare key enableNonSslPort)
        key: properties.enableNonSslPort
        op: eq
        value: true
    mode:
      schedule: '0 10 10 * * Fri'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
# Azure Redis - TLS version
policies:
    # the post reused the previous policy's name here; a distinct policy needs
    # a distinct name (this one is assumed)
  - name: sec-n-redis-minimum-tls-version-not-1-2
    resource: azure.redis
    comment: |
      Find all Redis Caches that are not using the latest TLS version
      (v1.2). This policy runs every Friday at 10:10AM UTC (CDT time:
      5:10 AM).
    filters:
      - type: value
        # c7n-azure exposes ARM resource properties under `properties.`
        # (the post used the bare key minimumTlsVersion)
        key: properties.minimumTlsVersion
        op: ne
        value: '1.2'
    mode:
      schedule: '0 10 10 * * Fri'
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
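The Key Vault and Redis policies above all rely on Custodian's generic `value` filter: a dotted key into the serialized resource, an operator, and optionally a `value_type` of `expiration` (days until a timestamp) or `age` (days since one). The script below is an added example, not code from the post or from Cloud Custodian. It re-implements only that subset (dotted keys, `eq`/`ne`/`lt`/`gt`, `expiration`/`age`, and the `or` block) and runs the page's filters over constructed sample resources, so you can see what each policy would flag without an Azure subscription. The `properties.` prefix on the Redis keys and the TLS policy name are assumptions; the Key Vault storage policy is not modelled because its `auto-regenerate-key` and `regeneration-period` filters are resource-specific rather than `value` filters.

```python
import operator
from datetime import datetime, timedelta, timezone

# Fixed "now" so the run is deterministic (constructed value).
NOW = datetime(2021, 6, 4, 10, 10, tzinfo=timezone.utc)
OPS = {"eq": operator.eq, "ne": operator.ne, "lt": operator.lt, "gt": operator.gt}


def lookup(resource, dotted_key):
    """Resolve a dotted key such as 'attributes.exp' or 'properties.enableNonSslPort'."""
    cur = resource
    for part in dotted_key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def to_datetime(value):
    """Accept the two timestamp shapes used in the sample data: unix seconds or ISO-8601."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def evaluate_value_filter(flt, resource, now=NOW):
    """Subset of c7n's value filter: dotted key, value_type expiration/age, ops eq/ne/lt/gt."""
    actual = lookup(resource, flt["key"])
    if actual is None:
        return False  # an absent attribute never matches
    value_type = flt.get("value_type")
    if value_type == "expiration":
        # days until the timestamp; negative once it has passed, so already-expired
        # certificates also satisfy `lt 30` (they are not silently skipped)
        actual = (to_datetime(actual) - now) / timedelta(days=1)
    elif value_type == "age":
        # days since the timestamp
        actual = (now - to_datetime(actual)) / timedelta(days=1)
    return OPS[flt.get("op", "eq")](actual, flt["value"])


def evaluate(filters, resource, now=NOW):
    """Top-level filters are ANDed (as in c7n); an `or` block matches if any child matches."""
    for flt in filters:
        if "or" in flt:
            if not any(evaluate([child], resource, now) for child in flt["or"]):
                return False
        elif flt.get("type") == "value":
            if not evaluate_value_filter(flt, resource, now):
                return False
        else:
            raise NotImplementedError("filter type %r is not modelled here" % flt.get("type"))
    return True


# Filters copied from the policies above. The Redis keys carry the `properties.`
# prefix c7n-azure uses for ARM resource properties (assumed); the TLS policy
# name is assumed as well.
POLICIES = {
    "sec-n-keyvault-certificate-expiring-in-30-days": {
        "resource": "azure.keyvault-certificate",
        "filters": [{"type": "value", "key": "attributes.exp",
                     "value_type": "expiration", "op": "lt", "value": 30}]},
    "sec-n-keyvault-keys-older-than-90-days": {
        "resource": "azure.keyvault-key",
        "filters": [{"type": "value", "key": "attributes.created",
                     "value_type": "age", "op": "gt", "value": 90}]},
    "sec-n-redis-encryption-in-transit-not-enabled": {
        "resource": "azure.redis",
        "filters": [{"type": "value", "key": "properties.enableNonSslPort", "op": "eq", "value": True}]},
    "sec-n-redis-minimum-tls-version-not-1-2": {
        "resource": "azure.redis",
        "filters": [{"type": "value", "key": "properties.minimumTlsVersion", "op": "ne", "value": "1.2"}]},
}


def ts(days_from_now):
    """Unix timestamp `days_from_now` days away from NOW (helper for sample data)."""
    return int((NOW + timedelta(days=days_from_now)).timestamp())


# Constructed sample resources; real c7n-azure output carries many more fields.
SAMPLE_RESOURCES = {
    "azure.keyvault-certificate": [
        {"name": "cert-expiring-soon", "attributes": {"exp": ts(10)}},
        {"name": "cert-long-lived", "attributes": {"exp": ts(200)}},
        {"name": "cert-already-expired", "attributes": {"exp": ts(-5)}},
    ],
    "azure.keyvault-key": [
        {"name": "key-old", "attributes": {"created": "2021-02-04T10:10:00Z"}},  # 120 days before NOW
        {"name": "key-fresh", "attributes": {"created": ts(-30)}},
    ],
    "azure.redis": [
        {"name": "redis-nonssl", "properties": {"enableNonSslPort": True, "minimumTlsVersion": "1.0"}},
        {"name": "redis-tls11", "properties": {"enableNonSslPort": False, "minimumTlsVersion": "1.1"}},
        {"name": "redis-hardened", "properties": {"enableNonSslPort": False, "minimumTlsVersion": "1.2"}},
    ],
}


def run_all(policies=POLICIES, resources=SAMPLE_RESOURCES, now=NOW):
    """Return {policy name: [names of matching resources]}, the rows custodian would write to resources.json."""
    return {name: [r["name"] for r in resources[p["resource"]] if evaluate(p["filters"], r, now)]
            for name, p in policies.items()}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, "->", hits)
```

Two points worth noticing in the output: the `expiration` filter flags `cert-already-expired` as well as `cert-expiring-soon`, because days-until-expiry goes negative rather than being dropped, and a filter whose key is absent from the resource (for instance the bare `enableNonSslPort` instead of `properties.enableNonSslPort`) matches nothing at all, which is a silent failure mode worth testing for before trusting a scheduled policy.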