Azure: Cloud Custodian Policies for Azure Subscriptions

custodian run --output-dir=. sec-n-keyvault-certificate-expiring-in-30-days.yml

Debug message (c7n package versions in the custodian virtualenv):
(custodian) local-machine:first.last$ pip freeze | grep c7n
c7n==0.9.16
c7n-azure==0.7.13
c7n-gcp==0.4.15
c7n-mailer==0.6.15
c7n-org==0.6.15
c7n-trailcreator==0.2.15
policies:
  - name: sec-n-keyvault-certificate-expiring-in-30-days
    resource: azure.keyvault-certificate
    comment: |
      Find all Key Vault certificates that will expire in the next 30
      days. This policy runs every Friday at 10:10 AM UTC (CDT time:
      5:10 AM).
    filters:
      - type: value
        key: attributes.exp
        value_type: expiration
        op: lt
        value: 30
    mode:
      schedule: 0 10 10 * * Fri
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}

policies:
  - name: sec-n-keyvault-keys-older-than-90-days
    resource: azure.keyvault-key
    comment: |
      Find all keys in the Key Vault that are older than 90 days.
      This policy runs every Friday at 10:10 AM UTC (CDT time:
      5:10 AM).
    filters:
      - type: value
        key: attributes.created
        value_type: age
        op: gt
        value: 90
    mode:
      schedule: 0 10 10 * * Fri
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}

policies:
  - name: sec-n-keyvault-mg-storage-keys-not-rotated
    resource: azure.keyvault-storage
    comment: |
      Find all Key Vault managed storage account keys that (a) do NOT
      have auto-regenerate enabled or (b) are NOT regenerated every 30
      days. This policy runs every Friday at 10:10 AM UTC (CDT time:
      5:10 AM).
    filters:
      - or:
          - type: auto-regenerate-key
            value: false
          - type: regeneration-period
            op: ne
            value: P30D
    mode:
      schedule: 0 10 10 * * Fri
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}

policies:
  - name: sec-n-nwsecgroup-ingress-SSH-open-to-world
    resource: azure.networksecuritygroup
    comment: |
      Find all NSGs with port 22 open from any source (open to the
      world). This policy runs every Friday at 10:10 AM UTC (CDT time:
      5:10 AM).
    filters:
      - type: ingress
        ports: 22
        access: allow
        source: '*'
    mode:
      schedule: 0 10 10 * * Fri
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}

policies:
  - name: sec-n-redis-encryption-in-transit-not-enabled
    resource: azure.redis
    comment: |
      Find all Redis Caches where data-in-transit encryption is not
      enabled. Ensure that the SSL connection to your Azure Redis Cache
      servers is enabled in order to meet cloud security and compliance
      requirements. Enforcing an SSL connection helps prevent
      unauthorized users from reading sensitive data intercepted as it
      travels through the network between clients/applications and
      cache servers (data in transit). If enableNonSslPort = true, the
      non-SSL Redis port (6379) is enabled and therefore data-in-transit
      encryption is not enforced for the selected Redis Cache server.
      This policy runs every Friday at 10:10 AM UTC (CDT time:
      5:10 AM).
    filters:
      - type: value
        key: enableNonSslPort
        op: eq
        value: true
    mode:
      schedule: 0 10 10 * * Fri
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}

policies:
  - name: sec-n-redis-encryption-in-transit-not-enabled
    resource: azure.redis
    comment: |
      Find all Redis Caches that are not using the latest TLS version
      (v1.2). This policy runs every Friday at 10:10 AM UTC (CDT time:
      5:10 AM).
    filters:
      - type: value
        key: minimumTlsVersion
        op: ne
        value: '1.2'
    mode:
      schedule: 0 10 10 * * Fri
      type: azure-periodic
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
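The Key Vault and Redis policies above all rely on Cloud Custodian's `type: value` filter, and the `age`/`expiration` value types and the absent-key behaviour of `ne` are the parts most often misread. The script below is an added example, not c7n's own code: a simplified offline re-implementation of those filter semantics, run over constructed Key Vault and Redis resource dicts so the three filters can be sanity-checked before `custodian run`. The sample resources, the fixed `NOW`, and the `lookup`/`parse_date` helpers are assumptions of this example; type-specific filters such as `ingress` and `auto-regenerate-key` are not modelled.

```python
# Added offline dry-run of the `type: value` filters in the Key Vault and Redis
# policies above: a simplified re-implementation of Cloud Custodian's value-filter
# semantics, not c7n's own code. Type-specific filters (ingress, ...) are not modelled.
import operator
from datetime import datetime, timedelta, timezone

OPS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt, "lt": operator.lt}

def parse_date(raw):
    """Key Vault returns epoch seconds; c7n also accepts ISO-8601 strings."""
    if isinstance(raw, (int, float)):
        return datetime.fromtimestamp(raw, tz=timezone.utc)
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))

def lookup(resource, dotted_key):
    node = resource  # resolve e.g. 'attributes.exp'; None when any part is missing
    for part in dotted_key.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def value_filter_matches(flt, resource, now):
    raw = lookup(resource, flt["key"])
    vtype = flt.get("value_type")
    try:
        if vtype == "age":           # days since the date: created > 90 days ago
            actual = (now - parse_date(raw)).days
        elif vtype == "expiration":  # days until the date: expires in < 30 days
            actual = (parse_date(raw) - now).days
        else:
            actual = raw             # plain compare, e.g. enableNonSslPort eq true
        return OPS[flt["op"]](actual, flt["value"])
    except (TypeError, AttributeError):
        return False                 # missing or unparseable date never matches

def policy_matches(filters, resource, now):
    """Top-level filters are implicitly AND-ed, as in a Custodian policy."""
    return all(value_filter_matches(f, resource, now) for f in filters)

# Constructed sample resources and the page's three value filters (not real Azure output).
NOW = datetime(2021, 10, 1, tzinfo=timezone.utc)
SOON_CERT = {"attributes": {"exp": int((NOW + timedelta(days=12)).timestamp())}}
OLD_KEY = {"attributes": {"created": "2021-05-01T00:00:00Z"}}
LEGACY_REDIS = {"enableNonSslPort": True}  # minimumTlsVersion absent: 'ne' still matches
CERT_EXPIRING = [{"type": "value", "key": "attributes.exp",
                  "value_type": "expiration", "op": "lt", "value": 30}]
KEY_TOO_OLD = [{"type": "value", "key": "attributes.created",
                "value_type": "age", "op": "gt", "value": 90}]
TLS_NOT_12 = [{"type": "value", "key": "minimumTlsVersion", "op": "ne", "value": "1.2"}]
```

Note that `ne` against a key the resource does not carry evaluates to a match, so a cache with no `minimumTlsVersion` set is reported by the TLS policy, whereas a missing date attribute never matches the age or expiration filters.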

Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT
Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.