Azure- Cloud Custodian Policies for Azure Subscriptions

Example policies for Azure Subscription

In this story, we will be discussing the Cloud Custodian Policies related to Keyvault and Redis that can be deployed in Azure Subscriptions.

Command to deploy the policy

custodian run --output-dir=.  sec-n-keyvault-certificate-expiring-in-30-days.yml

The below screenshot shows the debug message in the terminal as the policy gets deployed

Debug Message

The below command helps you identify the versions of Cloud Custodian and other supporting tools.

(custodian) local-machine:first.last$ pip freeze | grep c7n
c7n==0.9.16
c7n-azure==0.7.13
c7n-gcp==0.4.15
c7n-mailer==0.6.15
c7n-org==0.6.15
c7n-trailcreator==0.2.15

Below are some examples of Custodian policies for Azure.

# Azure Key Vault Certificate

policies:
- name: sec-n-keyvault-certificate-expiring-in-30-days
  resource: azure.keyvault-certificate
  comment: |
    Find all Key Vault Certificates that will expire in the next 30 
    days.This policy runs every Friday at 10:10AM UTC (CDT time: 
    5:10 AM).  
  filters:
    - type: value
      key: attributes.exp
      value_type: expiration
      op: lt
      value: 30
  mode:
    schedule: 0 10 10 * * Fri
    type: azure-periodic
    provision-options: 
      identity: 
        type: UserAssigned 
        id: exampleid
    execution-options:
      output_dir: azure://example.blob.abcd.windows.net/{account_id}

# Azure Key Vault Keys

policies:
- name: sec-n-keyvault-keys-older-than-90-days
  resource: azure.keyvault-key
  comment: |
    Find all Keys in the Key Vault that are older than 90 days. 
    This policy runs every Friday at 10:10AM UTC (CDT time: 
    5:10 AM).  
  filters:
    - type: value
      key: attributes.created
      value_type: age
      op: gt
      value: 90
  mode:
    schedule: 0 10 10 * * Fri
    type: azure-periodic
    provision-options: 
      identity: 
        type: UserAssigned 
        id: exampleid
    execution-options:
      output_dir: azure://example.blob.abcd.windows.net/{account_id}

# Azure Key Vault Storage

policies:
- name: sec-n-keyvault-mg-storage-keys-not-rotated
  resource: azure.keyvault-storage
  comment: |
    Find all Keys - (a)that does NOT have auto regenerate enabled or 
    (b)Do NOT rotate every 30 days. This policy runs every Friday at 
    10:10AM UTC (CDT time: 5:10 AM).  
  filters:
    - or:
      - type: auto-regenerate-key
        value: false
      - type: regeneration-period
        op: ne
        value: P30D
  mode:
    schedule: 0 10 10 * * Fri
    type: azure-periodic
    provision-options: 
      identity: 
        type: UserAssigned 
        id: exampleid
    execution-options:
      output_dir: azure://example.blob.abcd.windows.net/{account_id}

# Azure Network Security Group

policies:
- name: sec-n-nwsecgroup-ingress-SSH-open-to-world
  resource: azure.networksecuritygroup
  comment: |
    Find all NSG with port 22 opened from any source (open to the 
    world).This policy runs every Friday at 10:10AM UTC (CDT time: 
    5:10 AM).  
  filters:
    - type: ingress
      ports: 22
      access: allow
      source: '*'
  mode:
    schedule: 0 10 10 * * Fri
    type: azure-periodic
    provision-options: 
      identity: 
        type: UserAssigned 
        id: exampleid
    execution-options:
      output_dir: azure://example.blob.abcd.windows.net/{account_id}

# Azure Redis — Encryption Related

policies:
- name: sec-n-redis-encryption-in-transit-not-enabled
  resource: azure.redis
  comment: |
    Find all Redis Cache where data-in-transit encryption  
    configuration is not enabled.Ensure that the SSL connection to 
    your Azure Redis Cache servers is enabled in order to meet cloud 
    security and compliance requirements. Enforcing an SSL 
    connection helps prevent unauthorized users from reading 
    sensitive data that is intercepted as it travels through the 
    network, between clients /applications and cache servers, known 
    as data in transit. If value = true, meaning non-SSL Redis Cache 
    port (ie., 6379) is enabled. Therefore, the data-in-transit 
    encryption is not enabled for the selected Redis Cache 
    Server.This policy runs every Friday at 10:10AM UTC (CDT time: 
    5:10 AM).  
  filters:
    - type: value
      key: enableNonSslPort
      op: eq
      value: true
  mode:
    schedule: 0 10 10 * * Fri
    type: azure-periodic
    provision-options: 
      identity: 
        type: UserAssigned 
        id: exampleid
    execution-options:
      output_dir: azure://example.blob.abcd.windows.net/{account_id}

# Azure Redis — TLS version

policies:
- name: sec-n-redis-encryption-in-transit-not-enabled
  resource: azure.redis
  comment: |
    Find all Redis Cache which are not using the latest TLS version 
    (v1.2).This policy runs every Friday at 10:10AM UTC (CDT time: 
    5:10 AM).  
  filters:
    - type: value
      key: minimumTlsVersion
      op: ne
      value: '1.2'
  mode:
    schedule: 0 10 10 * * Fri
    type: azure-periodic
    provision-options: 
      identity: 
        type: UserAssigned 
        id: exampleid
    execution-options:
      output_dir: azure://example.blob.abcd.windows.net/{account_id}

Other Stories

Cloud Custodian Output Files

Cloud Custodian Policy Health Checks

Ingesting Custodian Logs into Sumo Logic