Policy: Azure > Network > Network Security Group > Ingress Rules > Approved > Rules
An Object Control List (OCL) with a list of filter rules to approve or reject security group rules.
Note that the Approved control does not operate directly from this policy, but from the Approved > Compiled Rules. The rules are processed in order, and any built-in Guardrails rules will appear first in the list of compiled rules.
Examples: Allow HTTP and HTTPS rules for RFC1918 private space APPROVE $.turbot.fromPort:=80 $.turbot.toPort:=80 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 APPROVE $.turbot.fromPort:=443 $.turbot.toPort:=443 $.turbot.cidr:<=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16<br /><br /> Allow all rules from security groups in this account APPROVE $.UserIdGroupPairs.+.UserId:"969297701313"<br /><br /> Reject any rule from 0.0.0.0/0 REJECT $.turbot.cidr:0.0.0.0/0
Resource Types
This policy targets the following resource types:
Primary Policy
This policy is used with the following primary policy:
Controls
- Azure > Network > Network Security Group > Ingress Rules
- Azure > Network > Network Security Group > Ingress Rules > Approved
Policy Packs
This policy setting is used by the following policy packs:
- Azure CIS v2.0.0 - Section 4 - Database Services
- Azure CIS v2.0.0 - Section 6 - Networking
- Enforce Azure Network Security Groups to Reject All Ingress, RDP, and SSH Inbound Access
Policy Specification
Schema Type | |
|---|---|
Default | |
Category
In Your Workspace
Developers
- tmod:@turbot/turbot#/control/categories/resourceApproved
- tmod:@turbot/azure-network#/policy/types/networkSecurityGroupIngressRulesApprovedRules
- turbot graphql policy-type --id "tmod:@turbot/azure-network#/policy/types/networkSecurityGroupIngressRulesApprovedRules"
- turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-network#/policy/types/networkSecurityGroupIngressRulesApprovedRules"
Get Policy TypeGet Policy Settings