Policy Packs

guardrails-samples

This section contains recommendations for configuring Azure logging and monitoring features.

Azure CIS v2.0.0 - Section 5 - Logging and Monitoring

main

azure_monitor_stack

Configure a custom stack on Azure, per the custom `Stack &gt; Source`.&#92;n&#92;nA Guardrails `Stack` is a set of resources configured by Guardrails, as specified&#92;nvia Terraform source.  Stacks are responsible for the creation and deletion&#92;nof multiple resources. Once created, stack resources are responsible for&#92;nconfiguring themselves from the stack source via their `Configured` control.&#92;n

monitorStack

Azure > Monitor > Stack

azure_monitor_stack_source

The Terraform HCL source used to configure this stack.&#92;n&#92;nA Guardrails `Stack` is a set of resources configured by Guardrails, as specified&#92;nvia Terraform source.  Stacks are responsible for the creation and deletion&#92;nof multiple resources. Once created, stack resources are responsible for&#92;nconfiguring themselves from the stack source via their `Configured` control.&#92;n

monitorStackSource

Azure > Monitor > Stack > Source

azure_monitor_stack_terraform_version

The Version of Terraform to use for this stack.&#92;nSpecify an [npm-style semver](https://docs.npmjs.com/misc/semver) string to&#92;ndetermine which version of the Terraform container&#92;nGuardrails will use to run this stack.&#92;n&#92;nA Guardrails `Stack` is a set of resources configured by Guardrails,&#92;nas specified  via Terraform source.  Stacks are responsible&#92;nfor the creation and deletion of multiple resources. Once created,&#92;nstack resources are responsible for configuring themselves from&#92;nthe stack source via their `Configured` control.&#92;n

monitorStackTerraformVersion

Azure > Monitor > Stack > Terraform Version

azure_networkwatcher_flowlog_approved

Determine the action to take when an Azure Network Watcher flow log is not approved based on `Azure &gt; Network Watcher &gt; Flow Log &gt; Approved &gt; *` policies.&#92;n&#92;nThe Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.&#92;n&#92;nFor any enforcement actions that specify `if new`, e.g., `Enforce: Delete unapproved if new`, this control will only take the enforcement actions for resources created within the last 60 minutes.&#92;n&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n

flowLogApproved

Azure > Network Watcher > Flow Log > Approved

azure_networkwatcher_flowlog_approved_custom

Determine whether the Azure Network Watcher flow log is allowed to exist.&#92;nThis policy will be evaluated by the Approved control. If an Azure Network Watcher flow log is not approved, it will be subject to the action specified in the `Azure &gt; Network Watcher &gt; Flow Log &gt; Approved` policy.&#92;nSee [Approved](https://turbot.com/guardrails/docs/concepts/guardrails/approved) for more information.&#92;n&#92;n**Note**: The policy value must be a string with a value of `Approved`, `Not approved` or `Skip`, or in the form of YAML objects. The object(s) must contain the key `result` with its value as `Approved` or `Not approved`. A custom title and message can also be added using the keys `title` and `message` respectively.&#92;n

flowLogApprovedCustom

Azure > Network Watcher > Flow Log > Approved > Custom

azure_resource_group_stack

resourceGroupStack

Azure > Resource Group > Stack

azure_resource_group_stack_source

resourceGroupStackSource

Azure > Resource Group > Stack > Source

azure_resource_group_stack_terraform_version

resourceGroupStackTerraformVersion

Azure > Resource Group > Stack > Terraform Version

azure_storage_container_public_access_level

Define the Public Access Level settings required for `Azure &gt; Storage &gt; Container`.&#92;n&#92;nThe Public Access Level policy determines whether the public access level for Azure Storage Container should be set to Private, Blob or Container.&#92;n&#92;nEnabling public access level on a container, grants permission for anonymous read access for blobs only or for both blobs and containers.&#92;n

Policy	Setting	Note
Azure > Monitor > Stack	Check: Configured	Azure CIS v2.0.0 - Controls: 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9 and 5.2.10
Azure > Monitor > Stack > Source	Calculated	Azure CIS v2.0.0 - Controls: 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9 and 5.2.10
Azure > Monitor > Stack > Terraform Version	0.15.*	Azure CIS v2.0.0 - Controls: 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9 and 5.2.10
Azure > Network Watcher > Flow Log > Approved	Check: Approved	Azure CIS v2.0.0 - Control: 5.1.6
Azure > Network Watcher > Flow Log > Approved > Custom	Calculated	Azure CIS v2.0.0 - Control: 5.1.6
Azure > Resource Group > Stack	Check: Configured	Azure CIS v2.0.0 - Controls: 5.3.1
Azure > Resource Group > Stack > Source	Calculated	Azure CIS v2.0.0 - Controls: 5.3.1
Azure > Resource Group > Stack > Terraform Version	0.15.*	Azure CIS v2.0.0 - Controls: 5.3.1
Azure > Storage > Container > Public Access Level	Check: Private (No anonymous access)	Azure CIS v2.0.0 - Control: 5.1.3

Policy Settings