AzPolicyAdvertizer

last sync: 2020-Oct-30 14:31:57 UTC

Azure Policy definition

Azure Cosmos DB accounts should have firewall rules

Name Azure Cosmos DB accounts should have firewall rules
Azure Portal

Id 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb

Version 1.0.0
details on versioning

Category Cosmos DB
Microsoft docs

Description Audit or deny resources that do not have any IP rules configured and allow all networks by default. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.

Mode All

Type BuiltIn

Preview FALSE

Deprecated FALSE

Effect Default: Deny
Allowed: (Audit, Deny, Disabled)

Used RBAC Role none

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2020-06-23 16:03:25	add	862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb

Used in Initiatives none

Json

{
  "properties": {
    "displayName": "Azure Cosmos DB accounts should have firewall rules",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Audit or deny resources that do not have any IP rules configured and allow all networks by default. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cosmos DB"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Policy Effect",
          "description": "The desired effect of the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess",
                "exists": "false"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess",
                "equals": "Enabled"
              }
            ]
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled",
                "exists": "false"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled",
                "equals": "false"
              },
              {
                "allOf": [
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.DocumentDB/databaseAccounts/ipRules",
                        "exists": "false"
                      },
                      {
                        "count": {
                        "field": "Microsoft.DocumentDB/databaseAccounts/ipRules[*]"
                        },
                        "equals": 0
                      }
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.DocumentDB/databaseAccounts/ipRangeFilter",
                        "exists": "false"
                      },
                      {
                        "field": "Microsoft.DocumentDB/databaseAccounts/ipRangeFilter",
                        "equals": ""
                      }
                    ]
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb"
}

Azure Policy definition

Azure Cosmos DB accounts should have firewall rules

Popular