storage

Sample rules

A few rules that use objects from this package:

non_car_storage_account_default_network_access_denied

from typing import Any, Dict, List

from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.context.azure.resources.storage.azure_storage_account_network_rules import NetworkRuleDefaultAction
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class EnsureStorageAccountDefaultNetworkDenyRule(AzureBaseRule):

    def get_id(self) -> str:
        return 'non_car_storage_account_default_network_access_denied'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, Any]) -> List[Issue]:
        issues: List[Issue] = []
        # A storage account whose network rules default to Allow is reachable from any network,
        # so it is flagged regardless of any ip_rules or subnet ids that may also be configured.
        for storage in env_context.storage_accounts:
            if storage.network_rules.default_action == NetworkRuleDefaultAction.ALLOW:
                issues.append(
                    Issue(
                        f'The {storage.get_type()} `{storage.get_friendly_name()}` is not denying default network access',
                        storage,
                        storage))
        return issues

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        # Skip the rule entirely when the environment contains no storage accounts.
        return bool(environment_context.storage_accounts)

non_car_storage_account_secure_transfer

from typing import Any, Dict, List

from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class StorageAccountSecureTransferRule(AzureBaseRule):

    def get_id(self) -> str:
        return 'non_car_storage_account_secure_transfer'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, Any]) -> List[Issue]:
        issues: List[Issue] = []
        # enable_https_traffic_only=False means the account also accepts plaintext HTTP requests.
        for storage_account in env_context.storage_accounts:
            if not storage_account.enable_https_traffic_only:
                issues.append(
                    Issue(
                        f'The {storage_account.get_type()} `{storage_account.get_friendly_name()}` is not requiring secure transfer',
                        storage_account,
                        storage_account))
        return issues

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        # Skip the rule entirely when the environment contains no storage accounts.
        return bool(environment_context.storage_accounts)

non_car_storage_account_public_access

from typing import Any, Dict, List

from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class StorageAccountPublicAccessRule(AzureBaseRule):

    def get_id(self) -> str:
        return 'non_car_storage_account_public_access'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, Any]) -> List[Issue]:
        issues: List[Issue] = []
        # allow_blob_public_access=True lets individual containers be set to anonymous (public) read access.
        for storage_account in env_context.storage_accounts:
            if storage_account.allow_blob_public_access:
                issues.append(
                    Issue(
                        f'The {storage_account.get_type()} `{storage_account.get_friendly_name()}` is allowing public access to containers and blobs.',
                        storage_account,
                        storage_account))
        return issues

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        # Skip the rule entirely when the environment contains no storage accounts.
        return bool(environment_context.storage_accounts)

AzureStorageAccountNetworkRules (AzureResource)

Attributes:

storage_name (str): The name of the storage account.
default_action (NetworkRuleDefaultAction): The default action applied when no other rule matches.
ip_rules (list): List of IP addresses or ranges allowed to reach the storage account from the internet.
virtual_network_subnet_ids (List[str]): List of virtual network subnet ids allowed to reach the storage account.
bypass_traffic (List[BypassTrafficType]): List of traffic services that bypass the network rules and have access to the storage account.

Methods:

custom_invalidation(self) (inherited): A list of manual reasons why this resource should be invalidated.
exclude_from_invalidation(self) (inherited): A list of attributes that should be excluded from the invalidation process.

BypassTrafficType (str, Enum)

An enumeration.

NetworkRuleDefaultAction (str, Enum)

Enum

ALLOW - Default action is set to allow connections.
DENY - Default action is set to deny connections.
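The rule shown above only checks default_action, so an account that denies by default but lists a very wide range in ip_rules is effectively open and passes. The following added example (not cloudrail code; it uses minimal stand-in dataclasses that carry only the attribute names documented here, and a constructed width threshold as its policy) shows how a complementary check over ip_rules can be written:

```python
import ipaddress
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class NetworkRuleDefaultAction(str, Enum):
    # Stand-in for the documented enum (assumption: same member names).
    ALLOW = 'Allow'
    DENY = 'Deny'


@dataclass
class NetworkRules:
    # Minimal stand-in for AzureStorageAccountNetworkRules.
    default_action: NetworkRuleDefaultAction
    ip_rules: List[str] = field(default_factory=list)
    virtual_network_subnet_ids: List[str] = field(default_factory=list)


@dataclass
class StorageAccount:
    # Minimal stand-in for AzureStorageAccount.
    storage_name: str
    network_rules: NetworkRules


# Constructed policy value: a single ip_rules entry that admits more than a /24
# is treated as too wide for a "deny by default" firewall.
MAX_ADDRESSES_PER_RULE = 256


def broad_ip_rules(rules: NetworkRules) -> List[str]:
    """Return ip_rules entries wider than the policy allows.

    Entries that do not parse as an IPv4/IPv6 address or CIDR are returned
    too, so a malformed rule is surfaced instead of silently skipped.
    """
    broad = []
    for entry in rules.ip_rules:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            broad.append(entry)
            continue
        if net.num_addresses > MAX_ADDRESSES_PER_RULE:
            broad.append(entry)
    return broad


def find_effectively_open(accounts: List[StorageAccount]) -> List[str]:
    """Mirror of a rule's execute(): one finding string per offending account."""
    findings = []
    for acct in accounts:
        nr = acct.network_rules
        if nr.default_action == NetworkRuleDefaultAction.ALLOW:
            continue  # already reported by the default_network_access_denied rule
        wide = broad_ip_rules(nr)
        if wide:
            findings.append(f'`{acct.storage_name}` denies by default but allows {wide}')
    return findings
```

In a real cloudrail rule the same logic would sit inside execute() of an AzureBaseRule subclass and iterate env_context.storage_accounts, as the sample rules above do.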

AzureStorageAccount (AzureResource)

Attributes:

storage_name (str): The name of the storage account.
account_tier (str): The tier of the storage account.
account_replication_type (str): The replication type of the storage account.
network_rules (AzureStorageAccountNetworkRules): The network rules that allow or deny access to the account.
enable_https_traffic_only (bool): A flag indicating whether only HTTPS traffic is accepted.
allow_blob_public_access (bool): True if public (anonymous) access to containers and blobs may be enabled, False if it is disabled.

Methods:

custom_invalidation(self) (inherited): A list of manual reasons why this resource should be invalidated.
exclude_from_invalidation(self) (inherited): A list of attributes that should be excluded from the invalidation process.

AzureDataLakeStore (AzureResource, IMonitorSettings, IManagedIdentityResource)

Attributes:

name (str): The name of the Data Lake Analytics Store.
tier (DataLakeStoreTier): The monthly commitment tier.
encryption_state (FieldActive): Enables or disables encryption (allowed values: 'Enabled' or 'Disabled').
encryption_type (str): Type of encryption used (allowed values: 'ServiceManaged' or '').
managed_identities (List[AzureManagedIdentity]): All managed identities associated with the data lake store.
firewall_allow_azure_ips (FieldActive): Whether Azure service IPs are allowed through the firewall.
firewall_state (FieldActive): The state of the firewall (allowed values: 'Enabled' or 'Disabled').

Methods:

custom_invalidation(self) (inherited): A list of manual reasons why this resource should be invalidated.
exclude_from_invalidation(self) (inherited): A list of attributes that should be excluded from the invalidation process.

DataLakeStoreTier (Enum)

An enumeration.

AzureDataLakeAnalyticsAccount (AzureResource, IMonitorSettings)

Attributes:

name (str): The name of the Data Lake Analytics Account.
default_store_account_name (str): The name of the Data Lake Store to be used.
tier (DataLakeAnalyticsAccountTier): The monthly commitment tier.

Methods:

custom_invalidation(self) (inherited): A list of manual reasons why this resource should be invalidated.
exclude_from_invalidation(self) (inherited): A list of attributes that should be excluded from the invalidation process.

DataLakeAnalyticsAccountTier (str, Enum)

An enumeration.