Skip to content

storage

Sample rules

A few rules that use objects from this package:

non_car_storage_account_default_network_access_denied
from cloudrail.knowledge.context.azure.resources.storage.azure_storage_account_network_rules import NetworkRuleDefaultAction
from typing import List, Dict
from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class EnsureStorageAccountDefaultNetworkDenyRule(AzureBaseRule):

    def get_id(self) -> str:
        return 'non_car_storage_account_default_network_access_denied'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        issues: List[Issue] = []
        for storage in env_context.storage_accounts:
            if storage.network_rules.default_action == NetworkRuleDefaultAction.ALLOW:
                issues.append(
                    Issue(
                        f'The {storage.get_type()} `{storage.get_friendly_name()}` is not denying default network access',
                        storage,
                        storage))
        return issues

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        return bool(environment_context.storage_accounts)
non_car_storage_account_secure_transfer
from typing import Dict, List

from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class StorageAccountSecureTransferRule(AzureBaseRule):

    def get_id(self) -> str:
        return 'non_car_storage_account_secure_transfer'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        issues: List[Issue] = []
        for storage_account in env_context.storage_accounts:
            if not storage_account.enable_https_traffic_only:
                issues.append(
                    Issue(
                        f'The {storage_account.get_type()} `{storage_account.get_friendly_name()}` is not requiring secure transfer',
                        storage_account,
                        storage_account))
        return issues

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        return bool(environment_context.storage_accounts)
non_car_storage_account_public_access
from typing import Dict, List

from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class StorageAccountPublicAccessRule(AzureBaseRule):

    def get_id(self) -> str:
        return 'non_car_storage_account_public_access'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        issues: List[Issue] = []
        for storage_account in env_context.storage_accounts:
            if storage_account.allow_blob_public_access:
                issues.append(
                    Issue(
                        f'The {storage_account.get_type()} `{storage_account.get_friendly_name()}` is allowing public access to container and blobs.',
                        storage_account,
                        storage_account))
        return issues

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        return bool(environment_context.storage_accounts)

AzureStorageAccountNetworkRules (AzureResource)

Attributes:

Name Type Description
storage_name str

The name of the storage account.

default_action NetworkRuleDefaultAction

The default action when no other rules match.

ip_rules list

List of IP addresses to allow access from the internet to the storage account.

bypass_traffic List[BypassTrafficType]

List of traffic services which will bypass the network rules, and will have access to the storage account.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process

BypassTrafficType (str, Enum)

An enumeration.

NetworkRuleDefaultAction (str, Enum)

Enum

ALLOW - Default Action is set to Allow connections DENY - Default Action is set to Deny connections

AzureStorageAccount (AzureResource)

Attributes:

Name Type Description
storage_name str

The name of the storage account.

account_tier str

The Tier of the storage account.

account_replication_type str

The replication type of the storage account

network_rules AzureStorageAccountNetworkRules

The networking rules to allow or deny access from.

enable_https_traffic_only bool

A flag indicating if only https traffic is allowed

allow_blob_public_access bool

A flag indicator, True if enable public access to containers and blobs else disable.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process