-
Notifications
You must be signed in to change notification settings - Fork 733
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Logic Apps for securing storage accounts
- Loading branch information
1 parent
6e76064
commit 2ccfc02
Showing
8 changed files
with
1,771 additions
and
0 deletions.
There are no files selected for viewing
28 changes: 28 additions & 0 deletions
28
...scripts/Storage Account - Deny Network Access DefaultAction/Logic App/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| ## Introduction | ||
| Use this deployment template to create a Logic App to set Deny as DefaultAction for storage acocunt NACLs. | ||
| ```json | ||
| "networkAcls": { | ||
| "defaultAction": "Deny" | ||
| } | ||
| ``` | ||
| The Logic App iterates through all storage account in enabled subscriptions. | ||
| The Logic App is configured as scheduled trigger with frequency of once per day. | ||
|
|
||
| ## Post Deployment | ||
| - Enable Logic App | ||
| - Enable System Manged Identity | ||
| - Assign System Managed Identity **Storage Account Contributor** role at subscription level | ||
|
|
||
| ## Contributing | ||
|
|
||
| This project welcomes contributions and suggestions. Most contributions require you to agree to a | ||
| Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us | ||
| the rights to use your contribution. For details, visit https://cla.microsoft.com. | ||
|
|
||
| When you submit a pull request, a CLA-bot will automatically determine whether you need to provide | ||
| a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions | ||
| provided by the bot. You will only need to do this once across all repos using our CLA. | ||
|
|
||
| This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). | ||
| For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or | ||
| contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. |
413 changes: 413 additions & 0 deletions
413
...on scripts/Storage Account - Deny Network Access DefaultAction/Logic App/azuredeploy.json
Large diffs are not rendered by default.
Oops, something went wrong.
29 changes: 29 additions & 0 deletions
29
...iation scripts/Storage Account - Disable Blob Public Access/Logic App/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| ## Introduction | ||
| Use this deployment template to create a Logic App to Disable as public acces for blobs. | ||
|
|
||
| ```json | ||
| { | ||
| "allowBlobPublicAccess": false | ||
| } | ||
| ``` | ||
| The Logic App iterates through all storage account in enabled subscriptions. | ||
| The Logic App is configured as scheduled trigger with frequency of once per day. | ||
|
|
||
| ## Post Deployment | ||
| - Enable Logic App | ||
| - Enable System Manged Identity | ||
| - Assign System Managed Identity **Storage Account Contributor** role at subscription level | ||
|
|
||
| ## Contributing | ||
|
|
||
| This project welcomes contributions and suggestions. Most contributions require you to agree to a | ||
| Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us | ||
| the rights to use your contribution. For details, visit https://cla.microsoft.com. | ||
|
|
||
| When you submit a pull request, a CLA-bot will automatically determine whether you need to provide | ||
| a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions | ||
| provided by the bot. You will only need to do this once across all repos using our CLA. | ||
|
|
||
| This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). | ||
| For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or | ||
| contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. |
411 changes: 411 additions & 0 deletions
411
Remediation scripts/Storage Account - Disable Blob Public Access/Logic App/azuredeploy.json
Large diffs are not rendered by default.
Oops, something went wrong.
29 changes: 29 additions & 0 deletions
29
...ion scripts/Storage Account - Disable Public Network Access/Logic App/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| ## Introduction | ||
| Use this deployment template to create a Logic App to Disable as public acces for storage account. | ||
|
|
||
| ```json | ||
| { | ||
| "publicNetworkAccess": "Disabled" | ||
| } | ||
| ``` | ||
| The Logic App iterates through all storage account in enabled subscriptions. | ||
| The Logic App is configured as scheduled trigger with frequency of once per day. | ||
|
|
||
| ## Post Deployment | ||
| - Enable Logic App | ||
| - Enable System Manged Identity | ||
| - Assign System Managed Identity **Storage Account Contributor** role at subscription level | ||
|
|
||
| ## Contributing | ||
|
|
||
| This project welcomes contributions and suggestions. Most contributions require you to agree to a | ||
| Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us | ||
| the rights to use your contribution. For details, visit https://cla.microsoft.com. | ||
|
|
||
| When you submit a pull request, a CLA-bot will automatically determine whether you need to provide | ||
| a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions | ||
| provided by the bot. You will only need to do this once across all repos using our CLA. | ||
|
|
||
| This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). | ||
| For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or | ||
| contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. |
411 changes: 411 additions & 0 deletions
411
...iation scripts/Storage Account - Disable Public Network Access/Logic App/azuredeploy.json
Large diffs are not rendered by default.
Oops, something went wrong.
30 changes: 30 additions & 0 deletions
30
Remediation scripts/Storage Account - Enable Secure Transfer/Logic App/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| ## Introduction | ||
| Use this deployment template to create a Logic App to enable secure transfer for storage acocunt and set's the protocol as TLS 1.2. | ||
|
|
||
| ```json | ||
| { | ||
| "minimumTlsVersion": "TLS1_2", | ||
| "supportsHttpsTrafficOnly": true | ||
| } | ||
| ``` | ||
| The Logic App iterates through all storage account in enabled subscriptions. | ||
| The Logic App is configured as scheduled trigger with frequency of once per day. | ||
|
|
||
| ## Post Deployment | ||
| - Enable Logic App | ||
| - Enable System Manged Identity | ||
| - Assign System Managed Identity **Storage Account Contributor** role at subscription level | ||
|
|
||
| ## Contributing | ||
|
|
||
| This project welcomes contributions and suggestions. Most contributions require you to agree to a | ||
| Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us | ||
| the rights to use your contribution. For details, visit https://cla.microsoft.com. | ||
|
|
||
| When you submit a pull request, a CLA-bot will automatically determine whether you need to provide | ||
| a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions | ||
| provided by the bot. You will only need to do this once across all repos using our CLA. | ||
|
|
||
| This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). | ||
| For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or | ||
| contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. |
Oops, something went wrong.