
Can Azure Policy detect changes to a resource?

How to solve: can Azure Policy detect changes to a resource?

I want to use Azure Policy to detect whether the security rules of the NSGs (network security groups) in my subscription change in any way.

However, I cannot find any property/alias on the resource that I could monitor to detect a change. These are the properties shown by the Azure Policy extension in VS Code:

{
  "id": "/subscriptions/xxxx/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxx",
  "name": "xxxx",
  "type": "Microsoft.Network/networkSecurityGroups",
  "location": "eastus",
  "tags": {
    "Company": "xxx"
  },
  "properties": {
    "provisioningState": "Succeeded",
    "resourceGuid": "xxxx",
    "securityRules": [],
    "defaultSecurityRules": [
      {
        "name": "AllowVnetInBound",
        "id": "/subscriptions/xxxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxxx/defaultSecurityRules/AllowVnetInBound",
        "etag": "xxxx",
        "type": "Microsoft.Network/networkSecurityGroups/defaultSecurityRules",
        "properties": {
          "provisioningState": "Succeeded",
          "description": "Allow inbound traffic from all VMs in VNET",
          "protocol": "*",
          "sourcePortRange": "*",
          "destinationPortRange": "*",
          "sourceAddressprefix": "VirtualNetwork",
          "destinationAddressprefix": "VirtualNetwork",
          "access": "Allow",
          "priority": 65000,
          "direction": "Inbound",
          "sourcePortRanges": [],
          "destinationPortRanges": [],
          "sourceAddressprefixes": [],
          "destinationAddressprefixes": []
        }
      },
      {
        "name": "AllowAzureLoadBalancerInBound",
        "id": "/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/nxxxx/defaultSecurityRules/AllowAzureLoadBalancerInBound",
        "etag": "W/\"9613f8c0-57ab-40fd-83e0-8da551bd3d96\"",
        "properties": {
          "description": "Allow inbound traffic from azure load balancer",
          "sourceAddressprefix": "AzureLoadBalancer",
          "destinationAddressprefix": "*",
          "priority": 65001
        }
      },
      {
        "name": "DenyAllInBound",
        "id": "/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxxx/defaultSecurityRules/DenyAllInBound",
        "etag": "xxx",
        "properties": {
          "description": "Deny all inbound traffic",
          "sourceAddressprefix": "*",
          "access": "Deny",
          "priority": 65500
        }
      },
      {
        "name": "AllowVnetoutBound",
        "id": "/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxxx/defaultSecurityRules/AllowVnetoutBound",
        "properties": {
          "description": "Allow outbound traffic from all VMs to all VMs in VNET",
          "direction": "Outbound"
        }
      },
      {
        "name": "AllowInternetoutBound",
        "id": "/subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.Network/networkSecurityGroups/xxx/defaultSecurityRules/AllowInternetoutBound",
        "properties": {
          "description": "Allow outbound traffic from all VMs to Internet",
          "destinationAddressprefix": "Internet"
        }
      },
      {
        "name": "DenyAllOutBound",
        "id": "/subscriptions/xxxx/resourceGroups/xxxx/providers/Microsoft.Network/networkSecurityGroups/xxxx/defaultSecurityRules/DenyAllOutBound",
        "properties": {
          "description": "Deny all outbound traffic",
          "destinationAddressprefixes": []
        }
      }
    ]
  }
}

I tried to write a policy against activity log events to detect the change, but it turns out you cannot write a policy directly against the event log. Is there any other way I can detect whether a security rule has changed?

Solution

No. You cannot write a policy that watches for events. Policy is designed to audit based on resource state. So you can pick a specific property and, using the correct alias for what you want to watch, audit the state of that property. Policy will automatically evaluate that resource state against your policy rule. The change event itself, however, cannot be monitored through Policy.
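To illustrate the answer's point, here is an added example (not code from the question, the answer, or Microsoft): an Azure Policy definition in audit mode that uses the securityRules[*] aliases to flag any NSG whose current state exposes RDP to any source, together with a simplified Python model of how the engine evaluates such a rule against resource state rather than against change events. The alias strings and rule syntax are real Azure Policy constructs; the NSG states, the rule name and the evaluator itself are constructed for illustration.

```python
# Added example, not code from the question or from Microsoft. POLICY_RULE uses
# real Azure Policy syntax and the securityRules[*] aliases; evaluate() is a
# simplified model of how the engine applies such a rule to an NSG's current
# state (only allOf, count/where, equals and in are modelled).
NSG_TYPE = "Microsoft.Network/networkSecurityGroups"
RULES = NSG_TYPE + "/securityRules[*]"
# Audit mode: flag any NSG holding an inbound Allow rule exposing RDP to any source.
POLICY_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": NSG_TYPE},
        {"count": {"field": RULES, "where": {"allOf": [
            {"field": RULES + ".access", "equals": "Allow"},
            {"field": RULES + ".direction", "equals": "Inbound"},
            {"field": RULES + ".sourceAddressPrefix", "in": ["*", "Internet", "0.0.0.0/0"]},
            {"field": RULES + ".destinationPortRange", "in": ["3389", "*"]},
        ]}}, "greater": 0},
    ]},
    "then": {"effect": "audit"},
}

def _match(cond, value):
    return value == cond["equals"] if "equals" in cond else value in cond["in"]

def _rule_prop(rule, alias):
    # "...securityRules[*].access" resolves to rule["properties"]["access"]
    return rule["properties"].get(alias.split("].", 1)[1])

def evaluate(resource, policy=POLICY_RULE):
    """Return 'audit' if the resource's current state is non-compliant, else None."""
    for cond in policy["if"]["allOf"]:
        if "field" in cond:  # plain field condition, here the resource type
            ok = _match(cond, resource.get(cond["field"]))
        else:  # count/where: securityRules entries meeting every where-condition
            where = cond["count"]["where"]["allOf"]
            n = sum(all(_match(c, _rule_prop(r, c["field"])) for c in where)
                    for r in resource["properties"]["securityRules"])
            ok = n > cond["greater"]
        if not ok:
            return None
    return policy["then"]["effect"]

# Constructed NSG with only default rules (securityRules empty, as in the question).
BASELINE_NSG = {"type": NSG_TYPE, "name": "nsg-example", "properties": {"securityRules": []}}

def add_rdp_from_internet(nsg):
    """Constructed change: a new NSG state with an Allow-RDP-from-anywhere inbound rule."""
    rule = {"name": "allow-rdp", "properties": {
        "access": "Allow", "direction": "Inbound", "protocol": "Tcp", "priority": 100,
        "sourceAddressPrefix": "*", "destinationPortRange": "3389"}}
    rules = nsg["properties"]["securityRules"] + [rule]
    return {**nsg, "properties": {**nsg["properties"], "securityRules": rules}}
```

Evaluating the baseline returns None and the changed state returns "audit": the engine only ever sees the two states, not the event that moved the NSG from one to the other, which is why a state-based rule (not an event rule) is the way to catch a risky change.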
