[英]Azure Policy to disallow Storage account creation
I'm an Azure administrator, and seems like some users can create Azure Storage Accounts without my consent.我是 Azure 管理员,似乎有些用户可以在未经我同意的情况下创建 Azure 存储帐户。 I would like to see how I can enforce a policy such that I'm the only user that can create them and other users won't be able to do so.
我想看看如何执行一项策略,使我是唯一可以创建它们的用户,而其他用户将无法这样做。 I know there are multiple ways to do it, however I'm mostly inerested in a custom policy in Azure.
我知道有多种方法可以做到这一点,但是我对 Azure 中的自定义策略最感兴趣。 I couldn't really find any examples online.
我在网上真的找不到任何例子。 Please note I'm going to use this policy so that it can overwrite any existing RBAC roles etc. Can't go any further with the JSON code below.
请注意,我将使用此策略,以便它可以覆盖任何现有的 RBAC 角色等。不能使用下面的 JSON 代码进一步使用 go。
{
"policyRule": {
"if": {
"allOf": [{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"field": "Microsoft.Storage/storageAccounts",
"like": "*"
}
]
},
"then": {
"effect": "deny"
}
}
You almost did it but with minor mistake.你几乎做到了,但犯了一个小错误。 HEre is working example
这是工作示例
Create policy创建策略
{
"mode": "All",
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
"then": {
"effect": "deny"
}
},
"parameters": {}
}
Then during assignment set non-complient message然后在分配期间设置不合规消息
So now anyone who wants to create will see this所以现在任何想要创建的人都会看到这个
There is a built-in, strongly typed Azure Policy Definition out there.有一个内置的强类型 Azure 策略定义。 Using it will allow you to easily block next services in the future by changing the assignment parameters.
使用它将允许您通过更改分配参数轻松地阻止未来的下一个服务。
(/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749). (/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.