diff --git a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/query.rego b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/query.rego
index c8a84b9b815..9438fc98431 100644
--- a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/query.rego
+++ b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/query.rego
@@ -73,3 +73,32 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(childPath, ["properties", "publicAccess"]),
 }
 }
+
+
+
+CxPolicy[result] {
+ doc := input.document[i]
+
+ [path, value] = walk(doc)
+ value.type == "Microsoft.Storage/storageAccounts"
+
+ [childPath, childValue] := walk(value.resources)
+ childValue.type == "blobServices"
+
+ [subchildPath, subchildValue] := walk(childValue.resources)
+ subchildValue.type == "containers"
+
+ [val, val_type] := arm_lib.getDefaultValueFromParametersIfPresent(doc, subchildValue.properties.publicAccess)
+ val == publicOptions[o]
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": value.type,
+ "resourceName": value.name,
+ "searchKey": sprintf("%s.name=%s.resources.name=%s.resources.name=%s.properties.publicAccess", [common_lib.concat_path(path), value.name, childValue.name, subchildValue.name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("resource with type 'containers' shouldn't have 'publicAccess' %s set to 'Container' or 'Blob'", [val_type]),
+ "keyActualValue": sprintf("resource with type 'containers' has 'publicAccess' property set to '%s'", [publicOptions[o]]),
+ "searchLine": common_lib.build_search_line(path, ["resources", childPath[0], "resources", subchildPath[0], "properties", "publicAccess"]),
+ }
+}
\ No newline at end of file
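Review bot: The `searchLine` on the last added result field indexes `childPath[0]` and `subchildPath[0]`, but the two inner `walk` calls match a `blobServices`/`containers` node at any depth below `value.resources`, so a match sitting more than one level down would be reported at the wrong location. Since the searchLine already assumes direct children, iterating the arrays makes the match and the reported location agree: `childValue := value.resources[childIdx]`, `subchildValue := childValue.resources[subIdx]`, and `common_lib.build_search_line(path, ["resources", childIdx, "resources", subIdx, "properties", "publicAccess"])`. Two consistency nits: `[path, value] = walk(doc)` uses unification where the other bindings in the rule use `:=`, and `"documentId": input.document[i].id` can be `doc.id` since `doc` is already bound. `publicOptions` is used in `val == publicOptions[o]` but is defined outside this hunk.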
diff --git a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive7.json b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive7.json
new file mode 100644
index 00000000000..d36035e0934
--- /dev/null
+++ b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive7.json
@@ -0,0 +1,105 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "existingVNETName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the virtual network to use for cloud shell containers."
+ }
+ },
+ "existingStorageSubnetName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the subnet to use for storage account."
+ }
+ },
+ "existingContainerSubnetName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the subnet to use for cloud shell containers."
+ }
+ },
+ "storageAccountName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the storage account in subnet."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for all resources."
+ }
+ }
+ },
+ "variables": {
+ "containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]",
+ "storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[parameters('storageAccountName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "kind": "StorageV2",
+ "properties": {
+ "networkAcls": {
+ "defaultAction": "Deny"
+ },
+ "supportsHttpsTrafficOnly": true,
+ "encryption": {
+ "services": {
+ "file": {
+ "keyType": "Account",
+ "enabled": true
+ },
+ "blob": {
+ "keyType": "Account",
+ "enabled": true
+ }
+ },
+ "keySource": "Microsoft.Storage"
+ },
+ "accessTier": "Cool"
+ },
+ "resources": [
+ {
+ "type": "blobServices",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(parameters('storageAccountName'), '/default')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
+ ],
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "properties": {
+ "deleteRetentionPolicy": {
+ "enabled": false
+ }
+ },
+ "resources": [
+ {
+ "type": "containers",
+ "apiVersion": "2019-06-01",
+ "name": "container",
+ "properties": {
+ "denyEncryptionScopeOverride": true,
+ "publicAccess": "Blob",
+ "metadata": {}
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json
index 89e56633bd6..5b6961233e3 100644
--- a/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json
+++ b/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access/test/positive_expected_result.json
@@ -34,5 +34,11 @@
 "severity": "HIGH",
 "line": 52,
 "fileName": "positive6.json"
+ },
+ {
+ "queryName": "Storage Blob Service Container With Public Access",
+ "severity": "HIGH",
+ "line": 96,
+ "fileName": "positive7.json"
 }
 ]
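Review bot: The fixture exercises the new three-level rule only through a literal `"publicAccess": "Blob"` (line 96, which the expected-result entry records), so the parameter-resolution branch the rule goes through via `arm_lib.getDefaultValueFromParametersIfPresent` — a value written as `"[parameters('...')]"` whose default is `Container` or `Blob` — has no positive case here. A sibling fixture in that form, and, if one is not already present, a negative counterpart with the same nesting and `"publicAccess": "None"`, would pin both branches of the rule. The new file also ends without a trailing newline (`\ No newline at end of file`), which is worth adding for a file under version control.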