我正在尝试在此处创建 Azure 策略,以便在未为自动化帐户设置诊断设置时进行审核。
我找不到验证自动化帐户是否保存的字段。
现在,我注意到了这一点,设置似乎在这里: Microsoft.Insights/diagnosticSettings
我的诊断设置可用: /subscriptions/SUBSCRIPTIONID/resourcegroups/RESOURCEGROUP/providers/microsoft.automation/automationaccounts/AUTOMATIONACC/providers/microsoft.insights/diagnosticSettings/DIAGSETTINGNAME
但是我如何使用这些信息来制定政策来检查资源是否合规?
【问题讨论】:
您是否在寻找下面的策略,在这里您可以在参数中传递自动化帐户(资源类型)。您可以找到内置策略列表here。
请关注此link 在 Azure 门户上查看策略定义。
{
"properties": {
"displayName": "Audit diagnostic setting",
"policyType": "BuiltIn",
"mode": "All",
"description": "Audit diagnostic setting for selected resource types",
"metadata": {
"version": "1.0.0",
"category": "Monitoring"
},
"parameters": {
"listOfResourceTypes": {
"type": "Array",
"metadata": {
"displayName": "Resource Types",
"strongType": "resourceTypes"
}
}
},
"policyRule": {
"if": {
"field": "type",
"in": "[parameters('listOfResourceTypes')]"
},
"then": {
"effect": "AuditIfNotExists",
"details": {
"type": "Microsoft.Insights/diagnosticSettings",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
"equals": "true"
},
{
"field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
"equals": "true"
}
]
}
}
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "7f89b1eb-583c-429a-8828-af049802c1d9"
}
【讨论】: