• Stars
    star
    181
  • Rank 212,110 (Top 5 %)
  • Language HCL
  • Created over 3 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Rapidly apply hundreds of security controls in Azure

Azure Guardrails

Azure Guardrails allows you to rapidly cherry-pick cloud security guardrails by generating Terraform files that create Azure Policy Initiatives.

Continuous Integration Tests Downloads Twitter

Table of contents

Overview

Azure Policies - similar to AWS Service Control Policies (SCPs) - allows Azure customers to enforce organizational standards and enforce security policies at scale. You can use Azure Policies to evaluate the overall state of your environment, and drill down to the security status per resource and per policy. For example, you can prevent users from creating any unencrypted resources or security group rules that allow SSH/RDP Access to 0.0.0.0/0.

Azure provides 400+ built-in security policies. This presents an incredible opportunity for customers who want to enforce preventative security guardrails from the start. However, deciding which of the 400+ built-in policies you want to enforce, and which stages you want to roll them out in can be a bit intimidating at the start.

To help maximize coverage and ease the rollout process, I created this tool so that you can:

  • Cherry-pick and bulk-select the security policies you want according to your specific criteria
  • Enforce low-friction policies within minutes
  • Easily roll back policies that you don't want

Cheatsheet

Quick start

# Install Terraform (prerequisite)
brew install tfenv
tfenv install 0.12.31

# Install via pip
pip3 install cloud-guardrails --user

# Generate Terraform to create security guardrails (audit mode only)
cloud-guardrails generate-terraform --no-params --subscription example

# Generate Terraform to prevent insecure resources from being created (deny mode)
cloud-guardrails generate-terraform --no-params --subscription example --enforce

# Log into Azure and set your subscription
az login
az account set --subscription example

# Apply the policies
terraform init
terraform plan
terraform apply -auto-approve

Writing Policies

# No Parameters
cloud-guardrails generate-terraform --no-params --subscription example

# Optional Parameters (i.e., all the policies have default parameter values)
cloud-guardrails generate-terraform --params-optional --subscription example

# Required Parameters
cloud-guardrails generate-terraform --params-required \
    --service Kubernetes \
    --subscription example

# Create Config file
cloud-guardrails create-config-file --output config.yml

# Create Parameters file
cloud-guardrails create-parameters-file --output parameters.yml

Querying Policy Data

# list-services: List all the services supported by Azure built-in Policies
cloud-guardrails list-services

# list-policies: List all the existing built-in Azure Policies
cloud-guardrails list-policies --service "Kubernetes" --all-policies
cloud-guardrails list-policies --service "Kubernetes" --no-params
cloud-guardrails list-policies --service "Kubernetes" --audit-only

# describe-policy: Describe a specific policy based on display name or the short policy ID
cloud-guardrails describe-policy --id 7c1b1214-f927-48bf-8882-84f0af6588b1
cloud-guardrails describe-policy --name "Storage accounts should use customer-managed key for encryption"

Installation

Option 1: Homebrew

brew tap salesforce/cloud-guardrails https://github.com/salesforce/cloud-guardrails
brew install cloud-guardrails

Option 2: Pip3

pip3 install --user cloud-guardrails

Terraform

  • Install Terraform if you haven't already. I recommend using tfenv, a Terraform version manager:
brew install tfenv
tfenv install 0.12.31

Now you can follow the rest of the tutorial.

Tutorial

Example: No Parameters

  • First, log into Azure and set your subscription
az login
az account set --subscription my-subscription
  • Then generate the Terraform files:
cloud-guardrails generate-terraform --no-params \
    --subscription example
  • Navigate to the Terraform directory and apply the policies:
cd examples/terraform-demo/
terraform init
terraform plan
terraform apply -auto-approve

The output will look like this:

Example output

It will generate a file called no_params.tf. The file contents will look like this: examples/terraform-demo-no-params/main.tf.

Example: Single Service

You can also generate policies for a single service. Consider the example below where we generate Terraform for Key Vault only:

cloud-guardrails generate-terraform --no-params \
    --service "Key Vault" \
    --subscription example
Click to expand!

locals {
  name_no_params = "example_NP_Audit"
  subscription_name_no_params = "example"
  management_group_no_params = ""
  enforcement_mode_no_params = false
  policy_ids_no_params = [
    # -----------------------------------------------------------------------------------------------------------------
    # Key Vault
    # -----------------------------------------------------------------------------------------------------------------
    "c39ba22d-4428-4149-b981-70acb31fc383", # Azure Key Vault Managed HSM should have purge protection enabled
    "0b60c0b2-2dc2-4e1c-b5c9-abbed971de53", # Key vaults should have purge protection enabled
    "1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d", # Key vaults should have soft delete enabled
    "55615ac9-af46-4a59-874e-391cc3dfb490", # Firewall should be enabled on Key Vault
    "152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0", # Key Vault keys should have an expiration date
    "98728c90-32c7-4049-8429-847dc0f4fe37", # Key Vault secrets should have an expiration date
    "587c79fe-dd04-4a5e-9d0b-f89598c7261b", # Keys should be backed by a hardware security module (HSM)
    "5f0bc445-3935-4915-9981-011aa2b46147", # Private endpoint should be configured for Key Vault
    "75262d3e-ba4a-4f43-85f8-9f72c090e5e3", # Secrets should have content type set

  ]
}

# ---------------------------------------------------------------------------------------------------------------------
# Azure Policy name lookups:
# Because the policies are built-in, we can just look up their IDs by their names.
# ---------------------------------------------------------------------------------------------------------------------
data "azurerm_policy_definition" "no_params" {
  count        = length(local.policy_ids_no_params)
  name         = element(local.policy_ids_no_params, count.index)
}

locals {
  no_params_policy_definitions = flatten([tolist([
    for definition in data.azurerm_policy_definition.no_params.*.id :
    map("policyDefinitionId", definition)
    ])
  ])
}

# ---------------------------------------------------------------------------------------------------------------------
# Conditional data lookups: If the user supplies management group, look up the ID of the management group
# ---------------------------------------------------------------------------------------------------------------------
data "azurerm_management_group" "no_params" {
  count = local.management_group_no_params != "" ? 1 : 0
  display_name  = local.management_group_no_params
}

### If the user supplies subscription, look up the ID of the subscription
data "azurerm_subscriptions" "no_params" {
  count                 = local.subscription_name_no_params != "" ? 1 : 0
  display_name_contains = local.subscription_name_no_params
}

locals {
  no_params_scope = local.management_group_no_params != "" ? data.azurerm_management_group.no_params[0].id : element(data.azurerm_subscriptions.no_params[0].subscriptions.*.id, 0)
}

# ---------------------------------------------------------------------------------------------------------------------
# Policy Initiative
# ---------------------------------------------------------------------------------------------------------------------
resource "azurerm_policy_set_definition" "no_params" {
  name                  = local.name_no_params
  policy_type           = "Custom"
  display_name          = local.name_no_params
  description           = local.name_no_params
  management_group_name = local.management_group_no_params == "" ? null : local.management_group_no_params
  policy_definitions    = tostring(jsonencode(local.no_params_policy_definitions))
  metadata = tostring(jsonencode({
    category = local.name_no_params
  }))
}

# ---------------------------------------------------------------------------------------------------------------------
# Azure Policy Assignments
# Apply the Policy Initiative to the specified scope
# ---------------------------------------------------------------------------------------------------------------------
resource "azurerm_policy_assignment" "no_params" {
  name                 = local.name_no_params
  policy_definition_id = azurerm_policy_set_definition.no_params.id
  scope                = local.no_params_scope
  enforcement_mode     = local.enforcement_mode_no_params
}

# ---------------------------------------------------------------------------------------------------------------------
# Outputs
# ---------------------------------------------------------------------------------------------------------------------
output "no_params_policy_assignment_ids" {
  value       = azurerm_policy_assignment.no_params.id
  description = "The IDs of the Policy Assignments."
}

output "no_params_scope" {
  value       = local.no_params_scope
  description = "The target scope - either the management group or subscription, depending on which parameters were supplied"
}

output "no_params_policy_set_definition_id" {
  value       = azurerm_policy_set_definition.no_params.id
  description = "The ID of the Policy Set Definition."
}

output "no_params_count_of_policies_applied" {
  description = "The number of Policies applied as part of the Policy Initiative"
  value       = length(local.policy_ids_no_params)
}

Example: Parameters

Background and Motivation

Azure Parameters are similar to fields on a form - name, address, city, state. These parameters always stay the same, however their values change based on the individual filling out the form. Parameters work the same way when building policies. By including parameters in a policy definition, you can reuse that policy for different scenarios by using different values.

However, the process that Microsoft lays out for managing Policy as Code workflows is less preferable to some, due to the amount of policy files and the lack of a single view of parameters. Their documentation suggests this file structure for laying out your policy files and parameters.

.
|
|- policies/  ________________________ # Root folder for policy resources
|  |- policy1/  ______________________ # Subfolder for a policy
|     |- policy.json _________________ # Policy definition
|     |- policy.parameters.json ______ # Policy definition of parameters
|     |- policy.rules.json ___________ # Policy rule
|     |- assign.<name1>.json _________ # Assignment 1 for this policy definition
|     |- assign.<name2>.json _________ # Assignment 2 for this policy definition
|  |- policy2/  ______________________ # Subfolder for a policy
|     |- policy.json _________________ # Policy definition
|     |- policy.parameters.json ______ # Policy definition of parameters
|     |- policy.rules.json ___________ # Policy rule
|     |- assign.<name1>.json _________ # Assignment 1 for this policy definition
|     |- assign.<name2>.json _________ # Assignment 2 for this policy definition
|

That's a lot of JSON, and a lot of clicks.

cloud-guardrails offers a more elegant solution. You can specify your paramters in the form of a YAML file. The YAML file allows you to modify the parameters per policy in a fine-grained manner. Additionally, you don't have to write the parameters file yourself! Just run the create-parameters-file command, and it will create the file for you. You just have to fill in the values like a form.

Let's take a tour.

Parameters tutorial

  • Generate the parameters file:
cloud-guardrails create-parameters-file \
    --optional-only \
    -o parameters-optional.yml

The generated parameters-optional.yml file will only contain policies that have parameters with default values. The policies are sorted by service for improved readability. Consider the snippet below from the Key Vault section:

# ---------------------------------------------------------------------------------------------------------------------
# Key Vault
# ---------------------------------------------------------------------------------------------------------------------
Key Vault:
  "Resource logs in Key Vault should be enabled":
    effect: AuditIfNotExists  # Allowed: ["AuditIfNotExists", "Disabled"]
    requiredRetentionDays: 365

  "[Preview]: Certificates should be issued by the specified integrated certificate authority":
    allowedCAs:
        - DigiCert
        - GlobalSign # Allowed: ["DigiCert", "GlobalSign"]
    effect: audit  # Allowed: ["audit", "deny", "disabled"]

  "[Preview]: Certificates should have the specified maximum validity period":
    maximumValidityInMonths: 12
    effect: audit  # Allowed: ["audit", "deny", "disabled"]

Notice how some parameters only allow specific values. For example, the policy named "Certificates should be issued by the specified integrated certificate authority" has a parameter called allowedCAs. However, you can't just provide any value to that parameter - it has to be one of two allowed values. cloud-guardrails simplifies this process by including the allowed values in the comments - # Allowed: ["DigiCert", "GlobalSign"].

  • Now let's generate Terraform using this parameters file. Run the following command:
cloud-guardrails generate-terraform --params-optional \
    -s "Key Vault" \
    --subscription example \
    -p parameters-optional.yml
  • Observe that the output will include the parameters that you supplied in your config file:
Click to expand!

locals {
  name_example_PO_Audit = "example_PO_Audit"
  subscription_name_example_PO_Audit = "example"
  management_group_example_PO_Audit = ""
  category_example_PO_Audit = "Testing"
  enforcement_mode_example_PO_Audit = false
  policy_ids_example_PO_Audit = [
    # -----------------------------------------------------------------------------------------------------------------
    # Key Vault
    # -----------------------------------------------------------------------------------------------------------------
    "a2a5b911-5617-447e-a49e-59dbe0e0434b", # Resource logs in Azure Key Vault Managed HSM should be enabled
    "cf820ca0-f99e-4f3e-84fb-66e913812d21", # Resource logs in Key Vault should be enabled
    "8e826246-c976-48f6-b03e-619bb92b3d82", # Certificates should be issued by the specified integrated certificate authority
    "0a075868-4c26-42ef-914c-5bc007359560", # Certificates should have the specified maximum validity period
    "1151cede-290b-4ba0-8b38-0ad145ac888f", # Certificates should use allowed key types
    "bd78111f-4953-4367-9fd5-7e08808b54bf", # Certificates using elliptic curve cryptography should have allowed curve names
    "75c4f823-d65c-4f29-a733-01d0077fdbcb", # Keys should be the specified cryptographic type RSA or EC
    "ff25f3c8-b739-4538-9d07-3d6d25cfb255", # Keys using elliptic curve cryptography should have the specified curve names

  ]
  policy_definition_map = {
    "Resource logs in Azure Key Vault Managed HSM should be enabled" = "/providers/Microsoft.Authorization/policyDefinitions/a2a5b911-5617-447e-a49e-59dbe0e0434b",
    "Resource logs in Key Vault should be enabled" = "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21",
    "Certificates should be issued by the specified integrated certificate authority" = "/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82",
    "Certificates should have the specified maximum validity period" = "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560",
    "Certificates should use allowed key types" = "/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f",
    "Certificates using elliptic curve cryptography should have allowed curve names" = "/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf",
    "Keys should be the specified cryptographic type RSA or EC" = "/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb",
    "Keys using elliptic curve cryptography should have the specified curve names" = "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255",
    }
}

# ---------------------------------------------------------------------------------------------------------------------
# Conditional data lookups: If the user supplies management group, look up the ID of the management group
# ---------------------------------------------------------------------------------------------------------------------
data "azurerm_management_group" "example_PO_Audit" {
  count = local.management_group_example_PO_Audit != "" ? 1 : 0
  display_name  = local.management_group_example_PO_Audit
}

### If the user supplies subscription, look up the ID of the subscription
data "azurerm_subscriptions" "example_PO_Audit" {
  count                 = local.subscription_name_example_PO_Audit != "" ? 1 : 0
  display_name_contains = local.subscription_name_example_PO_Audit
}

locals {
  scope = local.management_group_example_PO_Audit != "" ? data.azurerm_management_group.example_PO_Audit[0].id : element(data.azurerm_subscriptions.example_PO_Audit[0].subscriptions.*.id, 0)
}

# ---------------------------------------------------------------------------------------------------------------------
# Azure Policy Definition Lookups
# ---------------------------------------------------------------------------------------------------------------------

data "azurerm_policy_definition" "example_PO_Audit_definition_lookups" {
  count = length(local.policy_ids_example_PO_Audit)
  name  = local.policy_ids_example_PO_Audit[count.index]
}

# ---------------------------------------------------------------------------------------------------------------------
# Azure Policy Initiative Definition
# ---------------------------------------------------------------------------------------------------------------------

resource "azurerm_policy_set_definition" "example_PO_Audit" {
  name                  = local.name_example_PO_Audit
  policy_type           = "Custom"
  display_name          = local.name_example_PO_Audit
  description           = local.name_example_PO_Audit
  management_group_name = local.management_group_example_PO_Audit == "" ? null : local.management_group_example_PO_Audit
  metadata = tostring(jsonencode({
    category = local.category_example_PO_Audit
  }))
  policy_definition_reference {
    policy_definition_id = lookup(local.policy_definition_map, "Resource logs in Azure Key Vault Managed HSM should be enabled")
    parameter_values = jsonencode({
        effect = { "value" : "AuditIfNotExists" }
        requiredRetentionDays = { "value" : "365" }
    })
    reference_id = null
  }

  policy_definition_reference {
    policy_definition_id = lookup(local.policy_definition_map, "Resource logs in Key Vault should be enabled")
    parameter_values = jsonencode({
        effect = { "value" : "AuditIfNotExists" }
        requiredRetentionDays = { "value" : "365" }
    })
    reference_id = null
  }

  policy_definition_reference {
    policy_definition_id = lookup(local.policy_definition_map, "Certificates should be issued by the specified integrated certificate authority")
    parameter_values = jsonencode({
        allowedCAs = { "value" : ["DigiCert", "GlobalSign"] }
        effect = { "value" : "audit" }
    })
    reference_id = null
  }

  policy_definition_reference {
    policy_definition_id = lookup(local.policy_definition_map, "Certificates should have the specified maximum validity period")
    parameter_values = jsonencode({
        maximumValidityInMonths = { "value" : 12 }
        effect = { "value" : "audit" }
    })
    reference_id = null
  }

  policy_definition_reference {
    policy_definition_id = lookup(local.policy_definition_map, "Certificates should use allowed key types")
    parameter_values = jsonencode({
        allowedKeyTypes = { "value" : ["RSA", "RSA-HSM"] }
        effect = { "value" : "audit" }
    })
    reference_id = null
  }

  policy_definition_reference {
    policy_definition_id = lookup(local.policy_definition_map, "Certificates using elliptic curve cryptography should have allowed curve names")
    parameter_values = jsonencode({
        allowedECNames = { "value" : ["P-256", "P-256K", "P-384", "P-521"] }
        effect = { "value" : "audit" }
    })
    reference_id = null
  }

  policy_definition_reference {
    policy_definition_id = lookup(local.policy_definition_map, "Keys should be the specified cryptographic type RSA or EC")
    parameter_values = jsonencode({
        allowedKeyTypes = { "value" : ["RSA", "RSA-HSM", "EC", "EC-HSM"] }
        effect = { "value" : "Audit" }
    })
    reference_id = null
  }

  policy_definition_reference {
    policy_definition_id = lookup(local.policy_definition_map, "Keys using elliptic curve cryptography should have the specified curve names")
    parameter_values = jsonencode({
        allowedECNames = { "value" : ["P-256", "P-256K", "P-384", "P-521"] }
        effect = { "value" : "Audit" }
    })
    reference_id = null
  }
}

# ---------------------------------------------------------------------------------------------------------------------
# Azure Policy Assignments
# Apply the Policy Initiative to the specified scope
# ---------------------------------------------------------------------------------------------------------------------
resource "azurerm_policy_assignment" "example_PO_Audit" {
  name                 = local.name_example_PO_Audit
  policy_definition_id = azurerm_policy_set_definition.example_PO_Audit.id
  scope                = local.scope
  enforcement_mode     = local.enforcement_mode_example_PO_Audit
}


# ---------------------------------------------------------------------------------------------------------------------
# Outputs
# ---------------------------------------------------------------------------------------------------------------------
output "example_PO_Audit_policy_assignment_ids" {
  value       = azurerm_policy_assignment.example_PO_Audit.id
  description = "The IDs of the Policy Assignments."
}

output "example_PO_Audit_scope" {
  value       = local.scope
  description = "The target scope - either the management group or subscription, depending on which parameters were supplied"
}

output "example_PO_Audit_policy_set_definition_id" {
  value       = azurerm_policy_set_definition.example_PO_Audit.id
  description = "The ID of the Policy Set Definition."
}

Tutorial: Selecting Policies using the Config File

Let's say that you want more granular control over which policies to apply. You can create a config file to manage this.

To create the config file, run the following command:

# Create Config file
cloud-guardrails create-config-file --output config.yml

This generates a file called config.yml with the following contents:

Click to expand!

####
# match_only_keywords: Use this to only apply policies that match any of these keywords
# exclude_keywords: Use this to skip policies that have any of these keywords in the display name
# exclude_services: Specify services that you want to exclude entirely.
# exclude_policies: Specify Azure Policy Definition displayNames that you want to exclude from the results, sorted by service
####

# Use this to only apply policies that match any of these keywords
# Example: "encrypt", "SQL", "HTTP"
match_only_keywords:
  - ""


exclude_keywords:
  - ""
  - "virtual network service endpoint"
  #- "private link"


# Specify services that you want to exclude entirely.
# Uncomment the services mentioned below if you want to exclude them.
exclude_services:
  - ""
  - "Guest Configuration"

  #- "API Management"
  #- "API for FHIR"
  #- "App Configuration"
  #- "App Platform"
  #- "App Service"
  #- "Attestation"
  #- "Automanage"
  #- "Automation"
  #- "Azure Active Directory"
  #- "Azure Data Explorer"
  #- "Azure Stack Edge"
  #- "Backup"
  #- "Batch"
  #- "Bot Service"
  #- "Cache"
  #- "Cognitive Services"
  #- "Compute"
  #- "Container Instance"
  #- "Container Registry"
  #- "Cosmos DB"
  #- "Custom Provider"
  #- "Data Box"
  #- "Data Factory"
  #- "Data Lake"
  #- "Event Grid"
  #- "Event Hub"
  #- "General"
  #- "HDInsight"
  #- "Internet of Things"
  #- "Key Vault"
  #- "Kubernetes"
  #- "Kubernetes service"
  #- "Lighthouse"
  #- "Logic Apps"
  #- "Machine Learning"
  #- "Managed Application"
  #- "Media Services"
  #- "Migrate"
  #- "Monitoring"
  #- "Network"
  #- "Portal"
  #- "SQL"
  #- "Search"
  #- "Security Center"
  #- "Service Bus"
  #- "Service Fabric"
  #- "SignalR"
  #- "Site Recovery"
  #- "Storage"
  #- "Stream Analytics"
  #- "Synapse"
  #- "Tags"
  #- "VM Image Builder"
  #- "Web PubSub"


# Specify Azure Policy Definition displayNames that you want to exclude from the results
exclude_policies:
  General:
    - "Allow resource creation only in Asia data centers"
    - "Allow resource creation only in European data centers"
    - "Allow resource creation only in India data centers"
    - "Allow resource creation only in United States data centers"
  Tags:
    - "Allow resource creation if 'department' tag set"
    - "Allow resource creation if 'environment' tag value in allowed values"
  API Management:
    # This collides with the same one from App Platform
    - "API Management services should use a virtual network"
  App Platform:
    # This collides with the same one from API Management
    - "Azure Spring Cloud should use network injection"
  Guest Configuration:
    # This outputs a parameter called "Cert:" that breaks the parameter yaml format
    - "Audit Windows machines that contain certificates expiring within the specified number of days"
  Network:
    # This one is overly cumbersome for most organizations
    - "Network interfaces should not have public IPs"



  API for FHIR:
    - ""

  App Configuration:
    - ""

  App Service:
    - ""

  Attestation:
    - ""

  Automanage:
    - ""

  Automation:
    - ""

  Azure Active Directory:
    - ""

  Azure Data Explorer:
    - ""

  Azure Stack Edge:
    - ""

  Backup:
    - ""

  Batch:
    - ""

  Bot Service:
    - ""

  Cache:
    - ""

  Cognitive Services:
    - ""

  Compute:
    - ""

  Container Instance:
    - ""

  Container Registry:
    - ""

  Cosmos DB:
    - ""

  Custom Provider:
    - ""

  Data Box:
    - ""

  Data Factory:
    - ""

  Data Lake:
    - ""

  Event Grid:
    - ""

  Event Hub:
    - ""

  HDInsight:
    - ""

  Internet of Things:
    - ""

  Key Vault:
    - ""

  Kubernetes:
    - ""

  Kubernetes service:
    - ""

  Lighthouse:
    - ""

  Logic Apps:
    - ""

  Machine Learning:
    - ""

  Managed Application:
    - ""

  Media Services:
    - ""

  Migrate:
    - ""

  Monitoring:
    - ""

  Portal:
    - ""

  SQL:
    - ""

  Search:
    - ""

  Security Center:
    - ""

  Service Bus:
    - ""

  Service Fabric:
    - ""

  SignalR:
    - ""

  Site Recovery:
    - ""

  Storage:
    - ""

  Stream Analytics:
    - ""

  Synapse:
    - ""

  VM Image Builder:
    - ""

  Web PubSub:
    - ""

It has a few different sections, which we cover below.

Matching Keywords

If you want to select policies based on the keywords of the policy name, you can insert those keywords in the match_only_keywords list in the config.yml file. For example, let's say you only want to apply the SQL-related policies:

match_only_keywords:
  - "SQL"

Don't know the names of the policies? If you want to show the names of all the policies, you can use the list-policies command to list all of them. You can also filter the results based on which service or whether parameters are required, optional, or not required:

cloud-guardrails list-policies --service "Kubernetes" --all-policies
cloud-guardrails list-policies --service "Kubernetes" --no-params
cloud-guardrails list-policies --service "Kubernetes" --audit-only

Excluding Policies based on Keywords

Let's say that you don't want to apply any of the policies that mention Private Link or Virtual Network Service Endpoints. You can insert those keywords in the exclude_keywords list to skip policies that have any of these keywords in the display name:

exclude_keywords:
  - "virtual network service endpoint"
  - "private link"

Don't know the names of the policies? If you want to show the names of all the policies, you can use the list-policies command to list all of them. You can also filter the results based on which service or whether parameters are required/optional/not required:

cloud-guardrails list-policies --service "Kubernetes" --all-policies
cloud-guardrails list-policies --service "Kubernetes" --no-params
cloud-guardrails list-policies --service "Kubernetes" --audit-only

Excluding specific policies

If you want to exclude specific policies entirely, you can specify the display names for those policies that you want to exclude using the exclude_policies list, like below:

exclude_policies:
  General:
    - "Allow resource creation only in Asia data centers"
    - "Allow resource creation only in European data centers"
    - "Allow resource creation only in India data centers"
    - "Allow resource creation only in United States data centers"

Don't know the names of the policies? If you don't know the names of the services to include, you can use the list-policies command to list all the services supported by Azure built-in Policies:

cloud-guardrails list-policies --service "Kubernetes" --all-policies
cloud-guardrails list-policies --service "Kubernetes" --no-params
cloud-guardrails list-policies --service "Kubernetes" --audit-only

Policy Characteristics and Support Statuses

Characteristic Support Description

Parameters

Policies with No Parameters These policies do not require any parameters. These are the easiest policies to apply.
Policies with Optional Parameters These policies allow the use of parameters, but the parameters have default values. These are easy to apply at first, but you will likely want to adjust the parameters throughout the lifecycle.
Policies with Required Parameters These policies require parameters which do not have default values. While rollout is significantly less time consuming than the Azure recommended workflow, finding the best values for your environment requires careful thinking.

Effects

Policies with "Deny" Effects
These Policies block bad actions, acting as true guardrails.
Policies with "Audit" Effects These Policies do not actually prevent bad actions, even if “enforcement mode” is set to True - they just flag the bad actions.
Policies with "Deploy" Effects Some Azure Policies have DeployIfNotExists effects, which create resources via an ARM Template when the condition is met. For example, the policy "Deploy network watcher when virtual networks are created" will create a resource group called networkWatcherRG.
Policies with "Modify" Effects Some Azure Policies have Policy Effects that allow the modification of resources, such as the "Modify" or "Append" effects.

Built-in vs. Custom

Built-in Policies Microsoft provides 400+ built-in policy definitions. cloud-guardrails leverages these Built-in Policy definitions so you can get rapidly started and maximize your coverage.
Custom Policies cloud-guardrails does not support creation of Custom Policies. Consider leveraging Custom Policies after you have built out your process and workflow using cloud-guardrails.

Contributing

Setup

  • Set up the virtual environment
# Set up the virtual environment
python3 -m venv ./venv && source venv/bin/activate
pip3 install -r requirements.txt
  • Build the package
# To build only
make build

# To build and install
make install

# To run tests
make test

# To clean local dev environment
make clean

Other tasks

  • Update with the latest Azure Compliance data
make update-data
  • Update the policy summary tables
make update-policy-table
  • Update the Azure Policy Git submodule and merge it
# Without merge
make update-submodule

# With merge
make update-submodule-with-merge

Authors and Contributors

References

More Repositories

1

LAVIS

LAVIS - A One-stop Library for Language-Vision Intelligence
Jupyter Notebook
9,587
star
2

CodeGen

CodeGen is a family of open-source model for program synthesis. Trained on TPU-v4. Competitive with OpenAI Codex.
Python
4,594
star
3

BLIP

PyTorch code for BLIP: Bootstrapping Language-Image Pre-training for Unified Vision-Language Understanding and Generation
Jupyter Notebook
3,879
star
4

akita

🚀 State Management Tailored-Made for JS Applications
TypeScript
3,442
star
5

Merlion

Merlion: A Machine Learning Framework for Time Series Intelligence
Python
3,355
star
6

ja3

JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way.
Python
2,666
star
7

CodeT5

Home of CodeT5: Open Code LLMs for Code Understanding and Generation
Python
2,437
star
8

decaNLP

The Natural Language Decathlon: A Multitask Challenge for NLP
Python
2,301
star
9

TransmogrifAI

TransmogrifAI (pronounced trăns-mŏgˈrə-fī) is an AutoML library for building modular, reusable, strongly typed machine learning workflows on Apache Spark with minimal hand-tuning
Scala
2,234
star
10

policy_sentry

IAM Least Privilege Policy Generator
Python
1,986
star
11

cloudsplaining

Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
JavaScript
1,972
star
12

awd-lstm-lm

LSTM and QRNN Language Model Toolkit for PyTorch
Python
1,900
star
13

ctrl

Conditional Transformer Language Model for Controllable Generation
Python
1,766
star
14

lwc

⚡️ LWC - A Blazing Fast, Enterprise-Grade Web Components Foundation
JavaScript
1,619
star
15

WikiSQL

A large annotated semantic parsing corpus for developing natural language interfaces.
HTML
1,606
star
16

sloop

Kubernetes History Visualization
Go
1,457
star
17

CodeTF

CodeTF: One-stop Transformer Library for State-of-the-art Code LLM
Python
1,375
star
18

ALBEF

Code for ALBEF: a new vision-language pre-training method
Python
1,276
star
19

pytorch-qrnn

PyTorch implementation of the Quasi-Recurrent Neural Network - up to 16 times faster than NVIDIA's cuDNN LSTM
Python
1,255
star
20

ai-economist

Foundation is a flexible, modular, and composable framework to model socio-economic behaviors and dynamics with both agents and governments. This framework can be used in conjunction with reinforcement learning to learn optimal economic policies, as done by the AI Economist (https://www.einstein.ai/the-ai-economist).
Python
964
star
21

design-system-react

Salesforce Lightning Design System for React
JavaScript
919
star
22

jarm

Python
914
star
23

tough-cookie

RFC6265 Cookies and CookieJar for Node.js
TypeScript
858
star
24

OmniXAI

OmniXAI: A Library for eXplainable AI
Jupyter Notebook
853
star
25

reactive-grpc

Reactive stubs for gRPC
Java
826
star
26

xgen

Salesforce open-source LLMs with 8k sequence length.
Python
717
star
27

UniControl

Unified Controllable Visual Generation Model
Python
614
star
28

vulnreport

Open-source pentesting management and automation platform by Salesforce Product Security
HTML
593
star
29

hassh

HASSH is a network fingerprinting standard which can be used to identify specific Client and Server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of a small MD5 fingerprint.
Python
529
star
30

progen

Official release of the ProGen models
Python
518
star
31

base-components-recipes

A collection of base component recipes for Lightning Web Components on Salesforce Platform
JavaScript
509
star
32

Argus

Time series monitoring and alerting platform.
Java
501
star
33

CodeRL

This is the official code for the paper CodeRL: Mastering Code Generation through Pretrained Models and Deep Reinforcement Learning (NeurIPS22).
Python
488
star
34

matchbox

Write PyTorch code at the level of individual examples, then run it efficiently on minibatches.
Python
488
star
35

PCL

PyTorch code for "Prototypical Contrastive Learning of Unsupervised Representations"
Python
483
star
36

DialogStudio

DialogStudio: Towards Richest and Most Diverse Unified Dataset Collection and Instruction-Aware Models for Conversational AI
Python
472
star
37

cove

Python
470
star
38

warp-drive

Extremely Fast End-to-End Deep Multi-Agent Reinforcement Learning Framework on a GPU (JMLR 2022)
Python
452
star
39

PyRCA

PyRCA: A Python Machine Learning Library for Root Cause Analysis
Python
408
star
40

observable-membrane

A Javascript Membrane implementation using Proxies to observe mutation on an object graph
TypeScript
368
star
41

DeepTime

PyTorch code for Learning Deep Time-index Models for Time Series Forecasting (ICML 2023)
Python
351
star
42

ULIP

Python
316
star
43

MultiHopKG

Multi-hop knowledge graph reasoning learned via policy gradient with reward shaping and action dropout
Jupyter Notebook
300
star
44

logai

LogAI - An open-source library for log analytics and intelligence
Python
298
star
45

CodeGen2

CodeGen2 models for program synthesis
Python
272
star
46

provis

Official code repository of "BERTology Meets Biology: Interpreting Attention in Protein Language Models."
Python
269
star
47

causalai

Salesforce CausalAI Library: A Fast and Scalable framework for Causal Analysis of Time Series and Tabular Data
Jupyter Notebook
256
star
48

jaxformer

Minimal library to train LLMs on TPU in JAX with pjit().
Python
255
star
49

EDICT

Jupyter Notebook
247
star
50

rules_spring

Bazel rule for building Spring Boot apps as a deployable jar
Starlark
224
star
51

ETSformer

PyTorch code for ETSformer: Exponential Smoothing Transformers for Time-series Forecasting
Python
221
star
52

TabularSemanticParsing

Translating natural language questions to a structured query language
Jupyter Notebook
220
star
53

themify

👨‍🎨 CSS Themes Made Easy. A robust, opinionated solution to manage themes in your web application
TypeScript
216
star
54

simpletod

Official repository for "SimpleTOD: A Simple Language Model for Task-Oriented Dialogue"
Python
212
star
55

grpc-java-contrib

Useful extensions for the grpc-java library
Java
208
star
56

GeDi

GeDi: Generative Discriminator Guided Sequence Generation
Python
207
star
57

aws-allowlister

Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.
Python
207
star
58

generic-sidecar-injector

A generic framework for injecting sidecars and related configuration in Kubernetes using Mutating Webhook Admission Controllers
Go
203
star
59

mirus

Mirus is a cross data-center data replication tool for Apache Kafka
Java
201
star
60

CoST

PyTorch code for CoST: Contrastive Learning of Disentangled Seasonal-Trend Representations for Time Series Forecasting (ICLR 2022)
Python
196
star
61

factCC

Resources for the "Evaluating the Factual Consistency of Abstractive Text Summarization" paper
Python
192
star
62

runway-browser

Interactive visualization framework for Runway models of distributed systems
JavaScript
188
star
63

glad

Global-Locally Self-Attentive Dialogue State Tracker
Python
186
star
64

ALPRO

Align and Prompt: Video-and-Language Pre-training with Entity Prompts
Python
177
star
65

densecap

Jupyter Notebook
176
star
66

kafka-junit

This library wraps Kafka's embedded test cluster, allowing you to more easily create and run integration tests using JUnit against a "real" kafka server running within the context of your tests. No need to stand up an external kafka cluster!
Java
167
star
67

booksum

Python
167
star
68

sfdx-lwc-jest

Run Jest against LWC components in SFDX workspace environment
JavaScript
162
star
69

hierarchicalContrastiveLearning

Python
149
star
70

ctrl-sum

Resources for the "CTRLsum: Towards Generic Controllable Text Summarization" paper
Python
146
star
71

cos-e

Commonsense Explanations Dataset and Code
Python
144
star
72

secure-filters

Anti-XSS Security Filters for EJS and More
JavaScript
138
star
73

metabadger

Prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2).
Python
129
star
74

dockerfile-image-update

A tool that helps you get security patches for Docker images into production as quickly as possible without breaking things
Java
127
star
75

Converse

Python
125
star
76

refocus

The Go-To Platform for Visualizing Service Health
JavaScript
125
star
77

CoMatch

Code for CoMatch: Semi-supervised Learning with Contrastive Graph Regularization
Python
117
star
78

BOLAA

Python
114
star
79

fsnet

Python
111
star
80

rng-kbqa

Python
110
star
81

near-membrane

JavaScript Near Membrane Library that powers Lightning Locker Service
TypeScript
110
star
82

botsim

BotSIM - a data-efficient end-to-end Bot SIMulation toolkit for evaluation, diagnosis, and improvement of commercial chatbots
Jupyter Notebook
108
star
83

bazel-eclipse

This repo holds two IDE projects. One is the Eclipse Feature for developing Bazel projects in Eclipse. The Bazel Eclipse Feature supports importing, building, and testing Java projects that are built using the Bazel build system. The other is the Bazel Java Language Server, which is a build integration for IDEs such as VS Code.
Java
108
star
84

MUST

PyTorch code for MUST
Python
103
star
85

bro-sysmon

How to Zeek Sysmon Logs!
Zeek
100
star
86

Timbermill

A better logging service
Java
99
star
87

AuditNLG

AuditNLG: Auditing Generative AI Language Modeling for Trustworthiness
Python
97
star
88

eslint-plugin-lwc

Official ESLint rules for LWC
JavaScript
96
star
89

best

🏆 Delightful Benchmarking & Performance Testing
TypeScript
95
star
90

craft

CRAFT removes the language barrier to create Kubernetes Operators.
Go
93
star
91

eslint-config-lwc

Opinionated ESLint configurations for LWC projects
JavaScript
93
star
92

online_conformal

Methods for online conformal prediction.
Jupyter Notebook
90
star
93

lobster-pot

Scans every git push to your Github organisations to find unwanted secrets.
Go
88
star
94

ml4ir

Machine Learning for Information Retrieval
Jupyter Notebook
85
star
95

violet-conversations

Sophisticated Conversational Applications/Bots
JavaScript
84
star
96

apex-mockery

Lightweight mocking library in Apex
Apex
83
star
97

fast-influence-functions

Python
83
star
98

MoPro

MoPro: Webly Supervised Learning
Python
79
star
99

TaiChi

Open source library for few shot NLP
Python
79
star
100

helm-starter-istio

An Istio starter template for Helm
Shell
78
star