azure - All network ports should be restricted on network security groups that carry the dev tag

Tags azure azure-policy azure-nsg network-security-groups

I am creating a custom policy based on my requirements. I want to define a policy where "all network ports should be restricted on network security groups that have only the dev tag".

Error: Failed to parse policy rule: 'Could not find member 'exits' on object of type 'LeafExpressionDefinition'. Path 'exits'.'

There are two built-in policies in the Azure Policy definitions:

  1. All network ports should be restricted on network security groups associated to your virtual machine. Link: https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2f9daedab3-fb2d-461e-b861-71790eead4f6

  2. Require a tag on resource groups. Link: https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F871b6d14-10aa-478d-b590-94f262ecfa99

I merged them and updated them for my requirements. You can check the custom policy I created; I think everything should be fine.

{
"properties": {
  "displayName": "All network ports should be restricted on network security groups associated to your virtual machine",
  "policyType":"Indexed",
  "mode": "All",
  "description": "Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources.",
  "metadata": {
    "version": "3.0.0",
    "category": "Security Center"
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "AuditIfNotExists",
        "Disabled"
      ],
      "defaultValue": "AuditIfNotExists"
    },
    "tagName": {
      "type": "String",
      "metadata": {
        "displayName": "dev",
        "description": "Name of the tag, such as 'develpment'"
      }
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "Microsoft.Network/networkInterfaces/networkSecurityGroup.id",
          "exits": "true"
        },
        {
          "field": "[concat('tags[', parameters('dev'), ']')]",
          "Equals": "[parameters('tagValue')]"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Security/assessments",
        "name": "3b20e985-f71f-483b-b078-f30d73936d43",
        "existenceCondition": {
          "field": "Microsoft.Security/assessments/status.code",
          "in": [
            "NotApplicable",
            "Healthy"
          ]
        }
      }
    }
  }
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "9daedab3-fb2d-461e-b861-71790eead4f6"
}

@syedasadrazadevops

Best answer

  1. You seem to have a typo in "exists" -- "exits" --> "exists"
  2. I don't think you can create a custom policy based on the built-in Security Center policies that depend on assessment codes ("field": "Microsoft.Security/assessments/status.code"). These are implemented through internal APIs, so they cannot be copied for customization.
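An added example, not part of the question or the answer above, of the route the answer leaves open: rather than referencing the Security Center assessment, evaluate the NSG's own inbound rules directly. This custom definition audits any network security group carrying the given tag that has at least one inbound Allow rule whose source is Any or Internet; the tag name and value defaults, the Audit effect, and the set of source prefixes treated as "open" are assumptions, and `sourceAddressPrefixes[*]` (the plural form) is not covered here.

```json
{
  "properties": {
    "displayName": "Audit tagged NSGs with inbound rules open to Any or Internet",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "tagName": { "type": "String", "defaultValue": "environment" },
      "tagValue": { "type": "String", "defaultValue": "dev" }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups" },
          { "field": "[concat('tags[', parameters('tagName'), ']')]", "equals": "[parameters('tagValue')]" },
          {
            "count": {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
              "where": {
                "allOf": [
                  { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access", "equals": "Allow" },
                  { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction", "equals": "Inbound" },
                  { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", "in": [ "*", "Internet", "0.0.0.0/0" ] }
                ]
              }
            },
            "greater": 0
          }
        ]
      },
      "then": { "effect": "Audit" }
    }
  }
}
```

Assign it with `Audit` first and review the compliance results before switching the effect to `Deny`, since a Deny on NSG writes blocks every update to a non-compliant group, not only the offending rule.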

Regarding "azure - All network ports should be restricted on network security groups that carry the dev tag", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/68213246/
