Skip to main content

azure_security_center_policy resource

Use the azure_security_center_policy InSpec audit resource to test the properties and configuration of an Azure security policy.

Azure REST API version, endpoint, and HTTP client parameters

This resource interacts with API versions supported by the resource provider. You can specify the api_version as a resource parameter to use a specific version of the Azure REST API. If you don’t specify an API version, this resource uses the latest version available. For more information about API versioning, see the azure_generic_resource.

By default, this resource uses the azure_cloud global endpoint and default HTTP client settings. You can override these settings if you need to connect to a different Azure environment (such as Azure Government or Azure China). For more information about configuration options, see the resource pack README.

Syntax

An azure_security_center_policy resource block will lookup the default policy unless resource_group and name, or the resource_id parameter is given.

# The default security policy will be interrogated.

describe azure_security_center_policy do
  its('name') { should cmp 'default' }
end

describe azure_security_center_policy(resource_group: 'RESOURCE_GROUP', name: 'POLICY_NAME') do
  it { should exist }
end

describe azure_security_center_policy(resource_id: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/microsoft.Security/policies/{policy-name}') do
  it { should exist }
end

Parameters

resource_group
Azure resource group where the targeted resource resides.
name
Name of the security policy to test.
resource_id
The unique resource ID. /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/microsoft.Security/policies/{policy-name}.
default_policy_api_version<superscript>*</superscript>
The endpoint API version for the default_policy property. The latest version will be used unless provided.
auto_provisioning_settings_api_version<superscript>*</superscript>
The endpoint API version for the auto_provisioning_settings property. The latest version will be used unless provided.

* It will be ignored unless the default policy is tested.

Either one of the parameter sets can be provided for a valid query:

  • resource_id
  • resource_group and name
  • name: 'default': This is for backward compatibility. It is advised not to pass any parameters if the default security policy is tested.

Properties

log_collection
Indicates if the log collection is enabled (On, Off).
pricing_tier
Cost/Feature Model under which the subscription is operating.
patch
Indicates if patch scanner notifications are enabled (On, Off).
baseline
Indicates if baseline scanner notifications are enabled (On, Off).
anti_malware
Indicates if anti-malware protection task notifications are enabled (On, Off).
network_security_groups
Indicates if network security group recommendations are enabled are enabled (On, Off).
web_application_firewall
Indicates if WAF protection task notifications are enabled (On, Off).
vulnerability_assessment
Indicates if vulnerability assessment recommendations are enabled (On, Off).
storage_encryption
Indicates if storage encryption recommendations are enabled (On, Off).
just_in_time_network_access
Indicates if just in time network access recommendations are enabled (On, Off).
app_whitelisting
Indicates if app whitelisting recommendations are enabled (On, Off).
sql_auditing
Indicates if sql auditing recommendations are enabled (On, Off).
sql_transparent_data_encryption
Indicates if sql transparent data encryption recommendations are enabled (On, Off).
notifications_enabled
Indicates if security alerts are emailed to the security contact (true, false).
send_security_email_to_admin
Indicates if the subscription admin will receive security alerts (true, false).
contact_emails
Contains a list of security email addresses.
contact_phone
Contains the security contact phone number.
default_policy<superscript>*</superscript>
This is the default set of policies monitored by Azure security center.
auto_provisioning_settings<superscript>*</superscript>
This is the default auto provisioning setting for the subscription.

*Only applicable to the default security policy.

For properties applicable to all resources, such as type, name, id, and properties, refer to azure_generic_resource.

You can access any attribute in the response with the key names separated by dots (.). For example, properties.<attribute>.

Examples

Test if log collection is enabled:

describe azure_security_center_policy(resource_group: 'my-rg', name: 'my_policy') do
  its('log_collection') { should cmp 'On' }
end

Test If Notifications are Enabled:

describe azure_security_center_policy(resource_group: 'RESOURCE_GROUP', name: 'POLICY_NAME') do
  its('notifications_enabled') { should be true }
end

See integration tests for more examples.

Matchers

For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.

have_auto_provisioning_enabled

Test if auto provisioning is enabled. This can be used via the default security policy only.

describe azure_security_center_policy do
  it { should have_auto_provisioning_enabled }
end

exists

# If we expect a resource to always exist.

describe azure_security_center_policy(resource_group: 'RESOURCE_GROUP', name: 'POLICY_NAME') do
  it { should exist }
end

not_exists

# If we expect a resource to never exist.

describe azure_security_center_policy(resource_group: 'RESOURCE_GROUP', name: 'POLICY_NAME') do
  it { should_not exist }
end

Azure permissions

Your Service Principal must be set up with at least a contributor role on the subscription you wish to test.

Thank you for your feedback!

×