Skip to content

Analyzing resources#

The current state of Azure resources can be tested with PSRule for Azure, referred to as in-flight analysis. This is a two step process that works in high security environments with separation of roles.

Abstract

This topics covers how you can test the state of deployed Azure resources that have been exported.

Important

This step requires that you have already exported the state of deployed Azure resources. Before continuing, complete Exporting rule data for the resources that will be tested.

Analyzing exported state#

The state of resources can be analyzed for exported state by using the Invoke-PSRule PowerShell cmdlet.

For example:

Invoke-PSRule -InputPath 'out/' -Module 'PSRule.Rules.Azure';

To filter results to only failed rules, use Invoke-PSRule -Outcome Fail. Passed, failed and error results are shown by default.

For example:

# Only show failed results
Invoke-PSRule -InputPath 'out/' -Module 'PSRule.Rules.Azure' -Outcome Fail;

The output of this example is:

   TargetName: storage

RuleName                            Outcome    Recommendation
--------                            -------    --------------
Azure.Storage.UseReplication        Fail       Storage accounts not using GRS may be at risk
Azure.Storage.SecureTransferRequ... Fail       Storage accounts should only accept secure traffic
Azure.Storage.SoftDelete            Fail       Enable soft delete on Storage Accounts

A summary of results can be displayed by using Invoke-PSRule -As Summary.

For example:

# Display as summary results
Invoke-PSRule -InputPath 'out/' -Module 'PSRule.Rules.Azure' -As Summary;

The output of this example is:

RuleName                            Pass  Fail  Outcome
--------                            ----  ----  -------
Azure.ACR.MinSku                    0     1     Fail
Azure.AppService.PlanInstanceCount  0     1     Fail
Azure.AppService.UseHTTPS           0     2     Fail
Azure.Resource.UseTags              73    36    Fail
Azure.SQL.ThreatDetection           0     1     Fail
Azure.SQL.Auditing                  0     1     Fail
Azure.Storage.UseReplication        1     7     Fail
Azure.Storage.SecureTransferRequ... 2     6     Fail
Azure.Storage.SoftDelete            0     8     Fail

Ignoring rules#

To prevent a rule executing you can either:

  • Exclude — The rule is not executed for any resource.
  • Suppress — The rule is not executed for a specific resource by name.

To exclude a rule, set Rule.Exclude option within the ps-rule.yaml file.

Docs

rule:
  exclude:
  # Ignore the following rules for all resources
  - Azure.VM.UseHybridUseBenefit
  - Azure.VM.Standalone

To suppress a rule, set Suppression option within the ps-rule.yaml file.

Docs

suppression:
  Azure.AKS.AuthorizedIPs:
  # Exclude the following externally managed AKS clusters
  - aks-cluster-prod-eus-001
  Azure.Storage.SoftDelete:
  # Exclude the following non-production storage accounts
  - storagedeveus6jo36t
  - storagedeveus1df278

Tip

Use comments within ps-rule.yaml to describe the reason why rules are excluded or suppressed. Meaningful comments help during peer review within a Pull Request (PR). Also consider including a date if the exclusions or suppressions are temporary.

Advanced configuration#

Docs

PSRule for Azure comes with many configuration options. The setup section explains in detail how to configure each option.


Last update: 2022-01-26