Deny Azure Disk Encryption decryption/disable with Azure Policy

Tags: azure, azure-virtual-machine, azure-security, azure-policy, azure-disk

I am trying to create a deny policy that denies disk decryption (for disks encrypted with Azure Disk Encryption), but the deny does not take effect. I do see the disk reported as non-compliant, though.

The policy is as follows:

{
  "properties": {
    "displayName": "Prevent disk decryption on virtual machines",
    "policyType": "Custom",
    "mode": "All",
    "description": "VMs once encrypted, should not be allowed to be decrypted",
    "metadata": {
      "category": "Compute",
      "createdBy": "454393d8-e9f1-424d-8054-52d45c90cf6c",
      "createdOn": "2019-08-12T15:35:43.7697071Z",
      "updatedBy": "454393d8-e9f1-424d-8054-52d45c90cf6c",
      "updatedOn": "2019-08-12T18:41:36.6828893Z"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Deny",
          "Disabled",
          "Audit"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/disks"
              },
              {
                "field": "Microsoft.Compute/disks/encryptionSettingsCollection.enabled",
                "notequals": "true"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/disks"
              },
              {
                "field": "Microsoft.Compute/disks/encryptionSettings.enabled",
                "notequals": "true"
              }
            ]
          },
          {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.encryptionSettings.enabled",
                "notequals": "true"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ce6bfec6-c4db-46e0-a475-baf5b81063fc"
}

I believe this is what flags the disk as non-compliant, but the deny does not work. I can still run "az vm encryption disable". Are resource locks the way to go here? Are there any unexpected issues when using locks on VM OS and data disks?

Have you tried using the Microsoft.Compute/disks/encryption.type or Microsoft.Compute/disks/encryption aliases? In my existing resources, those are the only encryption-related aliases.


Welcome to SO! Could you edit your question to explain what method you are using to apply the policy?

I applied the policy as an initiative at the subscription level. Also, I want to add that the deny policy works when creating a new VM, but not when decrypting an existing VM.
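An added example, not code from the question or its comments: a small Python evaluator for the anyOf/allOf structure of the rule above, run against constructed disk request bodies. It assumes (not Azure's documented evaluation semantics) that an absent property compares as an empty string and that equals/notEquals are case-insensitive string matches; under that assumption the second anyOf branch also fires for a disk that carries only encryptionSettingsCollection, because that disk has no encryptionSettings property at all.

```python
# Minimal evaluator for the anyOf/allOf/field "if" block of the question's
# policy. Assumptions (not Azure's documented semantics): a missing property
# compares as "", and equals/notEquals are case-insensitive string matches.
DISK, VM = "Microsoft.Compute/disks", "Microsoft.Compute/virtualMachines"

# Aliases shortened to the JSON property path inside the request body.
RULE = {"anyOf": [
    {"allOf": [{"field": "type", "equals": DISK},
               {"field": "properties.encryptionSettingsCollection.enabled", "notequals": "true"}]},
    {"allOf": [{"field": "type", "equals": DISK},
               {"field": "properties.encryptionSettings.enabled", "notequals": "true"}]},
    {"allOf": [{"field": "type", "equals": VM},
               {"field": "properties.storageProfile.osDisk.encryptionSettings.enabled",
                "notequals": "true"}]},
]}

def get_field(resource, path):
    """Walk a dotted path; a property that is absent yields "" (assumption)."""
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return ""
        node = node[part]
    return node

def matches(resource, cond):
    """True when a condition node (anyOf / allOf / single field) is satisfied."""
    cond = {k.lower(): v for k, v in cond.items()}  # accept notEquals or notequals
    if "anyof" in cond:
        return any(matches(resource, c) for c in cond["anyof"])
    if "allof" in cond:
        return all(matches(resource, c) for c in cond["allof"])
    value = str(get_field(resource, cond["field"])).lower()
    if "equals" in cond:
        return value == str(cond["equals"]).lower()
    return value != str(cond["notequals"]).lower()

def effect_for(resource, rule=RULE, effect="Deny"):
    """Effect the rule would apply to this request body, or None if it passes."""
    return effect if matches(resource, rule) else None

# Constructed sample request bodies, not real Azure resources.
ENCRYPTED_DISK = {"type": DISK, "properties": {"encryptionSettingsCollection": {"enabled": True}}}
DECRYPTED_DISK = {"type": DISK, "properties": {"encryptionSettingsCollection": {"enabled": False}}}
NEW_PLAIN_DISK = {"type": DISK, "properties": {}}  # never encrypted at all

if __name__ == "__main__":
    for name, body in [("encrypted", ENCRYPTED_DISK), ("decrypted", DECRYPTED_DISK),
                       ("new plain", NEW_PLAIN_DISK)]:
        print(f"{name:10s} -> {effect_for(body)}")
```

Only a disk that sets both encryptionSettingsCollection.enabled and encryptionSettings.enabled to true passes every disk branch, which matches the comment above that the deny blocks new VM creation as well.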