@Sahith Thatipalli Welcome to Microsoft Q&A Forum, Thank you for posting your query here!
Adding more information to the above response!
The policy you have written looks correct for auditing any new or updated RBAC role definitions that grant permissions on Azure Storage Accounts. The policy checks if the type is "Microsoft.Authorization/roleDefinitions" and if any of the permissions have actions or dataActions that include "Microsoft.Storage/*". If the conditions are met, the policy will generate an audit alert.
However, if you want to specifically audit RBAC role assignments that grant blob data action permissions on a storage account, you will need to modify the policy rule to include the "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write" action in the dataActions field. Here is an example policy rule that you can use:
```json
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Authorization/roleAssignments"
      },
      {
        "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
        "like": "*<role-definition-id>*"
      },
      {
        "field": "Microsoft.Authorization/roleAssignments/scope",
        "like": "*<storage-account-id>*"
      },
      {
        "anyOf": [
          {
            "field": "Microsoft.Authorization/roleAssignments/permissions/actions",
            "like": "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
          },
          {
            "field": "Microsoft.Authorization/roleAssignments/permissions/dataActions",
            "like": "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "audit"
  }
}
```
Replace <role-definition-id> with the ID of the RBAC role definition that grants blob data action permissions, and <storage-account-id> with the ID of the storage account you want to audit. This policy rule will audit any RBAC role assignments that grant the "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write" action in the dataActions field on the specified storage account.
Additional information:
- Replaced the "like" operator with the "contains" operator: When checking if a permission action or data action contains "Microsoft.Storage/*", it's more accurate to use "contains" instead of "like". This ensures that the policy applies even if the action is part of a larger string.
- Adjusted the condition to use "anyOf": Since you want to audit if either permissions or data actions include "Microsoft.Storage/*", it's more appropriate to use "anyOf" instead of wrapping each condition in a separate "allOf" block.
With these adjustments, your Azure Policy should effectively audit RBAC role definitions for permissions related to Azure Storage Accounts. Make sure to assign the policy to the appropriate scope within your Azure environment and monitor the audit results accordingly.
Please let us know if you have any further queries. I'm happy to assist you further.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
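The answer above recommends "contains" over "like" and "anyOf" over nested "allOf" blocks. The script below is an added example, not part of the answer or of any Microsoft tooling: it is a deliberately small, simplified model of how Azure Policy evaluates "allOf" / "anyOf" / "field" conditions, run against constructed role-definition resources, so that the practical difference between the two operators can be checked before a policy is assigned. Assumptions to be aware of: the alias names (`Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]` and the matching `dataActions[*]` alias), the "any element matches" rule for `[*]` array fields, and the case handling are simplifications of the real alias engine and are not taken from the page. What the model does reproduce faithfully is that "like" treats a single `*` as a wildcard while "contains" is a literal substring test, so `"contains": "Microsoft.Storage/*"` only flags roles whose action string literally is the wildcard grant, whereas `"contains": "Microsoft.Storage/"` (no asterisk) flags every storage permission.

```python
import json

# Constructed sample resources (not real Azure data), shaped like the
# "Microsoft.Authorization/roleDefinitions" resources Azure Policy evaluates.
SAMPLE_RESOURCES = [
    {
        "name": "custom-blob-writer",
        "type": "Microsoft.Authorization/roleDefinitions",
        "properties": {"permissions": [{
            "actions": ["Microsoft.Storage/storageAccounts/read"],
            "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"],
        }]},
    },
    {
        "name": "custom-storage-admin",
        "type": "Microsoft.Authorization/roleDefinitions",
        "properties": {"permissions": [{"actions": ["Microsoft.Storage/*"], "dataActions": []}]},
    },
    {
        "name": "custom-network-reader",
        "type": "Microsoft.Authorization/roleDefinitions",
        "properties": {"permissions": [{"actions": ["Microsoft.Network/*/read"], "dataActions": []}]},
    },
    {   # Different resource type: the "type" condition must exclude it.
        "name": "some-role-assignment",
        "type": "Microsoft.Authorization/roleAssignments",
        "properties": {"roleDefinitionId": "/subscriptions/<placeholder>/roleDefinitions/<placeholder>"},
    },
]

# Assumed alias names (simplification; check the real alias list before use).
ACTIONS_ALIAS = "Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]"
DATA_ACTIONS_ALIAS = "Microsoft.Authorization/roleDefinitions/permissions[*].dataActions[*]"


def build_rule(operator, pattern):
    """Build the audit rule the answer describes, parameterised by operator."""
    return {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Authorization/roleDefinitions"},
            {"anyOf": [
                {"field": ACTIONS_ALIAS, operator: pattern},
                {"field": DATA_ACTIONS_ALIAS, operator: pattern},
            ]},
        ]},
        "then": {"effect": "audit"},
    }


def resolve_field(resource, field):
    """Return the list of values a 'field' expression points at.

    Simplified alias model: 'type' reads the resource type; an alias of the
    form '<resourceType>/<path>' is walked under resource['properties'],
    with '[*]' expanding every element of an array.
    """
    if field == "type":
        return [resource.get("type", "")]
    prefix = resource.get("type", "") + "/"
    if not field.startswith(prefix):
        return []  # alias belongs to another resource type: no value here
    values = [resource.get("properties", {})]
    for step in field[len(prefix):].split("."):
        expand = step.endswith("[*]")
        key = step[:-3] if expand else step
        nxt = []
        for v in values:
            if isinstance(v, dict) and key in v:
                child = v[key]
                nxt.extend(child if expand and isinstance(child, list) else [child])
        values = nxt
    return values


def like(value, pattern):
    """Azure Policy 'like': case-insensitive, a single '*' wildcard."""
    value, pattern = value.lower(), pattern.lower()
    head, star, tail = pattern.partition("*")
    if not star:
        return value == pattern
    return (value.startswith(head) and value.endswith(tail)
            and len(value) >= len(head) + len(tail))


OPERATORS = {
    "equals": lambda v, x: v.lower() == x.lower(),
    "like": like,
    "contains": lambda v, x: x in v,  # literal substring: '*' is NOT a wildcard here
}


def evaluate(condition, resource):
    """Evaluate one policy condition (allOf / anyOf / not / field op)."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    values = resolve_field(resource, condition["field"])
    for op, fn in OPERATORS.items():
        if op in condition:
            # Simplification: a [*] field condition is true if any element matches.
            return any(isinstance(v, str) and fn(v, condition[op]) for v in values)
    raise ValueError("unsupported condition: " + json.dumps(condition))


def audited(rule, resources=SAMPLE_RESOURCES):
    """Names of resources the rule's 'if' block matches (would be audited)."""
    return [r["name"] for r in resources if evaluate(rule["if"], r)]


if __name__ == "__main__":
    for op, pat in [("like", "Microsoft.Storage/*"), ("contains", "Microsoft.Storage/*"),
                    ("contains", "Microsoft.Storage/")]:
        print(f'{op:8} {pat!r:24} -> {audited(build_rule(op, pat))}')
```

Running the script shows three different result sets for the three operator/pattern pairs, which is the check worth doing before relying on either operator: a policy that audits nothing on your custom roles, or only the wildcard grant, is easy to mistake for "no findings".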