Azure Auditor
Auditor for Azure resources and settings that exposes detected violations as Prometheus metrics for alerting
Audit reports:
- ResourceGroups
- RoleAssignments
- ResourceProviders
- ResourceProviderFeatures
- Keyvault AccessPolicies
- ResourceGraph queries
Usage
Usage:
azure-auditor [OPTIONS]
Application Options:
--log.debug debug mode [$LOG_DEBUG]
--log.trace trace mode [$LOG_TRACE]
--log.json Switch log output to json format [$LOG_JSON]
--azure.environment= Azure environment name (default: AZUREPUBLICCLOUD)
[$AZURE_ENVIRONMENT]
--azure.subscription= Azure subscription ID [$AZURE_SUBSCRIPTION_ID]
--report.title= Report title [$REPORT_TITLE]
--cron.keytvaultaccesspolicies= Cronjob for KeyVault AccessPolicies report (default: 0 * * * *)
[$CRON_KEYTVAULTACCESSPOLICIES]
--cron.resourcegroups= Cronjob for ResourceGroups report (default: */30 * * * *)
[$CRON_RESOURCEGROUPS]
--cron.resourceproviders= Cronjob for ResourceProviders report (default: 0 * * * *)
[$CRON_RESOURCEPROVIDERS]
--cron.roleassignments= Cronjob for RoleAssignments report (default: */5 * * * *)
[$CRON_ROLEASSIGNMENTS]
--cron.resourcegraph= Cronjob for ResourceGraph report (default: 15 * * * *)
[$CRON_RESOURCEGRAPH]
--config= Config file path [$CONFIG]
--dry-run Dry Run (report only) [$DRYRUN]
--bind= Server address (default: :8080) [$SERVER_BIND]
--server.path.report= Server path for report (default: /report) [$SERVER_PATH_REPORT]
Help Options:
-h, --help Show this help message
Crons can be disabled by setting them to an empty string or false.
For Azure API authentication (using ENV vars) see https://docs.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication
For Azure CLI authentication set AZURE_AUTH=az
Configuration file
see [example.yaml](/example.yaml) for example audit rules
Metrics
| Metric | Description |
|---|---|
| azurerm_audit_violation_roleassignment | RoleAssignment violations |
| azurerm_audit_violation_resourcegroup | ResourceGroup violations |
| azurerm_audit_violation_resourceprovider | ResourceProvider violations |
| azurerm_audit_violation_resourceproviderfeature | ResourceProviderFeature violations |
| azurerm_audit_violation_keyvaultaccesspolicy | Keyvault AccessPolicy violations |
| azurerm_audit_violation_resourcegraph_XXX | ResourceGraph violations |
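The violation metrics above are plain Prometheus gauges, so anything that can read the exposition format can turn a scrape of `/metrics` into a violation list. The following is an added example (not part of azure-auditor) that parses a scrape, keeps only non-zero `azurerm_audit_violation_*` series and counts them per report; the scrape text and its label names are constructed for the example and are not the auditor's real label set.

```python
import re
from collections import defaultdict

# One Prometheus text-format sample: name{labels} value [timestamp]
# (label values containing "}" are not handled; the auditor's labels do not need it)
SAMPLE_RE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)')
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')
ESCAPES = {'"': '"', "\\": "\\", "n": "\n"}  # the three escapes the format defines

VIOLATION_PREFIX = "azurerm_audit_violation_"


def parse_labels(raw):
    """Turn 'a="x",b="y"' into a dict, unescaping \\" \\\\ and \\n in one pass."""
    return {
        key: re.sub(r'\\(["\\n])', lambda m: ESCAPES[m.group(1)], val)
        for key, val in LABEL_RE.findall(raw or "")
    }


def parse_violations(metrics_text):
    """Return {metric_name: [(labels, value), ...]} for every azurerm_audit_violation_*
    sample whose value is non-zero. Comments, blank lines and other metrics are skipped."""
    violations = defaultdict(list)
    for line in metrics_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if not m or not m.group(1).startswith(VIOLATION_PREFIX):
            continue
        name, raw_labels, raw_value = m.groups()
        try:
            value = float(raw_value)
        except ValueError:
            continue  # malformed sample: skip it rather than failing the whole scrape
        if value > 0:
            violations[name].append((parse_labels(raw_labels), value))
    return dict(violations)


def summarize(violations):
    """Number of violating series per report, i.e. what an alert rule would fire on."""
    return {name[len(VIOLATION_PREFIX):]: len(samples) for name, samples in violations.items()}


# Constructed scrape; the label names (rule, principalType, scope, resourceGroup) are assumptions
SAMPLE_SCRAPE = """\
# HELP azurerm_audit_violation_roleassignment RoleAssignment violations
# TYPE azurerm_audit_violation_roleassignment gauge
azurerm_audit_violation_roleassignment{rule="owner-restricted",principalType="ServicePrincipal",scope="/subscriptions/00000000-0000-0000-0000-000000000000"} 1
azurerm_audit_violation_roleassignment{rule="owner-restricted",principalType="User",scope="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-legacy"} 1
azurerm_audit_violation_resourcegroup{rule="naming",resourceGroup="RG-Oops"} 1
azurerm_audit_violation_resourcegroup{rule="naming",resourceGroup="rg-fine"} 0
azurerm_api_request_count{apiEndpoint="management.azure.com",method="GET",statusCode="200"} 42
"""

if __name__ == "__main__":
    print(summarize(parse_violations(SAMPLE_SCRAPE)))
```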
AzureTracing metrics
(with 22.2.0 and later)
AzureTracing metrics collect request count and latency from azure-sdk-for-go and expose them as metrics. They are controllable via environment variables (e.g. setting buckets, disabling metrics or disabling autoreset).

| Metric | Description |
|---|---|
| azurerm_api_ratelimit | Azure ratelimit metrics (only on /metrics, resets after query due to limited validity) |
| azurerm_api_request_* | Azure request count and latency as histogram |
Settings
| Environment variable | Example | Description |
|---|---|---|
| METRIC_AZURERM_API_REQUEST_BUCKETS | 1, 2.5, 5, 10, 30, 60, 90, 120 | Sets buckets for azurerm_api_request histogram metric |
| METRIC_AZURERM_API_REQUEST_ENABLE | false | Enables/disables azurerm_api_request_* metric |
| METRIC_AZURERM_API_REQUEST_LABELS | apiEndpoint, method, statusCode | Controls labels of azurerm_api_request_* metric |
| METRIC_AZURERM_API_RATELIMIT_ENABLE | false | Enables/disables azurerm_api_ratelimit metric |
| METRIC_AZURERM_API_RATELIMIT_AUTORESET | false | Enables/disables azurerm_api_ratelimit autoreset after fetch |
| azurerm_api_request label | Status | Description |
|---|---|---|
| apiEndpoint | enabled by default | hostname of endpoint (max 3 parts) |
| routingRegion | enabled by default | detected region for API call, either routing region from Azure Management API or Azure resource location |
| subscriptionID | enabled by default | detected subscriptionID |
| tenantID | enabled by default | detected tenantID (extracted from jwt auth token) |
| resourceProvider | enabled by default | detected Azure Management API provider |
| method | enabled by default | HTTP method |
| statusCode | enabled by default | HTTP status code |
Endpoints
| Endpoint | Description |
|---|---|
| /metrics | Prometheus metrics incl. audit violations |
| /config | Parsed and processed config file |
| /report | Audit report UI |
| /healthz | Healthz endpoint |