Configuring Advanced Threat Protection for Azure Storage accounts.

Advanced Threat Protection (ATP) for Azure Storage accounts adds a layer of security intelligence on top of a storage account: it detects unusual and potentially harmful attempts to access or exploit the account and raises alerts, rather than blocking the requests. It is a detective control, so the account still needs its usual hardening (HTTPS only, no anonymous blob access, tight network rules). The feature is part of Azure Security Center, now Microsoft Defender for Cloud, where it is offered as Microsoft Defender for Storage, a paid plan.
To configure ATP for an Azure Storage account using Pulumi, we use the azure-native.security.AdvancedThreatProtection resource from the azure-native provider. This resource enables advanced threat protection for the Azure resource types that support it, including Storage accounts. The configuration consists of passing the resourceId of the storage account you want to protect and setting isEnabled to true. Here's how to do it in Pulumi with TypeScript:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Create a resource group to hold the storage account. Pulumi creates the
// resource (with an auto-generated physical name); it does not adopt an existing one.
const resourceGroupName = "myResourceGroup";
const resourceGroup = new azure_native.resources.ResourceGroup(resourceGroupName);

// Create a general-purpose v2 storage account using locally redundant storage.
const storageAccountName = "mystorageaccount";
const storageAccount = new azure_native.storage.StorageAccount(storageAccountName, {
    resourceGroupName: resourceGroup.name,
    sku: {
        name: azure_native.storage.SkuName.Standard_LRS,
    },
    kind: azure_native.storage.Kind.StorageV2,
});

// Enable Advanced Threat Protection (Microsoft Defender for Storage) on the account.
const advancedThreatProtection = new azure_native.security.AdvancedThreatProtection(`atp-${storageAccountName}`, {
    isEnabled: true,
    resourceId: storageAccount.id, // the storage account is the target of the ATP setting
    settingName: "current",        // the only setting name Azure Resource Manager accepts for ATP
});

// Export the resource group name and the storage account name.
export const rgName = resourceGroup.name;
export const stAccountName = storageAccount.name;
```
In the program above:
- We first import the necessary modules from @pulumi/pulumi and @pulumi/azure-native.
- We create a resource group with the ResourceGroup class from the azure-native.resources namespace, and a storage account within it with the StorageAccount class from the azure-native.storage namespace. Note that Pulumi auto-names the physical resources by appending a random suffix to the logical name, so the account will not literally be called mystorageaccount; storage account names must be 3 to 24 lowercase letters and digits and globally unique.
- Then we instantiate the AdvancedThreatProtection class, which represents the ATP setting applied to our storage account.
- We set isEnabled to true to turn on ATP.
- The resourceId is a reference to the ID of the StorageAccount resource we created. Because it is an output of the storage account, Pulumi creates the account before the ATP setting and will not leave the account unprotected by ordering them the other way round.
- We use current as the setting name because Azure Resource Manager accepts no other name for the ATP setting.
Finally, we export the names of the created resources to show in the Pulumi stack output. This can help you identify and reference the resources after the deployment.
To apply this Pulumi program:
- Ensure that you have the Pulumi CLI installed and the Azure provider configured (logged in with the Azure CLI or with service principal credentials in the stack configuration).
- Run pulumi up within the directory of this program to deploy the resources.
- Pulumi shows a preview of the changes before they are applied; confirm to proceed.
For more information about Advanced Threat Protection and other security settings in Azure, refer to the Microsoft Defender for Cloud documentation.