Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
16Dashboards
1651Benchmarks
486Queries
8Variables
GitHub

Control: 2.1.14 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'

Description

None of the settings offered by ASC Default policy should be set to effect Disabled.

A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. ASC Default policy is associated with every subscription by default. ASC default policy assignment is a set of security recommendations based on best practices. Enabling recommendations in ASC default policy ensures that Azure security center provides the ability to monitor all of the supported recommendations and optionally allow automated action for a few of the supported recommendations.

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Select Environment Settings.
  4. Click on a subscription.
  5. Select Security Policy in the left column.
  6. Click on ASC Default under Default initiative.
  7. Ensure Policy Enforcement is Enabled.
  8. Click on the Parameters tab and uncheck Only show parameters that need input or review.
  9. For any parameters set to Disabled or empty, update to a valid value for the organization.
  10. Click Save.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v200_2_1_14

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v200_2_1_14 --share

SQL

This control uses a named query:

with policy_assignment_parameters as (
  select
    id,
    name,
    key,
    parameters -> key ->> 'value' as value,
    subscription_id
  from
    azure_policy_assignment,
    jsonb_object_keys(parameters) as key
  where
    name = 'SecurityCenterBuiltIn'
)
select
  sub.id as resource,
  case
    when count(value = 'Disabled') > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when count(value = 'Disabled') > 0 then 'Settings disabled for ' || count(*) filter (where value = 'Disabled') || ' parameters.'
    else 'Settings enabled for all the parameters.'
  end as reason
  
  , sub.display_name as subscription
from
  policy_assignment_parameters pol_assignment
  right join azure_subscription sub on pol_assignment.subscription_id = sub.subscription_id
group by
  sub.id,
  pol_assignment.id,
  sub._ctx,
  sub.subscription_id,
  pol_assignment.subscription_id,
  sub.display_name;

Tags

category = Compliance
cis = true
cis_item_id = 2.1.14
cis_level = 1
cis_section_id = 2.1
cis_type = manual
cis_version = v2.0.0
plugin = azure
service = Azure/SecurityCenter