turbot/steampipe-mod-azure-compliance

Control: Azure subscriptions should have a log profile for Activity Log

Description

This policy checks whether a log profile is enabled for exporting activity logs. It flags any subscription that has no log profile created to export the logs either to a storage account or to an event hub.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.log_profile_enabled_for_all_subscription

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.log_profile_enabled_for_all_subscription --share

SQL

This control uses a named query:

with log_profiles as (
  select
    subscription_id
  from
    azure_log_profile
  group by
    subscription_id
)
select
  sub.id as resource,
  case
    when i.subscription_id is null then 'alarm'
    else 'ok'
  end as status,
  case
    when i.subscription_id is null then sub.display_name || ' does not collect activity logs.'
    else sub.display_name || ' collects activity logs.'
  end as reason,
  sub.display_name as subscription
from
  azure_subscription as sub
  left join log_profiles as i on i.subscription_id = sub.subscription_id;
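
The following is an added example, not part of the mod: it runs the control's query in an in-memory SQLite database against constructed stand-ins for the azure_subscription and azure_log_profile tables, to show how the left join turns a missing log profile into an alarm row. The subscription IDs, display names, and the run_control and alarms helpers are assumptions made for illustration.

```python
import sqlite3

# The control's query as shown on this page (layout condensed, logic unchanged).
CONTROL_SQL = """
with log_profiles as (
  select subscription_id from azure_log_profile group by subscription_id
)
select
  sub.id as resource,
  case when i.subscription_id is null then 'alarm' else 'ok' end as status,
  case
    when i.subscription_id is null then sub.display_name || ' does not collect activity logs.'
    else sub.display_name || ' collects activity logs.'
  end as reason,
  sub.display_name as subscription
from azure_subscription as sub
left join log_profiles as i on i.subscription_id = sub.subscription_id;
"""

# Constructed inventory: (id, subscription_id, display_name). Not real subscriptions.
SUBSCRIPTIONS = [
    ("/subscriptions/00000000-0000-0000-0000-00000000000a", "00000000-0000-0000-0000-00000000000a", "prod"),
    ("/subscriptions/00000000-0000-0000-0000-00000000000b", "00000000-0000-0000-0000-00000000000b", "dev"),
    ("/subscriptions/00000000-0000-0000-0000-00000000000c", "00000000-0000-0000-0000-00000000000c", "sandbox"),
]
# Constructed log profile rows: (subscription_id, name). The repeated "prod" row
# shows that the group by still yields one result row per subscription.
LOG_PROFILES = [
    ("00000000-0000-0000-0000-00000000000a", "default"),
    ("00000000-0000-0000-0000-00000000000a", "default"),
    ("00000000-0000-0000-0000-00000000000b", "default"),
]

def run_control(subscriptions, log_profiles):
    """Load the stand-in tables and return the control's result rows as dicts."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("create table azure_subscription (id text, subscription_id text, display_name text)")
    db.execute("create table azure_log_profile (subscription_id text, name text)")
    db.executemany("insert into azure_subscription values (?, ?, ?)", subscriptions)
    db.executemany("insert into azure_log_profile values (?, ?)", log_profiles)
    rows = [dict(r) for r in db.execute(CONTROL_SQL)]
    db.close()
    return rows

def alarms(rows):
    """Display names of subscriptions the control would flag."""
    return sorted(r["subscription"] for r in rows if r["status"] == "alarm")

if __name__ == "__main__":
    for row in run_control(SUBSCRIPTIONS, LOG_PROFILES):
        print(f"{row['status']:5} {row['reason']}")
```

The query reads only subscription_id from azure_log_profile, so the status reflects whether a log profile row exists for the subscription and nothing about how that profile is configured.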
