Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →

Plugins Docs Home

turbot/steampipe-mod-azure-compliance

ad_guest_user_reviewed_monthly ad_manual_control apimanagement_service_client_certificate_enabled apimanagement_service_with_virtual_network app_configuration_encryption_enabled app_configuration_private_link_used app_configuration_sku_standard app_service_environment_internal_encryption_enabled application_gateway_waf_enabled application_gateway_waf_uses_specified_mode application_insights_block_log_ingestion_and_querying_from_public application_insights_linked_to_log_analytics_workspace appservice_api_app_client_certificates_on appservice_api_app_cors_no_star appservice_api_app_ftps_enabled appservice_api_app_latest_tls_version appservice_api_app_remote_debugging_disabled appservice_api_app_use_https appservice_api_app_uses_managed_identity appservice_authentication_enabled appservice_ftp_deployment_disabled appservice_function_app_authentication_on appservice_function_app_client_certificates_on appservice_function_app_cors_no_star appservice_function_app_ftps_enabled appservice_function_app_latest_http_version appservice_function_app_latest_java_version appservice_function_app_latest_python_version appservice_function_app_latest_tls_version appservice_function_app_only_https_accessible appservice_function_app_remote_debugging_disabled appservice_function_app_restrict_public_acces appservice_function_app_uses_managed_identity appservice_plan_minimum_sku appservice_web_app_always_on appservice_web_app_client_certificates_on appservice_web_app_cors_no_star appservice_web_app_diagnostic_log_category_http_log_enabled appservice_web_app_diagnostic_logs_enabled appservice_web_app_failed_request_tracing_enabled appservice_web_app_ftps_enabled appservice_web_app_health_check_enabled appservice_web_app_http_logs_enabled appservice_web_app_incoming_client_cert_on appservice_web_app_latest_dotnet_framework_version appservice_web_app_latest_http_version appservice_web_app_latest_java_version appservice_web_app_latest_php_version appservice_web_app_latest_python_version appservice_web_app_latest_tls_version appservice_web_app_register_with_active_directory_enabled appservice_web_app_remote_debugging_disabled appservice_web_app_slot_use_https appservice_web_app_use_https appservice_web_app_use_virtual_service_endpoint appservice_web_app_uses_managed_identity appservice_web_app_worker_more_than_one arc_compute_machine_linux_log_analytics_agent_installed arc_compute_machine_windows_log_analytics_agent_installed automation_account_variable_encryption_enabled batch_account_encrypted_with_cmk batch_account_identity_provider_enabled batch_account_logging_enabled cognitive_account_encrypted_with_cmk cognitive_account_private_link_used cognitive_account_public_network_access_disabled cognitive_account_restrict_public_access cognitive_service_local_auth_disabled compute_disk_access_uses_private_link compute_disk_data_access_auth_mode_enabled compute_disk_public_access_disabled compute_disk_unattached_encrypted_with_cmk compute_os_and_data_disk_encrypted_with_cmk compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed compute_unattached_disk_encrypted_with_cmk compute_vm_account_with_password_linux compute_vm_and_sacle_set_encryption_at_host_enabled compute_vm_attached_with_network compute_vm_data_and_os_disk_uses_managed_disk compute_vm_disaster_recovery_enabled compute_vm_guest_configuration_installed compute_vm_guest_configuration_installed_linux compute_vm_guest_configuration_installed_windows compute_vm_guest_configuration_with_no_managed_identity compute_vm_guest_configuration_with_system_assigned_managed_identity compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity compute_vm_jit_access_protected compute_vm_log_analytics_agent_installed compute_vm_log_analytics_agent_installed_windows compute_vm_malware_agent_automatic_upgrade_enabled compute_vm_malware_agent_installed compute_vm_max_password_age_70_days_windows compute_vm_meet_security_baseline_requirements_linux compute_vm_meet_security_baseline_requirements_windows compute_vm_min_password_age_1_day_windows compute_vm_min_password_length_14_windows compute_vm_network_traffic_data_collection_linux_agent_installed compute_vm_network_traffic_data_collection_windows_agent_installed compute_vm_password_complexity_setting_enabled_windows compute_vm_passwords_stored_using_reversible_encryption_windows compute_vm_remote_access_restricted compute_vm_remote_access_restricted_all_ports compute_vm_restrict_previous_24_passwords_resuse_windows compute_vm_restrict_remote_connection_from_accounts_without_password_linux compute_vm_scale_set_automatic_upgrade_enabled compute_vm_scale_set_boot_diagnostics_enabled compute_vm_scale_set_log_analytics_agent_installed compute_vm_scale_set_logging_enabled compute_vm_scale_set_ssh_key_authentication_linux compute_vm_scale_set_uses_managed_disks compute_vm_secure_communication_protocols_configured compute_vm_ssh_key_authentication_linux compute_vm_system_updates_installed compute_vm_tcp_udp_access_restricted_internet compute_vm_trust_launch_enabled compute_vm_uses_azure_resource_manager compute_vm_utilizing_managed_disk compute_vm_vulnerability_assessment_solution_enabled compute_vm_windows_defender_exploit_guard_enabled compute_windows_vm_secure_boot_enabled container_instance_container_group_encrypted_using_cmk container_instance_container_group_identity_provider_enabled container_instance_container_group_in_virtual_network container_instance_container_group_secured_environment_variable container_registry_admin_user_disabled container_registry_encrypted_with_cmk container_registry_geo_replication_enabled container_registry_public_network_access_disabled container_registry_quarantine_policy_enabled container_registry_restrict_public_access container_registry_retention_policy_enabled container_registry_trust_policy_enabled container_registry_use_virtual_service_endpoint container_registry_uses_private_link cosmosdb_account_encryption_at_rest_using_cmk cosmosdb_account_key_based_metadata_write_access_disabled cosmosdb_account_uses_aad_and_rbac cosmosdb_account_uses_private_link cosmosdb_account_virtual_network_filter_enabled cosmosdb_account_with_firewall_rules cosmosdb_use_virtual_service_endpoint data_factory_encrypted_with_cmk data_factory_public_network_access_disabled data_factory_uses_git_repository data_factory_uses_private_link databox_edge_device_double_encryption_enabled databricks_workspace_cmk_configured databricks_workspace_deployed_in_custom_vnet databricks_workspace_diagnostic_log_delivery_configured databricks_workspace_subnet_with_nsg_configured datalake_analytics_account_logging_enabled datalake_store_account_encryption_enabled datalake_store_account_logging_enabled eventgrid_domain_identity_provider_enabled eventgrid_domain_private_link_used eventgrid_domain_restrict_public_access eventgrid_topic_identity_provider_enabled eventgrid_topic_local_auth_enabled eventgrid_topic_private_link_used eventhub_namespace_cmk_encryption_enabled eventhub_namespace_logging_enabled eventhub_namespace_private_link_used eventhub_namespace_use_virtual_service_endpoint frontdoor_waf_enabled hdinsight_cluster_encrypted_at_rest_with_cmk hdinsight_cluster_encryption_at_host_enabled hdinsight_cluster_encryption_in_transit_enabled healthcare_fhir_azure_api_encrypted_at_rest_with_cmk healthcare_fhir_uses_private_link hpc_cache_encrypted_with_cmk iam_conditional_access_mfa_enabled iam_conditional_access_mfa_enabled_for_administrators iam_conditional_access_trusted_location_configured iam_deprecated_account iam_deprecated_account_with_owner_roles iam_external_user_with_owner_role iam_external_user_with_read_permission iam_external_user_with_write_permission iam_global_administrator_max_5 iam_no_custom_role iam_no_custom_subscription_owner_roles_created iam_subscription_owner_max_3 iam_subscription_owner_more_than_1 iam_subscriptions_with_custom_roles_no_overly_permissive iam_user_access_administrator_role_restricted iam_user_consent_to_apps_accessing_data_on_their_behalf_disabled iam_user_no_built_in_contributor_role iam_user_not_allowed_to_create_security_group iam_user_not_allowed_to_create_tenants iam_user_not_allowed_to_register_application iot_hub_logging_enabled iot_hub_private_link_used keyvault_firewall_enabled keyvault_key_automatic_rotation_enabled keyvault_key_expiration_set keyvault_logging_enabled keyvault_managed_hms_logging_enabled keyvault_managed_hms_purge_protection_enabled keyvault_public_network_access_disabled keyvault_purge_protection_enabled keyvault_rbac_enabled keyvault_secret_expiration_set keyvault_soft_delete_enabled keyvault_vault_private_link_used keyvault_vault_public_network_access_disabled keyvault_vault_recoverable keyvault_vault_use_virtual_service_endpoint keyvault_with_non_rbac_key_expiration_set keyvault_with_non_rbac_secret_expiration_set keyvault_with_rbac_key_expiration_set keyvault_with_rbac_secret_expiration_set kubernetes_cluster_add_on_azure_policy_enabled kubernetes_cluster_addon_azure_policy_enabled kubernetes_cluster_authorized_ip_range_defined kubernetes_cluster_http_application_routing_disabled kubernetes_cluster_key_vault_secret_rotation_enabled kubernetes_cluster_logging_enabled kubernetes_cluster_max_pod_50 kubernetes_cluster_network_plugin_azure kubernetes_cluster_network_policy_enabled kubernetes_cluster_node_restrict_public_access kubernetes_cluster_os_and_data_disks_encrypted_with_cmk kubernetes_cluster_restrict_public_access kubernetes_cluster_sku_standard kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host kubernetes_cluster_upgrade_channel kubernetes_cluster_upgraded_with_non_vulnerable_version kubernetes_instance_rbac_enabled kusto_cluster_disk_encryption_enabled kusto_cluster_double_encryption_enabled kusto_cluster_encrypted_at_rest_with_cmk kusto_cluster_sku_with_sla log_analytics_workspace_block_log_ingestion_and_querying_from_public log_analytics_workspace_block_non_azure_ingestion log_profile_enabled_for_all_subscription logic_app_workflow_logging_enabled machine_learning_workspace_encrypted_with_cmk manual_control manual_control_hipaa mariadb_server_geo_redundant_backup_enabled mariadb_server_private_link_used mariadb_server_public_network_access_disabled mariadb_server_ssl_enabled monitor_application_insights_configured monitor_diagnostic_settings_captures_proper_categories monitor_log_alert_create_policy_assignment monitor_log_alert_create_update_nsg monitor_log_alert_create_update_nsg_rule monitor_log_alert_create_update_public_ip_address monitor_log_alert_create_update_security_solution monitor_log_alert_create_update_sql_servers_firewall_rule monitor_log_alert_delete_nsg monitor_log_alert_delete_nsg_rule monitor_log_alert_delete_policy_assignment monitor_log_alert_delete_public_ip_address monitor_log_alert_delete_security_solution monitor_log_alert_delete_sql_servers_firewall_rule monitor_log_alert_for_administrative_operations monitor_log_alert_service_health monitor_log_alert_sql_firewall_rule monitor_log_profile_enabled_for_all_categories monitor_log_profile_enabled_for_all_regions monitor_log_profile_retention_365_days monitor_logs_storage_container_insights_activity_logs_encrypted_with_byok monitor_logs_storage_container_insights_activity_logs_not_public_accessible monitor_logs_storage_container_insights_operational_logs_encrypted_with_byok monitor_logs_storage_container_insights_operational_logs_not_public_accessible mssql_managed_instance_encryption_at_rest_using_cmk mssql_managed_instance_vulnerability_assessment_enabled mysql_db_server_geo_redundant_backup_enabled mysql_flexible_server_audit_logging_enabled mysql_flexible_server_audit_logging_events_connection_set mysql_flexible_server_min_tls_1_2 mysql_flexible_server_ssl_enabled mysql_server_audit_logging_enabled mysql_server_audit_logging_events_connection_set mysql_server_encrypted_at_rest_using_cmk mysql_server_infrastructure_encryption_enabled mysql_server_min_tls_1_2 mysql_server_private_link_used mysql_server_public_network_access_disabled mysql_ssl_enabled network_bastion_host_min_1 network_ddos_enabled network_interface_ip_forwarding_disabled network_lb_diagnostics_logs_enabled network_lb_no_basic_sku network_network_peering_connected network_public_ip_no_basic_sku network_security_group_diagnostic_setting_deployed network_security_group_https_access_restricted network_security_group_https_port_80_443_access_restricted network_security_group_not_configured_gateway_subnets network_security_group_outbound_access_restricted network_security_group_rdp_access_restricted network_security_group_remote_access_restricted network_security_group_restrict_inbound_icmp_port network_security_group_restrict_inbound_tcp_port_135 network_security_group_restrict_inbound_tcp_port_1433 network_security_group_restrict_inbound_tcp_port_20 network_security_group_restrict_inbound_tcp_port_21 network_security_group_restrict_inbound_tcp_port_23 network_security_group_restrict_inbound_tcp_port_25 network_security_group_restrict_inbound_tcp_port_3306 network_security_group_restrict_inbound_tcp_port_4333 network_security_group_restrict_inbound_tcp_port_445 network_security_group_restrict_inbound_tcp_port_53 network_security_group_restrict_inbound_tcp_port_5432 network_security_group_restrict_inbound_tcp_port_5500 network_security_group_restrict_inbound_tcp_port_5900 network_security_group_restrict_inbound_udp_port_137 network_security_group_restrict_inbound_udp_port_138 network_security_group_restrict_inbound_udp_port_1434 network_security_group_restrict_inbound_udp_port_445 network_security_group_restrict_inbound_udp_port_53 network_security_group_ssh_access_restricted network_security_group_subnet_associated network_security_group_udp_service_restricted network_sg_flowlog_enabled network_sg_flowlog_retention_period_greater_than_90 network_virtual_network_gateway_no_basic_sku network_virtual_network_watcher_flow_log_retention_90_days network_virtual_network_watcher_flow_log_send_to_log_analytics network_watcher_enabled network_watcher_flow_log_enabled network_watcher_flow_log_traffic_analytics_enabled network_watcher_in_regions_with_virtual_network nsg_network_watcher_flow_log_send_to_log_analytics postgres_db_server_allow_access_to_azure_services_disabled postgres_db_server_connection_throttling_on postgres_db_server_geo_redundant_backup_enabled postgres_db_server_latest_tls_version postgres_db_server_log_checkpoints_on postgres_db_server_log_connections_on postgres_db_server_log_disconnections_on postgres_db_server_log_duration_on postgres_db_server_log_retention_days_3 postgres_flexible_server_allow_access_to_azure_services_disabled postgres_flexible_server_connection_throttling_on postgres_flexible_server_log_checkpoints_on postgres_flexible_server_log_retention_days_3 postgres_server_private_link_used postgres_sql_flexible_server_ssl_enabled postgres_sql_server_encrypted_at_rest_using_cmk postgres_sql_ssl_enabled postgresql_server_infrastructure_encryption_enabled postgresql_server_public_network_access_disabled recovery_service_vault_uses_managed_identity recovery_service_vault_uses_private_link recovery_service_vault_uses_private_link_for_backup redis_cache_in_virtual_network redis_cache_min_tls_1_2 redis_cache_no_basic_sku redis_cache_ssl_enabled redis_cache_uses_private_link search_service_logging_enabled search_service_public_network_access_disabled search_service_replica_count_3 search_service_uses_managed_identity search_service_uses_private_link search_service_uses_sku_supporting_private_link security_center_attack_path_alerts_enabled security_center_defender_for_servers_enabled securitycenter_additional_email_configured securitycenter_asc_default_setting_not_disabled securitycenter_automatic_provisioning_monitoring_agent_on securitycenter_azure_defender_on_for_appservice securitycenter_azure_defender_on_for_containerregistry securitycenter_azure_defender_on_for_containers securitycenter_azure_defender_on_for_cosmosdb securitycenter_azure_defender_on_for_database securitycenter_azure_defender_on_for_dns securitycenter_azure_defender_on_for_k8s securitycenter_azure_defender_on_for_keyvault securitycenter_azure_defender_on_for_opensource_relational_db securitycenter_azure_defender_on_for_resource_manager securitycenter_azure_defender_on_for_server securitycenter_azure_defender_on_for_sqldb securitycenter_azure_defender_on_for_sqlservervm securitycenter_azure_defender_on_for_storage securitycenter_container_image_scan_enabled securitycenter_email_configured securitycenter_mcas_integration securitycenter_notify_alerts_configured securitycenter_pricing_standard securitycenter_security_alerts_to_owner_enabled securitycenter_wdatp_integration servicebus_name_space_private_link_used servicebus_namespace_azure_ad_authentication_enabled servicebus_namespace_logging_enabled servicebus_namespace_no_overly_permissive_network_access servicebus_premium_namespace_cmk_encrypted servicebus_use_virtual_service_endpoint servicefabric_cluster_active_directory_authentication_enabled servicefabric_cluster_protection_level_as_encrypt_and_sign signalr_service_no_free_tier_sku signalr_service_private_link_used spring_cloud_service_network_injection_enabled sql_database_allow_internet_access sql_database_long_term_geo_redundant_backup_enabled sql_database_transparent_data_encryption_enabled sql_database_vulnerability_findings_resolved sql_db_active_directory_admin_configured sql_db_public_network_access_disabled sql_server_and_databases_va_enabled sql_server_atp_enabled sql_server_auditing_on sql_server_auditing_retention_period_90 sql_server_auditing_storage_account_destination_retention_90_days sql_server_azure_ad_authentication_enabled sql_server_azure_defender_enabled sql_server_tde_protector_cmk_encrypted sql_server_threat_detection_all_enabled sql_server_transparent_data_encryption_enabled sql_server_use_virtual_service_endpoint sql_server_uses_private_link sql_server_va_setting_periodic_scan_enabled sql_server_va_setting_reports_notify_admins sql_server_va_setting_scan_reports_configured storage_account_blob_and_container_soft_delete_enabled storage_account_blob_containers_public_access_disabled storage_account_blob_public_access_disabled storage_account_blob_service_classic_logging_enabled storage_account_blob_service_logging_enabled storage_account_blob_soft_delete_enabled storage_account_blob_versioning_enabled storage_account_block_public_access storage_account_containing_vhd_os_disk_cmk_encrypted storage_account_cross_tenant_replication_disabled storage_account_default_network_access_deny storage_account_default_network_access_rule_denied storage_account_default_to_oauth_authentication storage_account_encryption_at_rest_using_cmk storage_account_encryption_at_rest_using_mmk storage_account_encryption_scopes_encrypted_at_rest_with_cmk storage_account_file_share_smb_channel_encryption_aes_256_gcm storage_account_file_share_smb_protocol_version_3_1_1 storage_account_file_share_soft_delete_enabled storage_account_geo_redundant_enabled storage_account_infrastructure_encryption_enabled storage_account_key_rotation_reminder_enabled storage_account_min_tls_1_2 storage_account_public_network_access_disabled storage_account_queue_service_classic_logging_enabled storage_account_queue_services_logging_enabled storage_account_restrict_network_access storage_account_secure_transfer_required_enabled storage_account_shared_key_access_disabled storage_account_soft_delete_enabled storage_account_table_service_classic_logging_enabled storage_account_table_service_logging_enabled storage_account_trusted_microsoft_services_enabled storage_account_use_virtual_service_endpoint storage_account_uses_azure_resource_manager storage_account_uses_private_link storage_sync_private_link_used stream_analytics_job_logging_enabled synapse_workspace_data_exfiltration_protection_enabled synapse_workspace_encryption_at_rest_using_cmk synapse_workspace_private_link_used synapse_workspace_vulnerability_assessment_enabled

Queries in Azure Compliance

The Azure Compliance mod includes 461 queries: