Control: Windows machines should meet requirements of the Azure compute security baseline

Description

Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.compute_vm_meet_security_baseline_requirements_windows

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.compute_vm_meet_security_baseline_requirements_windows --share

SQL

This control uses a named query:

with compute_machine as(
  select
    id,
    name,
    subscription_id,
    resource_group
  from
    azure_compute_virtual_machine,
    jsonb_array_elements(guest_configuration_assignments) as e
  where
  e ->> 'name' = 'AzureWindowsBaseline'
  and e ->> 'complianceStatus' = 'Compliant'
)
select
  a.vm_id as resource,
  case
    when a.os_type <> 'Windows' then 'skip'
    when m.id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when a.os_type <> 'Windows' then a.name || ' is of ' || a.os_type || ' operating system.'
    when m.id is not null then a.name || ' meet requirements for azure compute security baseline.'
    else a.name || ' does not meet requirements for azure compute security baseline.'
  end as reason
  
  , a.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_compute_virtual_machine as a
  left join compute_machine as m on m.id = a.id,
  azure_subscription as sub
where
  sub.subscription_id = a.subscription_id;

Control: Windows machines should meet requirements of the Azure compute security baseline

Description

Usage

SQL

Tags