turbot/steampipe-mod-azure-compliance

Control: Azure Stack Edge devices should use double-encryption

Description

To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.databox_edge_device_double_encryption_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.databox_edge_device_double_encryption_enabled --share

SQL

This control uses a named query:

select
  a.id as resource,
  case
    when a.sku_name = any (ARRAY ['TEA_1Node', 'TEA_1Node_UPS', 'TEA_1Node_Heater', 'TEA_1Node_UPS_Heater', 'TEA_4Node_Heater', 'TEA_4Node_UPS_Heater', 'TMA', 'EdgePR_Base', 'EdgePR_Base_UPS', 'EdgeMR_Mini']) then 'ok'
    else 'alarm'
  end as status,
  case
    when a.sku_name = any (ARRAY ['TEA_1Node', 'TEA_1Node_UPS', 'TEA_1Node_Heater', 'TEA_1Node_UPS_Heater', 'TEA_4Node_Heater', 'TEA_4Node_UPS_Heater', 'TMA', 'EdgePR_Base', 'EdgePR_Base_UPS', 'EdgeMR_Mini']) then a.name || ' double encryption enabled.'
    else a.name || ' double encryption disabled.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_databox_edge_device as a,
  azure_subscription as sub
where
  sub.subscription_id = a.subscription_id;
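The query above decides pass or fail purely from the device SKU: the listed SKUs are the Azure Stack Edge models whose data volumes are double-encrypted by design, so the control is an inventory check rather than a read of a per-device encryption setting. The following is an added example, not part of the mod, that runs the same classification over constructed sample rows so the behaviour can be inspected without an Azure connection. It assumes a PostgreSQL session (the dialect Steampipe serves, which is why the ARRAY / = any syntax matches the named query); the device names, resource groups and SKU values in the VALUES list are constructed for illustration.

```sql
-- Added example (not the mod's own query): exercise the control's SKU-based
-- logic against constructed rows instead of the live azure_databox_edge_device table.
with device as (
  -- constructed sample devices; names, groups and SKUs are illustrative only
  select * from (values
    ('dev-pro-1',  'rg-edge',  'EdgePR_Base'),
    ('dev-mini-1', 'rg-edge',  'EdgeMR_Mini'),
    ('dev-tea-1',  'rg-plant', 'TEA_1Node_UPS'),
    ('dev-gw-1',   'rg-edge',  'Gateway'),
    ('dev-null-1', 'rg-edge',  null)          -- SKU not reported by the API
  ) as t(name, resource_group, sku_name)
),
double_encrypted_skus as (
  -- the same SKU list the control hard-codes, held once so both CASE arms share it
  select ARRAY ['TEA_1Node', 'TEA_1Node_UPS', 'TEA_1Node_Heater', 'TEA_1Node_UPS_Heater',
                'TEA_4Node_Heater', 'TEA_4Node_UPS_Heater', 'TMA', 'EdgePR_Base',
                'EdgePR_Base_UPS', 'EdgeMR_Mini'] as skus
)
select
  d.name,
  d.resource_group,
  d.sku_name,
  case
    when d.sku_name = any (s.skus) then 'ok'
    else 'alarm'
  end as status,
  case
    when d.sku_name = any (s.skus) then d.name || ' double encryption enabled.'
    else d.name || ' double encryption disabled.'
  end as reason
from
  device as d,
  double_encrypted_skus as s
order by
  d.name;
```

Expected classification for the sample rows: dev-mini-1, dev-pro-1 and dev-tea-1 report ok; dev-gw-1 reports alarm because its SKU is not in the list. dev-null-1 also reports alarm: a NULL sku_name makes `= any (...)` evaluate to NULL, which the CASE treats as not-true and falls through to the else branch, so a device whose SKU is missing from the API response is flagged rather than silently passed. When triaging alarms from the real control, confirm the device model before treating the finding as a misconfiguration, since the SKU list, not a runtime setting, determines the result.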

Tags