Benchmark: Protection of Information at Rest (SC-28)
Description
The information system protects the confidentiality and integrity of organization-defined information at rest.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Protection of Information at Rest (SC-28).
Run this benchmark in your terminal:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_53_rev_5_sc_28 --share
Benchmarks
Controls
- App Service Environment should enable internal encryption
- Virtual machines and virtual machine scale sets should have encryption at host enabled
- Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
- Azure Stack Edge devices should use double-encryption
- Azure Data Box jobs should enable double encryption for data at rest on the device
- Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host
- Disk encryption should be enabled on Azure Data Explorer
- Double encryption should be enabled on Azure Data Explorer
- Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)
- Infrastructure encryption should be enabled for Azure Database for MySQL servers
- Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers
- Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
- Transparent Data Encryption on SQL databases should be enabled
- Storage accounts should have infrastructure encryption