turbot/steampipe-mod-azure-compliance

Control: Ensure Trusted Launch is enabled on Virtual Machines

Description

When Secure Boot and vTPM are enabled together, they provide a strong foundation for protecting your VM from boot attacks. For example, if an attacker attempts to replace the bootloader with a malicious version, Secure Boot will prevent the VM from booting.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.compute_vm_trust_launch_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.compute_vm_trust_launch_enabled --share

SQL

This control uses a named query:

select
vm.id as resource,
case
when (security_profile ->> 'securityType') is null or (security_profile ->> 'securityType') <> 'TrustedLaunch' then 'skip'
when (security_profile -> 'uefiSettings' -> 'secureBootEnabled')::bool
and (security_profile -> 'uefiSettings' -> 'vTpmEnabled')::bool then 'ok'
else 'alarm'
end as status,
case
when (security_profile ->> 'securityType') is null or (security_profile ->> 'securityType') <> 'TrustedLaunch' then vm.name || ' not using trust launch security type.'
when (security_profile -> 'uefiSettings' -> 'secureBootEnabled')::bool
and (security_profile -> 'uefiSettings' -> 'vTpmEnabled')::bool then vm.name || ' trusted launch enabled.'
else vm.name || ' trusted launch disabled.'
end as reason
, vm.resource_group as resource_group
, sub.display_name as subscription
from
azure_compute_virtual_machine vm,
azure_subscription sub
where
sub.subscription_id = vm.subscription_id;

Tags