Benchmark: Compute
Description
This benchmark provides a set of controls that detect Terraform Azure Compute resources deviating from security best practices.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-terraform-azure-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Compute.
Run this benchmark in your terminal:
powerpipe benchmark run terraform_azure_compliance.benchmark.compute
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run terraform_azure_compliance.benchmark.compute --share
Controls
- Managed disks should be encrypted
 - Virtual machines should not allow extension operations
 - Virtual machines and scale sets should have agent installed
 - Virtual machines and virtual machine scale sets should have encryption at host enabled
 - Linux Virtual machines and scale sets should enable SSH key authentication
 - Windows Virtual machines and scale sets should have automatic updates enabled
 - Azure Defender for servers should be enabled
 - Linux virtual machines should disable password authentication
 - Virtual machines should disable password authentication
 - Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
 - Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
 - Guest Configuration extension should be installed on your machines
 - Deploy default Microsoft IaaSAntimalware extension for Windows Server
 - Compute virtual machine scale sets should have automatic OS image patching enabled
 - Linux virtual machines scale sets should disable password authentication
 - System updates should be installed on your machines
 - Virtual machines should be migrated to new Azure Resource Manager resources
 - IP Forwarding on your virtual machine should be disabled