Azure Compliance Mod
Run individual configuration, compliance and security controls or full CIS
, HIPAA HITRUST
, NIST
and PCI DSS
compliance benchmarks across all your Azure subscriptions.
References
Azure provides on-demand cloud computing platforms and APIs to authenticated customers on a metered pay-as-you-go basis.
CIS Azure Benchmarks provide a predefined set of compliance and security best-practice checks for Microsoft Azure usage.
HIPAA HITRUST 9.2 provides a combined set of predefined compliance and security best-practice checks for Health Insurance Portability and Accountability Act.
NIST SP 800-53 Revision 5 defines the standards and guidelines for federal agencies to architect and manage their information security systems.
PCI DSS v3.2.1 applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data.
Steampipe is an open source CLI to instantly query cloud APIs using SQL.
Steampipe Mods are collections of named queries
, and codified controls
that can be used to test current configuration of your cloud resources against a desired configuration.
Documentation
Getting started
Installation
Download and install Steampipe (https://steampipe.io/downloads). Or use Brew:
brew tap turbot/tapbrew install steampipe
Install the Azure and the Azure Active Directory plugins with Steampipe:
steampipe plugin install azuresteampipe plugin install azuread
Clone:
git clone https://github.com/turbot/steampipe-mod-azure-compliance.gitcd steampipe-mod-azure-compliance
Usage
Start your dashboard server to get started:
steampipe dashboard
By default, the dashboard interface will then be launched in a new browser window at http://localhost:9194. From here, you can run benchmarks by selecting one or searching for a specific one.
Instead of running benchmarks in a dashboard, you can also run them within your
terminal with the steampipe check
command:
Run all benchmarks:
steampipe check all
Run a benchmark:
steampipe check benchmark.cis_v130
Run a specific control:
steampipe check control.cis_v130_2_1_1
Different output formats are also available, for more information please see Output Formats.
Credentials
This mod uses the credentials configured in the Steampipe Azure plugin and the Steampipe Azure Active Directory plugin.
Configuration
No extra configuration is required.
Common and Tag Dimensions
The benchmark queries use common properties (like connection_name
, resource_group
, region
, subscription
and subscription_id
) and tags that are defined in the form of a default list of strings in the mod.sp
file. These properties can be overwritten in several ways:
Copy and rename the
steampipe.spvars.example
file tosteampipe.spvars
, and then modify the variable values inside that filePass in a value on the command line:
steampipe check benchmark.cis_v140 --var 'common_dimensions=["resource_group", "region", "subscription", "subscription_id"]'steampipe check benchmark.cis_v140 --var 'tag_dimensions=["Department", "Environment"]'Set an environment variable:
SP_VAR_common_dimensions='["resource_group", "region", "subscription", "subscription_id"]' steampipe check control.storage_account_use_virtual_service_endpointSP_VAR_tag_dimensions='["Department", "Environment"]' steampipe check control.storage_account_use_virtual_service_endpoint
Contributing
If you have an idea for additional controls or just want to help maintain and extend this mod (or others) we would love you to join the community and start contributing.
- Join our Slack community → and hang out with other Mod developers.
Please see the contribution guidelines and our code of conduct. All contributions are subject to the Apache 2.0 open source license.
Want to help but not sure where to start? Pick up one of the help wanted
issues: