apimanagement_backend_uses_httpsapimanagement_service_client_certificate_enabledapimanagement_service_restrict_public_accessapimanagement_service_uses_latest_tls_versionapimanagement_service_with_virtual_networkapp_configuration_encryption_enabledapp_configuration_local_auth_disabledapp_configuration_purge_protection_enabledapp_configuration_restrict_public_accessapp_configuration_sku_standardapplication_gateway_restrict_message_lookup_log4j2application_gateway_use_secure_ssl_cipherapplication_gateway_uses_https_listenerapplication_gateway_waf_enabledappservice_authentication_enabledappservice_azure_defender_enabledappservice_environment_internal_encryption_enabledappservice_environment_zone_redundant_enabledappservice_ftp_deployment_disabledappservice_function_app_builtin_logging_enabledappservice_function_app_client_certificates_onappservice_function_app_cors_no_starappservice_function_app_ftps_enabledappservice_function_app_latest_http_versionappservice_function_app_latest_java_versionappservice_function_app_latest_python_versionappservice_function_app_latest_tls_versionappservice_function_app_only_https_accessibleappservice_function_app_public_access_disabledappservice_function_app_uses_managed_identityappservice_plan_minimum_skuappservice_plan_zone_redundantappservice_web_app_always_onappservice_web_app_client_certificates_onappservice_web_app_cors_no_starappservice_web_app_detailed_error_messages_enabledappservice_web_app_diagnostic_logs_enabledappservice_web_app_failed_request_tracing_enabledappservice_web_app_ftps_enabledappservice_web_app_health_check_enabledappservice_web_app_http_logs_enabledappservice_web_app_incoming_client_cert_onappservice_web_app_latest_dotnet_framework_versionappservice_web_app_latest_http_versionappservice_web_app_latest_java_versionappservice_web_app_latest_php_versionappservice_web_app_latest_python_versionappservice_web_app_latest_tls_versionappservice_web_app_public_access_disabledappservice_web_app_register_with_active_directory_enabledappservice_web_app_remote_debugging_disabledappservice_web_app_slot_latest_tls_versionappservice_web_app_slot_remote_debugging_disabledappservice_web_app_slot_use_httpsappservice_web_app_use_httpsappservice_web_app_use_virtual_service_endpointappservice_web_app_uses_azure_fileappservice_web_app_uses_managed_identityappservice_web_app_worker_more_than_oneautomation_account_variables_encryption_enabledazure_redis_cache_in_virtual_networkazure_redis_cache_ssl_enabledbatch_account_encrypted_with_cmkbatch_account_logging_enabledcdn_endpoint_custom_domain_uses_latest_tls_versioncdn_endpoint_http_disabledcdn_endpoint_https_enabledcognitive_account_encrypted_with_cmkcognitive_account_public_network_access_disabledcognitive_account_restrict_public_accesscognitive_service_local_auth_disabledcompute_managed_disk_set_encryption_enabledcompute_vm_allow_extension_operations_disabledcompute_vm_and_scale_set_agent_installedcompute_vm_and_scale_set_encryption_at_host_enabledcompute_vm_and_scale_set_ssh_key_enabled_linuxcompute_vm_automatic_updates_enabled_windowscompute_vm_disable_password_authenticationcompute_vm_disable_password_authentication_linuxcompute_vm_guest_configuration_installedcompute_vm_guest_configuration_installed_linuxcompute_vm_guest_configuration_installed_windowscompute_vm_malware_agent_installedcompute_vm_scale_set_automatic_os_upgrade_enabledcompute_vm_scale_set_disable_password_authentication_linuxcompute_vm_system_updates_installedcompute_vm_uses_azure_resource_managercompute_vm_utilizing_managed_diskcontainer_instance_container_group_in_virtual_networkcontainer_instance_container_group_secure_environment_variablecontainer_registry_admin_user_disabledcontainer_registry_anonymous_pull_disabledcontainer_registry_azure_defender_enabledcontainer_registry_encrypted_with_cmkcontainer_registry_geo_replication_enabledcontainer_registry_image_scan_enabledcontainer_registry_public_network_access_disabledcontainer_registry_quarantine_policy_enabledcontainer_registry_restrict_public_accesscontainer_registry_retention_policy_enabledcontainer_registry_trust_policy_enabledcontainer_registry_use_virtual_service_endpointcontainer_registry_zone_redundant_enabledcosmodb_account_access_key_metadata_writes_disabledcosmodb_account_local_authentication_disabledcosmodb_account_public_network_access_disabledcosmodb_account_restrict_public_accesscosmosdb_account_encryption_at_rest_using_cmkcosmosdb_account_with_firewall_rulescosmosdb_use_virtual_service_endpointdata_factory_encrypted_with_cmkdata_factory_restrict_public_accessdata_factory_uses_git_repositorydatabricks_workspace_restrict_public_accessdatalake_store_account_encryption_enableddns_azure_defender_enabledeventgrid_domain_local_auth_disabledeventgrid_domain_restrict_public_accesseventgrid_domain_uses_managed_identityeventgrid_topic_local_auth_disabledeventgrid_topic_restrict_public_accesseventgrid_topic_uses_managed_identityeventhub_namespace_cmk_encryption_enabledeventhub_namespace_use_virtual_service_endpointeventhub_namespace_uses_latest_tls_versioneventhub_namespace_zone_redundantfirewall_has_firewall_policy_setfirewall_policy_intrusion_detection_mode_set_to_denyfirewall_threat_intel_mode_set_to_denyfrontdoor_firewall_policy_restrict_message_lookup_log4j2frontdoor_waf_enabledhealthcare_fhir_azure_api_encrypted_at_rest_with_cmkhealthcare_fhir_public_network_access_disablediam_no_custom_subscription_owner_roles_creatediot_hub_logging_enablediot_hub_restrict_public_accesskeyvault_azure_defender_enabledkeyvault_key_expiration_setkeyvault_logging_enabledkeyvault_managed_hms_logging_enabledkeyvault_managed_hms_purge_protection_enabledkeyvault_purge_protection_enabledkeyvault_secret_content_type_setkeyvault_secret_expiration_setkeyvault_vault_public_network_access_disabledkeyvault_vault_use_virtual_service_endpointkubernetes_azure_defender_enabledkubernetes_cluster_add_on_azure_policy_enabledkubernetes_cluster_authorized_ip_range_definedkubernetes_cluster_critical_pods_on_system_nodeskubernetes_cluster_key_vault_secret_rotation_enabledkubernetes_cluster_local_admin_disabledkubernetes_cluster_logging_enabledkubernetes_cluster_max_pod_50kubernetes_cluster_network_policy_enabledkubernetes_cluster_node_pool_type_scale_setkubernetes_cluster_node_restrict_public_accesskubernetes_cluster_os_and_data_disks_encrypted_with_cmkkubernetes_cluster_os_disk_ephemeralkubernetes_cluster_restrict_public_accesskubernetes_cluster_sku_standardkubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_hostkubernetes_cluster_upgrade_channelkubernetes_instance_rbac_enabledkusto_cluster_disk_encryption_enabledkusto_cluster_double_encryption_enabledkusto_cluster_encrypted_at_rest_with_cmkkusto_cluster_sku_with_slakusto_cluster_uses_managed_identitylogic_app_workflow_logging_enabledmachine_learning_compute_cluster_local_auth_disabledmachine_learning_compute_cluster_minimum_node_zeromachine_learning_workspace_encrypted_with_cmkmachine_learning_workspace_restrict_public_accessmariadb_server_geo_redundant_backup_enabledmariadb_server_public_network_access_disabledmariadb_server_ssl_enabledmonitor_log_profile_enabled_for_all_categoriesmonitor_log_profile_enabled_for_all_regionsmonitor_log_profile_retention_365_daysmonitor_logs_storage_container_not_public_accessiblemysql_db_server_geo_redundant_backup_enabledmysql_server_encrypted_at_rest_using_cmkmysql_server_infrastructure_encryption_enabledmysql_server_min_tls_1_2mysql_server_public_network_access_disabledmysql_server_threat_detection_enabledmysql_ssl_enablednetwork_dns_server_2network_interface_ip_forwarding_disablednetwork_security_group_http_access_restrictednetwork_security_group_not_configured_gateway_subnetsnetwork_security_group_rdp_access_restrictednetwork_security_group_ssh_access_restrictednetwork_security_group_subnet_associatednetwork_security_group_udp_access_restrictednetwork_security_rule_http_access_restrictednetwork_security_rule_rdp_access_restrictednetwork_security_rule_ssh_access_restrictednetwork_security_rule_udp_access_restrictednetwork_virtual_network_dns_server_2network_watcher_flow_log_retention_period_90_dayspostgres_db_flexible_server_geo_redundant_backup_enabledpostgres_db_server_connection_throttling_onpostgres_db_server_geo_redundant_backup_enabledpostgres_db_server_latest_tls_versionpostgres_db_server_log_checkpoints_onpostgres_db_server_log_connections_onpostgres_db_server_log_disconnections_onpostgres_db_server_log_retention_days_3postgres_db_server_threat_detection_policy_enabledpostgresql_server_encrypted_at_rest_using_cmkpostgresql_server_infrastructure_encryption_enabledpostgresql_server_public_network_access_disabledpostgresql_ssl_enabledredis_cache_min_tls_1_2redis_cache_restrict_public_accessredis_cache_standard_replication_enabledresource_manager_azure_defender_enabledsearch_service_public_allowed_ip_restrict_public_accesssearch_service_public_network_access_disabledsearch_service_replica_count_3search_service_uses_managed_identitysearch_service_uses_sku_supporting_private_linksecuritycenter_automatic_provisioning_monitoring_agent_onsecuritycenter_azure_defender_on_for_appservicesecuritycenter_azure_defender_on_for_containerregistrysecuritycenter_azure_defender_on_for_k8ssecuritycenter_azure_defender_on_for_keyvaultsecuritycenter_azure_defender_on_for_serversecuritycenter_azure_defender_on_for_sqldbsecuritycenter_azure_defender_on_for_sqlservervmsecuritycenter_azure_defender_on_for_storagesecuritycenter_contact_number_configuredsecuritycenter_email_configuredsecuritycenter_notify_alerts_configuredsecuritycenter_security_alerts_to_owner_enabledsecuritycenter_uses_standard_pricing_tierservice_bus_namespace_encrypted_with_cmkservice_bus_namespace_infrastructure_encryption_enabledservice_bus_namespace_latest_tls_versionservice_bus_namespace_local_auth_disabledservice_bus_namespace_restrict_public_accessservice_bus_namespace_uses_managed_identityservicefabric_cluster_active_directory_authentication_enabledservicefabric_cluster_protection_level_as_encrypt_and_signsignalr_services_uses_paid_skuspring_cloud_api_https_only_enabledspring_cloud_api_restrict_public_accessspring_cloud_service_network_injection_enabledsql_database_allow_internet_accesssql_database_ledger_enabledsql_database_log_monitoring_enabledsql_database_long_term_geo_redundant_backup_enabledsql_database_server_azure_defender_enabledsql_database_zone_redundant_enabledsql_db_active_directory_admin_configuredsql_db_public_network_access_disabledsql_server_admins_email_security_alert_enabledsql_server_all_security_alerts_enabledsql_server_atp_enabledsql_server_auditing_storage_account_destination_retention_90_dayssql_server_audting_retention_period_90sql_server_azure_ad_authentication_enabledsql_server_email_security_alert_enabledsql_server_uses_latest_tls_versionsql_server_vm_azure_defender_enabledstorage_account_blob_containers_public_access_privatestorage_account_blob_service_logging_enabledstorage_account_block_public_accessstorage_account_default_network_access_rule_deniedstorage_account_encryption_at_rest_using_cmkstorage_account_encryption_scopes_encrypted_at_rest_with_cmkstorage_account_infrastructure_encryption_enabledstorage_account_queue_services_logging_enabledstorage_account_replication_type_setstorage_account_restrict_network_accessstorage_account_secure_transfer_required_enabledstorage_account_trusted_microsoft_services_enabledstorage_account_use_virtual_service_endpointstorage_account_uses_azure_resource_managerstorage_account_uses_latest_minimum_tls_versionstorage_account_uses_private_linkstorage_azure_defender_enabledstorage_container_restrict_public_accessstorage_sync_private_link_usedsynapse_workspace_data_exfiltration_protection_enabledsynapse_workspace_encryption_at_rest_using_cmksynapse_workspace_private_link_usedweb_pubsub_sku_with_slaweb_pubsub_uses_managed_identity
Query: application_gateway_use_secure_ssl_cipher
Usage
powerpipe query terraform_azure_compliance.query.application_gateway_use_secure_ssl_cipherSteampipe Tables
SQL
select address as resource, case when (attributes_std -> 'ssl_policy') is null then 'alarm' when (attributes_std -> 'ssl_policy' -> 'policy_type') is null then 'alarm' when (attributes_std -> 'ssl_policy' ->> 'policy_type') = 'Predefined' and (attributes_std -> 'ssl_policy' ->> 'policy_name') = 'AppGwSslPolicy20220101S' then 'ok' when (attributes_std -> 'ssl_policy' ->> 'policy_type') = 'Predefined' and (attributes_std -> 'ssl_policy' ->> 'policy_name') <> 'AppGwSslPolicy20220101S' then 'alarm' when (attributes_std -> 'ssl_policy' ->> 'policy_type') <> 'Predefined' and (attributes_std -> 'ssl_policy' ->> 'min_protocol_version') IN ('TLSv1_2', 'TLSv1_3') and exists ( select 1 from jsonb_array_elements_text(attributes_std -> 'ssl_policy' -> 'cipher_suites') as cipher where cipher = ANY (ARRAY['TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256', 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 ', 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA', 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA']) ) then 'alarm' else 'ok' end status, split_part(address, '.', 2) || case when (attributes_std -> 'ssl_policy') is null then ' SSL policy not defined' when (attributes_std -> 'ssl_policy' -> 'policy_type') is null then ' policy type not defined' when (attributes_std -> 'ssl_policy' ->> 'policy_type') = 'Predefined' and (attributes_std -> 'ssl_policy' ->> 'policy_name') = 'AppGwSslPolicy20220101S' then ' uses secure SSL cipher' when (attributes_std -> 'ssl_policy' ->> 'policy_type') = 'Predefined' and (attributes_std -> 'ssl_policy' ->> 'policy_name') <> 'AppGwSslPolicy20220101S' then ' not uses secure SSL cipher' when (attributes_std -> 'ssl_policy' ->> 'policy_type') <> 'Predefined' and (attributes_std -> 'ssl_policy' ->> 'min_protocol_version') IN ('TLSv1_2', 'TLSv1_3') and exists ( select 1 from jsonb_array_elements_text(attributes_std -> 'ssl_policy' -> 'cipher_suites') as cipher where cipher = ANY (ARRAY['TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256', 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 ', 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA', 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA']) ) then ' not uses secure SSL cipher' else ' uses secure SSL cipher' end || '.' reason , path || ':' || start_linefrom terraform_resourcewhere type = 'azurerm_application_gateway';Controls
The query is being used by the following controls: