Table: azure_app_service_web_app - Query Azure App Service Web Apps using SQL
Azure App Service is a fully managed platform for building, deploying, and scaling web applications. It supports a variety of programming languages, tools, and frameworks, including both Microsoft-specific and third-party software and systems. With Azure App Service, you can quickly build, deploy, and scale enterprise-grade web, mobile, and API apps running on any platform.
Table Usage Guide
The azure_app_service_web_app table provides insights into web applications hosted on Azure App Service. As a developer or system administrator, you can use this table to examine the configuration, status, and metadata of these applications. It can be particularly useful for monitoring and managing your web applications, ensuring they are correctly configured, running smoothly, and adhering to your organization's operational and security policies.
Examples
Outbound IP addresses and possible outbound IP addresses info of each web app
Explore which web applications in your Azure App Service have specific outbound IP addresses. This is useful for understanding the network behavior of your applications, particularly for security monitoring or compliance purposes.
select name, outbound_ip_addresses, possible_outbound_ip_addresses from azure_app_service_web_app;
List web apps that accept HTTP traffic (i.e. HTTPS only is disabled)
Find web applications that accept plain HTTP traffic because the more secure HTTPS-only mode is disabled. This can be useful for identifying potential security risks in your Azure App Service.
Postgres:
select name, https_only, kind, region from azure_app_service_web_app where not https_only;
SQLite:
select name, https_only, kind, region from azure_app_service_web_app where https_only = 0;
List web apps where client certificate mode is disabled
Find web applications that are potentially vulnerable because client certificate mode is disabled. This is crucial for enhancing security measures and ensuring data protection.
Postgres:
select name, client_cert_enabled, kind, region from azure_app_service_web_app where not client_cert_enabled;
SQLite:
select name, client_cert_enabled, kind, region from azure_app_service_web_app where client_cert_enabled = 0;
Host names of each web app
List the hostnames associated with each web application, together with its kind, region and resource group. This helps in understanding their geographical distribution and in resource management.
select name, host_names, kind, region, resource_group from azure_app_service_web_app;
List web apps with latest HTTP version
Find web applications that are running on the latest HTTP version, that is, with http20Enabled set in their configuration. This can be useful for ensuring applications are up-to-date and taking advantage of the latest protocol features for performance and security.
Postgres:
select name, enabled, region from azure_app_service_web_app where (configuration -> 'properties' ->> 'http20Enabled') :: boolean;
SQLite:
select name, enabled, region from azure_app_service_web_app where json_extract(configuration, '$.properties.http20Enabled') = 'true';
List web apps that have FTP deployments set to disabled
Find web applications that do not allow plain FTP deployments, allowing for a better understanding of security measures in place and potential areas of vulnerability. The filter excludes only the AllAllowed state, so the result includes apps set to FtpsOnly as well as apps set to Disabled; the ftps_state column shows which.
Postgres:
select name, configuration -> 'properties' ->> 'ftpsState' as ftps_state from azure_app_service_web_app where configuration -> 'properties' ->> 'ftpsState' <> 'AllAllowed';
SQLite:
select name, json_extract( json_extract(configuration, '$.properties'), '$.ftpsState' ) as ftps_state from azure_app_service_web_app where json_extract( json_extract(configuration, '$.properties'), '$.ftpsState' ) <> 'AllAllowed';
List web apps that have managed service identity disabled
Determine the areas in which web apps are operating without a managed service identity, which is a key security feature. This could be used to identify potential vulnerabilities and improve overall system security.
select name, enabled, region, identity from azure_app_service_web_app where identity = '{}';
Get the storage information associated with a particular app
Explore the storage details linked to a specific application in Azure's App Service. This can help you understand the configuration and enablement status of your storage in a particular region, which can be crucial for optimizing resource allocation and management.
select name, enabled, region, identity, storage_info_value from azure_app_service_web_app where resource_group = 'demo' and name = 'web-app-test-storage-info';
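The individual checks above can be combined into a single report with one row per app and a list of failed checks. This is an added example, not part of the original Steampipe documentation; it uses Postgres syntax and only the columns and JSON keys shown on this page, and it assumes that a missing value should count as a finding.

```sql
-- Added example (Postgres syntax), not from the Steampipe documentation.
with checks as (
  select
    name,
    resource_group,
    region,
    -- Assumption: a NULL setting is treated as a finding. Without coalesce(),
    -- `not NULL` and `<> NULL` evaluate to NULL and the app silently drops out.
    not coalesce(https_only, false) as http_allowed,
    not coalesce(client_cert_enabled, false) as client_cert_off,
    coalesce(configuration -> 'properties' ->> 'ftpsState', 'AllAllowed')
      = 'AllAllowed' as plain_ftp_allowed,
    not coalesce((configuration -> 'properties' ->> 'http20Enabled')::boolean, false)
      as http2_off,
    coalesce(identity, '{}'::jsonb) = '{}'::jsonb as no_managed_identity
  from
    azure_app_service_web_app
),
report as (
  select
    name,
    resource_group,
    region,
    -- Each CASE yields NULL when the check passes; array_remove drops those.
    array_remove(array[
      case when http_allowed then 'HTTPS only disabled' end,
      case when client_cert_off then 'client certificates disabled' end,
      case when plain_ftp_allowed then 'plain FTP allowed' end,
      case when http2_off then 'HTTP 2.0 not enabled' end,
      case when no_managed_identity then 'no managed identity' end
    ], null) as findings
  from
    checks
)
select
  name,
  resource_group,
  region,
  findings
from
  report
where
  cardinality(findings) > 0
order by
  cardinality(findings) desc,
  resource_group,
  name;
```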
Query examples
- app_service_web_app_by_ftp_state
- app_service_web_app_by_http_logging
- app_service_web_app_by_kind
- app_service_web_app_by_network_traffic_protocol
- app_service_web_app_by_region
- app_service_web_app_by_state
- app_service_web_app_by_subscription
- app_service_web_app_configuration
- app_service_web_app_count
- app_service_web_app_diagnostic_logs_configuration
- app_service_web_app_ftps_state
- app_service_web_app_http_logging
- app_service_web_app_http_logging_count
- app_service_web_app_https
- app_service_web_app_https_disabled_count
- app_service_web_app_ip_security_restrictions
- app_service_web_app_kind
- app_service_web_app_offline_count
- app_service_web_app_state
- app_service_web_app_tags
- app_service_web_app_tls_version
- app_service_web_apps_for_network_subnet
- network_application_gateways_for_app_service_web
- network_subnets_for_app_service_web
- network_virtual_networks_for_app_service_web
Control examples
- All Controls > App Service > Ensure App Service authentication is set up for apps in Azure App Service
- All Controls > App Service > Ensure FTP deployments are Disabled
- All Controls > App Service > Ensure that 'Java version' is the latest, if used as a part of the Web app
- All Controls > App Service > Ensure that 'PHP version' is the latest, if used as a part of the WEB app
- All Controls > App Service > Ensure that 'Python version' is the latest, if used as a part of the Web app
- All Controls > App Service > Ensure that Register with Azure Active Directory is enabled on App Service
- All Controls > App Service > Latest TLS version should be used in your Web App
- All Controls > App Service > Managed identity should be used in your API App
- All Controls > App Service > Remote debugging should be turned off for Web Applications
- All Controls > App Service > Web app failed request tracing should be enabled
- All Controls > App Service > Web app HTTP logs should be enabled
- All Controls > App Service > Web app should use the latest 'Net Framework' version
- All Controls > App Service > Web apps should be configured to always be on
- All Controls > App Service > Web apps should have health check enabled
- App Service API apps should only be accessible over HTTPS
- App Service apps should have 'Client Certificates (Incoming client certificates)' enabled
- App Service apps should have Client Certificates (Incoming client certificates) enabled
- App Service apps should have remote debugging turned off
- App Service apps should have resource logs enabled
- App Service apps should not have CORS configured to allow every resource to access your apps
- App Service apps should use a virtual network service endpoint
- App Service apps should use managed identity
- App Service apps should use the latest TLS version
- CIS v1.3.0 > 9 AppService > 9.1 Ensure App Service Authentication is set on Azure App Service
- CIS v1.3.0 > 9 AppService > 9.10 Ensure FTP deployments are disabled
- CIS v1.3.0 > 9 AppService > 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
- CIS v1.3.0 > 9 AppService > 9.3 Ensure web app is using the latest version of TLS encryption
- CIS v1.3.0 > 9 AppService > 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
- CIS v1.3.0 > 9 AppService > 9.5 Ensure that Register with Azure Active Directory is enabled on App Service
- CIS v1.3.0 > 9 AppService > 9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app
- CIS v1.4.0 > 9 AppService > 9.1 Ensure App Service Authentication is set up for apps in Azure App Service
- CIS v1.4.0 > 9 AppService > 9.10 Ensure FTP deployments are disabled
- CIS v1.4.0 > 9 AppService > 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
- CIS v1.4.0 > 9 AppService > 9.3 Ensure web app is using the latest version of TLS encryption
- CIS v1.4.0 > 9 AppService > 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
- CIS v1.4.0 > 9 AppService > 9.5 Ensure that Register with Azure Active Directory is enabled on App Service
- CIS v1.4.0 > 9 AppService > 9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app
- CIS v1.5.0 > 9 AppService > 9.1 Ensure App Service Authentication is set up for apps in Azure App Service
- CIS v1.5.0 > 9 AppService > 9.10 Ensure FTP deployments are disabled
- CIS v1.5.0 > 9 AppService > 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
- CIS v1.5.0 > 9 AppService > 9.3 Ensure web app is using the latest version of TLS encryption
- CIS v1.5.0 > 9 AppService > 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
- CIS v1.5.0 > 9 AppService > 9.5 Ensure that Register with Azure Active Directory is enabled on App Service
- CIS v1.5.0 > 9 AppService > 9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app
- CIS v2.0.0 > 9 AppService > 9.1 Ensure App Service Authentication is set up for apps in Azure App Service
- CIS v2.0.0 > 9 AppService > 9.10 Ensure FTP deployments are Disabled
- CIS v2.0.0 > 9 AppService > 9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
- CIS v2.0.0 > 9 AppService > 9.3 Ensure Web App is using the latest version of TLS encryption
- CIS v2.0.0 > 9 AppService > 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
- CIS v2.0.0 > 9 AppService > 9.5 Ensure that Register with Azure Active Directory is enabled on App Service
- CIS v2.0.0 > 9 AppService > 9.9 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
- CIS v2.1.0 > 9 AppService > 9.1 Ensure App Service Authentication is set up for apps in Azure App Service
- CIS v2.1.0 > 9 AppService > 9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
- CIS v2.1.0 > 9 AppService > 9.3 Ensure Web App is using the latest version of TLS encryption
- CIS v2.1.0 > 9 AppService > 9.4 Ensure that Register with Entra ID is enabled on App Service
- CIS v2.1.0 > 9 AppService > 9.5 Ensure That 'PHP version' is the Latest, If Used to Run the Web App
- CIS v2.1.0 > 9 AppService > 9.6 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
- CIS v2.1.0 > 9 AppService > 9.7 Ensure that 'Java version' is the latest, if used to run the Web App
- CIS v2.1.0 > 9 AppService > 9.8 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
- CIS v2.1.0 > 9 AppService > 9.9 Ensure FTP deployments are Disabled
- CIS v3.0.0 > 9 AppService > 9.1 Ensure 'HTTPS Only' is set to `On`
- CIS v3.0.0 > 9 AppService > 9.10 Ensure that 'HTTP20enabled' is set to 'true' (if in use)
- CIS v3.0.0 > 9 AppService > 9.12 Ensure that 'Remote debugging' is set to 'Off'
- CIS v3.0.0 > 9 AppService > 9.2 Ensure App Service Authentication is set up for apps in Azure App Service
- CIS v3.0.0 > 9 AppService > 9.3 Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'
- CIS v3.0.0 > 9 AppService > 9.4 Ensure Web App is using the latest version of TLS encryption
- CIS v3.0.0 > 9 AppService > 9.5 Ensure that Register with Entra ID is enabled on App Service
- CIS v3.0.0 > 9 AppService > 9.7 Ensure that 'PHP version' is currently supported (if in use)
- CIS v3.0.0 > 9 AppService > 9.8 Ensure that 'Python version' is currently supported (if in use)
- CIS v3.0.0 > 9 AppService > 9.9 Ensure that 'Java version' is currently supported (if in use)
- Ensure that 'HTTP Version' is the latest, if used to run the Web app
- Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
- FTPS only should be required in your API App
- FTPS should be required in your Web App
- Web Application should only be accessible over HTTPS
Schema for azure_app_service_web_app
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
auth_settings | jsonb | | Describes the Authentication/Authorization settings of an app. |
client_affinity_enabled | boolean | | Specify whether client affinity is enabled. |
client_cert_enabled | boolean | | Specify whether client certificate authentication is enabled. |
cloud_environment | text | | The Azure Cloud Environment. |
configuration | jsonb | | Describes the configuration of an app. |
default_site_hostname | text | | Default hostname of the app. |
diagnostic_logs_configuration | jsonb | | Describes the logging configuration of an app. |
enabled | boolean | | Specify whether the app is enabled. |
host_name_disabled | boolean | | Specify whether the public hostnames of the app are disabled. |
host_names | jsonb | | A list of hostnames associated with the app. |
https_only | boolean | | Specify whether the web site is configured to accept only HTTPS requests. |
id | text | | Contains ID to identify an app service web app uniquely. |
identity | jsonb | | Managed service identity for the resource. |
kind | text | | Contains the kind of the resource. |
name | text | = | The friendly name that identifies the app service web app. |
outbound_ip_addresses | text | | List of IP addresses that the app uses for outbound connections (e.g. database access). |
possible_outbound_ip_addresses | text | | List of possible IP addresses that the app uses for outbound connections (e.g. database access). |
region | text | | The Azure region/location in which the resource is located. |
reserved | boolean | | Specify whether the app is reserved. |
resource_group | text | = | The resource group which holds this resource. |
site_config | jsonb | | A map of all configuration for the app. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
state | text | | Current state of the app. |
storage_info_value | jsonb | | AzureStorageInfoValue: Azure Files or Blob Storage access information value for dictionary storage. |
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
tags | jsonb | | A map of tags for the resource. |
title | text | | Title of the resource. |
type | text | | The resource type of the app service web app. |
vnet_connection | jsonb | | Describes the virtual network connection for the app. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure
You can pass the configuration to the command with the --config argument:
steampipe_export_azure --config '<your_config>' azure_app_service_web_app