Table: azure_compute_disk_encryption_set - Query Azure Compute Disk Encryption Sets using SQL
Azure Compute Disk Encryption Sets is a resource within Microsoft Azure that manages the encryption of Azure Disk Storage. It provides a centralized way to manage and enforce encryption policies for data at rest. Azure Compute Disk Encryption Sets help you meet organizational security and compliance commitments.
Table Usage Guide
The azure_compute_disk_encryption_set table provides insights into encryption sets within Azure Compute Disk. As a security analyst, explore encryption set-specific details through this table, including encryption settings, associated keys, and metadata. Utilize it to uncover information about encryption sets, such as those with outdated keys, the associations between encryption sets and disks, and the verification of encryption policies.
Examples
Key vault associated with each disk encryption set
Determine the areas in which a specific key vault is associated with each disk encryption set. This can be useful for understanding the security configuration of your Azure resources and identifying potential vulnerabilities.
select name, split_part(active_key_source_vault_id, '/', 9) as vault_name, split_part(active_key_url, '/', 5) as key_namefrom azure_compute_disk_encryption_set;Error: SQLite does not support split_part function.List of encryption sets which are not using customer managed key
Determine the areas in which disk encryption sets in Azure are not utilizing customer-managed keys. This is useful for identifying potential security vulnerabilities where data is not being encrypted using customer's keys.
select name, encryption_typefrom azure_compute_disk_encryption_setwhere ( encryption_type <> 'EncryptionAtRestWithPlatformAndCustomerKeys' and encryption_type <> 'EncryptionAtRestWithCustomerKey' );select name, encryption_typefrom azure_compute_disk_encryption_setwhere ( encryption_type != 'EncryptionAtRestWithPlatformAndCustomerKeys' and encryption_type != 'EncryptionAtRestWithCustomerKey' );Identity info of each disk encryption set
Assess the elements within each disk encryption set to gain insights into their identity information. This can help in managing and tracking the sets effectively across your network.
select name, identity_type, identity_principal_id, identity_tenant_idfrom azure_compute_disk_encryption_set;select name, identity_type, identity_principal_id, identity_tenant_idfrom azure_compute_disk_encryption_set;Query examples
- compute_disk_encryption_details
- compute_disk_encryption_set_details
- compute_disk_encryption_sets_for_compute_disk
- compute_disk_encryption_sets_for_compute_snapshot
- compute_disk_encryption_sets_for_key_vault_key
- compute_disk_encryption_sets_for_kubernetes_cluster
- key_vault_keys_for_compute_disk
- key_vault_keys_for_compute_snapshot
- key_vault_vaults_for_compute_disk
- key_vault_vaults_for_compute_snapshot
Schema for azure_compute_disk_encryption_set
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| active_key_source_vault_id | text | Resource id of the KeyVault containing the key or secret | |
| active_key_url | text | Url pointing to a key or secret in KeyVault | |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
| cloud_environment | text | The Azure Cloud Environment. | |
| encryption_type | text | Contains the type of the encryption | |
| id | text | The unique id identifying the resource in subscription | |
| identity_principal_id | text | The object id of the Managed Identity Resource | |
| identity_tenant_id | text | The tenant id of the Managed Identity Resource | |
| identity_type | text | The type of Managed Identity used by the DiskEncryptionSet | |
| name | text | = | The friendly name that identifies the disk encryption set |
| previous_keys | jsonb | A list of key vault keys previously used by this disk encryption set while a key rotation is in progress | |
| provisioning_state | text | The disk encryption set provisioning state | |
| region | text | The Azure region/location in which the resource is located. | |
| resource_group | text | = | The resource group which holds this resource. |
| subscription_id | text | The Azure Subscription ID in which the resource is located. | |
| tags | jsonb | A map of tags for the resource. | |
| title | text | Title of the resource. | |
| type | text | The type of the resource in Azure |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azureYou can pass the configuration to the command with the --config argument:
steampipe_export_azure --config '<your_config>' azure_compute_disk_encryption_set