steampipe plugin install azure

Table: azure_compute_disk_encryption_set - Query Azure Compute Disk Encryption Sets using SQL

Azure Compute Disk Encryption Sets is a resource within Microsoft Azure that manages the encryption of Azure Disk Storage. It provides a centralized way to manage and enforce encryption policies for data at rest. Azure Compute Disk Encryption Sets help you meet organizational security and compliance commitments.

Table Usage Guide

The azure_compute_disk_encryption_set table provides insights into encryption sets within Azure Compute Disk. As a security analyst, explore encryption set-specific details through this table, including encryption settings, associated keys, and metadata. Utilize it to uncover information about encryption sets, such as those with outdated keys, the associations between encryption sets and disks, and the verification of encryption policies.

Examples

Key vault associated with each disk encryption set

List the key vault and key name associated with each disk encryption set. This can be useful for understanding the security configuration of your Azure resources and identifying potential vulnerabilities.

Postgres:

select
  name,
  split_part(active_key_source_vault_id, '/', 9) as vault_name,
  split_part(active_key_url, '/', 5) as key_name
from
  azure_compute_disk_encryption_set;

SQLite:

Error: SQLite does not support split_part function.

List of encryption sets which are not using customer managed key

List the disk encryption sets in Azure that are not using customer-managed keys. This is useful for identifying potential security vulnerabilities where data is not being encrypted with the customer's keys.

Postgres:

select
  name,
  encryption_type
from
  azure_compute_disk_encryption_set
where
  (
    encryption_type <> 'EncryptionAtRestWithPlatformAndCustomerKeys'
    and encryption_type <> 'EncryptionAtRestWithCustomerKey'
  );

SQLite:

select
  name,
  encryption_type
from
  azure_compute_disk_encryption_set
where
  (
    encryption_type != 'EncryptionAtRestWithPlatformAndCustomerKeys'
    and encryption_type != 'EncryptionAtRestWithCustomerKey'
  );

Identity info of each disk encryption set

Review the managed identity type, principal ID, and tenant ID of each disk encryption set. This can help in managing and tracking the sets effectively.

select
  name,
  identity_type,
  identity_principal_id,
  identity_tenant_id
from
  azure_compute_disk_encryption_set;
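
The three examples above can be combined into a single review query. The following is an added example, not part of the Steampipe documentation; it is written for Postgres, uses only columns listed in the schema below, and assumes the key URL has the layout https://<vault>.vault.azure.net/keys/<name>/<version>, so that field 6 is the key version.

```sql
-- Added example: one row per disk encryption set, covering key source,
-- rotation state and managed identity in a single pass.
select
  name,
  resource_group,
  encryption_type,
  -- Mirrors the filter in the customer-managed-key example above. Other
  -- values (for example ConfidentialVmEncryptedWithCustomerKey) show as
  -- false here and should be checked by reading encryption_type directly.
  coalesce(
    encryption_type in (
      'EncryptionAtRestWithCustomerKey',
      'EncryptionAtRestWithPlatformAndCustomerKeys'
    ),
    false
  ) as cmk_at_rest,
  split_part(active_key_source_vault_id, '/', 9) as vault_name,
  split_part(active_key_url, '/', 5) as key_name,
  -- Assumption: field 6 of the key URL is the key version.
  -- Null when the URL carries no version segment.
  nullif(split_part(active_key_url, '/', 6), '') as key_version,
  -- previous_keys lists keys used before the active one while a key
  -- rotation is in progress, so a non-zero count means a rotation has
  -- not completed yet.
  case
    when jsonb_typeof(previous_keys) = 'array'
      then jsonb_array_length(previous_keys)
    else 0
  end as previous_key_count,
  identity_type,
  identity_principal_id,
  provisioning_state
from
  azure_compute_disk_encryption_set
order by
  cmk_at_rest,
  previous_key_count desc,
  name;
```

Rows with cmk_at_rest = false sort first, followed by sets with a rotation still in progress.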

Schema for azure_compute_disk_encryption_set

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
active_key_source_vault_id | text | | Resource id of the KeyVault containing the key or secret
active_key_url | text | | Url pointing to a key or secret in KeyVault
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
cloud_environment | text | | The Azure Cloud Environment.
encryption_type | text | | Contains the type of the encryption
id | text | | The unique id identifying the resource in subscription
identity_principal_id | text | | The object id of the Managed Identity Resource
identity_tenant_id | text | | The tenant id of the Managed Identity Resource
identity_type | text | | The type of Managed Identity used by the DiskEncryptionSet
name | text | = | The friendly name that identifies the disk encryption set
previous_keys | jsonb | | A list of key vault keys previously used by this disk encryption set while a key rotation is in progress
provisioning_state | text | | The disk encryption set provisioning state
region | text | | The Azure region/location in which the resource is located.
resource_group | text | = | The resource group which holds this resource.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located.
tags | jsonb | | A map of tags for the resource.
title | text | | Title of the resource.
type | text | | The type of the resource in Azure

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure

You can pass the configuration to the command with the --config argument:

steampipe_export_azure --config '<your_config>' azure_compute_disk_encryption_set