Table: azure_storage_container - Query Azure Storage Containers using SQL
Azure Storage Containers are a part of Azure Blob Storage service. They are used to organize blobs in a similar way as a directory in a file system. Containers provide a grouping of a set of blobs, and all blobs must be in a container.
Table Usage Guide
The azure_storage_container
table provides insights into Azure Storage Containers within Azure Blob Storage service. As a data engineer, explore container-specific details through this table, including metadata, public access level, and more. Utilize it to uncover information about containers, such as those with public access, the metadata associated with containers, and the verification of access policies.
Examples
Basic info
Explore which Azure storage containers are linked to your account. This can help in managing resources and identifying potential areas for optimization or restructuring.
select name, id, type, account_namefrom azure_storage_container;
select name, id, type, account_namefrom azure_storage_container;
List containers which are publicly accessible
Explore which Azure storage containers are set to public access, allowing you to identify potential security risks and rectify them to prevent unauthorized access to sensitive data.
select name, id, type, account_name, public_accessfrom azure_storage_containerwhere public_access <> 'None';
select name, id, type, account_name, public_accessfrom azure_storage_containerwhere public_access <> 'None';
List containers with legal hold enabled
Discover the segments that have legal hold enabled in their Azure storage containers. This is beneficial for understanding which areas have additional data preservation measures in place for legal or compliance reasons.
select name, id, type, account_name, has_legal_holdfrom azure_storage_containerwhere has_legal_hold;
select name, id, type, account_name, has_legal_holdfrom azure_storage_containerwhere has_legal_hold = 1;
List containers which are either leased or have a broken lease state
Determine the areas in which Azure storage containers are either currently leased or have a broken lease state. This is useful for managing resources and identifying potential issues with container leases.
select name, id, type, account_name, lease_statefrom azure_storage_containerwhere lease_state = 'Leased' or lease_state = 'Broken';
select name, id, type, account_name, lease_statefrom azure_storage_containerwhere lease_state = 'Leased' or lease_state = 'Broken';
List containers with infinite lease duration
Discover the segments that have an unlimited lease duration in Azure Storage, helping you identify potential areas for cost optimization and better resource management.
select name, id, type, account_name, lease_durationfrom azure_storage_containerwhere lease_duration = 'Infinite';
select name, id, type, account_name, lease_durationfrom azure_storage_containerwhere lease_duration = 'Infinite';
List containers with a remaining retention period of 7 days
Determine the areas in which Azure storage containers are nearing the end of their retention period. This is useful for proactive management of storage resources, allowing you to take timely action before the containers expire.
select name, id, type, account_name, remaining_retention_daysfrom azure_storage_containerwhere remaining_retention_days = 7;
select name, id, type, account_name, remaining_retention_daysfrom azure_storage_containerwhere remaining_retention_days = 7;
List containers ImmutabilityPolicy details
Analyze the settings to understand the immutability policies of your Azure storage containers. This can help you manage data retention and protect your data from being modified or deleted.
select name, account_name, jsonb_pretty(immutability_policy) as immutability_policyfrom azure_storage_container;
select name, account_name, immutability_policyfrom azure_storage_container;
Control examples
- All Controls > Monitor > Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- All Controls > Monitor > Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
- All Controls > Monitor > Ensure the storage container storing the operational logs is not publicly accessible
- All Controls > Storage > Ensure that 'Public access level' is set to Private for blob containers
- CIS v1.3.0 > 3 Storage Accounts > 3.5 Ensure that 'Public access level' is set to Private for blob containers
- CIS v1.3.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible
- CIS v1.3.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
- CIS v1.4.0 > 3 Storage Accounts > 3.5 Ensure that 'Public access level' is set to Private for blob containers
- CIS v1.4.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible
- CIS v1.4.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
- CIS v1.5.0 > 3 Storage Accounts > 3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers
- CIS v1.5.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible
- CIS v1.5.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- CIS v2.0.0 > 3 Storage Accounts > 3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers
- CIS v2.0.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.3 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
- CIS v2.0.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- CIS v2.1.0 > 3 Storage Accounts > 3.17 Ensure that `Allow Blob Anonymous Access` is set to `Disabled`
- CIS v2.1.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- CIS v3.0.0 > 4 Storage Accounts > 4.17 Ensure that `Allow Blob Anonymous Access` is set to `Disabled`
- CIS v3.0.0 > 6 Logging and Monitoring > 6.1 Configuring Diagnostic Settings > 6.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
Schema for azure_storage_container
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
account_name | text | = | The friendly name that identifies the storage account. |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
cloud_environment | text | The Azure Cloud Environment. | |
default_encryption_scope | text | Default the container to use specified encryption scope for all writes. | |
deleted | boolean | Indicates whether the blob container was deleted. | |
deleted_time | timestamp with time zone | Specifies the time when the container was deleted. | |
deny_encryption_scope_override | boolean | Indicates whether block override of encryption scope from the container default, or not. | |
has_immutability_policy | boolean | The hasImmutabilityPolicy public property is set to true by SRP if ImmutabilityPolicy has been created for this container. The hasImmutabilityPolicy public property is set to false by SRP if ImmutabilityPolicy has not been created for this container. | |
has_legal_hold | boolean | The hasLegalHold public property is set to true by SRP if there are at least one existing tag. The hasLegalHold public property is set to false by SRP if all existing legal hold tags are cleared out. There can be a maximum of 1000 blob containers with hasLegalHold=true for a given account. | |
id | text | Contains ID to identify a container uniquely. | |
immutability_policy | jsonb | The ImmutabilityPolicy property of the container. | |
last_modified_time | timestamp with time zone | Specifies the date and time the container was last modified. | |
lease_duration | text | Specifies whether the lease on a container is of infinite or fixed duration, only when the container is leased. Possible values are: 'Infinite', 'Fixed'. | |
lease_state | text | Specifies the lease state of the container. | |
lease_status | text | Specifies the lease status of the container. | |
legal_hold | jsonb | The LegalHold property of the container. | |
metadata | jsonb | A name-value pair to associate with the container as metadata. | |
name | text | = | The friendly name that identifies the container. |
public_access | text | Specifies whether data in the container may be accessed publicly and the level of access. | |
remaining_retention_days | bigint | Remaining retention days for soft deleted blob container. | |
resource_group | text | = | The resource group which holds this resource. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
title | text | Title of the resource. | |
type | text | Specifies the type of the container. | |
version | text | The version of the deleted blob container. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure
You can pass the configuration to the command with the --config
argument:
steampipe_export_azure --config '<your_config>' azure_storage_container