Table: azure_subscription - Query Azure Subscriptions using SQL
Azure Subscriptions act as a logical container for resources deployed on Microsoft Azure. They provide a mechanism to organize access to Azure resources, manage costs, and track billing. Each Azure Subscription can have a different billing and payment setup, allowing flexibility in how users and organizations pay for the usage of Azure Services.
Table Usage Guide
The azure_subscription table provides insights into Azure Subscriptions within Microsoft Azure. As a cloud architect or administrator, explore subscription-specific details through this table, including subscription IDs, names, states, and tenants. Utilize it to manage and organize access to Azure resources, track billing, and understand the cost management setup across different subscriptions.
Examples
Basic info
List every subscription with its state, authorization source, and subscription policies, to see which subscriptions are active and how access to them was granted. This is the starting point for inventorying and managing your cloud resources.
select
  id,
  subscription_id,
  display_name,
  tenant_id,
  state,
  authorization_source,
  subscription_policies
from
  azure_subscription;
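As an added example that is not part of the Steampipe documentation, the following query flags subscriptions that are not in the Enabled state (Warned, PastDue, Disabled or Deleted subscriptions still carry resources and role assignments worth reviewing) and pulls the quota and spending-limit fields out of subscription_policies. The jsonb key names 'quotaId' and 'spendingLimit' are an assumption based on the Azure REST API naming.

```sql
-- Added example (not from the Steampipe docs).
-- Assumption: subscription_policies is a jsonb object whose keys follow the
-- Azure REST API names ('quotaId', 'spendingLimit', 'locationPlacementId').
select
  display_name,
  subscription_id,
  tenant_id,
  state,
  authorization_source,
  subscription_policies ->> 'quotaId' as quota_id,
  subscription_policies ->> 'spendingLimit' as spending_limit,
  case
    when state = 'Enabled' then 'ok'
    else 'review: subscription is ' || lower(state)
  end as finding
from
  azure_subscription
order by
  -- non-Enabled subscriptions first, then alphabetically
  state <> 'Enabled' desc,
  display_name;
```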
Query examples
- app_service_web_app_by_subscription
- compute_disk_by_subscription
- compute_disk_storage_by_subscription
- compute_snapshot_by_subscription
- compute_virtual_machine_by_subscription
- compute_virtual_machine_scale_set_by_subscription
- cosmosdb_account_by_subscription
- key_vault_by_subscription
- key_vault_key_by_subscription
- kubernetes_cluster_by_subscription
- network_express_route_circuit_by_subscription
- network_security_group_by_subscription
- sql_database_by_subscription
- sql_server_by_subscription
- subscription_count
- subscription_table
- storage_account_by_subscription
- virtual_network_by_subscription
Control examples
- 1.20 Ensure that no custom subscription owner roles are created
- 1.21 Ensure that no custom subscription owner roles are created
- 1.22 Ensure That No Custom Subscription Administrator Roles Exist
- 1.23 Ensure That No Custom Subscription Administrator Roles Exist
- 1.23 Ensure That No Custom Subscription Owner Roles Are Created
- 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
- 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
- 10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources
- 2.1 Ensure that Azure Defender is set to On for Servers
- 2.1 Ensure that Microsoft Defender for Servers is set to 'On'
- 2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On'
- 2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On'
- 2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On'
- 2.1.10 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'
- 2.1.10 Ensure That Microsoft Defender for Key Vault Is Set To 'On'
- 2.1.10 Ensure That Microsoft Defender for Key Vault Is Set To 'On'
- 2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On'
- 2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On'
- 2.1.11 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
- 2.1.12 Ensure That Microsoft Defender for IoT Is Set To 'On'
- 2.1.12 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
- 2.1.12 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- 2.1.13 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'
- 2.1.13 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'
- 2.1.13 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- 2.1.14 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
- 2.1.14 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
- 2.1.15 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
- 2.1.15 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
- 2.1.16 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
- 2.1.16 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
- 2.1.17 Ensure That 'All users with the following roles' is set to 'Owner'
- 2.1.17 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
- 2.1.18 Ensure 'Additional email addresses' is Configured with a Security Contact Email
- 2.1.18 Ensure That 'All users with the following roles' is set to 'Owner'
- 2.1.19 Ensure 'Additional email addresses' is Configured with a Security Contact Email
- 2.1.19 Ensure That 'Notify about alerts with the following severity' is Set to 'High'
- 2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On'
- 2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On'
- 2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On'
- 2.1.20 Ensure That 'Notify about alerts with the following severity' is Set to 'High'
- 2.1.20 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
- 2.1.21 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
- 2.1.21 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
- 2.1.22 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled
- 2.1.22 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
- 2.1.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'
- 2.1.3 Ensure That Microsoft Defender for Databases Is Set To 'On'
- 2.1.3 Ensure That Microsoft Defender for Databases Is Set To 'On'
- 2.1.4 Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
- 2.1.4 Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'
- 2.1.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
- 2.1.5 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
- 2.1.5 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
- 2.1.5 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
- 2.1.6 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
- 2.1.6 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
- 2.1.6 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'
- 2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On'
- 2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On'
- 2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On'
- 2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On'
- 2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On'
- 2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On'
- 2.1.9 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'
- 2.1.9 Ensure That Microsoft Defender for Cosmos DB Is Set To 'On'
- 2.1.9 Ensure That Microsoft Defender for Key Vault Is Set To 'On'
- 2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected
- 2.10 Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected
- 2.11 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On'
- 2.11 Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
- 2.12 Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled'
- 2.12 Ensure any of the ASC Default policy setting is not set to "Disabled"
- 2.13 Ensure 'Additional email addresses' is Configured with a Security Contact Email
- 2.13 Ensure 'Additional email addresses' is configured with a security contact email
- 2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High'
- 2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High'
- 2.15 Ensure that 'All users with the following roles' is set to 'Owner'
- 2.15 Ensure that 'All users with the following roles' is set to 'Owner'
- 2.2 Ensure that Azure Defender is set to On for App Service
- 2.2 Ensure that Microsoft Defender for App Service is set to 'On'
- 2.2.1 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'
- 2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- 2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'
- 2.2.2 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'
- 2.2.3 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'
- 2.3 Ensure that Azure Defender is set to On for Azure SQL database servers
- 2.3 Ensure that Microsoft Defender for Azure SQL Databases is set to 'On'
- 2.3.1 Ensure That 'All users with the following roles' is set to 'Owner'
- 2.3.2 Ensure 'Additional email addresses' is Configured with a Security Contact Email
- 2.3.3 Ensure That 'Notify about alerts with the following severity' is Set to 'High'
- 2.4 Ensure that Azure Defender is set to On for SQL servers on machines
- 2.4 Ensure that Microsoft Defender for SQL servers on machines is set to 'On'
- 2.4.1 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected
- 2.4.2 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected
- 2.5 Ensure that Azure Defender is set to On for Storage
- 2.5 Ensure that Microsoft Defender for Storage is set to 'On'
- 2.5 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'
- 2.6 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'
- 2.6 Ensure that Azure Defender is set to On for Kubernetes
- 2.6 Ensure that Microsoft Defender for Kubernetes is set to 'On'
- 2.7 Ensure that Azure Defender is set to On for Container Registries
- 2.7 Ensure that Microsoft Defender for Container Registries is set to 'On'
- 2.8 Ensure that Azure Defender is set to On for Key Vault
- 2.8 Ensure that Microsoft Defender for Key Vault is set to 'On'
- 2.9 Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected
- 2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected
- 3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
- 3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
- 3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
- 3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
- 3.1 Ensure that 'Secure transfer required' is set to 'Enabled'
- 3.10 Ensure Private Endpoints are used to access Storage Accounts
- 3.10 Ensure Private Endpoints are used to access Storage Accounts
- 3.10 Ensure Private Endpoints are used to access Storage Accounts
- 3.10 Ensure Storage logging is enabled for Blob service for 'Read', 'Write', and 'Delete' requests
- 3.10 Ensure Storage logging is enabled for Blob service for read, write, and delete requests
- 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
- 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
- 3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage
- 3.11 Ensure Storage logging is enabled for Table service for 'Read', 'Write', and 'Delete' requests
- 3.11 Ensure Storage logging is enabled for Table service for read, write, and delete requests
- 3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
- 3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
- 3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys
- 3.12 Ensure the 'Minimum TLS version' is set to 'Version 1.2'
- 3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
- 3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
- 3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests
- 3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
- 3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
- 3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests
- 3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- 3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- 3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- 3.16 Ensure 'Cross Tenant Replication' is not enabled
- 3.17 Ensure that `Allow Blob Anonymous Access` is set to `Disabled`
- 3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
- 3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'
- 3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to ‘enabled’
- 3.2 Ensure that storage account access keys are periodically regenerated
- 3.2 Ensure that storage account access keys are periodically regenerated
- 3.3 Ensure Storage logging is enabled for Queue service for 'Read', 'Write', and 'Delete' requests
- 3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests
- 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- 3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account
- 3.4 Ensure that shared access signature tokens expire within an hour
- 3.4 Ensure that shared access signature tokens expire within an hour
- 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated
- 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated
- 3.4 Ensure that Storage Account Access Keys are Periodically Regenerated
- 3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' request
- 3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
- 3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests
- 3.5 Ensure that 'Public access level' is set to Private for blob containers
- 3.5 Ensure that 'Public access level' is set to Private for blob containers
- 3.6 Ensure default network access rule for Storage Accounts is set to deny
- 3.6 Ensure default network access rule for Storage Accounts is set to deny
- 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour
- 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour
- 3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour
- 3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
- 3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access
- 3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers
- 3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers
- 3.7 Ensure that 'Public Network Access' is `Disabled' for storage accounts
- 3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny
- 3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny
- 3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny
- 3.8 Ensure soft delete is enabled for Azure Storage
- 3.8 Ensure soft delete is enabled for Azure Storage
- 3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- 3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- 3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- 3.9 Ensure storage for critical data are encrypted with Customer Managed Key
- 3.9 Ensure storage for critical data are encrypted with Customer Managed Key
- 4.1.1 Ensure that 'Auditing' is set to 'On'
- 4.1.1 Ensure that 'Auditing' is set to 'On'
- 4.1.1 Ensure that 'Auditing' is set to 'On'
- 4.1.1 Ensure that 'Auditing' is set to 'On'
- 4.1.1 Ensure that 'Auditing' is set to 'On'
- 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- 4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database
- 4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database
- 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- 4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days'
- 4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days'
- 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers
- 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers
- 4.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers
- 4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database
- 4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database
- 4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database
- 4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'
- 4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'
- 4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'
- 4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'
- 4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'
- 4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
- 4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
- 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
- 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
- 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
- 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
- 4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
- 4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
- 4.2.3 Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
- 4.2.3 Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
- 4.2.4 Ensure that VA setting 'Send scan reports to' is configured for a SQL server
- 4.2.4 Ensure that VA setting Send scan reports to is configured for a SQL server
- 4.2.4 Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
- 4.2.4 Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
- 4.2.5 Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server
- 4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL server
- 4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
- 4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
- 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- 4.3.2 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
- 4.3.2 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- 4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- 4.3.4 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- 4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- 4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- 4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- 4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- 4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- 4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- 4.3.6 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- 4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- 4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- 4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- 4.3.7 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- 4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
- 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
- 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
- 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
- 4.4 Ensure that Azure Active Directory Admin is configured
- 4.4.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server
- 4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
- 4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
- 4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
- 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
- 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
- 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
- 4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
- 4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
- 4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
- 4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
- 4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
- 4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
- 4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
- 4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key
- 4.5 Ensure that Azure Active Directory Admin is configured
- 4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
- 4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
- 4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
- 4.5.2 Ensure That Private Endpoints Are Used Where Possible
- 4.5.2 Ensure That Private Endpoints Are Used Where Possible
- 4.5.2 Ensure That Private Endpoints Are Used Where Possible
- 4.5.3 Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
- 4.5.3 Use Entra ID Client Authentication and Azure RBAC where possible
- 4.6 Ensure SQL server's TDE protector is encrypted with Customer-managed key
- 5.1.1 Ensure that a 'Diagnostic Setting' exists
- 5.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- 5.1.1 Ensure that a 'Diagnostics Setting' exists
- 5.1.1 Ensure that a 'Diagnostics Setting' exists
- 5.1.1 Ensure that a 'Diagnostics Setting' exists
- 5.1.2 Ensure Diagnostic Setting captures appropriate categories
- 5.1.2 Ensure Diagnostic Setting captures appropriate categories
- 5.1.2 Ensure Diagnostic Setting captures appropriate categories
- 5.1.2 Ensure Diagnostic Setting captures appropriate categories
- 5.1.2 Ensure Diagnostic Setting captures appropriate categories
- 5.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible
- 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible
- 5.1.3 Ensure the storage container storing the activity logs is not publicly accessible
- 5.1.3 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
- 5.1.4 Ensure that logging for Azure Key Vault is 'Enabled'
- 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
- 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)
- 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- 5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- 5.1.5 Ensure that logging for Azure Key Vault is 'Enabled'
- 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'
- 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'
- 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'
- 5.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- 5.1.6 Ensure that logging for Azure AppService 'HTTP logs' is enabled
- 5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- 5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics
- 5.1.7 Ensure that logging for Azure AppService 'AppServiceHTTPLogs' is enabled.
- 5.1.7 Ensure that logging for Azure AppService 'HTTP logs' is enabled
- 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
- 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
- 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
- 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
- 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment
- 5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule
- 5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule
- 5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule
- 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
- 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
- 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
- 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
- 5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment
- 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group
- 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group
- 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group
- 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group
- 5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group
- 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
- 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
- 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
- 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
- 5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group
- 5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
- 5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
- 5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution
- 5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution
- 5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution
- 5.2.6 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
- 5.2.6 Ensure that Activity Log Alert exists for Delete Network Security Group Rule
- 5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution
- 5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution
- 5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution
- 5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution
- 5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution
- 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- 5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- 5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution
- 5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- 5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
- 5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- 5.3 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- 5.3 Ensure that Diagnostic Logs are enabled for all services which support it
- 5.3.1 Ensure Application Insights are Configured
- 5.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- 6.1 Ensure that RDP access from the Internet is evaluated and restricted
- 6.1 Ensure that RDP access is restricted from the internet
- 6.1 Ensure that RDP from the internet access is evaluated and restricted
- 6.2 Ensure that SSH access from the Internet is evaluated and restricted
- 6.2 Ensure that SSH access from the internet is evaluated and restricted
- 6.2 Ensure that SSH access is restricted from the internet
- 6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
- 6.3 Ensure that UDP access from the Internet is evaluated and restricted
- 6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted
- 6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- 6.5 Ensure that Network Watcher is 'Enabled'
- 6.6 Ensure that Network Watcher is 'Enabled'
- 6.6 Ensure that UDP Services are restricted from the Internet
- 6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis
- 7.1 Ensure an Azure Bastion Host Exists
- 7.1 Ensure Virtual Machines are utilizing Managed Disks
- 7.2 Ensure that 'OS and Data' disks are encrypted with CMK
- 7.2 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
- 7.2 Ensure Virtual Machines are utilizing Managed Disks
- 7.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)
- 7.3 Ensure that 'Unattached disks' are encrypted with CMK
- 7.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
- 7.4 Ensure that only approved extensions are installed
- 7.5 Ensure that Only Approved Extensions Are Installed
- 7.5 Ensure that the endpoint protection for all Virtual Machines is installed
- 7.5 Ensure that the latest OS Patches for all Virtual Machines are applied
- 7.6 Ensure that Endpoint Protection for all Virtual Machines is installed
- 7.6 Ensure that the endpoint protection for all Virtual Machines is installed
- 7.6 Ensure that VHD's are encrypted
- 7.7 [Legacy] Ensure that VHDs are Encrypted
- 7.7 Ensure that VHD's are encrypted
- 7.7 Ensure that VHDs are Encrypted
- 7.8 Ensure only MFA enabled identities can access privileged Virtual Machine
- 7.9 Ensure Trusted Launch is enabled on Virtual Machines
- 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- 8.1 Ensure that the expiration date is set on all keys
- 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- 8.2 Ensure that the expiration date is set on all Secrets
- 8.3 Ensure that Resource Locks are set for mission critical Azure resources
- 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- 8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- 8.4 Ensure the key vault is recoverable
- 8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services
- 8.5 Ensure that Resource Locks are set for mission critical Azure resources
- 8.5 Ensure the key vault is recoverable
- 8.5 Ensure the Key Vault is Recoverable
- 8.6 Enable Role Based Access Control for Azure Key Vault
- 8.6 Ensure the key vault is recoverable
- 8.7 Enable role-based access control (RBAC) within Azure Kubernetes Services
- 8.7 Ensure that Private Endpoints are Used for Azure Key Vault
- 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
- 9.1 Ensure App Service Authentication is set on Azure App Service
- 9.1 Ensure App Service Authentication is set up for apps in Azure App Service
- 9.10 Ensure Azure Key Vaults are Used to Store Secrets
- 9.10 Ensure FTP deployments are disabled
- 9.10 Ensure FTP deployments are Disabled
- 9.11 Ensure Azure Key Vaults are Used to Store Secrets
- 9.11 Ensure Azure Keyvaults are used to store secrets
- 9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service
- 9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service
- 9.3 Ensure web app is using the latest version of TLS encryption
- 9.3 Ensure Web App is using the latest version of TLS encryption
- 9.4 Ensure that Register with Entra ID is enabled on App Service
- 9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
- 9.5 Ensure That 'PHP version' is the Latest, If Used to Run the Web App
- 9.5 Ensure that Register with Azure Active Directory is enabled on App Service
- 9.6 Ensure that 'PHP version' is the latest, if used to run the web app
- 9.6 Ensure That 'PHP version' is the Latest, If Used to Run the Web App
- 9.6 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
- 9.7 Ensure that 'Java version' is the latest, if used to run the Web App
- 9.7 Ensure that 'Python version' is the latest stable version, if used to run the web app
- 9.7 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App
- 9.7 Ensure that 'Python version' is the latest, if used to run the web app
- 9.8 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
- 9.8 Ensure that 'Java version' is the latest, if used to run the web app
- 9.8 Ensure that 'Java version' is the latest, if used to run the Web App
- 9.9 Ensure FTP deployments are Disabled
- 9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app
- 9.9 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App
- A maximum of 3 owners should be designated for your subscription
- A vulnerability assessment solution should be enabled on your virtual machines
- Accounts with owner permissions on Azure resources should be MFA enabled
- Accounts with read permissions on Azure resources should be MFA enabled
- Accounts with write permissions on Azure resources should be MFA enabled
- Adaptive application controls for defining safe applications should be enabled on your machines
- Adaptive network hardening recommendations should be applied on internet facing virtual machines
- Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
- Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
- All Internet traffic should be routed via your deployed Azure Firewall
- All network ports should be restricted on network security groups associated to your virtual machine
- Allowlist rules in your adaptive application control policy should be updated
- An activity log alert should exist for specific Administrative operations
- An Azure Active Directory administrator should be provisioned for SQL servers
- API Management client certificate should be enabled
- API Management services should use a virtual network
- App Configuration encryption should be enabled
- App Configuration should use private link
- App Configuration should use standard SKU
- App Service API apps should only be accessible over HTTPS
- App Service apps should have 'Client Certificates (Incoming client certificates)' enabled
- App Service apps should have remote debugging turned off
- App Service apps should have resource logs enabled
- App Service apps should not have CORS configured to allow every resource to access your apps
- App Service apps should use a virtual network service endpoint
- App Service apps should use managed identity
- App Service apps should use the latest TLS version
- App Service Environment should enable internal encryption
- App Service function apps public access should be restricted
- Appservice plan should not use free, shared or basic SKU
- Audit diagnostic setting for selected resource types
- Audit Linux machines that allow remote connections from accounts without passwords
- Audit Linux machines that do not have the passwd file permissions set to 0644
- Audit Linux machines that have accounts without passwords
- Audit usage of custom RBAC roles
- Audit virtual machines without disaster recovery configured
- Audit Windows machines missing any of specified members in the Administrators group
- Audit Windows machines on which the Log Analytics agent is not connected as expected
- Audit Windows machines that allow re-use of the previous 24 passwords
- Audit Windows machines that do not contain the specified certificates in Trusted Root
- Audit Windows machines that do not have a maximum password age of 70 days
- Audit Windows machines that do not have a minimum password age of 1 day
- Audit Windows machines that do not have the password complexity setting enabled
- Audit Windows machines that do not restrict the minimum password length to 14 characters
- Audit Windows machines that do not store passwords using reversible encryption
- Audit Windows machines that have extra accounts in the Administrators group
- Audit Windows machines that have the specified members in the Administrators group
- Auditing on SQL server should be enabled
- Authentication to Linux machines should require SSH keys
- Authorize access to security functions and information
- Authorized IP ranges should be defined on Kubernetes Services
- Auto provisioning of the Log Analytics agent should be enabled on your subscription
- Automation account variables should be encrypted
- Azure API for FHIR should use a customer-managed key to encrypt data at rest
- Azure API for FHIR should use private link
- Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed
- Azure Automation accounts should use customer-managed keys to encrypt data at rest
- Azure Backup should be enabled for Virtual Machines
- Azure Batch account should use customer-managed keys to encrypt data
- Azure Cache for Redis should reside within a virtual network
- Azure Cache for Redis should use private link
- Azure Cache for Redis should use standard SKUs as a minimum
- Azure Cognitive Search service should use a SKU that supports private link
- Azure Cognitive Search services should disable public network access
- Azure Cognitive Search services should use private link
- Azure Cosmos DB accounts should have firewall rules
- Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
- Azure Data Box jobs should enable double encryption for data at rest on the device
- Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password
- Azure Data Explorer encryption at rest should use a customer-managed key
- Azure data factories should be encrypted with a customer-managed key
- Azure Data Factory should use private link
- Azure DDoS Protection Standard should be enabled
- Azure Defender for App Service should be enabled
- Azure Defender for Azure SQL Database servers should be enabled
- Azure Defender for container registries should be enabled
- Azure Defender for DNS should be enabled
- Azure Defender for Key Vault should be enabled
- Azure Defender for Kubernetes should be enabled
- Azure Defender for Resource Manager should be enabled
- Azure Defender for servers should be enabled
- Azure Defender for SQL should be enabled for unprotected Azure SQL servers
- Azure Defender for SQL should be enabled for unprotected SQL Managed Instances
- Azure Event Grid domains should use private link
- Azure Event Grid topics should use private link
- Azure File Sync should use private link
- Azure HDInsight clusters should use customer-managed keys to encrypt data at rest
- Azure HDInsight clusters should use encryption at host to encrypt data at rest
- Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes
- Azure Key Vault Managed HSM should have purge protection enabled
- Azure Key Vault should disable public network access
- Azure Key Vault should have firewall enabled
- Azure Key Vaults should use private link
- Azure Machine Learning workspaces should be encrypted with a customer-managed key
- Azure Machine Learning workspaces should use private link
- Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'
- Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)
- Azure Monitor Logs clusters should be encrypted with customer-managed key
- Azure Monitor should collect activity logs from all regions
- Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters
- Azure Recovery Services vaults should use customer-managed keys for encrypting backup data
- Azure Service Bus namespaces should use private link
- Azure SignalR Service should use private link
- Azure Spring Cloud should use network injection
- Azure Stack Edge devices should use double-encryption
- Azure Stream Analytics jobs should use customer-managed keys to encrypt data
- Azure Synapse workspaces should use customer-managed keys to encrypt data at rest
- Azure Synapse workspaces should use private link
- Azure Web PubSub Service should use private link
- Batch accounts identity provider should be enabled
- Bot Service should be encrypted with a customer-managed key
- Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys
- Certificates should have the specified maximum validity period
- Cognitive Search services should maintain SLA for index updates
- Cognitive Search services should use managed identity
- Cognitive Services accounts should disable public network access
- Cognitive Services accounts should enable data encryption with a customer-managed key
- Cognitive Services accounts should have local authentication methods disabled
- Cognitive Services accounts should restrict network access
- Cognitive Services should use private link
- Compute virtual machine scale sets should have automatic OS image patching enabled
- Compute virtual machine scale sets with linux OS should have SSH key authentication enabled
- Compute virtual machines should use managed disk for OS and data disk
- Container Instance container group should use customer-managed key for encryption
- Container instance container groups identity provider should be enabled
- Container instance container groups should be in virtual network
- Container instance container groups should use secured environment variable
- Container registries admin user should be disabled
- Container registries public network access should be disabled
- Container registries quarantine policy should be enabled
- Container registries retention policy should be enabled
- Container registries should be encrypted with a customer-managed key
- Container registries should be geo-replicated
- Container registries should not allow unrestricted network access
- Container registries should use private link
- Container registries trust policy should be enabled
- Container registry images should have vulnerability findings resolved
- Container Registry should use a virtual network service endpoint
- Cosmos DB account 'Access Control' should be configured to use Azure Active Directory (AAD) and Role-Based Access Control (RBAC)
- Cosmos DB accounts should disable key based metadata write access
- Cosmos DB should use a virtual network service endpoint
- CosmosDB accounts should use private link
- Data factories should disable public network access
- Data factories should use GitHub repository
- Deploy default Microsoft IaaSAntimalware extension for Windows Server
- Deploy Diagnostic Settings for Network Security Groups
- Deploy network watcher when virtual networks are created
- Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
- Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
- Disk access resources should use private link
- Disk encryption should be enabled on Azure Data Explorer
- Double encryption should be enabled on Azure Data Explorer
- Email notification for high severity alerts should be enabled
- Email notification to subscription owner for high severity alerts should be enabled
- Enable Role Based Access Control for Azure Key Vault
- Endpoint protection solution should be installed on virtual machine scale sets
- Enforce SSL connection should be enabled for MySQL database servers
- Enforce SSL connection should be enabled for PostgreSQL database servers
- Ensure 'Additional email addresses' is configured with a security contact email
- Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access
- Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
- Ensure an Azure Bastion Host exists
- Ensure any of the ASC Default policy setting is not set to "Disabled"
- Ensure App Service authentication is set up for apps in Azure App Service
- Ensure App Service authentication is set up for function apps in Azure App Service
- Ensure Diagnostic Setting captures appropriate categories
- Ensure FTP deployments are Disabled
- Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
- Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server
- Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server
- Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- Ensure soft delete is enabled for Azure Storage
- Ensure Storage logging is enabled for Blob service for read, write, and delete requests
- Ensure Storage logging is enabled for Queue service for read, write, and delete requests
- Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' requests
- Ensure that 'Auditing' Retention is 'greater than 90 days'
- Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
- Ensure that 'HTTP Version' is the latest, if used to run the Function app
- Ensure that 'HTTP Version' is the latest, if used to run the Web app
- Ensure that 'Java version' is the latest, if used as a part of the Function app
- Ensure that 'Java version' is the latest, if used as a part of the Web app
- Ensure that 'PHP version' is the latest, if used as a part of the WEB app
- Ensure that 'Public access level' is set to Private for blob containers
- Ensure that 'Python version' is the latest, if used as a part of the Function app
- Ensure that 'Python version' is the latest, if used as a part of the Web app
- Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)
- Ensure that Activity Log Alert exists for Create or Update Network Security Group
- Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule
- Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule
- Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- Ensure that Activity Log Alert exists for Create or Update Security Solution
- Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- Ensure that Activity Log Alert exists for Create Policy Assignment
- Ensure that Activity Log Alert exists for Delete Network Security Group
- Ensure that Activity Log Alert exists for Delete Network Security Group Rule
- Ensure that Activity Log Alert exists for Delete Policy Assignment
- Ensure that Activity Log Alert exists for Delete Public IP Address rule
- Ensure that Activity Log Alert exists for Delete Security Solution
- Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- Ensure that Azure Active Directory Admin is configured
- Ensure that HTTP(S) access from the Internet is evaluated and restricted
- Ensure That Microsoft Defender for Azure Cosmos DB is set to 'On'
- Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is selected
- Ensure That Microsoft Defender for Databases is set to 'On'
- Ensure That Microsoft Defender for Open-Source Relational Databases is set to 'On'
- Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
- Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'
- Ensure that no Custom Subscription Administrator roles exist
- Ensure that Register with Azure Active Directory is enabled on App Service
- Ensure that SSH access is restricted from the internet
- Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- Ensure that UDP Services are restricted from the Internet
- Ensure that VA setting 'Send scan reports to' is configured for a SQL server
- Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
- Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
- Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected
- Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'
- Ensure the key vault is recoverable
- Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key
- Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible
- Ensure the storage container storing the operational logs is not publicly accessible
- Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'
- Ensure Virtual Machines are utilizing Managed Disks
- Event Grid domains identity provider should be enabled
- Event Grid domains should restrict public network access
- Event Grid topics identity provider should be enabled
- Event Grid topics should have local authentication enabled
- Event Hub namespaces should use a customer-managed key for encryption
- Event Hub namespaces should use private link
- Event Hub should use a virtual network service endpoint
- FTPS only should be required in your API App
- FTPS only should be required in your Function App
- FTPS should be required in your Web App
- Function apps should have 'Client Certificates (Incoming client certificates)' enabled
- Function apps should have remote debugging turned off
- Function apps should not have CORS configured to allow every resource to access your apps
- Function apps should only be accessible over HTTPS
- Function apps should use managed identity
- Function apps should use the latest TLS version
- Gateway subnets should not be configured with a network security group
- Geo-redundant backup should be enabled for Azure Database for MariaDB
- Geo-redundant backup should be enabled for Azure Database for MySQL
- Geo-redundant backup should be enabled for Azure Database for PostgreSQL
- Geo-redundant storage should be enabled for Storage Accounts
- Guest Configuration extension should be installed on your machines
- HPC Cache accounts should use customer-managed key for encryption
- Infrastructure encryption should be enabled for Azure Database for MySQL servers
- Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers
- Internet-facing virtual machines should be protected with network security groups
- IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)
- IoT Hub device provisioning service instances should use private link
- IP Forwarding on your virtual machine should be disabled
- Key Vault keys should have an expiration date
- Key Vault secrets should have an expiration date
- Key Vault should use a virtual network service endpoint
- Key vaults should have deletion protection enabled
- Key vaults should have soft delete enabled
- Kubernetes cluster addon Azure policy should be enabled
- Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits
- Kubernetes cluster containers should not share host process ID or host IPC namespace
- Kubernetes cluster containers should only use allowed AppArmor profiles
- Kubernetes cluster containers should only use allowed capabilities
- Kubernetes cluster containers should only use allowed images
- Kubernetes cluster containers should run with a read only root file system
- Kubernetes cluster nodes should prohibit public access
- Kubernetes cluster pod hostPath volumes should only use allowed host paths
- Kubernetes cluster pods and containers should only run with approved user and group IDs
- Kubernetes cluster pods should only use approved host network and port range
- Kubernetes cluster services should listen only on allowed ports
- Kubernetes cluster should not allow privileged containers
- Kubernetes cluster should restrict public access
- Kubernetes clusters HTTP application routing should be disabled
- Kubernetes clusters key vault secret rotation should be enabled
- Kubernetes clusters should be accessible only over HTTPS
- Kubernetes clusters should have Azure network plugin
- Kubernetes clusters should have logging enabled
- Kubernetes clusters should have network policy enabled
- Kubernetes clusters should not allow container privilege escalation
- Kubernetes clusters should use a minimum number of 50 pods
- Kubernetes clusters should use standard SKU
- Kubernetes clusters upgrade channel should be configured
- Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
- Kusto clusters should use SKU with an SLA
- Latest TLS version should be used in your Web App
- Linux machines should meet requirements for the Azure compute security baseline
- Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring
- Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring
- Log Analytics extension should be installed on your Linux Azure Arc machines
- Log Analytics extension should be installed on your Windows Azure Arc machines
- Logic Apps Integration Service Environment should be encrypted with customer-managed keys
- Long-term geo-redundant backup should be enabled for Azure SQL Databases
- Managed disks should be double encrypted with both platform-managed and customer-managed keys
- Managed identity should be used in your API App
- Management ports of virtual machines should be protected with just-in-time network access control
- Management ports should be closed on your virtual machines
- MariaDB servers should have 'Enforce SSL connection' set to 'ENABLED'
- Microsoft Antimalware for Azure should be configured to automatically update protection signatures
- Microsoft Defender for Containers should be enabled
- Microsoft Defender for Storage (Classic) should be enabled
- Monitor log profiles should have retention set to 365 days or greater
- Monitor missing Endpoint Protection in Azure Security Center
- MySQL servers should use customer-managed keys to encrypt data at rest
- Network load balancers should use standard SKUs as a minimum
- Network public IPs should use standard SKUs as a minimum
- Network security groups should restrict inbound ICMP port access from internet
- Network security groups should restrict inbound TCP port 135 access from internet
- Network security groups should restrict inbound TCP port 1433 access from internet
- Network security groups should restrict inbound TCP port 20 access from internet
- Network security groups should restrict inbound TCP port 21 access from internet
- Network security groups should restrict inbound TCP port 23 access from internet
- Network security groups should restrict inbound TCP port 25 access from internet
- Network security groups should restrict inbound TCP port 3306 access from internet
- Network security groups should restrict inbound TCP port 4333 access from internet
- Network security groups should restrict inbound TCP port 445 access from internet
- Network security groups should restrict inbound TCP port 53 access from internet
- Network security groups should restrict inbound TCP port 5432 access from internet
- Network security groups should restrict inbound TCP port 5500 access from internet
- Network security groups should restrict inbound TCP port 5900 access from internet
- Network security groups should restrict inbound UDP port 137 access from internet
- Network security groups should restrict inbound UDP port 1434 access from internet
- Network security groups should restrict inbound UDP port 445 access from internet
- Network security groups should restrict inbound UDP port 53 access from internet
- Network security groups should restrict outbound access from internet
- Network traffic data collection agent should be installed on Linux virtual machines
- Network traffic data collection agent should be installed on Windows virtual machines
- Network Watcher should be enabled
- Non-internet-facing virtual machines should be protected with network security groups
- Only secure connections to your Azure Cache for Redis should be enabled
- OS and data disks should be encrypted with a customer-managed key
- PostgreSQL servers should have the latest TLS version
- PostgreSQL servers should use customer-managed keys to encrypt data at rest
- Private endpoint connections on Azure SQL Database should be enabled
- Private endpoint should be enabled for MariaDB servers
- Private endpoint should be enabled for MySQL servers
- Private endpoint should be enabled for PostgreSQL servers
- Public network access on Azure SQL Database should be disabled
- Public network access should be disabled for MariaDB servers
- Public network access should be disabled for MySQL servers
- Public network access should be disabled for PostgreSQL servers
- Recovery Services vaults should use managed identity
- Redis Caches 'Minimum TLS version' should be set to 'Version 1.2'
- Remote debugging should be turned off for Web Applications
- Require encryption on Data Lake Store accounts
- Resource logs in Azure Data Lake Store should be enabled
- Resource logs in Azure Key Vault Managed HSM should be enabled
- Resource logs in Azure Stream Analytics should be enabled
- Resource logs in Batch accounts should be enabled
- Resource logs in Data Lake Analytics should be enabled
- Resource logs in Event Hub should be enabled
- Resource logs in IoT Hub should be enabled
- Resource logs in Key Vault should be enabled
- Resource logs in Logic Apps should be enabled
- Resource logs in Search services should be enabled
- Resource logs in Service Bus should be enabled
- Resource logs in Virtual Machine Scale Sets should be enabled
- Role-Based Access Control (RBAC) should be used on Kubernetes Services
- Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption
- Secure transfer to storage accounts should be enabled
- Security Center container image scan should be enabled
- Security center pricing should be set to standard
- Service bus namespace should be configured with Azure Active Directory (Azure AD) authentication
- Service bus namespace should not be configured with overly permissive network access
- Service Bus Premium namespaces should use a customer-managed key for encryption
- Service Bus should use virtual service endpoint
- Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign
- Service Fabric clusters should only use Azure Active Directory for client authentication
- SignalR Service should not use free tier SKU
- SQL databases should have vulnerability findings resolved
- SQL databases transparent data encryption should be enabled
- SQL managed instances should use customer-managed keys to encrypt data at rest
- SQL Server should use a virtual network service endpoint
- SQL server threat detection should be enabled for all
- SQL servers on machines should have vulnerability findings resolved
- SQL servers should use customer-managed keys to encrypt data at rest
- SQL servers with auditing to storage account destination should be configured with 90 days retention or higher
- Storage account containing VHD OS disk not encrypted with CMK
- Storage account encryption scopes should use customer-managed keys to encrypt data at rest
- Storage account logging (Classic Diagnostic Setting) for blobs should be enabled
- Storage account logging (Classic Diagnostic Setting) for queues should be enabled
- Storage account logging (Classic Diagnostic Setting) for tables should be enabled
- Storage account public access should be disallowed
- Storage accounts should be migrated to new Azure Resource Manager resources
- Storage accounts should have infrastructure encryption
- Storage accounts should restrict network access
- Storage accounts should restrict network access using virtual network rules
- Storage Accounts should use a virtual network service endpoint
- Storage accounts should use customer-managed key for encryption
- Storage accounts should use private link
- Subnets should be associated with a Network Security Group
- Subscriptions should have a contact email address for security issues
- Subscriptions with custom roles should not be overly permissive
- Synapse workspaces should have data exfiltration protection enabled
- System updates on virtual machine scale sets should be installed
- System updates should be installed on your machines
- Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host
- There should be more than one owner assigned to your subscription
- Transparent Data Encryption on SQL databases should be enabled
- Unattached Compute disks should be encrypted with ADE/CMK
- Virtual Machine scale sets boot diagnostics should be enabled
- Virtual machine scale sets should use managed disks
- Virtual machines and virtual machine scale sets should have encryption at host enabled
- Virtual machines should be connected to an approved virtual network
- Virtual machines should be migrated to new Azure Resource Manager resources
- Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
- Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
- Virtual network gateways should use standard SKUs as a minimum
- Virtual network network peering should be in connected state
- VM Image Builder templates should use private link
- Vulnerabilities in container security configurations should be remediated
- Vulnerabilities in security configuration on your machines should be remediated
- Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
- Vulnerability assessment should be enabled on SQL Managed Instance
- Vulnerability assessment should be enabled on your SQL servers
- Vulnerability assessment should be enabled on your Synapse workspaces
- Web app failed request tracing should be enabled
- Web app HTTP logs should be enabled
- Web app should have more than one worker
- Web app should use the latest 'Net Framework' version
- Web app slot should only be accessible over HTTPS
- Web Application Firewall (WAF) should be enabled for Application Gateway
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service service
- Web Application should only be accessible over HTTPS
- Web apps should be configured to always be on
- Web apps should have health check enabled
- Windows Defender Exploit Guard should be enabled on your machines
- Windows machines should meet requirements for 'Security Options - Accounts'
- Windows machines should meet requirements for 'Security Options - Audit'
- Windows machines should meet requirements for 'Security Options - Network Access'
- Windows machines should meet requirements for 'Security Options - Recovery console'
- Windows machines should meet requirements for 'Security Options - User Account Control'
- Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'
- Windows machines should meet requirements for 'User Rights Assignment'
- Windows machines should meet requirements for 'Windows Firewall Properties'
- Windows machines should meet requirements of the Azure compute security baseline
- Windows web servers should be configured to use secure communication protocols
Schema for azure_subscription
Name | Type | Operators | Description
---|---|---|---
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
authorization_source | text | | The authorization source of the request. Valid values are one or more combinations of Legacy, RoleBased, Bypassed, Direct and Management. For example, 'Legacy, RoleBased'.
cloud_environment | text | | The Azure Cloud Environment.
display_name | text | | A friendly name that identifies a subscription.
id | text | | The fully qualified ID for the subscription. For example, /subscriptions/00000000-0000-0000-0000-000000000000.
managed_by_tenants | jsonb | | An array containing the tenants managing the subscription.
state | text | | The subscription state. Possible values are Enabled, Warned, PastDue, Disabled, and Deleted. Possible values include: 'StateEnabled', 'StateWarned', 'StatePastDue', 'StateDisabled', 'StateDeleted'.
subscription_id | text | | The subscription ID.
subscription_policies | jsonb | | The subscription policies.
tenant_id | text | | The subscription tenant ID.
title | text | | Title of the resource.
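An added review query built on the columns above (example code, not from the Steampipe docs): it lists subscriptions that are not in the Enabled state, and subscriptions delegated to an external managing tenant through managed_by_tenants, since a delegation widens who can act on the subscription and is easy to lose track of. The state filter accepts both value spellings given in the schema description.

```sql
-- Added example, not part of the original page.
-- Surface subscriptions worth a second look:
--   * any whose state is not Enabled (Warned, PastDue, Disabled, Deleted)
--   * any managed by another tenant (managed_by_tenants is non-empty)
select
  display_name,
  subscription_id,
  tenant_id,
  state,
  authorization_source,
  -- number of external tenants with delegated management over this subscription;
  -- managed_by_tenants may be null, so treat null as an empty array
  jsonb_array_length(coalesce(managed_by_tenants, '[]'::jsonb)) as managing_tenant_count,
  managed_by_tenants
from
  azure_subscription
where
  -- the schema description lists both 'Enabled' and 'StateEnabled' as spellings
  state not in ('Enabled', 'StateEnabled')
  or jsonb_array_length(coalesce(managed_by_tenants, '[]'::jsonb)) > 0
order by
  managing_tenant_count desc,
  display_name;
```

A subscription that appears only because of a delegation is not necessarily a problem; confirm that each managing tenant listed is one your organization intends to have access.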
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure
You can pass the configuration to the command with the --config argument:
steampipe_export_azure --config '<your_config>' azure_subscription