e:["$","$L15",null,{"pluginData":{"readme":"$16","sourceInfo":"$17","engines":["steampipe","sqlite","postgres","export"],"organization":"Turbot","category":["software development"],"iconUrl":"/images/plugins/turbot/terraform.svg","brandColor":"#844FBA","displayName":"Terraform","shortName":"terraform","description":"Steampipe plugin to query data from Terraform files.","ogDescription":"Query Terraform files with SQL! Open source CLI. No DB required.","ogImage":"/images/plugins/turbot/terraform-social-graphic.png","org":"turbot","name":"terraform","version":"1.1.1","latestImageId":"sha256:34789d33b1c31f05cdef57c77ece27bdfca8555c8947bc1a66c886fec5bd1f39","latestVersion":"1.1.1","mods":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance","org":"turbot","name":"steampipe-mod-terraform-aws-compliance","title":"Terraform AWS Compliance","version":"v1.0.1","iconUrl":"/images/mods/turbot/terraform-aws-compliance.svg","brandColor":"#844FBA","description":"Run compliance and security controls to detect Terraform AWS resources deviating from security best practices prior to deployment in your AWS accounts using Powerpipe and Steampipe.."},{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance","org":"turbot","name":"steampipe-mod-terraform-azure-compliance","title":"Terraform Azure Compliance","version":"v1.0.1","iconUrl":"/images/mods/turbot/terraform-azure-compliance.svg","brandColor":"#844FBA","description":"Run compliance and security controls to detect Terraform Azure resources deviating from security best practices prior to deployment in your Azure subscriptions using Powerpipe and Steampipe."},{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance","org":"turbot","name":"steampipe-mod-terraform-gcp-compliance","title":"Terraform GCP Compliance","version":"v1.0.1","iconUrl":"/images/mods/turbot/terraform-gcp-compliance.svg","brandColor":"#844FBA","description":"Run compliance and security controls to detect Terraform GCP resources deviating from security best practices prior to deployment in your GCP projects using Powerpipe and Steampipe."},{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance","org":"turbot","name":"steampipe-mod-terraform-oci-compliance","title":"Terraform OCI Compliance","version":"v1.0.1","iconUrl":"/images/mods/turbot/terraform-oci-compliance.svg","brandColor":"#844FBA","description":"Run compliance and security controls to detect Terraform OCI resources deviating from security best practices prior to deployment in your OCI accounts using Powerpipe and Steampipe."}],"tables":[{"name":"terraform_data_source","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"arguments","type":"jsonb","description":"Data source arguments.","operators":[]},{"name":"count","type":"bigint","description":"The integer value for the count meta-argument if it's set as a number in a literal expression.","operators":[]},{"name":"count_src","type":"jsonb","description":"The count meta-argument accepts a whole number, and creates that many instances of the resource or module.","operators":[]},{"name":"depends_on","type":"jsonb","description":"Use the depends_on meta-argument to handle hidden data source or module dependencies that Terraform can't automatically infer.","operators":[]},{"name":"end_line","type":"bigint","description":"Ending line number.","operators":[]},{"name":"for_each","type":"jsonb","description":"The for_each meta-argument accepts a map or a set of strings, and creates an instance for each item in that map or set.","operators":[]},{"name":"name","type":"text","description":"Data source name.","operators":[]},{"name":"path","type":"text","description":"Path to the file.","operators":["="]},{"name":"provider","type":"text","description":"The provider meta-argument specifies which provider configuration to use for a data source, overriding Terraform's default behavior of selecting one based on the data source type name.","operators":[]},{"name":"source","type":"text","description":"The block source code.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"start_line","type":"bigint","description":"Starting line number.","operators":[]},{"name":"type","type":"text","description":"Data source type.","operators":[]}],"description":"Terraform data source information.","queriesCount":1,"examplesCount":2,"readme":"$19"},{"name":"terraform_local","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"end_line","type":"bigint","description":"Ending line number.","operators":[]},{"name":"name","type":"text","description":"Local name.","operators":[]},{"name":"path","type":"text","description":"Path to the file.","operators":["="]},{"name":"source","type":"text","description":"The block source code.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"start_line","type":"bigint","description":"Starting line number.","operators":[]},{"name":"value","type":"jsonb","description":"Local value.","operators":[]}],"description":"Terraform local information.","queriesCount":0,"examplesCount":1,"readme":"$1a"},{"name":"terraform_module","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"arguments","type":"jsonb","description":"Input arguments passed to this module.","operators":[]},{"name":"count","type":"bigint","description":"The integer value for the count meta-argument if it's set as a number in a literal expression.","operators":[]},{"name":"count_src","type":"jsonb","description":"The count meta-argument accepts a whole number, and creates that many instances of the resource or module.","operators":[]},{"name":"depends_on","type":"jsonb","description":"Use the depends_on meta-argument to handle hidden data source or module dependencies that Terraform can't automatically infer.","operators":[]},{"name":"end_line","type":"bigint","description":"Ending line number.","operators":[]},{"name":"for_each","type":"jsonb","description":"The for_each meta-argument accepts a map or a set of strings, and creates an instance for each item in that map or set.","operators":[]},{"name":"module_source","type":"text","description":"Module source","operators":[]},{"name":"name","type":"text","description":"Module name.","operators":[]},{"name":"path","type":"text","description":"Path to the file.","operators":["="]},{"name":"provider","type":"text","description":"The provider meta-argument specifies which provider configuration to use for a data source, overriding Terraform's default behavior of selecting one based on the data source type name.","operators":[]},{"name":"source","type":"text","description":"The block source code.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"start_line","type":"bigint","description":"Starting line number.","operators":[]},{"name":"version","type":"text","description":"Module version","operators":[]}],"description":"Terraform module information.","queriesCount":0,"examplesCount":1,"readme":"$1b"},{"name":"terraform_output","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"depends_on","type":"jsonb","description":"Use the depends_on meta-argument to handle hidden output or module dependencies that Terraform can't automatically infer.","operators":[]},{"name":"description","type":"text","description":"Because the output values of a module are part of its user interface, you can briefly describe the purpose of each value using the optional description argument.","operators":[]},{"name":"end_line","type":"bigint","description":"Ending line number.","operators":[]},{"name":"name","type":"text","description":"Output name.","operators":[]},{"name":"path","type":"text","description":"Path to the file.","operators":["="]},{"name":"sensitive","type":"boolean","description":"An output can be marked as containing sensitive material using the optional sensitive argument.","operators":[]},{"name":"source","type":"text","description":"The block source code.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"start_line","type":"bigint","description":"Starting line number.","operators":[]},{"name":"value","type":"jsonb","description":"The value argument takes an expression whose result is to be returned to the user.","operators":[]}],"description":"Terraform output information.","queriesCount":0,"examplesCount":2,"readme":"$1c"},{"name":"terraform_provider","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"alias","type":"text","description":"The alias meta-argument to provide an extra name segment.","operators":[]},{"name":"arguments","type":"jsonb","description":"Provider arguments.","operators":[]},{"name":"end_line","type":"bigint","description":"Ending line number.","operators":[]},{"name":"name","type":"text","description":"Provider name.","operators":[]},{"name":"path","type":"text","description":"Path to the file.","operators":["="]},{"name":"source","type":"text","description":"The block source code.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"start_line","type":"bigint","description":"Starting line number.","operators":[]},{"name":"version","type":"text","description":"The version meta-argument specifies a version constraint for a provider, and works the same way as the version argument in a required_providers block.","operators":[]}],"description":"Terraform provider information.","queriesCount":0,"examplesCount":2,"readme":"$1d"},{"name":"terraform_resource","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"address","type":"text","description":"The absolute resource address.","operators":[]},{"name":"arguments","type":"jsonb","description":"Resource arguments.","operators":[]},{"name":"attributes","type":"jsonb","description":"Resource attributes. The value will populate only for the resources that come from a state file.","operators":[]},{"name":"attributes_std","type":"jsonb","description":"Resource attributes. Contains the value from either the arguments or the attributes property.","operators":[]},{"name":"count","type":"bigint","description":"The integer value for the count meta-argument if it's set as a number in a literal expression.","operators":[]},{"name":"count_src","type":"jsonb","description":"The count meta-argument accepts a whole number, and creates that many instances of the resource or module.","operators":[]},{"name":"depends_on","type":"jsonb","description":"Use the depends_on meta-argument to handle hidden resource or module dependencies that Terraform can't automatically infer.","operators":[]},{"name":"end_line","type":"bigint","description":"Ending line number.","operators":[]},{"name":"for_each","type":"jsonb","description":"The for_each meta-argument accepts a map or a set of strings, and creates an instance for each item in that map or set.","operators":[]},{"name":"lifecycle","type":"jsonb","description":"The lifecycle meta-argument is a nested block that can appear within a resource block.","operators":[]},{"name":"mode","type":"text","description":"The type of resource Terraform creates, either a resource (managed) or data source (data).","operators":[]},{"name":"name","type":"text","description":"Resource name.","operators":[]},{"name":"path","type":"text","description":"Path to the file.","operators":["="]},{"name":"provider","type":"text","description":"The provider meta-argument specifies which provider configuration to use for a resource, overriding Terraform's default behavior of selecting one based on the resource type name.","operators":[]},{"name":"source","type":"text","description":"The block source code.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"start_line","type":"bigint","description":"Starting line number.","operators":[]},{"name":"type","type":"text","description":"Resource type.","operators":[]}],"description":"Terraform resource information.","queriesCount":807,"examplesCount":9,"readme":"$1e"},{"name":"terraform_variable","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"default_value","type":"jsonb","description":"The default value for the variable.","operators":[]},{"name":"description","type":"text","description":"Because the variable values of a module are part of its user interface, you can briefly describe the purpose of each value using the optional description argument.","operators":[]},{"name":"end_line","type":"bigint","description":"Ending line number.","operators":[]},{"name":"name","type":"text","description":"The variable name.","operators":[]},{"name":"path","type":"text","description":"Path to the file.","operators":["="]},{"name":"sensitive","type":"boolean","description":"An variable can be marked as containing sensitive material using the optional sensitive argument.","operators":[]},{"name":"source","type":"text","description":"The block source code.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"start_line","type":"bigint","description":"Starting line number.","operators":[]},{"name":"type","type":"text","description":"The variable type.","operators":[]},{"name":"validation","type":"text","description":"The validation applied on the variable.","operators":[]}],"description":"Terraform variable information.","queriesCount":0,"examplesCount":2,"readme":"$1f"}],"queries":{"cloud_watch":{"cloudwatch_destination_policy_wildcards":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudwatch_destination_policy_wildcards","org":"turbot","name":"cloudwatch_destination_policy_wildcards","sql":"with access_policy as (\n select\n name\n from\n terraform_data_source\n where\n type = 'aws_iam_policy_document'\n and (arguments -> 'statement' ->> 'actions') like '%*%'\n), cloudwatch_log_destination_policy as (\n select\n name,\n type,\n address,\n path,\n start_line,\n _ctx,\n split_part((attributes_std ->> 'access_policy')::text, '.', 3) as ap\n from\n terraform_resource\n where\n type = 'aws_cloudwatch_log_destination_policy'\n)\nselect\n a.address as resource,\n case\n when e.name is null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when e.name is null then ' policy is ok'\n else ' policy is not ok'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n cloudwatch_log_destination_policy as a\n left join access_policy as e on a.ap = e.name;\n","tags":{},"tables":["terraform.terraform_data_source","terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudwatch.pp","startLineNumber":29,"endLineNumber":68,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudwatch_destination_policy_wildcards","org":"turbot","name":"cloudwatch_destination_policy_wildcards","mod":"Terraform AWS Compliance","title":"Ensure CloudWatch Logs destination policy has no wildcards","description":"Amazon CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudWatch"}}],"controlTitle":"Ensure CloudWatch Logs destination policy has no wildcards","controlDescription":"Amazon CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudWatch"}},"log_group_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/log_group_encryption_at_rest_enabled","org":"turbot","name":"log_group_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is not null then ' encrypted at rest'\n else ' not encrypted at rest'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudwatch_log_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudwatch.pp","startLineNumber":92,"endLineNumber":111,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.log_group_encryption_at_rest_enabled","org":"turbot","name":"log_group_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"Log group encryption at rest should be enabled","description":"To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Group.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/CloudWatch","soc_2":"true"}}],"controlTitle":"Log group encryption at rest should be enabled","controlDescription":"To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Group.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/CloudWatch","soc_2":"true"}},"cloudwatch_log_group_retention_period_365":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudwatch_log_group_retention_period_365","org":"turbot","name":"cloudwatch_log_group_retention_period_365","sql":"select\n address as resource,\n case\n when (attributes_std -> 'retention_in_days') is null or (attributes_std -> 'retention_in_days')::int < 365 then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'retention_in_days') is null then ' retention period not set'\n when (attributes_std -> 'retention_in_days')::int < 365 then ' retention period less than 365 days'\n else ' retention period 365 days or above'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudwatch_log_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudwatch.pp","startLineNumber":70,"endLineNumber":90,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudwatch_log_group_retention_period_365","org":"turbot","name":"cloudwatch_log_group_retention_period_365","mod":"Terraform AWS Compliance","title":"Log group retention period should be at least 365 days","description":"Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/CloudWatch","soc_2":"true"}}],"controlTitle":"Log group retention period should be at least 365 days","controlDescription":"Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/CloudWatch","soc_2":"true"}},"cloudwatch_alarm_action_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudwatch_alarm_action_enabled","org":"turbot","name":"cloudwatch_alarm_action_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'alarm_actions') is null\n and (attributes_std -> 'insufficient_data_actions') is null\n and (attributes_std -> 'ok_actions') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'alarm_actions') is null\n and (attributes_std -> 'insufficient_data_actions') is null\n and (attributes_std -> 'ok_actions') is null then ' no action enabled'\n when (attributes_std -> 'alarm_actions') is not null then ' alarm action enabled'\n when (attributes_std -> 'insufficient_data_actions') is not null then ' insufficient data action enabled.'\n when (attributes_std -> 'ok_actions') is not null then ' ok action enabled.'\n else ' action enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudwatch_metric_alarm';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudwatch.pp","startLineNumber":1,"endLineNumber":27,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudwatch_alarm_action_enabled","org":"turbot","name":"cloudwatch_alarm_action_enabled","mod":"Terraform AWS Compliance","title":"CloudWatch alarm action should be enabled","description":"Amazon CloudWatch alarms alert when a metric breaches the threshold for a specified number of evaluation periods. The alarm performs one or more actions based on the value of the metric or expression relative to a threshold over a number of time periods.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/CloudWatch","soc_2":"true"}}],"controlTitle":"CloudWatch alarm action should be enabled","controlDescription":"Amazon CloudWatch alarms alert when a metric breaches the threshold for a specified number of evaluation periods. The alarm performs one or more actions based on the value of the metric or expression relative to a threshold over a number of time periods.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/CloudWatch","soc_2":"true"}},"cloudwatch_log_group_retention":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudwatch_log_group_retention","org":"turbot","name":"cloudwatch_log_group_retention","sql":"select\n address as resource,\n case\n when (attributes_std -> 'retention_in_days') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'retention_in_days') is null then ' retention period not set'\n else ' retention period set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudwatch_log_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudwatch.pp","startLineNumber":113,"endLineNumber":132,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudwatch_log_group_retention","org":"turbot","name":"cloudwatch_log_group_retention","mod":"Terraform AWS Compliance","title":"Log group retention period should be set","description":"Ensure that CloudWatch Log Group specifies retention days.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudWatch"}}],"controlTitle":"Log group retention period should be set","controlDescription":"Ensure that CloudWatch Log Group specifies retention days.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudWatch"}}},"vpc":{"vpc_security_group_restrict_ingress_ssh_all":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_security_group_restrict_ingress_ssh_all","org":"turbot","name":"vpc_security_group_restrict_ingress_ssh_all","sql":"$20","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":581,"endLineNumber":631,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-ibm-compliance/benchmarks/control.cis_v100_6_2_4","org":"turbot","name":"cis_v100_6_2_4","mod":"IBM Cloud Compliance","title":"6.2.4 Ensure no VPC security groups allow ingress from 0.0.0.0/0 to port 22","description":"VPC security groups provide stateful filtering of ingress/egress network traffic to Virtual Servers. It is recommended that no security group allows unrestricted ingress access to port 22.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.4","cis_level":"1","cis_section_id":"6.2","cis_type":"manual","cis_version":"v1.0.0","plugin":"ibm","service":"IBM/VPC"}}],"controlTitle":"6.2.4 Ensure no VPC security groups allow ingress from 0.0.0.0/0 to port 22","controlDescription":"VPC security groups provide stateful filtering of ingress/egress network traffic to Virtual Servers. It is recommended that no security group allows unrestricted ingress access to port 22.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.4","cis_level":"1","cis_section_id":"6.2","cis_type":"manual","cis_version":"v1.0.0","plugin":"ibm","service":"IBM/VPC"}},"vpc_security_group_restrict_ingress_rdp_all":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_security_group_restrict_ingress_rdp_all","org":"turbot","name":"vpc_security_group_restrict_ingress_rdp_all","sql":"$21","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":633,"endLineNumber":683,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-ibm-compliance/benchmarks/control.cis_v100_6_2_3","org":"turbot","name":"cis_v100_6_2_3","mod":"IBM Cloud Compliance","title":"6.2.3 Ensure no VPC security groups allow ingress from 0.0.0.0/0 to port 3389","description":"VPC security groups provide stateful filtering of ingress/egress network traffic to Virtual Server Instances. It is recommended that no security group allows unrestricted ingress access to port 3389.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.3","cis_level":"1","cis_section_id":"6.2","cis_type":"manual","cis_version":"v1.0.0","plugin":"ibm","service":"IBM/VPC"}}],"controlTitle":"6.2.3 Ensure no VPC security groups allow ingress from 0.0.0.0/0 to port 3389","controlDescription":"VPC security groups provide stateful filtering of ingress/egress network traffic to Virtual Server Instances. It is recommended that no security group allows unrestricted ingress access to port 3389.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.3","cis_level":"1","cis_section_id":"6.2","cis_type":"manual","cis_version":"v1.0.0","plugin":"ibm","service":"IBM/VPC"}},"vpc_transfer_server_not_publicly_accesible":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_transfer_server_not_publicly_accesible","org":"turbot","name":"vpc_transfer_server_not_publicly_accesible","sql":"select\n address as resource,\n case\n when (attributes_std -> 'endpoint_type') is null then 'alarm'\n when (attributes_std ->> 'endpoint_type') in ('VPC', 'VPC_ENDPOINT') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'endpoint_type') is null then ' publicly accessible'\n when (attributes_std ->> 'endpoint_type') in ('VPC', 'VPC_ENDPOINT') then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_transfer_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":232,"endLineNumber":253,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_transfer_server_not_publicly_accesible","org":"turbot","name":"vpc_transfer_server_not_publicly_accesible","mod":"Terraform AWS Compliance","title":"VPC transfer server should not be publicly accessible","description":"This control checks whether the VPC transfer server is not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC transfer server should not be publicly accessible","controlDescription":"This control checks whether the VPC transfer server is not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_security_group_rule_description_for_rules":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_security_group_rule_description_for_rules","org":"turbot","name":"vpc_security_group_rule_description_for_rules","sql":"select\n address as resource,\n case\n when (attributes_std -> 'description') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'description') is null then ' no description defined'\n else ' description defined'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_security_group_rule';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":166,"endLineNumber":184,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_security_group_rule_description_for_rules","org":"turbot","name":"vpc_security_group_rule_description_for_rules","mod":"Terraform AWS Compliance","title":"VPC security group rule should have description for rules","description":"One of the best practices when creating security group rules in AWS is to add a description to the group and each of its rules for better clarity.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC security group rule should have description for rules","controlDescription":"One of the best practices when creating security group rules in AWS is to add a description to the group and each of its rules for better clarity.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_subnet_auto_assign_public_ip_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_subnet_auto_assign_public_ip_disabled","org":"turbot","name":"vpc_subnet_auto_assign_public_ip_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'map_public_ip_on_launch') is null then 'ok'\n when (attributes_std ->> 'map_public_ip_on_launch')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'map_public_ip_on_launch') is null then ' ''map_public_ip_on_launch'' disabled'\n when (attributes_std ->> 'map_public_ip_on_launch')::boolean then ' ''map_public_ip_on_launch'' enabled'\n else ' ''map_public_ip_on_launch'' disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_subnet';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":186,"endLineNumber":207,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_subnet_auto_assign_public_ip_disabled","org":"turbot","name":"vpc_subnet_auto_assign_public_ip_disabled","mod":"Terraform AWS Compliance","title":"VPC subnet auto-assign public IP should be disabled","description":"Ensure that Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. The control is complaint if Amazon VPC does not have subnets that are assigned a public IP address.","tags":{"aws_foundational_security":"true","category":"Compliance","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/VPC"}}],"controlTitle":"VPC subnet auto-assign public IP should be disabled","controlDescription":"Ensure that Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. The control is complaint if Amazon VPC does not have subnets that are assigned a public IP address.","controlTags":{"aws_foundational_security":"true","category":"Compliance","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/VPC"}},"vpc_security_group_associated_to_eni":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_security_group_associated_to_eni","org":"turbot","name":"vpc_security_group_associated_to_eni","sql":"select\n address as resource,\n case\n when name in (select split_part((jsonb_array_elements(attributes_std -> 'security_groups')::text), '.', 2) from terraform_resource where type = 'aws_network_interface') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when name in (select split_part((jsonb_array_elements(attributes_std -> 'security_groups')::text), '.', 2) from terraform_resource where type = 'aws_network_interface') then ' has attached ENI(s)'\n else ' has no attached ENI(s)'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_security_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":124,"endLineNumber":143,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_security_group_associated_to_eni","org":"turbot","name":"vpc_security_group_associated_to_eni","mod":"Terraform AWS Compliance","title":"VPC security groups should be associated with at least one ENI","description":"This rule ensures the security groups are attached to an Amazon Elastic Compute Cloud (Amazon EC2) instance or to an ENI. This rule helps monitor unused security groups in the inventory and the management of your environment.","tags":{"category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC security groups should be associated with at least one ENI","controlDescription":"This rule ensures the security groups are attached to an Amazon Elastic Compute Cloud (Amazon EC2) instance or to an ENI. This rule helps monitor unused security groups in the inventory and the management of your environment.","controlTags":{"category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/VPC"}},"vpc_transfer_server_allows_only_secure_protocols":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_transfer_server_allows_only_secure_protocols","org":"turbot","name":"vpc_transfer_server_allows_only_secure_protocols","sql":"select\n address as resource,\n case\n when (attributes_std -> 'protocols') @> '[\"FTP\"]' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'protocols') @> '[\"FTP\"]' then ' allows unsecure protocols'\n else ' allows only secure protocols'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_transfer_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":560,"endLineNumber":579,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_transfer_server_allows_only_secure_protocols","org":"turbot","name":"vpc_transfer_server_allows_only_secure_protocols","mod":"Terraform AWS Compliance","title":"VPC transfer server should allow only secure protocols","description":"This control checks whether the VPC transfer server allows only secure protocols.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC transfer server should allow only secure protocols","controlDescription":"This control checks whether the VPC transfer server allows only secure protocols.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_security_group_description_for_rules":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_security_group_description_for_rules","org":"turbot","name":"vpc_security_group_description_for_rules","sql":"select\n address as resource,\n case\n when (attributes_std -> 'description') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'description') is null then ' no description defined'\n else ' description defined'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_security_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":145,"endLineNumber":164,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_security_group_description_for_rules","org":"turbot","name":"vpc_security_group_description_for_rules","mod":"Terraform AWS Compliance","title":"VPC security group should have description for rules","description":"One of the best practices when creating security groups in AWS is to add a description to the group for better clarity.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC security group should have description for rules","controlDescription":"One of the best practices when creating security groups in AWS is to add a description to the group for better clarity.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_network_firewall_rule_group_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_firewall_rule_group_encrypted_with_kms_cmk","org":"turbot","name":"vpc_network_firewall_rule_group_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_configuration' ->> 'key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_configuration' ->> 'key_id') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_networkfirewall_rule_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":277,"endLineNumber":296,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_firewall_rule_group_encrypted_with_kms_cmk","org":"turbot","name":"vpc_network_firewall_rule_group_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"VPC network firewall rule group should be encrypted with KMS CMK","description":"This control checks whether the Network Firewall Rule Group is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC network firewall rule group should be encrypted with KMS CMK","controlDescription":"This control checks whether the Network Firewall Rule Group is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_network_firewall_policy_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_firewall_policy_encrypted_with_kms_cmk","org":"turbot","name":"vpc_network_firewall_policy_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_configuration' ->> 'key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_configuration' ->> 'key_id') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_networkfirewall_firewall_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":298,"endLineNumber":317,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_firewall_policy_encrypted_with_kms_cmk","org":"turbot","name":"vpc_network_firewall_policy_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"VPC network firewall policy should define a encryption configuration that uses KMS CMK","description":"This control checks whether the Network Firewall Policy is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC network firewall policy should define a encryption configuration that uses KMS CMK","controlDescription":"This control checks whether the Network Firewall Policy is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_network_firewall_deletion_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_firewall_deletion_protection_enabled","org":"turbot","name":"vpc_network_firewall_deletion_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'delete_protection')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'delete_protection')::boolean is null then ' deletion protection not set'\n when (attributes_std ->> 'delete_protection')::boolean then ' deletion protection enabled'\n else ' deletion protection disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_networkfirewall_firewall';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":319,"endLineNumber":339,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_firewall_deletion_protection_enabled","org":"turbot","name":"vpc_network_firewall_deletion_protection_enabled","mod":"Terraform AWS Compliance","title":"VPC network firewall should have deletion protection enabled","description":"This control checks whether the Network Firewall has deletion protection enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC network firewall should have deletion protection enabled","controlDescription":"This control checks whether the Network Firewall has deletion protection enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_network_acl_rule_restrict_ingress_ports_all":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_acl_rule_restrict_ingress_ports_all","org":"turbot","name":"vpc_network_acl_rule_restrict_ingress_ports_all","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'egress') = 'true' then 'skip'\n when (attributes_std ->> 'rule_action') = 'allow' and (attributes_std -> 'from_port') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'egress') = 'true' then ' is egress rule'\n when (attributes_std ->> 'rule_action') = 'allow' and (attributes_std -> 'from_port') is null then ' allows access to all ports'\n else ' restricts access to all ports'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_network_acl_rule';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":538,"endLineNumber":558,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_acl_rule_restrict_ingress_ports_all","org":"turbot","name":"vpc_network_acl_rule_restrict_ingress_ports_all","mod":"Terraform AWS Compliance","title":"Network ACL ingress rule should not allow access to all ports","description":"This control checks whether the Network ACL ingress rule does not allow access to all ports.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"Network ACL ingress rule should not allow access to all ports","controlDescription":"This control checks whether the Network ACL ingress rule does not allow access to all ports.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_network_firewall_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_firewall_encrypted_with_kms_cmk","org":"turbot","name":"vpc_network_firewall_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_configuration' ->> 'key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_configuration' ->> 'key_id') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_networkfirewall_firewall';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":256,"endLineNumber":275,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_firewall_encrypted_with_kms_cmk","org":"turbot","name":"vpc_network_firewall_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"VPC network firewall should be encrypted with KMS CMK","description":"This control checks whether the Network Firewall is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC network firewall should be encrypted with KMS CMK","controlDescription":"This control checks whether the Network Firewall is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_network_acl_unused":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_acl_unused","org":"turbot","name":"vpc_network_acl_unused","sql":"select\n address as resource,\n case\n when (attributes_std -> 'subnet_ids') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'subnet_ids') is null then ' not associated with subnets'\n else ' associated with ' || (jsonb_array_length(attributes_std -> 'subnet_ids')) || ' subnet(s)'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_network_acl';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":103,"endLineNumber":122,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_acl_unused","org":"turbot","name":"vpc_network_acl_unused","mod":"Terraform AWS Compliance","title":"Unused network access control lists should be removed","description":"This control checks whether there are any unused network access control lists (ACLs). The control checks the item configuration of the resource AWS::EC2::NetworkAcl and determines the relationships of the network ACL.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"Unused network access control lists should be removed","controlDescription":"This control checks whether there are any unused network access control lists (ACLs). The control checks the item configuration of the resource AWS::EC2::NetworkAcl and determines the relationships of the network ACL.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_network_acl_allow_ftp_port_20_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_acl_allow_ftp_port_20_ingress","org":"turbot","name":"vpc_network_acl_allow_ftp_port_20_ingress","sql":"$22","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":362,"endLineNumber":404,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_acl_allow_ftp_port_20_ingress","org":"turbot","name":"vpc_network_acl_allow_ftp_port_20_ingress","mod":"Terraform AWS Compliance","title":"Network ACL should not allow unrestricted FTP port 20 access","description":"This control checks whether the Network ACL allows unrestricted ingress on FTP port 20.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"Network ACL should not allow unrestricted FTP port 20 access","controlDescription":"This control checks whether the Network ACL allows unrestricted ingress on FTP port 20.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_flow_logs_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_flow_logs_enabled","org":"turbot","name":"vpc_flow_logs_enabled","sql":"with flow_logs as (\n select\n attributes_std ->> 'vpc_id' as flow_log_vpc_id\n from\n terraform_resource\n where\n type = 'aws_flow_log'\n), all_vpc as (\n select\n '\\$\\{aws_vpc.' || name || '.id}' as vpc_id,\n *\n from\n terraform_resource\n where\n type = 'aws_vpc'\n)\nselect\n a.address as resource,\n case\n when b.flow_log_vpc_id is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when b.flow_log_vpc_id is not null then ' flow logging enabled'\n else ' flow logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n all_vpc as a\n left join flow_logs as b on a.vpc_id = b.flow_log_vpc_id;\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":46,"endLineNumber":80,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_flow_logs_enabled","org":"turbot","name":"vpc_flow_logs_enabled","mod":"Terraform AWS Compliance","title":"VPC flow logs should be enabled","description":"The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC.","tags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/VPC","soc_2":"true"}}],"controlTitle":"VPC flow logs should be enabled","controlDescription":"The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC.","controlTags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/VPC","soc_2":"true"}},"vpc_network_acl_allow_rdp_port_3389_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_acl_allow_rdp_port_3389_ingress","org":"turbot","name":"vpc_network_acl_allow_rdp_port_3389_ingress","sql":"$23","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":494,"endLineNumber":536,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_acl_allow_rdp_port_3389_ingress","org":"turbot","name":"vpc_network_acl_allow_rdp_port_3389_ingress","mod":"Terraform AWS Compliance","title":"Network ACL should not allow unrestricted RDP port 3389 access","description":"This control checks whether the Network ACL allows unrestricted ingress on RDP port 3389.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"Network ACL should not allow unrestricted RDP port 3389 access","controlDescription":"This control checks whether the Network ACL allows unrestricted ingress on RDP port 3389.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_network_acl_allow_ssh_port_22_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_acl_allow_ssh_port_22_ingress","org":"turbot","name":"vpc_network_acl_allow_ssh_port_22_ingress","sql":"$24","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":450,"endLineNumber":492,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_acl_allow_ssh_port_22_ingress","org":"turbot","name":"vpc_network_acl_allow_ssh_port_22_ingress","mod":"Terraform AWS Compliance","title":"Network ACL should not allow unrestricted SSH port 22 access","description":"This control checks whether the Network ACL allows unrestricted ingress on SSH port 22.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"Network ACL should not allow unrestricted SSH port 22 access","controlDescription":"This control checks whether the Network ACL allows unrestricted ingress on SSH port 22.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_network_acl_allow_ftp_port_21_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_acl_allow_ftp_port_21_ingress","org":"turbot","name":"vpc_network_acl_allow_ftp_port_21_ingress","sql":"$25","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":406,"endLineNumber":448,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_acl_allow_ftp_port_21_ingress","org":"turbot","name":"vpc_network_acl_allow_ftp_port_21_ingress","mod":"Terraform AWS Compliance","title":"Network ACL should not allow unrestricted FTP port 21 access","description":"This control checks whether the Network ACL allows unrestricted ingress on FTP port 21.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"Network ACL should not allow unrestricted FTP port 21 access","controlDescription":"This control checks whether the Network ACL allows unrestricted ingress on FTP port 21.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_ec2_transit_gateway_auto_accept_attachment_requests_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_ec2_transit_gateway_auto_accept_attachment_requests_disabled","org":"turbot","name":"vpc_ec2_transit_gateway_auto_accept_attachment_requests_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'auto_accept_shared_attachments') = 'enable' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'auto_accept_shared_attachments') = 'enable' then ' automatically accept VPC attachment requests'\n else ' do not automatically accept VPC attachment requests'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ec2_transit_gateway';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":341,"endLineNumber":360,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_ec2_transit_gateway_auto_accept_attachment_requests_disabled","org":"turbot","name":"vpc_ec2_transit_gateway_auto_accept_attachment_requests_disabled","mod":"Terraform AWS Compliance","title":"VPC EC2 transit gateway should not automatically accept VPC attachment requests","description":"This control checks whether the EC2 Transit Gateway has auto-accept attachment requests disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC EC2 transit gateway should not automatically accept VPC attachment requests","controlDescription":"This control checks whether the EC2 Transit Gateway has auto-accept attachment requests disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_eip_associated":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_eip_associated","org":"turbot","name":"vpc_eip_associated","sql":"select\n address as resource,\n case\n when (attributes_std -> 'vpc') is null then 'skip'\n when (attributes_std -> 'instance') is not null or (attributes_std -> 'network_interface') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'vpc') is null then ' not associated with VPC'\n when (attributes_std -> 'instance') is not null or (attributes_std -> 'network_interface') is not null then ' associated with an instance or network interface'\n else ' not associated with an instance or network interface'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_eip';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":24,"endLineNumber":44,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_eip_associated","org":"turbot","name":"vpc_eip_associated","mod":"Terraform AWS Compliance","title":"VPC EIPs should be associated with an EC2 instance or ENI","description":"This rule ensures Elastic IPs allocated to an Amazon Virtual Private Cloud (Amazon VPC) are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or in-use Elastic Network Interfaces.","tags":{"category":"Compliance","nist_csf":"true","pci":"true","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC EIPs should be associated with an EC2 instance or ENI","controlDescription":"This rule ensures Elastic IPs allocated to an Amazon Virtual Private Cloud (Amazon VPC) are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or in-use Elastic Network Interfaces.","controlTags":{"category":"Compliance","nist_csf":"true","pci":"true","plugin":"terraform","service":"AWS/VPC"}},"vpc_igw_attached_to_authorized_vpc":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_igw_attached_to_authorized_vpc","org":"turbot","name":"vpc_igw_attached_to_authorized_vpc","sql":"select\n address as resource,\n case\n when name in (select split_part((attributes_std ->> 'vpc_id')::text, '.', 2) from terraform_resource where type = 'aws_internet_gateway') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when name in (select split_part((attributes_std ->> 'vpc_id')::text, '.', 2) from terraform_resource where type = 'aws_internet_gateway') then ' has internet gateway attachment(s)'\n else ' has no internet gateway attachment(s)'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_vpc';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":82,"endLineNumber":101,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_igw_attached_to_authorized_vpc","org":"turbot","name":"vpc_igw_attached_to_authorized_vpc","mod":"Terraform AWS Compliance","title":"VPC internet gateways should be attached to authorized VPC","description":"Manage access to resources in the AWS Cloud by ensuring that internet gateways are only attached to authorized Amazon Virtual Private Cloud (Amazon VPC).","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/VPC"}}],"controlTitle":"VPC internet gateways should be attached to authorized VPC","controlDescription":"Manage access to resources in the AWS Cloud by ensuring that internet gateways are only attached to authorized Amazon Virtual Private Cloud (Amazon VPC).","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/VPC"}},"vpc_endpoint_service_acceptance_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_endpoint_service_acceptance_enabled","org":"turbot","name":"vpc_endpoint_service_acceptance_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'acceptance_required') is null then 'alarm'\n when (attributes_std ->> 'acceptance_required')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'acceptance_required') is null then ' ''acceptance_required'' not defined'\n when (attributes_std ->> 'acceptance_required')::boolean then ' ''acceptance_required'' enabled'\n else ' ''acceptance_required'' disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_vpc_endpoint_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":209,"endLineNumber":230,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_endpoint_service_acceptance_enabled","org":"turbot","name":"vpc_endpoint_service_acceptance_enabled","mod":"Terraform AWS Compliance","title":"VPC endpoint service acceptance should be enabled","description":"This control checks whether the VPC endpoint service acceptance is enabled for manual acceptance.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC endpoint service acceptance should be enabled","controlDescription":"This control checks whether the VPC endpoint service acceptance is enabled for manual acceptance.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_default_security_group_restricts_all_traffic":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_default_security_group_restricts_all_traffic","org":"turbot","name":"vpc_default_security_group_restricts_all_traffic","sql":"select\n address as resource,\n case\n when (attributes_std -> 'egress') is null and (attributes_std -> 'ingress') is null then 'ok'\n else 'alarm'\n end as status,\n case\n when (attributes_std -> 'ingress') is not null and (attributes_std -> 'egress') is not null then 'Default security group ' || split_part(address, '.', 2) || ' has inbound and outbound rules'\n when (attributes_std -> 'ingress') is not null and (attributes_std -> 'egress') is null then 'Default security group ' || split_part(address, '.', 2) || ' has inbound rules'\n when (attributes_std -> 'ingress') is null and (attributes_std -> 'egress') is not null then 'Default security group ' || split_part(address, '.', 2) || ' has outbound rules'\n else 'Default security group ' || split_part(address, '.', 2) || ' has no inbound or outbound rules'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_default_security_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_default_security_group_restricts_all_traffic","org":"turbot","name":"vpc_default_security_group_restricts_all_traffic","mod":"Terraform AWS Compliance","title":"VPC default security group should not allow inbound and outbound traffic","description":"Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources.","tags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/VPC"}}],"controlTitle":"VPC default security group should not allow inbound and outbound traffic","controlDescription":"Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources.","controlTags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/VPC"}}},"object_storage":{"objectstorage_bucket_versioning_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/objectstorage_bucket_versioning_enabled","org":"turbot","name":"objectstorage_bucket_versioning_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'versioning') = 'Enabled'\n then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'versioning') = 'Enabled'\n then ' has versioning enabled'\n else ' has versioning disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_objectstorage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/objectstorage.pp","startLineNumber":45,"endLineNumber":66,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v120_4_1_3","org":"turbot","name":"cis_v120_4_1_3","mod":"Oracle Cloud Infrastructure Compliance","title":"4.1.3 Ensure Versioning is Enabled for Object Storage Buckets","description":"A bucket is a logical container for storing objects. Object versioning is enabled at the bucket level and is disabled by default upon creation. Versioning directs Object Storage to automatically create an object version each time a new object is uploaded, an existing object is overwritten, or when an object is deleted. You can enable object versioning at bucket creation time or later.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.1.3","cis_level":"1","cis_section_id":"4.1","cis_type":"manual","cis_version":"v1.2.0","plugin":"oci","service":"OCI/ObjectStorage"}},{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v200_5_1_3","org":"turbot","name":"cis_v200_5_1_3","mod":"Oracle Cloud Infrastructure Compliance","title":"5.1.3 Ensure Versioning is Enabled for Object Storage Buckets","description":"A bucket is a logical container for storing objects. Object versioning is enabled at the bucket level and is disabled by default upon creation. Versioning directs Object Storage to automatically create an object version each time a new object is uploaded, an existing object is overwritten, or when an object is deleted. You can enable object versioning at bucket creation time or later.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.3","cis_level":"2","cis_section_id":"5.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"oci","service":"OCI/ObjectStorage"}}],"controlTitle":"4.1.3 Ensure Versioning is Enabled for Object Storage Buckets","controlDescription":"A bucket is a logical container for storing objects. Object versioning is enabled at the bucket level and is disabled by default upon creation. Versioning directs Object Storage to automatically create an object version each time a new object is uploaded, an existing object is overwritten, or when an object is deleted. You can enable object versioning at bucket creation time or later.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.3","cis_level":"2","cis_section_id":"5.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"oci","service":"OCI/ObjectStorage"}},"objectstorage_bucket_public_access_blocked":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/objectstorage_bucket_public_access_blocked","org":"turbot","name":"objectstorage_bucket_public_access_blocked","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'access_type') in ('ObjectRead', 'ObjectReadWithoutList')\n then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'access_type') in ('ObjectRead', 'ObjectReadWithoutList')\n then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_objectstorage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/objectstorage.pp","startLineNumber":22,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v110_4_1","org":"turbot","name":"cis_v110_4_1","mod":"Oracle Cloud Infrastructure Compliance","title":"4.1 Ensure no Object Storage buckets are publicly visible","description":"A bucket is a logical container for storing objects. It is associated with a single compartment that has policies that determine what action a user can perform on a bucket and on all the objects in the bucket. It is recommended that no bucket be publicly accessible.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.1","cis_level":"1","cis_section_id":"4","cis_type":"manual","cis_version":"v1.1.0","plugin":"oci","service":"OCI/ObjectStorage"}},{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v120_4_1_1","org":"turbot","name":"cis_v120_4_1_1","mod":"Oracle Cloud Infrastructure Compliance","title":"4.1.1 Ensure no Object Storage buckets are publicly visible","description":"A bucket is a logical container for storing objects. It is associated with a single compartment that has policies that determine what action a user can perform on a bucket and on all the objects in the bucket. It is recommended that no bucket be publicly accessible.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.1.1","cis_level":"1","cis_section_id":"4.1","cis_type":"manual","cis_version":"v1.2.0","plugin":"oci","service":"OCI/ObjectStorage"}},{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v200_5_1_1","org":"turbot","name":"cis_v200_5_1_1","mod":"Oracle Cloud Infrastructure Compliance","title":"5.1.1 Ensure no Object Storage buckets are publicly visible","description":"A bucket is a logical container for storing objects. It is associated with a single compartment that has policies that determine what action a user can perform on a bucket and on all the objects in the bucket. By Default a newly created bucket is private. It is recommended that no bucket be publicly accessible..","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.1","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"oci","service":"OCI/ObjectStorage"}}],"controlTitle":"4.1 Ensure no Object Storage buckets are publicly visible","controlDescription":"A bucket is a logical container for storing objects. It is associated with a single compartment that has policies that determine what action a user can perform on a bucket and on all the objects in the bucket. It is recommended that no bucket be publicly accessible.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.1","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"oci","service":"OCI/ObjectStorage"}},"objectstorage_bucket_object_events_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/objectstorage_bucket_object_events_enabled","org":"turbot","name":"objectstorage_bucket_object_events_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'object_events_enabled')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'object_events_enabled')::bool then ' object events enabled'\n else ' object events disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_objectstorage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/objectstorage.pp","startLineNumber":68,"endLineNumber":87,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.objectstorage_bucket_object_events_enabled","org":"turbot","name":"objectstorage_bucket_object_events_enabled","mod":"Terraform OCI Compliance","title":"Object Storage bucket object events should be enabled","description":"This control checks whether the Object Storage bucket object events are enabled. Object events are used to track object state changes.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/ObjectStorage"}}],"controlTitle":"Object Storage bucket object events should be enabled","controlDescription":"This control checks whether the Object Storage bucket object events are enabled. Object events are used to track object state changes.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/ObjectStorage"}},"objectstorage_bucket_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/objectstorage_bucket_encryption_enabled","org":"turbot","name":"objectstorage_bucket_encryption_enabled","sql":"select\n address as resource,\n case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_objectstorage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/objectstorage.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.objectstorage_bucket_encryption_enabled","org":"turbot","name":"objectstorage_bucket_encryption_enabled","mod":"Terraform OCI Compliance","title":"Object Storage bucket encryption should be enabled","description":"Ensure that the Object storage buckets are encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/ObjectStorage"}}],"controlTitle":"Object Storage bucket encryption should be enabled","controlDescription":"Ensure that the Object storage buckets are encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/ObjectStorage"}}},"identity":{"identity_authentication_password_policy_strong_min_length_14":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/identity_authentication_password_policy_strong_min_length_14","org":"turbot","name":"identity_authentication_password_policy_strong_min_length_14","sql":"$26","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/identity.pp","startLineNumber":1,"endLineNumber":28,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v200_1_4","org":"turbot","name":"cis_v200_1_4","mod":"Oracle Cloud Infrastructure Compliance","title":"1.4 Ensure IAM password policy requires minimum length of 14 or greater","description":"Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a certain length and are composed of certain characters. It is recommended the password policy require a minimum password length 14 characters and contain 1 non-alphabetic character (Number or 'Special Character').","tags":{"category":"Compliance","cis":"true","cis_item_id":"1.4","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v2.0.0","plugin":"oci","service":"OCI/Identity"}},{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v120_1_4","org":"turbot","name":"cis_v120_1_4","mod":"Oracle Cloud Infrastructure Compliance","title":"1.4 Ensure IAM password policy requires minimum length of 14 or greater","description":"Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a certain length and are composed of certain characters. It is recommended the password policy require a minimum password length 14 characters and contain 1 non-alphabetic character (Number or 'Special Character').","tags":{"category":"Compliance","cis":"true","cis_item_id":"1.4","cis_level":"1","cis_section_id":"1","cis_type":"manual","cis_version":"v1.2.0","plugin":"oci","service":"OCI/Identity"}},{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v110_1_4","org":"turbot","name":"cis_v110_1_4","mod":"Oracle Cloud Infrastructure Compliance","title":"1.4 Ensure IAM password policy requires minimum length of 14 or greater","description":"Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a certain length and are composed of certain characters. It is recommended the password policy require a minimum password length 14 characters and contain 1 non-alphabetic character (Number or 'Special Character').","tags":{"category":"Compliance","cis":"true","cis_item_id":"1.4","cis_level":"1","cis_section_id":"1","cis_type":"manual","cis_version":"v1.1.0","plugin":"oci","service":"OCI/Identity"}}],"controlTitle":"1.4 Ensure IAM password policy requires minimum length of 14 or greater","controlDescription":"Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a certain length and are composed of certain characters. It is recommended the password policy require a minimum password length 14 characters and contain 1 non-alphabetic character (Number or 'Special Character').","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"1.4","cis_level":"1","cis_section_id":"1","cis_type":"manual","cis_version":"v1.1.0","plugin":"oci","service":"OCI/Identity"}},"identity_authentication_password_policy_contains_special_characters":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/identity_authentication_password_policy_contains_special_characters","org":"turbot","name":"identity_authentication_password_policy_contains_special_characters","sql":"select\n address as resource,\n case\n when (attributes_std -> 'password_policy' ->> 'is_special_characters_required')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'password_policy' ->> 'is_special_characters_required')::boolean then ' contains special characters'\n else ' does not contain special characters'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_identity_authentication_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/identity.pp","startLineNumber":90,"endLineNumber":108,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.identity_authentication_password_policy_contains_special_characters","org":"turbot","name":"identity_authentication_password_policy_contains_special_characters","mod":"Terraform OCI Compliance","title":"IAM password policy should contain at least one special character","description":"This control checks whether the IAM password policy contains at least one special character.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Identity"}}],"controlTitle":"IAM password policy should contain at least one special character","controlDescription":"This control checks whether the IAM password policy contains at least one special character.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Identity"}},"identity_authentication_password_policy_contains_lowercase_characters":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/identity_authentication_password_policy_contains_lowercase_characters","org":"turbot","name":"identity_authentication_password_policy_contains_lowercase_characters","sql":"select\n address as resource,\n case\n when (attributes_std -> 'password_policy' ->> 'is_lowercase_characters_required')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'password_policy' ->> 'is_lowercase_characters_required')::boolean then ' contains lowercase characters'\n else ' does not contain lowercase characters'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_identity_authentication_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/identity.pp","startLineNumber":30,"endLineNumber":48,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.identity_authentication_password_policy_contains_lowercase_characters","org":"turbot","name":"identity_authentication_password_policy_contains_lowercase_characters","mod":"Terraform OCI Compliance","title":"IAM password policy should contain at least one lowercase character","description":"This control checks whether the IAM password policy contains at least one lowercase character.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Identity"}}],"controlTitle":"IAM password policy should contain at least one lowercase character","controlDescription":"This control checks whether the IAM password policy contains at least one lowercase character.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Identity"}},"identity_authentication_password_policy_contains_uppercase_characters":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/identity_authentication_password_policy_contains_uppercase_characters","org":"turbot","name":"identity_authentication_password_policy_contains_uppercase_characters","sql":"select\n address as resource,\n case\n when (attributes_std -> 'password_policy' ->> 'is_uppercase_characters_required')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'password_policy' ->> 'is_uppercase_characters_required')::boolean then ' contains uppercase characters'\n else ' does not contain uppercase characters'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_identity_authentication_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/identity.pp","startLineNumber":50,"endLineNumber":68,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.identity_authentication_password_policy_contains_uppercase_characters","org":"turbot","name":"identity_authentication_password_policy_contains_uppercase_characters","mod":"Terraform OCI Compliance","title":"IAM password policy should contain at least one uppercase character","description":"This control checks whether the IAM password policy contains at least one uppercase character.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Identity"}}],"controlTitle":"IAM password policy should contain at least one uppercase character","controlDescription":"This control checks whether the IAM password policy contains at least one uppercase character.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Identity"}},"identity_authentication_password_policy_contains_numeric_characters":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/identity_authentication_password_policy_contains_numeric_characters","org":"turbot","name":"identity_authentication_password_policy_contains_numeric_characters","sql":"select\n address as resource,\n case\n when (attributes_std -> 'password_policy' ->> 'is_numeric_characters_required')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'password_policy' ->> 'is_numeric_characters_required')::boolean then ' contains numeric characters'\n else ' does not contain numeric characters'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_identity_authentication_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/identity.pp","startLineNumber":70,"endLineNumber":88,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.identity_authentication_password_policy_contains_numeric_characters","org":"turbot","name":"identity_authentication_password_policy_contains_numeric_characters","mod":"Terraform OCI Compliance","title":"IAM password policy should contain at least one numeric character","description":"This control checks whether the IAM password policy contains at least one numeric character.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Identity"}}],"controlTitle":"IAM password policy should contain at least one numeric character","controlDescription":"This control checks whether the IAM password policy contains at least one numeric character.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Identity"}}},"cloud_guard":{"cloudguard_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/cloudguard_enabled","org":"turbot","name":"cloudguard_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'status') = 'ENABLED' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce((attributes_std ->> 'status'), '') = '' then ' ''status'' is not defined'\n when (attributes_std ->> 'status') = 'ENABLED' then ' CloudGuard enabled'\n else ' CloudGuard disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_cloud_guard_cloud_guard_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudguard.pp","startLineNumber":1,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v120_3_15","org":"turbot","name":"cis_v120_3_15","mod":"Oracle Cloud Infrastructure Compliance","title":"3.15 Ensure Cloud Guard is enabled in the root compartment of the tenancy","description":"Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard can suggest, assist, or take corrective actions to mitigate these issues. Cloud Guard should be enabled in the root compartment of your tenancy with the default configuration, activity detectors and responders.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.15","cis_level":"1","cis_section_id":"3","cis_type":"manual","cis_version":"v1.2.0","plugin":"oci","service":"OCI/CloudGuard"}},{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v110_3_15","org":"turbot","name":"cis_v110_3_15","mod":"Oracle Cloud Infrastructure Compliance","title":"3.15 Ensure Cloud Guard is enabled in the root compartment of the tenancy","description":"Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard can suggest, assist, or take corrective actions to mitigate these issues. Cloud Guard should be enabled in the root compartment of your tenancy with the default configuration, activity detectors and responders.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.15","cis_level":"1","cis_section_id":"3","cis_type":"manual","cis_version":"v1.1.0","plugin":"oci","service":"OCI/CloudGuard"}},{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v200_4_14","org":"turbot","name":"cis_v200_4_14","mod":"Oracle Cloud Infrastructure Compliance","title":"4.14 Ensure Cloud Guard is enabled in the root compartment of the tenancy","description":"Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard can suggest, assist, or take corrective actions to mitigate these issues. Cloud Guard should be enabled in the root compartment of your tenancy with the default configuration, activity detectors and responders.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.14","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v2.0.0","plugin":"oci","service":"OCI/CloudGuard"}}],"controlTitle":"3.15 Ensure Cloud Guard is enabled in the root compartment of the tenancy","controlDescription":"Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard can suggest, assist, or take corrective actions to mitigate these issues. Cloud Guard should be enabled in the root compartment of your tenancy with the default configuration, activity detectors and responders.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.14","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v2.0.0","plugin":"oci","service":"OCI/CloudGuard"}}},"work_spaces":{"workspace_user_volume_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/workspace_user_volume_encryption_at_rest_enabled","org":"turbot","name":"workspace_user_volume_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'root_volume_encryption_enabled')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'root_volume_encryption_enabled')::boolean then ' encrypted at rest'\n else ' not encrypted at rest'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_workspaces_workspace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/workspace.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.workspace_user_volume_encryption_at_rest_enabled","org":"turbot","name":"workspace_user_volume_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"AWS workspaces user volume should be encrypted at rest","description":"Ensure Workspaces being created are set to encrypt user volume at rest.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/WorkSpaces"}}],"controlTitle":"AWS workspaces user volume should be encrypted at rest","controlDescription":"Ensure Workspaces being created are set to encrypt user volume at rest.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/WorkSpaces"}},"workspace_root_volume_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/workspace_root_volume_encryption_at_rest_enabled","org":"turbot","name":"workspace_root_volume_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'user_volume_encryption_enabled')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'user_volume_encryption_enabled')::boolean then ' encrypted at rest'\n else ' not encrypted at rest'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_workspaces_workspace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/workspace.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.workspace_root_volume_encryption_at_rest_enabled","org":"turbot","name":"workspace_root_volume_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"AWS workspaces root volume should be encrypted at rest","description":"Ensure Workspaces being created are set to encrypt root volume at rest.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/WorkSpaces"}}],"controlTitle":"AWS workspaces root volume should be encrypted at rest","controlDescription":"Ensure Workspaces being created are set to encrypt root volume at rest.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/WorkSpaces"}}},"rds":{"memorydb_snapshot_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/memorydb_snapshot_encrypted_with_kms_cmk","org":"turbot","name":"memorydb_snapshot_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_arn') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_arn') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_memorydb_snapshot';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":717,"endLineNumber":736,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.memorydb_snapshot_encrypted_with_kms_cmk","org":"turbot","name":"memorydb_snapshot_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"MemoryDB snapshots should be encrypted with KMS CMK","description":"This control checks whether MemoryDB snapshots are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"MemoryDB snapshots should be encrypted with KMS CMK","controlDescription":"This control checks whether MemoryDB snapshots are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"memorydb_cluster_transit_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/memorydb_cluster_transit_encryption_enabled","org":"turbot","name":"memorydb_cluster_transit_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'tls_enabled') = 'false' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'tls_enabled') = 'false' then ' encryption at transit disabled'\n else ' encryption at transit enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_memorydb_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":759,"endLineNumber":778,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.memorydb_cluster_transit_encryption_enabled","org":"turbot","name":"memorydb_cluster_transit_encryption_enabled","mod":"Terraform AWS Compliance","title":"MemoryDB clusters should have encryption in transit enabled","description":"This control checks whether MemoryDB clusters have encryption in transit enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"MemoryDB clusters should have encryption in transit enabled","controlDescription":"This control checks whether MemoryDB clusters have encryption in transit enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_aurora_backtracking_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_aurora_backtracking_enabled","org":"turbot","name":"rds_db_cluster_aurora_backtracking_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'engine') not like any (array ['%aurora%', '%aurora-mysql%']) then 'skip'\n when (attributes_std -> 'backtrack_window') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'engine') not like any (array ['%aurora%', '%aurora-mysql%']) then ' not Aurora MySQL-compatible edition'\n when (attributes_std -> 'backtrack_window') is not null then ' backtracking enabled'\n else ' backtracking disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_aurora_backtracking_enabled","org":"turbot","name":"rds_db_cluster_aurora_backtracking_enabled","mod":"Terraform AWS Compliance","title":"Amazon Aurora clusters should have backtracking enabled","description":"This control checks whether Amazon Aurora clusters have backtracking enabled. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It does not require a database restore to do so.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"Amazon Aurora clusters should have backtracking enabled","controlDescription":"This control checks whether Amazon Aurora clusters have backtracking enabled. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It does not require a database restore to do so.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"memorydb_cluster_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/memorydb_cluster_encrypted_with_kms_cmk","org":"turbot","name":"memorydb_cluster_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_arn') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_arn') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_memorydb_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":738,"endLineNumber":757,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.memorydb_cluster_encrypted_with_kms_cmk","org":"turbot","name":"memorydb_cluster_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"MemoryDB clusters should be encrypted with KMS CMK","description":"This control checks whether MemoryDB clusters are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"MemoryDB clusters should be encrypted with KMS CMK","controlDescription":"This control checks whether MemoryDB clusters are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_global_cluster_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_global_cluster_encryption_enabled","org":"turbot","name":"rds_global_cluster_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'storage_encrypted')::boolean then 'ok'\n when (attributes_std ->> 'source_db_cluster_identifier') is null then 'info'\n when (attributes_std ->> 'storage_encrypted')::boolean and (attributes_std ->> 'source_db_cluster_identifier') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'storage_encrypted')::boolean then ' enccryption enabled'\n when (attributes_std ->> 'source_db_cluster_identifier') is null then ' DB cluster identifier is not provided of the primary global cluster creation'\n when (attributes_std ->> 'storage_encrypted')::boolean and (attributes_std ->> 'source_db_cluster_identifier') is not null then ' enccryption enabled'\n else ' enccryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_global_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":887,"endLineNumber":910,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_global_cluster_encryption_enabled","org":"turbot","name":"rds_global_cluster_encryption_enabled","mod":"Terraform AWS Compliance","title":"RDS Global Cluster (MySQl & PostgreSQL) should have encryption enabled","description":"This control checks whether RDS Global Cluster (MySQl & PostgreSQL) encryption is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS Global Cluster (MySQl & PostgreSQL) should have encryption enabled","controlDescription":"This control checks whether RDS Global Cluster (MySQl & PostgreSQL) encryption is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_parameter_group_events_subscription":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_parameter_group_events_subscription","org":"turbot","name":"rds_db_parameter_group_events_subscription","sql":"$27","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":641,"endLineNumber":662,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_parameter_group_events_subscription","org":"turbot","name":"rds_db_parameter_group_events_subscription","mod":"Terraform AWS Compliance","title":"An RDS event notifications subscription should be configured for critical database parameter group events","description":"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"An RDS event notifications subscription should be configured for critical database parameter group events","controlDescription":"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_mysql_db_cluster_audit_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_mysql_db_cluster_audit_logging_enabled","org":"turbot","name":"rds_mysql_db_cluster_audit_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'engine')::text not like '%mysql' then 'skip'\n when (attributes_std ->> 'engine')::text like '%mysql' and (attributes_std -> 'enabled_cloudwatch_logs_exports') @> '[\"audit\"]' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'engine')::text not like '%mysql' then ' not a MySQL cluster'\n when (attributes_std ->> 'engine')::text like '%mysql' and (attributes_std -> 'enabled_cloudwatch_logs_exports') @> '[\"audit\"]' then ' audit logging enabled'\n else ' audit logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":864,"endLineNumber":885,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_mysql_db_cluster_audit_logging_enabled","org":"turbot","name":"rds_mysql_db_cluster_audit_logging_enabled","mod":"Terraform AWS Compliance","title":"RDS MySQL DB clusters should have audit logging enabled","description":"This control checks whether Relational Database Service MySQL DB clusters have audit logging enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS MySQL DB clusters should have audit logging enabled","controlDescription":"This control checks whether Relational Database Service MySQL DB clusters have audit logging enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_performance_insights_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_performance_insights_enabled","org":"turbot","name":"rds_db_instance_performance_insights_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'performance_insights_enabled') is null then 'alarm'\n when (attributes_std ->> 'performance_insights_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'performance_insights_enabled') is null then ' performance insights disabled'\n when (attributes_std ->> 'performance_insights_enabled')::boolean then ' performance insights enabled'\n else ' performance insights disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":204,"endLineNumber":225,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_performance_insights_enabled","org":"turbot","name":"rds_db_instance_performance_insights_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instances should have performance insights enabled","description":"This control checks whether Relational Database Service (RDS) instances have performance insights enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB instances should have performance insights enabled","controlDescription":"This control checks whether Relational Database Service (RDS) instances have performance insights enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_security_group_events_subscription":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_security_group_events_subscription","org":"turbot","name":"rds_db_security_group_events_subscription","sql":"$28","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":664,"endLineNumber":692,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_security_group_events_subscription","org":"turbot","name":"rds_db_security_group_events_subscription","mod":"Terraform AWS Compliance","title":"An RDS event notifications subscription should be configured for critical database security group events","description":"This control checks whether RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"An RDS event notifications subscription should be configured for critical database security group events","controlDescription":"This control checks whether RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_logging_enabled","org":"turbot","name":"rds_db_instance_logging_enabled","sql":"$29","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":528,"endLineNumber":593,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_logging_enabled","org":"turbot","name":"rds_db_instance_logging_enabled","mod":"Terraform AWS Compliance","title":"Database logging should be enabled","description":"To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled.","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS","soc_2":"true"}}],"controlTitle":"Database logging should be enabled","controlDescription":"To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled.","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS","soc_2":"true"}},"rds_db_snapshot_copy_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_snapshot_copy_encrypted_with_kms_cmk","org":"turbot","name":"rds_db_snapshot_copy_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_snapshot_copy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":801,"endLineNumber":820,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_snapshot_copy_encrypted_with_kms_cmk","org":"turbot","name":"rds_db_snapshot_copy_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"RDS DB snapshots should be encrypted with KMS CMK","description":"This control checks whether Relational Database Service snapshots are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB snapshots should be encrypted with KMS CMK","controlDescription":"This control checks whether Relational Database Service snapshots are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_prohibit_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_prohibit_public_access","org":"turbot","name":"rds_db_instance_prohibit_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'publicly_accessible') is null then 'ok'\n when (attributes_std -> 'publicly_accessible')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'publicly_accessible') is null then ' not publicly accessible'\n when (attributes_std -> 'publicly_accessible')::boolean then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":618,"endLineNumber":639,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_prohibit_public_access","org":"turbot","name":"rds_db_instance_prohibit_public_access","mod":"Terraform AWS Compliance","title":"RDS DB instances should prohibit public access","description":"Manage access to resources in the AWS Cloud by ensuring that Relational Database Service (RDS) instances are not public.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS","soc_2":"true"}}],"controlTitle":"RDS DB instances should prohibit public access","controlDescription":"Manage access to resources in the AWS Cloud by ensuring that Relational Database Service (RDS) instances are not public.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS","soc_2":"true"}},"rds_db_instance_and_cluster_enhanced_monitoring_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_and_cluster_enhanced_monitoring_enabled","org":"turbot","name":"rds_db_instance_and_cluster_enhanced_monitoring_enabled","sql":"$2a","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":227,"endLineNumber":267,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_and_cluster_enhanced_monitoring_enabled","org":"turbot","name":"rds_db_instance_and_cluster_enhanced_monitoring_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instance and cluster enhanced monitoring should be enabled","description":"Enable Amazon Relational Database Service (Amazon RDS) to help monitor Amazon RDS availability. This provides detailed visibility into the health of your Amazon RDS database instances.","tags":{"aws_foundational_security":"true","category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB instance and cluster enhanced monitoring should be enabled","controlDescription":"Enable Amazon Relational Database Service (Amazon RDS) to help monitor Amazon RDS availability. This provides detailed visibility into the health of your Amazon RDS database instances.","controlTags":{"aws_foundational_security":"true","category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_backup_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_backup_enabled","org":"turbot","name":"rds_db_instance_backup_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'backup_retention_period') is null then 'alarm'\n when (attributes_std -> 'backup_retention_period')::integer < 1 then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'backup_retention_period') is null then ' backup disabled'\n when (attributes_std -> 'backup_retention_period')::integer < 1 then ' backup disabled'\n else ' backup enabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":390,"endLineNumber":411,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_backup_enabled","org":"turbot","name":"rds_db_instance_backup_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instance backup should be enabled","description":"The backup feature of Amazon RDS creates backups of your databases and transaction logs.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS","soc_2":"true"}}],"controlTitle":"RDS DB instance backup should be enabled","controlDescription":"The backup feature of Amazon RDS creates backups of your databases and transaction logs.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS","soc_2":"true"}},"rds_db_cluster_iam_authentication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_iam_authentication_enabled","org":"turbot","name":"rds_db_cluster_iam_authentication_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'iam_database_authentication_enabled') is null then 'alarm'\n when (attributes_std -> 'iam_database_authentication_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'iam_database_authentication_enabled') is null then ' ''iam_database_authentication_enabled'' disabled'\n when (attributes_std -> 'iam_database_authentication_enabled')::bool then ' ''iam_database_authentication_enabled'' enabled'\n else ' ''iam_database_authentication_enabled'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":93,"endLineNumber":114,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_iam_authentication_enabled","org":"turbot","name":"rds_db_cluster_iam_authentication_enabled","mod":"Terraform AWS Compliance","title":"IAM authentication should be configured for RDS clusters","description":"This control checks whether an RDS DB cluster has IAM database authentication enabled. IAM database authentication allows for password-free authentication to database instances. The authentication uses an authentication token. Network traffic to and from the database is encrypted using SSL.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"IAM authentication should be configured for RDS clusters","controlDescription":"This control checks whether an RDS DB cluster has IAM database authentication enabled. IAM database authentication allows for password-free authentication to database instances. The authentication uses an authentication token. Network traffic to and from the database is encrypted using SSL.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_encryption_enabled","org":"turbot","name":"rds_db_cluster_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'storage_encrypted') = 'true' or (attributes_std ->> 'engine_mode') = 'serverless' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'storage_encrypted') = 'true' or (attributes_std ->> 'engine_mode') = 'serverless' then ' encryption enabled'\n else ' encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":843,"endLineNumber":862,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_encryption_enabled","org":"turbot","name":"rds_db_cluster_encryption_enabled","mod":"Terraform AWS Compliance","title":"RDS DB clusters should have encryption at rest enabled","description":"This control checks whether Relational Database Service clusters have encryption at rest enabled.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB clusters should have encryption at rest enabled","controlDescription":"This control checks whether Relational Database Service clusters have encryption at rest enabled.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_multiple_az_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_multiple_az_enabled","org":"turbot","name":"rds_db_instance_multiple_az_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'multi_az') is null then 'alarm'\n when (attributes_std -> 'multi_az')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'multi_az') is null then ' ''multi_az'' disabled'\n when (attributes_std -> 'multi_az')::boolean then ' ''multi_az'' enabled'\n else ' ''multi_az'' disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":595,"endLineNumber":616,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_multiple_az_enabled","org":"turbot","name":"rds_db_instance_multiple_az_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instance multiple az should be enabled","description":"Multi-AZ support in Amazon Relational Database Service (Amazon RDS) provides enhanced availability and durability for database instances.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB instance multiple az should be enabled","controlDescription":"Multi-AZ support in Amazon Relational Database Service (Amazon RDS) provides enhanced availability and durability for database instances.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/RDS"}},"rds_cluster_activity_stream_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_cluster_activity_stream_encrypted_with_kms_cmk","org":"turbot","name":"rds_cluster_activity_stream_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster_activity_stream';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":269,"endLineNumber":288,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_cluster_activity_stream_encrypted_with_kms_cmk","org":"turbot","name":"rds_cluster_activity_stream_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"RDS DB cluster activity stream should be encrypted with KMS CMK","description":"This control checks whether Relational Database Service cluster activity stream is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB cluster activity stream should be encrypted with KMS CMK","controlDescription":"This control checks whether Relational Database Service cluster activity stream is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_events_subscription":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_events_subscription","org":"turbot","name":"rds_db_instance_events_subscription","sql":"$2b","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":482,"endLineNumber":503,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_events_subscription","org":"turbot","name":"rds_db_instance_events_subscription","mod":"Terraform AWS Compliance","title":"An RDS event notifications subscription should be configured for critical database instance events","description":"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"An RDS event notifications subscription should be configured for critical database instance events","controlDescription":"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_multiple_az_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_multiple_az_enabled","org":"turbot","name":"rds_db_cluster_multiple_az_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'multi_az') is null then 'alarm'\n when (attributes_std -> 'multi_az')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'multi_az') is null then ' ''multi_az'' disabled'\n when (attributes_std -> 'multi_az')::boolean then ' ''multi_az'' enabled'\n else ' ''multi_az'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":116,"endLineNumber":137,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_multiple_az_enabled","org":"turbot","name":"rds_db_cluster_multiple_az_enabled","mod":"Terraform AWS Compliance","title":"RDS DB clusters should be configured for multiple Availability Zones","description":"This control checks whether high availability is enabled for your RDS DB clusters. RDS DB clusters should be configured for multiple Availability Zones to ensure availability of the data that is stored.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB clusters should be configured for multiple Availability Zones","controlDescription":"This control checks whether high availability is enabled for your RDS DB clusters. RDS DB clusters should be configured for multiple Availability Zones to ensure availability of the data that is stored.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_copy_tags_to_snapshot_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_copy_tags_to_snapshot_enabled","org":"turbot","name":"rds_db_cluster_copy_tags_to_snapshot_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'copy_tags_to_snapshot') is null then 'alarm'\n when (attributes_std -> 'copy_tags_to_snapshot')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'copy_tags_to_snapshot') is null then ' ''copy_tags_to_snapshot'' disabled'\n when (attributes_std -> 'copy_tags_to_snapshot')::bool then ' ''copy_tags_to_snapshot'' enabled'\n else ' ''copy_tags_to_snapshot'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":24,"endLineNumber":45,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_copy_tags_to_snapshot_enabled","org":"turbot","name":"rds_db_cluster_copy_tags_to_snapshot_enabled","mod":"Terraform AWS Compliance","title":"RDS DB clusters should be configured to copy tags to snapshots","description":"This control checks whether RDS DB clusters are configured to copy all tags to snapshots when the snapshots are created.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB clusters should be configured to copy tags to snapshots","controlDescription":"This control checks whether RDS DB clusters are configured to copy all tags to snapshots when the snapshots are created.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_iam_authentication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_iam_authentication_enabled","org":"turbot","name":"rds_db_instance_iam_authentication_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'iam_database_authentication_enabled') is null then 'alarm'\n when (attributes_std -> 'iam_database_authentication_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'iam_database_authentication_enabled') is null then ' ''iam_database_authentication_enabled'' disabled'\n when (attributes_std -> 'iam_database_authentication_enabled')::bool then ' ''iam_database_authentication_enabled'' enabled'\n else ' ''iam_database_authentication_enabled'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":505,"endLineNumber":526,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_iam_authentication_enabled","org":"turbot","name":"rds_db_instance_iam_authentication_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instances should have iam authentication enabled","description":"Checks if an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS","soc_2":"true"}}],"controlTitle":"RDS DB instances should have iam authentication enabled","controlDescription":"Checks if an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS","soc_2":"true"}},"rds_db_instance_and_cluster_no_default_port":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_and_cluster_no_default_port","org":"turbot","name":"rds_db_instance_and_cluster_no_default_port","sql":"$2c","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":290,"endLineNumber":344,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_and_cluster_no_default_port","org":"turbot","name":"rds_db_instance_and_cluster_no_default_port","mod":"Terraform AWS Compliance","title":"RDS databases and clusters should not use a database engine default port","description":"This control checks whether the RDS cluster or instance uses a port other than the default port of the database engine.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS databases and clusters should not use a database engine default port","controlDescription":"This control checks whether the RDS cluster or instance uses a port other than the default port of the database engine.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_copy_tags_to_snapshot_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_copy_tags_to_snapshot_enabled","org":"turbot","name":"rds_db_instance_copy_tags_to_snapshot_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'copy_tags_to_snapshot') is null then 'alarm'\n when (attributes_std -> 'copy_tags_to_snapshot')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'copy_tags_to_snapshot') is null then ' ''copy_tags_to_snapshot'' disabled'\n when (attributes_std -> 'copy_tags_to_snapshot')::bool then ' ''copy_tags_to_snapshot'' enabled'\n else ' ''copy_tags_to_snapshot'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":413,"endLineNumber":434,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_copy_tags_to_snapshot_enabled","org":"turbot","name":"rds_db_instance_copy_tags_to_snapshot_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instances should be configured to copy tags to snapshots","description":"This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB instances should be configured to copy tags to snapshots","controlDescription":"This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_instance_automatic_minor_version_upgrade_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_instance_automatic_minor_version_upgrade_enabled","org":"turbot","name":"rds_db_cluster_instance_automatic_minor_version_upgrade_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'auto_minor_version_upgrade') = 'false' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'auto_minor_version_upgrade') = 'false' then ' auto minor version upgrade disabled'\n else ' auto minor version upgrade enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":822,"endLineNumber":841,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_instance_automatic_minor_version_upgrade_enabled","org":"turbot","name":"rds_db_cluster_instance_automatic_minor_version_upgrade_enabled","mod":"Terraform AWS Compliance","title":"RDS DB cluster instances should have auto minor version upgrade enabled","description":"This control checks whether Relational Database Service cluster instances have auto minor version upgrade is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB cluster instances should have auto minor version upgrade enabled","controlDescription":"This control checks whether Relational Database Service cluster instances have auto minor version upgrade is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_events_subscription":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_events_subscription","org":"turbot","name":"rds_db_cluster_events_subscription","sql":"$2d","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":70,"endLineNumber":91,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_events_subscription","org":"turbot","name":"rds_db_cluster_events_subscription","mod":"Terraform AWS Compliance","title":"An RDS event notifications subscription should be configured for critical cluster events","description":"This control checks whether an Amazon RDS event subscription exists that has notifications enabled for the following source type, event category key-value pairs.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"An RDS event notifications subscription should be configured for critical cluster events","controlDescription":"This control checks whether an Amazon RDS event subscription exists that has notifications enabled for the following source type, event category key-value pairs.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_performance_insights_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_performance_insights_encrypted_with_kms_cmk","org":"turbot","name":"rds_db_instance_performance_insights_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'performance_insights_kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'performance_insights_kms_key_id') is null then ' performance insights not encrypted with kms key'\n else ' performance insights encrypted with kms key'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":183,"endLineNumber":202,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_performance_insights_encrypted_with_kms_cmk","org":"turbot","name":"rds_db_instance_performance_insights_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"RDS DB instances should have performance insights encrypted with KMS CMK","description":"This control checks whether Relational Database instances have performance insights encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB instances should have performance insights encrypted with KMS CMK","controlDescription":"This control checks whether Relational Database instances have performance insights encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_instance_performance_insights_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_instance_performance_insights_encrypted_with_kms_cmk","org":"turbot","name":"rds_db_cluster_instance_performance_insights_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'performance_insights_kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'performance_insights_kms_key_id') is null then ' performance insights not encrypted with KMS CMK'\n else ' performance insights encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":162,"endLineNumber":181,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_instance_performance_insights_encrypted_with_kms_cmk","org":"turbot","name":"rds_db_cluster_instance_performance_insights_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"RDS DB cluster instances should have performance insights encrypted with KMS CMK","description":"This control checks whether Relational Database cluster instances have performance insights encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB cluster instances should have performance insights encrypted with KMS CMK","controlDescription":"This control checks whether Relational Database cluster instances have performance insights encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_deletion_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_deletion_protection_enabled","org":"turbot","name":"rds_db_instance_deletion_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'deletion_protection') is null then 'alarm'\n when (attributes_std -> 'deletion_protection')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'deletion_protection') is null then ' ''deletion_protection'' disabled'\n when (attributes_std -> 'deletion_protection')::bool then ' ''deletion_protection'' enabled'\n else ' ''deletion_protection'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":436,"endLineNumber":457,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_deletion_protection_enabled","org":"turbot","name":"rds_db_instance_deletion_protection_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instances should have deletion protection enabled","description":"Ensure Relational Database Service (RDS) instances have deletion protection enabled.","tags":{"aws_foundational_security":"true","category":"Compliance","nist_800_53_rev_4":"true","plugin":"terraform","service":"AWS/RDS","soc_2":"true"}}],"controlTitle":"RDS DB instances should have deletion protection enabled","controlDescription":"Ensure Relational Database Service (RDS) instances have deletion protection enabled.","controlTags":{"aws_foundational_security":"true","category":"Compliance","nist_800_53_rev_4":"true","plugin":"terraform","service":"AWS/RDS","soc_2":"true"}},"rds_db_cluster_instance_performance_insights_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_instance_performance_insights_enabled","org":"turbot","name":"rds_db_cluster_instance_performance_insights_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'performance_insights_enabled') is null then 'alarm'\n when (attributes_std -> 'performance_insights_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'performance_insights_enabled') is null then ' performance insights disabled'\n when (attributes_std -> 'performance_insights_enabled')::boolean then ' performance insights enabled'\n else ' performance insights disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":139,"endLineNumber":160,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_instance_performance_insights_enabled","org":"turbot","name":"rds_db_cluster_instance_performance_insights_enabled","mod":"Terraform AWS Compliance","title":"RDS DB cluster instances should have performance insights enabled","description":"This control checks whether Relational Database cluster instances have performance insights enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB cluster instances should have performance insights enabled","controlDescription":"This control checks whether Relational Database cluster instances have performance insights enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_encryption_at_rest_enabled","org":"turbot","name":"rds_db_instance_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'storage_encrypted') is null then 'alarm'\n when (attributes_std -> 'storage_encrypted')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'storage_encrypted') is null then ' not encrypted'\n when (attributes_std -> 'storage_encrypted')::bool then ' encrypted'\n else ' not encrypted'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":459,"endLineNumber":480,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_encryption_at_rest_enabled","org":"turbot","name":"rds_db_instance_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instance encryption at rest should be enabled","description":"To help protect data at rest, ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) instances.","tags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS"}}],"controlTitle":"RDS DB instance encryption at rest should be enabled","controlDescription":"To help protect data at rest, ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) instances.","controlTags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS"}},"rds_db_instance_automatic_minor_version_upgrade_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_automatic_minor_version_upgrade_enabled","org":"turbot","name":"rds_db_instance_automatic_minor_version_upgrade_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'auto_minor_version_upgrade') is null then 'ok'\n when (attributes_std -> 'auto_minor_version_upgrade')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'auto_minor_version_upgrade') is null then ' ''auto_minor_version_upgrade'' enabled'\n when (attributes_std -> 'deletion_protection')::boolean then ' ''auto_minor_version_upgrade'' enabled'\n else ' ''auto_minor_version_upgrade'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":367,"endLineNumber":388,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_automatic_minor_version_upgrade_enabled","org":"turbot","name":"rds_db_instance_automatic_minor_version_upgrade_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instance automatic minor version upgrade should be enabled","description":"Ensure if Amazon Relational Database Service (RDS) database instances are configured for automatic minor version upgrades. The rule is NON_COMPLIANT if the value of 'autoMinorVersionUpgrade' is false.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS"}}],"controlTitle":"RDS DB instance automatic minor version upgrade should be enabled","controlDescription":"Ensure if Amazon Relational Database Service (RDS) database instances are configured for automatic minor version upgrades. The rule is NON_COMPLIANT if the value of 'autoMinorVersionUpgrade' is false.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS"}},"rds_db_snapshot_not_publicly_accesible":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_snapshot_not_publicly_accesible","org":"turbot","name":"rds_db_snapshot_not_publicly_accesible","sql":"select\n address as resource,\n case\n when (attributes_std -> 'shared_accounts') @> '[\"all\"]' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'shared_accounts') @> '[\"all\"]' then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_snapshot';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":780,"endLineNumber":799,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_snapshot_not_publicly_accesible","org":"turbot","name":"rds_db_snapshot_not_publicly_accesible","mod":"Terraform AWS Compliance","title":"RDS DB snapshots should not be publicly accessible","description":"This control checks whether Relational Database Service snapshots are not publicly accessible.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS","soc_2":"true"}}],"controlTitle":"RDS DB snapshots should not be publicly accessible","controlDescription":"This control checks whether Relational Database Service snapshots are not publicly accessible.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS","soc_2":"true"}},"rds_db_instance_uses_recent_ca_certificate":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_uses_recent_ca_certificate","org":"turbot","name":"rds_db_instance_uses_recent_ca_certificate","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'ca_cert_identifier') in ('rds-ca-rsa2048-g1', 'rds-ca-rsa4096-g1', 'rds-ca-ecc384-g1') then 'ok'\n when (attributes_std ->> 'ca_cert_identifier') is null then 'skip'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'ca_cert_identifier') in ('rds-ca-rsa2048-g1', 'rds-ca-rsa4096-g1', 'rds-ca-ecc384-g1') then ' uses recent CA certificate'\n when (attributes_std ->> 'ca_cert_identifier') is null then ' CA certificate not defined'\n else ' uses an old CA certificate'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":694,"endLineNumber":715,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_uses_recent_ca_certificate","org":"turbot","name":"rds_db_instance_uses_recent_ca_certificate","mod":"Terraform AWS Compliance","title":"RDS DB instances should use recent CA certificates","description":"This control checks whether Relational Database Service (RDS) instances use recent CA certificate(s).","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB instances should use recent CA certificates","controlDescription":"This control checks whether Relational Database Service (RDS) instances use recent CA certificate(s).","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_deletion_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_deletion_protection_enabled","org":"turbot","name":"rds_db_cluster_deletion_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'deletion_protection') is null then 'alarm'\n when (attributes_std -> 'deletion_protection')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'deletion_protection') is null then ' ''deletion_protection'' disabled'\n when (attributes_std -> 'deletion_protection')::boolean then ' ''deletion_protection'' enabled'\n else ' ''deletion_protection'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":47,"endLineNumber":68,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_deletion_protection_enabled","org":"turbot","name":"rds_db_cluster_deletion_protection_enabled","mod":"Terraform AWS Compliance","title":"RDS clusters should have deletion protection enabled","description":"This control checks whether RDS clusters have deletion protection enabled. This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful,then you can suppress them.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS clusters should have deletion protection enabled","controlDescription":"This control checks whether RDS clusters have deletion protection enabled. This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful,then you can suppress them.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_encrypted_with_kms_cmk","org":"turbot","name":"rds_db_cluster_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is null then ' is not encrypted with KMS CMK'\n else ' is encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":346,"endLineNumber":365,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_encrypted_with_kms_cmk","org":"turbot","name":"rds_db_cluster_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"RDS DB clusters should be encrypted using KMS CMK","description":"This control checks whether RDS DB clusters are encrypted using KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB clusters should be encrypted using KMS CMK","controlDescription":"This control checks whether RDS DB clusters are encrypted using KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}},"mq":{"mq_broker_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mq_broker_publicly_accessible","org":"turbot","name":"mq_broker_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'publicly_accessible')::bool then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'publicly_accessible')::bool then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_mq_broker';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mqbroker.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mq_broker_publicly_accessible","org":"turbot","name":"mq_broker_publicly_accessible","mod":"Terraform AWS Compliance","title":"MQ Broker should not be publicly accessible","description":"This control checks whether the MQ Broker is publicly accessible. This control is non-compliant if the MQ Broker is publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}}],"controlTitle":"MQ Broker should not be publicly accessible","controlDescription":"This control checks whether the MQ Broker is publicly accessible. This control is non-compliant if the MQ Broker is publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}},"mq_broker_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mq_broker_encrypted_with_kms_cmk","org":"turbot","name":"mq_broker_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'encryption_option' ->> 'use_aws_owned_key')::bool and (attributes_std -> 'encryption_option' ->> 'kms_key_id') is null) then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'encryption_option' ->> 'use_aws_owned_key')::bool and (attributes_std -> 'encryption_option' ->> 'kms_key_id') is null) then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_mq_broker';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mqbroker.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mq_broker_encrypted_with_kms_cmk","org":"turbot","name":"mq_broker_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"MQ Broker should be encrypted with KMS CMK","description":"This control checks whether the MQ Broker is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}}],"controlTitle":"MQ Broker should be encrypted with KMS CMK","controlDescription":"This control checks whether the MQ Broker is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}},"mq_broker_audit_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mq_broker_audit_logging_enabled","org":"turbot","name":"mq_broker_audit_logging_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'engine_type') = 'RabbitMQ') and (attributes_std -> 'logs' ->> 'audit')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'engine_type') = 'RabbitMQ') and (attributes_std -> 'logs' ->> 'audit')::bool is null then ' audit logging enabled'\n else ' audit logging disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_mq_broker';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mqbroker.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mq_broker_audit_logging_enabled","org":"turbot","name":"mq_broker_audit_logging_enabled","mod":"Terraform AWS Compliance","title":"MQ Broker should have audit logging enabled","description":"This control checks whether audit logging is enabled for the MQ Broker.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}}],"controlTitle":"MQ Broker should have audit logging enabled","controlDescription":"This control checks whether audit logging is enabled for the MQ Broker.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}},"mq_broker_currect_broker_version":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mq_broker_currect_broker_version","org":"turbot","name":"mq_broker_currect_broker_version","sql":"$2e","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mqbroker.pp","startLineNumber":106,"endLineNumber":127,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mq_broker_currect_broker_version","org":"turbot","name":"mq_broker_currect_broker_version","mod":"Terraform AWS Compliance","title":"MQ Broker should use correct engine version for their engine type","description":"This control checks whether the MQ Broker uses the correct engine version for their engine type.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}}],"controlTitle":"MQ Broker should use correct engine version for their engine type","controlDescription":"This control checks whether the MQ Broker uses the correct engine version for their engine type.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}},"mq_broker_general_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mq_broker_general_logging_enabled","org":"turbot","name":"mq_broker_general_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logs' ->> 'general')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logs' ->> 'general')::bool is null then ' general logging enabled'\n else ' general logging disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_mq_broker';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mqbroker.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mq_broker_general_logging_enabled","org":"turbot","name":"mq_broker_general_logging_enabled","mod":"Terraform AWS Compliance","title":"MQ Broker should have general logging enabled","description":"This control checks whether general logging is enabled for the MQ Broker.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}}],"controlTitle":"MQ Broker should have general logging enabled","controlDescription":"This control checks whether general logging is enabled for the MQ Broker.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}},"mq_broker_automatic_minor_upgrade_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mq_broker_automatic_minor_upgrade_enabled","org":"turbot","name":"mq_broker_automatic_minor_upgrade_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'auto_minor_version_upgrade')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'auto_minor_version_upgrade')::bool then ' automatic minor version upgrade enabled'\n else ' automatic minor version upgrade disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_mq_broker';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mqbroker.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mq_broker_automatic_minor_upgrade_enabled","org":"turbot","name":"mq_broker_automatic_minor_upgrade_enabled","mod":"Terraform AWS Compliance","title":"MQ Broker should have automatic minor version upgrade enabled","description":"This control checks whether automatic minor version upgrade is enabled for the MQ Broker.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}}],"controlTitle":"MQ Broker should have automatic minor version upgrade enabled","controlDescription":"This control checks whether automatic minor version upgrade is enabled for the MQ Broker.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}}},"mwaa":{"mwaa_environment_webserver_logs_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mwaa_environment_webserver_logs_enabled","org":"turbot","name":"mwaa_environment_webserver_logs_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging_configuration' -> 'webserver_logs' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging_configuration' -> 'webserver_logs' ->> 'enabled')::boolean then ' webserver logs enabled'\n else ' webserver logs disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_mwaa_environment';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mwaa.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mwaa_environment_webserver_logs_enabled","org":"turbot","name":"mwaa_environment_webserver_logs_enabled","mod":"Terraform AWS Compliance","title":"MWAA environment should have webserver logs enabled","description":"This control checks whether MWAA environment has webserver logs enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MWAA"}}],"controlTitle":"MWAA environment should have webserver logs enabled","controlDescription":"This control checks whether MWAA environment has webserver logs enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MWAA"}},"mwaa_environment_worker_logs_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mwaa_environment_worker_logs_enabled","org":"turbot","name":"mwaa_environment_worker_logs_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging_configuration' -> 'worker_logs' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging_configuration' -> 'worker_logs' ->> 'enabled')::boolean then ' worker logs enabled'\n else ' worker logs disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_mwaa_environment';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mwaa.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mwaa_environment_worker_logs_enabled","org":"turbot","name":"mwaa_environment_worker_logs_enabled","mod":"Terraform AWS Compliance","title":"MWAA environment should have worker logs enabled","description":"This control checks whether MWAA environment has worker logs enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MWAA"}}],"controlTitle":"MWAA environment should have worker logs enabled","controlDescription":"This control checks whether MWAA environment has worker logs enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MWAA"}},"mwaa_environment_scheduler_logs_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mwaa_environment_scheduler_logs_enabled","org":"turbot","name":"mwaa_environment_scheduler_logs_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging_configuration' -> 'scheduler_logs' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging_configuration' -> 'scheduler_logs' ->> 'enabled')::boolean then ' scheduler logs enabled'\n else ' scheduler logs disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_mwaa_environment';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mwaa.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mwaa_environment_scheduler_logs_enabled","org":"turbot","name":"mwaa_environment_scheduler_logs_enabled","mod":"Terraform AWS Compliance","title":"MWAA environment should have scheduler logs enabled","description":"This control checks whether MWAA environment has scheduler logs enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MWAA"}}],"controlTitle":"MWAA environment should have scheduler logs enabled","controlDescription":"This control checks whether MWAA environment has scheduler logs enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MWAA"}}},"msk":{"msk_cluster_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/msk_cluster_logging_enabled","org":"turbot","name":"msk_cluster_logging_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'logging_info' -> 'broker_logs' -> 'cloudwatch_logs' ->> 'enabled')::bool or (attributes_std -> 'logging_info' -> 'broker_logs' -> 'firehose' ->> 'enabled')::bool or (attributes_std -> 'logging_info' -> 'broker_logs' -> 's3' ->> 'enabled')::bool) then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'logging_info' -> 'broker_logs' -> 'cloudwatch_logs' ->> 'enabled')::bool or (attributes_std -> 'logging_info' -> 'broker_logs' -> 'firehose' ->> 'enabled')::bool or (attributes_std -> 'logging_info' -> 'broker_logs' -> 's3' ->> 'enabled')::bool) then ' logging enabled'\n else ' logging disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_msk_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/msk.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.msk_cluster_logging_enabled","org":"turbot","name":"msk_cluster_logging_enabled","mod":"Terraform AWS Compliance","title":"MSK Cluster Nodes should have logging enabled","description":"This control checks whether logging is enabled for the MSK Cluster.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MSK"}}],"controlTitle":"MSK Cluster Nodes should have logging enabled","controlDescription":"This control checks whether logging is enabled for the MSK Cluster.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MSK"}},"msk_cluster_nodes_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/msk_cluster_nodes_publicly_accessible","org":"turbot","name":"msk_cluster_nodes_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std -> 'broker_node_group_info' -> 'connectivity_info' -> 'public_access' ->> 'type') = 'SERVICE_PROVIDED_EIPS' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'broker_node_group_info' -> 'connectivity_info' -> 'public_access' ->> 'type') = 'SERVICE_PROVIDED_EIPS' then ' cluster nodes are public'\n else ' cluster nodes are private'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_msk_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/msk.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.msk_cluster_nodes_publicly_accessible","org":"turbot","name":"msk_cluster_nodes_publicly_accessible","mod":"Terraform AWS Compliance","title":"MSK Cluster Nodes should not be publicly accessible","description":"This control checks whether MSK Cluster Nodes are private. This control fails if MSK Cluster Nodes are publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MSK"}}],"controlTitle":"MSK Cluster Nodes should not be publicly accessible","controlDescription":"This control checks whether MSK Cluster Nodes are private. This control fails if MSK Cluster Nodes are publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MSK"}},"msk_cluster_encryption_in_transit_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/msk_cluster_encryption_in_transit_enabled","org":"turbot","name":"msk_cluster_encryption_in_transit_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_info') is null then 'alarm'\n when ((attributes_std -> 'encryption_info' ->> 'client_broker') = 'TLS' and (attributes_std -> 'encryption_info' ->> 'in_cluster')::bool) then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_info') is null then ' not encrypted'\n when ((attributes_std -> 'encryption_info' ->> 'client_broker') = 'TLS' and (attributes_std -> 'encryption_info' ->> 'in_cluster')::bool) then ' encryption in transit enabled'\n else ' encryption in transit disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_msk_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/msk.pp","startLineNumber":43,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.msk_cluster_encryption_in_transit_enabled","org":"turbot","name":"msk_cluster_encryption_in_transit_enabled","mod":"Terraform AWS Compliance","title":"MSK Cluster Nodes should have encryption in transt enabled","description":"This control checks whether the MSK Cluster has encryption in transit enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MSK"}}],"controlTitle":"MSK Cluster Nodes should have encryption in transt enabled","controlDescription":"This control checks whether the MSK Cluster has encryption in transit enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MSK"}},"msk_cluster_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/msk_cluster_encrypted_with_kms_cmk","org":"turbot","name":"msk_cluster_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_at_rest_kms_key_arn') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_at_rest_kms_key_arn') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_msk_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/msk.pp","startLineNumber":66,"endLineNumber":85,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.msk_cluster_encrypted_with_kms_cmk","org":"turbot","name":"msk_cluster_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"MSK Cluster Nodes should have be encrypted with KMS CMK","description":"This control checks whether the MSK Cluster is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MSK"}}],"controlTitle":"MSK Cluster Nodes should have be encrypted with KMS CMK","controlDescription":"This control checks whether the MSK Cluster is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MSK"}}},"lambda":{"lambda_function_variables_no_sensitive_data":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_variables_no_sensitive_data","org":"turbot","name":"lambda_function_variables_no_sensitive_data","sql":"$2f","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":154,"endLineNumber":189,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_variables_no_sensitive_data","org":"turbot","name":"lambda_function_variables_no_sensitive_data","mod":"Terraform AWS Compliance","title":"Lambda functions variable should not have any sensitive data","description":"Ensure functions environment variables is not having any sensitive data. Leveraging Secrets Manager enables secure provisioning of database credentials to Lambda functions while also ensuring the security of databases. This approach eliminates the need to hardcode secrets in code or pass them through environmental variables. Additionally, Secrets Manager facilitates the secure retrieval of credentials for establishing connections to databases and performing queries, enhancing overall security measures.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}}],"controlTitle":"Lambda functions variable should not have any sensitive data","controlDescription":"Ensure functions environment variables is not having any sensitive data. Leveraging Secrets Manager enables secure provisioning of database credentials to Lambda functions while also ensuring the security of databases. This approach eliminates the need to hardcode secrets in code or pass them through environmental variables. Additionally, Secrets Manager facilitates the secure retrieval of credentials for establishing connections to databases and performing queries, enhancing overall security measures.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}},"lambda_function_in_vpc":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_in_vpc","org":"turbot","name":"lambda_function_in_vpc","sql":"select\n address as resource,\n case\n when (attributes_std -> 'vpc_config') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'vpc_config') is null then ' is not in VPC'\n else ' is in VPC'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lambda_function';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":45,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_in_vpc","org":"turbot","name":"lambda_function_in_vpc","mod":"Terraform AWS Compliance","title":"Lambda functions should be in a VPC","description":"Deploy AWS Lambda functions within an Amazon Virtual Private Cloud (Amazon VPC) for a secure communication between a function and other services within the Amazon VPC.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Lambda"}}],"controlTitle":"Lambda functions should be in a VPC","controlDescription":"Deploy AWS Lambda functions within an Amazon Virtual Private Cloud (Amazon VPC) for a secure communication between a function and other services within the Amazon VPC.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Lambda"}},"lambda_function_dead_letter_queue_configured":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_dead_letter_queue_configured","org":"turbot","name":"lambda_function_dead_letter_queue_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'dead_letter_config') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'dead_letter_config') is null then ' not configured with dead-letter queue'\n else ' configured with dead-letter queue'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lambda_function';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":24,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_dead_letter_queue_configured","org":"turbot","name":"lambda_function_dead_letter_queue_configured","mod":"Terraform AWS Compliance","title":"Lambda functions should be configured with a dead-letter queue","description":"Enable this rule to help notify the appropriate personnel through Amazon Simple Queue Service (Amazon SQS) or Amazon Simple Notification Service (Amazon SNS) when a function has failed.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/Lambda","soc_2":"true"}}],"controlTitle":"Lambda functions should be configured with a dead-letter queue","controlDescription":"Enable this rule to help notify the appropriate personnel through Amazon Simple Queue Service (Amazon SQS) or Amazon Simple Notification Service (Amazon SNS) when a function has failed.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/Lambda","soc_2":"true"}},"lambda_permission_restricted_service_permission":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_permission_restricted_service_permission","org":"turbot","name":"lambda_permission_restricted_service_permission","sql":"$30","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":216,"endLineNumber":243,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_permission_restricted_service_permission","org":"turbot","name":"lambda_permission_restricted_service_permission","mod":"Terraform AWS Compliance","title":"Lambda permissions should restrict service permission by source account or source arn","description":"Ensure that Lambda permissions restricts service permission by source account or source arn.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}}],"controlTitle":"Lambda permissions should restrict service permission by source account or source arn","controlDescription":"Ensure that Lambda permissions restricts service permission by source account or source arn.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}},"lambda_function_code_signing_configured":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_code_signing_configured","org":"turbot","name":"lambda_function_code_signing_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'code_signing_config_arn') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'code_signing_config_arn') is null then ' code signing not configured'\n else ' code signing is configured'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lambda_function';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":133,"endLineNumber":152,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_code_signing_configured","org":"turbot","name":"lambda_function_code_signing_configured","mod":"Terraform AWS Compliance","title":"Lambda functions should have code signing configured","description":"This control checks whether code signing is configured for lambda function.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}}],"controlTitle":"Lambda functions should have code signing configured","controlDescription":"This control checks whether code signing is configured for lambda function.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}},"lambda_function_xray_tracing_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_xray_tracing_enabled","org":"turbot","name":"lambda_function_xray_tracing_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'tracing_config') is null then 'alarm'\n when (attributes_std -> 'tracing_config' ->> 'mode') = 'Active' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'tracing_config') is null then ' has X-Ray tracing disabled'\n when (attributes_std -> 'tracing_config' ->> 'mode') = 'Active' then ' has X-Ray tracing enabled'\n else ' has X-Ray tracing disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lambda_function';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":89,"endLineNumber":110,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_xray_tracing_enabled","org":"turbot","name":"lambda_function_xray_tracing_enabled","mod":"Terraform AWS Compliance","title":"Lambda functions xray tracing should be enabled","description":"X-Ray tracing in lambda functions allows you to visualize and troubleshoot errors and performance bottlenecks, and investigate requests that resulted in an error.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}}],"controlTitle":"Lambda functions xray tracing should be enabled","controlDescription":"X-Ray tracing in lambda functions allows you to visualize and troubleshoot errors and performance bottlenecks, and investigate requests that resulted in an error.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}},"lambda_function_concurrent_execution_limit_configured":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_concurrent_execution_limit_configured","org":"turbot","name":"lambda_function_concurrent_execution_limit_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'reserved_concurrent_executions') is null then 'alarm'\n when (attributes_std -> 'reserved_concurrent_executions')::integer = -1 then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'reserved_concurrent_executions') is null then ' function-level concurrent execution limit not configured'\n when (attributes_std -> 'reserved_concurrent_executions')::integer = -1 then ' function-level concurrent execution limit not configured'\n else ' function-level concurrent execution limit configured'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lambda_function';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_concurrent_execution_limit_configured","org":"turbot","name":"lambda_function_concurrent_execution_limit_configured","mod":"Terraform AWS Compliance","title":"Lambda functions concurrent execution limit configured","description":"Checks whether the AWS Lambda function is configured with function-level concurrent execution limit. The control is non complaint if the Lambda function is not configured with function-level concurrent execution limit.","tags":{"category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/Lambda","soc_2":"true"}}],"controlTitle":"Lambda functions concurrent execution limit configured","controlDescription":"Checks whether the AWS Lambda function is configured with function-level concurrent execution limit. The control is non complaint if the Lambda function is not configured with function-level concurrent execution limit.","controlTags":{"category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/Lambda","soc_2":"true"}},"lambda_function_environment_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_environment_encryption_enabled","org":"turbot","name":"lambda_function_environment_encryption_enabled","sql":"$31","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":191,"endLineNumber":214,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_environment_encryption_enabled","org":"turbot","name":"lambda_function_environment_encryption_enabled","mod":"Terraform AWS Compliance","title":"Lambda functions variable encryption should be enabled","description":"Ensure that functions environment variables encryption is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}}],"controlTitle":"Lambda functions variable encryption should be enabled","controlDescription":"Ensure that functions environment variables encryption is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}},"lambda_function_use_latest_runtime":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_use_latest_runtime","org":"turbot","name":"lambda_function_use_latest_runtime","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'runtime') is null then 'skip'\n when (attributes_std ->> 'runtime') in ('nodejs14.x', 'nodejs12.x', 'nodejs10.x', 'python3.8', 'python3.7', 'python3.6', 'ruby2.5', 'ruby2.7', 'java11', 'java8', 'go1.x', 'dotnetcore2.1', 'dotnetcore3.1') then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'runtime') is null then ' runtime not set'\n when (attributes_std ->> 'runtime') in ('nodejs14.x', 'nodejs12.x', 'nodejs10.x', 'python3.8', 'python3.7', 'python3.6', 'ruby2.5', 'ruby2.7', 'java11', 'java8', 'go1.x', 'dotnetcore2.1', 'dotnetcore3.1') then ' uses latest runtime - ' || (attributes_std ->> 'runtime') || '.'\n else ' uses ' || (attributes_std ->> 'runtime')|| ' which is not the latest version.'\n end as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\ntype = 'aws_lambda_function';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":66,"endLineNumber":87,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_use_latest_runtime","org":"turbot","name":"lambda_function_use_latest_runtime","mod":"Terraform AWS Compliance","title":"Lambda functions should use latest runtimes","description":"This control checks that the Lambda function settings for runtimes match the expected values set for the latest runtimes for each supported language. This control checks for the following runtimes: nodejs14.x, nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.7, ruby2.5,java11, java8, go1.x, dotnetcore3.1, dotnetcore2.1.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}}],"controlTitle":"Lambda functions should use latest runtimes","controlDescription":"This control checks that the Lambda function settings for runtimes match the expected values set for the latest runtimes for each supported language. This control checks for the following runtimes: nodejs14.x, nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.7, ruby2.5,java11, java8, go1.x, dotnetcore3.1, dotnetcore2.1.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}},"lambda_function_url_auth_type_configured":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_url_auth_type_configured","org":"turbot","name":"lambda_function_url_auth_type_configured","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'authorization_type') = 'NONE' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'authorization_type') = 'NONE' then ' URLs AuthType is not configured'\n else ' URLs AuthType is configured'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lambda_function_url';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":112,"endLineNumber":131,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_url_auth_type_configured","org":"turbot","name":"lambda_function_url_auth_type_configured","mod":"Terraform AWS Compliance","title":"Lambda functions should not have URLs AuthType as 'None'","description":"This control checks whether lambda function have URL AuthType set to 'None'.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}}],"controlTitle":"Lambda functions should not have URLs AuthType as 'None'","controlDescription":"This control checks whether lambda function have URL AuthType set to 'None'.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}}},"iam":{"iam_account_password_policy_strong_min_length_8":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/iam_account_password_policy_strong_min_length_8","org":"turbot","name":"iam_account_password_policy_strong_min_length_8","sql":"select\n address as resource,\n case\n when\n (attributes_std -> 'minimum_password_length')::integer >= 8\n and (attributes_std -> 'require_lowercase_characters')::bool\n and (attributes_std -> 'require_uppercase_characters')::bool\n and (attributes_std -> 'require_numbers')::bool\n and (attributes_std -> 'require_symbols')::bool\n then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when\n (attributes_std -> 'minimum_password_length')::integer >= 8\n and (attributes_std -> 'require_lowercase_characters')::bool\n and (attributes_std -> 'require_uppercase_characters')::bool\n and (attributes_std -> 'require_numbers')::bool\n and (attributes_std -> 'require_symbols')::bool\n then ' Strong password policies configured'\n else ' Strong password policies not configured'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_account_password_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":133,"endLineNumber":163,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.iam_account_password_policy_strong_min_length_8","org":"turbot","name":"iam_account_password_policy_strong_min_length_8","mod":"Terraform AWS Compliance","title":"Ensure IAM password policy requires a minimum length of 8 or greater","description":"This control checks whether the account password policy for IAM users uses the recommended configurations.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/IAM"}}],"controlTitle":"Ensure IAM password policy requires a minimum length of 8 or greater","controlDescription":"This control checks whether the account password policy for IAM users uses the recommended configurations.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/IAM"}},"iam_account_password_policy_reuse_24":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/iam_account_password_policy_reuse_24","org":"turbot","name":"iam_account_password_policy_reuse_24","sql":"select\n address as resource,\n case\n when (attributes_std -> 'password_reuse_prevention') is null then 'alarm'\n when (attributes_std -> 'password_reuse_prevention')::integer >= 24 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'password_reuse_prevention') is null then ' password reuse prevention not set'\n when (attributes_std -> 'password_reuse_prevention')::integer >= 24 then ' password reuse prevention set to ' || (attributes_std ->> 'password_reuse_prevention') || ' days'\n else ' password reuse prevention set to ' || (attributes_std ->> 'password_reuse_prevention') || ' days'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_account_password_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":111,"endLineNumber":131,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.iam_account_password_policy_reuse_24","org":"turbot","name":"iam_account_password_policy_reuse_24","mod":"Terraform AWS Compliance","title":"Ensure IAM password policy prevents password reuse","description":"This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24. IAM password policies can prevent the reuse of a given password by the same user.","tags":{"category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}}],"controlTitle":"Ensure IAM password policy prevents password reuse","controlDescription":"This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24. IAM password policies can prevent the reuse of a given password by the same user.","controlTags":{"category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}},"iam_password_policy_expire_90":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/iam_password_policy_expire_90","org":"turbot","name":"iam_password_policy_expire_90","sql":"select\n address as resource,\n case\n when (attributes_std -> 'max_password_age') is null then 'alarm'\n when (attributes_std -> 'max_password_age')::integer <= 90 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'max_password_age') is null then ' password expiration not set'\n when (attributes_std -> 'max_password_age')::integer <= 90 then ' password expiration set to ' || (attributes_std ->> 'max_password_age') || ' days'\n else ' password expiration set to ' || (attributes_std ->> 'max_password_age') || ' days'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_account_password_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":199,"endLineNumber":219,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.iam_password_policy_expire_90","org":"turbot","name":"iam_password_policy_expire_90","mod":"Terraform AWS Compliance","title":"Ensure IAM password policy expires passwords within 90 days or less","description":"IAM password policies can require passwords to be rotated or expired after a given number of days. Security Hub recommends that the password policy expire passwords after 90 days or less. Reducing the password lifetime increases account resiliency against brute force login attempts.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}}],"controlTitle":"Ensure IAM password policy expires passwords within 90 days or less","controlDescription":"IAM password policies can require passwords to be rotated or expired after a given number of days. Security Hub recommends that the password policy expire passwords after 90 days or less. Reducing the password lifetime increases account resiliency against brute force login attempts.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}},"iam_account_password_policy_one_lowercase_letter":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/iam_account_password_policy_one_lowercase_letter","org":"turbot","name":"iam_account_password_policy_one_lowercase_letter","sql":"select\n address as resource,\n case\n when (attributes_std -> 'require_lowercase_characters') is null then 'alarm'\n when (attributes_std -> 'require_lowercase_characters')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'require_lowercase_characters') is null then ' lowercase character not set to required'\n when (attributes_std -> 'require_lowercase_characters')::boolean then ' lowercase character set to required'\n else ' lowercase character not set to required'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_account_password_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":23,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.iam_account_password_policy_one_lowercase_letter","org":"turbot","name":"iam_account_password_policy_one_lowercase_letter","mod":"Terraform AWS Compliance","title":"Ensure IAM password policy requires at least one lowercase letter","description":"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one lowercase letter. Setting a password complexity policy increases account resiliency against brute force login attempts.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}}],"controlTitle":"Ensure IAM password policy requires at least one lowercase letter","controlDescription":"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one lowercase letter. Setting a password complexity policy increases account resiliency against brute force login attempts.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}},"iam_account_password_policy_one_symbol":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/iam_account_password_policy_one_symbol","org":"turbot","name":"iam_account_password_policy_one_symbol","sql":"select\n address as resource,\n case\n when (attributes_std -> 'require_symbols') is null then 'alarm'\n when (attributes_std -> 'require_symbols')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'require_symbols') is null then ' symbol not set to required'\n when (attributes_std -> 'require_symbols')::boolean then ' symbol set to required'\n else ' symbol not set to required'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_account_password_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":67,"endLineNumber":87,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.iam_account_password_policy_one_symbol","org":"turbot","name":"iam_account_password_policy_one_symbol","mod":"Terraform AWS Compliance","title":"Ensure IAM password policy requires at least one symbol","description":"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one symbol. Setting a password complexity policy increases account resiliency against brute force login attempts.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}}],"controlTitle":"Ensure IAM password policy requires at least one symbol","controlDescription":"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one symbol. Setting a password complexity policy increases account resiliency against brute force login attempts.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}},"iam_account_password_policy_min_length_14":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/iam_account_password_policy_min_length_14","org":"turbot","name":"iam_account_password_policy_min_length_14","sql":"select\n address as resource,\n case\n when (attributes_std -> 'minimum_password_length') is null then 'alarm'\n when (attributes_std -> 'minimum_password_length')::integer >= 14 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'minimum_password_length') is null then ' ''minimum_password_length'' is not defined'\n when (attributes_std -> 'minimum_password_length')::integer >= 14 then ' ''minimum_password_length'' is set and greater than 14'\n else ' ''minimum_password_length'' is set and less than 14'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_account_password_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":1,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.iam_account_password_policy_min_length_14","org":"turbot","name":"iam_account_password_policy_min_length_14","mod":"Terraform AWS Compliance","title":"Ensure IAM password policy requires minimum length of 14 or greate","description":"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14.","tags":{"category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}}],"controlTitle":"Ensure IAM password policy requires minimum length of 14 or greate","controlDescription":"Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14.","controlTags":{"category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}},"iam_account_password_policy_one_number":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/iam_account_password_policy_one_number","org":"turbot","name":"iam_account_password_policy_one_number","sql":"select\n address as resource,\n case\n when (attributes_std -> 'require_numbers') is null then 'alarm'\n when (attributes_std -> 'require_numbers')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'require_numbers') is null then ' number not set to required'\n when (attributes_std -> 'require_numbers')::bool then ' number set to required'\n else ' number not set to required'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_account_password_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":45,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.iam_account_password_policy_one_number","org":"turbot","name":"iam_account_password_policy_one_number","mod":"Terraform AWS Compliance","title":"Ensure IAM password policy requires at least one number","description":"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}}],"controlTitle":"Ensure IAM password policy requires at least one number","controlDescription":"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}},"iam_account_password_policy_strong":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/iam_account_password_policy_strong","org":"turbot","name":"iam_account_password_policy_strong","sql":"$32","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":165,"endLineNumber":197,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.iam_account_password_policy_strong","org":"turbot","name":"iam_account_password_policy_strong","mod":"Terraform AWS Compliance","title":"Password policies for IAM users should have strong configurations","description":"This control checks whether the account password policy for IAM users have strong configurations.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/IAM"}}],"controlTitle":"Password policies for IAM users should have strong configurations","controlDescription":"This control checks whether the account password policy for IAM users have strong configurations.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/IAM"}},"iam_account_password_policy_one_uppercase_letter":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/iam_account_password_policy_one_uppercase_letter","org":"turbot","name":"iam_account_password_policy_one_uppercase_letter","sql":"select\n address as resource,\n case\n when (attributes_std -> 'require_uppercase_characters') is null then 'alarm'\n when (attributes_std -> 'require_uppercase_characters')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'require_uppercase_characters') is null then ' ''require_uppercase_characters'' not defined'\n when (attributes_std -> 'require_uppercase_characters')::boolean then ' uppercase characters set to required'\n else ' uppercase characters not set to required'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_account_password_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":89,"endLineNumber":109,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.iam_account_password_policy_one_uppercase_letter","org":"turbot","name":"iam_account_password_policy_one_uppercase_letter","mod":"Terraform AWS Compliance","title":"Ensure IAM password policy requires at least one uppercase letter","description":"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}}],"controlTitle":"Ensure IAM password policy requires at least one uppercase letter","controlDescription":"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}},"iam_no_custom_subscription_owner_roles_created":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/iam_no_custom_subscription_owner_roles_created","org":"turbot","name":"iam_no_custom_subscription_owner_roles_created","sql":"select\n address as resource,\n case\n when (attributes_std -> 'permissions' -> 'actions') @> '[\"*\"]' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'permissions' -> 'actions') @> '[\"*\"]' then 'has custom owner roles'\n else ' does not have custom owner roles'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_role_definition';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.iam_no_custom_subscription_owner_roles_created","org":"turbot","name":"iam_no_custom_subscription_owner_roles_created","mod":"Terraform Azure Compliance","title":"Custom subscription administrator roles should not exist","description":"The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/IAM"}}],"controlTitle":"Custom subscription administrator roles should not exist","controlDescription":"The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/IAM"}},"iam_project_use_basic_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_project_use_basic_role","org":"turbot","name":"iam_project_use_basic_role","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'role') like any (array ['roles/owner', 'roles/editor', 'roles/viewer']) then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'role') like any (array ['roles/owner', 'roles/editor', 'roles/viewer']) then ' uses basic role'\n else ' does not use basic role'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_project_iam_member', 'google_project_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":21,"endLineNumber":39,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_project_use_basic_role","org":"turbot","name":"iam_project_use_basic_role","mod":"Terraform GCP Compliance","title":"Ensure basic roles are not used at project level","description":"This control checks that basic roles are not used at the project level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure basic roles are not used at project level","controlDescription":"This control checks that basic roles are not used at the project level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_folder_use_basic_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_folder_use_basic_role","org":"turbot","name":"iam_folder_use_basic_role","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'role') like any (array ['roles/owner', 'roles/editor', 'roles/viewer']) then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'role') like any (array ['roles/owner', 'roles/editor', 'roles/viewer']) then ' uses basic role'\n else ' does not use basic role'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_folder_iam_member', 'google_folder_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":181,"endLineNumber":199,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_folder_use_basic_role","org":"turbot","name":"iam_folder_use_basic_role","mod":"Terraform GCP Compliance","title":"Ensure basic roles are not used at folder level","description":"This control checks that basic roles are not used at folder level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure basic roles are not used at folder level","controlDescription":"This control checks that basic roles are not used at folder level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_organization_use_default_service_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_organization_use_default_service_role","org":"turbot","name":"iam_organization_use_default_service_role","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'members') like any (array ['%@developer.gserviceaccount.com', '%@appspot.gserviceaccount.com']) or (attributes_std ->> 'member') like '%@developer.gserviceaccount.com' or (attributes_std ->> 'member') like '%@appspot.gserviceaccount.com') then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'members') like any (array ['%@developer.gserviceaccount.com', '%@appspot.gserviceaccount.com']) or (attributes_std ->> 'member') like '%@developer.gserviceaccount.com' or (attributes_std ->> 'member') like '%@appspot.gserviceaccount.com') then ' uses default service account role'\n else ' does not use default service account role'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_organization_iam_member', 'google_organization_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":161,"endLineNumber":179,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_organization_use_default_service_role","org":"turbot","name":"iam_organization_use_default_service_role","mod":"Terraform GCP Compliance","title":"Ensure Default Service account is not used at a organization level","description":"This control checks that Default Service account is not used at an organization level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure Default Service account is not used at a organization level","controlDescription":"This control checks that Default Service account is not used at an organization level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_workload_identity_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_workload_identity_restricted","org":"turbot","name":"iam_workload_identity_restricted","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'attribute_condition') is null or (attributes_std ->> 'attribute_condition') = '' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'attribute_condition') is null or (attributes_std ->> 'attribute_condition') = '' then ' attribute condition does not exist'\n else ' attribute condition exists'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_iam_workload_identity_pool_provider';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":241,"endLineNumber":260,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_workload_identity_restricted","org":"turbot","name":"iam_workload_identity_restricted","mod":"Terraform GCP Compliance","title":"IAM workload identity pool provider should be restricted","description":"This control checks whether the IAM workload identity pool provider is restricted.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"IAM workload identity pool provider should be restricted","controlDescription":"This control checks whether the IAM workload identity pool provider is restricted.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_project_use_default_service_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_project_use_default_service_role","org":"turbot","name":"iam_project_use_default_service_role","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'members') like any (array ['%@developer.gserviceaccount.com', '%@appspot.gserviceaccount.com']) or (attributes_std ->> 'member') like '%@developer.gserviceaccount.com' or (attributes_std ->> 'member') like '%@appspot.gserviceaccount.com') then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'members') like any (array ['%@developer.gserviceaccount.com', '%@appspot.gserviceaccount.com']) or (attributes_std ->> 'member') like '%@developer.gserviceaccount.com' or (attributes_std ->> 'member') like '%@appspot.gserviceaccount.com') then ' uses default service account role'\n else ' does not use default service account role'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_project_iam_member', 'google_project_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":141,"endLineNumber":159,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_project_use_default_service_role","org":"turbot","name":"iam_project_use_default_service_role","mod":"Terraform GCP Compliance","title":"Ensure Default Service account is not used at a project level","description":"This control checks that the Default Service account is not used at a project level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure Default Service account is not used at a project level","controlDescription":"This control checks that the Default Service account is not used at a project level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_project_no_service_account_token_creator_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_project_no_service_account_token_creator_role","org":"turbot","name":"iam_project_no_service_account_token_creator_role","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'role') like any (array ['roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator']) then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'role') like any (array ['roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator']) then ' service account roles assigned'\n else ' no service account roles assigned'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_project_iam_member', 'google_project_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":121,"endLineNumber":139,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_project_no_service_account_token_creator_role","org":"turbot","name":"iam_project_no_service_account_token_creator_role","mod":"Terraform GCP Compliance","title":"Ensure that users are not assigned the Service Account User or Service Account Token Creator roles at project level","description":"This control checks that users are not assigned the Service Account User or Service Account Token Creator roles at the project level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure that users are not assigned the Service Account User or Service Account Token Creator roles at project level","controlDescription":"This control checks that users are not assigned the Service Account User or Service Account Token Creator roles at the project level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_organization_use_basic_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_organization_use_basic_role","org":"turbot","name":"iam_organization_use_basic_role","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'role') like any (array ['roles/owner', 'roles/editor', 'roles/viewer']) then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'role') like any (array ['roles/owner', 'roles/editor', 'roles/viewer']) then ' uses basic role'\n else ' does not use basic role'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_organization_iam_member', 'google_organization_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":41,"endLineNumber":59,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_organization_use_basic_role","org":"turbot","name":"iam_organization_use_basic_role","mod":"Terraform GCP Compliance","title":"Ensure basic roles are not used at organization level","description":"This control checks that basic roles are not used at the organization level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure basic roles are not used at organization level","controlDescription":"This control checks that basic roles are not used at the organization level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_project_impersonation_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_project_impersonation_role","org":"turbot","name":"iam_project_impersonation_role","sql":"$33","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":81,"endLineNumber":99,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_project_impersonation_role","org":"turbot","name":"iam_project_impersonation_role","mod":"Terraform GCP Compliance","title":"Ensure roles do not impersonate or manage Service Accounts used at project level","description":"This control checks roles do not impersonate or manage Service Accounts used at project level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure roles do not impersonate or manage Service Accounts used at project level","controlDescription":"This control checks roles do not impersonate or manage Service Accounts used at project level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_folder_use_default_service_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_folder_use_default_service_role","org":"turbot","name":"iam_folder_use_default_service_role","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'members') like any (array ['%@developer.gserviceaccount.com', '%@appspot.gserviceaccount.com']) or (attributes_std ->> 'member') like '%@developer.gserviceaccount.com' or (attributes_std ->> 'member') like '%@appspot.gserviceaccount.com') then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'members') like any (array ['%@developer.gserviceaccount.com', '%@appspot.gserviceaccount.com']) or (attributes_std ->> 'member') like '%@developer.gserviceaccount.com' or (attributes_std ->> 'member') like '%@appspot.gserviceaccount.com') then ' uses default service account role'\n else ' does not use default service account role'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_folder_iam_member', 'google_folder_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":221,"endLineNumber":239,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_folder_use_default_service_role","org":"turbot","name":"iam_folder_use_default_service_role","mod":"Terraform GCP Compliance","title":"Ensure Default Service account is not used at a folder level","description":"This control checks that the Default Service account is not used at a folder level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure Default Service account is not used at a folder level","controlDescription":"This control checks that the Default Service account is not used at a folder level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_organization_impersonation_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_organization_impersonation_role","org":"turbot","name":"iam_organization_impersonation_role","sql":"$34","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":101,"endLineNumber":119,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_organization_impersonation_role","org":"turbot","name":"iam_organization_impersonation_role","mod":"Terraform GCP Compliance","title":"Ensure roles do not impersonate or manage Service Accounts used at organization level","description":"This control checks that roles do not impersonate or manage Service Accounts used at organization level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure roles do not impersonate or manage Service Accounts used at organization level","controlDescription":"This control checks that roles do not impersonate or manage Service Accounts used at organization level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_service_account_gcp_managed_key":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_service_account_gcp_managed_key","org":"turbot","name":"iam_service_account_gcp_managed_key","sql":"select\n address as resource,\n case\n when name in (select split_part((attributes_std ->> 'service_account_id'), '.', 2) from terraform_resource where type = 'google_service_account_key') then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when name in (select split_part((attributes_std ->> 'service_account_id'), '.', 2) from terraform_resource where type = 'google_service_account_key') then ' has user-managed keys'\n else ' does not have user-managed keys'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_service_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_service_account_gcp_managed_key","org":"turbot","name":"iam_service_account_gcp_managed_key","mod":"Terraform GCP Compliance","title":"Ensure that there are only GCP-managed service account keys for each service account","description":"User-managed service accounts should not have user-managed keys. It is recommended that only GCP-managed service account keys are used for each service account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"1.4","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure that there are only GCP-managed service account keys for each service account","controlDescription":"User-managed service accounts should not have user-managed keys. It is recommended that only GCP-managed service account keys are used for each service account.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"1.4","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/IAM"}},"iam_folder_impersonation_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_folder_impersonation_role","org":"turbot","name":"iam_folder_impersonation_role","sql":"$35","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":201,"endLineNumber":219,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_folder_impersonation_role","org":"turbot","name":"iam_folder_impersonation_role","mod":"Terraform GCP Compliance","title":"Ensure roles do not impersonate or manage Service Accounts used at folder level","description":"This control checks that roles do not impersonate or manage Service Accounts used at folder level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure roles do not impersonate or manage Service Accounts used at folder level","controlDescription":"This control checks that roles do not impersonate or manage Service Accounts used at folder level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_service_account_no_admin_priviledge":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_service_account_no_admin_priviledge","org":"turbot","name":"iam_service_account_no_admin_priviledge","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'member') like '%.iam.gserviceaccount.com$' and (attributes_std ->> 'role') like any (array ['roles/Admin', 'roles/admin', 'roles/owner', 'roles/editor']) then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'member') like '%.iam.gserviceaccount.com$' and (attributes_std ->> 'role') like any (array ['roles/Admin', 'roles/admin', 'roles/owner', 'roles/editor']) then ' has admin privileges'\n else ' does not have admin privileges'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_project_iam_member';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":61,"endLineNumber":79,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_service_account_no_admin_priviledge","org":"turbot","name":"iam_service_account_no_admin_priviledge","mod":"Terraform GCP Compliance","title":"Ensure that Service Account has no admin privileges","description":"This control checks that Service Account has no admin privileges.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure that Service Account has no admin privileges","controlDescription":"This control checks that Service Account has no admin privileges.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}},"kinesis":{"kinesis_stream_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/kinesis_stream_encryption_at_rest_enabled","org":"turbot","name":"kinesis_stream_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'encryption_type') = 'KMS' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'encryption_type') = 'KMS' then ' encrypted aty rest'\n else ' not encrypted at rest'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_kinesis_stream';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kinesis.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.kinesis_stream_encryption_at_rest_enabled","org":"turbot","name":"kinesis_stream_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"Kinesis stream encryption at rest should be enabled","description":"Ensure Kinesis streams are set to be encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}}],"controlTitle":"Kinesis stream encryption at rest should be enabled","controlDescription":"Ensure Kinesis streams are set to be encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}},"kinesis_firehose_delivery_stream_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/kinesis_firehose_delivery_stream_encrypted_with_kms_cmk","org":"turbot","name":"kinesis_firehose_delivery_stream_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'server_side_encryption' ->> 'key_type') = 'CUSTOMER_MANAGED_CMK' and (attributes_std -> 'server_side_encryption' ->> 'key_arn') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'server_side_encryption' ->> 'key_type') = 'CUSTOMER_MANAGED_CMK' and (attributes_std -> 'server_side_encryption' ->> 'key_arn') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_kinesis_firehose_delivery_stream';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kinesis.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.kinesis_firehose_delivery_stream_encrypted_with_kms_cmk","org":"turbot","name":"kinesis_firehose_delivery_stream_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Kinesis firehose delivery streams should be encrypted with KMS CMK","description":"This control checks whether Kinesis Firehose Delivery Streams are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}}],"controlTitle":"Kinesis firehose delivery streams should be encrypted with KMS CMK","controlDescription":"This control checks whether Kinesis Firehose Delivery Streams are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}},"kinesis_stream_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/kinesis_stream_encrypted_with_kms_cmk","org":"turbot","name":"kinesis_stream_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_kinesis_stream';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kinesis.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.kinesis_stream_encrypted_with_kms_cmk","org":"turbot","name":"kinesis_stream_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Kinesis streams should be encrypted with KMS CMK","description":"This control checks whether Kinesis Streams are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}}],"controlTitle":"Kinesis streams should be encrypted with KMS CMK","controlDescription":"This control checks whether Kinesis Streams are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}},"kinesis_firehose_delivery_stream_server_side_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/kinesis_firehose_delivery_stream_server_side_encryption_enabled","org":"turbot","name":"kinesis_firehose_delivery_stream_server_side_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'server_side_encryption' ->> 'enabled') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'server_side_encryption' ->> 'enabled') = 'true' then ' server side encryption enabled'\n else ' server side encryption disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_kinesis_firehose_delivery_stream';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kinesis.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.kinesis_firehose_delivery_stream_server_side_encryption_enabled","org":"turbot","name":"kinesis_firehose_delivery_stream_server_side_encryption_enabled","mod":"Terraform AWS Compliance","title":"Kinesis firehose delivery streams should have server side encryption enabled","description":"Enable server-side-encryption (SSE) of your AWS Kinesis Server data at rest, in order to protect your data and metadata from breaches or unauthorized access, and fulfill compliance requirements for data-at-rest encryption within your organization.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}}],"controlTitle":"Kinesis firehose delivery streams should have server side encryption enabled","controlDescription":"Enable server-side-encryption (SSE) of your AWS Kinesis Server data at rest, in order to protect your data and metadata from breaches or unauthorized access, and fulfill compliance requirements for data-at-rest encryption within your organization.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}},"kinesis_video_stream_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/kinesis_video_stream_encrypted_with_kms_cmk","org":"turbot","name":"kinesis_video_stream_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_kinesis_video_stream';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kinesis.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.kinesis_video_stream_encrypted_with_kms_cmk","org":"turbot","name":"kinesis_video_stream_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Kinesis vidoe streams should be encrypted with KMS CMK","description":"This control checks whether Kinesis Video Streams are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}}],"controlTitle":"Kinesis vidoe streams should be encrypted with KMS CMK","controlDescription":"This control checks whether Kinesis Video Streams are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}}},"glue":{"glue_security_configuration_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/glue_security_configuration_encryption_enabled","org":"turbot","name":"glue_security_configuration_encryption_enabled","sql":"$36","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/glue.pp","startLineNumber":90,"endLineNumber":118,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.glue_security_configuration_encryption_enabled","org":"turbot","name":"glue_security_configuration_encryption_enabled","mod":"Terraform AWS Compliance","title":"Glue security configuration encryption should be enabled","description":"This control checks whether Glue security configuration encryption is enabled. This control is non-complaint if Glue security configuration encryption is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}}],"controlTitle":"Glue security configuration encryption should be enabled","controlDescription":"This control checks whether Glue security configuration encryption is enabled. This control is non-complaint if Glue security configuration encryption is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}},"glue_job_security_configuration_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/glue_job_security_configuration_enabled","org":"turbot","name":"glue_job_security_configuration_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'security_configuration') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'security_configuration') is null then ' security configuration disabled'\n else ' security configuration enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_glue_job';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/glue.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.glue_job_security_configuration_enabled","org":"turbot","name":"glue_job_security_configuration_enabled","mod":"Terraform AWS Compliance","title":"Glue job security configuration should be enabled","description":"This control checks whether the security configuration is enabled for the Glue job.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}}],"controlTitle":"Glue job security configuration should be enabled","controlDescription":"This control checks whether the security configuration is enabled for the Glue job.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}},"glue_data_catalog_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/glue_data_catalog_encryption_enabled","org":"turbot","name":"glue_data_catalog_encryption_enabled","sql":"$37","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/glue.pp","startLineNumber":64,"endLineNumber":88,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.glue_data_catalog_encryption_enabled","org":"turbot","name":"glue_data_catalog_encryption_enabled","mod":"Terraform AWS Compliance","title":"Glue data catalog encryption should be enabled","description":"This control checks whether Glue data catalog encryption is enabled. This control is non-complaint if data catalog encryption is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}}],"controlTitle":"Glue data catalog encryption should be enabled","controlDescription":"This control checks whether Glue data catalog encryption is enabled. This control is non-complaint if data catalog encryption is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}},"glue_dev_endpoint_security_configuration_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/glue_dev_endpoint_security_configuration_enabled","org":"turbot","name":"glue_dev_endpoint_security_configuration_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'security_configuration') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'security_configuration') is null then ' security configuration disabled'\n else ' security configuration enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_glue_dev_endpoint';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/glue.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.glue_dev_endpoint_security_configuration_enabled","org":"turbot","name":"glue_dev_endpoint_security_configuration_enabled","mod":"Terraform AWS Compliance","title":"Glue dev endpoint security configuration should be enabled","description":"This control checks whether the security configuration is enabled for the Glue dev endpoint.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}}],"controlTitle":"Glue dev endpoint security configuration should be enabled","controlDescription":"This control checks whether the security configuration is enabled for the Glue dev endpoint.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}},"glue_crawler_security_configuration_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/glue_crawler_security_configuration_enabled","org":"turbot","name":"glue_crawler_security_configuration_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'security_configuration') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'security_configuration') is null then ' security configuration disabled'\n else ' security configuration enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_glue_crawler';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/glue.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.glue_crawler_security_configuration_enabled","org":"turbot","name":"glue_crawler_security_configuration_enabled","mod":"Terraform AWS Compliance","title":"Glue crawler security configuration should be enabled","description":"This control checks whether the security configuration is enabled for the Glue crawler.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}}],"controlTitle":"Glue crawler security configuration should be enabled","controlDescription":"This control checks whether the security configuration is enabled for the Glue crawler.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}}},"f_sx":{"fsx_windows_file_system_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/fsx_windows_file_system_encrypted_with_kms_cmk","org":"turbot","name":"fsx_windows_file_system_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is null then ' is not encrypted with KMS CMK'\n else ' is encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_fsx_windows_file_system';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/fsx.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.fsx_windows_file_system_encrypted_with_kms_cmk","org":"turbot","name":"fsx_windows_file_system_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"FSx Windows File System should be encrypted with KMS CMK","description":"This control checks whether FSx windows file system is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/FSx"}}],"controlTitle":"FSx Windows File System should be encrypted with KMS CMK","controlDescription":"This control checks whether FSx windows file system is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/FSx"}},"fsx_lustre_file_system_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/fsx_lustre_file_system_encrypted_with_kms_cmk","org":"turbot","name":"fsx_lustre_file_system_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is null then ' is not encrypted with KMS CMK'\n else ' is encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_fsx_lustre_file_system';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/fsx.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.fsx_lustre_file_system_encrypted_with_kms_cmk","org":"turbot","name":"fsx_lustre_file_system_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"FSx Lustre File System should be encrypted with KMS CMK","description":"This control checks whether FSx lustre file system is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/FSx"}}],"controlTitle":"FSx Lustre File System should be encrypted with KMS CMK","controlDescription":"This control checks whether FSx lustre file system is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/FSx"}},"fsx_ontap_file_system_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/fsx_ontap_file_system_encrypted_with_kms_cmk","org":"turbot","name":"fsx_ontap_file_system_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is null then ' is not encrypted with KMS CMK'\n else ' is encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_fsx_ontap_file_system';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/fsx.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.fsx_ontap_file_system_encrypted_with_kms_cmk","org":"turbot","name":"fsx_ontap_file_system_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"FSx ONTAP File System should be encrypted with KMS CMK","description":"This control checks whether FSx ontap file system is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/FSx"}}],"controlTitle":"FSx ONTAP File System should be encrypted with KMS CMK","controlDescription":"This control checks whether FSx ontap file system is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/FSx"}},"fsx_openzfs_file_system_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/fsx_openzfs_file_system_encrypted_with_kms_cmk","org":"turbot","name":"fsx_openzfs_file_system_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is null then ' is not encrypted with KMS CMK'\n else ' is encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_fsx_openzfs_file_system';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/fsx.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.fsx_openzfs_file_system_encrypted_with_kms_cmk","org":"turbot","name":"fsx_openzfs_file_system_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"FSx OpenZFS File System should be encrypted with KMS CMK","description":"This control checks whether FSx openzfs file system is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/FSx"}}],"controlTitle":"FSx OpenZFS File System should be encrypted with KMS CMK","controlDescription":"This control checks whether FSx openzfs file system is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/FSx"}}},"open_search":{"opensearch_domain_use_default_security_group":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/opensearch_domain_use_default_security_group","org":"turbot","name":"opensearch_domain_use_default_security_group","sql":"select\n address as resource,\n case\n when (attributes_std -> 'vpc_options' ->> 'security_group_ids') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'vpc_options' ->> 'security_group_ids') is not null then ' default security group not set'\n else ' default security group set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_opensearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/opensearch.pp","startLineNumber":2,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.opensearch_domain_use_default_security_group","org":"turbot","name":"opensearch_domain_use_default_security_group","mod":"Terraform AWS Compliance","title":"OpenSearch domain should not use the default security group","description":"This control checks whether OpenSearch domains are configured to use the default security group. This control fails if the OpenSearch domain uses the default security group.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/OpenSearch"}}],"controlTitle":"OpenSearch domain should not use the default security group","controlDescription":"This control checks whether OpenSearch domains are configured to use the default security group. This control fails if the OpenSearch domain uses the default security group.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/OpenSearch"}}},"neptune":{"neptune_cluster_iam_authentication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_cluster_iam_authentication_enabled","org":"turbot","name":"neptune_cluster_iam_authentication_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'iam_database_authentication_enabled') is null then 'alarm'\n when (attributes_std -> 'iam_database_authentication_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'iam_database_authentication_enabled') is null then ' IAM database authentication disabled'\n when (attributes_std -> 'iam_database_authentication_enabled')::bool then ' IAM database authentication enabled'\n else ' ''iam_database_authentication_enabled'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":172,"endLineNumber":193,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_cluster_iam_authentication_enabled","org":"turbot","name":"neptune_cluster_iam_authentication_enabled","mod":"Terraform AWS Compliance","title":"Neptune clusters should have IAM authentication enabled","description":"Checks if an Neptune cluster has AWS Identity and Access Management (IAM) authentication enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune clusters should have IAM authentication enabled","controlDescription":"Checks if an Neptune cluster has AWS Identity and Access Management (IAM) authentication enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}},"neptune_snapshot_storage_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_snapshot_storage_encryption_enabled","org":"turbot","name":"neptune_snapshot_storage_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'storage_encrypted')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'storage_encrypted')::boolean then ' encrypted at rest'\n else ' not encrypted at rest'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster_snapshot';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_snapshot_storage_encryption_enabled","org":"turbot","name":"neptune_snapshot_storage_encryption_enabled","mod":"Terraform AWS Compliance","title":"Neptune snapshot storage encryption should be enabled","description":"This control checks whether Neptune snapshot storage encryption is enabled. These snapshots contain sensitive data and should be encrypted at rest.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune snapshot storage encryption should be enabled","controlDescription":"This control checks whether Neptune snapshot storage encryption is enabled. These snapshots contain sensitive data and should be encrypted at rest.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}},"neptune_cluster_copy_tags_to_snapshot_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_cluster_copy_tags_to_snapshot_enabled","org":"turbot","name":"neptune_cluster_copy_tags_to_snapshot_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'copy_tags_to_snapshot') is null then 'alarm'\n when (attributes_std -> 'copy_tags_to_snapshot')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'copy_tags_to_snapshot') is null then ' ''copy_tags_to_snapshot'' not set'\n when (attributes_std -> 'copy_tags_to_snapshot')::bool then ' ''copy_tags_to_snapshot'' enabled'\n else ' ''copy_tags_to_snapshot'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":149,"endLineNumber":170,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_cluster_copy_tags_to_snapshot_enabled","org":"turbot","name":"neptune_cluster_copy_tags_to_snapshot_enabled","mod":"Terraform AWS Compliance","title":"Neptune clusters should be configured to copy tags to snapshots","description":"This control checks whether Neptune clusters are configured to copy all tags to snapshots when the snapshots are created.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune clusters should be configured to copy tags to snapshots","controlDescription":"This control checks whether Neptune clusters are configured to copy all tags to snapshots when the snapshots are created.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}},"neptune_cluster_backup_retention_period_7":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_cluster_backup_retention_period_7","org":"turbot","name":"neptune_cluster_backup_retention_period_7","sql":"select\n address as resource,\n case\n when (attributes_std -> 'backup_retention_period') is null then 'alarm'\n when ((attributes_std ->> 'backup_retention_period'))::int >= 7 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'backup_retention_period') is null then ' backup retention not set'\n else ' backup retention set to ' || (attributes_std ->> 'backup_retention_period')\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":127,"endLineNumber":147,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_cluster_backup_retention_period_7","org":"turbot","name":"neptune_cluster_backup_retention_period_7","mod":"Terraform AWS Compliance","title":"Neptune cluster backup retention period should be at least 7 days","description":"This control checks whether Neptune cluster backup retention is set to 7 or greater than 7.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune cluster backup retention period should be at least 7 days","controlDescription":"This control checks whether Neptune cluster backup retention is set to 7 or greater than 7.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}},"neptune_cluster_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_cluster_encryption_at_rest_enabled","org":"turbot","name":"neptune_cluster_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'storage_encrypted')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'storage_encrypted')::boolean then ' encrypted at rest'\n else ' not encrypted at rest'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_cluster_encryption_at_rest_enabled","org":"turbot","name":"neptune_cluster_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"Neptune cluster encryption at rest should be enabled","description":"Ensure Neptune clusters being created are set to be encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune cluster encryption at rest should be enabled","controlDescription":"Ensure Neptune clusters being created are set to be encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}},"neptune_cluster_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_cluster_logging_enabled","org":"turbot","name":"neptune_cluster_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enable_cloudwatch_logs_exports') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enable_cloudwatch_logs_exports') is null then ' logging not enabled'\n else ' logging enabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_cluster_logging_enabled","org":"turbot","name":"neptune_cluster_logging_enabled","mod":"Terraform AWS Compliance","title":"Neptune logging should be enabled","description":"Ensure Neptune logging is enabled. These access logs can be used to analyze traffic patterns and troubleshoot security and operational issues.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune logging should be enabled","controlDescription":"Ensure Neptune logging is enabled. These access logs can be used to analyze traffic patterns and troubleshoot security and operational issues.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}},"neptune_cluster_instance_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_cluster_instance_publicly_accessible","org":"turbot","name":"neptune_cluster_instance_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'publicly_accessible')::boolean then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'publicly_accessible')::boolean then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_cluster_instance_publicly_accessible","org":"turbot","name":"neptune_cluster_instance_publicly_accessible","mod":"Terraform AWS Compliance","title":"Neptune cluster instance should not be publicly accessible","description":"This control checks whether Neptune cluster instances are not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune cluster instance should not be publicly accessible","controlDescription":"This control checks whether Neptune cluster instances are not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}},"neptune_cluster_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_cluster_encrypted_with_kms_cmk","org":"turbot","name":"neptune_cluster_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_arn') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_arn') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_cluster_encrypted_with_kms_cmk","org":"turbot","name":"neptune_cluster_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Neptune cluster should be encrypted with KMS CMK","description":"This control checks whether Neptune clusters are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune cluster should be encrypted with KMS CMK","controlDescription":"This control checks whether Neptune clusters are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}},"neptune_snapshot_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_snapshot_encrypted_with_kms_cmk","org":"turbot","name":"neptune_snapshot_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster_snapshot';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":106,"endLineNumber":125,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_snapshot_encrypted_with_kms_cmk","org":"turbot","name":"neptune_snapshot_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Neptune snapshot should be encrypted with KMS CMK","description":"This control checks whether Neptune snapshots are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune snapshot should be encrypted with KMS CMK","controlDescription":"This control checks whether Neptune snapshots are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}},"elasticsearch":{"es_domain_logs_to_cloudwatch":"$38","es_domain_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_encryption_at_rest_enabled","org":"turbot","name":"es_domain_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encrypt_at_rest' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encrypt_at_rest' ->> 'enabled')::boolean then ' encryption at rest enabled'\n else ' encryption at rest disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":92,"endLineNumber":111,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_encryption_at_rest_enabled","org":"turbot","name":"es_domain_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"ES domain encryption at rest should be enabled","description":"Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elasticsearch Service (Amazon ES) domains.","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Elasticsearch"}}],"controlTitle":"ES domain encryption at rest should be enabled","controlDescription":"Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elasticsearch Service (Amazon ES) domains.","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Elasticsearch"}},"es_domain_encrypted_using_tls_1_2":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_encrypted_using_tls_1_2","org":"turbot","name":"es_domain_encrypted_using_tls_1_2","sql":"select\n address as resource,\n case\n when (attributes_std -> 'domain_endpoint_options' ->> 'tls_security_policy') = 'Policy-Min-TLS-1-2-2019-07' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'domain_endpoint_options' ->> 'tls_security_policy') = 'Policy-Min-TLS-1-2-2019-07' then ' encrypted using TLS 1.2'\n else ' not encrypted using TLS 1.2'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":71,"endLineNumber":90,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_encrypted_using_tls_1_2","org":"turbot","name":"es_domain_encrypted_using_tls_1_2","mod":"Terraform AWS Compliance","title":"Connections to Elasticsearch domains should be encrypted using TLS 1.2","description":"This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"Connections to Elasticsearch domains should be encrypted using TLS 1.2","controlDescription":"This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"es_domain_node_to_node_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_node_to_node_encryption_enabled","org":"turbot","name":"es_domain_node_to_node_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'node_to_node_encryption' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'node_to_node_encryption' ->> 'enabled')::boolean then ' node-to-node encryption enabled'\n else ' node-to-node encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":184,"endLineNumber":203,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_node_to_node_encryption_enabled","org":"turbot","name":"es_domain_node_to_node_encryption_enabled","mod":"Terraform AWS Compliance","title":"Elasticsearch domain node-to-node encryption should be enabled","description":"Ensure node-to-node encryption for Amazon Elasticsearch Service is enabled. Node-to-node encryption enables TLS 1.2 encryption for all communications within the Amazon Virtual Private Cloud (Amazon VPC).","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Elasticsearch"}}],"controlTitle":"Elasticsearch domain node-to-node encryption should be enabled","controlDescription":"Ensure node-to-node encryption for Amazon Elasticsearch Service is enabled. Node-to-node encryption enables TLS 1.2 encryption for all communications within the Amazon Virtual Private Cloud (Amazon VPC).","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Elasticsearch"}},"es_domain_error_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_error_logging_enabled","org":"turbot","name":"es_domain_error_logging_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'log_publishing_options' ->> 'cloudwatch_log_group_arn') is not null\n and (attributes_std -> 'log_publishing_options' ->> 'log_type')::text = 'ES_APPLICATION_LOGS') or\n (attributes_std -> 'log_publishing_options') @> '[{\"log_type\": \"ES_APPLICATION_LOGS\"}]' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'log_publishing_options' ->> 'cloudwatch_log_group_arn') is not null\n and (attributes_std -> 'log_publishing_options' ->> 'log_type')::text = 'ES_APPLICATION_LOGS') or (attributes_std -> 'log_publishing_options') @> '[{\"log_type\": \"ES_APPLICATION_LOGS\"}]' then ' error logging enabled'\n else ' error logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":113,"endLineNumber":135,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_error_logging_enabled","org":"turbot","name":"es_domain_error_logging_enabled","mod":"Terraform AWS Compliance","title":"Elasticsearch domain error logging to CloudWatch Logs should be enabled","description":"This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"Elasticsearch domain error logging to CloudWatch Logs should be enabled","controlDescription":"This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"es_domain_in_vpc":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_in_vpc","org":"turbot","name":"es_domain_in_vpc","sql":"select\n address as resource,\n case\n when (attributes_std -> 'vpc_options' -> 'subnet_ids') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'vpc_options' -> 'subnet_ids') is not null then ' in VPC'\n else ' not in VPC'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":137,"endLineNumber":156,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_in_vpc","org":"turbot","name":"es_domain_in_vpc","mod":"Terraform AWS Compliance","title":"Amazon Elasticsearch Service domains should be in a VPC","description":"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access. You should ensure that Amazon Elasticsearch domains are not attached to public subnets.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Elasticsearch"}}],"controlTitle":"Amazon Elasticsearch Service domains should be in a VPC","controlDescription":"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access. You should ensure that Amazon Elasticsearch domains are not attached to public subnets.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Elasticsearch"}},"es_domain_enforce_https":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_enforce_https","org":"turbot","name":"es_domain_enforce_https","sql":"select\n address as resource,\n case\n when (attributes_std -> 'domain_endpoint_options' ->> 'enforce_https')::boolean or (attributes_std -> 'domain_endpoint_options') is null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'domain_endpoint_options' ->> 'enforce_https')::boolean or (attributes_std -> 'domain_endpoint_options') is null then ' enforces HTTPS'\n else ' does not enforces HTTPS'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":226,"endLineNumber":245,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_enforce_https","org":"turbot","name":"es_domain_enforce_https","mod":"Terraform AWS Compliance","title":"Elasticsearch domain should enforces HTTPS","description":"This control checks whether Elasticsearch domains are configured to enforces HTTPS. This control fails if the Elasticsearch domain does not enforces HTTPS.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"Elasticsearch domain should enforces HTTPS","controlDescription":"This control checks whether Elasticsearch domains are configured to enforces HTTPS. This control fails if the Elasticsearch domain does not enforces HTTPS.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"es_domain_use_default_security_group":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_use_default_security_group","org":"turbot","name":"es_domain_use_default_security_group","sql":"select\n address as resource,\n case\n when (attributes_std -> 'vpc_options' ->> 'security_group_ids') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'vpc_options' ->> 'security_group_ids') is not null then ' default security group not set'\n else ' default security group set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":205,"endLineNumber":224,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_use_default_security_group","org":"turbot","name":"es_domain_use_default_security_group","mod":"Terraform AWS Compliance","title":"Elasticsearch domain should not use the default security group","description":"This control checks whether Elasticsearch domains are configured to use the default security group. This control fails if the Elasticsearch domain uses the default security group.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"Elasticsearch domain should not use the default security group","controlDescription":"This control checks whether Elasticsearch domains are configured to use the default security group. This control fails if the Elasticsearch domain uses the default security group.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"es_domain_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_encrypted_with_kms_cmk","org":"turbot","name":"es_domain_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encrypt_at_rest' -> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encrypt_at_rest' -> 'kms_key_id') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":247,"endLineNumber":266,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_encrypted_with_kms_cmk","org":"turbot","name":"es_domain_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Elasticsearch domain should be encrypted with KMS CMK","description":"This control checks whether Elasticsearch domains are configured to use KMS CMK for encryption at rest. This control fails if the Elasticsearch domain does not use KMS CMK for encryption at rest.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"Elasticsearch domain should be encrypted with KMS CMK","controlDescription":"This control checks whether Elasticsearch domains are configured to use KMS CMK for encryption at rest. This control fails if the Elasticsearch domain does not use KMS CMK for encryption at rest.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"es_domain_dedicated_master_nodes_min_3":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_dedicated_master_nodes_min_3","org":"turbot","name":"es_domain_dedicated_master_nodes_min_3","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cluster_config' -> 'dedicated_master_enabled')::bool = false then 'alarm'\n when (attributes_std -> 'cluster_config' -> 'dedicated_master_enabled')::bool and (attributes_std -> 'cluster_config' ->> 'instance_count')::int >= 3 then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cluster_config' -> 'dedicated_master_enabled')::bool = false then ' dedicated master nodes disabled'\n else ' has ' || (attributes_std -> 'cluster_config' ->> 'instance_count') || ' data node(s)'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":49,"endLineNumber":69,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_dedicated_master_nodes_min_3","org":"turbot","name":"es_domain_dedicated_master_nodes_min_3","mod":"Terraform AWS Compliance","title":"Elasticsearch domains should be configured with at least three dedicated master nodes","description":"This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in additional cost.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"Elasticsearch domains should be configured with at least three dedicated master nodes","controlDescription":"This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in additional cost.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"es_domain_audit_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_audit_logging_enabled","org":"turbot","name":"es_domain_audit_logging_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'log_publishing_options' ->> 'cloudwatch_log_group_arn') is not null\n and (attributes_std -> 'log_publishing_options' ->> 'log_type')::text = 'AUDIT_LOGS')\n or\n ((attributes_std -> 'log_publishing_options') @> '[{\"log_type\": \"AUDIT_LOGS\"}]') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'log_publishing_options' ->> 'cloudwatch_log_group_arn') is not null and (attributes_std -> 'log_publishing_options' ->> 'log_type')::text = 'AUDIT_LOGS')\n or\n ((attributes_std -> 'log_publishing_options') @> '[{\"log_type\": \"AUDIT_LOGS\"}]') then ' audit logging enabled'\n else ' audit logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":1,"endLineNumber":25,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_audit_logging_enabled","org":"turbot","name":"es_domain_audit_logging_enabled","mod":"Terraform AWS Compliance","title":"Elasticsearch domains should have audit logging enabled","description":"This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"Elasticsearch domains should have audit logging enabled","controlDescription":"This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"es_domain_data_nodes_min_3":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_data_nodes_min_3","org":"turbot","name":"es_domain_data_nodes_min_3","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cluster_config' -> 'zone_awareness_enabled')::bool = false then 'alarm'\n when (attributes_std -> 'cluster_config' -> 'zone_awareness_enabled')::bool and (attributes_std -> 'cluster_config' ->> 'instance_count')::int >= 3 then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cluster_config' -> 'zone_awareness_enabled')::bool = false then ' zone awareness disabled'\n else ' has ' || (attributes_std -> 'cluster_config' ->> 'instance_count') || ' data node(s)'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":27,"endLineNumber":47,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_data_nodes_min_3","org":"turbot","name":"es_domain_data_nodes_min_3","mod":"Terraform AWS Compliance","title":"Elasticsearch domains should have at least three data nodes","description":"This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is set to true.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"Elasticsearch domains should have at least three data nodes","controlDescription":"This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is set to true.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"opensearch_domain_enforce_https":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/opensearch_domain_enforce_https","org":"turbot","name":"opensearch_domain_enforce_https","sql":"select\n address as resource,\n case\n when (attributes_std -> 'domain_endpoint_options' ->> 'enforce_https')::boolean is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'domain_endpoint_options' ->> 'enforce_https')::boolean then ' enforces HTTPS'\n else ' does not enforce HTTPS'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_opensearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/opensearch.pp","startLineNumber":23,"endLineNumber":42,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.opensearch_domain_enforce_https","org":"turbot","name":"opensearch_domain_enforce_https","mod":"Terraform AWS Compliance","title":"OpenSearch domain should enforces HTTPS","description":"This control checks whether OpenSearch domains are configured to enforces HTTPS. This control fails if the OpenSearch domain does not enforces HTTPS.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"OpenSearch domain should enforces HTTPS","controlDescription":"This control checks whether OpenSearch domains are configured to enforces HTTPS. This control fails if the OpenSearch domain does not enforces HTTPS.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"opensearch_domain_encrpted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/opensearch_domain_encrpted_with_kms_cmk","org":"turbot","name":"opensearch_domain_encrpted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encrypt_at_rest' ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encrypt_at_rest' ->> 'kms_key_id') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_opensearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/opensearch.pp","startLineNumber":44,"endLineNumber":63,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.opensearch_domain_encrpted_with_kms_cmk","org":"turbot","name":"opensearch_domain_encrpted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"OpenSearch domain should be encrypted with KMS CMK","description":"This control checks whether OpenSearch domains are configured to use KMS CMK for encryption at rest. This control fails if the OpenSearch domain does not use KMS CMK for encryption at rest.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"OpenSearch domain should be encrypted with KMS CMK","controlDescription":"This control checks whether OpenSearch domains are configured to use KMS CMK for encryption at rest. This control fails if the OpenSearch domain does not use KMS CMK for encryption at rest.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}},"qldb":{"qldb_ledger_permission_mode_set_to_standard":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/qldb_ledger_permission_mode_set_to_standard","org":"turbot","name":"qldb_ledger_permission_mode_set_to_standard","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'permissions_mode') = 'STANDARD' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'permissions_mode') = 'STANDARD' then ' permission mode set to \"STANDARD\"'\n else ' permission mode set to \"ALLOW_ALL\"'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_qldb_ledger';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/qldb.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.qldb_ledger_permission_mode_set_to_standard","org":"turbot","name":"qldb_ledger_permission_mode_set_to_standard","mod":"Terraform AWS Compliance","title":"QLDB ledger permission mode should be set to 'STANDARD'","description":"This control checks whether permission mode is set to 'STANDARD' for QLDB ledger.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/QLDB"}}],"controlTitle":"QLDB ledger permission mode should be set to 'STANDARD'","controlDescription":"This control checks whether permission mode is set to 'STANDARD' for QLDB ledger.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/QLDB"}},"qldb_ledger_deletion_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/qldb_ledger_deletion_protection_enabled","org":"turbot","name":"qldb_ledger_deletion_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'deletion_protection') is null or (attributes_std ->> 'deletion_protection')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'deletion_protection') is null or (attributes_std ->> 'deletion_protection')::bool then ' deletion protection enabled'\n else ' deletion protection disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_qldb_ledger';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/qldb.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.qldb_ledger_deletion_protection_enabled","org":"turbot","name":"qldb_ledger_deletion_protection_enabled","mod":"Terraform AWS Compliance","title":"QLDB ledger should have deletion protection enabled","description":"This control checks whether deletion protection is enabled for QLDB ledger.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/QLDB"}}],"controlTitle":"QLDB ledger should have deletion protection enabled","controlDescription":"This control checks whether deletion protection is enabled for QLDB ledger.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/QLDB"}}},"keyspaces":{"keyspaces_table_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/keyspaces_table_encrypted_with_kms_cmk","org":"turbot","name":"keyspaces_table_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_specification' -> 'kms_key_identifier') is not null and (attributes_std -> 'encryption_specification' ->> 'type') = 'CUSTOMER_MANAGED_KMS_KEY' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_specification' -> 'kms_key_id') is not null and (attributes_std -> 'encryption_specification' ->> 'type') = 'CUSTOMER_MANAGED_KMS_KEY' then ' uses KMS CMK'\n else ' does not use KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_keyspaces_table';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyspace.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.keyspaces_table_encrypted_with_kms_cmk","org":"turbot","name":"keyspaces_table_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Keyspaces tables should be encrypted with KMS CMK","description":"This control checks whether Keyspaces tables are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Keyspaces"}}],"controlTitle":"Keyspaces tables should be encrypted with KMS CMK","controlDescription":"This control checks whether Keyspaces tables are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Keyspaces"}}},"kms":{"kms_cmk_rotation_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/kms_cmk_rotation_enabled","org":"turbot","name":"kms_cmk_rotation_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enable_key_rotation') is null then 'alarm'\n when (attributes_std -> 'enable_key_rotation')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enable_key_rotation') is null then ' key rotation disabled'\n when (attributes_std -> 'enable_key_rotation')::boolean then ' key rotation enabled'\n else ' key rotation disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_kms_key';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kms.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.kms_cmk_rotation_enabled","org":"turbot","name":"kms_cmk_rotation_enabled","mod":"Terraform AWS Compliance","title":"KMS CMK rotation should be enabled","description":"Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period.","tags":{"category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/KMS"}}],"controlTitle":"KMS CMK rotation should be enabled","controlDescription":"Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period.","controlTags":{"category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/KMS"}},"kms_key_rotated_within_90_day":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kms_key_rotated_within_90_day","org":"turbot","name":"kms_key_rotated_within_90_day","sql":"select\n address as resource,\n case\n when coalesce((attributes_std ->> 'rotation_period'), '') = '' then 'alarm'\n when split_part(coalesce((attributes_std ->> 'rotation_period'), ''), 's', 1) :: int <= 7776000 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce((attributes_std ->> 'rotation_period'), '') = '' then ' requires manual rotation'\n else ' rotation period set for ' || (split_part((attributes_std ->> 'rotation_period'), 's', 1) :: int)/86400 || ' day(s)'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_kms_crypto_key';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kms.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kms_key_rotated_within_90_day","org":"turbot","name":"kms_key_rotated_within_90_day","mod":"Terraform GCP Compliance","title":"Ensure KMS encryption keys are rotated within a period of 90 days","description":"Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management. The format for the rotation schedule depends on the client library that is used. For the gcloud command-line tool, the next rotation time must be in ISO or RFC3339 format, and the rotation period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).","tags":{"category":"Compliance","cis":"true","cis_item_id":"1.10","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/KMS"}}],"controlTitle":"Ensure KMS encryption keys are rotated within a period of 90 days","controlDescription":"Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management. The format for the rotation schedule depends on the client library that is used. For the gcloud command-line tool, the next rotation time must be in ISO or RFC3339 format, and the rotation period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"1.10","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/KMS"}},"kms_key_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kms_key_not_publicly_accessible","org":"turbot","name":"kms_key_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_kms_crypto_key_iam_policy', 'google_kms_crypto_key_iam_binding', 'google_kms_crypto_key_iam_member');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kms.pp","startLineNumber":63,"endLineNumber":82,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kms_key_not_publicly_accessible","org":"turbot","name":"kms_key_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"KMS keys should not be publicly accessible","description":"This control checks whether the KMS keys are publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/KMS"}}],"controlTitle":"KMS keys should not be publicly accessible","controlDescription":"This control checks whether the KMS keys are publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/KMS"}},"kms_key_rotated_within_100_day":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kms_key_rotated_within_100_day","org":"turbot","name":"kms_key_rotated_within_100_day","sql":"select\n address as resource,\n case\n when coalesce((attributes_std ->> 'rotation_period'), '') = '' then 'alarm'\n when split_part((attributes_std ->> 'rotation_period'), 's', 1) :: int <= 8640000 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce((attributes_std ->> 'rotation_period'), '') = '' then ' requires manual rotation'\n else ' rotation period set for ' || (split_part((attributes_std ->> 'rotation_period'), 's', 1) :: int)/86400 || ' day(s)'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_kms_crypto_key';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kms.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kms_key_rotated_within_100_day","org":"turbot","name":"kms_key_rotated_within_100_day","mod":"Terraform GCP Compliance","title":"Check that CMEK rotation policy is in place and is sufficiently short","description":"Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management. The format for the rotation schedule depends on the client library that is used.","tags":{"category":"Compliance","forseti_security_v226":"true","plugin":"terraform","service":"GCP/KMS"}}],"controlTitle":"Check that CMEK rotation policy is in place and is sufficiently short","controlDescription":"Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management. The format for the rotation schedule depends on the client library that is used.","controlTags":{"category":"Compliance","forseti_security_v226":"true","plugin":"terraform","service":"GCP/KMS"}},"kms_key_prevent_destroy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kms_key_prevent_destroy_enabled","org":"turbot","name":"kms_key_prevent_destroy_enabled","sql":"select\n address as resource,\n case\n when (lifecycle ->> 'prevent_destroy')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (lifecycle ->> 'prevent_destroy')::bool then ' prevent destroy enabled'\n else ' prevent destroy disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_kms_crypto_key';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kms.pp","startLineNumber":43,"endLineNumber":61,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kms_key_prevent_destroy_enabled","org":"turbot","name":"kms_key_prevent_destroy_enabled","mod":"Terraform GCP Compliance","title":"KMS Crypto keys should have prevent destroy enabled","description":"CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed CryptoKey will remove it from state and delete all CryptoKeyVersions, rendering the key unusable, but will not delete the resource from the project. When Terraform destroys these keys, any data previously encrypted with these keys will be irrecoverable. For this reason, it is strongly recommended that you add lifecycle hooks to the resource to prevent accidental destruction.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/KMS"}}],"controlTitle":"KMS Crypto keys should have prevent destroy enabled","controlDescription":"CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed CryptoKey will remove it from state and delete all CryptoKeyVersions, rendering the key unusable, but will not delete the resource from the project. When Terraform destroys these keys, any data previously encrypted with these keys will be irrecoverable. For this reason, it is strongly recommended that you add lifecycle hooks to the resource to prevent accidental destruction.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/KMS"}}},"kendra":{"kendra_index_server_side_encryption_uses_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/kendra_index_server_side_encryption_uses_kms_cmk","org":"turbot","name":"kendra_index_server_side_encryption_uses_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'server_side_encryption_configuration' ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'server_side_encryption_configuration' ->> 'kms_key_id') is not null then ' uses KMS CMK'\n else ' does not use KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_kendra_index';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kendra.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.kendra_index_server_side_encryption_uses_kms_cmk","org":"turbot","name":"kendra_index_server_side_encryption_uses_kms_cmk","mod":"Terraform AWS Compliance","title":"Kendra indexes should use KMS CMKs for server-side encryption","description":"This control checks whether Kendra indexes are using KMS CMKs for server-side encryption.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kendra"}}],"controlTitle":"Kendra indexes should use KMS CMKs for server-side encryption","controlDescription":"This control checks whether Kendra indexes are using KMS CMKs for server-side encryption.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kendra"}}},"guard_duty":{"guardduty_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/guardduty_enabled","org":"turbot","name":"guardduty_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enable') is null then 'ok'\n when (attributes_std -> 'enable')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enable') is null then ' guardduty enabled'\n when (attributes_std -> 'enable')::bool then ' guardduty enabled'\n else ' guardduty disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_guardduty_detector';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/guardduty.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.guardduty_enabled","org":"turbot","name":"guardduty_enabled","mod":"Terraform AWS Compliance","title":"GuardDuty should be enabled","description":"Amazon GuardDuty can help to monitor and detect potential cybersecurity events by using threat intelligence feeds.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","service":"AWS/GuardDuty","soc_2":"true"}}],"controlTitle":"GuardDuty should be enabled","controlDescription":"Amazon GuardDuty can help to monitor and detect potential cybersecurity events by using threat intelligence feeds.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","service":"AWS/GuardDuty","soc_2":"true"}}},"global_accelerator":{"globalaccelerator_flow_logs_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/globalaccelerator_flow_logs_enabled","org":"turbot","name":"globalaccelerator_flow_logs_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'attributes') is null then 'alarm'\n when (attributes_std -> 'attributes' -> 'flow_logs_enabled') is null then 'alram'\n when (attributes_std -> 'attributes' -> 'flow_logs_enabled')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'attributes') is null then ' flow log disabled'\n when (attributes_std -> 'attributes' -> 'flow_logs_enabled') is null then ' flow log disabled'\n when (attributes_std -> 'attributes' -> 'flow_logs_enabled')::bool then ' flow log enabled'\n else ' flow log disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_globalaccelerator_accelerator';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/globalaccelerator.pp","startLineNumber":1,"endLineNumber":24,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.globalaccelerator_flow_logs_enabled","org":"turbot","name":"globalaccelerator_flow_logs_enabled","mod":"Terraform AWS Compliance","title":"Global Accelerator flow logs should be enabled","description":"Ensure Global Accelerator accelerator has flow logs enabled","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/GlobalAccelerator"}}],"controlTitle":"Global Accelerator flow logs should be enabled","controlDescription":"Ensure Global Accelerator accelerator has flow logs enabled","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/GlobalAccelerator"}}},"event_bridge":{"eventbridge_scheduler_schedule_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/eventbridge_scheduler_schedule_encrypted_with_kms_cmk","org":"turbot","name":"eventbridge_scheduler_schedule_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_arn') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_arn') is null then ' is not encrypted with KMS CMK'\n else ' is encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_scheduler_schedule';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventbridge.pp","startLineNumber":2,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.eventbridge_scheduler_schedule_encrypted_with_kms_cmk","org":"turbot","name":"eventbridge_scheduler_schedule_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"EventBridge Scheduler Schedule should be encrypted with KMS CMK","description":"This control checks whether EventBridge Scheduler Schedule is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EventBridge"}}],"controlTitle":"EventBridge Scheduler Schedule should be encrypted with KMS CMK","controlDescription":"This control checks whether EventBridge Scheduler Schedule is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EventBridge"}}},"glacier":{"glacier_vault_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/glacier_vault_restrict_public_access","org":"turbot","name":"glacier_vault_restrict_public_access","sql":"$41","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/glacier.pp","startLineNumber":1,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.glacier_vault_restrict_public_access","org":"turbot","name":"glacier_vault_restrict_public_access","mod":"Terraform AWS Compliance","title":"Glacier vault should restrict public access","description":"Manage access to resources in the AWS Cloud by ensuring Glacier vault cannot be publicly accessed.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glacier"}}],"controlTitle":"Glacier vault should restrict public access","controlDescription":"Manage access to resources in the AWS Cloud by ensuring Glacier vault cannot be publicly accessed.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glacier"}}},"emr":{"emr_cluster_security_configuration_encryption_uses_sse_kms":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/emr_cluster_security_configuration_encryption_uses_sse_kms","org":"turbot","name":"emr_cluster_security_configuration_encryption_uses_sse_kms","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' ->> 'EnableAtRestEncryption')::bool and ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' -> 'AtRestEncryptionConfiguration' -> 'S3EncryptionConfiguration' ->> 'EncryptionMode') = 'SSE-KMS' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' ->> 'EnableAtRestEncryption')::bool and ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' -> 'AtRestEncryptionConfiguration' -> 'S3EncryptionConfiguration' ->> 'EncryptionMode') = 'SSE-KMS' then ' encryption uses SSE-KMS'\n else ' encryption does not use SSE-KMS'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_emr_security_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/emr.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.emr_cluster_security_configuration_encryption_uses_sse_kms","org":"turbot","name":"emr_cluster_security_configuration_encryption_uses_sse_kms","mod":"Terraform AWS Compliance","title":"EMR cluster security configurations should use SSE-KMS","description":"This control checks whether EMR cluster security configurations use SSE-KMS.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EMR"}}],"controlTitle":"EMR cluster security configurations should use SSE-KMS","controlDescription":"This control checks whether EMR cluster security configurations use SSE-KMS.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EMR"}},"emr_cluster_security_configuration_encryption_in_transit_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/emr_cluster_security_configuration_encryption_in_transit_enabled","org":"turbot","name":"emr_cluster_security_configuration_encryption_in_transit_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' ->> 'EnableInTransitEncryption')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' ->> 'EnableInTransitEncryption')::bool then ' encryption in transit enabled'\n else ' encryption in transit disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_emr_security_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/emr.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.emr_cluster_security_configuration_encryption_in_transit_enabled","org":"turbot","name":"emr_cluster_security_configuration_encryption_in_transit_enabled","mod":"Terraform AWS Compliance","title":"EMR cluster security configurations should have encryption in transit enabled","description":"This control checks whether EMR cluster security configurations are encrypted in transit.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EMR"}}],"controlTitle":"EMR cluster security configurations should have encryption in transit enabled","controlDescription":"This control checks whether EMR cluster security configurations are encrypted in transit.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EMR"}},"emr_cluster_security_configuration_local_disk_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/emr_cluster_security_configuration_local_disk_encryption_enabled","org":"turbot","name":"emr_cluster_security_configuration_local_disk_encryption_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' ->> 'EnableAtRestEncryption')::bool and ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' -> 'AtRestEncryptionConfiguration' ->> 'LocalDiskEncryptionConfiguration') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' ->> 'EnableAtRestEncryption')::bool and ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' -> 'AtRestEncryptionConfiguration' ->> 'LocalDiskEncryptionConfiguration') is not null then ' local disk encryption enabled'\n else ' local disk encryption disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_emr_security_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/emr.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.emr_cluster_security_configuration_local_disk_encryption_enabled","org":"turbot","name":"emr_cluster_security_configuration_local_disk_encryption_enabled","mod":"Terraform AWS Compliance","title":"EMR cluster security configurations should have local disk encryption enabled","description":"This control checks whether EMR cluster security configurations have local disk encryption enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EMR"}}],"controlTitle":"EMR cluster security configurations should have local disk encryption enabled","controlDescription":"This control checks whether EMR cluster security configurations have local disk encryption enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EMR"}},"emr_cluster_security_configuration_ebs_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/emr_cluster_security_configuration_ebs_encryption_enabled","org":"turbot","name":"emr_cluster_security_configuration_ebs_encryption_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' ->> 'EnableAtRestEncryption')::bool and ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration' ->> 'EnableEbsEncryption')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' ->> 'EnableAtRestEncryption')::bool and ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration' ->> 'EnableEbsEncryption')::bool then ' EBS encryption enabled'\n else ' EBS encryption disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_emr_security_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/emr.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.emr_cluster_security_configuration_ebs_encryption_enabled","org":"turbot","name":"emr_cluster_security_configuration_ebs_encryption_enabled","mod":"Terraform AWS Compliance","title":"EMR cluster security configurations should have EBS encryption enabled","description":"This control checks whether EMR cluster security configurations have EBS encryption enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EMR"}}],"controlTitle":"EMR cluster security configurations should have EBS encryption enabled","controlDescription":"This control checks whether EMR cluster security configurations have EBS encryption enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EMR"}},"emr_cluster_kerberos_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/emr_cluster_kerberos_enabled","org":"turbot","name":"emr_cluster_kerberos_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kerberos_attributes') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kerberos_attributes') is null then ' kerberos disabled'\n else ' kerberos enabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_emr_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/emr.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.emr_cluster_kerberos_enabled","org":"turbot","name":"emr_cluster_kerberos_enabled","mod":"Terraform AWS Compliance","title":"EMR cluster Kerberos should be enabled","description":"The access permissions and authorizations can be managed and incorporated with the principles of least privilege and separation of duties, by enabling Kerberos for Amazon EMR clusters.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/EMR"}}],"controlTitle":"EMR cluster Kerberos should be enabled","controlDescription":"The access permissions and authorizations can be managed and incorporated with the principles of least privilege and separation of duties, by enabling Kerberos for Amazon EMR clusters.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/EMR"}}},"elb":{"elb_classic_lb_use_desync_mitigation_mode":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_classic_lb_use_desync_mitigation_mode","org":"turbot","name":"elb_classic_lb_use_desync_mitigation_mode","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'desync_mitigation_mode') like any (array ['defensive', 'strictest']) then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'desync_mitigation_mode') like any (array ['defensive', 'strictest']) then ' configured with ' || (attributes_std ->> 'desync_mitigation_mode') || ' mitigation mode'\n else ' not configured with defensive or strictest desync mitigation mode'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elb';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":210,"endLineNumber":229,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_classic_lb_use_desync_mitigation_mode","org":"turbot","name":"elb_classic_lb_use_desync_mitigation_mode","mod":"Terraform AWS Compliance","title":"ELB classic load balancers should have defensive or strictest desync mitigation mode configured","description":"Ensure that your classic load balancers (ELBs) are configured with defensive or strictest desync mitigation mode.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"ELB classic load balancers should have defensive or strictest desync mitigation mode configured","controlDescription":"Ensure that your classic load balancers (ELBs) are configured with defensive or strictest desync mitigation mode.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}},"elb_lb_use_secure_protocol_listener":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_lb_use_secure_protocol_listener","org":"turbot","name":"elb_lb_use_secure_protocol_listener","sql":"$42","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":259,"endLineNumber":280,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_lb_use_secure_protocol_listener","org":"turbot","name":"elb_lb_use_secure_protocol_listener","mod":"Terraform AWS Compliance","title":"ELB load balancer listeners should use a secure protocol","description":"Ensure that your load balancer listeners are configured with a secure protocol including redirections.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"ELB load balancer listeners should use a secure protocol","controlDescription":"Ensure that your load balancer listeners are configured with a secure protocol including redirections.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}},"elb_classic_lb_use_ssl_certificate":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_classic_lb_use_ssl_certificate","org":"turbot","name":"elb_classic_lb_use_ssl_certificate","sql":"$43","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":143,"endLineNumber":166,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_classic_lb_use_ssl_certificate","org":"turbot","name":"elb_classic_lb_use_ssl_certificate","mod":"Terraform AWS Compliance","title":"ELB classic load balancers should use SSL certificates","description":"Because sensitive data can exist and to help protect data at transit, ensure encryption is enabled for your Elastic Load Balancing.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB"}}],"controlTitle":"ELB classic load balancers should use SSL certificates","controlDescription":"Because sensitive data can exist and to help protect data at transit, ensure encryption is enabled for your Elastic Load Balancing.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB"}},"elb_classic_lb_use_tls_https_listeners":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_classic_lb_use_tls_https_listeners","org":"turbot","name":"elb_classic_lb_use_tls_https_listeners","sql":"select\n address as resource,\n case\n when (attributes_std -> 'listener' ->> 'lb_protocol') like any (array ['HTTPS', 'TLS']) then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'listener' ->> 'lb_protocol') like any (array ['HTTPS', 'TLS']) then ' configured with ' || (attributes_std -> 'listener' ->> 'lb_protocol') || ' protocol'\n else ' not configured with HTTPS or TLS protocol'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elb';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":168,"endLineNumber":187,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_classic_lb_use_tls_https_listeners","org":"turbot","name":"elb_classic_lb_use_tls_https_listeners","mod":"Terraform AWS Compliance","title":"ELB classic load balancers should only use SSL or HTTPS listeners","description":"Ensure that your Elastic Load Balancers (ELBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data.","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB"}}],"controlTitle":"ELB classic load balancers should only use SSL or HTTPS listeners","controlDescription":"Ensure that your Elastic Load Balancers (ELBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data.","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB"}},"elb_application_network_gateway_lb_use_desync_mitigation_mode":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_application_network_gateway_lb_use_desync_mitigation_mode","org":"turbot","name":"elb_application_network_gateway_lb_use_desync_mitigation_mode","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'desync_mitigation_mode') like any (array ['defensive', 'strictest']) then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'desync_mitigation_mode') like any (array ['defensive', 'strictest']) then ' configured with ' || (attributes_std ->> 'desync_mitigation_mode') || ' mitigation mode'\n else ' not configured with defensive or strictest desync mitigation mode'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('aws_lb', 'aws_alb');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":189,"endLineNumber":208,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_application_network_gateway_lb_use_desync_mitigation_mode","org":"turbot","name":"elb_application_network_gateway_lb_use_desync_mitigation_mode","mod":"Terraform AWS Compliance","title":"ELB application, network and gateway load balancers should have defensive or strictest desync mitigation mode configured","description":"Ensure that your Elastic Load Balancers (ELBs) are configured with defensive or strictest desync mitigation mode.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"ELB application, network and gateway load balancers should have defensive or strictest desync mitigation mode configured","controlDescription":"Ensure that your Elastic Load Balancers (ELBs) are configured with defensive or strictest desync mitigation mode.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}},"elb_application_network_gateway_lb_cross_zone_load_balancing_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_application_network_gateway_lb_cross_zone_load_balancing_enabled","org":"turbot","name":"elb_application_network_gateway_lb_cross_zone_load_balancing_enabled","sql":"$44","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":282,"endLineNumber":303,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_application_network_gateway_lb_cross_zone_load_balancing_enabled","org":"turbot","name":"elb_application_network_gateway_lb_cross_zone_load_balancing_enabled","mod":"Terraform AWS Compliance","title":"ELB application, network and gateway load balancer should have cross-zone load balancing enabled","description":"Ensure that your application, network and gateway load balancer are configured with cross-zone load balancing.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"ELB application, network and gateway load balancer should have cross-zone load balancing enabled","controlDescription":"Ensure that your application, network and gateway load balancer are configured with cross-zone load balancing.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}},"elb_lb_target_group_use_health_check":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_lb_target_group_use_health_check","org":"turbot","name":"elb_lb_target_group_use_health_check","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'protocol') like any (array ['HTTPS', 'HTTP']) and (attributes_std ->> 'health_check') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'protocol') like any (array ['HTTPS', 'HTTP']) and (attributes_std ->> 'health_check') is not null then ' target group configured with health check'\n else ' target group not configured with health check'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('aws_lb_target_group', 'aws_alb_target_group');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":305,"endLineNumber":324,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_lb_target_group_use_health_check","org":"turbot","name":"elb_lb_target_group_use_health_check","mod":"Terraform AWS Compliance","title":"ELB HTTP HTTPS target group should be configured with Healthcheck","description":"Ensure HTTP HTTPS target group is defined with Healthcheck.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"ELB HTTP HTTPS target group should be configured with Healthcheck","controlDescription":"Ensure HTTP HTTPS target group is defined with Healthcheck.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}},"elb_classic_lb_cross_zone_load_balancing_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_classic_lb_cross_zone_load_balancing_enabled","org":"turbot","name":"elb_classic_lb_cross_zone_load_balancing_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cross_zone_load_balancing') is null then 'ok'\n when (attributes_std -> 'cross_zone_load_balancing')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cross_zone_load_balancing') is null then ' cross-zone load balancing enabled'\n when (attributes_std -> 'cross_zone_load_balancing')::boolean then ' cross-zone load balancing enabled'\n else ' cross-zone load balancing disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elb'\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":120,"endLineNumber":141,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_classic_lb_cross_zone_load_balancing_enabled","org":"turbot","name":"elb_classic_lb_cross_zone_load_balancing_enabled","mod":"Terraform AWS Compliance","title":"ELB classic load balancers should have cross-zone load balancing enabled","description":"Enable cross-zone load balancing for your Elastic Load Balancers (ELBs) to help maintain adequate capacity and availability. The cross-zone load balancing reduces the need to maintain equivalent number of instances in each enabled availability zone.","tags":{"category":"Compliance","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"ELB classic load balancers should have cross-zone load balancing enabled","controlDescription":"Enable cross-zone load balancing for your Elastic Load Balancers (ELBs) to help maintain adequate capacity and availability. The cross-zone load balancing reduces the need to maintain equivalent number of instances in each enabled availability zone.","controlTags":{"category":"Compliance","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/ELB"}},"elb_application_lb_drop_invalid_header_fields":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_application_lb_drop_invalid_header_fields","org":"turbot","name":"elb_application_lb_drop_invalid_header_fields","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'load_balancer_type') like any (array ['gateway', 'network']) then 'skip'\n when (attributes_std ->> 'drop_invalid_header_fields')::boolean and ((attributes_std ->> 'load_balancer_type') is null or (attributes_std ->> 'load_balancer_type') = 'application')\n then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'load_balancer_type') like any (array ['gateway', 'network']) then ' load balancer is of ' || (attributes_std ->> 'load_balancer_type') || ' type'\n when (attributes_std ->> 'drop_invalid_header_fields')::boolean\n and ((attributes_std ->> 'load_balancer_type') is null or (attributes_std ->> 'load_balancer_type') = 'application')\n then ' configured to drop invalid http header field(s)'\n else ' not configured to drop invalid http header field(s)'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('aws_lb', 'aws_alb');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":233,"endLineNumber":257,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_application_lb_drop_invalid_header_fields","org":"turbot","name":"elb_application_lb_drop_invalid_header_fields","mod":"Terraform AWS Compliance","title":"ELB application load balancers should have drop invalid header fields configured","description":"Ensure that your application load balancers are configured to drop invalid header fields.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"ELB application load balancers should have drop invalid header fields configured","controlDescription":"Ensure that your application load balancers are configured to drop invalid header fields.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}},"elb_application_lb_drop_http_headers":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_application_lb_drop_http_headers","org":"turbot","name":"elb_application_lb_drop_http_headers","sql":"select\n address as resource,\n case\n when (attributes_std -> 'drop_invalid_header_fields') is null then 'alarm'\n when (attributes_std -> 'drop_invalid_header_fields')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'drop_invalid_header_fields') is null then ' ''drop_invalid_header_fields'' disabled'\n when (attributes_std -> 'drop_invalid_header_fields')::boolean then ' ''drop_invalid_header_fields'' enabled'\n else ' ''drop_invalid_header_fields'' disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lb';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":74,"endLineNumber":95,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_application_lb_drop_http_headers","org":"turbot","name":"elb_application_lb_drop_http_headers","mod":"Terraform AWS Compliance","title":"ELB application load balancers should be drop HTTP headers","description":"Ensure that your Elastic Load Balancers are configured to drop HTTP headers.","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB"}}],"controlTitle":"ELB application load balancers should be drop HTTP headers","controlDescription":"Ensure that your Elastic Load Balancers are configured to drop HTTP headers.","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB"}},"elb_application_lb_waf_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_application_lb_waf_enabled","org":"turbot","name":"elb_application_lb_waf_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enable_waf_fail_open') is null then 'alarm'\n when (attributes_std -> 'enable_waf_fail_open')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enable_waf_fail_open') is null then ' WAF disabled'\n when (attributes_std -> 'enable_waf_fail_open')::boolean then ' WAF enabled'\n else ' WAF disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lb';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":97,"endLineNumber":118,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_application_lb_waf_enabled","org":"turbot","name":"elb_application_lb_waf_enabled","mod":"Terraform AWS Compliance","title":"ELB application load balancers should have Web Application Firewall (WAF) enabled","description":"Ensure AWS WAF is enabled on Elastic Load Balancers (ELB) to help protect web applications.","tags":{"category":"Compliance","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB"}}],"controlTitle":"ELB application load balancers should have Web Application Firewall (WAF) enabled","controlDescription":"Ensure AWS WAF is enabled on Elastic Load Balancers (ELB) to help protect web applications.","controlTags":{"category":"Compliance","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB"}},"elb_application_lb_deletion_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_application_lb_deletion_protection_enabled","org":"turbot","name":"elb_application_lb_deletion_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enable_deletion_protection') is null then 'alarm'\n when (attributes_std -> 'enable_deletion_protection')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enable_deletion_protection') is null then ' ''enable_deletion_protection'' not defined'\n when (attributes_std -> 'enable_deletion_protection')::boolean then ' deletion protection enabled'\n else ' deletion protection disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lb';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":51,"endLineNumber":72,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_application_lb_deletion_protection_enabled","org":"turbot","name":"elb_application_lb_deletion_protection_enabled","mod":"Terraform AWS Compliance","title":"ELB application load balancer deletion protection should be enabled","description":"This rule ensures that Elastic Load Balancing has deletion protection enabled.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"ELB application load balancer deletion protection should be enabled","controlDescription":"This rule ensures that Elastic Load Balancing has deletion protection enabled.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/ELB"}},"elb_application_classic_network_lb_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_application_classic_network_lb_logging_enabled","org":"turbot","name":"elb_application_classic_network_lb_logging_enabled","sql":"$45","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":1,"endLineNumber":49,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_application_classic_network_lb_logging_enabled","org":"turbot","name":"elb_application_classic_network_lb_logging_enabled","mod":"Terraform AWS Compliance","title":"ELB application and classic load balancer logging should be enabled","description":"Elastic Load Balancing activity is a central point of communication within an environment. Ensure that logging is enabled to track the activities of the load balancer.","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB","soc_2":"true"}}],"controlTitle":"ELB application and classic load balancer logging should be enabled","controlDescription":"Elastic Load Balancing activity is a central point of communication within an environment. Ensure that logging is enabled to track the activities of the load balancer.","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB","soc_2":"true"}},"ec2_classic_lb_connection_draining_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_classic_lb_connection_draining_enabled","org":"turbot","name":"ec2_classic_lb_connection_draining_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'connection_draining') is null then 'alarm'\n when (attributes_std -> 'connection_draining')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'connection_draining') is null then ' ''connection_draining'' disabled'\n when (attributes_std -> 'connection_draining')::bool then ' ''connection_draining'' enabled'\n else ' ''connection_draining'' disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elb';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_classic_lb_connection_draining_enabled","org":"turbot","name":"ec2_classic_lb_connection_draining_enabled","mod":"Terraform AWS Compliance","title":"Classic Load Balancers should have connection draining enabled","description":"This control checks whether Classic Load Balancers have connection draining enabled.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"Classic Load Balancers should have connection draining enabled","controlDescription":"This control checks whether Classic Load Balancers have connection draining enabled.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/ELB"}}},"elastic_beanstalk":{"elasticbeanstalk_environment_use_managed_updates":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elasticbeanstalk_environment_use_managed_updates","org":"turbot","name":"elasticbeanstalk_environment_use_managed_updates","sql":"$46","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elasticbeanstalk.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elasticbeanstalk_environment_use_managed_updates","org":"turbot","name":"elasticbeanstalk_environment_use_managed_updates","mod":"Terraform AWS Compliance","title":"Elastic Beanstalk managed platform updates should be enabled","description":"This control checks whether Elastic Beanstalk environments have managed platform updates enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElasticBeanstalk"}}],"controlTitle":"Elastic Beanstalk managed platform updates should be enabled","controlDescription":"This control checks whether Elastic Beanstalk environments have managed platform updates enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElasticBeanstalk"}},"elasticbeanstalk_environment_use_enhanced_health_checks":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elasticbeanstalk_environment_use_enhanced_health_checks","org":"turbot","name":"elasticbeanstalk_environment_use_enhanced_health_checks","sql":"$47","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elasticbeanstalk.pp","startLineNumber":24,"endLineNumber":45,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elasticbeanstalk_environment_use_enhanced_health_checks","org":"turbot","name":"elasticbeanstalk_environment_use_enhanced_health_checks","mod":"Terraform AWS Compliance","title":"Elastic Beanstalk enhanced health reporting should be enabled","description":"This control checks whether Elastic Beanstalk environments have enhanced health reporting enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElasticBeanstalk"}}],"controlTitle":"Elastic Beanstalk enhanced health reporting should be enabled","controlDescription":"This control checks whether Elastic Beanstalk environments have enhanced health reporting enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElasticBeanstalk"}}},"elasti_cache":{"elasticache_replication_group_encryption_in_transit_enabled_auth_token":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elasticache_replication_group_encryption_in_transit_enabled_auth_token","org":"turbot","name":"elasticache_replication_group_encryption_in_transit_enabled_auth_token","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'transit_encryption_enabled')::boolean and (attributes_std ->> 'auth_token') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'transit_encryption_enabled')::boolean and (attributes_std ->> 'auth_token') is not null then ' encrypted in transit and auth token set'\n when (attributes_std ->> 'transit_encryption_enabled')::boolean and (attributes_std ->> 'auth_token') is null then ' encrypted in transit but auth token not set'\n when (attributes_std ->> 'auth_token') is not null then 'not encrypted in transit but auth token set'\n else ' not encrypted in transit and auth token not set'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticache_replication_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elasticache.pp","startLineNumber":44,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elasticache_replication_group_encryption_in_transit_enabled_auth_token","org":"turbot","name":"elasticache_replication_group_encryption_in_transit_enabled_auth_token","mod":"Terraform AWS Compliance","title":"ElastiCache replication group should be encrypted at transit","description":"This control checks whether all data stored in the Elasticache Replication Group is securely encrypted at transit.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}}],"controlTitle":"ElastiCache replication group should be encrypted at transit","controlDescription":"This control checks whether all data stored in the Elasticache Replication Group is securely encrypted at transit.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}},"elasticache_replication_group_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elasticache_replication_group_encrypted_with_kms_cmk","org":"turbot","name":"elasticache_replication_group_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is not null then ' encrypted with kms cmk'\n else ' not encrypted with kms cmk'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticache_replication_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elasticache.pp","startLineNumber":88,"endLineNumber":107,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elasticache_replication_group_encrypted_with_kms_cmk","org":"turbot","name":"elasticache_replication_group_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"ElastiCache replication group should be encrypted with KMS CMK","description":"This control checks whether all data stored in the Elasticache Replication Group is securely encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}}],"controlTitle":"ElastiCache replication group should be encrypted with KMS CMK","controlDescription":"This control checks whether all data stored in the Elasticache Replication Group is securely encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}},"elasticache_replication_group_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elasticache_replication_group_encryption_at_rest_enabled","org":"turbot","name":"elasticache_replication_group_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'at_rest_encryption_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'at_rest_encryption_enabled')::boolean then ' encrypted at rest'\n else ' not encrypted at rest'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticache_replication_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elasticache.pp","startLineNumber":67,"endLineNumber":86,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elasticache_replication_group_encryption_at_rest_enabled","org":"turbot","name":"elasticache_replication_group_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"ElastiCache replication group should be encrypted at rest","description":"This control checks whether all data stored in the Elasticache Replication Group is securely encrypted at rest.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}}],"controlTitle":"ElastiCache replication group should be encrypted at rest","controlDescription":"This control checks whether all data stored in the Elasticache Replication Group is securely encrypted at rest.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}},"elasticache_cluster_has_subnet_group":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elasticache_cluster_has_subnet_group","org":"turbot","name":"elasticache_cluster_has_subnet_group","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'subnet_group_name') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'subnet_group_name') is not null then ' subnet group name set'\n else ' subnet group name not set'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticache_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elasticache.pp","startLineNumber":130,"endLineNumber":149,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elasticache_cluster_has_subnet_group","org":"turbot","name":"elasticache_cluster_has_subnet_group","mod":"Terraform AWS Compliance","title":"ElastiCache cluster should have subnet group","description":"This control checks whether the ElastiCache cluster has subnet group.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}}],"controlTitle":"ElastiCache cluster should have subnet group","controlDescription":"This control checks whether the ElastiCache cluster has subnet group.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}},"elasticache_replication_group_encryption_in_transit_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elasticache_replication_group_encryption_in_transit_enabled","org":"turbot","name":"elasticache_replication_group_encryption_in_transit_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'transit_encryption_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'transit_encryption_enabled')::boolean then ' encrypted in transit'\n else ' not encrypted in transit'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticache_replication_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elasticache.pp","startLineNumber":23,"endLineNumber":42,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elasticache_replication_group_encryption_in_transit_enabled","org":"turbot","name":"elasticache_replication_group_encryption_in_transit_enabled","mod":"Terraform AWS Compliance","title":"ElastiCache replication group should be encrypted at transit","description":"Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}}],"controlTitle":"ElastiCache replication group should be encrypted at transit","controlDescription":"Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}},"elasticache_redis_cluster_automatic_backup_retention_15_days":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elasticache_redis_cluster_automatic_backup_retention_15_days","org":"turbot","name":"elasticache_redis_cluster_automatic_backup_retention_15_days","sql":"select\n address as resource,\n case\n when (attributes_std -> 'snapshot_retention_limit')::int < 15 then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'snapshot_retention_limit')::int is null then ' automatic backups disabled'\n when (attributes_std -> 'snapshot_retention_limit')::int < 15 then ' automatic backup retention period is less than 15 days'\n else ' automatic backup retention period is more than 15 days'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticache_replication_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elasticache.pp","startLineNumber":1,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elasticache_redis_cluster_automatic_backup_retention_15_days","org":"turbot","name":"elasticache_redis_cluster_automatic_backup_retention_15_days","mod":"Terraform AWS Compliance","title":"ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater","description":"When automatic backups are enabled, Amazon ElastiCache creates a backup of the cluster on a daily basis. The backup can be retained for a number of days as specified by your organization. Automatic backups can help guard against data loss.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ElastiCache","soc_2":"true"}}],"controlTitle":"ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater","controlDescription":"When automatic backups are enabled, Amazon ElastiCache creates a backup of the cluster on a daily basis. The backup can be retained for a number of days as specified by your organization. Automatic backups can help guard against data loss.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ElastiCache","soc_2":"true"}},"elasticache_redis_cluster_auto_minor_version_upgrade":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elasticache_redis_cluster_auto_minor_version_upgrade","org":"turbot","name":"elasticache_redis_cluster_auto_minor_version_upgrade","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'auto_minor_version_upgrade')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'auto_minor_version_upgrade')::boolean then ' auto minor version upgrade enabled'\n else ' auto minor version upgrade disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticache_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elasticache.pp","startLineNumber":109,"endLineNumber":128,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elasticache_redis_cluster_auto_minor_version_upgrade","org":"turbot","name":"elasticache_redis_cluster_auto_minor_version_upgrade","mod":"Terraform AWS Compliance","title":"ElastiCache Redis cluster should have auto minor version upgrade enabled","description":"This control checks whether the ElastiCache Redis cluster has auto minor version upgrade enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}}],"controlTitle":"ElastiCache Redis cluster should have auto minor version upgrade enabled","controlDescription":"This control checks whether the ElastiCache Redis cluster has auto minor version upgrade enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}}},"eks":{"eks_cluster_secrets_encrypted":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/eks_cluster_secrets_encrypted","org":"turbot","name":"eks_cluster_secrets_encrypted","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_config') is null then 'alarm'\n when (attributes_std -> 'encryption_config' -> 'resources') @> '[\"secrets\"]' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_config') is null then ' encryption disabled'\n when (attributes_std -> 'encryption_config' -> 'resources') @> '[\"secrets\"]' then ' encrypted with EKS secrets'\n else ' not encrypted with EKS secrets'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_eks_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eks.pp","startLineNumber":50,"endLineNumber":71,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.eks_cluster_secrets_encrypted","org":"turbot","name":"eks_cluster_secrets_encrypted","mod":"Terraform AWS Compliance","title":"EKS clusters should be configured to have kubernetes secrets encrypted using KMS","description":"Ensure if Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.","tags":{"category":"Compliance","hipaa":"true","plugin":"terraform","service":"AWS/EKS"}}],"controlTitle":"EKS clusters should be configured to have kubernetes secrets encrypted using KMS","controlDescription":"Ensure if Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.","controlTags":{"category":"Compliance","hipaa":"true","plugin":"terraform","service":"AWS/EKS"}},"eks_cluster_run_on_supported_kubernetes_version":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/eks_cluster_run_on_supported_kubernetes_version","org":"turbot","name":"eks_cluster_run_on_supported_kubernetes_version","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'version') is null then 'skip'\n when (attributes_std ->> 'version') like any (array ['1.22', '1.23', '1.24', '1.25', '1.26']) then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'version') is null then ' Kubernetes version not set'\n when (attributes_std ->> 'version') like any (array ['1.22', '1.23', '1.24', '1.25', '1.26']) then ' run on supported Kubernetes version'\n else ' do not run on supported Kubernetes version'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_eks_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eks.pp","startLineNumber":73,"endLineNumber":94,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.eks_cluster_run_on_supported_kubernetes_version","org":"turbot","name":"eks_cluster_run_on_supported_kubernetes_version","mod":"Terraform AWS Compliance","title":"EKS cluster should run on supported Kubernetes version","description":"Ensure Amazon EKS cluster is running on supported Kubernetes version.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EKS"}}],"controlTitle":"EKS cluster should run on supported Kubernetes version","controlDescription":"Ensure Amazon EKS cluster is running on supported Kubernetes version.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EKS"}},"eks_cluster_endpoint_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/eks_cluster_endpoint_restrict_public_access","org":"turbot","name":"eks_cluster_endpoint_restrict_public_access","sql":"$48","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eks.pp","startLineNumber":1,"endLineNumber":27,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.eks_cluster_endpoint_restrict_public_access","org":"turbot","name":"eks_cluster_endpoint_restrict_public_access","mod":"Terraform AWS Compliance","title":"EKS clusters endpoint should restrict public access","description":"Ensure whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. The rule is complaint if the endpoint is publicly accessible.","tags":{"category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/EKS"}}],"controlTitle":"EKS clusters endpoint should restrict public access","controlDescription":"Ensure whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. The rule is complaint if the endpoint is publicly accessible.","controlTags":{"category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/EKS"}},"eks_cluster_node_group_ssh_access_from_internet":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/eks_cluster_node_group_ssh_access_from_internet","org":"turbot","name":"eks_cluster_node_group_ssh_access_from_internet","sql":"$49","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eks.pp","startLineNumber":119,"endLineNumber":142,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.eks_cluster_node_group_ssh_access_from_internet","org":"turbot","name":"eks_cluster_node_group_ssh_access_from_internet","mod":"Terraform AWS Compliance","title":"EKS cluster node group should be configured to restrict SSH access from 0.0.0.0/0","description":"EKS cluster node group SSH access should be restricted from internet. If you specify ec2_ssh_key, but do not specify source_security_group_ids configuration when you create an EKS Node Group, port 22 on the worker nodes is opened to the Internet (0.0.0.0/0).","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EKS"}}],"controlTitle":"EKS cluster node group should be configured to restrict SSH access from 0.0.0.0/0","controlDescription":"EKS cluster node group SSH access should be restricted from internet. If you specify ec2_ssh_key, but do not specify source_security_group_ids configuration when you create an EKS Node Group, port 22 on the worker nodes is opened to the Internet (0.0.0.0/0).","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EKS"}},"eks_cluster_control_plane_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/eks_cluster_control_plane_logging_enabled","org":"turbot","name":"eks_cluster_control_plane_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enabled_cluster_log_types') is null then 'alarm'\n when (attributes_std ->> 'enabled_cluster_log_types') like '%[\"api\", \"authenticator\", \"audit\", \"scheduler\", \"controllerManager\"]%' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enabled_cluster_log_types') is null then ' control plane logging not set'\n when (attributes_std ->> 'enabled_cluster_log_types') like '%[\"api\", \"authenticator\", \"audit\", \"scheduler\", \"controllerManager\"]%' then ' control plane logging enabled'\n else ' control plane logging disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_eks_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eks.pp","startLineNumber":96,"endLineNumber":117,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.eks_cluster_control_plane_logging_enabled","org":"turbot","name":"eks_cluster_control_plane_logging_enabled","mod":"Terraform AWS Compliance","title":"EKS cluster control plane logging should be enabled for all log types","description":"Ensure control plane logging is enabled for all log types in Amazon EKS cluster.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EKS"}}],"controlTitle":"EKS cluster control plane logging should be enabled for all log types","controlDescription":"Ensure control plane logging is enabled for all log types in Amazon EKS cluster.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EKS"}},"eks_cluster_log_types_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/eks_cluster_log_types_enabled","org":"turbot","name":"eks_cluster_log_types_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enabled_cluster_log_types') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enabled_cluster_log_types') is null then ' logging disabled'\n else ' logging enabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_eks_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eks.pp","startLineNumber":29,"endLineNumber":48,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.eks_cluster_log_types_enabled","org":"turbot","name":"eks_cluster_log_types_enabled","mod":"Terraform AWS Compliance","title":"EKS cluster log types should be enabled","description":"Ensure Amazon EKS cluster logging is enabled for all log types","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EKS"}}],"controlTitle":"EKS cluster log types should be enabled","controlDescription":"Ensure Amazon EKS cluster logging is enabled for all log types","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EKS"}}},"efs":{"efs_file_system_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/efs_file_system_encrypted_with_kms_cmk","org":"turbot","name":"efs_file_system_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_efs_file_system';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/efs.pp","startLineNumber":90,"endLineNumber":109,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.efs_file_system_encrypted_with_kms_cmk","org":"turbot","name":"efs_file_system_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"EFS file system should be encrypted with KMS CMK","description":"This control checks whether the Elastic File System file system is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EFS"}}],"controlTitle":"EFS file system should be encrypted with KMS CMK","controlDescription":"This control checks whether the Elastic File System file system is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EFS"}},"efs_file_system_encrypt_data_at_rest":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/efs_file_system_encrypt_data_at_rest","org":"turbot","name":"efs_file_system_encrypt_data_at_rest","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encrypted') is null then 'alarm'\n when (attributes_std ->> 'encrypted')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encrypted') is null then ' ''encrypted'' is not defined'\n when (attributes_std ->> 'encrypted')::boolean then ' encrypted at rest'\n else ' not encrypted at rest'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_efs_file_system';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/efs.pp","startLineNumber":21,"endLineNumber":42,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.efs_file_system_encrypt_data_at_rest","org":"turbot","name":"efs_file_system_encrypt_data_at_rest","mod":"Terraform AWS Compliance","title":"EFS file system encryption at rest should be enabled","description":"Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS).","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/EFS"}}],"controlTitle":"EFS file system encryption at rest should be enabled","controlDescription":"Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic File System (EFS).","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/EFS"}},"efs_file_system_automatic_backups_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/efs_file_system_automatic_backups_enabled","org":"turbot","name":"efs_file_system_automatic_backups_enabled","sql":"select\n address as resource,\n case\n when name in (select split_part((attributes_std ->> 'file_system_id')::text, '.', 2) from terraform_resource where type = 'aws_efs_backup_policy' and (attributes_std -> 'backup_policy' ->> 'status')::text = 'ENABLED') then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when name in (select split_part((attributes_std ->> 'file_system_id')::text, '.', 2) from terraform_resource where type = 'aws_efs_backup_policy' and (attributes_std -> 'backup_policy' ->> 'status')::text = 'ENABLED') then ' backup policy enabled'\n else ' backup policy disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_efs_file_system';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/efs.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.efs_file_system_automatic_backups_enabled","org":"turbot","name":"efs_file_system_automatic_backups_enabled","mod":"Terraform AWS Compliance","title":"EFS file systems should be in a backup plan","description":"To help with data back-up processes, ensure your Amazon Elastic File System (Amazon EFS) file systems are a part of an AWS Backup plan.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/EFS","soc_2":"true"}}],"controlTitle":"EFS file systems should be in a backup plan","controlDescription":"To help with data back-up processes, ensure your Amazon Elastic File System (Amazon EFS) file systems are a part of an AWS Backup plan.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/EFS","soc_2":"true"}},"efs_access_point_has_root_directory":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/efs_access_point_has_root_directory","org":"turbot","name":"efs_access_point_has_root_directory","sql":"select\n address as resource,\n case\n when (attributes_std -> 'root_directory') is null then 'alarm'\n when (attributes_std -> 'root_directory' -> 'path') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'root_directory') is null then ' ''root_directory'' is not defined'\n when (attributes_std -> 'root_directory' -> 'path') is not null then ' has root directory'\n else ' does not have root directory'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_efs_access_point';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/efs.pp","startLineNumber":67,"endLineNumber":88,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.efs_access_point_has_root_directory","org":"turbot","name":"efs_access_point_has_root_directory","mod":"Terraform AWS Compliance","title":"EFS access point should have a root directory","description":"This control checks whether the Elastic File System access point has a root directory associated with it.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EFS"}}],"controlTitle":"EFS access point should have a root directory","controlDescription":"This control checks whether the Elastic File System access point has a root directory associated with it.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EFS"}},"efs_access_point_has_user_identity":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/efs_access_point_has_user_identity","org":"turbot","name":"efs_access_point_has_user_identity","sql":"select\n address as resource,\n case\n when (attributes_std -> 'posix_user') is null then 'alarm'\n when (attributes_std -> 'posix_user' -> 'gid') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'posix_user') is null then ' ''posix_user'' is not defined'\n when (attributes_std -> 'posix_user' -> 'gid') is not null then ' has user identity'\n else ' does not have user identity'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_efs_access_point';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/efs.pp","startLineNumber":44,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.efs_access_point_has_user_identity","org":"turbot","name":"efs_access_point_has_user_identity","mod":"Terraform AWS Compliance","title":"EFS access point should have a user identity","description":"This control checks whether the Elastic File System access point has a user identity associated with it.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EFS"}}],"controlTitle":"EFS access point should have a user identity","controlDescription":"This control checks whether the Elastic File System access point has a user identity associated with it.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EFS"}}},"ecs":{"ecs_task_definition_encryption_in_transit_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ecs_task_definition_encryption_in_transit_enabled","org":"turbot","name":"ecs_task_definition_encryption_in_transit_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'volume' -> 'efs_volume_configuration' ->> 'transit_encryption')::text = 'ENABLED' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'volume' -> 'efs_volume_configuration' ->> 'transit_encryption')::text = 'ENABLED' then ' encryption in transit enabled'\n else ' encryption in transit disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ecs_task_definition';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ecs.pp","startLineNumber":26,"endLineNumber":45,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ecs_task_definition_encryption_in_transit_enabled","org":"turbot","name":"ecs_task_definition_encryption_in_transit_enabled","mod":"Terraform AWS Compliance","title":"ECS task definition encryption in transit should be enabled","description":"Ensure encryption in transit is enabled for EFS volumes in ECS Task definitions.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}}],"controlTitle":"ECS task definition encryption in transit should be enabled","controlDescription":"Ensure encryption in transit is enabled for EFS volumes in ECS Task definitions.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}},"ecs_task_definition_no_host_pid_mode":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ecs_task_definition_no_host_pid_mode","org":"turbot","name":"ecs_task_definition_no_host_pid_mode","sql":"with task_with_host as (\n select\n distinct (address ) as name\n from\n terraform_resource,\n jsonb_array_elements(\n case when ((attributes_std ->> 'container_definitions') = '')\n then null\n else (attributes_std ->> 'container_definitions')::jsonb end\n ) as s where s ->> 'pidMode' = 'host' and type = 'aws_ecs_task_definition'\n )\n select\n r.address as resource,\n case\n when h.name is null then 'ok'\n else 'alarm'\n end status,\n split_part(r.address, '.', 2) || case\n when h.name is null then ' shares the host process namespace'\n else ' does not share the host process namespace'\n end || '.' reason\n \n , path || ':' || start_line\n from\n terraform_resource as r\n left join task_with_host as h on h.name = r.address\n where\n type = 'aws_ecs_task_definition';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ecs.pp","startLineNumber":137,"endLineNumber":168,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ecs_task_definition_no_host_pid_mode","org":"turbot","name":"ecs_task_definition_no_host_pid_mode","mod":"Terraform AWS Compliance","title":"ECS task definitions should not share the host's process namespace","description":"This control checks if Amazon ECS task definitions are configured to share a host's process namespace with its containers. The control fails if the task definition shares the host's process namespace with the containers running on it.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}}],"controlTitle":"ECS task definitions should not share the host's process namespace","controlDescription":"This control checks if Amazon ECS task definitions are configured to share a host's process namespace with its containers. The control fails if the task definition shares the host's process namespace with the containers running on it.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}},"ecs_task_definition_role_check":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ecs_task_definition_role_check","org":"turbot","name":"ecs_task_definition_role_check","sql":"$4a","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ecs.pp","startLineNumber":90,"endLineNumber":113,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ecs_task_definition_role_check","org":"turbot","name":"ecs_task_definition_role_check","mod":"Terraform AWS Compliance","title":"ECS Task definition should have different Execution Role ARN and Task Role ARN","description":"This control checks whether the Execution Role ARN and the Task Role ARN are different in ECS Task definitions.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}}],"controlTitle":"ECS Task definition should have different Execution Role ARN and Task Role ARN","controlDescription":"This control checks whether the Execution Role ARN and the Task Role ARN are different in ECS Task definitions.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}},"ecs_cluster_logging_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ecs_cluster_logging_encrypted_with_kms_cmk","org":"turbot","name":"ecs_cluster_logging_encrypted_with_kms_cmk","sql":"$4b","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ecs.pp","startLineNumber":68,"endLineNumber":88,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ecs_cluster_logging_encrypted_with_kms_cmk","org":"turbot","name":"ecs_cluster_logging_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"ECS cluster logging should be encrypted with KMS CMK","description":"This control checks whether logging is encrypted with KMS CMK for the ECS cluster.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}}],"controlTitle":"ECS cluster logging should be encrypted with KMS CMK","controlDescription":"This control checks whether logging is encrypted with KMS CMK for the ECS cluster.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}},"ecs_task_definition_container_readonly_root_filesystem":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ecs_task_definition_container_readonly_root_filesystem","org":"turbot","name":"ecs_task_definition_container_readonly_root_filesystem","sql":"with task_with_readonly_root_filesystem as (\n select\n distinct (address ) as name\n from\n terraform_resource,\n jsonb_array_elements(\n case when ((attributes_std ->> 'container_definitions') = '')\n then null\n else (attributes_std ->> 'container_definitions')::jsonb end\n ) as s where (s ->> 'ReadonlyRootFilesystem')::boolean and type = 'aws_ecs_task_definition'\n )\n select\n r.address as resource,\n case\n when p.name is not null then 'ok'\n else 'alarm'\n end status,\n split_part(r.address, '.', 2) || case\n when p.name is not null then ' containers limited to read-only access to root filesystems'\n else ' containers not limited to read-only access to root filesystems'\n end || '.' reason\n \n , path || ':' || start_line\n from\n terraform_resource as r\n left join task_with_readonly_root_filesystem as p on p.name = r.address\n where\n type = 'aws_ecs_task_definition';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ecs.pp","startLineNumber":203,"endLineNumber":234,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ecs_task_definition_container_readonly_root_filesystem","org":"turbot","name":"ecs_task_definition_container_readonly_root_filesystem","mod":"Terraform AWS Compliance","title":"ECS containers should be limited to read-only access to root filesystems","description":"This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter in the container definition of ECS task definitions is set to false.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}}],"controlTitle":"ECS containers should be limited to read-only access to root filesystems","controlDescription":"This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter in the container definition of ECS task definitions is set to false.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}},"ecs_task_definition_container_non_privileged":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ecs_task_definition_container_non_privileged","org":"turbot","name":"ecs_task_definition_container_non_privileged","sql":"with task_with_root_privilege as (\n select\n distinct (address ) as name\n from\n terraform_resource,\n jsonb_array_elements(\n case when ((attributes_std ->> 'container_definitions') = '')\n then null\n else (attributes_std ->> 'container_definitions')::jsonb end\n ) as s where (s ->> 'privilege')::boolean and type = 'aws_ecs_task_definition'\n )\n select\n r.address as resource,\n case\n when p.name is null then 'ok'\n else 'alarm'\n end status,\n split_part(r.address, '.', 2) || case\n when p.name is null then ' does not have elevated privileges'\n else ' has elevated privileges'\n end || '.' reason\n \n , path || ':' || start_line\n from\n terraform_resource as r\n left join task_with_root_privilege as p on p.name = r.address\n where\n type = 'aws_ecs_task_definition';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ecs.pp","startLineNumber":170,"endLineNumber":201,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ecs_task_definition_container_non_privileged","org":"turbot","name":"ecs_task_definition_container_non_privileged","mod":"Terraform AWS Compliance","title":"ECS containers should run in non-privileged mode","description":"This control checks if the privileged parameter in the container definition of Amazon ECS Task Definitions is set to true. The control fails if this parameter is equal to true.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}}],"controlTitle":"ECS containers should run in non-privileged mode","controlDescription":"This control checks if the privileged parameter in the container definition of Amazon ECS Task Definitions is set to true. The control fails if this parameter is equal to true.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}},"ecs_cluster_container_insights_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ecs_cluster_container_insights_enabled","org":"turbot","name":"ecs_cluster_container_insights_enabled","sql":"select\n address as resource,\n case\n when\n (attributes_std -> 'setting' ->> 'name')::text = 'containerInsights'\n and (attributes_std -> 'setting' ->> 'value')::text = 'enabled' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when\n (attributes_std -> 'setting' ->> 'name')::text = 'containerInsights'\n and (attributes_std -> 'setting' ->> 'value')::text = 'enabled' then ' container insights enabled'\n else ' container insights disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ecs_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ecs.pp","startLineNumber":1,"endLineNumber":24,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ecs_cluster_container_insights_enabled","org":"turbot","name":"ecs_cluster_container_insights_enabled","mod":"Terraform AWS Compliance","title":"ECS cluster container insights should be enabled","description":"One of the best practices when using AWS ECS is to enable cluster container insights for better visibility.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}}],"controlTitle":"ECS cluster container insights should be enabled","controlDescription":"One of the best practices when using AWS ECS is to enable cluster container insights for better visibility.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}},"ecs_cluster_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ecs_cluster_logging_enabled","org":"turbot","name":"ecs_cluster_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'configuration' -> 'execute_command_configuration' ->> 'logging') in ('DEFAULT','OVERRIDE') then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'configuration' -> 'execute_command_configuration' ->> 'logging') in ('DEFAULT','OVERRIDE') then ' logging enabled'\n else ' logging disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ecs_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ecs.pp","startLineNumber":47,"endLineNumber":66,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ecs_cluster_logging_enabled","org":"turbot","name":"ecs_cluster_logging_enabled","mod":"Terraform AWS Compliance","title":"ECS cluster logging should be enabled","description":"This control checks whether logging is enabled for the ECS cluster.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}}],"controlTitle":"ECS cluster logging should be enabled","controlDescription":"This control checks whether logging is enabled for the ECS cluster.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}},"ecs_service_fargate_uses_latest_version":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ecs_service_fargate_uses_latest_version","org":"turbot","name":"ecs_service_fargate_uses_latest_version","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'launch_type') = 'FARGATE' and (attributes_std ->> 'platform_version') = 'LATEST' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'launch_type') = 'FARGATE' and (attributes_std ->> 'platform_version') = 'LATEST' then ' fargate latest'\n when (attributes_std ->> 'launch_type') = 'FARGATE' and (attributes_std ->> 'platform_version') <> 'LATEST' then ' fargate not latest'\n else ' not fargate'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ecs_task_definition';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ecs.pp","startLineNumber":115,"endLineNumber":135,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ecs_service_fargate_uses_latest_version","org":"turbot","name":"ecs_service_fargate_uses_latest_version","mod":"Terraform AWS Compliance","title":"ECS Fargate services should run on the latest Fargate platform version","description":"This control checks whether ECS Fargate services run on the latest Fargate platform version.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}}],"controlTitle":"ECS Fargate services should run on the latest Fargate platform version","controlDescription":"This control checks whether ECS Fargate services run on the latest Fargate platform version.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}}},"ecr":{"ecr_repository_use_image_scanning":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ecr_repository_use_image_scanning","org":"turbot","name":"ecr_repository_use_image_scanning","sql":"select\n address as resource,\n case\n when (attributes_std -> 'image_scanning_configuration' ->> 'scan_on_push')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'image_scanning_configuration' ->> 'scan_on_push')::boolean then ' uses image scanning'\n else ' does not use image scanning'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ecr_repository';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ecr.pp","startLineNumber":49,"endLineNumber":68,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ecr_repository_use_image_scanning","org":"turbot","name":"ecr_repository_use_image_scanning","mod":"Terraform AWS Compliance","title":"ECR repository should use image scanning","description":"One of the best practices when making containers available through AWS ECR is to scan them for vulnerabilities before sharing or using them.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECR"}}],"controlTitle":"ECR repository should use image scanning","controlDescription":"One of the best practices when making containers available through AWS ECR is to scan them for vulnerabilities before sharing or using them.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECR"}},"ecr_repository_tags_immutable":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ecr_repository_tags_immutable","org":"turbot","name":"ecr_repository_tags_immutable","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'image_tag_mutability')::text = 'IMMUTABLE' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'image_tag_mutability')::text = 'IMMUTABLE' then ' has immutable tags'\n else ' does not have immutable tags'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ecr_repository';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ecr.pp","startLineNumber":28,"endLineNumber":47,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ecr_repository_tags_immutable","org":"turbot","name":"ecr_repository_tags_immutable","mod":"Terraform AWS Compliance","title":"ECR repository tags should be immutable","description":"AWS ECR should have all tags be immutable - once a container is published, another image cannot assume the same tag.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECR","type":"Benchmark"}}],"controlTitle":"ECR repository tags should be immutable","controlDescription":"AWS ECR should have all tags be immutable - once a container is published, another image cannot assume the same tag.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECR","type":"Benchmark"}},"ecr_repository_encrypted_with_kms":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ecr_repository_encrypted_with_kms","org":"turbot","name":"ecr_repository_encrypted_with_kms","sql":"select\n address as resource,\n case\n when\n (attributes_std ->> 'encryption_configuration') is not null\n and coalesce((attributes_std -> 'encryption_configuration' ->> 'encryption_type'), '') = 'KMS'\n then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when\n (attributes_std ->> 'encryption_configuration') is not null\n and coalesce((attributes_std -> 'encryption_configuration' ->> 'encryption_type'), '') = 'KMS'\n then ' encrypted using KMS'\n else ' not encrypted using KMS'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ecr_repository';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ecr.pp","startLineNumber":1,"endLineNumber":26,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ecr_repository_encrypted_with_kms","org":"turbot","name":"ecr_repository_encrypted_with_kms","mod":"Terraform AWS Compliance","title":"ECR repository should be encrypted with KMS","description":"Ensure ECR repositories being created are set to be encrypted at rest using KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECR"}}],"controlTitle":"ECR repository should be encrypted with KMS","controlDescription":"Ensure ECR repositories being created are set to be encrypted at rest using KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECR"}},"ecr_repository_policy_prohibit_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ecr_repository_policy_prohibit_public_access","org":"turbot","name":"ecr_repository_policy_prohibit_public_access","sql":"$4c","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ecr.pp","startLineNumber":70,"endLineNumber":111,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ecr_repository_policy_prohibit_public_access","org":"turbot","name":"ecr_repository_policy_prohibit_public_access","mod":"Terraform AWS Compliance","title":"ECR repository policy should prohibit public access","description":"Ensure ECR repository associated policy prohibits public access.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECR"}}],"controlTitle":"ECR repository policy should prohibit public access","controlDescription":"Ensure ECR repository associated policy prohibits public access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECR"}}},"ec_2":{"ec2_launch_configuration_ebs_encryption_check":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_launch_configuration_ebs_encryption_check","org":"turbot","name":"ec2_launch_configuration_ebs_encryption_check","sql":"$4d","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":329,"endLineNumber":348,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_launch_configuration_ebs_encryption_check","org":"turbot","name":"ec2_launch_configuration_ebs_encryption_check","mod":"Terraform AWS Compliance","title":"EC2 launch configuration EBS encryption should be enabled","description":"This control checks whether EC2 launch configurations have EBS encryption enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}}],"controlTitle":"EC2 launch configuration EBS encryption should be enabled","controlDescription":"This control checks whether EC2 launch configurations have EBS encryption enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}},"ec2_launch_configuration_metadata_hop_limit_check":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_launch_configuration_metadata_hop_limit_check","org":"turbot","name":"ec2_launch_configuration_metadata_hop_limit_check","sql":"select\n address as resource,\n case\n when (attributes_std -> 'metadata_options' ->> 'http_put_response_hop_limit')::int > 1 then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'metadata_options' ->> 'http_put_response_hop_limit')::int > 1 then ' metadata response hop limit value is greater than 1'\n else ' metadata response hop limit value is less than 1'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_launch_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":308,"endLineNumber":327,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_launch_configuration_metadata_hop_limit_check","org":"turbot","name":"ec2_launch_configuration_metadata_hop_limit_check","mod":"Terraform AWS Compliance","title":"EC2 launch configuration should not have a metadata response hop limit greater than 1","description":"This control checks whether EC2 launch configurations have a metadata response hop limit less than 1.","tags":{"aws_foundational_security":"true","category":"Compliance","nist_800_53_rev_4":"true","plugin":"terraform","service":"AWS/EC2"}}],"controlTitle":"EC2 launch configuration should not have a metadata response hop limit greater than 1","controlDescription":"This control checks whether EC2 launch configurations have a metadata response hop limit less than 1.","controlTags":{"aws_foundational_security":"true","category":"Compliance","nist_800_53_rev_4":"true","plugin":"terraform","service":"AWS/EC2"}},"ec2_launch_template_metadata_hop_limit_check":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_launch_template_metadata_hop_limit_check","org":"turbot","name":"ec2_launch_template_metadata_hop_limit_check","sql":"select\n address as resource,\n case\n when (attributes_std -> 'metadata_options' ->> 'http_put_response_hop_limit')::int > 1 then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'metadata_options' ->> 'http_put_response_hop_limit')::int > 1 then ' metadata response hop limit value is greater than 1'\n else ' metadata response hop limit value is not less than 1'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_launch_template';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":287,"endLineNumber":306,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_launch_template_metadata_hop_limit_check","org":"turbot","name":"ec2_launch_template_metadata_hop_limit_check","mod":"Terraform AWS Compliance","title":"EC2 launch template should not have a metadata response hop limit greater than 1","description":"This control checks whether EC2 launch templates have a metadata response hop limit less than 1.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}}],"controlTitle":"EC2 launch template should not have a metadata response hop limit greater than 1","controlDescription":"This control checks whether EC2 launch templates have a metadata response hop limit less than 1.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}},"ec2_instance_user_data_no_secrets":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_instance_user_data_no_secrets","org":"turbot","name":"ec2_instance_user_data_no_secrets","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'user_data') is null then 'skip'\n when (attributes_std ->> 'user_data') like any (array ['%pass%', '%secret%','%token%','%key%'])\n or (attributes_std ->> 'user_data') ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[@$!%*?&])[A-Za-z\\d@$!%*?&]' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'user_data') is null then ' no user data defined.'\n when (attributes_std ->> 'user_data') like any (array ['%pass%', '%secret%','%token%','%key%'])\n or (attributes_std ->> 'user_data') ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[@$!%*?&])[A-Za-z\\d@$!%*?&]' then ' potential secret found in user data.'\n else ' no secrets found in user data.'\n end as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":199,"endLineNumber":222,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_instance_user_data_no_secrets","org":"turbot","name":"ec2_instance_user_data_no_secrets","mod":"Terraform AWS Compliance","title":"EC2 instances should not contain secrets in user data","description":"To help protect sensitive information, ensure that Amazon Elastic Compute Cloud (Amazon EC2) instances do not contain secrets in user data.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"AWS/EC2"}}],"controlTitle":"EC2 instances should not contain secrets in user data","controlDescription":"To help protect sensitive information, ensure that Amazon Elastic Compute Cloud (Amazon EC2) instances do not contain secrets in user data.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"AWS/EC2"}},"ec2_instance_uses_imdsv2":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_instance_uses_imdsv2","org":"turbot","name":"ec2_instance_uses_imdsv2","sql":"select\n address as resource,\n case\n when coalesce(trim(attributes_std -> 'metadata_options' ->> 'http_tokens'),'') in ('optional', '') then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'metadata_options' -> 'http_tokens') is null then ' ''http_tokens'' is not defined'\n when (attributes_std -> 'metadata_options' ->> 'http_tokens') = 'optional'\n then ' not configured to use Instance Metadata Service Version 2 (IMDSv2)'\n else ' configured to use Instance Metadata Service Version 2 (IMDSv2)'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":176,"endLineNumber":197,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_instance_uses_imdsv2","org":"turbot","name":"ec2_instance_uses_imdsv2","mod":"Terraform AWS Compliance","title":"EC2 instances should use IMDSv2","description":"Ensure the Instance Metadata Service Version 2 (IMDSv2) method is enabled to help protect access and control of Amazon Elastic Compute Cloud (Amazon EC2) instance metadata.","tags":{"aws_foundational_security":"true","category":"Compliance","nist_800_53_rev_4":"true","plugin":"terraform","service":"AWS/EC2"}}],"controlTitle":"EC2 instances should use IMDSv2","controlDescription":"Ensure the Instance Metadata Service Version 2 (IMDSv2) method is enabled to help protect access and control of Amazon Elastic Compute Cloud (Amazon EC2) instance metadata.","controlTags":{"aws_foundational_security":"true","category":"Compliance","nist_800_53_rev_4":"true","plugin":"terraform","service":"AWS/EC2"}},"ec2_instance_termination_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_instance_termination_protection_enabled","org":"turbot","name":"ec2_instance_termination_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'root_block_device' ->> 'delete_on_termination')::bool is true then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'root_block_device' ->> 'delete_on_termination')::bool is true then ' instance termination protection enabled'\n else ' instance termination protection disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":155,"endLineNumber":174,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_instance_termination_protection_enabled","org":"turbot","name":"ec2_instance_termination_protection_enabled","mod":"Terraform AWS Compliance","title":"EC2 instances termination protection should be enabled","description":"To prevent your instance from being accidentally terminated using Amazon EC2, you can enable termination protection for the instance.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}}],"controlTitle":"EC2 instances termination protection should be enabled","controlDescription":"To prevent your instance from being accidentally terminated using Amazon EC2, you can enable termination protection for the instance.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}},"ec2_instance_not_use_multiple_enis":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_instance_not_use_multiple_enis","org":"turbot","name":"ec2_instance_not_use_multiple_enis","sql":"select\n address as resource,\n case\n when jsonb_typeof(attributes_std -> 'network_interface') is null then 'skip'\n when (jsonb_typeof(attributes_std -> 'network_interface'))::text = 'object' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when jsonb_typeof(attributes_std -> 'network_interface') is null then ' has no ENI attached'\n when (jsonb_typeof(attributes_std -> 'network_interface'))::text = 'object' then ' has 1 ENI attached'\n else ' has ' || (jsonb_array_length(attributes_std -> 'network_interface')) || ' ENI(s) attached'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":132,"endLineNumber":153,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_instance_not_use_multiple_enis","org":"turbot","name":"ec2_instance_not_use_multiple_enis","mod":"Terraform AWS Compliance","title":"EC2 instances should not use multiple ENIs","description":"This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). This control passes if a single network adapter is used. The control includes an optional parameter list to identify the allowed ENIs.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/EC2"}}],"controlTitle":"EC2 instances should not use multiple ENIs","controlDescription":"This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). This control passes if a single network adapter is used. The control includes an optional parameter list to identify the allowed ENIs.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/EC2"}},"ec2_instance_ebs_optimized":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_instance_ebs_optimized","org":"turbot","name":"ec2_instance_ebs_optimized","sql":"select\n address as resource,\n case\n when (attributes_std -> 'ebs_optimized')::bool is true then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'ebs_optimized')::bool is true then ' EBS optimization enabled'\n else ' EBS optimization disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":67,"endLineNumber":86,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_instance_ebs_optimized","org":"turbot","name":"ec2_instance_ebs_optimized","mod":"Terraform AWS Compliance","title":"EC2 instance should have EBS optimization enabled","description":"An optimized instance in Amazon Elastic Block Store (Amazon EBS) provides additional, dedicated capacity for Amazon EBS I/O operations.","tags":{"category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/EC2","soc_2":"true"}}],"controlTitle":"EC2 instance should have EBS optimization enabled","controlDescription":"An optimized instance in Amazon Elastic Block Store (Amazon EBS) provides additional, dedicated capacity for Amazon EBS I/O operations.","controlTags":{"category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/EC2","soc_2":"true"}},"ec2_instance_not_use_default_vpc":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_instance_not_use_default_vpc","org":"turbot","name":"ec2_instance_not_use_default_vpc","sql":"select\n address as resource,\n case\n when (attributes_std -> 'subnet_id') is null then 'skip'\n when split_part((attributes_std ->> 'subnet_id'), '.', 2) in (select name from terraform_resource where type = 'aws_subnet' and (attributes_std ->> 'vpc_id') like '%default%') then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'subnet_id') is null then ' does not have a subnet id defined'\n when split_part((attributes_std ->> 'subnet_id'), '.', 2) in (select name from terraform_resource where type = 'aws_subnet' and (attributes_std ->> 'vpc_id') like '%default%') then ' deployed to a default VPC'\n else ' not deployed to a default VPC'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":109,"endLineNumber":130,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_instance_not_use_default_vpc","org":"turbot","name":"ec2_instance_not_use_default_vpc","mod":"Terraform AWS Compliance","title":"Ensure EC2 instances do not use default VPC","description":"One of the best practices when using EC2s in AWS is not to deploy any resources to the default VPC.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}}],"controlTitle":"Ensure EC2 instances do not use default VPC","controlDescription":"One of the best practices when using EC2s in AWS is not to deploy any resources to the default VPC.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}},"ec2_instance_ebs_encryption_check":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_instance_ebs_encryption_check","org":"turbot","name":"ec2_instance_ebs_encryption_check","sql":"$4e","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":350,"endLineNumber":369,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_instance_ebs_encryption_check","org":"turbot","name":"ec2_instance_ebs_encryption_check","mod":"Terraform AWS Compliance","title":"EC2 instance EBS encryption should be enabled","description":"This control checks whether EC2 instances have EBS encryption enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}}],"controlTitle":"EC2 instance EBS encryption should be enabled","controlDescription":"This control checks whether EC2 instances have EBS encryption enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}},"ec2_instance_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_instance_not_publicly_accessible","org":"turbot","name":"ec2_instance_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std -> 'associate_public_ip_address') is null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'associate_public_ip_address') is null then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":88,"endLineNumber":107,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_instance_not_publicly_accessible","org":"turbot","name":"ec2_instance_not_publicly_accessible","mod":"Terraform AWS Compliance","title":"EC2 instances should not have a public IP address","description":"Manage access to the AWS Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/EC2","soc_2":"true"}}],"controlTitle":"EC2 instances should not have a public IP address","controlDescription":"Manage access to the AWS Cloud by ensuring Amazon Elastic Compute Cloud (Amazon EC2) instances cannot be publicly accessed.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/EC2","soc_2":"true"}},"ec2_ami_launch_permission_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_ami_launch_permission_restricted","org":"turbot","name":"ec2_ami_launch_permission_restricted","sql":"select\n address as resource,\n case\n when (attributes_std -> 'account_id') is not null then 'ok'\n when (attributes_std -> 'group') is not null then 'info'\n when (attributes_std -> 'organizational_arn') is not null then 'info'\n when (attributes_std -> 'organizational_unit_arn') is not null then 'info'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'account_id') is not null then ' is restrictive to account(s)'\n when (attributes_std -> 'group') is not null then ' is open to IAM group'\n when (attributes_std -> 'organizational_arn') is not null then ' is open to organization'\n when (attributes_std -> 'organizational_unit_arn') is not null then ' is open to organization unit'\n else ' is wide open'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ami_launch_permission';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":434,"endLineNumber":459,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_ami_launch_permission_restricted","org":"turbot","name":"ec2_ami_launch_permission_restricted","mod":"Terraform AWS Compliance","title":"EC2 AMI launch permission should be restricted","description":"This control checks whether EC2 AMI launch permission is restrictive in nature.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}}],"controlTitle":"EC2 AMI launch permission should be restricted","controlDescription":"This control checks whether EC2 AMI launch permission is restrictive in nature.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}},"ec2_instance_detailed_monitoring_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_instance_detailed_monitoring_enabled","org":"turbot","name":"ec2_instance_detailed_monitoring_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'monitoring')::bool is true then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'monitoring')::bool is true then ' detailed monitoring enabled'\n else ' detailed monitoring disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":46,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_instance_detailed_monitoring_enabled","org":"turbot","name":"ec2_instance_detailed_monitoring_enabled","mod":"Terraform AWS Compliance","title":"EC2 instance detailed monitoring should be enabled","description":"Enable this rule to help improve Amazon Elastic Compute Cloud (Amazon EC2) instance monitoring on the Amazon EC2 console, which displays monitoring graphs with a one minute period for the instance.","tags":{"category":"Compliance","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/EC2","soc_2":"true"}}],"controlTitle":"EC2 instance detailed monitoring should be enabled","controlDescription":"Enable this rule to help improve Amazon Elastic Compute Cloud (Amazon EC2) instance monitoring on the Amazon EC2 console, which displays monitoring graphs with a one minute period for the instance.","controlTags":{"category":"Compliance","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/EC2","soc_2":"true"}},"ec2_ebs_default_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_ebs_default_encryption_enabled","org":"turbot","name":"ec2_ebs_default_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enabled') is null then 'alarm'\n when (attributes_std ->> 'enabled')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enabled') is null then ' ''enabled'' is not defined'\n when (attributes_std ->> 'enabled')::bool then ' default EBS encryption enabled'\n else ' default EBS encryption disabled'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ebs_encryption_by_default';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":24,"endLineNumber":44,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_ebs_default_encryption_enabled","org":"turbot","name":"ec2_ebs_default_encryption_enabled","mod":"Terraform AWS Compliance","title":"EBS default encryption should be enabled","description":"To help protect data at rest, ensure that encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","plugin":"terraform","service":"AWS/EC2"}}],"controlTitle":"EBS default encryption should be enabled","controlDescription":"To help protect data at rest, ensure that encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","plugin":"terraform","service":"AWS/EC2"}},"ec2_ami_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_ami_encryption_enabled","org":"turbot","name":"ec2_ami_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'ebs_block_device' ->> 'encrypted') = 'true' or (attributes_std -> 'ebs_block_device' ->> 'snapshot_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'ebs_block_device' ->> 'encrypted') = 'true' or (attributes_std -> 'ebs_block_device' ->> 'snapshot_id') is not null then ' is encrypted'\n else ' is not encrypted'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ami';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":413,"endLineNumber":432,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_ami_encryption_enabled","org":"turbot","name":"ec2_ami_encryption_enabled","mod":"Terraform AWS Compliance","title":"EC2 AMI should be encrypted","description":"This control checks whether EC2 AMI has encryption enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}}],"controlTitle":"EC2 AMI should be encrypted","controlDescription":"This control checks whether EC2 AMI has encryption enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}},"ec2_ami_imagebuilder_component_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_ami_imagebuilder_component_encrypted_with_kms_cmk","org":"turbot","name":"ec2_ami_imagebuilder_component_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is null then ' is not encrypted with CMK'\n else ' is encrypted with CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_imagebuilder_component';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":224,"endLineNumber":243,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_ami_imagebuilder_component_encrypted_with_kms_cmk","org":"turbot","name":"ec2_ami_imagebuilder_component_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"EC2 AMI image builder components should be encrypted with KMS CMK","description":"This control checks whether EC2 AMI image builder components are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}}],"controlTitle":"EC2 AMI image builder components should be encrypted with KMS CMK","controlDescription":"This control checks whether EC2 AMI image builder components are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}},"ec2_ami_copy_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_ami_copy_encryption_enabled","org":"turbot","name":"ec2_ami_copy_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'encrypted') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'encrypted') = 'true' then ' is encrypted'\n else ' is not encrypted'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ami_copy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":371,"endLineNumber":390,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_ami_copy_encryption_enabled","org":"turbot","name":"ec2_ami_copy_encryption_enabled","mod":"Terraform AWS Compliance","title":"EC2 AMI copy should be encrypted","description":"This control checks whether EC2 AMI copy has encryption enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}}],"controlTitle":"EC2 AMI copy should be encrypted","controlDescription":"This control checks whether EC2 AMI copy has encryption enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}},"ec2_ami_imagebuilder_distribution_configuration_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_ami_imagebuilder_distribution_configuration_encrypted_with_kms_cmk","org":"turbot","name":"ec2_ami_imagebuilder_distribution_configuration_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'distribution' -> 'ami_distribution_configuration' ->> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'distribution' -> 'ami_distribution_configuration' ->> 'kms_key_id') is null then ' is not encrypted with CMK'\n else ' is encrypted with CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_imagebuilder_distribution_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":245,"endLineNumber":264,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_ami_imagebuilder_distribution_configuration_encrypted_with_kms_cmk","org":"turbot","name":"ec2_ami_imagebuilder_distribution_configuration_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"EC2 AMI image builder distribution configurations should be encrypted with KMS CMK","description":"This control checks whether EC2 AMI image builder distribution configurations are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}}],"controlTitle":"EC2 AMI image builder distribution configurations should be encrypted with KMS CMK","controlDescription":"This control checks whether EC2 AMI image builder distribution configurations are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}},"ec2_ami_imagebuilder_image_recipe_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_ami_imagebuilder_image_recipe_encrypted_with_kms_cmk","org":"turbot","name":"ec2_ami_imagebuilder_image_recipe_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'block_device_mapping' -> 'ebs' ->> 'kms_key_id') is null or (attributes_std -> 'block_device_mapping' -> 'ebs' ->> 'encrypted') <> 'true' or (attributes_std -> 'block_device_mapping' -> 'ebs' ->> 'encrypted') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'block_device_mapping' -> 'ebs' ->> 'kms_key_id') is null or (attributes_std -> 'block_device_mapping' -> 'ebs' ->> 'encrypted') <> 'true' or (attributes_std -> 'block_device_mapping' -> 'ebs' ->> 'encrypted') is null then ' is not encrypted with CMK'\n else ' is encrypted with CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_imagebuilder_image_recipe';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":266,"endLineNumber":285,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_ami_imagebuilder_image_recipe_encrypted_with_kms_cmk","org":"turbot","name":"ec2_ami_imagebuilder_image_recipe_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"EC2 AMI image builder image recipes should be encrypted with KMS CMK","description":"This control checks whether EC2 AMI image builder image recipes are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}}],"controlTitle":"EC2 AMI image builder image recipes should be encrypted with KMS CMK","controlDescription":"This control checks whether EC2 AMI image builder image recipes are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}},"ec2_ami_copy_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_ami_copy_encrypted_with_kms_cmk","org":"turbot","name":"ec2_ami_copy_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is not null then ' is encrypted with CMK'\n else ' is not encrypted with CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ami_copy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":392,"endLineNumber":411,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_ami_copy_encrypted_with_kms_cmk","org":"turbot","name":"ec2_ami_copy_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"EC2 AMI copy should be encrypted with KMS CMK","description":"This control checks whether EC2 AMI copy is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}}],"controlTitle":"EC2 AMI copy should be encrypted with KMS CMK","controlDescription":"This control checks whether EC2 AMI copy is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EC2"}}},"ebs":{"ebs_snapshot_copy_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ebs_snapshot_copy_encrypted_with_kms_cmk","org":"turbot","name":"ebs_snapshot_copy_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encrypted') is null then 'alarm'\n when (attributes_std ->> 'encrypted')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encrypted') is null then ' ''encrypted'' is not defined'\n when (attributes_std ->> 'encrypted')::bool then ' encrypted'\n else ' not encrypted'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ebs_snapshot_copy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ebs.pp","startLineNumber":24,"endLineNumber":45,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ebs_snapshot_copy_encrypted_with_kms_cmk","org":"turbot","name":"ebs_snapshot_copy_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"EBS snapshots should be encrypted with KMS CMK","description":"This control checks whether EBS snapshots are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EBS"}}],"controlTitle":"EBS snapshots should be encrypted with KMS CMK","controlDescription":"This control checks whether EBS snapshots are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EBS"}},"ebs_volume_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ebs_volume_encryption_at_rest_enabled","org":"turbot","name":"ebs_volume_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encrypted') is null then 'alarm'\n when (attributes_std ->> 'encrypted')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encrypted') is null then ' ''encrypted'' is not defined'\n when (attributes_std ->> 'encrypted')::bool then ' encrypted'\n else ' not encrypted'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ebs_volume';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ebs.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ebs_volume_encryption_at_rest_enabled","org":"turbot","name":"ebs_volume_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"EBS volumes should have encryption enabled","description":"Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes.","tags":{"category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/EBS"}}],"controlTitle":"EBS volumes should have encryption enabled","controlDescription":"Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elastic Block Store (Amazon EBS) volumes.","controlTags":{"category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/EBS"}}},"dynamo_db":{"dynamodb_vpc_endpoint_routetable_association":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/dynamodb_vpc_endpoint_routetable_association","org":"turbot","name":"dynamodb_vpc_endpoint_routetable_association","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'service_name') like '%dynamodb%' and (attributes_std -> 'route_table_ids') is null then 'alarm'\n when (attributes_std ->> 'service_name') like '%dynamodb%' and (attributes_std -> 'route_table_ids') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'service_name') like '%dynamodb%' and (attributes_std -> 'route_table_ids') is null then ' VPC Endpoint for DynamoDB disabled'\n when (attributes_std ->> 'service_name') like '%dynamodb%' and (attributes_std -> 'route_table_ids') is not null then ' VPC Endpoint for DynamoDB enabled'\n else ' VPC Endpoint for DynamoDB disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_vpc_endpoint';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dynamodb.pp","startLineNumber":70,"endLineNumber":91,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.dynamodb_vpc_endpoint_routetable_association","org":"turbot","name":"dynamodb_vpc_endpoint_routetable_association","mod":"Terraform AWS Compliance","title":"DynamoDB VPC endpoint should be enabled in all route tables in use in a VPC","description":"Using VPC endpoints helps to secure traffic by ensuring that the data does not traverse the internet or access public networks. It also helps keep private subnets private. Setting up VPC endpoints can be complicated.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/DynamoDB"}}],"controlTitle":"DynamoDB VPC endpoint should be enabled in all route tables in use in a VPC","controlDescription":"Using VPC endpoints helps to secure traffic by ensuring that the data does not traverse the internet or access public networks. It also helps keep private subnets private. Setting up VPC endpoints can be complicated.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/DynamoDB"}},"dynamodb_table_point_in_time_recovery_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/dynamodb_table_point_in_time_recovery_enabled","org":"turbot","name":"dynamodb_table_point_in_time_recovery_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'point_in_time_recovery') is null then 'alarm'\n when (attributes_std -> 'point_in_time_recovery' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'point_in_time_recovery') is null then ' ''point_in_time_recovery'' disabled'\n when (attributes_std -> 'point_in_time_recovery' ->> 'enabled')::boolean then ' ''point_in_time_recovery'' enabled'\n else ' ''point_in_time_recovery'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_dynamodb_table';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dynamodb.pp","startLineNumber":47,"endLineNumber":68,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.dynamodb_table_point_in_time_recovery_enabled","org":"turbot","name":"dynamodb_table_point_in_time_recovery_enabled","mod":"Terraform AWS Compliance","title":"DynamoDB table point-in-time recovery should be enabled","description":"Enable this rule to check that information has been backed up. It also maintains the backups by ensuring that point-in-time recovery is enabled in Amazon DynamoDB.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/DynamoDB","soc_2":"true"}}],"controlTitle":"DynamoDB table point-in-time recovery should be enabled","controlDescription":"Enable this rule to check that information has been backed up. It also maintains the backups by ensuring that point-in-time recovery is enabled in Amazon DynamoDB.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/DynamoDB","soc_2":"true"}},"dynamodb_table_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/dynamodb_table_encryption_enabled","org":"turbot","name":"dynamodb_table_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'server_side_encryption') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'server_side_encryption') is not null then ' server-side encryption not set to DynamoDB owned KMS key'\n else ' server-side encryption set to AWS owned CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_dynamodb_table';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dynamodb.pp","startLineNumber":26,"endLineNumber":45,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.dynamodb_table_encryption_enabled","org":"turbot","name":"dynamodb_table_encryption_enabled","mod":"Terraform AWS Compliance","title":"DynamoDB table should have encryption enabled","description":"Ensure that encryption is enabled for your Amazon DynamoDB tables. Because sensitive data can exist at rest in these tables, enable encryption at rest to help protect that data.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/DynamoDB"}}],"controlTitle":"DynamoDB table should have encryption enabled","controlDescription":"Ensure that encryption is enabled for your Amazon DynamoDB tables. Because sensitive data can exist at rest in these tables, enable encryption at rest to help protect that data.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/DynamoDB"}},"dynamodb_table_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/dynamodb_table_encrypted_with_kms_cmk","org":"turbot","name":"dynamodb_table_encrypted_with_kms_cmk","sql":"$4f","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dynamodb.pp","startLineNumber":1,"endLineNumber":24,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.dynamodb_table_encrypted_with_kms_cmk","org":"turbot","name":"dynamodb_table_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"DynamoDB table should be encrypted with AWS KMS","description":"Ensure that encryption is enabled for your Amazon DynamoDB tables. Because sensitive data can exist at rest in these tables, enable encryption at rest to help protect that data.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/DynamoDB"}}],"controlTitle":"DynamoDB table should be encrypted with AWS KMS","controlDescription":"Ensure that encryption is enabled for your Amazon DynamoDB tables. Because sensitive data can exist at rest in these tables, enable encryption at rest to help protect that data.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/DynamoDB"}}},"document_db":{"docdb_cluster_paramater_group_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/docdb_cluster_paramater_group_logging_enabled","org":"turbot","name":"docdb_cluster_paramater_group_logging_enabled","sql":"select\n address as resource,\n case\n when\n (attributes_std -> 'parameter'->> 'name') = 'audit_logs'\n and (attributes_std -> 'parameter'->> 'value') = 'enabled'\n then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when\n (attributes_std -> 'parameter'->> 'name') = 'audit_logs'\n and (attributes_std -> 'parameter'->> 'value') = 'enabled'\n then ' logging enabled'\n else ' logging disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_docdb_cluster_parameter_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/docdb.pp","startLineNumber":51,"endLineNumber":76,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.docdb_cluster_paramater_group_logging_enabled","org":"turbot","name":"docdb_cluster_paramater_group_logging_enabled","mod":"Terraform AWS Compliance","title":"DocDB parameter group should have audit logs enabled","description":"This control checks whether DocDB parameter group has logging enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/DocumentDB"}}],"controlTitle":"DocDB parameter group should have audit logs enabled","controlDescription":"This control checks whether DocDB parameter group has logging enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/DocumentDB"}},"docdb_cluster_encrypted_with_kms":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/docdb_cluster_encrypted_with_kms","org":"turbot","name":"docdb_cluster_encrypted_with_kms","sql":"select\n address as resource,\n case\n when\n (attributes_std ->> 'storage_encrypted')::boolean\n and coalesce(trim(attributes_std ->> 'kms_key_id'), '') <> ''\n then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when\n (attributes_std ->> 'storage_encrypted')::boolean\n and coalesce(trim(attributes_std ->> 'kms_key_id'), '') <> ''\n then ' encrypted at rest using KMS CMK'\n else ' not encrypted at rest using KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_docdb_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/docdb.pp","startLineNumber":24,"endLineNumber":49,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.docdb_cluster_encrypted_with_kms","org":"turbot","name":"docdb_cluster_encrypted_with_kms","mod":"Terraform AWS Compliance","title":"DocDB cluster should be encrypted using KMS","description":"Ensure DocDB clusters being created are set to be encrypted at rest using KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/DocumentDB"}}],"controlTitle":"DocDB cluster should be encrypted using KMS","controlDescription":"Ensure DocDB clusters being created are set to be encrypted at rest using KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/DocumentDB"}},"docdb_cluster_parameter_group_tls_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/docdb_cluster_parameter_group_tls_enabled","org":"turbot","name":"docdb_cluster_parameter_group_tls_enabled","sql":"select\n address as resource,\n case\n when\n (attributes_std -> 'parameter'->> 'name') = 'tls'\n and (attributes_std -> 'parameter'->> 'value') = 'enabled'\n then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when\n (attributes_std -> 'parameter'->> 'name') = 'tls'\n and (attributes_std -> 'parameter'->> 'value') = 'enabled'\n then ' TLS enabled'\n else ' TLS disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_docdb_cluster_parameter_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/docdb.pp","startLineNumber":128,"endLineNumber":153,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.docdb_cluster_parameter_group_tls_enabled","org":"turbot","name":"docdb_cluster_parameter_group_tls_enabled","mod":"Terraform AWS Compliance","title":"DocDB TLS should be enabled","description":"This control checks whether DocDB TLS is enabled through its parameter group.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/DocumentDB"}}],"controlTitle":"DocDB TLS should be enabled","controlDescription":"This control checks whether DocDB TLS is enabled through its parameter group.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/DocumentDB"}},"docdb_cluster_audit_logs_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/docdb_cluster_audit_logs_enabled","org":"turbot","name":"docdb_cluster_audit_logs_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enabled_cloudwatch_logs_exports') is null then 'alarm'\n when '\"audit\"' in (select jsonb_array_elements(attributes_std -> 'enabled_cloudwatch_logs_exports') from terraform_resource where type = 'aws_docdb_cluster') then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enabled_cloudwatch_logs_exports') is null then ' logging not enabled'\n when '\"audit\"' in (select jsonb_array_elements(attributes_std -> 'enabled_cloudwatch_logs_exports') from terraform_resource where type = 'aws_docdb_cluster') then ' audit logging enabled'\n else ' audit logging not enabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_docdb_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/docdb.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.docdb_cluster_audit_logs_enabled","org":"turbot","name":"docdb_cluster_audit_logs_enabled","mod":"Terraform AWS Compliance","title":"DocDB cluster audit logging should be enabled","description":"Ensure DocDB cluster audit logging is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/DocumentDB"}}],"controlTitle":"DocDB cluster audit logging should be enabled","controlDescription":"Ensure DocDB cluster audit logging is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/DocumentDB"}},"docdb_cluster_log_exports_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/docdb_cluster_log_exports_enabled","org":"turbot","name":"docdb_cluster_log_exports_enabled","sql":"select\n address as resource,\n case\n when\n (attributes_std -> 'enabled_cloudwatch_logs_exports') is not null\n then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when\n (attributes_std -> 'enabled_cloudwatch_logs_exports') is not null\n then ' cloudwatch log exports enabled'\n else ' cloudwatch log exports disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_docdb_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/docdb.pp","startLineNumber":103,"endLineNumber":126,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.docdb_cluster_log_exports_enabled","org":"turbot","name":"docdb_cluster_log_exports_enabled","mod":"Terraform AWS Compliance","title":"DocDB cluster should have log export enabled","description":"This control checks whether DocDB cluster has log export enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/DocumentDB"}}],"controlTitle":"DocDB cluster should have log export enabled","controlDescription":"This control checks whether DocDB cluster has log export enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/DocumentDB"}},"docdb_cluster_backup_retention_period_7":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/docdb_cluster_backup_retention_period_7","org":"turbot","name":"docdb_cluster_backup_retention_period_7","sql":"select\n address as resource,\n case\n when (attributes_std -> 'backup_retention_period') is null then 'alarm'\n when ((attributes_std ->> 'backup_retention_period'))::int >= 7 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'backup_retention_period') is null then ' backup retention not set'\n else ' backup retention set to ' || (attributes_std ->> 'backup_retention_period')\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_docdb_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/docdb.pp","startLineNumber":155,"endLineNumber":175,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.docdb_cluster_backup_retention_period_7","org":"turbot","name":"docdb_cluster_backup_retention_period_7","mod":"Terraform AWS Compliance","title":"DocDB cluster backup retention period should be at least 7 days","description":"This control checks whether DocDB cluster backup retention is set to 7 or greater than 7.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/DocumentDB"}}],"controlTitle":"DocDB cluster backup retention period should be at least 7 days","controlDescription":"This control checks whether DocDB cluster backup retention is set to 7 or greater than 7.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/DocumentDB"}},"docdb_global_cluster_encrypted":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/docdb_global_cluster_encrypted","org":"turbot","name":"docdb_global_cluster_encrypted","sql":"select\n address as resource,\n case\n when\n (attributes_std ->> 'storage_encrypted')::boolean\n then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when\n (attributes_std ->> 'storage_encrypted')::boolean\n then ' Global Cluster is encrypted'\n else ' Global Cluster is not encrypted'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_docdb_global_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/docdb.pp","startLineNumber":78,"endLineNumber":101,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.docdb_global_cluster_encrypted","org":"turbot","name":"docdb_global_cluster_encrypted","mod":"Terraform AWS Compliance","title":"DocDB Global Cluster encryption at rest enabled","description":"This control checks whether DocDB Global Cluster is enabled with encryption at rest (default is unencrypted).","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/DocumentDB"}}],"controlTitle":"DocDB Global Cluster encryption at rest enabled","controlDescription":"This control checks whether DocDB Global Cluster is enabled with encryption at rest (default is unencrypted).","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/DocumentDB"}}},"dms":{"dms_replication_instance_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/dms_replication_instance_not_publicly_accessible","org":"turbot","name":"dms_replication_instance_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std -> 'publicly_accessible') is null then 'ok'\n when (attributes_std -> 'publicly_accessible')::bool then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'publicly_accessible') is null then ' not publicly accessible'\n when (attributes_std -> 'publicly_accessible')::bool then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_dms_replication_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dms.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.dms_replication_instance_not_publicly_accessible","org":"turbot","name":"dms_replication_instance_not_publicly_accessible","mod":"Terraform AWS Compliance","title":"DMS replication instances should not be publicly accessible","description":"Manage access to the AWS Cloud by ensuring DMS replication instances cannot be publicly accessed.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/DMS"}}],"controlTitle":"DMS replication instances should not be publicly accessible","controlDescription":"Manage access to the AWS Cloud by ensuring DMS replication instances cannot be publicly accessed.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/DMS"}},"dms_s3_endpoint_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/dms_s3_endpoint_encrypted_with_kms_cmk","org":"turbot","name":"dms_s3_endpoint_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_arn') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_arn') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_dms_s3_endpoint';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dms.pp","startLineNumber":66,"endLineNumber":85,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.dms_s3_endpoint_encrypted_with_kms_cmk","org":"turbot","name":"dms_s3_endpoint_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"DMS S3 endpoints should be encrypted with KMS CMK","description":"This control checks whether DMS S3 endpoints are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/DMS"}}],"controlTitle":"DMS S3 endpoints should be encrypted with KMS CMK","controlDescription":"This control checks whether DMS S3 endpoints are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/DMS"}},"dms_replication_instance_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/dms_replication_instance_encrypted_with_kms_cmk","org":"turbot","name":"dms_replication_instance_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_arn') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_arn') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_dms_replication_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dms.pp","startLineNumber":24,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.dms_replication_instance_encrypted_with_kms_cmk","org":"turbot","name":"dms_replication_instance_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"DMS replication instances should be encrypted with KMS CMK","description":"This control checks whether DMS replication instances are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/DMS"}}],"controlTitle":"DMS replication instances should be encrypted with KMS CMK","controlDescription":"This control checks whether DMS replication instances are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/DMS"}},"dms_replication_instance_automatic_minor_version_upgrade_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/dms_replication_instance_automatic_minor_version_upgrade_enabled","org":"turbot","name":"dms_replication_instance_automatic_minor_version_upgrade_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'auto_minor_version_upgrade')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'auto_minor_version_upgrade')::bool then ' automatic minor version upgrade enabled'\n else ' automatic minor version upgrade disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_dms_replication_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dms.pp","startLineNumber":45,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.dms_replication_instance_automatic_minor_version_upgrade_enabled","org":"turbot","name":"dms_replication_instance_automatic_minor_version_upgrade_enabled","mod":"Terraform AWS Compliance","title":"DMS replication instances should have automatic minor version upgrade enabled","description":"This control checks whether DMS replication instances have automatic minor version upgrade enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/DMS"}}],"controlTitle":"DMS replication instances should have automatic minor version upgrade enabled","controlDescription":"This control checks whether DMS replication instances have automatic minor version upgrade enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/DMS"}}},"dlm":{"dlm_lifecycle_policy_events_cross_region_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/dlm_lifecycle_policy_events_cross_region_encryption_enabled","org":"turbot","name":"dlm_lifecycle_policy_events_cross_region_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'policy_details' -> 'action' -> 'cross_region_copy' -> 'encryption_configuration' ->> 'encrypted')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'policy_details' -> 'action' -> 'cross_region_copy' -> 'encryption_configuration' ->> 'encrypted')::boolean then ' events cross-region encryption enabled'\n else ' events cross-region encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_dlm_lifecycle_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dlm.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.dlm_lifecycle_policy_events_cross_region_encryption_enabled","org":"turbot","name":"dlm_lifecycle_policy_events_cross_region_encryption_enabled","mod":"Terraform AWS Compliance","title":"DLM lifecycle policy events cross-region encryption should be enabled","description":"This control checks whether the DLM lifecycle policy events cross-region encryption is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/DLM"}}],"controlTitle":"DLM lifecycle policy events cross-region encryption should be enabled","controlDescription":"This control checks whether the DLM lifecycle policy events cross-region encryption is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/DLM"}},"dlm_schedule_cross_region_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/dlm_schedule_cross_region_encryption_enabled","org":"turbot","name":"dlm_schedule_cross_region_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'policy_details' -> 'schedule' -> 'cross_region_copy_rule') is null then 'skip'\n when (attributes_std -> 'policy_details' -> 'schedule' -> 'cross_region_copy_rule' ->> 'encrypted')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'policy_details' -> 'schedule' -> 'cross_region_copy_rule') is null then ' schedule cross-region not configured'\n when (attributes_std -> 'policy_details' -> 'schedule' -> 'cross_region_copy_rule' ->> 'encrypted')::boolean then ' schedule cross-region encryption enabled'\n else ' schedule cross-region encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_dlm_lifecycle_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dlm.pp","startLineNumber":43,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.dlm_schedule_cross_region_encryption_enabled","org":"turbot","name":"dlm_schedule_cross_region_encryption_enabled","mod":"Terraform AWS Compliance","title":"DLM schedule cross-region encryption should be enabled","description":"This control checks whether the DLM schedule cross-region encryption is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/DLM"}}],"controlTitle":"DLM schedule cross-region encryption should be enabled","controlDescription":"This control checks whether the DLM schedule cross-region encryption is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/DLM"}},"dlm_schedule_cross_region_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/dlm_schedule_cross_region_encrypted_with_kms_cmk","org":"turbot","name":"dlm_schedule_cross_region_encrypted_with_kms_cmk","sql":"$50","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dlm.pp","startLineNumber":66,"endLineNumber":87,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.dlm_schedule_cross_region_encrypted_with_kms_cmk","org":"turbot","name":"dlm_schedule_cross_region_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"DLM schedule cross-region encryption with KMS CMK should be enabled","description":"This control checks whether the DLM schedule cross has cross-region encryption with KMS CMK enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/DLM"}}],"controlTitle":"DLM schedule cross-region encryption with KMS CMK should be enabled","controlDescription":"This control checks whether the DLM schedule cross has cross-region encryption with KMS CMK enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/DLM"}},"dlm_lifecycle_policy_events_cross_region_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/dlm_lifecycle_policy_events_cross_region_encrypted_with_kms_cmk","org":"turbot","name":"dlm_lifecycle_policy_events_cross_region_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'policy_details' -> 'action' -> 'cross_region_copy' -> 'encryption_configuration' ->> 'encrypted')::boolean and (attributes_std -> 'policy_details' -> 'action' -> 'cross_region_copy' -> 'encryption_configuration' ->> 'cmk_arn') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'policy_details' -> 'action' -> 'cross_region_copy' -> 'encryption_configuration' ->> 'encrypted')::boolean and (attributes_std -> 'policy_details' -> 'action' -> 'cross_region_copy' -> 'encryption_configuration' ->> 'cmk_arn') is not null then ' events cross-region encrypted with KMS CMK'\n else ' events cross-region not encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_dlm_lifecycle_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dlm.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.dlm_lifecycle_policy_events_cross_region_encrypted_with_kms_cmk","org":"turbot","name":"dlm_lifecycle_policy_events_cross_region_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"DLM lifecycle policy events cross-region encryption with KMS CMK should be enabled","description":"This control checks whether the DLM lifecycle policy events has cross-region encryption with KMS CMK enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/DLM"}}],"controlTitle":"DLM lifecycle policy events cross-region encryption with KMS CMK should be enabled","controlDescription":"This control checks whether the DLM lifecycle policy events has cross-region encryption with KMS CMK enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/DLM"}}},"dax":{"dax_cluster_endpoint_encryption_tls_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/dax_cluster_endpoint_encryption_tls_enabled","org":"turbot","name":"dax_cluster_endpoint_encryption_tls_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'cluster_endpoint_encryption_type') = 'TLS' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'cluster_endpoint_encryption_type') = 'TLS' then ' endpoint encryption tls enabled'\n else ' endpoint encryption tls disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_dax_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dax.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.dax_cluster_endpoint_encryption_tls_enabled","org":"turbot","name":"dax_cluster_endpoint_encryption_tls_enabled","mod":"Terraform AWS Compliance","title":"DAX clusters endpoint encryption should have TLS enabled","description":"This control checks whether a DAX cluster endpoint encryption has TLS enabled. TLS encrypts the connection between the application and the DAX cluster. Encrypting data in transit protects it from being intercepted by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data. For example, API permissions are required to decrypt the data before it can be read.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/DAX"}}],"controlTitle":"DAX clusters endpoint encryption should have TLS enabled","controlDescription":"This control checks whether a DAX cluster endpoint encryption has TLS enabled. TLS encrypts the connection between the application and the DAX cluster. Encrypting data in transit protects it from being intercepted by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data. For example, API permissions are required to decrypt the data before it can be read.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/DAX"}},"dax_cluster_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/dax_cluster_encryption_at_rest_enabled","org":"turbot","name":"dax_cluster_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'server_side_encryption') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'server_side_encryption') is null then ' encryption at rest disabled'\n else ' encryption at rest disabled enabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_dax_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dax.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.dax_cluster_encryption_at_rest_enabled","org":"turbot","name":"dax_cluster_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"DynamoDB Accelerator (DAX) clusters should be encrypted at rest","description":"This control checks whether a DAX cluster is encrypted at rest. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data. For example, API permissions are required to decrypt the data before it can be read.","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/DAX"}}],"controlTitle":"DynamoDB Accelerator (DAX) clusters should be encrypted at rest","controlDescription":"This control checks whether a DAX cluster is encrypted at rest. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data. For example, API permissions are required to decrypt the data before it can be read.","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/DAX"}}},"connect":{"connect_instance_kinesis_video_stream_storage_config_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/connect_instance_kinesis_video_stream_storage_config_encrypted_with_kms_cmk","org":"turbot","name":"connect_instance_kinesis_video_stream_storage_config_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'storage_config' -> 'kinesis_video_stream_config' -> 'encryption_config' ->> 'key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'storage_config' -> 'kinesis_video_stream_config' -> 'encryption_config' ->> 'key_id') is null then ' is not encrypted with KMS CMK'\n else ' is encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_connect_instance_storage_config';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/connectinstance.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.connect_instance_kinesis_video_stream_storage_config_encrypted_with_kms_cmk","org":"turbot","name":"connect_instance_kinesis_video_stream_storage_config_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Connect instance kinesis video stream storage config is encrypted with KMS CMK","description":"This control checks whether Connect instance Kinesis video stream storage config is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Connect"}}],"controlTitle":"Connect instance kinesis video stream storage config is encrypted with KMS CMK","controlDescription":"This control checks whether Connect instance Kinesis video stream storage config is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Connect"}},"connect_instance_s3_storage_config_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/connect_instance_s3_storage_config_encrypted_with_kms_cmk","org":"turbot","name":"connect_instance_s3_storage_config_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'storage_config' -> 's3_config' -> 'encryption_config' ->> 'key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'storage_config' -> 's3_config' -> 'encryption_config' ->> 'key_id') is null then ' is not encrypted with KMS CMK'\n else ' is encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_connect_instance_storage_config';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/connectinstance.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.connect_instance_s3_storage_config_encrypted_with_kms_cmk","org":"turbot","name":"connect_instance_s3_storage_config_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Connect instance S3 storage config is encrypted with KMS CMK","description":"This control checks whether Connect instance S3 storage config is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Connect"}}],"controlTitle":"Connect instance S3 storage config is encrypted with KMS CMK","controlDescription":"This control checks whether Connect instance S3 storage config is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Connect"}}},"data_sync":{"datasync_location_object_storage_expose_secret":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/datasync_location_object_storage_expose_secret","org":"turbot","name":"datasync_location_object_storage_expose_secret","sql":"select\n address as resource,\n case\n when (attributes_std -> 'secret_key') is null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'secret_key') is null then ' does not expose any secret key details'\n else ' exposes secret key details'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_datasync_location_object_storage';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/datasync.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.datasync_location_object_storage_expose_secret","org":"turbot","name":"datasync_location_object_storage_expose_secret","mod":"Terraform AWS Compliance","title":"DataSync object storage location configuration should restrict secret key exposure","description":"This control checks whether DataSync object storage location configuration exposes to any access key secrets.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/DataSync"}}],"controlTitle":"DataSync object storage location configuration should restrict secret key exposure","controlDescription":"This control checks whether DataSync object storage location configuration exposes to any access key secrets.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/DataSync"}}},"comprehend":{"comprehend_entity_recognizer_model_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/comprehend_entity_recognizer_model_encrypted_with_kms_cmk","org":"turbot","name":"comprehend_entity_recognizer_model_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'model_kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'model_kms_key_id') is not null then ' uses KMS CMK'\n else ' does not use KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_comprehend_entity_recognizer';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/comprehend.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.comprehend_entity_recognizer_model_encrypted_with_kms_cmk","org":"turbot","name":"comprehend_entity_recognizer_model_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Comprehend entity recognizer model encrypted with KMS CMK","description":"This control checks whether AWS Comprehend entity recognizer models are encrypted with KMS CMKs.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Comprehend"}}],"controlTitle":"Comprehend entity recognizer model encrypted with KMS CMK","controlDescription":"This control checks whether AWS Comprehend entity recognizer models are encrypted with KMS CMKs.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Comprehend"}},"comprehend_entity_recognizer_volume_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/comprehend_entity_recognizer_volume_encrypted_with_kms_cmk","org":"turbot","name":"comprehend_entity_recognizer_volume_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'volume_kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'volume_kms_key_id') is not null then ' uses KMS CMK'\n else ' does not use KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_comprehend_entity_recognizer';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/comprehend.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.comprehend_entity_recognizer_volume_encrypted_with_kms_cmk","org":"turbot","name":"comprehend_entity_recognizer_volume_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Comprehend entity recognizer volume encrypted with KMS CMK","description":"This control checks whether AWS Comprehend entity recognizer volumes are encrypted with KMS CMKs.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Comprehend"}}],"controlTitle":"Comprehend entity recognizer volume encrypted with KMS CMK","controlDescription":"This control checks whether AWS Comprehend entity recognizer volumes are encrypted with KMS CMKs.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Comprehend"}}},"config":{"config_aggregator_enabled_all_regions":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/config_aggregator_enabled_all_regions","org":"turbot","name":"config_aggregator_enabled_all_regions","sql":"select\n address as resource,\n case\n when (attributes_std -> 'account_aggregation_source' ->> 'all_regions')::boolean then 'ok'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'account_aggregation_source' ->> 'all_regions')::boolean then ' enabled in all regions'\n else ' not enabled in all regions'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_config_configuration_aggregator';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/config.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.config_aggregator_enabled_all_regions","org":"turbot","name":"config_aggregator_enabled_all_regions","mod":"Terraform AWS Compliance","title":"Config aggregator should be enabled in all regions","description":"AWS Config should enable the config aggregator - allowing you to analyze the configuration across multiple accounts and regions.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Config"}}],"controlTitle":"Config aggregator should be enabled in all regions","controlDescription":"AWS Config should enable the config aggregator - allowing you to analyze the configuration across multiple accounts and regions.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Config"}}},"code_pipeline":{"codepipeline_artifacts_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/codepipeline_artifacts_encrypted_with_kms_cmk","org":"turbot","name":"codepipeline_artifacts_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'artifact_store' -> 'encryption_key' ->> 'id') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'artifact_store' -> 'encryption_key' ->> 'id') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_codepipeline';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/codepipeline.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.codepipeline_artifacts_encrypted_with_kms_cmk","org":"turbot","name":"codepipeline_artifacts_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"CodePipeline Artifacts encrypted with KMS CMK","description":"This control checks whether the CodePipeline Artifacts are encrypted.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/CodePipeline"}}],"controlTitle":"CodePipeline Artifacts encrypted with KMS CMK","controlDescription":"This control checks whether the CodePipeline Artifacts are encrypted.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/CodePipeline"}}},"code_commit":{"codecommit_approval_rule_template_number_of_approval_2":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/codecommit_approval_rule_template_number_of_approval_2","org":"turbot","name":"codecommit_approval_rule_template_number_of_approval_2","sql":"with number_of_approvals_needed as (\n select\n address as name,\n (s -> 'NumberOfApprovalsNeeded')::int as num_of_approval\n from\n terraform_resource,\n jsonb_array_elements((attributes_std ->> 'content')::jsonb -> 'Statements') as s\n where\n type = 'aws_codecommit_approval_rule_template'\n)\nselect\n r.address as resource,\n case\n when num_of_approval >= 2 then 'ok'\n else 'alarm'\n end as status,\n split_part(r.address, '.', 2) || ' number of approvals is set to ' || num_of_approval || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource as r\n left join number_of_approvals_needed as n on n.name = r.address\nwhere\n r.type = 'aws_codecommit_approval_rule_template';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/codecommit.pp","startLineNumber":1,"endLineNumber":27,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.codecommit_approval_rule_template_number_of_approval_2","org":"turbot","name":"codecommit_approval_rule_template_number_of_approval_2","mod":"Terraform AWS Compliance","title":"CodeCommit approval rule template should have at least 2 approvals","description":"Ensure that codecommit branch changes receive a minimum of 2 approvals.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/CodeCommit"}}],"controlTitle":"CodeCommit approval rule template should have at least 2 approvals","controlDescription":"Ensure that codecommit branch changes receive a minimum of 2 approvals.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/CodeCommit"}}},"code_build":{"codebuild_project_privileged_mode_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/codebuild_project_privileged_mode_disabled","org":"turbot","name":"codebuild_project_privileged_mode_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'environment' ->> 'privileged_mode')::boolean then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'environment' ->> 'privileged_mode')::boolean then ' has privileged mode enabled'\n else ' has privileged mode disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_codebuild_project';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/codebuild.pp","startLineNumber":147,"endLineNumber":166,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.codebuild_project_privileged_mode_disabled","org":"turbot","name":"codebuild_project_privileged_mode_disabled","mod":"Terraform AWS Compliance","title":"CodeBuild project privileged mode should be disabled","description":"This control checks whether CodeBuild project privileged mode is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/CodeBuild"}}],"controlTitle":"CodeBuild project privileged mode should be disabled","controlDescription":"This control checks whether CodeBuild project privileged mode is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/CodeBuild"}},"codebuild_project_source_repo_oauth_configured":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/codebuild_project_source_repo_oauth_configured","org":"turbot","name":"codebuild_project_source_repo_oauth_configured","sql":"$51","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/codebuild.pp","startLineNumber":65,"endLineNumber":101,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.codebuild_project_source_repo_oauth_configured","org":"turbot","name":"codebuild_project_source_repo_oauth_configured","mod":"Terraform AWS Compliance","title":"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth","description":"Ensure the GitHub or Bitbucket source repository URL does not contain personal access tokens, user name and password within AWS Codebuild project environments.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","service":"AWS/CodeBuild","soc_2":"true"}}],"controlTitle":"CodeBuild GitHub or Bitbucket source repository URLs should use OAuth","controlDescription":"Ensure the GitHub or Bitbucket source repository URL does not contain personal access tokens, user name and password within AWS Codebuild project environments.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","service":"AWS/CodeBuild","soc_2":"true"}},"codebuild_project_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/codebuild_project_encryption_at_rest_enabled","org":"turbot","name":"codebuild_project_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when coalesce(trim(attributes_std ->> 'encryption_key'), '') = '' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce(trim(attributes_std ->> 'encryption_key'), '') = '' then ' not encrypted at rest'\n else ' encrypted at rest'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_codebuild_project';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/codebuild.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.codebuild_project_encryption_at_rest_enabled","org":"turbot","name":"codebuild_project_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"CodeBuild project encryption at rest should be enabled","description":"Ensure CodeBuild projects are set to be encrypted at rest with KMS CMK to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/CodeBuild"}}],"controlTitle":"CodeBuild project encryption at rest should be enabled","controlDescription":"Ensure CodeBuild projects are set to be encrypted at rest with KMS CMK to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/CodeBuild"}},"codebuild_project_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/codebuild_project_logging_enabled","org":"turbot","name":"codebuild_project_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logs_config' ->> 'cloudwatch_logs') is not null\n or (attributes_std -> 'logs_config' ->> 's3_logs') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logs_config' ->> 'cloudwatch_logs') is not null\n or (attributes_std -> 'logs_config' ->> 's3_logs') is not null then ' logging enabled'\n else ' logging disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_codebuild_project';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/codebuild.pp","startLineNumber":124,"endLineNumber":145,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.codebuild_project_logging_enabled","org":"turbot","name":"codebuild_project_logging_enabled","mod":"Terraform AWS Compliance","title":"CodeBuild project environments should have logging enabled","description":"This control checks whether CodeBuild project environments have logging enabled.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa_final_omnibus_security_rule_2013":"true","hipaa_security_rule_2003":"true","nist_csf":"true","plugin":"terraform","service":"AWS/CodeBuild"}}],"controlTitle":"CodeBuild project environments should have logging enabled","controlDescription":"This control checks whether CodeBuild project environments have logging enabled.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa_final_omnibus_security_rule_2013":"true","hipaa_security_rule_2003":"true","nist_csf":"true","plugin":"terraform","service":"AWS/CodeBuild"}},"codebuild_project_s3_logs_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/codebuild_project_s3_logs_encryption_enabled","org":"turbot","name":"codebuild_project_s3_logs_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logs_config' -> 's3_logs' ->> 'encryption_disabled')::boolean then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logs_config' -> 's3_logs' ->> 'encryption_disabled')::boolean then ' not encrypted at rest'\n else ' encrypted at rest'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_codebuild_project';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/codebuild.pp","startLineNumber":103,"endLineNumber":122,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.codebuild_project_s3_logs_encryption_enabled","org":"turbot","name":"codebuild_project_s3_logs_encryption_enabled","mod":"Terraform AWS Compliance","title":"CodeBuild project S3 logs encryption should be enabled","description":"This control checks whether CodeBuild project S3 logs are encrypted.","tags":{"aws_foundational_security":"true","category":"Compliance","gxp_21_cfr_part_11":"true","gxp_eu_annex_11":"true","nist_csf":"true","plugin":"terraform","service":"AWS/CodeBuild"}}],"controlTitle":"CodeBuild project S3 logs encryption should be enabled","controlDescription":"This control checks whether CodeBuild project S3 logs are encrypted.","controlTags":{"aws_foundational_security":"true","category":"Compliance","gxp_21_cfr_part_11":"true","gxp_eu_annex_11":"true","nist_csf":"true","plugin":"terraform","service":"AWS/CodeBuild"}},"codebuild_project_plaintext_env_variables_no_sensitive_aws_values":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/codebuild_project_plaintext_env_variables_no_sensitive_aws_values","org":"turbot","name":"codebuild_project_plaintext_env_variables_no_sensitive_aws_values","sql":"$52","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/codebuild.pp","startLineNumber":22,"endLineNumber":63,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.codebuild_project_plaintext_env_variables_no_sensitive_aws_values","org":"turbot","name":"codebuild_project_plaintext_env_variables_no_sensitive_aws_values","mod":"Terraform AWS Compliance","title":"CodeBuild project plaintext environment variables should not contain sensitive AWS values","description":"Ensure authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY do not exist within AWS CodeBuild project environments. Do not store these variables in clear text. Storing these variables in clear text leads to unintended data exposure and unauthorized access.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","service":"AWS/CodeBuild","soc_2":"true"}}],"controlTitle":"CodeBuild project plaintext environment variables should not contain sensitive AWS values","controlDescription":"Ensure authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY do not exist within AWS CodeBuild project environments. Do not store these variables in clear text. Storing these variables in clear text leads to unintended data exposure and unauthorized access.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","service":"AWS/CodeBuild","soc_2":"true"}}},"cloud_trail":{"cloudtrail_trail_sns_topic_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudtrail_trail_sns_topic_enabled","org":"turbot","name":"cloudtrail_trail_sns_topic_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sns_topic_name') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sns_topic_name') is not null then ' sns topic enabled'\n else ' sns topic disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudtrail';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudtrail.pp","startLineNumber":68,"endLineNumber":87,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudtrail_trail_sns_topic_enabled","org":"turbot","name":"cloudtrail_trail_sns_topic_enabled","mod":"Terraform AWS Compliance","title":"CloudTrail trail should have SNS topic enabled","description":"Enable SNS topic for CloudTrail trails to notify when new log files are delivered.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudTrail"}}],"controlTitle":"CloudTrail trail should have SNS topic enabled","controlDescription":"Enable SNS topic for CloudTrail trails to notify when new log files are delivered.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudTrail"}},"cloudtrail_event_data_store_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudtrail_event_data_store_encrypted_with_kms_cmk","org":"turbot","name":"cloudtrail_event_data_store_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is not null then ' event data store encrypted using KMS CMK'\n else ' event data store not encrypted using KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudtrail_event_data_store';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudtrail.pp","startLineNumber":89,"endLineNumber":108,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudtrail_event_data_store_encrypted_with_kms_cmk","org":"turbot","name":"cloudtrail_event_data_store_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"CloudTrail event data should be stored encrypted with KMS CMK","description":"This control checks whether a CloudTrail event data store is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudTrail"}}],"controlTitle":"CloudTrail event data should be stored encrypted with KMS CMK","controlDescription":"This control checks whether a CloudTrail event data store is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudTrail"}},"cloudtrail_trail_validation_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudtrail_trail_validation_enabled","org":"turbot","name":"cloudtrail_trail_validation_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'enable_log_file_validation')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'enable_log_file_validation')::boolean then ' log file validation enabled'\n else ' log file validation disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudtrail';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudtrail.pp","startLineNumber":47,"endLineNumber":66,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudtrail_trail_validation_enabled","org":"turbot","name":"cloudtrail_trail_validation_enabled","mod":"Terraform AWS Compliance","title":"CloudTrail trail log file validation should be enabled","description":"Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.","tags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","pci":"true","plugin":"terraform","service":"AWS/CloudTrail","soc_2":"true"}}],"controlTitle":"CloudTrail trail log file validation should be enabled","controlDescription":"Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection.","controlTags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","pci":"true","plugin":"terraform","service":"AWS/CloudTrail","soc_2":"true"}},"cloudtrail_trail_logs_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudtrail_trail_logs_encrypted_with_kms_cmk","org":"turbot","name":"cloudtrail_trail_logs_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is not null then ' logs are encrypted at rest'\n else ' logs are not encrypted at rest'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudtrail';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudtrail.pp","startLineNumber":26,"endLineNumber":45,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudtrail_trail_logs_encrypted_with_kms_cmk","org":"turbot","name":"cloudtrail_trail_logs_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"CloudTrail trail logs should be encrypted with KMS CMK","description":"To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Groups.","tags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/CloudTrail"}}],"controlTitle":"CloudTrail trail logs should be encrypted with KMS CMK","controlDescription":"To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Groups.","controlTags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/CloudTrail"}},"cloudtrail_enabled_all_regions":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudtrail_enabled_all_regions","org":"turbot","name":"cloudtrail_enabled_all_regions","sql":"$53","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudtrail.pp","startLineNumber":1,"endLineNumber":24,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudtrail_enabled_all_regions","org":"turbot","name":"cloudtrail_enabled_all_regions","mod":"Terraform AWS Compliance","title":"Ensure CloudTrail is enabled in all regions","description":"CloudTrail is a service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.","tags":{"category":"Compliance","cis":"true","gdpr":"true","pci":"true","plugin":"terraform","service":"AWS/CloudTrail"}}],"controlTitle":"Ensure CloudTrail is enabled in all regions","controlDescription":"CloudTrail is a service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.","controlTags":{"category":"Compliance","cis":"true","gdpr":"true","pci":"true","plugin":"terraform","service":"AWS/CloudTrail"}}},"cloud_search":{"cloudsearch_domain_enforced_https_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudsearch_domain_enforced_https_enabled","org":"turbot","name":"cloudsearch_domain_enforced_https_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'endpoint_options' ->> 'enforce_https')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'endpoint_options' ->> 'enforce_https')::boolean then ' enforce https enabled'\n else ' enforce https disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudsearch_domain'; \n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudsearch.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudsearch_domain_enforced_https_enabled","org":"turbot","name":"cloudsearch_domain_enforced_https_enabled","mod":"Terraform AWS Compliance","title":"CloudSearch should have enforced HTTPS enabled","description":"This control checks whether the CloudSearch has enforced HTTPS enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudSearch"}}],"controlTitle":"CloudSearch should have enforced HTTPS enabled","controlDescription":"This control checks whether the CloudSearch has enforced HTTPS enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudSearch"}},"cloudsearch_domain_uses_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudsearch_domain_uses_latest_tls_version","org":"turbot","name":"cloudsearch_domain_uses_latest_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'endpoint_options' ->> 'tls_security_policy') = 'Policy-Min-TLS-1-2-2019-07' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'endpoint_options' ->> 'tls_security_policy') = 'Policy-Min-TLS-1-2-2019-07' then ' uses latest TLS version'\n else ' uses old TLS version'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudsearch_domain'; \n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudsearch.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudsearch_domain_uses_latest_tls_version","org":"turbot","name":"cloudsearch_domain_uses_latest_tls_version","mod":"Terraform AWS Compliance","title":"CloudSearch should use the latest TLS version","description":"This control checks whether the CloudSearch uses the latest TLS version.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudSearch"}}],"controlTitle":"CloudSearch should use the latest TLS version","controlDescription":"This control checks whether the CloudSearch uses the latest TLS version.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudSearch"}}},"wa_fv_2":{"wafv2_web_acl_rule_attached":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/wafv2_web_acl_rule_attached","org":"turbot","name":"wafv2_web_acl_rule_attached","sql":"select\n address as resource,\n case\n when (attributes_std -> 'rule') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'rule') is not null then ' has rule(s) attached'\n else ' has no attached rules'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_wafv2_web_acl';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/wafv2.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.wafv2_web_acl_rule_attached","org":"turbot","name":"wafv2_web_acl_rule_attached","mod":"Terraform AWS Compliance","title":"WAFV2 web ACL should have at least one rule or rule group attached","description":"This control checks if a WAFV2 Web ACL contains any WAF rules or rule groups. The rule is non compliant if there are no WAF rules or rule groups present within a Web ACL.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/WAFv2"}}],"controlTitle":"WAFV2 web ACL should have at least one rule or rule group attached","controlDescription":"This control checks if a WAFV2 Web ACL contains any WAF rules or rule groups. The rule is non compliant if there are no WAF rules or rule groups present within a Web ACL.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/WAFv2"}}},"waf":{"waf_web_acl_rule_attached":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/waf_web_acl_rule_attached","org":"turbot","name":"waf_web_acl_rule_attached","sql":"select\n address as resource,\n case\n when (attributes_std -> 'rules') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'rules') is not null then ' has rule(s) attached'\n else ' has no attached rules'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_waf_web_acl';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/waf.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.waf_web_acl_rule_attached","org":"turbot","name":"waf_web_acl_rule_attached","mod":"Terraform AWS Compliance","title":"WAF web ACL should have at least one rule or rule group","description":"This control checks whether WAF web ACL contains at least one WAF rule or WAF rule group. The control fails if a web ACL does not contain any WAF rules or rule groups.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/WAF"}}],"controlTitle":"WAF web ACL should have at least one rule or rule group","controlDescription":"This control checks whether WAF web ACL contains at least one WAF rule or WAF rule group. The control fails if a web ACL does not contain any WAF rules or rule groups.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/WAF"}},"waf_web_acl_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/waf_web_acl_logging_enabled","org":"turbot","name":"waf_web_acl_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging_configuration' ->> 'log_destination') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging_configuration' ->> 'log_destination') is not null then ' logging enabled'\n else ' logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_waf_web_acl';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/waf.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.waf_web_acl_logging_enabled","org":"turbot","name":"waf_web_acl_logging_enabled","mod":"Terraform AWS Compliance","title":"WAF web ACL logging should be enabled","description":"To help with logging and monitoring within your environment, enable AWS WAF logging on regional and global web ACLs.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/WAF"}}],"controlTitle":"WAF web ACL logging should be enabled","controlDescription":"To help with logging and monitoring within your environment, enable AWS WAF logging on regional and global web ACLs.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/WAF"}},"waf_regional_web_acl_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/waf_regional_web_acl_logging_enabled","org":"turbot","name":"waf_regional_web_acl_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging_configuration' ->> 'log_destination') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging_configuration' ->> 'log_destination' ) is not null then ' logging enabled'\n else ' logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_wafregional_web_acl';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/waf.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.waf_regional_web_acl_logging_enabled","org":"turbot","name":"waf_regional_web_acl_logging_enabled","mod":"Terraform AWS Compliance","title":"WAF regional web ACL logging should be enabled","description":"To help with logging and monitoring within your environment, enable AWS WAF logging on regional and global web ACLs.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/WAF"}}],"controlTitle":"WAF regional web ACL logging should be enabled","controlDescription":"To help with logging and monitoring within your environment, enable AWS WAF logging on regional and global web ACLs.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/WAF"}},"waf_web_acl_rule_with_action":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/waf_web_acl_rule_with_action","org":"turbot","name":"waf_web_acl_rule_with_action","sql":"$54","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/waf.pp","startLineNumber":85,"endLineNumber":123,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.waf_web_acl_rule_with_action","org":"turbot","name":"waf_web_acl_rule_with_action","mod":"Terraform AWS Compliance","title":"WAF web ACLs should have rules with actions","description":"Ensure WAF web ACLs have all have rules actions defined.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/WAF"}}],"controlTitle":"WAF web ACLs should have rules with actions","controlDescription":"Ensure WAF web ACLs have all have rules actions defined.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/WAF"}},"waf_regional_web_acl_rule_attached":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/waf_regional_web_acl_rule_attached","org":"turbot","name":"waf_regional_web_acl_rule_attached","sql":"select\n address as resource,\n case\n when (attributes_std -> 'rule') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'rule') is not null then ' has rule(s) attached'\n else ' has no attached rules'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_wafregional_web_acl';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/waf.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.waf_regional_web_acl_rule_attached","org":"turbot","name":"waf_regional_web_acl_rule_attached","mod":"Terraform AWS Compliance","title":"WAF regional web ACL should have at least one rule or rule group attached","description":"This control checks if a WAF regional Web ACL contains any WAF rules or rule groups. The rule is non compliant if there are no WAF rules or rule groups present within a Web ACL.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/WAF"}}],"controlTitle":"WAF regional web ACL should have at least one rule or rule group attached","controlDescription":"This control checks if a WAF regional Web ACL contains any WAF rules or rule groups. The rule is non compliant if there are no WAF rules or rule groups present within a Web ACL.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/WAF"}},"waf_regional_web_acl_rule_with_action":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/waf_regional_web_acl_rule_with_action","org":"turbot","name":"waf_regional_web_acl_rule_with_action","sql":"$55","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/waf.pp","startLineNumber":125,"endLineNumber":163,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.waf_regional_web_acl_rule_with_action","org":"turbot","name":"waf_regional_web_acl_rule_with_action","mod":"Terraform AWS Compliance","title":"WAF regional web ACLs should have rules with actions","description":"Ensure WAF regional web ACLs have all have rules actions defined.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/WAF"}}],"controlTitle":"WAF regional web ACLs should have rules with actions","controlDescription":"Ensure WAF regional web ACLs have all have rules actions defined.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/WAF"}}},"timestream":{"timestream_database_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/timestream_database_encrypted_with_kms_cmk","org":"turbot","name":"timestream_database_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is not null then ' encrypted with KMS'\n else ' not encrypted with KMS'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_timestreamwrite_database';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/timestream.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.timestream_database_encrypted_with_kms_cmk","org":"turbot","name":"timestream_database_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Timestream databases should be encrypted using KMS CMK","description":"To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your Timestream database.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Timestream"}}],"controlTitle":"Timestream databases should be encrypted using KMS CMK","controlDescription":"To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your Timestream database.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Timestream"}}},"ssm":{"ssm_parameter_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ssm_parameter_encrypted_with_kms_cmk","org":"turbot","name":"ssm_parameter_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when attributes_std -> 'key_id' is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when attributes_std -> 'key_id' is not null then ' encrypted with KMS'\n else ' not encrypted with KMS'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ssm_parameter';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ssm.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ssm_parameter_encrypted_with_kms_cmk","org":"turbot","name":"ssm_parameter_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"SSM parameter should be encypted using KMS CMK","description":"To help protect data at rest, ensure encryption is enabled for your SSM parameter using KMS CMKs.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SSM"}}],"controlTitle":"SSM parameter should be encypted using KMS CMK","controlDescription":"To help protect data at rest, ensure encryption is enabled for your SSM parameter using KMS CMKs.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SSM"}},"ssm_document_prohibit_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ssm_document_prohibit_public_access","org":"turbot","name":"ssm_document_prohibit_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'permissions' ->> 'account_ids') = 'All' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'permissions' ->> 'account_ids') = 'All' then ' is publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ssm_document';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ssm.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ssm_document_prohibit_public_access","org":"turbot","name":"ssm_document_prohibit_public_access","mod":"Terraform AWS Compliance","title":"SSM documents should not be publicly accessible","description":"This control checks whether AWS Systems Manager documents that are owned by the account are public. This control fails if SSM documents with the owner Self are public.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SSM"}}],"controlTitle":"SSM documents should not be publicly accessible","controlDescription":"This control checks whether AWS Systems Manager documents that are owned by the account are public. This control fails if SSM documents with the owner Self are public.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SSM"}}},"sqs":{"sqs_queue_policy_no_action_star":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sqs_queue_policy_no_action_star","org":"turbot","name":"sqs_queue_policy_no_action_star","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'policy')::jsonb ) -> 'Statement' @> '[{\"Action\": \"*\"}]' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'policy')::jsonb ) -> 'Statement' @> '[{\"Action\": \"*\"}]' then ' policy allow wildcard action'\n else ' policy is ok'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sqs_queue_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sqs.pp","startLineNumber":48,"endLineNumber":67,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sqs_queue_policy_no_action_star","org":"turbot","name":"sqs_queue_policy_no_action_star","mod":"Terraform AWS Compliance","title":"SQS queue policies should not allow ALL (*) actions","description":"SQS CloudWatch Logs destination policy should avoid wildcard in 'actions'.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SQS"}}],"controlTitle":"SQS queue policies should not allow ALL (*) actions","controlDescription":"SQS CloudWatch Logs destination policy should avoid wildcard in 'actions'.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SQS"}},"sqs_vpc_endpoint_without_dns_resolution":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sqs_vpc_endpoint_without_dns_resolution","org":"turbot","name":"sqs_vpc_endpoint_without_dns_resolution","sql":"$56","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sqs.pp","startLineNumber":24,"endLineNumber":46,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sqs_vpc_endpoint_without_dns_resolution","org":"turbot","name":"sqs_vpc_endpoint_without_dns_resolution","mod":"Terraform AWS Compliance","title":"VPC Endpoint for SQS should be enabled in all Availability Zones in use a VPC","description":"Using VPC endpoints helps secure traffic by ensuring the data does not traverse the Internet or access public networks. It also helps keep private subnets private. Setting up VPC endpoints can be complicated.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SQS"}}],"controlTitle":"VPC Endpoint for SQS should be enabled in all Availability Zones in use a VPC","controlDescription":"Using VPC endpoints helps secure traffic by ensuring the data does not traverse the Internet or access public networks. It also helps keep private subnets private. Setting up VPC endpoints can be complicated.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SQS"}},"sqs_queue_encrypted_at_rest":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sqs_queue_encrypted_at_rest","org":"turbot","name":"sqs_queue_encrypted_at_rest","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_master_key_id') is null then 'alarm'\n when coalesce(trim(attributes_std ->> 'kms_master_key_id'), '') = '' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_master_key_id') is null then ' ''kms_master_key_id'' is not defined'\n when coalesce(trim(attributes_std ->> 'kms_master_key_id'), '') <> '' then ' encryption at rest enabled'\n else ' encryption at rest disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sqs_queue';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sqs.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sqs_queue_encrypted_at_rest","org":"turbot","name":"sqs_queue_encrypted_at_rest","mod":"Terraform AWS Compliance","title":"Amazon SQS queues should be encrypted at rest","description":"This control checks whether Amazon SQS queues are encrypted at rest.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/SQS"}}],"controlTitle":"Amazon SQS queues should be encrypted at rest","controlDescription":"This control checks whether Amazon SQS queues are encrypted at rest.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/SQS"}},"sqs_queue_policy_no_principal_star":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sqs_queue_policy_no_principal_star","org":"turbot","name":"sqs_queue_policy_no_principal_star","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'policy')::jsonb ) -> 'Statement' @> '[{\"Principal\": \"*\"}]' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'policy')::jsonb ) -> 'Statement' @> '[{\"Principal\": \"*\"}]' then ' policy allow all principal'\n else ' policy is ok'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sqs_queue_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sqs.pp","startLineNumber":69,"endLineNumber":88,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sqs_queue_policy_no_principal_star","org":"turbot","name":"sqs_queue_policy_no_principal_star","mod":"Terraform AWS Compliance","title":"SQS queue policies should not allow ALL (*) principal","description":"Ensure that the SQS queue policy restricts access to specific services or principals, ensuring that it is not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SQS"}}],"controlTitle":"SQS queue policies should not allow ALL (*) principal","controlDescription":"Ensure that the SQS queue policy restricts access to specific services or principals, ensuring that it is not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SQS"}}},"sns":{"sns_topic_policy_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sns_topic_policy_restrict_public_access","org":"turbot","name":"sns_topic_policy_restrict_public_access","sql":"$57","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sns.pp","startLineNumber":23,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sns_topic_policy_restrict_public_access","org":"turbot","name":"sns_topic_policy_restrict_public_access","mod":"Terraform AWS Compliance","title":"SNS topic policies should prohibit public access","description":"Manage access to resources in the AWS Cloud by ensuring AWS SNS topics cannot be publicly accessed.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SNS"}}],"controlTitle":"SNS topic policies should prohibit public access","controlDescription":"Manage access to resources in the AWS Cloud by ensuring AWS SNS topics cannot be publicly accessed.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SNS"}},"sns_topic_encrypted_at_rest":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sns_topic_encrypted_at_rest","org":"turbot","name":"sns_topic_encrypted_at_rest","sql":"select\n address as resource,\n case\n when coalesce(trim(attributes_std ->> 'kms_master_key_id'), '') = '' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_master_key_id') is null then ' ''kms_master_key_id'' is not defined'\n when coalesce(trim(attributes_std ->> 'kms_master_key_id'), '') <> '' then ' encryption at rest enabled'\n else ' encryption at rest disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sns_topic';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sns.pp","startLineNumber":1,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sns_topic_encrypted_at_rest","org":"turbot","name":"sns_topic_encrypted_at_rest","mod":"Terraform AWS Compliance","title":"SNS topics should be encrypted at rest","description":"To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS).","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/SNS"}}],"controlTitle":"SNS topics should be encrypted at rest","controlDescription":"To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS).","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/SNS"}}},"step_functions":{"sfn_state_machine_xray_tracing_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sfn_state_machine_xray_tracing_enabled","org":"turbot","name":"sfn_state_machine_xray_tracing_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'tracing_configuration' ->> 'enabled') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'tracing_configuration' ->> 'enabled') = 'true' then ' has tracing enabled'\n else ' has tracing disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sfn_state_machine';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sfn.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sfn_state_machine_xray_tracing_enabled","org":"turbot","name":"sfn_state_machine_xray_tracing_enabled","mod":"Terraform AWS Compliance","title":"Step Functions state machine should have X-Ray tracing enabled","description":"Ensure State Machine has X-Ray tracing enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/StepFunctions"}}],"controlTitle":"Step Functions state machine should have X-Ray tracing enabled","controlDescription":"Ensure State Machine has X-Ray tracing enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/StepFunctions"}},"sfn_state_machine_execution_history_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sfn_state_machine_execution_history_logging_enabled","org":"turbot","name":"sfn_state_machine_execution_history_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging_configuration' ->> 'include_execution_data') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging_configuration' ->> 'include_execution_data') = 'true' then ' execution history logging enabled'\n else ' execution history logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sfn_state_machine';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sfn.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sfn_state_machine_execution_history_logging_enabled","org":"turbot","name":"sfn_state_machine_execution_history_logging_enabled","mod":"Terraform AWS Compliance","title":"Step Functions state machine should have execution history logging enabled","description":"Ensure State Machine have execution history logging enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/StepFunctions"}}],"controlTitle":"Step Functions state machine should have execution history logging enabled","controlDescription":"Ensure State Machine have execution history logging enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/StepFunctions"}}},"secrets_manager":{"secretsmanager_secret_automatic_rotation_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/secretsmanager_secret_automatic_rotation_enabled","org":"turbot","name":"secretsmanager_secret_automatic_rotation_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'rotation_rules') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'rotation_rules') is null then ' automatic rotation disabled'\n else ' automatic rotation enabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_secretsmanager_secret';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/secretsmanager.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.secretsmanager_secret_automatic_rotation_enabled","org":"turbot","name":"secretsmanager_secret_automatic_rotation_enabled","mod":"Terraform AWS Compliance","title":"Secrets Manager secrets should have automatic rotation enabled","description":"This rule ensures AWS Secrets Manager secrets have rotation enabled. Rotating secrets on a regular schedule can shorten the period a secret is active, and potentially reduce the business impact if the secret is compromised.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/SecretsManager"}}],"controlTitle":"Secrets Manager secrets should have automatic rotation enabled","controlDescription":"This rule ensures AWS Secrets Manager secrets have rotation enabled. Rotating secrets on a regular schedule can shorten the period a secret is active, and potentially reduce the business impact if the secret is compromised.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/SecretsManager"}},"secretsmanager_secret_automatic_rotation_lambda_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/secretsmanager_secret_automatic_rotation_lambda_enabled","org":"turbot","name":"secretsmanager_secret_automatic_rotation_lambda_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'rotation_rules') is not null and (attributes_std -> 'rotation_lambda_arn') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'rotation_rules') is not null and (attributes_std -> 'rotation_lambda_arn') is not null then ' scheduled for rotation using Lambda function'\n else ' automatic rotation using Lambda function disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_secretsmanager_secret';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/secretsmanager.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.secretsmanager_secret_automatic_rotation_lambda_enabled","org":"turbot","name":"secretsmanager_secret_automatic_rotation_lambda_enabled","mod":"Terraform AWS Compliance","title":"Secrets Manager secrets should be rotated within a specified number of days","description":"This control checks whether your secrets have been rotated at least once within 90 days. Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/SecretsManager"}}],"controlTitle":"Secrets Manager secrets should be rotated within a specified number of days","controlDescription":"This control checks whether your secrets have been rotated at least once within 90 days. Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/SecretsManager"}},"secretsmanager_secret_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/secretsmanager_secret_encrypted_with_kms_cmk","org":"turbot","name":"secretsmanager_secret_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when coalesce(trim((attributes_std ->> 'kms_key_id')), '') = '' or\n (attributes_std ->> 'kms_key_id') = 'aws/secretsmanager'\n then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce(trim((attributes_std ->> 'kms_key_id')), '') = '' or\n (attributes_std ->> 'kms_key_id') = 'aws/secretsmanager'\n then ' is encrypted at rest default KMS key'\n else ' is encrypted at rest using KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_secretsmanager_secret';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/secretsmanager.pp","startLineNumber":44,"endLineNumber":67,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.secretsmanager_secret_encrypted_with_kms_cmk","org":"turbot","name":"secretsmanager_secret_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Secrets Manager secrets should be encrypted with KMS CMK","description":"Ensure Secrets Manager secrets are encrypted at rest with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SecretsManager"}}],"controlTitle":"Secrets Manager secrets should be encrypted with KMS CMK","controlDescription":"Ensure Secrets Manager secrets are encrypted at rest with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SecretsManager"}}},"ses":{"ses_configuration_set_tls_enforced":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ses_configuration_set_tls_enforced","org":"turbot","name":"ses_configuration_set_tls_enforced","sql":"select\n address as resource,\n case\n when (attributes_std -> 'delivery_options' ->> 'tls_policy') = 'Require' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'delivery_options' ->> 'tls_policy')= 'Require' then ' TLS enforced'\n else ' TLS not enforced'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ses_configuration_set';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ses.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ses_configuration_set_tls_enforced","org":"turbot","name":"ses_configuration_set_tls_enforced","mod":"Terraform AWS Compliance","title":"SES configuration set should enforce TLS usage","description":"This control ensures that TLS is enforced for SES configuration set. Enforcing TLS usage in SES configuration set is essential in securing email communications, ensuring data privacy, and maintaining compliance with various data protection standards.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SES"}}],"controlTitle":"SES configuration set should enforce TLS usage","controlDescription":"This control ensures that TLS is enforced for SES configuration set. Enforcing TLS usage in SES configuration set is essential in securing email communications, ensuring data privacy, and maintaining compliance with various data protection standards.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SES"}}},"sage_maker":{"sagemaker_notebook_instance_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sagemaker_notebook_instance_encryption_at_rest_enabled","org":"turbot","name":"sagemaker_notebook_instance_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is null then ' encryption at rest disabled'\n else ' encryption at rest enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sagemaker_notebook_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sagemaker.pp","startLineNumber":44,"endLineNumber":63,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sagemaker_notebook_instance_encryption_at_rest_enabled","org":"turbot","name":"sagemaker_notebook_instance_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"SageMaker notebook instance encryption should be enabled","description":"To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker notebook.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/SageMaker"}}],"controlTitle":"SageMaker notebook instance encryption should be enabled","controlDescription":"To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker notebook.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/SageMaker"}},"sagemaker_notebook_instance_root_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sagemaker_notebook_instance_root_access_disabled","org":"turbot","name":"sagemaker_notebook_instance_root_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'root_access') = 'Disabled' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'root_access') = 'Disabled' then ' root access disabled'\n else ' root access enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sagemaker_notebook_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sagemaker.pp","startLineNumber":86,"endLineNumber":105,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sagemaker_notebook_instance_root_access_disabled","org":"turbot","name":"sagemaker_notebook_instance_root_access_disabled","mod":"Terraform AWS Compliance","title":"SageMaker notebook instances root access should be disabled","description":"Users with root access have administrator privileges and users can access and edit all files on a notebook instance. It is recommeneded to disable root access to restrict users from accessing and editing all the files.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SageMaker"}}],"controlTitle":"SageMaker notebook instances root access should be disabled","controlDescription":"Users with root access have administrator privileges and users can access and edit all files on a notebook instance. It is recommeneded to disable root access to restrict users from accessing and editing all the files.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SageMaker"}},"sagemaker_notebook_instance_in_vpc":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sagemaker_notebook_instance_in_vpc","org":"turbot","name":"sagemaker_notebook_instance_in_vpc","sql":"select\n address as resource,\n case\n when (attributes_std -> 'subnet_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'subnet_id') is not null then ' in VPC'\n else ' not in VPC'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sagemaker_notebook_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sagemaker.pp","startLineNumber":65,"endLineNumber":84,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sagemaker_notebook_instance_in_vpc","org":"turbot","name":"sagemaker_notebook_instance_in_vpc","mod":"Terraform AWS Compliance","title":"SageMaker notebook instances should be in a VPC","description":"Manage access to the AWS Cloud by ensuring SageMaker notebook instances are within an Amazon Virtual Private Cloud (Amazon VPC).","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SageMaker"}}],"controlTitle":"SageMaker notebook instances should be in a VPC","controlDescription":"Manage access to the AWS Cloud by ensuring SageMaker notebook instances are within an Amazon Virtual Private Cloud (Amazon VPC).","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SageMaker"}},"sagemaker_endpoint_configuration_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sagemaker_endpoint_configuration_encryption_at_rest_enabled","org":"turbot","name":"sagemaker_endpoint_configuration_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_arn') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_arn') is null then ' encryption at rest not enabled'\n else ' encryption at rest enabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sagemaker_endpoint_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sagemaker.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sagemaker_endpoint_configuration_encryption_at_rest_enabled","org":"turbot","name":"sagemaker_endpoint_configuration_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"SageMaker endpoint configuration encryption should be enabled","description":"To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker endpoint.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/SageMaker"}}],"controlTitle":"SageMaker endpoint configuration encryption should be enabled","controlDescription":"To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker endpoint.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/SageMaker"}},"sagemaker_domain_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sagemaker_domain_encrypted_with_kms_cmk","org":"turbot","name":"sagemaker_domain_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when attributes_std -> 'kms_key_id' is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when attributes_std -> 'kms_key_id' is not null then ' encrypted with KMS'\n else ' not encrypted with KMS'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sagemaker_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sagemaker.pp","startLineNumber":107,"endLineNumber":126,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sagemaker_domain_encrypted_with_kms_cmk","org":"turbot","name":"sagemaker_domain_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"SageMaker domain should be encypted using KMS CMK","description":"To help protect data at rest, ensure encryption is enabled for your SageMaker domain using KMS CMKs.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SageMaker"}}],"controlTitle":"SageMaker domain should be encypted using KMS CMK","controlDescription":"To help protect data at rest, ensure encryption is enabled for your SageMaker domain using KMS CMKs.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SageMaker"}},"sagemaker_notebook_instance_direct_internet_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sagemaker_notebook_instance_direct_internet_access_disabled","org":"turbot","name":"sagemaker_notebook_instance_direct_internet_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'direct_internet_access') is null or (attributes_std ->> 'direct_internet_access') = 'Disabled' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when trim(attributes_std ->> 'direct_internet_access') = '' then ' ''direct_internet_access'' is not defined'\n when (attributes_std -> 'direct_internet_access') is null or (attributes_std ->> 'direct_internet_access') = 'Disabled' then ' direct internet access disabled'\n else ' direct internet access enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sagemaker_notebook_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sagemaker.pp","startLineNumber":22,"endLineNumber":42,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sagemaker_notebook_instance_direct_internet_access_disabled","org":"turbot","name":"sagemaker_notebook_instance_direct_internet_access_disabled","mod":"Terraform AWS Compliance","title":"SageMaker notebook instances should not have direct internet access","description":"Manage access to resources in the AWS Cloud by ensuring that Amazon SageMaker notebooks do not allow direct internet access.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/SageMaker"}}],"controlTitle":"SageMaker notebook instances should not have direct internet access","controlDescription":"Manage access to resources in the AWS Cloud by ensuring that Amazon SageMaker notebooks do not allow direct internet access.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/SageMaker"}}},"s_3":{"s3_public_access_block_account":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_public_access_block_account","org":"turbot","name":"s3_public_access_block_account","sql":"$58","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":205,"endLineNumber":250,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_public_access_block_account","org":"turbot","name":"s3_public_access_block_account","mod":"Terraform AWS Compliance","title":"S3 public access should be blocked at account level","description":"Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/S3"}}],"controlTitle":"S3 public access should be blocked at account level","controlDescription":"Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/S3"}},"s3_bucket_public_access_blocked":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_public_access_blocked","org":"turbot","name":"s3_bucket_public_access_blocked","sql":"$59","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":135,"endLineNumber":180,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_public_access_blocked","org":"turbot","name":"s3_bucket_public_access_blocked","mod":"Terraform AWS Compliance","title":"S3 Block Public Access setting should be enabled at the bucket level","description":"This control checks whether S3 buckets have bucket-level public access blocks applied.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/S3"}}],"controlTitle":"S3 Block Public Access setting should be enabled at the bucket level","controlDescription":"This control checks whether S3 buckets have bucket-level public access blocks applied.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/S3"}},"s3_bucket_object_lock_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_object_lock_enabled","org":"turbot","name":"s3_bucket_object_lock_enabled","sql":"select\n address as resource,\n case\n when coalesce(trim(attributes_std -> 'object_lock_configuration' ->> 'object_lock_enabled'), '') = 'Enabled' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'object_lock_configuration' -> 'object_lock_enabled') is null then ' ''object_lock_enabled'' is not defined'\n when (attributes_std -> 'object_lock_configuration' ->> 'object_lock_enabled') = 'Enabled' then ' object lock enabled'\n else ' object lock not enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":113,"endLineNumber":133,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_object_lock_enabled","org":"turbot","name":"s3_bucket_object_lock_enabled","mod":"Terraform AWS Compliance","title":"S3 bucket object lock should be enabled","description":"Ensure that your Amazon Simple Storage Service (Amazon S3) bucket has lock enabled, by default.","tags":{"category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/S3","soc_2":"true"}}],"controlTitle":"S3 bucket object lock should be enabled","controlDescription":"Ensure that your Amazon Simple Storage Service (Amazon S3) bucket has lock enabled, by default.","controlTags":{"category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/S3","soc_2":"true"}},"s3_bucket_versioning_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_versioning_enabled","org":"turbot","name":"s3_bucket_versioning_enabled","sql":"select\n address as resource,\n case\n when coalesce(trim(lower(attributes_std -> 'versioning' ->> 'enabled')), '') in ('true', 'false') and (attributes_std -> 'versioning' -> 'enabled')::bool\n then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when coalesce(trim(lower(attributes_std -> 'versioning' ->> 'enabled')), '') not in ('true', 'false') then ' versioning disabled'\n when (attributes_std -> 'versioning' ->> 'enabled')::bool then ' versioning enabled'\n else ' versioning disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":182,"endLineNumber":203,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_versioning_enabled","org":"turbot","name":"s3_bucket_versioning_enabled","mod":"Terraform AWS Compliance","title":"S3 bucket versioning should be enabled","description":"Amazon Simple Storage Service (Amazon S3) bucket versioning helps keep multiple variants of an object in the same Amazon S3 bucket.","tags":{"category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3","soc_2":"true"}}],"controlTitle":"S3 bucket versioning should be enabled","controlDescription":"Amazon Simple Storage Service (Amazon S3) bucket versioning helps keep multiple variants of an object in the same Amazon S3 bucket.","controlTags":{"category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3","soc_2":"true"}},"s3_bucket_object_copy_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_object_copy_encrypted_with_kms_cmk","org":"turbot","name":"s3_bucket_object_copy_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when attributes_std -> 'kms_key_id' is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when attributes_std -> 'kms_key_id' is not null then ' encrypted with KMS'\n else ' not encrypted with KMS'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_object_copy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":314,"endLineNumber":332,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_object_copy_encrypted_with_kms_cmk","org":"turbot","name":"s3_bucket_object_copy_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"S3 bucket object copy should be encrypted with KMS CMK","description":"Make sure that the object in the S3 bucket is encrypted using a customer managed Key (CMK) from KMS.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}}],"controlTitle":"S3 bucket object copy should be encrypted with KMS CMK","controlDescription":"Make sure that the object in the S3 bucket is encrypted using a customer managed Key (CMK) from KMS.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}},"s3_bucket_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_logging_enabled","org":"turbot","name":"s3_bucket_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging' -> 'target_bucket') is null then 'alarm'\n when coalesce(trim(attributes_std -> 'logging' ->> 'target_bucket'), '') = '' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging' -> 'target_bucket') is null then ' ''target_bucket'' is not defined'\n when coalesce(trim(attributes_std -> 'logging' ->> 'target_bucket'), '') = '' then ' logging disabled'\n else ' logging enabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":69,"endLineNumber":90,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_logging_enabled","org":"turbot","name":"s3_bucket_logging_enabled","mod":"Terraform AWS Compliance","title":"S3 bucket logging should be enabled","description":"Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3","soc_2":"true"}}],"controlTitle":"S3 bucket logging should be enabled","controlDescription":"Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3","soc_2":"true"}},"s3_bucket_block_public_policy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_block_public_policy_enabled","org":"turbot","name":"s3_bucket_block_public_policy_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'block_public_policy')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'block_public_policy') is null then ' block_public_acls not defined'\n when (attributes_std ->> 'block_public_policy')::boolean then ' block_public_policy enabled'\n else ' block_public_policy disabled'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket_public_access_block';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":252,"endLineNumber":271,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_block_public_policy_enabled","org":"turbot","name":"s3_bucket_block_public_policy_enabled","mod":"Terraform AWS Compliance","title":"S3 bucket should have block public policy enabled","description":"Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}}],"controlTitle":"S3 bucket should have block public policy enabled","controlDescription":"Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}},"s3_bucket_ignore_public_acls_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_ignore_public_acls_enabled","org":"turbot","name":"s3_bucket_ignore_public_acls_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'ignore_public_acls')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'ignore_public_acls') is null then ' ignore_public_acls not defined'\n when (attributes_std ->> 'ignore_public_acls')::boolean then ' ignore_public_acls enabled'\n else ' ignore_public_acls disabled'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket_public_access_block';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":293,"endLineNumber":312,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_ignore_public_acls_enabled","org":"turbot","name":"s3_bucket_ignore_public_acls_enabled","mod":"Terraform AWS Compliance","title":"S3 bucket should ignore public ACLs","description":"Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets should ignore public ACLs.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}}],"controlTitle":"S3 bucket should ignore public ACLs","controlDescription":"Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets should ignore public ACLs.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}},"s3_bucket_mfa_delete_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_mfa_delete_enabled","org":"turbot","name":"s3_bucket_mfa_delete_enabled","sql":"select\n address as resource,\n case\n when coalesce(trim(lower(attributes_std -> 'versioning' ->> 'mfa_delete')), '') in ('true', 'false') and (attributes_std -> 'versioning' ->> 'mfa_delete')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'versioning' ->> 'mfa_delete')::bool then ' MFA delete enabled'\n else ' MFA delete disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":92,"endLineNumber":111,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_mfa_delete_enabled","org":"turbot","name":"s3_bucket_mfa_delete_enabled","mod":"Terraform AWS Compliance","title":"Ensure MFA Delete is enabled on S3 buckets","description":"Once MFA delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.","tags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"AWS/S3"}}],"controlTitle":"Ensure MFA Delete is enabled on S3 buckets","controlDescription":"Once MFA delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.","controlTags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"AWS/S3"}},"s3_bucket_object_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_object_encrypted_with_kms_cmk","org":"turbot","name":"s3_bucket_object_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when attributes_std -> 'kms_key_id' is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when attributes_std -> 'kms_key_id' is not null then ' encrypted with KMS'\n else ' not encrypted with KMS'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket_object';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":273,"endLineNumber":291,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_object_encrypted_with_kms_cmk","org":"turbot","name":"s3_bucket_object_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"S3 bucket object should be encrypted with KMS CMK","description":"Make sure that the object in the S3 bucket is encrypted using a customer managed Key (CMK) from KMS.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}}],"controlTitle":"S3 bucket object should be encrypted with KMS CMK","controlDescription":"Make sure that the object in the S3 bucket is encrypted using a customer managed Key (CMK) from KMS.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}},"s3_bucket_abort_incomplete_multipart_upload_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_abort_incomplete_multipart_upload_enabled","org":"turbot","name":"s3_bucket_abort_incomplete_multipart_upload_enabled","sql":"with lifecycle_configuration_with_abort_incomplete_multipart_upload as (\n select\n concat(address) as name\n from\n terraform_resource,\n jsonb_array_elements(attributes_std -> 'rule') as r\n where\n r ->> 'id' = 'AbortIncompleteMultipartUploadRule'\n and r ->> 'status' = 'Enabled'\n and type = 'aws_s3_bucket_lifecycle_configuration'\n)\nselect\n r.address as resource,\n case\n when u.name is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(r.address, '.', 2) || case\n when u.name is not null then ' has abort incomplete multipart upload enabled'\n else ' has abort incomplete multipart upload disabled'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource as r\n left join lifecycle_configuration_with_abort_incomplete_multipart_upload as u on u.name = r.address\nwhere\n r.type = 'aws_s3_bucket_lifecycle_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":334,"endLineNumber":364,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_abort_incomplete_multipart_upload_enabled","org":"turbot","name":"s3_bucket_abort_incomplete_multipart_upload_enabled","mod":"Terraform AWS Compliance","title":"S3 bucket lifecycle configuration should abort incomplete multipart uploads","description":"Ensure that the S3 lifecycle configuration includes a rule to set a specific period for automatically aborting failed uploads.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}}],"controlTitle":"S3 bucket lifecycle configuration should abort incomplete multipart uploads","controlDescription":"Ensure that the S3 lifecycle configuration includes a rule to set a specific period for automatically aborting failed uploads.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}},"s3_bucket_default_encryption_enabled_kms":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_default_encryption_enabled_kms","org":"turbot","name":"s3_bucket_default_encryption_enabled_kms","sql":"select\n address as resource,\n case\n when coalesce(trim(attributes_std -> 'server_side_encryption_configuration' -> 'rule' -> 'apply_server_side_encryption_by_default' ->> 'sse_algorithm'), '') <> 'aws:kms'\n then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce(trim(attributes_std -> 'server_side_encryption_configuration' -> 'rule' -> 'apply_server_side_encryption_by_default' ->> 'sse_algorithm'), '') = '' then ' ''sse_algorithm'' is not defined'\n when trim(attributes_std -> 'server_side_encryption_configuration' -> 'rule' -> 'apply_server_side_encryption_by_default' ->> 'sse_algorithm') = 'aws:kms' then ' default encryption with KMS enabled'\n else ' default encryption with KMS disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":23,"endLineNumber":44,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_default_encryption_enabled_kms","org":"turbot","name":"s3_bucket_default_encryption_enabled_kms","mod":"Terraform AWS Compliance","title":"S3 bucket default encryption should be enabled with KMS","description":"To help protect data at rest, ensure encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets using KMS.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3"}}],"controlTitle":"S3 bucket default encryption should be enabled with KMS","controlDescription":"To help protect data at rest, ensure encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets using KMS.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3"}},"s3_bucket_default_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_default_encryption_enabled","org":"turbot","name":"s3_bucket_default_encryption_enabled","sql":"$5a","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":46,"endLineNumber":67,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_default_encryption_enabled","org":"turbot","name":"s3_bucket_default_encryption_enabled","mod":"Terraform AWS Compliance","title":"S3 bucket default encryption should be enabled","description":"To help protect data at rest, ensure default encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets.","tags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3"}}],"controlTitle":"S3 bucket default encryption should be enabled","controlDescription":"To help protect data at rest, ensure default encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets.","controlTags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3"}},"s3_bucket_cross_region_replication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_cross_region_replication_enabled","org":"turbot","name":"s3_bucket_cross_region_replication_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cors_rule')::jsonb ?& array['allowed_methods', 'allowed_origins'] then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cors_rule') is null then ' ''cors_rule'' is not defined'\n when (attributes_std -> 'cors_rule')::jsonb ?& array['allowed_methods', 'allowed_origins'] then ' enabled with cross-region replication'\n else ' not enabled with cross-region replication'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":1,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_cross_region_replication_enabled","org":"turbot","name":"s3_bucket_cross_region_replication_enabled","mod":"Terraform AWS Compliance","title":"S3 bucket cross-region replication should enabled","description":"Amazon Simple Storage Service (Amazon S3) Cross-Region Replication (CRR) supports maintaining adequate capacity and availability.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3","soc_2":"true"}}],"controlTitle":"S3 bucket cross-region replication should enabled","controlDescription":"Amazon Simple Storage Service (Amazon S3) Cross-Region Replication (CRR) supports maintaining adequate capacity and availability.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3","soc_2":"true"}}},"redshift":{"redshift_cluster_deployed_in_ec2_classic_mode":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_deployed_in_ec2_classic_mode","org":"turbot","name":"redshift_cluster_deployed_in_ec2_classic_mode","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cluster_subnet_group_name') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cluster_subnet_group_name') is not null then ' deployed inside VPC'\n else ' not deployed inside VPC'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":47,"endLineNumber":66,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_deployed_in_ec2_classic_mode","org":"turbot","name":"redshift_cluster_deployed_in_ec2_classic_mode","mod":"Terraform AWS Compliance","title":"Redshift clusters should not be using EC2 classic mode","description":"Ensure EC2-Classic mode is not used for the deployment of redshift clusters","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}}],"controlTitle":"Redshift clusters should not be using EC2 classic mode","controlDescription":"Ensure EC2-Classic mode is not used for the deployment of redshift clusters","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}},"redshift_cluster_maintenance_settings_check":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_maintenance_settings_check","org":"turbot","name":"redshift_cluster_maintenance_settings_check","sql":"$5b","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":160,"endLineNumber":183,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_maintenance_settings_check","org":"turbot","name":"redshift_cluster_maintenance_settings_check","mod":"Terraform AWS Compliance","title":"Amazon Redshift should have required maintenance settings","description":"Ensure whether Amazon Redshift clusters have the specified maintenance settings. Redshift clusters 'allowVersionUpgrade' should be set to 'true' and 'automatedSnapshotRetentionPeriod' should be greater than 7.","tags":{"category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Redshift"}}],"controlTitle":"Amazon Redshift should have required maintenance settings","controlDescription":"Ensure whether Amazon Redshift clusters have the specified maintenance settings. Redshift clusters 'allowVersionUpgrade' should be set to 'true' and 'automatedSnapshotRetentionPeriod' should be greater than 7.","controlTags":{"category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Redshift"}},"redshift_cluster_prohibit_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_prohibit_public_access","org":"turbot","name":"redshift_cluster_prohibit_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'publicly_accessible') is null then 'alarm'\n when (attributes_std -> 'publicly_accessible')::bool then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'publicly_accessible') is null then ' publicly accessible'\n when (attributes_std -> 'publicly_accessible')::bool then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":185,"endLineNumber":206,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_prohibit_public_access","org":"turbot","name":"redshift_cluster_prohibit_public_access","mod":"Terraform AWS Compliance","title":"Redshift clusters should prohibit public access","description":"Manage access to resources in the AWS Cloud by ensuring that Amazon Redshift clusters are not public.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Redshift"}}],"controlTitle":"Redshift clusters should prohibit public access","controlDescription":"Manage access to resources in the AWS Cloud by ensuring that Amazon Redshift clusters are not public.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Redshift"}},"redshift_cluster_automatic_snapshots_min_7_days":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_automatic_snapshots_min_7_days","org":"turbot","name":"redshift_cluster_automatic_snapshots_min_7_days","sql":"select\n address as resource,\n case\n when (attributes_std -> 'automated_snapshot_retention_period') is null then 'ok'\n when (attributes_std -> 'automated_snapshot_retention_period')::integer > 7 then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'automated_snapshot_retention_period') is null then ' ''automated_snapshot_retention_period'' set to 1 day by default'\n when (attributes_std -> 'automated_snapshot_retention_period')::integer > 7 then ' ''automated_snapshot_retention_period'' set to ' || (attributes_std ->> 'automated_snapshot_retention_period')::integer || ' day(s)'\n else ' ''automated_snapshot_retention_period'' set to 0 days'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_automatic_snapshots_min_7_days","org":"turbot","name":"redshift_cluster_automatic_snapshots_min_7_days","mod":"Terraform AWS Compliance","title":"Amazon Redshift clusters should have automatic snapshots enabled","description":"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven.","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Redshift","soc_2":"true"}}],"controlTitle":"Amazon Redshift clusters should have automatic snapshots enabled","controlDescription":"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven.","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Redshift","soc_2":"true"}},"redshift_serverless_namespace_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_serverless_namespace_encrypted_with_kms_cmk","org":"turbot","name":"redshift_serverless_namespace_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshiftserverless_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":252,"endLineNumber":271,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_serverless_namespace_encrypted_with_kms_cmk","org":"turbot","name":"redshift_serverless_namespace_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Redshift serverless namespaces should be encrypted with KMS CMK","description":"Ensure that Redshift serverless namespaces are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}}],"controlTitle":"Redshift serverless namespaces should be encrypted with KMS CMK","controlDescription":"Ensure that Redshift serverless namespaces are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}},"redshift_cluster_kms_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_kms_enabled","org":"turbot","name":"redshift_cluster_kms_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encrypted') is not null and (attributes_std -> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encrypted') is not null and (attributes_std -> 'kms_key_id') is not null then ' encrypted with KMS'\n else ' not encrypted with KMS'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":116,"endLineNumber":135,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_kms_enabled","org":"turbot","name":"redshift_cluster_kms_enabled","mod":"Terraform AWS Compliance","title":"Amazon Redshift clusters should be encrypted with KMS","description":"Ensure if Amazon Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption. The rule is complaint if encryption is enabled and the cluster is encrypted with the key provided in the kmsKeyArn parameter. The rule is non complaint if the cluster is not encrypted or encrypted with another key.","tags":{"category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Redshift"}}],"controlTitle":"Amazon Redshift clusters should be encrypted with KMS","controlDescription":"Ensure if Amazon Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption. The rule is complaint if encryption is enabled and the cluster is encrypted with the key provided in the kmsKeyArn parameter. The rule is non complaint if the cluster is not encrypted or encrypted with another key.","controlTags":{"category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Redshift"}},"redshift_cluster_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_logging_enabled","org":"turbot","name":"redshift_cluster_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging') is null then 'alarm'\n when (attributes_std -> 'logging' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging') is null then ' audit logging disabled'\n when (attributes_std -> 'logging' ->> 'enabled')::boolean then ' audit logging enabled'\n else ' audit logging disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":137,"endLineNumber":158,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_logging_enabled","org":"turbot","name":"redshift_cluster_logging_enabled","mod":"Terraform AWS Compliance","title":"Amazon Redshift clusters should have logging enabled","description":"Ensure that Amazon Redshift clusters have logging enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}}],"controlTitle":"Amazon Redshift clusters should have logging enabled","controlDescription":"Ensure that Amazon Redshift clusters have logging enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}},"redshift_cluster_enhanced_vpc_routing_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_enhanced_vpc_routing_enabled","org":"turbot","name":"redshift_cluster_enhanced_vpc_routing_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enhanced_vpc_routing') is null then 'alarm'\n when (attributes_std -> 'enhanced_vpc_routing')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enhanced_vpc_routing') is null then ' ''enhanced_vpc_routing'' set to false by default'\n when (attributes_std -> 'enhanced_vpc_routing')::bool then ' ''enhanced_vpc_routing'' set to true'\n else ' ''allow_version_upgrade'' set to false'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":93,"endLineNumber":114,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_enhanced_vpc_routing_enabled","org":"turbot","name":"redshift_cluster_enhanced_vpc_routing_enabled","mod":"Terraform AWS Compliance","title":"Amazon Redshift clusters should use enhanced VPC routing","description":"This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}}],"controlTitle":"Amazon Redshift clusters should use enhanced VPC routing","controlDescription":"This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}},"redshift_snapshot_copy_grant_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_snapshot_copy_grant_encrypted_with_kms_cmk","org":"turbot","name":"redshift_snapshot_copy_grant_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_snapshot_copy_grant';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":273,"endLineNumber":292,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_snapshot_copy_grant_encrypted_with_kms_cmk","org":"turbot","name":"redshift_snapshot_copy_grant_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Redshift snapshot copy grant should be encrypted with KMS CMK","description":"Ensure that Redshift snapshot copy grant is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}}],"controlTitle":"Redshift snapshot copy grant should be encrypted with KMS CMK","controlDescription":"Ensure that Redshift snapshot copy grant is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}},"redshift_cluster_no_default_database_name":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_no_default_database_name","org":"turbot","name":"redshift_cluster_no_default_database_name","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'database_name') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'database_name') is not null then ' database name defined'\n else ' no database name defined'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":208,"endLineNumber":227,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_no_default_database_name","org":"turbot","name":"redshift_cluster_no_default_database_name","mod":"Terraform AWS Compliance","title":"Redshift clusters should not use the default database name","description":"This control checks whether a Redshift cluster has changed the database name from its default value. The control will fail if the database name for a Redshift cluster is set to dev.","tags":{"category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/Redshift"}}],"controlTitle":"Redshift clusters should not use the default database name","controlDescription":"This control checks whether a Redshift cluster has changed the database name from its default value. The control will fail if the database name for a Redshift cluster is set to dev.","controlTags":{"category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/Redshift"}},"redshift_cluster_encryption_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_encryption_logging_enabled","org":"turbot","name":"redshift_cluster_encryption_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encrypted') is null then 'alarm'\n when (attributes_std -> 'logging') is null then 'alarm'\n when (attributes_std -> 'logging' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encrypted') is null then ' not encrypted'\n when (attributes_std -> 'logging') is null then ' audit logging disabled'\n when (attributes_std -> 'logging' ->> 'enabled')::boolean then ' audit logging enabled'\n else ' audit logging disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":68,"endLineNumber":91,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_encryption_logging_enabled","org":"turbot","name":"redshift_cluster_encryption_logging_enabled","mod":"Terraform AWS Compliance","title":"Redshift cluster audit logging and encryption should be enabled","description":"To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure that required configurations are deployed on Amazon Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift","soc_2":"true"}}],"controlTitle":"Redshift cluster audit logging and encryption should be enabled","controlDescription":"To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure that required configurations are deployed on Amazon Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift","soc_2":"true"}},"redshift_cluster_automatic_upgrade_major_versions_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_automatic_upgrade_major_versions_enabled","org":"turbot","name":"redshift_cluster_automatic_upgrade_major_versions_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'allow_version_upgrade') is null then 'ok'\n when (attributes_std -> 'allow_version_upgrade')::bool then 'ok'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'allow_version_upgrade') is null then ' ''allow_version_upgrade'' set to true by default'\n when (attributes_std -> 'allow_version_upgrade')::bool then ' ''allow_version_upgrade'' set to true'\n else ' ''allow_version_upgrade'' set to false'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":24,"endLineNumber":45,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_automatic_upgrade_major_versions_enabled","org":"turbot","name":"redshift_cluster_automatic_upgrade_major_versions_enabled","mod":"Terraform AWS Compliance","title":"Amazon Redshift should have automatic upgrades to major versions enabled","description":"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}}],"controlTitle":"Amazon Redshift should have automatic upgrades to major versions enabled","controlDescription":"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}},"redshift_cluster_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_encryption_enabled","org":"turbot","name":"redshift_cluster_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'encrypted') is null then 'alarm'\n when (attributes_std ->> 'encrypted')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'encrypted') is null then ' encryption disabled'\n when (attributes_std ->> 'encrypted')::bool then ' encryption enabled'\n else ' encryption disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":229,"endLineNumber":250,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_encryption_enabled","org":"turbot","name":"redshift_cluster_encryption_enabled","mod":"Terraform AWS Compliance","title":"Redshift clusters should be encrypted","description":"Ensure that Redshift clusters are encrypted.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}}],"controlTitle":"Redshift clusters should be encrypted","controlDescription":"Ensure that Redshift clusters are encrypted.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}}},"code_artifact":{"codeartifact_domain_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/codeartifact_domain_encrypted_with_kms_cmk","org":"turbot","name":"codeartifact_domain_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'encryption_key') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'encryption_key') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_codeartifact_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/codeartifact.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.codeartifact_domain_encrypted_with_kms_cmk","org":"turbot","name":"codeartifact_domain_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"CodeArtifact Domain should be encrypted with KMS CMK","description":"This control checks whether CodeArtifact Domain is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/CodeArtifact"}}],"controlTitle":"CodeArtifact Domain should be encrypted with KMS CMK","controlDescription":"This control checks whether CodeArtifact Domain is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/CodeArtifact"}}},"cloud_front":{"cloudfront_protocol_version_is_low":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudfront_protocol_version_is_low","org":"turbot","name":"cloudfront_protocol_version_is_low","sql":"select\n address as resource,\n case\n when (attributes_std -> 'viewer_certificate' ->> 'minimum_protocol_version')::text = 'TLSv1.2_2019' then 'ok'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'viewer_certificate' ->> 'minimum_protocol_version')::text = 'TLSv1.2_2019' then ' minimum protocol version is set to TLSv1.2_2019'\n else ' minimum protocol version is not set to TLSv1.2_2019'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudfront_distribution';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudfront.pp","startLineNumber":192,"endLineNumber":211,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudfront_protocol_version_is_low","org":"turbot","name":"cloudfront_protocol_version_is_low","mod":"Terraform AWS Compliance","title":"CloudFront distributions minimum protocol version should be set","description":"CloudFront distributions minimum protocol version should be a good one. Minimum recommended version is TLSv1.2_2019.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudFront"}}],"controlTitle":"CloudFront distributions minimum protocol version should be set","controlDescription":"CloudFront distributions minimum protocol version should be a good one. Minimum recommended version is TLSv1.2_2019.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudFront"}},"cloudfront_distribution_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudfront_distribution_enabled","org":"turbot","name":"cloudfront_distribution_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'enabled')::boolean then 'ok'\n else 'info'\n end status,\n split_part(address, '.', 2) || case\n when(attributes_std ->> 'enabled')::boolean then ' is enabled'\n else ' is disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudfront_distribution';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudfront.pp","startLineNumber":241,"endLineNumber":260,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudfront_distribution_enabled","org":"turbot","name":"cloudfront_distribution_enabled","mod":"Terraform AWS Compliance","title":"CloudFront distribution should be in enabled state","description":"This control checks whether CloudFront distribution is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudFront"}}],"controlTitle":"CloudFront distribution should be in enabled state","controlDescription":"This control checks whether CloudFront distribution is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudFront"}},"cloudfront_response_header_use_strict_transport_policy_setting":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudfront_response_header_use_strict_transport_policy_setting","org":"turbot","name":"cloudfront_response_header_use_strict_transport_policy_setting","sql":"$5c","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudfront.pp","startLineNumber":213,"endLineNumber":239,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudfront_response_header_use_strict_transport_policy_setting","org":"turbot","name":"cloudfront_response_header_use_strict_transport_policy_setting","mod":"Terraform AWS Compliance","title":"CloudFront response header policy should be configured with Strict Transport Security","description":"This control checks whether CloudFront response header policy enforces Strict Transport Security.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudFront"}}],"controlTitle":"CloudFront response header policy should be configured with Strict Transport Security","controlDescription":"This control checks whether CloudFront response header policy enforces Strict Transport Security.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudFront"}},"cloudfront_distribution_configured_with_origin_failover":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudfront_distribution_configured_with_origin_failover","org":"turbot","name":"cloudfront_distribution_configured_with_origin_failover","sql":"select\n address as resource,\n case\n when (attributes_std -> 'origin_group' -> 'member') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'origin_group' -> 'member' ) is not null then ' origin group is configured'\n else ' origin group not configured'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudfront_distribution';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudfront.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudfront_distribution_configured_with_origin_failover","org":"turbot","name":"cloudfront_distribution_configured_with_origin_failover","mod":"Terraform AWS Compliance","title":"CloudFront distributions should have origin failover configured","description":"This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins. CloudFront origin failover can increase availability. Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/CloudFront"}}],"controlTitle":"CloudFront distributions should have origin failover configured","controlDescription":"This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins. CloudFront origin failover can increase availability. Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/CloudFront"}},"cloudfront_distribution_waf_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudfront_distribution_waf_enabled","org":"turbot","name":"cloudfront_distribution_waf_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'web_acl_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'web_acl_id') is not null then ' associated with WAF'\n else ' not associated with WAF'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudfront_distribution';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudfront.pp","startLineNumber":171,"endLineNumber":190,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudfront_distribution_waf_enabled","org":"turbot","name":"cloudfront_distribution_waf_enabled","mod":"Terraform AWS Compliance","title":"CloudFront distributions should have AWS WAF enabled","description":"This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution is not associated with a web ACL.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/CloudFront"}}],"controlTitle":"CloudFront distributions should have AWS WAF enabled","controlDescription":"This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution is not associated with a web ACL.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/CloudFront"}},"cloudfront_distribution_origin_access_identity_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudfront_distribution_origin_access_identity_enabled","org":"turbot","name":"cloudfront_distribution_origin_access_identity_enabled","sql":"$5d","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudfront.pp","startLineNumber":103,"endLineNumber":169,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudfront_distribution_origin_access_identity_enabled","org":"turbot","name":"cloudfront_distribution_origin_access_identity_enabled","mod":"Terraform AWS Compliance","title":"CloudFront distributions should have origin access identity enabled","description":"This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/CloudFront"}}],"controlTitle":"CloudFront distributions should have origin access identity enabled","controlDescription":"This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/CloudFront"}},"cloudfront_distribution_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudfront_distribution_logging_enabled","org":"turbot","name":"cloudfront_distribution_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging_config') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging_config') is not null then ' logging enabled'\n else ' logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudfront_distribution';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudfront.pp","startLineNumber":82,"endLineNumber":101,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudfront_distribution_logging_enabled","org":"turbot","name":"cloudfront_distribution_logging_enabled","mod":"Terraform AWS Compliance","title":"CloudFront distributions should have logging enabled","description":"This control checks whether server access logging is enabled on CloudFront distributions. The control fails if access logging is not enabled for a distribution.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/CloudFront"}}],"controlTitle":"CloudFront distributions should have logging enabled","controlDescription":"This control checks whether server access logging is enabled on CloudFront distributions. The control fails if access logging is not enabled for a distribution.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/CloudFront"}},"cloudfront_distribution_encryption_in_transit_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudfront_distribution_encryption_in_transit_enabled","org":"turbot","name":"cloudfront_distribution_encryption_in_transit_enabled","sql":"$5e","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudfront.pp","startLineNumber":43,"endLineNumber":80,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudfront_distribution_encryption_in_transit_enabled","org":"turbot","name":"cloudfront_distribution_encryption_in_transit_enabled","mod":"Terraform AWS Compliance","title":"CloudFront distributions should require encryption in transit","description":"This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/CloudFront"}}],"controlTitle":"CloudFront distributions should require encryption in transit","controlDescription":"This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/CloudFront"}},"cloudfront_distribution_default_root_object_configured":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudfront_distribution_default_root_object_configured","org":"turbot","name":"cloudfront_distribution_default_root_object_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'default_root_object') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'default_root_object') is not null then ' default root object configured'\n else ' default root object not configured'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudfront_distribution';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudfront.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudfront_distribution_default_root_object_configured","org":"turbot","name":"cloudfront_distribution_default_root_object_configured","mod":"Terraform AWS Compliance","title":"CloudFront distributions should have a default root object configured","description":"This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/CloudFront"}}],"controlTitle":"CloudFront distributions should have a default root object configured","controlDescription":"This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/CloudFront"}}},"auto_scaling":{"autoscaling_launch_config_public_ip_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/autoscaling_launch_config_public_ip_disabled","org":"turbot","name":"autoscaling_launch_config_public_ip_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'associate_public_ip_address')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'associate_public_ip_address')::boolean then ' public IP enabled'\n else ' public IP disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_launch_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/autoscaling.pp","startLineNumber":24,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.autoscaling_launch_config_public_ip_disabled","org":"turbot","name":"autoscaling_launch_config_public_ip_disabled","mod":"Terraform AWS Compliance","title":"Auto Scaling launch config public IP should be disabled","description":"Ensure if Amazon EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations. This rule is non complaint if the Launch Configuration for an Auto Scaling group has AssociatePublicIpAddress set to 'true'.","tags":{"category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/AutoScaling"}}],"controlTitle":"Auto Scaling launch config public IP should be disabled","controlDescription":"Ensure if Amazon EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations. This rule is non complaint if the Launch Configuration for an Auto Scaling group has AssociatePublicIpAddress set to 'true'.","controlTags":{"category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/AutoScaling"}},"autoscaling_group_with_lb_use_health_check":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/autoscaling_group_with_lb_use_health_check","org":"turbot","name":"autoscaling_group_with_lb_use_health_check","sql":"select\n address as resource,\n case\n when (attributes_std -> 'load_balancers') is null and (attributes_std -> 'target_group_arns') is null then 'alarm'\n when (attributes_std ->> 'health_check_type') <> 'ELB' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'load_balancers') is null and (attributes_std -> 'target_group_arns') is null then ' not associated with a load balancer'\n when (attributes_std ->> 'health_check_type') <> 'ELB' then ' does not use ELB health check'\n else ' uses ELB health check'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_autoscaling_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/autoscaling.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.autoscaling_group_with_lb_use_health_check","org":"turbot","name":"autoscaling_group_with_lb_use_health_check","mod":"Terraform AWS Compliance","title":"Auto Scaling groups with a load balancer should use health checks","description":"The Elastic Load Balancer (ELB) health checks for Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling groups that support maintenance of adequate capacity and availability.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/AutoScaling"}}],"controlTitle":"Auto Scaling groups with a load balancer should use health checks","controlDescription":"The Elastic Load Balancer (ELB) health checks for Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling groups that support maintenance of adequate capacity and availability.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/AutoScaling"}},"autoscaling_group_tagging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/autoscaling_group_tagging_enabled","org":"turbot","name":"autoscaling_group_tagging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'tag') is not null or (attributes_std -> 'tags') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'tag') is not null or (attributes_std -> 'tags') is not null then ' tagging enabled'\n else ' tagging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_autoscaling_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/autoscaling.pp","startLineNumber":66,"endLineNumber":85,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.autoscaling_group_tagging_enabled","org":"turbot","name":"autoscaling_group_tagging_enabled","mod":"Terraform AWS Compliance","title":"Auto Scaling groups should have tagging enabled","description":"This control checks whether Amazon EC2 Auto Scaling groups have tagging enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/AutoScaling"}}],"controlTitle":"Auto Scaling groups should have tagging enabled","controlDescription":"This control checks whether Amazon EC2 Auto Scaling groups have tagging enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/AutoScaling"}},"autoscaling_group_uses_launch_template":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/autoscaling_group_uses_launch_template","org":"turbot","name":"autoscaling_group_uses_launch_template","sql":"select\n address as resource,\n case\n when (attributes_std -> 'launch_template') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'launch_template') is null then ' not using launch template'\n else ' using launch template'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_autoscaling_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/autoscaling.pp","startLineNumber":45,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.autoscaling_group_uses_launch_template","org":"turbot","name":"autoscaling_group_uses_launch_template","mod":"Terraform AWS Compliance","title":"Auto Scaling groups should use launch templates","description":"This control checks whether Amazon EC2 Auto Scaling groups use launch templates.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/AutoScaling"}}],"controlTitle":"Auto Scaling groups should use launch templates","controlDescription":"This control checks whether Amazon EC2 Auto Scaling groups use launch templates.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/AutoScaling"}}},"backup":{"backup_vault_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/backup_vault_encryption_at_rest_enabled","org":"turbot","name":"backup_vault_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_arn') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_arn') is null then ' encryption at rest disabled'\n else ' encryption at rest enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_backup_vault';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/backup.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.backup_vault_encryption_at_rest_enabled","org":"turbot","name":"backup_vault_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"Backup vault encryption at rest enabled","description":"Checks if AWS Backup vaults have encryption enabled. The rule is non complaint if the vault does not have encryption enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Backup"}}],"controlTitle":"Backup vault encryption at rest enabled","controlDescription":"Checks if AWS Backup vaults have encryption enabled. The rule is non complaint if the vault does not have encryption enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Backup"}},"backup_plan_min_retention_35_days":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/backup_plan_min_retention_35_days","org":"turbot","name":"backup_plan_min_retention_35_days","sql":"select\n address as resource,\n case\n when (attributes_std -> 'rule') is null then 'alarm'\n when (attributes_std -> 'rule' -> 'lifecycle') is null then 'ok'\n when (attributes_std -> 'rule' -> 'lifecycle' ->> 'delete_after')::int >=35 then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'rule') is null then ' retention period not set'\n when (attributes_std -> 'rule' -> 'lifecycle') is null then ' retention period set to never expire'\n else ' retention period set to ' || (attributes_std -> 'rule' -> 'lifecycle' ->> 'delete_after')::int\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_backup_plan';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/backup.pp","startLineNumber":22,"endLineNumber":44,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.backup_plan_min_retention_35_days","org":"turbot","name":"backup_plan_min_retention_35_days","mod":"Terraform AWS Compliance","title":"Backup plan min frequency and min retention check","description":"Checks if a backup plan has a backup rule that satisfies the required frequency and retention period(35 days). The rule is non complaint if recovery points are not created at least as often as the specified frequency or expire before the specified period.","tags":{"category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/Backup","soc_2":"true"}}],"controlTitle":"Backup plan min frequency and min retention check","controlDescription":"Checks if a backup plan has a backup rule that satisfies the required frequency and retention period(35 days). The rule is non complaint if recovery points are not created at least as often as the specified frequency or expire before the specified period.","controlTags":{"category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/Backup","soc_2":"true"}}},"cloud_formation":{"cloudformation_stack_notifications_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudformation_stack_notifications_enabled","org":"turbot","name":"cloudformation_stack_notifications_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'notification_arns') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'notification_arns') is not null then ' notifications enabled'\n else ' notifications disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudformation_stack';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudformation.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudformation_stack_notifications_enabled","org":"turbot","name":"cloudformation_stack_notifications_enabled","mod":"Terraform AWS Compliance","title":"CloudFormation Stacks should have notifications enabled","description":"This control checks whether CloudFormation Stacks are associated with an SNS topic to receive notifications when an event occurs.","tags":{"category":"Compliance","nist_csf":"true","other_checks":"true","plugin":"terraform","service":"AWS/CloudFormation"}}],"controlTitle":"CloudFormation Stacks should have notifications enabled","controlDescription":"This control checks whether CloudFormation Stacks are associated with an SNS topic to receive notifications when an event occurs.","controlTags":{"category":"Compliance","nist_csf":"true","other_checks":"true","plugin":"terraform","service":"AWS/CloudFormation"}}},"athena":{"athena_workgroup_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/athena_workgroup_encryption_at_rest_enabled","org":"turbot","name":"athena_workgroup_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'configuration' -> 'result_configuration' -> 'encryption_configuration') is not null\n then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'configuration' -> 'result_configuration' -> 'encryption_configuration') is not null\n then ' encrypted at rest'\n else ' not encrypted at rest'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_athena_workgroup';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/athena.pp","startLineNumber":21,"endLineNumber":42,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.athena_workgroup_encryption_at_rest_enabled","org":"turbot","name":"athena_workgroup_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"Athena workgroup encryption at rest should be enabled","description":"Ensure Athena workgroup is encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Athena"}}],"controlTitle":"Athena workgroup encryption at rest should be enabled","controlDescription":"Ensure Athena workgroup is encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Athena"}},"athena_database_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/athena_database_encryption_at_rest_enabled","org":"turbot","name":"athena_database_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_configuration') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_configuration') is not null then ' encrypted at rest'\n else ' not encrypted at rest'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_athena_database';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/athena.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.athena_database_encryption_at_rest_enabled","org":"turbot","name":"athena_database_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"Athena database encryption at rest should be enabled","description":"Ensure Athena database is encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Athena"}}],"controlTitle":"Athena database encryption at rest should be enabled","controlDescription":"Ensure Athena database is encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Athena"}},"athena_workgroup_enforce_workgroup_configuration":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/athena_workgroup_enforce_workgroup_configuration","org":"turbot","name":"athena_workgroup_enforce_workgroup_configuration","sql":"select\n address as resource,\n case\n when (attributes_std -> 'configuration' -> 'enforce_workgroup_configuration')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'configuration' -> 'enforce_workgroup_configuration')::boolean then ' enforce workgroup configuration set'\n else ' enforce workgroup configuration not set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_athena_workgroup';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/athena.pp","startLineNumber":44,"endLineNumber":63,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.athena_workgroup_enforce_workgroup_configuration","org":"turbot","name":"athena_workgroup_enforce_workgroup_configuration","mod":"Terraform AWS Compliance","title":"Athena workgroup configuration should be enforced","description":"This control checks whether Athena Workgroup should enforce configuration to prevent client disabling encryption.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Athena"}}],"controlTitle":"Athena workgroup configuration should be enforced","controlDescription":"This control checks whether Athena Workgroup should enforce configuration to prevent client disabling encryption.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Athena"}}},"app_sync":{"appsync_api_cache_encryption_in_transit_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/appsync_api_cache_encryption_in_transit_enabled","org":"turbot","name":"appsync_api_cache_encryption_in_transit_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'transit_encryption_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'transit_encryption_enabled')::boolean then ' encryption in transit enabled'\n else ' encryption in transit disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_appsync_api_cache';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appsync.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.appsync_api_cache_encryption_in_transit_enabled","org":"turbot","name":"appsync_api_cache_encryption_in_transit_enabled","mod":"Terraform AWS Compliance","title":"AppSync API cache encryption in transit should be enabled","description":"This control checks whether encryption in transit is enabled for the AppSync API cache.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/AppSync"}}],"controlTitle":"AppSync API cache encryption in transit should be enabled","controlDescription":"This control checks whether encryption in transit is enabled for the AppSync API cache.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/AppSync"}},"appsync_graphql_api_cloudwatch_logs_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/appsync_graphql_api_cloudwatch_logs_enabled","org":"turbot","name":"appsync_graphql_api_cloudwatch_logs_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'log_config' ->> 'cloudwatch_logs_role_arn') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'log_config' ->> 'cloudwatch_logs_role_arn') is not null then ' cloudwatch logs enabled'\n else ' cloudwatch logs disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_appsync_graphql_api';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appsync.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.appsync_graphql_api_cloudwatch_logs_enabled","org":"turbot","name":"appsync_graphql_api_cloudwatch_logs_enabled","mod":"Terraform AWS Compliance","title":"AppSync GraphQL API CloudWatch logs should be enabled","description":"This control checks whether the CloudWatch logs are enabled for the AppSync GraphQL API.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/AppSync"}}],"controlTitle":"AppSync GraphQL API CloudWatch logs should be enabled","controlDescription":"This control checks whether the CloudWatch logs are enabled for the AppSync GraphQL API.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/AppSync"}},"appsync_graphql_api_field_level_logs_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/appsync_graphql_api_field_level_logs_enabled","org":"turbot","name":"appsync_graphql_api_field_level_logs_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'log_config' ->> 'field_log_level') in ('ALL','ERROR') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'log_config' ->> 'field_log_level') in ('ALL','ERROR') then ' field level logs enabled'\n else ' field level logs disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_appsync_graphql_api';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appsync.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.appsync_graphql_api_field_level_logs_enabled","org":"turbot","name":"appsync_graphql_api_field_level_logs_enabled","mod":"Terraform AWS Compliance","title":"AppSync GraphQL API field level logs should be enabled","description":"This control checks whether field level logs are enabled for the AppSync GraphQL API.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/AppSync"}}],"controlTitle":"AppSync GraphQL API field level logs should be enabled","controlDescription":"This control checks whether field level logs are enabled for the AppSync GraphQL API.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/AppSync"}},"appsync_api_cache_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/appsync_api_cache_encryption_at_rest_enabled","org":"turbot","name":"appsync_api_cache_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'at_rest_encryption_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'at_rest_encryption_enabled')::boolean then ' encryption at rest enabled'\n else ' encryption at rest disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_appsync_api_cache';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appsync.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.appsync_api_cache_encryption_at_rest_enabled","org":"turbot","name":"appsync_api_cache_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"AppSync API cache encryption at rest should be enabled","description":"This control checks whether encryption at rest is enabled for the AppSync API cache.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/AppSync"}}],"controlTitle":"AppSync API cache encryption at rest should be enabled","controlDescription":"This control checks whether encryption at rest is enabled for the AppSync API cache.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/AppSync"}}},"app_flow":{"appflow_flow_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/appflow_flow_encrypted_with_kms_cmk","org":"turbot","name":"appflow_flow_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_arn') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_arn') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_appflow_flow';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appflow.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.appflow_flow_encrypted_with_kms_cmk","org":"turbot","name":"appflow_flow_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"AppFlow Flow should be encrypted with KMS CMK","description":"This control checks whether AppFlow Flow is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/AppFlow"}}],"controlTitle":"AppFlow Flow should be encrypted with KMS CMK","controlDescription":"This control checks whether AppFlow Flow is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/AppFlow"}},"appflow_connector_profile_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/appflow_connector_profile_encrypted_with_kms_cmk","org":"turbot","name":"appflow_connector_profile_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_arn') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_arn') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_appflow_connector_profile';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appflow.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.appflow_connector_profile_encrypted_with_kms_cmk","org":"turbot","name":"appflow_connector_profile_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"AppFlow Connector Profile should be encrypted with KMS CMK","description":"This control checks whether AppFlow Connector Profile is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/AppFlow"}}],"controlTitle":"AppFlow Connector Profile should be encrypted with KMS CMK","controlDescription":"This control checks whether AppFlow Connector Profile is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/AppFlow"}}},"api_gateway":{"apigateway_rest_api_stage_xray_tracing_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_rest_api_stage_xray_tracing_enabled","org":"turbot","name":"apigateway_rest_api_stage_xray_tracing_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'tracing_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'tracing_enabled')::boolean then ' X-Ray tracing enabled'\n else ' X-Ray tracing disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_api_gateway_stage';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_rest_api_stage_xray_tracing_enabled","org":"turbot","name":"apigateway_rest_api_stage_xray_tracing_enabled","mod":"Terraform AWS Compliance","title":"API Gateway REST API stages should have AWS X-Ray tracing enabled","description":"This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway REST API stages should have AWS X-Ray tracing enabled","controlDescription":"This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}},"apigateway_rest_api_create_before_destroy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_rest_api_create_before_destroy_enabled","org":"turbot","name":"apigateway_rest_api_create_before_destroy_enabled","sql":"select\n address as resource,\n case\n when (lifecycle ->> 'create_before_destroy') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (lifecycle ->> 'create_before_destroy') = 'true' then ' create before destroy enabled'\n else ' create before destroy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_api_gateway_rest_api';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":159,"endLineNumber":178,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_rest_api_create_before_destroy_enabled","org":"turbot","name":"apigateway_rest_api_create_before_destroy_enabled","mod":"Terraform AWS Compliance","title":"API Gateway REST API should have create_before_destroy enabled","description":"This control checks whether AWS API Gateway REST API has create_before_destroy enabled. It is recommended to enable the resource lifecycle configuration block create_before_destroy argument in this resource configuration to manage all requests that use this API, avoiding an outage.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway REST API should have create_before_destroy enabled","controlDescription":"This control checks whether AWS API Gateway REST API has create_before_destroy enabled. It is recommended to enable the resource lifecycle configuration block create_before_destroy argument in this resource configuration to manage all requests that use this API, avoiding an outage.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}},"apigateway_stage_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_stage_logging_enabled","org":"turbot","name":"apigateway_stage_logging_enabled","sql":"$5f","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":84,"endLineNumber":157,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_stage_logging_enabled","org":"turbot","name":"apigateway_stage_logging_enabled","mod":"Terraform AWS Compliance","title":"API Gateway REST and WebSocket API logging should be enabled","description":"This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if logging is not enabled for all methods of a stage or if loggingLevel is neither ERROR nor INFO.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/APIGateway","soc_2":"true"}}],"controlTitle":"API Gateway REST and WebSocket API logging should be enabled","controlDescription":"This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if logging is not enabled for all methods of a stage or if loggingLevel is neither ERROR nor INFO.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/APIGateway","soc_2":"true"}},"apigateway_rest_api_stage_use_ssl_certificate":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_rest_api_stage_use_ssl_certificate","org":"turbot","name":"apigateway_rest_api_stage_use_ssl_certificate","sql":"select\n address as resource,\n case\n when (attributes_std -> 'client_certificate_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'client_certificate_id') is null then ' does not use SSL certificate'\n else ' uses SSL certificate'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_api_gateway_stage';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_rest_api_stage_use_ssl_certificate","org":"turbot","name":"apigateway_rest_api_stage_use_ssl_certificate","mod":"Terraform AWS Compliance","title":"API Gateway stage should uses SSL certificate","description":"Ensure if a REST API stage uses a Secure Sockets Layer (SSL) certificate. This rule is complaint if the REST API stage does not have an associated SSL certificate.","tags":{"category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway stage should uses SSL certificate","controlDescription":"Ensure if a REST API stage uses a Secure Sockets Layer (SSL) certificate. This rule is complaint if the REST API stage does not have an associated SSL certificate.","controlTags":{"category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/APIGateway"}},"apigateway_stage_cache_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_stage_cache_encryption_at_rest_enabled","org":"turbot","name":"apigateway_stage_cache_encryption_at_rest_enabled","sql":"$60","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":43,"endLineNumber":82,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_stage_cache_encryption_at_rest_enabled","org":"turbot","name":"apigateway_stage_cache_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"API Gateway REST API cache data should be encrypted at rest","description":"This control checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway REST API cache data should be encrypted at rest","controlDescription":"This control checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/APIGateway"}},"apigatewayv2_route_set_authorization_type":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigatewayv2_route_set_authorization_type","org":"turbot","name":"apigatewayv2_route_set_authorization_type","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'authorization_type') in ('AWS_IAM', 'CUSTOM', 'JWT') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'authorization_type') in ('AWS_IAM', 'CUSTOM', 'JWT') then ' defines an authorization type'\n else ' does not define an authorization type'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_apigatewayv2_route';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":262,"endLineNumber":281,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigatewayv2_route_set_authorization_type","org":"turbot","name":"apigatewayv2_route_set_authorization_type","mod":"Terraform AWS Compliance","title":"API Gateway V2 Route should have authorization type set","description":"This control checks whether API Gateway V2 Route has authorization type set. It is recommended to set authorization type for all routes in API Gateway V2.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway V2 Route should have authorization type set","controlDescription":"This control checks whether API Gateway V2 Route has authorization type set. It is recommended to set authorization type for all routes in API Gateway V2.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}},"apigateway_method_settings_data_trace_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_method_settings_data_trace_enabled","org":"turbot","name":"apigateway_method_settings_data_trace_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'settings' ->> 'data_trace_enabled') = 'true' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'settings' ->> 'data_trace_enabled') = 'true' then ' data trace enabled'\n else ' data trace disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_api_gateway_method_settings';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":241,"endLineNumber":260,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_method_settings_data_trace_enabled","org":"turbot","name":"apigateway_method_settings_data_trace_enabled","mod":"Terraform AWS Compliance","title":"API Gateway Method Settings should have data trace disabled","description":"This control checks whether AWS API Gateway Method Settings has data trace disabled. It is recommended to disable data trace for all methods in API Gateway.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway Method Settings should have data trace disabled","controlDescription":"This control checks whether AWS API Gateway Method Settings has data trace disabled. It is recommended to disable data trace for all methods in API Gateway.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}},"apigateway_method_settings_cache_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_method_settings_cache_encryption_enabled","org":"turbot","name":"apigateway_method_settings_cache_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'settings' ->> 'cache_data_encrypted') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'settings' ->> 'cache_data_encrypted') = 'true' then ' cache encryption enabled'\n else ' cache encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_api_gateway_method_settings';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":220,"endLineNumber":239,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_method_settings_cache_encryption_enabled","org":"turbot","name":"apigateway_method_settings_cache_encryption_enabled","mod":"Terraform AWS Compliance","title":"API Gateway Method Settings should have cache encrypted","description":"This control checks whether AWS API Gateway Method Settings has cache encrypted. It is recommended to enable cache encryption for all methods in API Gateway.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway Method Settings should have cache encrypted","controlDescription":"This control checks whether AWS API Gateway Method Settings has cache encrypted. It is recommended to enable cache encryption for all methods in API Gateway.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}},"apigateway_method_settings_cache_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_method_settings_cache_enabled","org":"turbot","name":"apigateway_method_settings_cache_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'settings' ->> 'caching_enabled') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'settings' ->> 'caching_enabled') = 'true' then ' caching enabled'\n else ' caching disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_api_gateway_method_settings';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":199,"endLineNumber":218,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_method_settings_cache_enabled","org":"turbot","name":"apigateway_method_settings_cache_enabled","mod":"Terraform AWS Compliance","title":"API Gateway Method Settings should have cache enabled","description":"This control checks whether AWS API Gateway Method Settings has cache enabled. It is recommended to enable cache for all methods in API Gateway.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway Method Settings should have cache enabled","controlDescription":"This control checks whether AWS API Gateway Method Settings has cache enabled. It is recommended to enable cache for all methods in API Gateway.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}},"apigateway_domain_name_use_latest_tls":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_domain_name_use_latest_tls","org":"turbot","name":"apigateway_domain_name_use_latest_tls","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'security_policy') is null or (attributes_std ->> 'security_policy') = 'TLS_1_2' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'security_policy') is null or (attributes_std ->> 'security_policy') = 'TLS_1_2' then ' uses latest TLS security policy'\n else ' does not use latest TLS security policy'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_api_gateway_domain_name';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":306,"endLineNumber":325,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_domain_name_use_latest_tls","org":"turbot","name":"apigateway_domain_name_use_latest_tls","mod":"Terraform AWS Compliance","title":"API Gateway Domain should have latest TLS security policy configured","description":"This control checks whether the API Gateway Domain is configured with latest Transport Layer Security (TLS) version.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway Domain should have latest TLS security policy configured","controlDescription":"This control checks whether the API Gateway Domain is configured with latest Transport Layer Security (TLS) version.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}},"apigateway_deployment_create_before_destroy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_deployment_create_before_destroy_enabled","org":"turbot","name":"apigateway_deployment_create_before_destroy_enabled","sql":"select\n address as resource,\n case\n when (lifecycle ->> 'create_before_destroy') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (lifecycle ->> 'create_before_destroy') = 'true' then ' create before destroy enabled'\n else ' create before destroy disabled'\n end || '.' reason\nfrom\n terraform_resource\nwhere\n type = 'aws_api_gateway_deployment';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":180,"endLineNumber":197,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_deployment_create_before_destroy_enabled","org":"turbot","name":"apigateway_deployment_create_before_destroy_enabled","mod":"Terraform AWS Compliance","title":"API Gateway Deployment should have create_before_destroy enabled","description":"This control checks whether AWS API Gateway Deployment has create_before_destroy enabled. It is recommended to enable the resource lifecycle configuration block create_before_destroy argument in this resource configuration to manage all requests that use this API, avoiding an outage.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway Deployment should have create_before_destroy enabled","controlDescription":"This control checks whether AWS API Gateway Deployment has create_before_destroy enabled. It is recommended to enable the resource lifecycle configuration block create_before_destroy argument in this resource configuration to manage all requests that use this API, avoiding an outage.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}},"apigateway_method_restricts_open_access":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_method_restricts_open_access","org":"turbot","name":"apigateway_method_restricts_open_access","sql":"$61","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":283,"endLineNumber":304,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_method_restricts_open_access","org":"turbot","name":"apigateway_method_restricts_open_access","mod":"Terraform AWS Compliance","title":"API Gateway Method should have restrictive access","description":"This control checks whether the API Gateway Method is not open to broad unrestricted access.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway Method should have restrictive access","controlDescription":"This control checks whether the API Gateway Method is not open to broad unrestricted access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}},"acm":{"acm_certificate_transparency_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/acm_certificate_transparency_logging_enabled","org":"turbot","name":"acm_certificate_transparency_logging_enabled","sql":" select\n address as resource,\n case\n when (attributes_std -> 'options' ->> 'certificate_transparency_logging_preference')::text = 'ENABLED' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'options' ->> 'certificate_transparency_logging_preference')::text = 'ENABLED' then ' certificate transparency logging preference enabled'\n else ' certificate transparency logging preference disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_acm_certificate';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/acm.pp","startLineNumber":23,"endLineNumber":42,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.acm_certificate_transparency_logging_enabled","org":"turbot","name":"acm_certificate_transparency_logging_enabled","mod":"Terraform AWS Compliance","title":"ACM certificates should have transparency logging preference enabled","description":"This control checks whether ACM certificates transparency logging preference is enabled as certificate transparency logging guards against SSL/TLS certificates issued by mistake or by a compromised certificate authority.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"AWS/ACM"}}],"controlTitle":"ACM certificates should have transparency logging preference enabled","controlDescription":"This control checks whether ACM certificates transparency logging preference is enabled as certificate transparency logging guards against SSL/TLS certificates issued by mistake or by a compromised certificate authority.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"AWS/ACM"}},"acm_certificate_create_before_destroy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/acm_certificate_create_before_destroy_enabled","org":"turbot","name":"acm_certificate_create_before_destroy_enabled","sql":"select\n address as resource,\n case\n when (lifecycle ->> 'create_before_destroy') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (lifecycle ->> 'create_before_destroy') = 'true' then ' create before destroy enabled'\n else ' create before destroy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_acm_certificate';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/acm.pp","startLineNumber":2,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.acm_certificate_create_before_destroy_enabled","org":"turbot","name":"acm_certificate_create_before_destroy_enabled","mod":"Terraform AWS Compliance","title":"ACM certificate should have create before destroy enabled","description":"This control checks whether ACM certificate has create before destroy enabled. It is recommended to enable the resource lifecycle configuration block create_before_destroy argument in this resource configuration to manage all requests that use this certificate, avoiding an outage.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ACM"}}],"controlTitle":"ACM certificate should have create before destroy enabled","controlDescription":"This control checks whether ACM certificate has create before destroy enabled. It is recommended to enable the resource lifecycle configuration block create_before_destroy argument in this resource configuration to manage all requests that use this certificate, avoiding an outage.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ACM"}}},"web_pub_sub":{"web_pubsub_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/web_pubsub_uses_managed_identity","org":"turbot","name":"web_pubsub_uses_managed_identity","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity') is null then ' identity is not defined'\n else ' uses ' || (attributes_std -> 'identity' ->> 'type') || ' identity'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_web_pubsub';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/webpubsub.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.web_pubsub_uses_managed_identity","org":"turbot","name":"web_pubsub_uses_managed_identity","mod":"Terraform Azure Compliance","title":"Web PubSubs should use managed identity","description":"Use a managed identity for enhanced authentication security. A managed identity from Azure Active Directory (Azure AD) allows your Web PubSub to easily access other Azure AD-protected resources such as Azure Key Vault.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/WebPubSub"}}],"controlTitle":"Web PubSubs should use managed identity","controlDescription":"Use a managed identity for enhanced authentication security. A managed identity from Azure Active Directory (Azure AD) allows your Web PubSub to easily access other Azure AD-protected resources such as Azure Key Vault.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/WebPubSub"}},"web_pubsub_sku_with_sla":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/web_pubsub_sku_with_sla","org":"turbot","name":"web_pubsub_sku_with_sla","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku') = 'Free_F1' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku') = 'Free_F1' then ' using SKU tier without SLA'\n else ' using SKU tier with SLA'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_web_pubsub';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/webpubsub.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.web_pubsub_sku_with_sla","org":"turbot","name":"web_pubsub_sku_with_sla","mod":"Terraform Azure Compliance","title":"Web PubSubs should use SKU with an SLA","description":"This control checks if Web PubSubs use SKU with an SLA. This control is considered non-compliant if Web PubSub uses SKUs without an SLA.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/WebPubSub"}}],"controlTitle":"Web PubSubs should use SKU with an SLA","controlDescription":"This control checks if Web PubSubs use SKU with an SLA. This control is considered non-compliant if Web PubSub uses SKUs without an SLA.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/WebPubSub"}}},"storage_sync":{"storage_sync_private_link_used":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_sync_private_link_used","org":"turbot","name":"storage_sync_private_link_used","sql":"select\n address as resource,\n case\n when (attributes_std -> 'incoming_traffic_policy') is null then 'alarm'\n when (attributes_std ->> 'incoming_traffic_policy') = 'AllowAllTraffic' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'incoming_traffic_policy') is null then ' does not use private link'\n when (attributes_std ->> 'incoming_traffic_policy') = 'AllowAllTraffic' then ' uses public networks'\n else ' uses private link'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_sync';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storagesync.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_sync_private_link_used","org":"turbot","name":"storage_sync_private_link_used","mod":"Terraform Azure Compliance","title":"Azure File Sync should use private link","description":"Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/StorageSync"}}],"controlTitle":"Azure File Sync should use private link","controlDescription":"Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/StorageSync"}}},"synapse_analytics":{"synapse_workspace_data_exfiltration_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/synapse_workspace_data_exfiltration_protection_enabled","org":"turbot","name":"synapse_workspace_data_exfiltration_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'data_exfiltration_protection_enabled') is null then 'alarm'\n when (attributes_std ->> 'data_exfiltration_protection_enabled') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'data_exfiltration_protection_enabled') is null then ' data exfiltration protection not defined'\n when (attributes_std ->> 'data_exfiltration_protection_enabled' ) = 'true' then ' data exfiltration protection enabled'\n else ' data exfiltration protection disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_synapse_workspace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/synapse.pp","startLineNumber":60,"endLineNumber":81,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.synapse_workspace_data_exfiltration_protection_enabled","org":"turbot","name":"synapse_workspace_data_exfiltration_protection_enabled","mod":"Terraform Azure Compliance","title":"Synapse workspaces should have data exfiltration protection enabled","description":"This control checks whether Synapse workspace has data exfiltration protection enabled.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/SynapseAnalytics"}}],"controlTitle":"Synapse workspaces should have data exfiltration protection enabled","controlDescription":"This control checks whether Synapse workspace has data exfiltration protection enabled.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/SynapseAnalytics"}},"synapse_workspace_encryption_at_rest_using_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/synapse_workspace_encryption_at_rest_using_cmk","org":"turbot","name":"synapse_workspace_encryption_at_rest_using_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'customer_managed_key') is null then 'alarm'\n when (attributes_std -> 'customer_managed_key' -> 'key_versionless_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'customer_managed_key') is null then ' ''customer_managed_key'' not defined'\n when (attributes_std -> 'customer_managed_key' -> 'key_versionless_id') is not null then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_synapse_workspace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/synapse.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.synapse_workspace_encryption_at_rest_using_cmk","org":"turbot","name":"synapse_workspace_encryption_at_rest_using_cmk","mod":"Terraform Azure Compliance","title":"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest","description":"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SynapseAnalytics"}}],"controlTitle":"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest","controlDescription":"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SynapseAnalytics"}},"synapse_workspace_private_link_used":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/synapse_workspace_private_link_used","org":"turbot","name":"synapse_workspace_private_link_used","sql":"with synapse_workspaces as (\n select\n '${azurerm_synapse_workspace.' || name || '.id}' as sw_id,\n *\n from\n terraform_resource\n where\n type = 'azurerm_synapse_workspace'\n), synapse_workspace_private_link as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_synapse_managed_private_endpoint'\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'synapse_workspace_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'synapse_workspace_id') is not null then ' uses private link'\n else ' not uses private link'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n synapse_workspaces as a\n left join synapse_workspace_private_link as s on a.sw_id = (s.attributes_std ->> 'synapse_workspace_id');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/synapse.pp","startLineNumber":24,"endLineNumber":58,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.synapse_workspace_private_link_used","org":"turbot","name":"synapse_workspace_private_link_used","mod":"Terraform Azure Compliance","title":"Azure Synapse workspaces should use private link","description":"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SynapseAnalytics"}}],"controlTitle":"Azure Synapse workspaces should use private link","controlDescription":"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SynapseAnalytics"}}},"terraform":{"storage_container_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_container_restrict_public_access","org":"turbot","name":"storage_container_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'container_access_type') = 'private' or (attributes_std ->> 'container_access_type') is null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'container_access_type') = 'private' or (attributes_std ->> 'container_access_type') is null then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_container';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":425,"endLineNumber":444,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_container_restrict_public_access","org":"turbot","name":"storage_container_restrict_public_access","mod":"Terraform Azure Compliance","title":"Storage container public access should be disabled","description":"This control checks whether the public access level is set to private for the storage container.","tags":{}}],"controlTitle":"Storage container public access should be disabled","controlDescription":"This control checks whether the public access level is set to private for the storage container.","controlTags":{}},"storage_account_uses_latest_minimum_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_uses_latest_minimum_tls_version","org":"turbot","name":"storage_account_uses_latest_minimum_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'min_tls_version') in ('TLS1_2', 'TLS1_3') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'min_tls_version') in ('TLS1_2', 'TLS1_3') then ' use latest version of TLS encryption'\n when (attributes_std ->> 'min_tls_version') is null then ' version of TLS encryption is not set'\n else ' does not uses latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":381,"endLineNumber":401,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_uses_latest_minimum_tls_version","org":"turbot","name":"storage_account_uses_latest_minimum_tls_version","mod":"Terraform Azure Compliance","title":"Storage accounts should use latest minimum TLS version","description":"Use the latest minimum TLS version for your storage accounts to ensure that your data is encrypted in transit.","tags":{}}],"controlTitle":"Storage accounts should use latest minimum TLS version","controlDescription":"Use the latest minimum TLS version for your storage accounts to ensure that your data is encrypted in transit.","controlTags":{}},"storage_account_replication_type_set":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_replication_type_set","org":"turbot","name":"storage_account_replication_type_set","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'account_replication_type') in ('GRS', 'RAGRS', 'GZRS', 'RAGZRS') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'account_replication_type') in ('GRS', 'RAGRS', 'GZRS', 'RAGZRS') then ' replication type set correctly'\n when (attributes_std ->> 'account_replication_type') is null then ' replication type not set'\n else ' replication type not set correctly'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":403,"endLineNumber":423,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_replication_type_set","org":"turbot","name":"storage_account_replication_type_set","mod":"Terraform Azure Compliance","title":"Storage accounts should have replication type set","description":"This control checks whether the replication type is set to GRS or RAGRS or GZRS or RAGZRS for the storage account.","tags":{}}],"controlTitle":"Storage accounts should have replication type set","controlDescription":"This control checks whether the replication type is set to GRS or RAGRS or GZRS or RAGZRS for the storage account.","controlTags":{}}},"storage":{"storage_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_azure_defender_enabled","org":"turbot","name":"storage_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'tier') = 'Standard' and (attributes_std ->> 'resource_type') = 'StorageAccounts' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'tier') = 'Standard' and (attributes_std ->> 'resource_type') = 'StorageAccounts' then ' Azure defender enabled for StorageAccount(s)'\n else ' Azure defender enabled for ' || (attributes_std ->> 'resource_type') || ''\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_azure_defender_enabled","org":"turbot","name":"storage_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for Storage should be enabled","description":"Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}}],"controlTitle":"Azure Defender for Storage should be enabled","controlDescription":"Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}},"storage_account_uses_private_link":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_uses_private_link","org":"turbot","name":"storage_account_uses_private_link","sql":"select\n address as resource,\n case\n when (attributes_std -> 'private_link_access') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'private_link_access') is null then ' does not use private link'\n else ' uses private link'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":272,"endLineNumber":291,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_uses_private_link","org":"turbot","name":"storage_account_uses_private_link","mod":"Terraform Azure Compliance","title":"Storage accounts should use private link","description":"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}}],"controlTitle":"Storage accounts should use private link","controlDescription":"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}},"storage_account_blob_service_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_blob_service_logging_enabled","org":"turbot","name":"storage_account_blob_service_logging_enabled","sql":"$62","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":249,"endLineNumber":270,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_blob_service_logging_enabled","org":"turbot","name":"storage_account_blob_service_logging_enabled","mod":"Terraform Azure Compliance","title":"Ensure Storage logging is enabled for Blob service for read, write, and delete requests","description":"The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.10","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/Storage"}}],"controlTitle":"Ensure Storage logging is enabled for Blob service for read, write, and delete requests","controlDescription":"The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"3.10","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/Storage"}},"storage_account_encryption_scopes_encrypted_at_rest_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_encryption_scopes_encrypted_at_rest_with_cmk","org":"turbot","name":"storage_account_encryption_scopes_encrypted_at_rest_with_cmk","sql":"select\n address as resource,\n case\n when name in (select split_part((attributes_std ->> 'storage_account_id'), '.', 2) from terraform_resource where type = 'azurerm_storage_encryption_scope' and (attributes_std ->> 'source') = 'Microsoft.KeyVault') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when name in (select split_part((attributes_std ->> 'storage_account_id'), '.', 2) from terraform_resource where type = 'azurerm_storage_encryption_scope' and (attributes_std ->> 'source') = 'Microsoft.KeyVault') then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":293,"endLineNumber":312,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_encryption_scopes_encrypted_at_rest_with_cmk","org":"turbot","name":"storage_account_encryption_scopes_encrypted_at_rest_with_cmk","mod":"Terraform Azure Compliance","title":"Storage account encryption scopes should use customer-managed keys to encrypt data at rest","description":"Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}}],"controlTitle":"Storage account encryption scopes should use customer-managed keys to encrypt data at rest","controlDescription":"Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}},"storage_account_uses_azure_resource_manager":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_uses_azure_resource_manager","org":"turbot","name":"storage_account_uses_azure_resource_manager","sql":"select\n address as resource,\n case\n when (attributes_std -> 'resource_group_name') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'resource_group_name') is null then ' does not use azure resource group manager'\n else ' uses azure resource group manager'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":360,"endLineNumber":379,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_uses_azure_resource_manager","org":"turbot","name":"storage_account_uses_azure_resource_manager","mod":"Terraform Azure Compliance","title":"Storage accounts should be migrated to new Azure Resource Manager resources","description":"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}}],"controlTitle":"Storage accounts should be migrated to new Azure Resource Manager resources","controlDescription":"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}},"storage_account_secure_transfer_required_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_secure_transfer_required_enabled","org":"turbot","name":"storage_account_secure_transfer_required_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enable_https_traffic_only') is null then 'ok'\n when (attributes_std -> 'enable_https_traffic_only')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enable_https_traffic_only') is null then ' encryption in transit enabled'\n when (attributes_std -> 'enable_https_traffic_only')::bool then ' encryption in transit enabled'\n else ' encryption in transit not enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":337,"endLineNumber":358,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_secure_transfer_required_enabled","org":"turbot","name":"storage_account_secure_transfer_required_enabled","mod":"Terraform Azure Compliance","title":"Secure transfer to storage accounts should be enabled","description":"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}}],"controlTitle":"Secure transfer to storage accounts should be enabled","controlDescription":"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}},"storage_account_infrastructure_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_infrastructure_encryption_enabled","org":"turbot","name":"storage_account_infrastructure_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'infrastructure_encryption_enabled') is null then 'alarm'\n when (attributes_std -> 'infrastructure_encryption_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'infrastructure_encryption_enabled') is null then ' ''infrastructure_encryption_enabled'' parameter not defined'\n when (attributes_std -> 'infrastructure_encryption_enabled')::bool then ' infrastructure encryption enabled'\n else ' infrastructure encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":134,"endLineNumber":155,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_infrastructure_encryption_enabled","org":"turbot","name":"storage_account_infrastructure_encryption_enabled","mod":"Terraform Azure Compliance","title":"Storage accounts should have infrastructure encryption","description":"Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}}],"controlTitle":"Storage accounts should have infrastructure encryption","controlDescription":"Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}},"storage_account_use_virtual_service_endpoint":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_use_virtual_service_endpoint","org":"turbot","name":"storage_account_use_virtual_service_endpoint","sql":"with storage_account_network_rules as (\n select\n name,\n address,\n type,\n path,\n start_line,\n split_part((attributes_std ->> 'storage_account_name'), '.',2) as storage_account_name\n from\n terraform_resource\n where\n type = 'azurerm_storage_account_network_rules'\n and (attributes_std ->> 'default_action') = 'Deny'\n), storage_account_name as (\n select\n name,\n address,\n type,\n path,\n _ctx,\n start_line\n from\n terraform_resource\n where\n type = 'azurerm_storage_account'\n)\nselect\n san.address as resource,\n case\n when sanr.address is null then 'alarm'\n else 'ok'\n end status,\n split_part(san.address, '.', 2) || case\n when sanr.address is null then ' does not use virtual service endpoint'\n else ' uses virtual service endpoint'\n end || '.' reason\n \n , san.path || ':' || san.start_line\nfrom\n storage_account_name as san\n left join storage_account_network_rules as sanr on sanr.storage_account_name = san.name;\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":67,"endLineNumber":111,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_use_virtual_service_endpoint","org":"turbot","name":"storage_account_use_virtual_service_endpoint","mod":"Terraform Azure Compliance","title":"Storage Accounts should use a virtual network service endpoint","description":"This policy audits any Storage Account not configured to use a virtual network service endpoint.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/Storage"}}],"controlTitle":"Storage Accounts should use a virtual network service endpoint","controlDescription":"This policy audits any Storage Account not configured to use a virtual network service endpoint.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/Storage"}},"storage_account_trusted_microsoft_services_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_trusted_microsoft_services_enabled","org":"turbot","name":"storage_account_trusted_microsoft_services_enabled","sql":"$63","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":203,"endLineNumber":247,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_trusted_microsoft_services_enabled","org":"turbot","name":"storage_account_trusted_microsoft_services_enabled","mod":"Terraform Azure Compliance","title":"Ensure 'Trusted Microsoft Services' is enabled for Storage Account access","description":"Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.7","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/Storage"}}],"controlTitle":"Ensure 'Trusted Microsoft Services' is enabled for Storage Account access","controlDescription":"Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"3.7","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/Storage"}},"storage_account_encryption_at_rest_using_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_encryption_at_rest_using_cmk","org":"turbot","name":"storage_account_encryption_at_rest_using_cmk","sql":"select\n address as resource,\n case\n when name in (select split_part((attributes_std ->> 'storage_account_id'), '.', 2) from terraform_resource where type = 'azurerm_storage_account_customer_managed_key') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when name in (select split_part((attributes_std ->> 'storage_account_id'), '.', 2) from terraform_resource where type = 'azurerm_storage_account_customer_managed_key') then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":113,"endLineNumber":132,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_encryption_at_rest_using_cmk","org":"turbot","name":"storage_account_encryption_at_rest_using_cmk","mod":"Terraform Azure Compliance","title":"Storage accounts should use customer-managed key for encryption","description":"Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}}],"controlTitle":"Storage accounts should use customer-managed key for encryption","controlDescription":"Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}},"storage_account_blob_containers_public_access_private":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_blob_containers_public_access_private","org":"turbot","name":"storage_account_blob_containers_public_access_private","sql":"select\n address as resource,\n case\n when (attributes_std -> 'allow_blob_public_access') is null then 'ok'\n when (attributes_std -> 'allow_blob_public_access')::bool then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'allow_blob_public_access') is null then ' does not allow public access to the blobs'\n when (attributes_std -> 'allow_blob_public_access')::bool then ' allows public access to all the blobs'\n else ' does not allow public access to the blobs'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":157,"endLineNumber":178,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_blob_containers_public_access_private","org":"turbot","name":"storage_account_blob_containers_public_access_private","mod":"Terraform Azure Compliance","title":"Ensure that 'Public access level' is set to Private for blob containers","description":"Disable anonymous access to blob containers and disallow blob public access on storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.5","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/Storage"}}],"controlTitle":"Ensure that 'Public access level' is set to Private for blob containers","controlDescription":"Disable anonymous access to blob containers and disallow blob public access on storage account.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"3.5","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/Storage"}},"storage_account_default_network_access_rule_denied":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_default_network_access_rule_denied","org":"turbot","name":"storage_account_default_network_access_rule_denied","sql":"select\n address as resource,\n case\n when (attributes_std -> 'network_rules') is null then 'alarm'\n when (attributes_std -> 'network_rules' ->> 'default_action') = 'Allow' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'network_rules') is null then ' has no network rules defined'\n when (attributes_std -> 'network_rules' ->> 'default_action') = 'Allow' then ' allows traffic from specific networks'\n else ' allows network access'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":180,"endLineNumber":201,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_default_network_access_rule_denied","org":"turbot","name":"storage_account_default_network_access_rule_denied","mod":"Terraform Azure Compliance","title":"Storage accounts should restrict network access","description":"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}}],"controlTitle":"Storage accounts should restrict network access","controlDescription":"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}},"storage_account_block_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_block_public_access","org":"turbot","name":"storage_account_block_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'allow_blob_public_access') is null then 'ok'\n when (attributes_std -> 'allow_blob_public_access')::bool then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'allow_blob_public_access') is null then ' does not allow public access to the blobs or containers'\n when (attributes_std -> 'allow_blob_public_access')::bool then ' allows public access to all the blobs or containers'\n else ' does not allow public access to the blobs or containers'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":21,"endLineNumber":42,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_block_public_access","org":"turbot","name":"storage_account_block_public_access","mod":"Terraform Azure Compliance","title":"Storage account public access should be disallowed","description":"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}}],"controlTitle":"Storage account public access should be disallowed","controlDescription":"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}},"storage_account_restrict_network_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_restrict_network_access","org":"turbot","name":"storage_account_restrict_network_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'network_rules') is null then 'alarm'\n when (attributes_std -> 'network_rules' ->> 'default_action') = 'Deny' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'network_rules') is null then ' allows network access'\n when (attributes_std -> 'network_rules' ->> 'default_action') = 'Deny' then ' restricts network access'\n else ' allows network access'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":314,"endLineNumber":335,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_restrict_network_access","org":"turbot","name":"storage_account_restrict_network_access","mod":"Terraform Azure Compliance","title":"Storage accounts should restrict network access using virtual network rules","description":"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}}],"controlTitle":"Storage accounts should restrict network access using virtual network rules","controlDescription":"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}},"storage_account_queue_services_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_queue_services_logging_enabled","org":"turbot","name":"storage_account_queue_services_logging_enabled","sql":"$64","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":44,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_queue_services_logging_enabled","org":"turbot","name":"storage_account_queue_services_logging_enabled","mod":"Terraform Azure Compliance","title":"Ensure Storage logging is enabled for Queue service for read, write, and delete requests","description":"The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.3","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/Storage"}}],"controlTitle":"Ensure Storage logging is enabled for Queue service for read, write, and delete requests","controlDescription":"The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"3.3","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/Storage"}},"storage_bucket_uniform_access_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/storage_bucket_uniform_access_enabled","org":"turbot","name":"storage_bucket_uniform_access_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'uniform_bucket_level_access')::boolean then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'uniform_bucket_level_access') is null then ' ''uniform_bucket_level_access'' is not defined'\n when (attributes_std ->> 'uniform_bucket_level_access')::boolean then ' uniform bucket-level access enabled'\n else ' uniform bucket-level access not enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_storage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":24,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.storage_bucket_uniform_access_enabled","org":"turbot","name":"storage_bucket_uniform_access_enabled","mod":"Terraform GCP Compliance","title":"Ensure that Cloud Storage buckets have uniform bucket-level access enabled","description":"It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/Storage"}}],"controlTitle":"Ensure that Cloud Storage buckets have uniform bucket-level access enabled","controlDescription":"It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"5.2","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/Storage"}},"storage_bucket_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/storage_bucket_not_publicly_accessible","org":"turbot","name":"storage_bucket_not_publicly_accessible","sql":"select\n address as resource,\n case\n when coalesce(trim((attributes_std ->> 'entity')), '') like any (array ['', '%allAuthenticatedUsers%','%allUsers%'])\n then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce(trim((attributes_std ->> 'entity')), '') = '' then ' ''entity'' is not defined'\n when (attributes_std ->> 'entity') like any (array ['%allAuthenticatedUsers%','%allUsers%']) then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_storage_bucket_access_control';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.storage_bucket_not_publicly_accessible","org":"turbot","name":"storage_bucket_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"Ensure that Cloud Storage bucket is not anonymously or publicly accessible","description":"It is recommended that IAM policy on a Cloud Storage bucket does not allow anonymous or public access.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Storage"}}],"controlTitle":"Ensure that Cloud Storage bucket is not anonymously or publicly accessible","controlDescription":"It is recommended that IAM policy on a Cloud Storage bucket does not allow anonymous or public access.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"5.1","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Storage"}},"storage_bucket_self_logging_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/storage_bucket_self_logging_disabled","org":"turbot","name":"storage_bucket_self_logging_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging') is null then 'skip'\n when (attributes_std -> 'logging' ->> 'log_bucket') = (attributes_std ->> 'name') then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging') is null then ' logging is undefined'\n when (attributes_std -> 'logging' ->> 'log_bucket') = (attributes_std ->> 'name') then ' self logging enabled'\n else ' self logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_storage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":87,"endLineNumber":108,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.storage_bucket_self_logging_disabled","org":"turbot","name":"storage_bucket_self_logging_disabled","mod":"Terraform GCP Compliance","title":"Storage buckets self logging should be disabled","description":"It is recommended that self logging should be disabled for storage buckets.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Storage"}}],"controlTitle":"Storage buckets self logging should be disabled","controlDescription":"It is recommended that self logging should be disabled for storage buckets.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Storage"}},"storage_bucket_versioning_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/storage_bucket_versioning_enabled","org":"turbot","name":"storage_bucket_versioning_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'versioning' ->> 'enabled') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'versioning' ->> 'enabled') = 'true' then ' versioning enabled'\n else ' versioning disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_storage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":66,"endLineNumber":85,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.storage_bucket_versioning_enabled","org":"turbot","name":"storage_bucket_versioning_enabled","mod":"Terraform GCP Compliance","title":"Storage buckets versioning should be enabled","description":"It is recommended that versioning should be enabled for storage buckets.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Storage"}}],"controlTitle":"Storage buckets versioning should be enabled","controlDescription":"It is recommended that versioning should be enabled for storage buckets.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Storage"}},"storage_bucket_public_access_prevention_enforced":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/storage_bucket_public_access_prevention_enforced","org":"turbot","name":"storage_bucket_public_access_prevention_enforced","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_access_prevention') = 'enforced' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_access_prevention') = 'enforced' then ' public access prevention enforced'\n else ' public access prevention not enforced'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_storage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":45,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.storage_bucket_public_access_prevention_enforced","org":"turbot","name":"storage_bucket_public_access_prevention_enforced","mod":"Terraform GCP Compliance","title":"Storage buckets public access prevention should be enforced","description":"It is recommended that public access prevention should be enforced for storage buckets.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Storage"}}],"controlTitle":"Storage buckets public access prevention should be enforced","controlDescription":"It is recommended that public access prevention should be enforced for storage buckets.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Storage"}},"storage_bucket_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/storage_bucket_logging_enabled","org":"turbot","name":"storage_bucket_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging' ->> 'log_bucket') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging' ->> 'log_bucket') is not null then ' logging enabled'\n else ' logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_storage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":110,"endLineNumber":129,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.storage_bucket_logging_enabled","org":"turbot","name":"storage_bucket_logging_enabled","mod":"Terraform GCP Compliance","title":"Storage buckets logging should be enabled","description":"It is recommended that logging should be enabled for storage buckets.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Storage"}}],"controlTitle":"Storage buckets logging should be enabled","controlDescription":"It is recommended that logging should be enabled for storage buckets.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Storage"}}},"sql":{"sql_database_allow_internet_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_database_allow_internet_access","org":"turbot","name":"sql_database_allow_internet_access","sql":"$65","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":198,"endLineNumber":231,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_database_allow_internet_access","org":"turbot","name":"sql_database_allow_internet_access","mod":"Terraform Azure Compliance","title":"Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)","description":"Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP). SQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)","controlDescription":"Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP). SQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/SQL"}},"sql_server_auditing_storage_account_destination_retention_90_days":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_server_auditing_storage_account_destination_retention_90_days","org":"turbot","name":"sql_server_auditing_storage_account_destination_retention_90_days","sql":"$66","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":150,"endLineNumber":175,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_server_auditing_storage_account_destination_retention_90_days","org":"turbot","name":"sql_server_auditing_storage_account_destination_retention_90_days","mod":"Terraform Azure Compliance","title":"SQL servers with auditing to storage account destination should be configured with 90 days retention or higher","description":"For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"SQL servers with auditing to storage account destination should be configured with 90 days retention or higher","controlDescription":"For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SQL"}},"sql_server_all_security_alerts_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_server_all_security_alerts_enabled","org":"turbot","name":"sql_server_all_security_alerts_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'disabled_alerts') is not null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'disabled_alerts') is not null then ' some security alerts disabled'\n else ' all security alerts enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_server_security_alert_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":298,"endLineNumber":317,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_server_all_security_alerts_enabled","org":"turbot","name":"sql_server_all_security_alerts_enabled","mod":"Terraform Azure Compliance","title":"SQL servers should have all Security Alerts enabled","description":"Enable all Security Alerts on SQL servers. It is recommended to enable all Security Alerts on SQL servers.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"SQL servers should have all Security Alerts enabled","controlDescription":"Enable all Security Alerts on SQL servers. It is recommended to enable all Security Alerts on SQL servers.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}},"sql_db_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_db_public_network_access_disabled","org":"turbot","name":"sql_db_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'public_network_access_enabled') is null then 'alarm'\n when (attributes_std -> 'public_network_access_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'public_network_access_enabled') is null then ' ''public_network_access_enabled'' not defined'\n when (attributes_std -> 'public_network_access_enabled')::boolean then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":233,"endLineNumber":254,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_db_public_network_access_disabled","org":"turbot","name":"sql_db_public_network_access_disabled","mod":"Terraform Azure Compliance","title":"Public network access on Azure SQL Database should be disabled","description":"Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"Public network access on Azure SQL Database should be disabled","controlDescription":"Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SQL"}},"sql_server_vm_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_server_vm_azure_defender_enabled","org":"turbot","name":"sql_server_vm_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'SqlServerVirtualMachines' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'info'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'SqlServerVirtualMachines' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for SqlServerVirtualMachines'\n else ' Azure Defender off for SqlServerVirtualMachines'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":30,"endLineNumber":48,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_server_vm_azure_defender_enabled","org":"turbot","name":"sql_server_vm_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for SQL servers on machines should be enabled","description":"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"Azure Defender for SQL servers on machines should be enabled","controlDescription":"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SQL"}},"sql_server_uses_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_server_uses_latest_tls_version","org":"turbot","name":"sql_server_uses_latest_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'minimum_tls_version') is null then 'ok'\n when (attributes_std ->> 'minimum_tls_version')::text = '1.2' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'minimum_tls_version') is null then ' TLS version not defined by default uses 1.2'\n when (attributes_std ->> 'minimum_tls_version')::text = '1.2' then ' TLS version 1.2'\n else ' TLS version not 1.2'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":319,"endLineNumber":340,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_server_uses_latest_tls_version","org":"turbot","name":"sql_server_uses_latest_tls_version","mod":"Terraform Azure Compliance","title":"SQL servers should use the latest TLS version 1.2","description":"SQL servers currently allows user to set TLS version values as Disabled, 1.0, 1.1 and 1.2. It is recommended to use the latest TLS version 1.2.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"SQL servers should use the latest TLS version 1.2","controlDescription":"SQL servers currently allows user to set TLS version values as Disabled, 1.0, 1.1 and 1.2. It is recommended to use the latest TLS version 1.2.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}},"sql_server_email_security_alert_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_server_email_security_alert_enabled","org":"turbot","name":"sql_server_email_security_alert_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'email_addresses') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'email_addresses') is null then ' email security alert disabled'\n else ' email security alert enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_server_security_alert_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":256,"endLineNumber":275,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_server_email_security_alert_enabled","org":"turbot","name":"sql_server_email_security_alert_enabled","mod":"Terraform Azure Compliance","title":"SQL servers should have Email Security Alert enabled","description":"Enable Email Security Alert on SQL servers. It is recommended to enable Email Security Alert on SQL servers.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"SQL servers should have Email Security Alert enabled","controlDescription":"Enable Email Security Alert on SQL servers. It is recommended to enable Email Security Alert on SQL servers.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}},"sql_server_azure_ad_authentication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_server_azure_ad_authentication_enabled","org":"turbot","name":"sql_server_azure_ad_authentication_enabled","sql":"select\n address as resource,\n case\n when name in (select split_part((attributes_std ->> 'server_name'), '.', 2) from terraform_resource where type = 'azurerm_sql_active_directory_administrator') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when name in (select split_part((attributes_std ->> 'server_name'), '.', 2) from terraform_resource where type = 'azurerm_sql_active_directory_administrator') then ' has AzureAD authentication enabled'\n else ' does not have AzureAD authentication enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_sql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":129,"endLineNumber":148,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_server_azure_ad_authentication_enabled","org":"turbot","name":"sql_server_azure_ad_authentication_enabled","mod":"Terraform Azure Compliance","title":"An Azure Active Directory administrator should be provisioned for SQL servers","description":"Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"An Azure Active Directory administrator should be provisioned for SQL servers","controlDescription":"Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SQL"}},"sql_server_atp_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_server_atp_enabled","org":"turbot","name":"sql_server_atp_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'threat_detection_policy') is null then 'alarm'\n when (attributes_std -> 'threat_detection_policy' ->> 'state') = 'Disabled' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'threat_detection_policy') is null then ' does not have ATP enabled'\n when (attributes_std -> 'threat_detection_policy' ->> 'state') = 'Disabled' then ' does not have ATP enabled'\n else ' has ATP enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_sql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":50,"endLineNumber":71,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_server_atp_enabled","org":"turbot","name":"sql_server_atp_enabled","mod":"Terraform Azure Compliance","title":"Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'","description":"Enable 'Azure Defender for SQL' on critical SQL Servers. It is recommended to enable Azure Defender for SQL on critical SQL Servers. Azure Defender for SQL is a unified package for advanced security capabilities","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.2.1","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'","controlDescription":"Enable 'Azure Defender for SQL' on critical SQL Servers. It is recommended to enable Azure Defender for SQL on critical SQL Servers. Azure Defender for SQL is a unified package for advanced security capabilities","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.2.1","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"Azure/SQL"}},"sql_server_admins_email_security_alert_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_server_admins_email_security_alert_enabled","org":"turbot","name":"sql_server_admins_email_security_alert_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'email_account_admins')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'email_account_admins')::boolean then ' account administrators email security alert enabled'\n else ' account administrators email security alert disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_server_security_alert_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":277,"endLineNumber":296,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_server_admins_email_security_alert_enabled","org":"turbot","name":"sql_server_admins_email_security_alert_enabled","mod":"Terraform Azure Compliance","title":"SQL servers should have Administrator Email Security Alert enabled","description":"Enable Email Security Alert on SQL server admins. It is recommended to enable Email Security Alert on SQL server admins.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"SQL servers should have Administrator Email Security Alert enabled","controlDescription":"Enable Email Security Alert on SQL server admins. It is recommended to enable Email Security Alert on SQL server admins.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}},"sql_db_active_directory_admin_configured":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_db_active_directory_admin_configured","org":"turbot","name":"sql_db_active_directory_admin_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'azuread_administrator') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'azuread_administrator') is null then ' Azure AD authentication not configured.'\n else ' Azure AD authentication configured'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":177,"endLineNumber":196,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_db_active_directory_admin_configured","org":"turbot","name":"sql_db_active_directory_admin_configured","mod":"Terraform Azure Compliance","title":"Ensure that Azure Active Directory Admin is configured","description":"Use Azure Active Directory Authentication for authentication with SQL Database.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.4","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"Ensure that Azure Active Directory Admin is configured","controlDescription":"Use Azure Active Directory Authentication for authentication with SQL Database.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.4","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/SQL"}},"sql_database_zone_redundant_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_database_zone_redundant_enabled","org":"turbot","name":"sql_database_zone_redundant_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'zone_redundant') is null then 'alarm'\n when (attributes_std ->> 'zone_redundant')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'zone_redundant') is null then ' ''zone_redundant'' is not set'\n when (attributes_std ->> 'zone_redundant')::bool then ' zone redundant'\n else ' not zone redundant'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_database';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":365,"endLineNumber":386,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_database_zone_redundant_enabled","org":"turbot","name":"sql_database_zone_redundant_enabled","mod":"Terraform Azure Compliance","title":"SQL databases should be zone redundant","description":"This control ensures that SQL database is zone redundant.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"SQL databases should be zone redundant","controlDescription":"This control ensures that SQL database is zone redundant.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}},"sql_database_server_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_database_server_azure_defender_enabled","org":"turbot","name":"sql_database_server_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'tier') = 'Standard' and (attributes_std ->> 'resource_type') = 'SqlServers' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'tier') = 'Standard' and (attributes_std ->> 'resource_type') = 'SqlServers' then ' Azure defender enabled for SqlServer(s)'\n else ' Azure defender enabled for ' || (attributes_std ->> 'resource_type') || ''\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":73,"endLineNumber":91,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_database_server_azure_defender_enabled","org":"turbot","name":"sql_database_server_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for Azure SQL Database servers should be enabled","description":"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"Azure Defender for Azure SQL Database servers should be enabled","controlDescription":"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SQL"}},"sql_database_long_term_geo_redundant_backup_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_database_long_term_geo_redundant_backup_enabled","org":"turbot","name":"sql_database_long_term_geo_redundant_backup_enabled","sql":"$67","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":1,"endLineNumber":28,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_database_long_term_geo_redundant_backup_enabled","org":"turbot","name":"sql_database_long_term_geo_redundant_backup_enabled","mod":"Terraform Azure Compliance","title":"Long-term geo-redundant backup should be enabled for Azure SQL Databases","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"Long-term geo-redundant backup should be enabled for Azure SQL Databases","controlDescription":"This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SQL"}},"sql_database_ledger_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_database_ledger_enabled","org":"turbot","name":"sql_database_ledger_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'ledger_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'ledger_enabled')::bool then ' ledger enabled'\n else ' ledger disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_database';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":388,"endLineNumber":407,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_database_ledger_enabled","org":"turbot","name":"sql_database_ledger_enabled","mod":"Terraform Azure Compliance","title":"SQL databases ledger should be enabled","description":"This control ensures that ledger is enabled for SQL database.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"SQL databases ledger should be enabled","controlDescription":"This control ensures that ledger is enabled for SQL database.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}},"sql_database_log_monitoring_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_database_log_monitoring_enabled","org":"turbot","name":"sql_database_log_monitoring_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'log_monitoring_enabled') is null then 'ok'\n when (attributes_std -> 'log_monitoring_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'log_monitoring_enabled') is null then ' log monitoring enabled'\n when (attributes_std -> 'log_monitoring_enabled')::boolean then ' log monitoring enabled'\n else ' log monitoring disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_database_extended_auditing_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":342,"endLineNumber":363,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_database_log_monitoring_enabled","org":"turbot","name":"sql_database_log_monitoring_enabled","mod":"Terraform Azure Compliance","title":"SQL databases should have log monitoring enabled","description":"Enable audit log monitoring on SQL database. It is recommended to enable Log Monitoring on SQL database.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"SQL databases should have log monitoring enabled","controlDescription":"Enable audit log monitoring on SQL database. It is recommended to enable Log Monitoring on SQL database.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}},"sql_instance_sql_user_options_database_flag_not_configured":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_sql_user_options_database_flag_not_configured","org":"turbot","name":"sql_instance_sql_user_options_database_flag_not_configured","sql":"select\n address as resource,\n case\n when coalesce(trim((attributes_std ->> 'database_version')), '') = '' then 'alarm'\n when (attributes_std ->> 'database_version') not like 'SQLSERVER%' then 'skip'\n when (attributes_std -> 'settings' -> 'database_flags' ->> 'name') = 'user options'\n then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce(trim((attributes_std ->> 'database_version')), '') = ''\n then ' ''database_version'' is not defined'\n when (attributes_std ->> 'database_version') not like 'SQLSERVER%'\n then ' not a SQL Server database'\n when (attributes_std -> 'settings' -> 'database_flags' ->> 'name') = 'user options'\n then ' ''user options'' database flag set'\n else ' ''user options'' database flag not set'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_sql_database_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":153,"endLineNumber":179,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_sql_user_options_database_flag_not_configured","org":"turbot","name":"sql_instance_sql_user_options_database_flag_not_configured","mod":"Terraform GCP Compliance","title":"Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured","description":"It is recommended that, user options database flag for Cloud SQL SQL Server instance should not be configured.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.3.4","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured","controlDescription":"It is recommended that, user options database flag for Cloud SQL SQL Server instance should not be configured.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.3.4","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_sql_3625_trace_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_sql_3625_trace_database_flag_off","org":"turbot","name":"sql_instance_sql_3625_trace_database_flag_off","sql":"$68","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":295,"endLineNumber":331,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_sql_3625_trace_database_flag_off","org":"turbot","name":"sql_instance_sql_3625_trace_database_flag_off","mod":"Terraform GCP Compliance","title":"Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set 3625 (trace flag) database flag for Cloud SQL SQL Server instance to off.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.3.6","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'","controlDescription":"It is recommended to set 3625 (trace flag) database flag for Cloud SQL SQL Server instance to off.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.3.6","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_log_min_duration_statement_database_flag_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_min_duration_statement_database_flag_disabled","org":"turbot","name":"sql_instance_postgresql_log_min_duration_statement_database_flag_disabled","sql":"$69","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":584,"endLineNumber":620,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_min_duration_statement_database_flag_disabled","org":"turbot","name":"sql_instance_postgresql_log_min_duration_statement_database_flag_disabled","mod":"Terraform GCP Compliance","title":"Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)","description":"The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.16","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)","controlDescription":"The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.16","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_publicly_accessible","org":"turbot","name":"sql_instance_publicly_accessible","sql":"$6a","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":936,"endLineNumber":960,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_publicly_accessible","org":"turbot","name":"sql_instance_publicly_accessible","mod":"Terraform GCP Compliance","title":"GCP SQL instance should not be publicly accessible","description":"This control checks whether the GCP SQL instance is publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"GCP SQL instance should not be publicly accessible","controlDescription":"This control checks whether the GCP SQL instance is publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_log_disconnections_database_flag_on":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_disconnections_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_disconnections_database_flag_on","sql":"$6b","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":508,"endLineNumber":544,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_disconnections_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_disconnections_database_flag_on","mod":"Terraform GCP Compliance","title":"Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Enabling the log_disconnections setting logs the end of each session, including the session duration.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.4","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'","controlDescription":"Enabling the log_disconnections setting logs the end of each session, including the session duration.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.4","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_log_executor_stats_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_executor_stats_database_flag_off","org":"turbot","name":"sql_instance_postgresql_log_executor_stats_database_flag_off","sql":"$6c","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":546,"endLineNumber":582,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_executor_stats_database_flag_off","org":"turbot","name":"sql_instance_postgresql_log_executor_stats_database_flag_off","mod":"Terraform GCP Compliance","title":"Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","description":"The PostgreSQL executor is responsible to execute the plan handed over by the PostgreSQL planner. The executor processes the plan recursively to extract the required set of rows. The log_executor_stats flag controls the inclusion of PostgreSQL executor performance statistics in the PostgreSQL logs for each query.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.11","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","controlDescription":"The PostgreSQL executor is responsible to execute the plan handed over by the PostgreSQL planner. The executor processes the plan recursively to extract the required set of rows. The log_executor_stats flag controls the inclusion of PostgreSQL executor performance statistics in the PostgreSQL logs for each query.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.11","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_require_ssl_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_require_ssl_enabled","org":"turbot","name":"sql_instance_require_ssl_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'settings' -> 'ip_configuration' ->> 'require_ssl')::boolean then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'settings') is null then ' ''settings'' is not defined'\n when (attributes_std -> 'settings' -> 'ip_configuration') is null then ' ''settings.ip_configuration'' is not defined'\n when (attributes_std -> 'settings' -> 'ip_configuration' ->> 'require_ssl') is null\n then ' ''settings.ip_configuration.require_ssl'' is not defined'\n when (attributes_std -> 'settings' -> 'ip_configuration' ->> 'require_ssl')::boolean then ' enforces SSL connections'\n else ' does not enforce SSL connections'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_sql_database_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":447,"endLineNumber":468,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_require_ssl_enabled","org":"turbot","name":"sql_instance_require_ssl_enabled","mod":"Terraform GCP Compliance","title":"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL","description":"It is recommended to enforce all incoming connections to SQL database instance to use SSL.","tags":{"category":"Compliance","cft_scorecard_v1":"true","cis":"true","cis_item_id":"6.4","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure that the Cloud SQL database instance requires all incoming connections to use SSL","controlDescription":"It is recommended to enforce all incoming connections to SQL database instance to use SSL.","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","cis":"true","cis_item_id":"6.4","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_log_statement_flag_set":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_statement_flag_set","org":"turbot","name":"sql_instance_postgresql_log_statement_flag_set","sql":"$6d","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":870,"endLineNumber":891,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_statement_flag_set","org":"turbot","name":"sql_instance_postgresql_log_statement_flag_set","mod":"Terraform GCP Compliance","title":"GCP SQL PostgreSQL instance should log SQL statements","description":"This control checks whether the log_statement database flag for Cloud SQL PostgreSQL instance is set to log SQL statements.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"GCP SQL PostgreSQL instance should log SQL statements","controlDescription":"This control checks whether the log_statement database flag for Cloud SQL PostgreSQL instance is set to log SQL statements.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_sql_contained_database_authentication_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_sql_contained_database_authentication_database_flag_off","org":"turbot","name":"sql_instance_sql_contained_database_authentication_database_flag_off","sql":"$6e","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":660,"endLineNumber":696,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_sql_contained_database_authentication_database_flag_off","org":"turbot","name":"sql_instance_sql_contained_database_authentication_database_flag_off","mod":"Terraform GCP Compliance","title":"Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'","description":"It is recommended to set contained database authentication database flag for Cloud SQL on the SQL Server instance is set to off.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.3.7","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'","controlDescription":"It is recommended to set contained database authentication database flag for Cloud SQL on the SQL Server instance is set to off.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.3.7","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_log_connections_database_flag_on":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_connections_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_connections_database_flag_on","sql":"$6f","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":77,"endLineNumber":113,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_connections_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_connections_database_flag_on","mod":"Terraform GCP Compliance","title":"Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'","controlDescription":"Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_sql_cross_db_ownership_chaining_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_sql_cross_db_ownership_chaining_database_flag_off","org":"turbot","name":"sql_instance_sql_cross_db_ownership_chaining_database_flag_off","sql":"$70","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":39,"endLineNumber":75,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_sql_cross_db_ownership_chaining_database_flag_off","org":"turbot","name":"sql_instance_sql_cross_db_ownership_chaining_database_flag_off","mod":"Terraform GCP Compliance","title":"Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set cross DB ownership chaining database flag for Cloud SQL SQL Server instance to off.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.3.2","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'","controlDescription":"It is recommended to set cross DB ownership chaining database flag for Cloud SQL SQL Server instance to off.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.3.2","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_log_hostname_database_flag_configured":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_hostname_database_flag_configured","org":"turbot","name":"sql_instance_postgresql_log_hostname_database_flag_configured","sql":"$71","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":219,"endLineNumber":255,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_hostname_database_flag_configured","org":"turbot","name":"sql_instance_postgresql_log_hostname_database_flag_configured","mod":"Terraform GCP Compliance","title":"Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately","description":"PostgreSQL logs only the IP address of the connecting hosts. The log_hostname flag controls the logging of hostnames in addition to the IP addresses logged. The performance hit is dependent on the configuration of the environment and the host name resolution setup. This parameter can only be set in the postgresql.conf file or on the server command line.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.8","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately","controlDescription":"PostgreSQL logs only the IP address of the connecting hosts. The log_hostname flag controls the logging of hostnames in addition to the IP addresses logged. The performance hit is dependent on the configuration of the environment and the host name resolution setup. This parameter can only be set in the postgresql.conf file or on the server command line.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.8","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_mysql_skip_show_database_flag_on":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_mysql_skip_show_database_flag_on","org":"turbot","name":"sql_instance_mysql_skip_show_database_flag_on","sql":"$72","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":257,"endLineNumber":293,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_mysql_skip_show_database_flag_on","org":"turbot","name":"sql_instance_mysql_skip_show_database_flag_on","mod":"Terraform GCP Compliance","title":"Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'","description":"It is recommended to set skip_show_database database flag for Cloud SQL Mysql instance to on.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.1.2","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'","controlDescription":"It is recommended to set skip_show_database database flag for Cloud SQL Mysql instance to on.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.1.2","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_pgaudit_database_flag_on":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_pgaudit_database_flag_on","org":"turbot","name":"sql_instance_postgresql_pgaudit_database_flag_on","sql":"$73","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":797,"endLineNumber":822,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_pgaudit_database_flag_on","org":"turbot","name":"sql_instance_postgresql_pgaudit_database_flag_on","mod":"Terraform GCP Compliance","title":"GCP SQL PostgreSQL instance should have pgaudit database flag set to 'on'","description":"This control checks whether the pgaudit database flag for Cloud SQL PostgreSQL instance is set to 'on'.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"GCP SQL PostgreSQL instance should have pgaudit database flag set to 'on'","controlDescription":"This control checks whether the pgaudit database flag for Cloud SQL PostgreSQL instance is set to 'on'.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_log_checkpoints_database_flag_on":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_checkpoints_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_checkpoints_database_flag_on","sql":"$74","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":470,"endLineNumber":506,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_checkpoints_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_checkpoints_database_flag_on","mod":"Terraform GCP Compliance","title":"Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Ensure that the log_checkpoints database flag for the Cloud SQL PostgreSQL instance is set to on.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.1","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'","controlDescription":"Ensure that the log_checkpoints database flag for the Cloud SQL PostgreSQL instance is set to on.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.1","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_log_statement_stats_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_statement_stats_database_flag_off","org":"turbot","name":"sql_instance_postgresql_log_statement_stats_database_flag_off","sql":"$75","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":1,"endLineNumber":37,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_statement_stats_database_flag_off","org":"turbot","name":"sql_instance_postgresql_log_statement_stats_database_flag_off","mod":"Terraform GCP Compliance","title":"Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","description":"The log_statement_stats flag controls the inclusion of end to end performance statistics of a SQL query in the PostgreSQL logs for each query. This cannot be enabled with other module statistics (log_parser_stats, log_planner_stats, log_executor_stats).","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.12","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","controlDescription":"The log_statement_stats flag controls the inclusion of end to end performance statistics of a SQL query in the PostgreSQL logs for each query. This cannot be enabled with other module statistics (log_parser_stats, log_planner_stats, log_executor_stats).","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.12","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_log_duration_database_flag_on":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_duration_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_duration_database_flag_on","sql":"$76","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":622,"endLineNumber":658,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_duration_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_duration_database_flag_on","mod":"Terraform GCP Compliance","title":"Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Enabling the log_duration setting causes the duration of each completed statement to be logged. This does not logs the text of the query and thus behaves different from the log_min_duration_statement flag. This parameter cannot be changed after session start.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.5","cis_level":"1","cis_type":"manual","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'","controlDescription":"Enabling the log_duration setting causes the duration of each completed statement to be logged. This does not logs the text of the query and thus behaves different from the log_min_duration_statement flag. This parameter cannot be changed after session start.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.5","cis_level":"1","cis_type":"manual","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_log_temp_files_database_flag_0":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_temp_files_database_flag_0","org":"turbot","name":"sql_instance_postgresql_log_temp_files_database_flag_0","sql":"$77","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":333,"endLineNumber":369,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_temp_files_database_flag_0","org":"turbot","name":"sql_instance_postgresql_log_temp_files_database_flag_0","mod":"Terraform GCP Compliance","title":"Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0'","description":"PostgreSQL can create a temporary file for actions such as sorting, hashing and temporary query results when these operations exceed work_mem. The log_temp_files flag controls logging names and the file size when it is deleted. Configuring log_temp_files to 0 causes all temporary file information to be logged, while positive values log only files whose size is greater than or equal to the specified number of kilobytes. A value of -1 disables temporary file information logging.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.15","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0'","controlDescription":"PostgreSQL can create a temporary file for actions such as sorting, hashing and temporary query results when these operations exceed work_mem. The log_temp_files flag controls logging names and the file size when it is deleted. Configuring log_temp_files to 0 causes all temporary file information to be logged, while positive values log only files whose size is greater than or equal to the specified number of kilobytes. A value of -1 disables temporary file information logging.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.15","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_log_planner_stats_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_planner_stats_database_flag_off","org":"turbot","name":"sql_instance_postgresql_log_planner_stats_database_flag_off","sql":"$78","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":409,"endLineNumber":445,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_planner_stats_database_flag_off","org":"turbot","name":"sql_instance_postgresql_log_planner_stats_database_flag_off","mod":"Terraform GCP Compliance","title":"Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","description":"The same SQL query can be executed in multiple ways and still produce different results. The PostgreSQL planner/optimizer is responsible to create an optimal execution plan for each query. The log_planner_stats flag controls the inclusion of PostgreSQL planner performance statistics in the PostgreSQL logs for each query.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.10","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","controlDescription":"The same SQL query can be executed in multiple ways and still produce different results. The PostgreSQL planner/optimizer is responsible to create an optimal execution plan for each query. The log_planner_stats flag controls the inclusion of PostgreSQL planner performance statistics in the PostgreSQL logs for each query.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.10","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_log_parser_stats_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_parser_stats_database_flag_off","org":"turbot","name":"sql_instance_postgresql_log_parser_stats_database_flag_off","sql":"$79","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":115,"endLineNumber":151,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_parser_stats_database_flag_off","org":"turbot","name":"sql_instance_postgresql_log_parser_stats_database_flag_off","mod":"Terraform GCP Compliance","title":"Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","description":"The PostgreSQL planner/optimizer is responsible to parse and verify the syntax of each query received by the server. If the syntax is correct, a parse tree is built up else an error is generated. The log_parser_stats flag controls the inclusion of parser performance statistics in the PostgreSQL logs for each query.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.9","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","controlDescription":"The PostgreSQL planner/optimizer is responsible to parse and verify the syntax of each query received by the server. If the syntax is correct, a parse tree is built up else an error is generated. The log_parser_stats flag controls the inclusion of parser performance statistics in the PostgreSQL logs for each query.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.9","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_log_min_messages_flag_set":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_min_messages_flag_set","org":"turbot","name":"sql_instance_postgresql_log_min_messages_flag_set","sql":"$7a","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":847,"endLineNumber":868,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_min_messages_flag_set","org":"turbot","name":"sql_instance_postgresql_log_min_messages_flag_set","mod":"Terraform GCP Compliance","title":"GCP SQL PostgreSQL instance should have log_min_messages database flag set to a valid value","description":"This control checks whether the log_min_messages database flag for Cloud SQL PostgreSQL instance is set to a valid value.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"GCP SQL PostgreSQL instance should have log_min_messages database flag set to a valid value","controlDescription":"This control checks whether the log_min_messages database flag for Cloud SQL PostgreSQL instance is set to a valid value.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_log_min_error_statement_flag_set":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_min_error_statement_flag_set","org":"turbot","name":"sql_instance_postgresql_log_min_error_statement_flag_set","sql":"$7b","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":824,"endLineNumber":845,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_min_error_statement_flag_set","org":"turbot","name":"sql_instance_postgresql_log_min_error_statement_flag_set","mod":"Terraform GCP Compliance","title":"GCP SQL PostgreSQL instance should have log_min_error_statement database flag set to ERROR or lower","description":"This control checks whether the log_min_error_statement database flag for Cloud SQL PostgreSQL instance is set to ERROR or lower.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"GCP SQL PostgreSQL instance should have log_min_error_statement database flag set to ERROR or lower","controlDescription":"This control checks whether the log_min_error_statement database flag for Cloud SQL PostgreSQL instance is set to ERROR or lower.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_mysql_local_infile_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_mysql_local_infile_database_flag_off","org":"turbot","name":"sql_instance_mysql_local_infile_database_flag_off","sql":"$7c","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":736,"endLineNumber":772,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_mysql_local_infile_database_flag_off","org":"turbot","name":"sql_instance_mysql_local_infile_database_flag_off","mod":"Terraform GCP Compliance","title":"Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'","description":"It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.1.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'","controlDescription":"It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.1.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_log_lock_waits_database_flag_on":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_lock_waits_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_lock_waits_database_flag_on","sql":"$7d","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":698,"endLineNumber":734,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_lock_waits_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_lock_waits_database_flag_on","mod":"Terraform GCP Compliance","title":"Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Enabling the log_lock_waits flag for a PostgreSQL instance creates a log for any session waits that take longer than the alloted deadlock_timeout time to acquire a lock.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.6","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'","controlDescription":"Enabling the log_lock_waits flag for a PostgreSQL instance creates a log for any session waits that take longer than the alloted deadlock_timeout time to acquire a lock.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.6","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_automated_backups_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_automated_backups_enabled","org":"turbot","name":"sql_instance_automated_backups_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'settings' -> 'backup_configuration' ->> 'enabled')::boolean then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'settings') is null then ' ''settings'' is not defined'\n when (attributes_std -> 'settings' -> 'backup_configuration') is null then ' ''settings.backup_configuration'' is not defined'\n when (attributes_std -> 'settings' -> 'backup_configuration' ->> 'enabled') is null\n then ' ''settings.backup_configuration.enabled'' is not defined'\n when (attributes_std -> 'settings' -> 'backup_configuration' ->> 'enabled')::boolean then ' automatic backups configured'\n else ' automatic backups not configured'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_sql_database_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":774,"endLineNumber":795,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_automated_backups_enabled","org":"turbot","name":"sql_instance_automated_backups_enabled","mod":"Terraform GCP Compliance","title":"Ensure that Cloud SQL database instances are configured with automated backups","description":"It is recommended to have all SQL database instances set to enable automated backups.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.7","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure that Cloud SQL database instances are configured with automated backups","controlDescription":"It is recommended to have all SQL database instances set to enable automated backups.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.7","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_sql_external_scripts_enabled_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_sql_external_scripts_enabled_database_flag_off","org":"turbot","name":"sql_instance_sql_external_scripts_enabled_database_flag_off","sql":"$7e","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":181,"endLineNumber":217,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_sql_external_scripts_enabled_database_flag_off","org":"turbot","name":"sql_instance_sql_external_scripts_enabled_database_flag_off","mod":"Terraform GCP Compliance","title":"Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.3.1","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'","controlDescription":"It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.3.1","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_using_latest_major_database_version":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_using_latest_major_database_version","org":"turbot","name":"sql_instance_using_latest_major_database_version","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'database_version') in ('POSTGRES_15', 'MYSQL_8_0', 'SQLSERVER_2019_STANDARD', 'SQLSERVER_2019_WEB', 'SQLSERVER_2019_ENTERPRISE', 'SQLSERVER_2019_EXPRESS') then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'database_version') in ('POSTGRES_15', 'MYSQL_8_0', 'SQLSERVER_2019_STANDARD', 'SQLSERVER_2019_WEB', 'SQLSERVER_2019_ENTERPRISE', 'SQLSERVER_2019_EXPRESS') then ' latest major database version in use'\n else ' latest major database version not in use'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_sql_database_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":916,"endLineNumber":934,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_using_latest_major_database_version","org":"turbot","name":"sql_instance_using_latest_major_database_version","mod":"Terraform GCP Compliance","title":"GCP SQL instance should be using latest major database version","description":"This control checks whether the GCP SQL instance is using the latest major database version.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"GCP SQL instance should be using latest major database version","controlDescription":"This control checks whether the GCP SQL instance is using the latest major database version.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_sql_with_no_public_ip":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_sql_with_no_public_ip","org":"turbot","name":"sql_instance_sql_with_no_public_ip","sql":"select\n address as resource,\n case\n when (attributes_std -> 'settings' -> 'ip_configuration' ->> 'ipv4_enabled') is null then 'alarm'\n when (attributes_std -> 'settings' -> 'ip_configuration' ->> 'ipv4_enabled')::boolean then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'settings' -> 'ip_configuration' ->> 'ipv4_enabled') is null then ' ipv4_enabled is not defined'\n when (attributes_std -> 'settings' -> 'ip_configuration' ->> 'ipv4_enabled')::boolean then ' public IP address configured'\n else ' no public IP address configured'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_sql_database_instance'\n and (attributes_std ->> 'database_version') like 'SQLSERVER%';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":893,"endLineNumber":914,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_sql_with_no_public_ip","org":"turbot","name":"sql_instance_sql_with_no_public_ip","mod":"Terraform GCP Compliance","title":"GCP SQL instance should not have public IP address","description":"This control checks whether the GCP SQL instance has a public IP address.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"GCP SQL instance should not have public IP address","controlDescription":"This control checks whether the GCP SQL instance has a public IP address.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_sql_remote_access_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_sql_remote_access_database_flag_off","org":"turbot","name":"sql_instance_sql_remote_access_database_flag_off","sql":"$7f","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":371,"endLineNumber":407,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_sql_remote_access_database_flag_off","org":"turbot","name":"sql_instance_sql_remote_access_database_flag_off","mod":"Terraform GCP Compliance","title":"Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set remote access database flag for Cloud SQL SQL Server instance to off.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.3.5","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'","controlDescription":"It is recommended to set remote access database flag for Cloud SQL SQL Server instance to off.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.3.5","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/SQL"}}},"spring_cloud":{"spring_cloud_service_network_injection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/spring_cloud_service_network_injection_enabled","org":"turbot","name":"spring_cloud_service_network_injection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'network') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'network') is null then ' network injection disabled'\n else ' network injection enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_spring_cloud_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/springcloud.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.spring_cloud_service_network_injection_enabled","org":"turbot","name":"spring_cloud_service_network_injection_enabled","mod":"Terraform Azure Compliance","title":"Azure Spring Cloud should use network injection","description":"Azure Spring Cloud instances should use virtual network injection for the following purposes - 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SpringCloud"}}],"controlTitle":"Azure Spring Cloud should use network injection","controlDescription":"Azure Spring Cloud instances should use virtual network injection for the following purposes - 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SpringCloud"}},"spring_cloud_api_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/spring_cloud_api_restrict_public_access","org":"turbot","name":"spring_cloud_api_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled')::boolean then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_spring_cloud_api_portal';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/springcloud.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.spring_cloud_api_restrict_public_access","org":"turbot","name":"spring_cloud_api_restrict_public_access","mod":"Terraform Azure Compliance","title":"Spring Cloud API should not be publicly accessible","description":"This control checks whether the Azure Spring Cloud API is publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SpringCloud"}}],"controlTitle":"Spring Cloud API should not be publicly accessible","controlDescription":"This control checks whether the Azure Spring Cloud API is publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SpringCloud"}},"spring_cloud_api_https_only_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/spring_cloud_api_https_only_enabled","org":"turbot","name":"spring_cloud_api_https_only_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'https_only_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'https_only_enabled')::boolean then ' HTTPS only enabled'\n else ' HTTPS only disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_spring_cloud_api_portal';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/springcloud.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.spring_cloud_api_https_only_enabled","org":"turbot","name":"spring_cloud_api_https_only_enabled","mod":"Terraform Azure Compliance","title":"Spring Cloud API should only be accessible over HTTPS","description":"This control checks whether the Azure Spring Cloud API is only accessible over HTTPS.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SpringCloud"}}],"controlTitle":"Spring Cloud API should only be accessible over HTTPS","controlDescription":"This control checks whether the Azure Spring Cloud API is only accessible over HTTPS.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SpringCloud"}}},"security_center":{"securitycenter_azure_defender_on_for_k8s":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_azure_defender_on_for_k8s","org":"turbot","name":"securitycenter_azure_defender_on_for_k8s","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'KubernetesService' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'KubernetesService' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for Kubernetes Service'\n else ' Azure Defender off for Kubernetes Service'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":101,"endLineNumber":119,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.securitycenter_azure_defender_on_for_k8s","org":"turbot","name":"securitycenter_azure_defender_on_for_k8s","mod":"Terraform Azure Compliance","title":"Ensure that Azure Defender is set to On for Kubernetes","description":"Turning on Azure Defender enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.6","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/SecurityCenter"}}],"controlTitle":"Ensure that Azure Defender is set to On for Kubernetes","controlDescription":"Turning on Azure Defender enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"2.6","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/SecurityCenter"}},"securitycenter_automatic_provisioning_monitoring_agent_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_automatic_provisioning_monitoring_agent_on","org":"turbot","name":"securitycenter_automatic_provisioning_monitoring_agent_on","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'auto_provision') = 'On' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'auto_provision') = 'On' then ' automatic provisioning of monitoring agent is on'\n else ' automatic provisioning of monitoring agent is off'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_auto_provisioning';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":221,"endLineNumber":239,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.securitycenter_automatic_provisioning_monitoring_agent_on","org":"turbot","name":"securitycenter_automatic_provisioning_monitoring_agent_on","mod":"Terraform Azure Compliance","title":"Auto provisioning of the Log Analytics agent should be enabled on your subscription","description":"To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SecurityCenter"}}],"controlTitle":"Auto provisioning of the Log Analytics agent should be enabled on your subscription","controlDescription":"To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SecurityCenter"}},"securitycenter_azure_defender_on_for_containerregistry":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_azure_defender_on_for_containerregistry","org":"turbot","name":"securitycenter_azure_defender_on_for_containerregistry","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'ContainerRegistry' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'ContainerRegistry' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for Container Registry'\n else ' Azure Defender off for Container Registry'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":61,"endLineNumber":79,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.securitycenter_azure_defender_on_for_containerregistry","org":"turbot","name":"securitycenter_azure_defender_on_for_containerregistry","mod":"Terraform Azure Compliance","title":"Ensure that Azure Defender is set to On for Container Registries","description":"Turning on Azure Defender enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.7","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/SecurityCenter"}}],"controlTitle":"Ensure that Azure Defender is set to On for Container Registries","controlDescription":"Turning on Azure Defender enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"2.7","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/SecurityCenter"}},"securitycenter_azure_defender_on_for_appservice":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_azure_defender_on_for_appservice","org":"turbot","name":"securitycenter_azure_defender_on_for_appservice","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'AppServices' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'AppServices' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for App Services'\n else ' Azure Defender off for App Services'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":41,"endLineNumber":59,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.securitycenter_azure_defender_on_for_appservice","org":"turbot","name":"securitycenter_azure_defender_on_for_appservice","mod":"Terraform Azure Compliance","title":"Ensure that Azure Defender is set to On for App Service","description":"Turning on Azure Defender enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.2","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/SecurityCenter"}}],"controlTitle":"Ensure that Azure Defender is set to On for App Service","controlDescription":"Turning on Azure Defender enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"2.2","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/SecurityCenter"}},"securitycenter_azure_defender_on_for_sqlservervm":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_azure_defender_on_for_sqlservervm","org":"turbot","name":"securitycenter_azure_defender_on_for_sqlservervm","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'SqlServerVirtualMachines' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'SqlServerVirtualMachines' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for SQL servers on machines'\n else ' Azure Defender off for SQL servers on machines'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":121,"endLineNumber":139,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.securitycenter_azure_defender_on_for_sqlservervm","org":"turbot","name":"securitycenter_azure_defender_on_for_sqlservervm","mod":"Terraform Azure Compliance","title":"Azure Defender for SQL should be enabled for unprotected SQL Managed Instances","description":"Audit each SQL Managed Instance without advanced data security. Turning on Azure Defender enables threat detection for SQL Managed Instance, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SecurityCenter"}}],"controlTitle":"Azure Defender for SQL should be enabled for unprotected SQL Managed Instances","controlDescription":"Audit each SQL Managed Instance without advanced data security. Turning on Azure Defender enables threat detection for SQL Managed Instance, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SecurityCenter"}},"securitycenter_email_configured":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_email_configured","org":"turbot","name":"securitycenter_email_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'email') is not null and (attributes_std -> 'alert_notifications')::bool is true then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'email') is not null and (attributes_std -> 'alert_notifications')::bool is true then ' additional email & alert notifications configured'\n else ' additional email & alert notifications not configured'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_contact';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":201,"endLineNumber":219,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.securitycenter_email_configured","org":"turbot","name":"securitycenter_email_configured","mod":"Terraform Azure Compliance","title":"Subscriptions should have a contact email address for security issues","description":"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SecurityCenter"}}],"controlTitle":"Subscriptions should have a contact email address for security issues","controlDescription":"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SecurityCenter"}},"securitycenter_uses_standard_pricing_tier":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_uses_standard_pricing_tier","org":"turbot","name":"securitycenter_uses_standard_pricing_tier","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'tier') = 'Standard' then ' uses standard pricing tier'\n else ' not use standard pricing tier'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":261,"endLineNumber":279,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.securitycenter_uses_standard_pricing_tier","org":"turbot","name":"securitycenter_uses_standard_pricing_tier","mod":"Terraform Azure Compliance","title":"Security Center should use the standard pricing tier","description":"The standard pricing tier provides advanced security capabilities, including threat detection for Azure and hybrid workloads, just-in-time (JIT) virtual machine (VM) access, and access and application controls.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SecurityCenter"}}],"controlTitle":"Security Center should use the standard pricing tier","controlDescription":"The standard pricing tier provides advanced security capabilities, including threat detection for Azure and hybrid workloads, just-in-time (JIT) virtual machine (VM) access, and access and application controls.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SecurityCenter"}},"securitycenter_contact_number_configured":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_contact_number_configured","org":"turbot","name":"securitycenter_contact_number_configured","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'phone') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'phone') is not null then ' contact number configured'\n else ' contact number not configured'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_contact';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":241,"endLineNumber":259,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.securitycenter_contact_number_configured","org":"turbot","name":"securitycenter_contact_number_configured","mod":"Terraform Azure Compliance","title":"Subscriptions should have a contact phone number for security issues","description":"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive phone notifications from Security Center.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SecurityCenter"}}],"controlTitle":"Subscriptions should have a contact phone number for security issues","controlDescription":"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive phone notifications from Security Center.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SecurityCenter"}},"securitycenter_azure_defender_on_for_sqldb":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_azure_defender_on_for_sqldb","org":"turbot","name":"securitycenter_azure_defender_on_for_sqldb","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'SqlServers' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'SqlServers' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for SQL database servers'\n else ' Azure Defender off for SQL database servers'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":21,"endLineNumber":39,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_server_azure_defender_enabled","org":"turbot","name":"sql_server_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for SQL should be enabled for unprotected Azure SQL servers","description":"Audit SQL servers without Advanced Data Security.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SQL"}},{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.securitycenter_azure_defender_on_for_sqldb","org":"turbot","name":"securitycenter_azure_defender_on_for_sqldb","mod":"Terraform Azure Compliance","title":"Ensure that Azure Defender is set to On for Azure SQL database servers","description":"Turning on Azure Defender enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.3","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/SecurityCenter"}}],"controlTitle":"Ensure that Azure Defender is set to On for Azure SQL database servers","controlDescription":"Turning on Azure Defender enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SecurityCenter","cis":"true","cis_item_id":"2.3","cis_level":"2","cis_type":"manual"}},"securitycenter_azure_defender_on_for_keyvault":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_azure_defender_on_for_keyvault","org":"turbot","name":"securitycenter_azure_defender_on_for_keyvault","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'KeyVaults' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'KeyVaults' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for Key Vaults'\n else ' Azure Defender off for Key Vaults'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":161,"endLineNumber":179,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.securitycenter_azure_defender_on_for_keyvault","org":"turbot","name":"securitycenter_azure_defender_on_for_keyvault","mod":"Terraform Azure Compliance","title":"Ensure that Azure Defender is set to On for Key Vault","description":"Turning on Azure Defender enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.8","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/SecurityCenter"}}],"controlTitle":"Ensure that Azure Defender is set to On for Key Vault","controlDescription":"Turning on Azure Defender enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"2.8","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/SecurityCenter"}},"securitycenter_azure_defender_on_for_storage":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_azure_defender_on_for_storage","org":"turbot","name":"securitycenter_azure_defender_on_for_storage","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'StorageAccounts' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'StorageAccounts' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for Storage'\n else ' Azure Defender off for Storage'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":181,"endLineNumber":199,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.securitycenter_azure_defender_on_for_storage","org":"turbot","name":"securitycenter_azure_defender_on_for_storage","mod":"Terraform Azure Compliance","title":"Ensure that Azure Defender is set to On for Storage","description":"Turning on Azure Defender enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.5","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/SecurityCenter"}}],"controlTitle":"Ensure that Azure Defender is set to On for Storage","controlDescription":"Turning on Azure Defender enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"2.5","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/SecurityCenter"}},"securitycenter_security_alerts_to_owner_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_security_alerts_to_owner_enabled","org":"turbot","name":"securitycenter_security_alerts_to_owner_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'alerts_to_admins')::bool is true and (attributes_std -> 'alert_notifications')::bool is true then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'alerts_to_admins')::bool is true and (attributes_std -> 'alert_notifications')::bool is true then ' notify alerts to admins configured'\n else ' notify alerts to admin not configured'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_contact';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.securitycenter_security_alerts_to_owner_enabled","org":"turbot","name":"securitycenter_security_alerts_to_owner_enabled","mod":"Terraform Azure Compliance","title":"Email notification to subscription owner for high severity alerts should be enabled","description":"To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SecurityCenter"}}],"controlTitle":"Email notification to subscription owner for high severity alerts should be enabled","controlDescription":"To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SecurityCenter"}},"securitycenter_notify_alerts_configured":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_notify_alerts_configured","org":"turbot","name":"securitycenter_notify_alerts_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'alert_notifications')::bool is true then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'alert_notifications')::bool is true then ' notify alerts configured'\n else ' notify alerts not configured'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_contact';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":141,"endLineNumber":159,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.securitycenter_notify_alerts_configured","org":"turbot","name":"securitycenter_notify_alerts_configured","mod":"Terraform Azure Compliance","title":"Email notification for high severity alerts should be enabled","description":"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SecurityCenter"}}],"controlTitle":"Email notification for high severity alerts should be enabled","controlDescription":"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SecurityCenter"}},"securitycenter_azure_defender_on_for_server":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_azure_defender_on_for_server","org":"turbot","name":"securitycenter_azure_defender_on_for_server","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'VirtualMachines' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'VirtualMachines' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for Servers'\n else ' Azure Defender off for Servers'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":81,"endLineNumber":99,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_azure_defender_enabled","org":"turbot","name":"compute_vm_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for servers should be enabled","description":"Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.securitycenter_azure_defender_on_for_server","org":"turbot","name":"securitycenter_azure_defender_on_for_server","mod":"Terraform Azure Compliance","title":"Ensure that Azure Defender is set to On for Servers","description":"Turning on Azure Defender enables threat detection for Server, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1","cis_level":"2","cis_type":"manual","plugin":"terraform","service":"Azure/SecurityCenter"}}],"controlTitle":"Ensure that Azure Defender is set to On for Servers","controlDescription":"Turning on Azure Defender enables threat detection for Server, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SecurityCenter","cis":"true","cis_item_id":"2.1","cis_level":"2","cis_type":"manual"}}},"cognitive_search":{"search_service_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/search_service_public_network_access_disabled","org":"turbot","name":"search_service_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku')::text = 'free' then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_search_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitivesearch.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.search_service_public_network_access_disabled","org":"turbot","name":"search_service_public_network_access_disabled","mod":"Terraform Azure Compliance","title":"Azure Cognitive Search services should disable public network access","description":"Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your search service.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/CognitiveSearch"}}],"controlTitle":"Azure Cognitive Search services should disable public network access","controlDescription":"Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your search service.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/CognitiveSearch"}},"search_service_uses_sku_supporting_private_link":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/search_service_uses_sku_supporting_private_link","org":"turbot","name":"search_service_uses_sku_supporting_private_link","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku')::text = 'free' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku')::text = 'free' then ' SKU does not supports private link'\n else ' SKU supports private link'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_search_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitivesearch.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.search_service_uses_private_link","org":"turbot","name":"search_service_uses_private_link","mod":"Terraform Azure Compliance","title":"Azure Cognitive Search services should use private link","description":"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/CognitiveSearch"}}],"controlTitle":"Azure Cognitive Search services should use private link","controlDescription":"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/CognitiveSearch"}},"search_service_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/search_service_uses_managed_identity","org":"turbot","name":"search_service_uses_managed_identity","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity' ->> 'type')::text = 'SystemAssigned' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity' ->> 'type')::text = 'SystemAssigned' then ' uses managed identity'\n else ' not uses managed identity'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_search_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitivesearch.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.search_service_uses_managed_identity","org":"turbot","name":"search_service_uses_managed_identity","mod":"Terraform Azure Compliance","title":"Cognitive Search services should use managed identity","description":"Cognitive Search services should use a managed identity for enhanced authentication security.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/CognitiveSearch"}}],"controlTitle":"Cognitive Search services should use managed identity","controlDescription":"Cognitive Search services should use a managed identity for enhanced authentication security.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/CognitiveSearch"}},"search_service_replica_count_3":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/search_service_replica_count_3","org":"turbot","name":"search_service_replica_count_3","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'replica_count')::int > 3 then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'replica_count')::int > 3 then ' replica count is greater than 3'\n else ' replica count is greater than 3'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_search_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitivesearch.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.search_service_replica_count_3","org":"turbot","name":"search_service_replica_count_3","mod":"Terraform Azure Compliance","title":"Cognitive Search services should maintain SLA for index updates","description":"This control checks if Cognitive Search maintains SLA for index updates.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/CognitiveSearch"}}],"controlTitle":"Cognitive Search services should maintain SLA for index updates","controlDescription":"This control checks if Cognitive Search maintains SLA for index updates.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/CognitiveSearch"}},"search_service_public_allowed_ip_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/search_service_public_allowed_ip_restrict_public_access","org":"turbot","name":"search_service_public_allowed_ip_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'allowed_ips') @> '[\"0.0.0.0/0\"]' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'allowed_ips') @> '[\"0.0.0.0/0\"]' then ' allowed IPS does not restrict public access'\n else ' allowed IPS restrict public access'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_search_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitivesearch.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.search_service_public_allowed_ip_restrict_public_access","org":"turbot","name":"search_service_public_allowed_ip_restrict_public_access","mod":"Terraform Azure Compliance","title":"Cognitive Search services allowed IPs should restrict public access","description":"This control checks if Cognitive Search service allowed IPs restrict public access.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/CognitiveSearch"}}],"controlTitle":"Cognitive Search services allowed IPs should restrict public access","controlDescription":"This control checks if Cognitive Search service allowed IPs restrict public access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/CognitiveSearch"}}},"postgre_sql":{"postgresql_server_infrastructure_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgresql_server_infrastructure_encryption_enabled","org":"turbot","name":"postgresql_server_infrastructure_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'infrastructure_encryption_enabled') is null then 'alarm'\n when (attributes_std ->> 'infrastructure_encryption_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'infrastructure_encryption_enabled') is null then ' ''infrastructure_encryption_enabled'' not set'\n when (attributes_std ->> 'infrastructure_encryption_enabled')::boolean then ' infrastructure encryption enabled'\n else ' infrastructure encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_postgresql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":75,"endLineNumber":96,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.postgresql_server_infrastructure_encryption_enabled","org":"turbot","name":"postgresql_server_infrastructure_encryption_enabled","mod":"Terraform Azure Compliance","title":"Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers","description":"Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/PostgreSQL"}}],"controlTitle":"Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers","controlDescription":"Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/PostgreSQL"}},"postgresql_server_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgresql_server_public_network_access_disabled","org":"turbot","name":"postgresql_server_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') is null then 'alarm'\n when (attributes_std ->> 'public_network_access_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') is null then ' ''public_network_access_enabled'' not set'\n when (attributes_std ->> 'public_network_access_enabled')::boolean then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_postgresql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":232,"endLineNumber":253,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.postgresql_server_public_network_access_disabled","org":"turbot","name":"postgresql_server_public_network_access_disabled","mod":"Terraform Azure Compliance","title":"Public network access should be disabled for PostgreSQL servers","description":"Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/PostgreSQL"}}],"controlTitle":"Public network access should be disabled for PostgreSQL servers","controlDescription":"Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/PostgreSQL"}},"postgres_db_server_log_retention_days_3":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_server_log_retention_days_3","org":"turbot","name":"postgres_db_server_log_retention_days_3","sql":"with postgresql_server as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_server'\n), log_disconnections_configuration as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_configuration'\n and (attributes_std ->> 'name') = 'log_retention_days'\n and (attributes_std ->> 'value')::int > 3\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'server_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'server_name') is not null then ' log files are retained for more than 3 days'\n else ' og files are retained for 3 days or lesser'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n postgresql_server as a\n left join log_disconnections_configuration as s on a.name = ( split_part((s.attributes_std ->> 'server_name'), '.', 2));\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":1,"endLineNumber":36,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.postgres_db_server_log_retention_days_3","org":"turbot","name":"postgres_db_server_log_retention_days_3","mod":"Terraform Azure Compliance","title":"Enable log_retention_days on PostgreSQL Servers","description":"Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.5","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/PostgreSQL"}}],"controlTitle":"Enable log_retention_days on PostgreSQL Servers","controlDescription":"Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.5","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/PostgreSQL"}},"postgres_db_server_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_server_latest_tls_version","org":"turbot","name":"postgres_db_server_latest_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'ssl_minimal_tls_version_enforced') is null or (attributes_std ->> 'ssl_minimal_tls_version_enforced') = 'TLS1_2' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'ssl_minimal_tls_version_enforced') is null or (attributes_std ->> 'ssl_minimal_tls_version_enforced') = 'TLS1_2' then ' using the latest version of TLS encryption'\n else ' not using the latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_postgresql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":361,"endLineNumber":380,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.postgres_db_server_latest_tls_version","org":"turbot","name":"postgres_db_server_latest_tls_version","mod":"Terraform Azure Compliance","title":"PostgreSQL Servers should use at least TLS 1.2 version","description":"This control checks that the PostgreSQL server uses at least TLS 1.2 version. This control is non-compliant if PostgreSQL server uses older TLS version.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/PostgreSQL"}}],"controlTitle":"PostgreSQL Servers should use at least TLS 1.2 version","controlDescription":"This control checks that the PostgreSQL server uses at least TLS 1.2 version. This control is non-compliant if PostgreSQL server uses older TLS version.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/PostgreSQL"}},"postgres_db_server_threat_detection_policy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_server_threat_detection_policy_enabled","org":"turbot","name":"postgres_db_server_threat_detection_policy_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'threat_detection_policy') is null then 'alarm'\n when (attributes_std -> 'threat_detection_policy' ->> 'enabled') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'threat_detection_policy') is null then ' threat detection policy not set'\n when (attributes_std -> 'threat_detection_policy' ->> 'enabled') = 'true' then ' threat detection policy enabled'\n else ' threat detection policy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_postgresql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":338,"endLineNumber":359,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.postgres_db_server_threat_detection_policy_enabled","org":"turbot","name":"postgres_db_server_threat_detection_policy_enabled","mod":"Terraform Azure Compliance","title":"PostgreSQL Servers threat detection policy should be enabled","description":"Ensure that PostgreSQL server threat detection policy is enabled. This control is non-compliant if PostgreSQL server threat detection policy is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/PostgreSQL"}}],"controlTitle":"PostgreSQL Servers threat detection policy should be enabled","controlDescription":"Ensure that PostgreSQL server threat detection policy is enabled. This control is non-compliant if PostgreSQL server threat detection policy is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/PostgreSQL"}},"postgresql_ssl_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgresql_ssl_enabled","org":"turbot","name":"postgresql_ssl_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'ssl_enforcement_enabled') is null then 'alarm'\n when (attributes_std ->> 'ssl_enforcement_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'ssl_enforcement_enabled') is null then ' ''ssl_enforcement_enabled'' not set'\n when (attributes_std ->> 'ssl_enforcement_enabled')::boolean then ' SSL connection enabled'\n else ' SSL connection disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_postgresql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":292,"endLineNumber":313,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.postgresql_ssl_enabled","org":"turbot","name":"postgresql_ssl_enabled","mod":"Terraform Azure Compliance","title":"Enforce SSL connection should be enabled for PostgreSQL database servers","description":"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/PostgreSQL"}}],"controlTitle":"Enforce SSL connection should be enabled for PostgreSQL database servers","controlDescription":"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/PostgreSQL"}},"postgres_db_server_log_checkpoints_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_server_log_checkpoints_on","org":"turbot","name":"postgres_db_server_log_checkpoints_on","sql":"with postgresql_server as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_server'\n), log_checkpoints_configuration as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_configuration'\n and (attributes_std ->> 'name') = 'log_checkpoints'\n and (attributes_std ->> 'value') = 'on'\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'server_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'server_name') is not null then ' server parameter log_checkpoints on'\n else ' server parameter log_checkpoints off'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n postgresql_server as a\n left join log_checkpoints_configuration as s on a.name = (split_part((s.attributes_std ->> 'server_name'), '.', 2));\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":158,"endLineNumber":193,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.postgres_db_server_log_checkpoints_on","org":"turbot","name":"postgres_db_server_log_checkpoints_on","mod":"Terraform Azure Compliance","title":"Enable log_checkpoints on PostgreSQL Servers","description":"Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/PostgreSQL"}}],"controlTitle":"Enable log_checkpoints on PostgreSQL Servers","controlDescription":"Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/PostgreSQL"}},"postgres_db_server_geo_redundant_backup_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_server_geo_redundant_backup_enabled","org":"turbot","name":"postgres_db_server_geo_redundant_backup_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'geo_redundant_backup_enabled') is null then 'alarm'\n when (attributes_std ->> 'geo_redundant_backup_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'geo_redundant_backup_enabled') is null then ' ''geo_redundant_backup_enabled'' not set'\n when (attributes_std ->> 'geo_redundant_backup_enabled')::boolean then ' Geo-redundant backup enabled'\n else ' Geo-redundant backup disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_postgresql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":98,"endLineNumber":119,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.postgres_db_server_geo_redundant_backup_enabled","org":"turbot","name":"postgres_db_server_geo_redundant_backup_enabled","mod":"Terraform Azure Compliance","title":"Geo-redundant backup should be enabled for Azure Database for PostgreSQL","description":"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/PostgreSQL"}}],"controlTitle":"Geo-redundant backup should be enabled for Azure Database for PostgreSQL","controlDescription":"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/PostgreSQL"}},"postgres_db_flexible_server_geo_redundant_backup_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_flexible_server_geo_redundant_backup_enabled","org":"turbot","name":"postgres_db_flexible_server_geo_redundant_backup_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'geo_redundant_backup_enabled') is null then 'alarm'\n when (attributes_std ->> 'geo_redundant_backup_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'geo_redundant_backup_enabled') is null then ' ''geo_redundant_backup_enabled'' not set'\n when (attributes_std ->> 'geo_redundant_backup_enabled')::boolean then ' geo-redundant backup enabled'\n else ' geo-redundant backup disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_postgresql_flexible_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":315,"endLineNumber":336,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.postgres_db_flexible_server_geo_redundant_backup_enabled","org":"turbot","name":"postgres_db_flexible_server_geo_redundant_backup_enabled","mod":"Terraform Azure Compliance","title":"PostgreSQL flexible serves Geo-redundant backup should be enabled","description":"Azure Database for PostgreSQL flexible serves allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/PostgreSQL"}}],"controlTitle":"PostgreSQL flexible serves Geo-redundant backup should be enabled","controlDescription":"Azure Database for PostgreSQL flexible serves allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/PostgreSQL"}},"postgres_db_server_connection_throttling_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_server_connection_throttling_on","org":"turbot","name":"postgres_db_server_connection_throttling_on","sql":"with postgresql_server as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_server'\n), connection_throttling_configuration as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_configuration'\n and (attributes_std ->> 'name') = 'connection_throttling'\n and (attributes_std ->> 'value') = 'on'\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'server_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'server_name') is not null then ' server parameter connection_throttling on'\n else ' server parameter connection_throttling off'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n postgresql_server as a\n left join connection_throttling_configuration as s on a.name = ( split_part((s.attributes_std ->> 'server_name'), '.', 2));\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":38,"endLineNumber":73,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.postgres_db_server_connection_throttling_on","org":"turbot","name":"postgres_db_server_connection_throttling_on","mod":"Terraform Azure Compliance","title":"Enable connection_throttling on PostgreSQL Servers","description":"Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.6","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/PostgreSQL"}}],"controlTitle":"Enable connection_throttling on PostgreSQL Servers","controlDescription":"Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.6","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/PostgreSQL"}},"postgres_db_server_log_connections_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_server_log_connections_on","org":"turbot","name":"postgres_db_server_log_connections_on","sql":"with postgresql_server as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_server'\n), log_connections_configuration as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_configuration'\n and (attributes_std ->> 'name') = 'log_connections'\n and (attributes_std ->> 'value') = 'on'\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'server_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'server_name') is not null then ' server parameter log_connections on'\n else ' server parameter log_connections off'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n postgresql_server as a\n left join log_connections_configuration as s on a.name = (split_part((s.attributes_std ->> 'server_name'), '.', 2));\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":195,"endLineNumber":230,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.postgres_db_server_log_connections_on","org":"turbot","name":"postgres_db_server_log_connections_on","mod":"Terraform Azure Compliance","title":"Enable log_connections on PostgreSQL Servers","description":"Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.4","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/PostgreSQL"}}],"controlTitle":"Enable log_connections on PostgreSQL Servers","controlDescription":"Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.4","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/PostgreSQL"}},"postgres_db_server_log_disconnections_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_server_log_disconnections_on","org":"turbot","name":"postgres_db_server_log_disconnections_on","sql":"with postgresql_server as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_server'\n), log_disconnections_configuration as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_configuration'\n and (attributes_std ->> 'name') = 'log_disconnections'\n and (attributes_std ->> 'value') = 'on'\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'server_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'server_name') is not null then ' server parameter log_disconnections on'\n else ' server parameter log_disconnections off'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n postgresql_server as a\n left join log_disconnections_configuration as s on a.name = (split_part((s.attributes_std ->> 'server_name'), '.', 2));\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":255,"endLineNumber":290,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.postgres_db_server_log_disconnections_on","org":"turbot","name":"postgres_db_server_log_disconnections_on","mod":"Terraform Azure Compliance","title":"Enable log_disconnections on PostgreSQL Servers","description":"Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.5","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/PostgreSQL"}}],"controlTitle":"Enable log_disconnections on PostgreSQL Servers","controlDescription":"Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.5","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/PostgreSQL"}},"postgresql_server_encrypted_at_rest_using_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgresql_server_encrypted_at_rest_using_cmk","org":"turbot","name":"postgresql_server_encrypted_at_rest_using_cmk","sql":"with postgresql_server as (\n select\n '${azurerm_postgresql_server.' || name || '.id}' as pg_id,\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_server'\n), server_keys as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_server_key'\n and (attributes_std -> 'key_vault_key_id') is not null\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'server_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'server_id') is not null then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n postgresql_server as a\n left join server_keys as s on a.pg_id = ( s.attributes_std ->> 'server_id');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":121,"endLineNumber":156,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.postgresql_server_encrypted_at_rest_using_cmk","org":"turbot","name":"postgresql_server_encrypted_at_rest_using_cmk","mod":"Terraform Azure Compliance","title":"PostgreSQL servers should use customer-managed keys to encrypt data at rest","description":"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/PostgreSQL"}}],"controlTitle":"PostgreSQL servers should use customer-managed keys to encrypt data at rest","controlDescription":"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/PostgreSQL"}}},"redis":{"redis_cache_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/redis_cache_restrict_public_access","org":"turbot","name":"redis_cache_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_redis_cache';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redis.pp","startLineNumber":67,"endLineNumber":86,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.redis_cache_restrict_public_access","org":"turbot","name":"redis_cache_restrict_public_access","mod":"Terraform Azure Compliance","title":"Redis Caches should restrict public access","description":"Disabling public network access improves security by ensuring that Redis Cache isn't exposed on the public internet. Creating private endpoints can limit exposure of Redis Cache.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Redis"}}],"controlTitle":"Redis Caches should restrict public access","controlDescription":"Disabling public network access improves security by ensuring that Redis Cache isn't exposed on the public internet. Creating private endpoints can limit exposure of Redis Cache.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Redis"}},"redis_cache_standard_replication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/redis_cache_standard_replication_enabled","org":"turbot","name":"redis_cache_standard_replication_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku_name') in ('Standard' , 'Premium') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku_name') in ('Standard' , 'Premium') then ' standard replication enabled'\n else ' standard replication disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_redis_cache';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redis.pp","startLineNumber":88,"endLineNumber":107,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.redis_cache_standard_replication_enabled","org":"turbot","name":"redis_cache_standard_replication_enabled","mod":"Terraform Azure Compliance","title":"Redis Caches standard replication should be enabled","description":"This control ensures that standard replication is enabled for Redis Caches.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Redis"}}],"controlTitle":"Redis Caches standard replication should be enabled","controlDescription":"This control ensures that standard replication is enabled for Redis Caches.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Redis"}},"redis_cache_min_tls_1_2":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/redis_cache_min_tls_1_2","org":"turbot","name":"redis_cache_min_tls_1_2","sql":"select\n address as resource,\n attributes_std ->> 'minimum_tls_version',\n case\n when (attributes_std -> 'minimum_tls_version') is null then 'alarm'\n when (attributes_std ->> 'minimum_tls_version')::float < 1.2 then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'minimum_tls_version') is null then ' ''min_tls_version'' not defined'\n when (attributes_std ->> 'minimum_tls_version')::float < 1.2 then ' not using the latest version of TLS encryption'\n else ' using the latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_redis_cache';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redis.pp","startLineNumber":43,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.redis_cache_min_tls_1_2","org":"turbot","name":"redis_cache_min_tls_1_2","mod":"Terraform Azure Compliance","title":"Redis Caches 'Minimum TLS version' should be set to 'Version 1.2'","description":"This control checks whether 'Minimum TLS version' is set to 1.2. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to later protocols such as TLS 1.2.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/Redis"}}],"controlTitle":"Redis Caches 'Minimum TLS version' should be set to 'Version 1.2'","controlDescription":"This control checks whether 'Minimum TLS version' is set to 1.2. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to later protocols such as TLS 1.2.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/Redis"}},"azure_redis_cache_ssl_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/azure_redis_cache_ssl_enabled","org":"turbot","name":"azure_redis_cache_ssl_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enable_non_ssl_port')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enable_non_ssl_port')::boolean then ' secure connections disabled'\n else ' secure connections enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_redis_cache';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redis.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.azure_redis_cache_ssl_enabled","org":"turbot","name":"azure_redis_cache_ssl_enabled","mod":"Terraform Azure Compliance","title":"Only secure connections to your Azure Cache for Redis should be enabled","description":"Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Redis"}}],"controlTitle":"Only secure connections to your Azure Cache for Redis should be enabled","controlDescription":"Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Redis"}},"azure_redis_cache_in_virtual_network":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/azure_redis_cache_in_virtual_network","org":"turbot","name":"azure_redis_cache_in_virtual_network","sql":"select\n address as resource,\n case\n when (attributes_std -> 'subnet_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'subnet_id') is not null then ' in virtual network'\n else ' not in virtual network'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_redis_cache';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redis.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.azure_redis_cache_in_virtual_network","org":"turbot","name":"azure_redis_cache_in_virtual_network","mod":"Terraform Azure Compliance","title":"Azure Cache for Redis should reside within a virtual network","description":"Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Redis"}}],"controlTitle":"Azure Cache for Redis should reside within a virtual network","controlDescription":"Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Redis"}},"redis_instance_auth_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/redis_instance_auth_enabled","org":"turbot","name":"redis_instance_auth_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'auth_enabled') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'auth_enabled') = 'true' then ' Auth enabled'\n else ' Auth disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_redis_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redis.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.redis_instance_auth_enabled","org":"turbot","name":"redis_instance_auth_enabled","mod":"Terraform GCP Compliance","title":"Redis instances should have auth enabled","description":"Ensure Redis instance has Auth enabled. This control is non-compliant if Auth is disabled for Redis instance.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Redis"}}],"controlTitle":"Redis instances should have auth enabled","controlDescription":"Ensure Redis instance has Auth enabled. This control is non-compliant if Auth is disabled for Redis instance.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Redis"}},"redis_instance_encryption_in_transit_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/redis_instance_encryption_in_transit_enabled","org":"turbot","name":"redis_instance_encryption_in_transit_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'transit_encryption_mode') = 'SERVER_AUTHENTICATION' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'transit_encryption_mode') = 'SERVER_AUTHENTICATION' then ' encryption in transit enabled'\n else ' encryption in transit disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_redis_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redis.pp","startLineNumber":21,"endLineNumber":39,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.redis_instance_encryption_in_transit_enabled","org":"turbot","name":"redis_instance_encryption_in_transit_enabled","mod":"Terraform GCP Compliance","title":"Redis instances encryption in transit should be enabled","description":"Ensure Redis instance encryption in transit is enabled. This control is non-compliant if encryption in transit is disabled for Redis instances.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Redis"}}],"controlTitle":"Redis instances encryption in transit should be enabled","controlDescription":"Ensure Redis instance encryption in transit is enabled. This control is non-compliant if encryption in transit is disabled for Redis instances.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Redis"}}},"network":{"network_virtual_network_dns_server_2":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_virtual_network_dns_server_2","org":"turbot","name":"network_virtual_network_dns_server_2","sql":"select\n address as resource,\n case\n when attributes_std -> 'dns_servers' is null then 'alarm'\n when jsonb_array_length(attributes_std -> 'dns_servers') > 1 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when attributes_std -> 'dns_servers' is null then ' DNS servers not defined'\n else ' has ' || (jsonb_array_length(attributes_std -> 'dns_servers')) || ' DNS server(s) configured'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_virtual_network_dns_servers';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":538,"endLineNumber":557,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_virtual_network_dns_server_2","org":"turbot","name":"network_virtual_network_dns_server_2","mod":"Terraform Azure Compliance","title":"Network DNS server should have at least two connected DNS Endpoint","description":"This check ensures that Network DNS server has at least two connected DNS Endpoints.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network DNS server should have at least two connected DNS Endpoint","controlDescription":"This check ensures that Network DNS server has at least two connected DNS Endpoints.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_security_group_udp_access_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_group_udp_access_restricted","org":"turbot","name":"network_security_group_udp_access_restricted","sql":"$80","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":114,"endLineNumber":161,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_security_group_udp_access_restricted","org":"turbot","name":"network_security_group_udp_access_restricted","mod":"Terraform Azure Compliance","title":"Network Security Groups UDP Services are restricted from the Internet","description":"Disable Internet exposed UDP ports on network security groups.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network Security Groups UDP Services are restricted from the Internet","controlDescription":"Disable Internet exposed UDP ports on network security groups.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_security_rule_udp_access_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_rule_udp_access_restricted","org":"turbot","name":"network_security_rule_udp_access_restricted","sql":"select\n address as resource,\n case\n when lower(attributes_std ->> 'protocol') = 'udp'\n and lower(attributes_std ->> 'direction') = 'inbound'\n and lower(attributes_std ->> 'access') = 'allow'\n and lower(attributes_std ->> 'source_address_prefix') in ('*', '0.0.0.0', '/0', '/0', 'internet', 'any') then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when lower(attributes_std ->> 'protocol') = 'udp'\n and lower(attributes_std ->> 'direction') = 'inbound'\n and lower(attributes_std ->> 'access') = 'allow'\n and lower(attributes_std ->> 'source_address_prefix') in ('*', '0.0.0.0', '/0', '/0', 'internet', 'any') then ' allows UDP services from internet'\n else ' restricts UDP services from internet'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_network_security_rule';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":163,"endLineNumber":187,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_security_rule_udp_access_restricted","org":"turbot","name":"network_security_rule_udp_access_restricted","mod":"Terraform Azure Compliance","title":"Network Security Rules UDP Services are restricted from the Internet","description":"Disable Internet exposed UDP ports on network security rules.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network Security Rules UDP Services are restricted from the Internet","controlDescription":"Disable Internet exposed UDP ports on network security rules.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_security_group_rdp_access_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_group_rdp_access_restricted","org":"turbot","name":"network_security_group_rdp_access_restricted","sql":"$81","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":240,"endLineNumber":296,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_security_group_rdp_access_restricted","org":"turbot","name":"network_security_group_rdp_access_restricted","mod":"Terraform Azure Compliance","title":"Network Security Groups RDP Services are restricted from the Internet","description":"Disable Internet exposed RDP ports on network security groups.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network Security Groups RDP Services are restricted from the Internet","controlDescription":"Disable Internet exposed RDP ports on network security groups.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_security_rule_ssh_access_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_rule_ssh_access_restricted","org":"turbot","name":"network_security_rule_ssh_access_restricted","sql":"$82","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":298,"endLineNumber":347,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_security_rule_ssh_access_restricted","org":"turbot","name":"network_security_rule_ssh_access_restricted","mod":"Terraform Azure Compliance","title":"Network Security Rules SSH Services are restricted from the Internet","description":"Disable Internet exposed RDP ports on network security rules.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network Security Rules SSH Services are restricted from the Internet","controlDescription":"Disable Internet exposed RDP ports on network security rules.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_security_group_ssh_access_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_group_ssh_access_restricted","org":"turbot","name":"network_security_group_ssh_access_restricted","sql":"$83","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":349,"endLineNumber":405,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_security_group_ssh_access_restricted","org":"turbot","name":"network_security_group_ssh_access_restricted","mod":"Terraform Azure Compliance","title":"Network Security Groups SSH Services are restricted from the Internet","description":"Disable Internet exposed RDP ports on network security groups.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network Security Groups SSH Services are restricted from the Internet","controlDescription":"Disable Internet exposed RDP ports on network security groups.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_security_rule_http_access_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_rule_http_access_restricted","org":"turbot","name":"network_security_rule_http_access_restricted","sql":"$84","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":407,"endLineNumber":456,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_security_rule_http_access_restricted","org":"turbot","name":"network_security_rule_http_access_restricted","mod":"Terraform Azure Compliance","title":"Network Security Rules HTTP Services are restricted from the Internet","description":"Disable Internet exposed HTTP ports on network security rules.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network Security Rules HTTP Services are restricted from the Internet","controlDescription":"Disable Internet exposed HTTP ports on network security rules.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_security_group_not_configured_gateway_subnets":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_group_not_configured_gateway_subnets","org":"turbot","name":"network_security_group_not_configured_gateway_subnets","sql":"$85","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":56,"endLineNumber":90,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_security_group_not_configured_gateway_subnets","org":"turbot","name":"network_security_group_not_configured_gateway_subnets","mod":"Terraform Azure Compliance","title":"Gateway subnets should not be configured with a network security group","description":"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Gateway subnets should not be configured with a network security group","controlDescription":"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/Network"}},"network_watcher_flow_log_retention_period_90_days":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_watcher_flow_log_retention_period_90_days","org":"turbot","name":"network_watcher_flow_log_retention_period_90_days","sql":"select\n address as resource,\n case\n when (attributes_std -> 'retention_policy' ->> 'enabled') = 'false' then 'alarm'\n when (attributes_std -> 'retention_policy' ->> 'enabled') = 'true' and (attributes_std -> 'retention_policy' ->> 'days')::int >= 90 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'retention_policy' ->> 'enabled') = 'false' then ' retention policy disabled'\n else ' retention set to ' || (attributes_std -> 'retention_policy' ->> 'days') || ' day(s)'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_network_watcher_flow_log';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":92,"endLineNumber":112,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_watcher_flow_log_retention_period_90_days","org":"turbot","name":"network_watcher_flow_log_retention_period_90_days","mod":"Terraform Azure Compliance","title":"Network Watcher flow logs should have retention set to 90 days or greater","description":"This control is non-compliant if Network Watcher flow log retention is set to less than 90 days.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network Watcher flow logs should have retention set to 90 days or greater","controlDescription":"This control is non-compliant if Network Watcher flow log retention is set to less than 90 days.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_dns_server_2":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_dns_server_2","org":"turbot","name":"network_dns_server_2","sql":"select\n address as resource,\n case\n when attributes_std -> 'dns_servers' is null then 'alarm'\n when jsonb_array_length(attributes_std -> 'dns_servers') > 1 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when attributes_std -> 'dns_servers' is null then ' DNS servers not defined'\n else ' has ' || (jsonb_array_length(attributes_std -> 'dns_servers')) || ' DNS server(s) configured'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_virtual_network';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":516,"endLineNumber":536,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_dns_server_2","org":"turbot","name":"network_dns_server_2","mod":"Terraform Azure Compliance","title":"Network should have at least two connected DNS Endpoints","description":"This check ensures that Network has at least two connected DNS Endpoints.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network should have at least two connected DNS Endpoints","controlDescription":"This check ensures that Network has at least two connected DNS Endpoints.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_security_rule_rdp_access_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_rule_rdp_access_restricted","org":"turbot","name":"network_security_rule_rdp_access_restricted","sql":"$86","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":189,"endLineNumber":238,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_security_rule_rdp_access_restricted","org":"turbot","name":"network_security_rule_rdp_access_restricted","mod":"Terraform Azure Compliance","title":"Network Security Rules RDP Services are restricted from the Internet","description":"Disable Internet exposed RDP ports on network security rules.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network Security Rules RDP Services are restricted from the Internet","controlDescription":"Disable Internet exposed RDP ports on network security rules.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_security_group_subnet_associated":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_group_subnet_associated","org":"turbot","name":"network_security_group_subnet_associated","sql":"with all_subnet as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_subnet'\n), network_security_group_association as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_subnet_network_security_group_association'\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'subnet_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'subnet_id') is not null then ' associated with subnet'\n else ' not associated with subnet'\n end || '.' reason\n , a.path || ':' || a.start_line\nfrom\n all_subnet as a\n left join network_security_group_association as s on a.name = ( split_part((s.attributes_std ->> 'subnet_id'), '.', 2));\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":1,"endLineNumber":33,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_security_group_subnet_associated","org":"turbot","name":"network_security_group_subnet_associated","mod":"Terraform Azure Compliance","title":"Subnets should be associated with a Network Security Group","description":"This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Subnets should be associated with a Network Security Group","controlDescription":"This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Network"}},"network_security_group_http_access_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_group_http_access_restricted","org":"turbot","name":"network_security_group_http_access_restricted","sql":"$87","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":458,"endLineNumber":514,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_security_group_http_access_restricted","org":"turbot","name":"network_security_group_http_access_restricted","mod":"Terraform Azure Compliance","title":"Network Security Groups HTTP Services are restricted from the Internet","description":"Disable Internet exposed HTTP ports on network security groups.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network Security Groups HTTP Services are restricted from the Internet","controlDescription":"Disable Internet exposed HTTP ports on network security groups.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"application_gateway_waf_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/application_gateway_waf_enabled","org":"turbot","name":"application_gateway_waf_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'waf_configuration') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'waf_configuration') is not null then ' WAF enabled'\n else ' WAF disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_application_gateway';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/applicationgateway.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.application_gateway_waf_enabled","org":"turbot","name":"application_gateway_waf_enabled","mod":"Terraform Azure Compliance","title":"Web Application Firewall (WAF) should be enabled for Application Gateway","description":"Deploy Azure Web Application Firewall (WAF) in front of public-facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Web Application Firewall (WAF) should be enabled for Application Gateway","controlDescription":"Deploy Azure Web Application Firewall (WAF) in front of public-facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/Network"}}},"my_sql":{"mysql_server_encrypted_at_rest_using_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mysql_server_encrypted_at_rest_using_cmk","org":"turbot","name":"mysql_server_encrypted_at_rest_using_cmk","sql":"with mysql_server as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_mysql_server'\n), server_keys as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_mysql_server_key'\n and (attributes_std -> 'key_vault_key_id') is not null\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'server_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'server_id') is not null then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n mysql_server as a\n left join server_keys as s on a.name = (split_part((s.attributes_std ->> 'server_id'), '.', 2));\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mysql.pp","startLineNumber":85,"endLineNumber":119,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.mysql_server_encrypted_at_rest_using_cmk","org":"turbot","name":"mysql_server_encrypted_at_rest_using_cmk","mod":"Terraform Azure Compliance","title":"MySQL servers should use customer-managed keys to encrypt data at rest","description":"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/MySQL"}}],"controlTitle":"MySQL servers should use customer-managed keys to encrypt data at rest","controlDescription":"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/MySQL"}},"mysql_server_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mysql_server_public_network_access_disabled","org":"turbot","name":"mysql_server_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled')::boolean then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mysql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mysql.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.mysql_server_public_network_access_disabled","org":"turbot","name":"mysql_server_public_network_access_disabled","mod":"Terraform Azure Compliance","title":"Public network access should be disabled for MySQL servers","description":"Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/MySQL"}}],"controlTitle":"Public network access should be disabled for MySQL servers","controlDescription":"Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/MySQL"}},"mysql_db_server_geo_redundant_backup_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mysql_db_server_geo_redundant_backup_enabled","org":"turbot","name":"mysql_db_server_geo_redundant_backup_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'geo_redundant_backup_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'geo_redundant_backup_enabled')::boolean then ' Geo-redundant backup enabled'\n else ' Geo-redundant backup disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mysql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mysql.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.mysql_db_server_geo_redundant_backup_enabled","org":"turbot","name":"mysql_db_server_geo_redundant_backup_enabled","mod":"Terraform Azure Compliance","title":"Geo-redundant backup should be enabled for Azure Database for MySQL","description":"Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/MySQL"}}],"controlTitle":"Geo-redundant backup should be enabled for Azure Database for MySQL","controlDescription":"Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/MySQL"}},"mysql_ssl_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mysql_ssl_enabled","org":"turbot","name":"mysql_ssl_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'ssl_enforcement_enabled')::boolean then 'ok'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'ssl_enforcement_enabled')::boolean then ' SSL connection enabled'\n else ' SSL connection disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mysql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mysql.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.mysql_ssl_enabled","org":"turbot","name":"mysql_ssl_enabled","mod":"Terraform Azure Compliance","title":"Enforce SSL connection should be enabled for MySQL database servers","description":"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/MySQL"}}],"controlTitle":"Enforce SSL connection should be enabled for MySQL database servers","controlDescription":"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/MySQL"}},"mysql_server_min_tls_1_2":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mysql_server_min_tls_1_2","org":"turbot","name":"mysql_server_min_tls_1_2","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'ssl_minimal_tls_version_enforced') is null)\n or ((attributes_std ->> 'ssl_minimal_tls_version_enforced') = 'TLS1_2') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'ssl_minimal_tls_version_enforced') is null)\n or ((attributes_std ->> 'ssl_minimal_tls_version_enforced') = 'TLS1_2') then ' not using the latest version of TLS encryption'\n else ' using the latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mysql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mysql.pp","startLineNumber":121,"endLineNumber":142,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.mysql_server_min_tls_1_2","org":"turbot","name":"mysql_server_min_tls_1_2","mod":"Terraform Azure Compliance","title":"Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server","description":"Ensure TLS version on MySQL flexible servers is set to the default value.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/MySQL"}}],"controlTitle":"Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server","controlDescription":"Ensure TLS version on MySQL flexible servers is set to the default value.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/MySQL"}},"mysql_server_infrastructure_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mysql_server_infrastructure_encryption_enabled","org":"turbot","name":"mysql_server_infrastructure_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'infrastructure_encryption_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'infrastructure_encryption_enabled')::boolean then ' infrastructure encryption enabled'\n else ' infrastructure encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mysql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mysql.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.mysql_server_infrastructure_encryption_enabled","org":"turbot","name":"mysql_server_infrastructure_encryption_enabled","mod":"Terraform Azure Compliance","title":"Infrastructure encryption should be enabled for Azure Database for MySQL servers","description":"Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/MySQL"}}],"controlTitle":"Infrastructure encryption should be enabled for Azure Database for MySQL servers","controlDescription":"Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/MySQL"}},"mysql_server_threat_detection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mysql_server_threat_detection_enabled","org":"turbot","name":"mysql_server_threat_detection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'threat_detection_policy') is null then 'alarm'\n when (attributes_std -> 'threat_detection_policy' ->> 'enabled') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'threat_detection_policy') is null then ' threat detection policy not defined'\n when (attributes_std -> 'threat_detection_policy' ->> 'enabled') = 'true' then ' threat detection policy enabled'\n else ' threat detection policy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mysql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mysql.pp","startLineNumber":144,"endLineNumber":165,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.mysql_server_threat_detection_enabled","org":"turbot","name":"mysql_server_threat_detection_enabled","mod":"Terraform Azure Compliance","title":"MySQL servers should have threat detection enabled","description":"Ensure MySQL server threat detection policy enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/MySQL"}}],"controlTitle":"MySQL servers should have threat detection enabled","controlDescription":"Ensure MySQL server threat detection policy enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/MySQL"}}},"service_bus":{"service_bus_namespace_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/service_bus_namespace_latest_tls_version","org":"turbot","name":"service_bus_namespace_latest_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'minimum_tls_version')::float < 1.2 then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'minimum_tls_version')::float < 1.2 then ' not using the latest version of TLS encryption'\n else ' using the latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_servicebus_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/servicebus.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.service_bus_namespace_latest_tls_version","org":"turbot","name":"service_bus_namespace_latest_tls_version","mod":"Terraform Azure Compliance","title":"Service bus namespaces should use the latest TLS version","description":"It is highly recommended to use the latest TLS 1.2 version for Service bus namespaces secure connections.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}}],"controlTitle":"Service bus namespaces should use the latest TLS version","controlDescription":"It is highly recommended to use the latest TLS 1.2 version for Service bus namespaces secure connections.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}},"service_bus_namespace_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/service_bus_namespace_uses_managed_identity","org":"turbot","name":"service_bus_namespace_uses_managed_identity","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity' ->> 'type') = 'SystemAssigned' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity' ->> 'type') = 'SystemAssigned' then ' uses managed identity'\n else ' not use managed identity'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_servicebus_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/servicebus.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.service_bus_namespace_uses_managed_identity","org":"turbot","name":"service_bus_namespace_uses_managed_identity","mod":"Terraform Azure Compliance","title":"Service bus namespaces should use managed identity","description":"Use a managed identity for enhanced authentication security. A managed identity from Azure Active Directory (Azure AD) allows your namespace to easily access other Azure AD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}}],"controlTitle":"Service bus namespaces should use managed identity","controlDescription":"Use a managed identity for enhanced authentication security. A managed identity from Azure Active Directory (Azure AD) allows your namespace to easily access other Azure AD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}},"service_bus_namespace_infrastructure_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/service_bus_namespace_infrastructure_encryption_enabled","org":"turbot","name":"service_bus_namespace_infrastructure_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'customer_managed_key' -> 'infrastructure_encryption_enabled')::bool is true then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'customer_managed_key' -> 'infrastructure_encryption_enabled')::bool is true then ' infrastructure encryption enabled'\n else ' infrastructure encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_servicebus_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/servicebus.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.service_bus_namespace_infrastructure_encryption_enabled","org":"turbot","name":"service_bus_namespace_infrastructure_encryption_enabled","mod":"Terraform Azure Compliance","title":"Service Bus namespaces should have infrastructure encryption enabled","description":"Ensure Service Bus namespace infrastructure encryption is enabled. This control is non-complaint if namespace infrastructure encryption is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}}],"controlTitle":"Service Bus namespaces should have infrastructure encryption enabled","controlDescription":"Ensure Service Bus namespace infrastructure encryption is enabled. This control is non-complaint if namespace infrastructure encryption is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}},"service_bus_namespace_local_auth_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/service_bus_namespace_local_auth_disabled","org":"turbot","name":"service_bus_namespace_local_auth_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'local_auth_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'local_auth_enabled') = 'false' then ' local authentication disabled'\n else ' local authentication enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_servicebus_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/servicebus.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.service_bus_namespace_local_auth_disabled","org":"turbot","name":"service_bus_namespace_local_auth_disabled","mod":"Terraform Azure Compliance","title":"Service bus namespaces should have local authentication disabled","description":"Disabling local authentication methods improves security by ensuring that Service bus namespaces require Azure Active Directory identities exclusively for authentication.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}}],"controlTitle":"Service bus namespaces should have local authentication disabled","controlDescription":"Disabling local authentication methods improves security by ensuring that Service bus namespaces require Azure Active Directory identities exclusively for authentication.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}},"service_bus_namespace_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/service_bus_namespace_restrict_public_access","org":"turbot","name":"service_bus_namespace_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_servicebus_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/servicebus.pp","startLineNumber":106,"endLineNumber":125,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.service_bus_namespace_restrict_public_access","org":"turbot","name":"service_bus_namespace_restrict_public_access","mod":"Terraform Azure Compliance","title":"Service bus namespaces should restrict public access","description":"Disabling public network access improves security by ensuring that your Service bus namespace is not exposed on the public internet.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}}],"controlTitle":"Service bus namespaces should restrict public access","controlDescription":"Disabling public network access improves security by ensuring that your Service bus namespace is not exposed on the public internet.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}},"service_bus_namespace_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/service_bus_namespace_encrypted_with_cmk","org":"turbot","name":"service_bus_namespace_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'customer_managed_key' -> 'key_vault_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'customer_managed_key' -> 'key_vault_key_id') is not null then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_servicebus_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/servicebus.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.service_bus_namespace_encrypted_with_cmk","org":"turbot","name":"service_bus_namespace_encrypted_with_cmk","mod":"Terraform Azure Compliance","title":"Service Bus namespaces should use a customer-managed key for encryption","description":"Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}}],"controlTitle":"Service Bus namespaces should use a customer-managed key for encryption","controlDescription":"Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}}},"service_fabric":{"servicefabric_cluster_active_directory_authentication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/servicefabric_cluster_active_directory_authentication_enabled","org":"turbot","name":"servicefabric_cluster_active_directory_authentication_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'azure_active_directory') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'azure_active_directory') is null then ' does not use Azure Active Directory for client authentication'\n else ' uses Azure Active Directory for client authentication'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_service_fabric_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/servicefabric.pp","startLineNumber":26,"endLineNumber":45,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.servicefabric_cluster_active_directory_authentication_enabled","org":"turbot","name":"servicefabric_cluster_active_directory_authentication_enabled","mod":"Terraform Azure Compliance","title":"Service Fabric clusters should only use Azure Active Directory for client authentication","description":"Audit usage of client authentication only via Azure Active Directory in Service Fabric.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/ServiceFabric"}}],"controlTitle":"Service Fabric clusters should only use Azure Active Directory for client authentication","controlDescription":"Audit usage of client authentication only via Azure Active Directory in Service Fabric.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/ServiceFabric"}},"servicefabric_cluster_protection_level_as_encrypt_and_sign":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/servicefabric_cluster_protection_level_as_encrypt_and_sign","org":"turbot","name":"servicefabric_cluster_protection_level_as_encrypt_and_sign","sql":"select\n address as resource,\n case\n when (attributes_std -> 'fabric_settings') is null then 'alarm'\n when (attributes_std -> 'fabric_settings' -> 'parameters') is null then 'alarm'\n when (attributes_std -> 'fabric_settings' ->> 'parameters') like '%EncryptAndSign%' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'fabric_settings') is null then ' Cluster Protection Level not set'\n when (attributes_std -> 'fabric_settings' -> 'parameters') is null then ' Cluster Protection Level not set to EncryptAndSign'\n when (attributes_std -> 'fabric_settings' ->> 'parameters') like '%EncryptAndSign%' then ' Cluster Protection Level set to EncryptAndSign'\n else ' Cluster Protection Level not set to EncryptAndSign'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_service_fabric_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/servicefabric.pp","startLineNumber":1,"endLineNumber":24,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.servicefabric_cluster_protection_level_as_encrypt_and_sign","org":"turbot","name":"servicefabric_cluster_protection_level_as_encrypt_and_sign","mod":"Terraform Azure Compliance","title":"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign","description":"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/ServiceFabric"}}],"controlTitle":"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign","controlDescription":"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/ServiceFabric"}}},"signal_r":{"signalr_services_uses_paid_sku":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/signalr_services_uses_paid_sku","org":"turbot","name":"signalr_services_uses_paid_sku","sql":"select\n address as resource,\n case\n when (attributes_std -> 'sku' ->> 'name') = 'Free_F1' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'sku' ->> 'name') = 'Free_F1' then ' is not using paid SKU'\n else ' is using paid SKU'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_signalr_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/signalr.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.signalr_services_uses_paid_sku","org":"turbot","name":"signalr_services_uses_paid_sku","mod":"Terraform Azure Compliance","title":"SignalR services should use paid SKU","description":"SignalR services should use paid SKU to enable advanced features such as auto-scaling, hybrid connections, and zone redundancy.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SignalR"}}],"controlTitle":"SignalR services should use paid SKU","controlDescription":"SignalR services should use paid SKU to enable advanced features such as auto-scaling, hybrid connections, and zone redundancy.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SignalR"}}},"io_t_hub":{"iot_hub_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/iot_hub_logging_enabled","org":"turbot","name":"iot_hub_logging_enabled","sql":"select\n address as resource,\n case\n when name in (select split_part((attributes_std ->> 'target_resource_id'), '.', 3) from terraform_resource where type = 'azurerm_monitor_diagnostic_setting' and split_part((attributes_std ->> 'target_resource_id'), '.', 2) = 'azurerm_iothub')then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when name in (select split_part((attributes_std ->> 'target_resource_id'), '.', 3) from terraform_resource where type = 'azurerm_monitor_diagnostic_setting' and split_part((attributes_std ->> 'target_resource_id'), '.', 2) = 'azurerm_iothub')then ' logging enabled'\n else ' logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_iothub';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iot.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.iot_hub_logging_enabled","org":"turbot","name":"iot_hub_logging_enabled","mod":"Terraform Azure Compliance","title":"Resource logs in IoT Hub should be enabled","description":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/IoTHub"}}],"controlTitle":"Resource logs in IoT Hub should be enabled","controlDescription":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/IoTHub"}},"iot_hub_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/iot_hub_restrict_public_access","org":"turbot","name":"iot_hub_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'public_network_access_enabled') is null then 'alarm'\n when (attributes_std ->> 'public_network_access_enabled') = 'true' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'public_network_access_enabled') is null then ' public network access not defined'\n when (attributes_std ->> 'public_network_access_enabled') = 'true' then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_iothub';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iot.pp","startLineNumber":22,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.iot_hub_restrict_public_access","org":"turbot","name":"iot_hub_restrict_public_access","mod":"Terraform Azure Compliance","title":"IoT Hubs should disable public network access","description":"Disabling public network access improves security by ensuring that IoT Hub isn't exposed on the public internet. Creating private endpoints can limit exposure of IoT Hub.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/IoTHub"}}],"controlTitle":"IoT Hubs should disable public network access","controlDescription":"Disabling public network access improves security by ensuring that IoT Hub isn't exposed on the public internet. Creating private endpoints can limit exposure of IoT Hub.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/IoTHub"}}},"healthcare_ap_is":{"healthcare_fhir_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/healthcare_fhir_public_network_access_disabled","org":"turbot","name":"healthcare_fhir_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'public_network_access_enabled') is null then 'alarm'\n when (attributes_std -> 'public_network_access_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'public_network_access_enabled') is null then ' public access enabled'\n when (attributes_std -> 'public_network_access_enabled')::bool then ' public access disabled'\n else ' public access enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_healthcare_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/healthcare.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.healthcare_fhir_public_network_access_disabled","org":"turbot","name":"healthcare_fhir_public_network_access_disabled","mod":"Terraform Azure Compliance","title":"Azure API for FHIR should disable public network access","description":"Disabling public network access improves security by ensuring that Healthcare API isn't exposed on the public internet. Creating private endpoints can limit exposure of Healthcare APIs.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/HealthcareAPIs"}}],"controlTitle":"Azure API for FHIR should disable public network access","controlDescription":"Disabling public network access improves security by ensuring that Healthcare API isn't exposed on the public internet. Creating private endpoints can limit exposure of Healthcare APIs.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/HealthcareAPIs"}},"healthcare_fhir_azure_api_encrypted_at_rest_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/healthcare_fhir_azure_api_encrypted_at_rest_with_cmk","org":"turbot","name":"healthcare_fhir_azure_api_encrypted_at_rest_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cosmosdb_key_vault_key_versionless_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cosmosdb_key_vault_key_versionless_id') is null then ' not encrypted with CMK'\n else ' encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_healthcare_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/healthcare.pp","startLineNumber":24,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.healthcare_fhir_azure_api_encrypted_at_rest_with_cmk","org":"turbot","name":"healthcare_fhir_azure_api_encrypted_at_rest_with_cmk","mod":"Terraform Azure Compliance","title":"Azure API for FHIR should use a customer-managed key to encrypt data at rest","description":"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/HealthcareAPIs"}}],"controlTitle":"Azure API for FHIR should use a customer-managed key to encrypt data at rest","controlDescription":"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/HealthcareAPIs"}}},"key_vault":{"keyvault_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_azure_defender_enabled","org":"turbot","name":"keyvault_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'KeyVaults' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'info'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'KeyVaults' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for KeyVaults'\n else ' Azure Defender off for KeyVaults'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":222,"endLineNumber":240,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.keyvault_azure_defender_enabled","org":"turbot","name":"keyvault_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for Key Vault should be enabled","description":"Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KeyVault"}}],"controlTitle":"Azure Defender for Key Vault should be enabled","controlDescription":"Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KeyVault"}},"keyvault_vault_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_vault_public_network_access_disabled","org":"turbot","name":"keyvault_vault_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'network_acls') is null then 'alarm'\n when (attributes_std -> 'network_acls' ->> 'default_action')::text != 'Deny' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'network_acls') is null then ' ''network_acls'' not set'\n when (attributes_std -> 'network_acls' ->> 'default_action')::text != 'Deny' then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_key_vault';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":178,"endLineNumber":199,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.keyvault_vault_public_network_access_disabled","org":"turbot","name":"keyvault_vault_public_network_access_disabled","mod":"Terraform Azure Compliance","title":"Azure Key Vault should disable public network access","description":"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KeyVault"}}],"controlTitle":"Azure Key Vault should disable public network access","controlDescription":"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KeyVault"}},"keyvault_secret_expiration_set":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_secret_expiration_set","org":"turbot","name":"keyvault_secret_expiration_set","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'expiration_date') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'expiration_date') is null then ' expiration_date not set'\n else ' expiration_date is set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_key_vault_secret';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":242,"endLineNumber":261,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.keyvault_secret_expiration_set","org":"turbot","name":"keyvault_secret_expiration_set","mod":"Terraform Azure Compliance","title":"Key Vault secrets should have an expiration date","description":"Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KeyVault"}}],"controlTitle":"Key Vault secrets should have an expiration date","controlDescription":"Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KeyVault"}},"keyvault_managed_hms_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_managed_hms_logging_enabled","org":"turbot","name":"keyvault_managed_hms_logging_enabled","sql":"$88","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":37,"endLineNumber":82,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.keyvault_managed_hms_logging_enabled","org":"turbot","name":"keyvault_managed_hms_logging_enabled","mod":"Terraform Azure Compliance","title":"Resource logs in Azure Key Vault Managed HSM should be enabled","description":"To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/KeyVault"}}],"controlTitle":"Resource logs in Azure Key Vault Managed HSM should be enabled","controlDescription":"To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/KeyVault"}},"keyvault_managed_hms_purge_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_managed_hms_purge_protection_enabled","org":"turbot","name":"keyvault_managed_hms_purge_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'purge_protection_enabled') is null then 'alarm'\n when (attributes_std ->> 'purge_protection_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'purge_protection_enabled') is null then ' ''purge_protection_enabled'' not set'\n when (attributes_std ->> 'purge_protection_enabled')::boolean then ' purge protection enabled'\n else ' purge protection disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_key_vault_managed_hardware_security_module';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":84,"endLineNumber":105,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.keyvault_managed_hms_purge_protection_enabled","org":"turbot","name":"keyvault_managed_hms_purge_protection_enabled","mod":"Terraform Azure Compliance","title":"Azure Key Vault Managed HSM should have purge protection enabled","description":"Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/KeyVault"}}],"controlTitle":"Azure Key Vault Managed HSM should have purge protection enabled","controlDescription":"Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/KeyVault"}},"keyvault_key_expiration_set":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_key_expiration_set","org":"turbot","name":"keyvault_key_expiration_set","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'expiration_date') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'expiration_date') is null then ' expiration_date not set'\n else ' expiration_date is set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_key_vault_key';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":201,"endLineNumber":220,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.keyvault_key_expiration_set","org":"turbot","name":"keyvault_key_expiration_set","mod":"Terraform Azure Compliance","title":"Key Vault keys should have an expiration date","description":"Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KeyVault"}}],"controlTitle":"Key Vault keys should have an expiration date","controlDescription":"Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KeyVault"}},"keyvault_purge_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_purge_protection_enabled","org":"turbot","name":"keyvault_purge_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'purge_protection_enabled') is null then 'alarm'\n when (attributes_std ->> 'purge_protection_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'purge_protection_enabled') is null then ' ''purge_protection_enabled'' not set'\n when (attributes_std ->> 'purge_protection_enabled')::boolean then ' purge protection enabled'\n else ' purge protection disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_key_vault';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":155,"endLineNumber":176,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.keyvault_purge_protection_enabled","org":"turbot","name":"keyvault_purge_protection_enabled","mod":"Terraform Azure Compliance","title":"Key vaults should have purge protection enabled","description":"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KeyVault"}}],"controlTitle":"Key vaults should have purge protection enabled","controlDescription":"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KeyVault"}},"keyvault_secret_content_type_set":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_secret_content_type_set","org":"turbot","name":"keyvault_secret_content_type_set","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'content_type') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'content_type') is null then ' content type not set'\n else ' content type is set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_key_vault_secret';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":263,"endLineNumber":282,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.keyvault_secret_content_type_set","org":"turbot","name":"keyvault_secret_content_type_set","mod":"Terraform Azure Compliance","title":"Key Vault secrets should have a content type","description":"Secrets should have a defined content type. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set content types on secrets.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/KeyVault"}}],"controlTitle":"Key Vault secrets should have a content type","controlDescription":"Secrets should have a defined content type. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set content types on secrets.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/KeyVault"}},"keyvault_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_logging_enabled","org":"turbot","name":"keyvault_logging_enabled","sql":"$89","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":107,"endLineNumber":153,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.keyvault_logging_enabled","org":"turbot","name":"keyvault_logging_enabled","mod":"Terraform Azure Compliance","title":"Resource logs in Key Vault should be enabled","description":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KeyVault"}}],"controlTitle":"Resource logs in Key Vault should be enabled","controlDescription":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KeyVault"}},"keyvault_vault_use_virtual_service_endpoint":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_vault_use_virtual_service_endpoint","org":"turbot","name":"keyvault_vault_use_virtual_service_endpoint","sql":"with key_vaults as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_key_vault'\n), key_vaults_subnet as (\n select\n distinct address\n from\n key_vaults as a,\n jsonb_array_elements(attributes_std -> 'network_acls' -> 'virtual_network_subnet_ids') as id\n)\nselect\n a.address as resource,\n case\n when (attributes_std -> 'network_acls' ->> 'default_action')::text <> 'Deny' then 'alarm'\n when s.address is null then 'alarm'\n else 'ok'\n end as status,\n split_part(a.address, '.', 2) || case\n when (attributes_std -> 'network_rule_set' ->> 'default_action')::text <> 'Deny' then ' not configured with virtual service endpoint'\n when s.address is null then ' not configured with virtual service endpoint'\n else ' configured with virtual service endpoint'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n key_vaults as a\n left join key_vaults_subnet as s on a.address = s.address;\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":1,"endLineNumber":35,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.keyvault_vault_use_virtual_service_endpoint","org":"turbot","name":"keyvault_vault_use_virtual_service_endpoint","mod":"Terraform Azure Compliance","title":"Key Vault should use a virtual network service endpoint","description":"This policy audits any Key Vault not configured to use a virtual network service endpoint.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/KeyVault"}}],"controlTitle":"Key Vault should use a virtual network service endpoint","controlDescription":"This policy audits any Key Vault not configured to use a virtual network service endpoint.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/KeyVault"}}},"front_door":{"frontdoor_waf_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/frontdoor_waf_enabled","org":"turbot","name":"frontdoor_waf_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'routing_rule' -> 'frontend_endpoint') is null then 'alarm'\n when (attributes_std -> 'routing_rule' -> 'frontend_endpoint' -> 'web_application_firewall_policy_link_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'routing_rule' -> 'frontend_endpoint') is null then ' WAF disabled'\n when (attributes_std -> 'routing_rule' -> 'frontend_endpoint' -> 'web_application_firewall_policy_link_id') is null then ' WAF disabled'\n else ' WAF enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_frontdoor';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/frontdoor.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.frontdoor_waf_enabled","org":"turbot","name":"frontdoor_waf_enabled","mod":"Terraform Azure Compliance","title":"Web Application Firewall (WAF) should be enabled for Azure Front Door Service service","description":"Deploy Azure Web Application Firewall (WAF) in front of public-facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/FrontDoor"}}],"controlTitle":"Web Application Firewall (WAF) should be enabled for Azure Front Door Service service","controlDescription":"Deploy Azure Web Application Firewall (WAF) in front of public-facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/FrontDoor"}},"frontdoor_firewall_policy_restrict_message_lookup_log4j2":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/frontdoor_firewall_policy_restrict_message_lookup_log4j2","org":"turbot","name":"frontdoor_firewall_policy_restrict_message_lookup_log4j2","sql":"$8a","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/frontdoor.pp","startLineNumber":24,"endLineNumber":74,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.frontdoor_firewall_policy_restrict_message_lookup_log4j2","org":"turbot","name":"frontdoor_firewall_policy_restrict_message_lookup_log4j2","mod":"Terraform Azure Compliance","title":"Front Door firewall policy should restricts message lookup in Log4j2","description":"This control checks that Front Door firewall policy restricts message lookup in Log4j2 due to the CVE-2021-44228 vulnerability, also known as log4jshell.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/FrontDoor"}}],"controlTitle":"Front Door firewall policy should restricts message lookup in Log4j2","controlDescription":"This control checks that Front Door firewall policy restricts message lookup in Log4j2 due to the CVE-2021-44228 vulnerability, also known as log4jshell.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/FrontDoor"}}},"firewall":{"firewall_policy_intrusion_detection_mode_set_to_deny":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/firewall_policy_intrusion_detection_mode_set_to_deny","org":"turbot","name":"firewall_policy_intrusion_detection_mode_set_to_deny","sql":"select\n address as resource,\n case\n when (attributes_std -> 'intrusion_detection' ->> 'mode') = 'Deny' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'intrusion_detection' ->> 'mode') = 'Deny' then ' intrusion detection mode is set to deny'\n else ' intrusion detection mode is not set to deny'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_firewall_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/firewall.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.firewall_policy_intrusion_detection_mode_set_to_deny","org":"turbot","name":"firewall_policy_intrusion_detection_mode_set_to_deny","mod":"Terraform Azure Compliance","title":"Firewall policy intrusion detection mode set to deny","description":"This control checks whether the firewall policy intrusion detection mode is set to deny.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Firewall"}}],"controlTitle":"Firewall policy intrusion detection mode set to deny","controlDescription":"This control checks whether the firewall policy intrusion detection mode is set to deny.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Firewall"}},"firewall_threat_intel_mode_set_to_deny":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/firewall_threat_intel_mode_set_to_deny","org":"turbot","name":"firewall_threat_intel_mode_set_to_deny","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'threat_intel_mode') = 'Deny' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'threat_intel_mode') = 'Deny' then ' threat intel mode is set to deny'\n else ' threat intel mode is not set to deny'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_firewall';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/firewall.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.firewall_threat_intel_mode_set_to_deny","org":"turbot","name":"firewall_threat_intel_mode_set_to_deny","mod":"Terraform Azure Compliance","title":"Firewall threat intel mode set to deny","description":"This control checks whether the firewall threat intel mode is set to deny.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Firewall"}}],"controlTitle":"Firewall threat intel mode set to deny","controlDescription":"This control checks whether the firewall threat intel mode is set to deny.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Firewall"}},"firewall_has_firewall_policy_set":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/firewall_has_firewall_policy_set","org":"turbot","name":"firewall_has_firewall_policy_set","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'firewall_policy_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'firewall_policy_id') is null then ' firewall policy is not set'\n else ' firewall policy is set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_firewall';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/firewall.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.firewall_has_firewall_policy_set","org":"turbot","name":"firewall_has_firewall_policy_set","mod":"Terraform Azure Compliance","title":"Firewall has firewall policy set","description":"This control checks whether a firewall policy is set for the firewall.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Firewall"}}],"controlTitle":"Firewall has firewall policy set","controlDescription":"This control checks whether a firewall policy is set for the firewall.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Firewall"}}},"event_hub":{"eventhub_namespace_use_virtual_service_endpoint":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventhub_namespace_use_virtual_service_endpoint","org":"turbot","name":"eventhub_namespace_use_virtual_service_endpoint","sql":"$8b","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventhub.pp","startLineNumber":1,"endLineNumber":38,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.eventhub_namespace_use_virtual_service_endpoint","org":"turbot","name":"eventhub_namespace_use_virtual_service_endpoint","mod":"Terraform Azure Compliance","title":"Event Hub should use a virtual network service endpoint","description":"This policy audits any Event Hub not configured to use a virtual network service endpoint.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/EventHub"}}],"controlTitle":"Event Hub should use a virtual network service endpoint","controlDescription":"This policy audits any Event Hub not configured to use a virtual network service endpoint.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/EventHub"}},"eventhub_namespace_zone_redundant":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventhub_namespace_zone_redundant","org":"turbot","name":"eventhub_namespace_zone_redundant","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'zone_redundant')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'zone_redundant')::bool then ' zone redundant'\n else ' not zone redundant'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventhub_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventhub.pp","startLineNumber":83,"endLineNumber":102,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.eventhub_namespace_zone_redundant","org":"turbot","name":"eventhub_namespace_zone_redundant","mod":"Terraform Azure Compliance","title":"Event Hub namespaces should be zone redundant","description":"This control ensures that Event Hub namespace is zone redundant.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventHub"}}],"controlTitle":"Event Hub namespaces should be zone redundant","controlDescription":"This control ensures that Event Hub namespace is zone redundant.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventHub"}},"eventhub_namespace_uses_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventhub_namespace_uses_latest_tls_version","org":"turbot","name":"eventhub_namespace_uses_latest_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'minimum_tls_version') is null then 'ok'\n when (attributes_std ->> 'minimum_tls_version')::text = '1.2' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'minimum_tls_version') is null then ' TLS version not defined by default uses 1.2'\n when (attributes_std ->> 'minimum_tls_version')::text = '1.2' then ' use TLS version 1.2'\n else ' does not use TLS version 1.2'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventhub_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventhub.pp","startLineNumber":60,"endLineNumber":81,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.eventhub_namespace_uses_latest_tls_version","org":"turbot","name":"eventhub_namespace_uses_latest_tls_version","mod":"Terraform Azure Compliance","title":"Event Hub namespaces 'Minimum TLS version' should be set to 'Version 1.2'","description":"This control checks whether 'Minimum TLS version' is set to 1.2. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to later protocols such as TLS 1.2.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventHub"}}],"controlTitle":"Event Hub namespaces 'Minimum TLS version' should be set to 'Version 1.2'","controlDescription":"This control checks whether 'Minimum TLS version' is set to 1.2. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to later protocols such as TLS 1.2.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventHub"}},"eventhub_namespace_cmk_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventhub_namespace_cmk_encryption_enabled","org":"turbot","name":"eventhub_namespace_cmk_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'key_vault_key_ids') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'key_vault_key_ids') is not null then ' CMK encryption enabled'\n else ' CMK encryption disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventhub_namespace_customer_managed_key';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventhub.pp","startLineNumber":40,"endLineNumber":58,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.eventhub_namespace_cmk_encryption_enabled","org":"turbot","name":"eventhub_namespace_cmk_encryption_enabled","mod":"Terraform Azure Compliance","title":"Event Hub namespaces should be encrypted","description":"Azure Event Hub namespaces should be encrypted with an Azure Customer Managed Key.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventHub"}}],"controlTitle":"Event Hub namespaces should be encrypted","controlDescription":"Azure Event Hub namespaces should be encrypted with an Azure Customer Managed Key.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventHub"}}},"event_grid":{"eventgrid_topic_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventgrid_topic_uses_managed_identity","org":"turbot","name":"eventgrid_topic_uses_managed_identity","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity' ->> 'type') = 'SystemAssigned' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity' ->> 'type') = 'SystemAssigned' then ' uses managed identity'\n else ' not uses managed identity'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventgrid_topic';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventgrid.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.eventgrid_topic_uses_managed_identity","org":"turbot","name":"eventgrid_topic_uses_managed_identity","mod":"Terraform Azure Compliance","title":"Event Grid topics should use managed identity","description":"Use a managed identity for enhanced authentication security. A managed identity from Azure Active Directory (Azure AD) allows your Event Grid topic to easily access other Azure AD-protected resources such as Azure Key Vault.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventGrid"}}],"controlTitle":"Event Grid topics should use managed identity","controlDescription":"Use a managed identity for enhanced authentication security. A managed identity from Azure Active Directory (Azure AD) allows your Event Grid topic to easily access other Azure AD-protected resources such as Azure Key Vault.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventGrid"}},"eventgrid_domain_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventgrid_domain_uses_managed_identity","org":"turbot","name":"eventgrid_domain_uses_managed_identity","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity' ->> 'type') = 'SystemAssigned' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity' ->> 'type') = 'SystemAssigned' then ' uses managed identity'\n else ' not uses managed identity'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventgrid_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventgrid.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.eventgrid_domain_uses_managed_identity","org":"turbot","name":"eventgrid_domain_uses_managed_identity","mod":"Terraform Azure Compliance","title":"Event Grid domains should use managed identity","description":"Use a managed identity for enhanced authentication security. A managed identity from Azure Active Directory (Azure AD) allows your Event Grid domain to easily access other Azure AD-protected resources such as Azure Key Vault.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventGrid"}}],"controlTitle":"Event Grid domains should use managed identity","controlDescription":"Use a managed identity for enhanced authentication security. A managed identity from Azure Active Directory (Azure AD) allows your Event Grid domain to easily access other Azure AD-protected resources such as Azure Key Vault.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventGrid"}},"eventgrid_domain_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventgrid_domain_restrict_public_access","org":"turbot","name":"eventgrid_domain_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventgrid_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventgrid.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.eventgrid_domain_restrict_public_access","org":"turbot","name":"eventgrid_domain_restrict_public_access","mod":"Terraform Azure Compliance","title":"Event Grid domains should disable public network access","description":"Disabling public network access improves security by ensuring that your Event Grid domain is not exposed on the public internet.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/EventGrid"}}],"controlTitle":"Event Grid domains should disable public network access","controlDescription":"Disabling public network access improves security by ensuring that your Event Grid domain is not exposed on the public internet.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/EventGrid"}},"eventgrid_topic_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventgrid_topic_restrict_public_access","org":"turbot","name":"eventgrid_topic_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventgrid_topic';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventgrid.pp","startLineNumber":106,"endLineNumber":125,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.eventgrid_topic_restrict_public_access","org":"turbot","name":"eventgrid_topic_restrict_public_access","mod":"Terraform Azure Compliance","title":"Event Grid topics should disable public network access","description":"Disabling public network access improves security by ensuring that your Event Grid topic is not exposed on the public internet.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventGrid"}}],"controlTitle":"Event Grid topics should disable public network access","controlDescription":"Disabling public network access improves security by ensuring that your Event Grid topic is not exposed on the public internet.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventGrid"}},"eventgrid_topic_local_auth_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventgrid_topic_local_auth_disabled","org":"turbot","name":"eventgrid_topic_local_auth_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'local_auth_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'local_auth_enabled') = 'false' then ' local authentication disabled'\n else ' local authentication enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventgrid_topic';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventgrid.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.eventgrid_topic_local_auth_disabled","org":"turbot","name":"eventgrid_topic_local_auth_disabled","mod":"Terraform Azure Compliance","title":"Event Grid topics should have local authentication disabled","description":"Disabling local authentication methods improves security by ensuring that Event Grid topic require Azure Active Directory identities exclusively for authentication.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/EventGrid"}}],"controlTitle":"Event Grid topics should have local authentication disabled","controlDescription":"Disabling local authentication methods improves security by ensuring that Event Grid topic require Azure Active Directory identities exclusively for authentication.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/EventGrid"}},"eventgrid_domain_local_auth_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventgrid_domain_local_auth_disabled","org":"turbot","name":"eventgrid_domain_local_auth_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'local_auth_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'local_auth_enabled') = 'false' then ' local authentication disabled'\n else ' local authentication enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventgrid_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventgrid.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.eventgrid_domain_local_auth_disabled","org":"turbot","name":"eventgrid_domain_local_auth_disabled","mod":"Terraform Azure Compliance","title":"Event Grid domains should have local authentication disabled","description":"Disabling local authentication methods improves security by ensuring that Event Grid domain require Azure Active Directory identities exclusively for authentication.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventGrid"}}],"controlTitle":"Event Grid domains should have local authentication disabled","controlDescription":"Disabling local authentication methods improves security by ensuring that Event Grid domain require Azure Active Directory identities exclusively for authentication.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventGrid"}}},"maria_db":{"mariadb_server_geo_redundant_backup_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mariadb_server_geo_redundant_backup_enabled","org":"turbot","name":"mariadb_server_geo_redundant_backup_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'geo_redundant_backup_enabled') is null then 'alarm'\n when (attributes_std -> 'geo_redundant_backup_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'geo_redundant_backup_enabled') is null then ' geo-redundant backup disabled'\n when (attributes_std -> 'geo_redundant_backup_enabled')::bool then ' geo-redundant backup enabled'\n else ' geo-redundant backup disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mariadb_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mariadb.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.mariadb_server_geo_redundant_backup_enabled","org":"turbot","name":"mariadb_server_geo_redundant_backup_enabled","mod":"Terraform Azure Compliance","title":"Geo-redundant backup should be enabled for Azure Database for MariaDB","description":"Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/MariaDB"}}],"controlTitle":"Geo-redundant backup should be enabled for Azure Database for MariaDB","controlDescription":"Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/MariaDB"}},"mariadb_server_ssl_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mariadb_server_ssl_enabled","org":"turbot","name":"mariadb_server_ssl_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'ssl_enforcement_enabled') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'ssl_enforcement_enabled') = 'true' then ' SSL connection enabled'\n else ' SSL connection disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mariadb_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mariadb.pp","startLineNumber":47,"endLineNumber":66,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.mariadb_server_ssl_enabled","org":"turbot","name":"mariadb_server_ssl_enabled","mod":"Terraform Azure Compliance","title":"MariaDB servers should have 'Enforce SSL connection' set to 'ENABLED'","description":"This control checks whether MariaDB servers SSL enforcement is enabled. This control is non-compliant if SSL enforcement is disabled.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/MariaDB"}}],"controlTitle":"MariaDB servers should have 'Enforce SSL connection' set to 'ENABLED'","controlDescription":"This control checks whether MariaDB servers SSL enforcement is enabled. This control is non-compliant if SSL enforcement is disabled.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/MariaDB"}},"mariadb_server_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mariadb_server_public_network_access_disabled","org":"turbot","name":"mariadb_server_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'public_network_access_enabled') is null then 'alarm'\n when (attributes_std -> 'public_network_access_enabled')::bool then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'public_network_access_enabled') is null then ' public network access enabled'\n when (attributes_std -> 'public_network_access_enabled')::bool then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mariadb_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mariadb.pp","startLineNumber":24,"endLineNumber":45,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.mariadb_server_public_network_access_disabled","org":"turbot","name":"mariadb_server_public_network_access_disabled","mod":"Terraform Azure Compliance","title":"Public network access should be disabled for MariaDB servers","description":"Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/MariaDB"}}],"controlTitle":"Public network access should be disabled for MariaDB servers","controlDescription":"Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/MariaDB"}}},"monitor":{"monitor_log_profile_enabled_for_all_regions":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/monitor_log_profile_enabled_for_all_regions","org":"turbot","name":"monitor_log_profile_enabled_for_all_regions","sql":"$8c","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/monitor.pp","startLineNumber":1,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.monitor_log_profile_enabled_for_all_regions","org":"turbot","name":"monitor_log_profile_enabled_for_all_regions","mod":"Terraform Azure Compliance","title":"Azure Monitor should collect activity logs from all regions","description":"This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/Monitor"}}],"controlTitle":"Azure Monitor should collect activity logs from all regions","controlDescription":"This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/Monitor"}},"monitor_logs_storage_container_not_public_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/monitor_logs_storage_container_not_public_accessible","org":"turbot","name":"monitor_logs_storage_container_not_public_accessible","sql":"select\n address as resource,\n case\n when (attributes_std -> 'container_access_type') is null then 'ok'\n when (attributes_std ->> 'container_access_type') ilike 'Private' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'container_access_type') is null then ' container insights-operational-logs storing activity logs not publicly accessible'\n when (attributes_std ->> 'container_access_type') ilike 'Private' then ' container insights-operational-logs storing activity logs not publicly accessible'\n else ' container insights-operational-logs storing activity logs publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_container'\n and (attributes_std ->> 'name') ilike 'insights-operational-logs';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/monitor.pp","startLineNumber":23,"endLineNumber":45,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.monitor_logs_storage_container_not_public_accessible","org":"turbot","name":"monitor_logs_storage_container_not_public_accessible","mod":"Terraform Azure Compliance","title":"Ensure the storage container storing the activity logs is not publicly accessible","description":"The storage account container containing the activity log export should not be publicly accessible.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/Monitor"}}],"controlTitle":"Ensure the storage container storing the activity logs is not publicly accessible","controlDescription":"The storage account container containing the activity log export should not be publicly accessible.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/Monitor"}},"monitor_log_profile_enabled_for_all_categories":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/monitor_log_profile_enabled_for_all_categories","org":"turbot","name":"monitor_log_profile_enabled_for_all_categories","sql":"select\n address as resource,\n case\n when (attributes_std -> 'categories') @> '[\"Write\", \"Action\", \"Delete\"]' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'categories') @> '[\"Write\", \"Action\", \"Delete\"]' then ' collects logs for categories write, delete and action'\n else ' does not collects logs for all categories.'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_monitor_log_profile';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/monitor.pp","startLineNumber":47,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.monitor_log_profile_enabled_for_all_categories","org":"turbot","name":"monitor_log_profile_enabled_for_all_categories","mod":"Terraform Azure Compliance","title":"Azure Monitor log profile should collect logs for categories 'write', 'delete' and 'action'","description":"This policy ensures that a log profile collects logs for categories 'write', 'delete' and 'action'.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/Monitor"}}],"controlTitle":"Azure Monitor log profile should collect logs for categories 'write', 'delete' and 'action'","controlDescription":"This policy ensures that a log profile collects logs for categories 'write', 'delete' and 'action'.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/Monitor"}},"monitor_log_profile_retention_365_days":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/monitor_log_profile_retention_365_days","org":"turbot","name":"monitor_log_profile_retention_365_days","sql":"$8d","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/monitor.pp","startLineNumber":67,"endLineNumber":87,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.monitor_log_profile_retention_365_days","org":"turbot","name":"monitor_log_profile_retention_365_days","mod":"Terraform Azure Compliance","title":"Monitor log profiles should have retention set to 365 days or greater","description":"This control is non-compliant if Monitor log profile retention is set to less than 365 days.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Monitor"}}],"controlTitle":"Monitor log profiles should have retention set to 365 days or greater","controlDescription":"This control is non-compliant if Monitor log profile retention is set to less than 365 days.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Monitor"}}},"kubernetes_service":{"kubernetes_cluster_max_pod_50":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_max_pod_50","org":"turbot","name":"kubernetes_cluster_max_pod_50","sql":"$8e","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":195,"endLineNumber":220,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_max_pod_50","org":"turbot","name":"kubernetes_cluster_max_pod_50","mod":"Terraform Azure Compliance","title":"Kubernetes clusters should use a minimum number of 50 pods","description":"This control checks if Kubernetes cluster is using a minimum number of 50 pods.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters should use a minimum number of 50 pods","controlDescription":"This control checks if Kubernetes cluster is using a minimum number of 50 pods.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_os_and_data_disks_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_os_and_data_disks_encrypted_with_cmk","org":"turbot","name":"kubernetes_cluster_os_and_data_disks_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'disk_encryption_set_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'disk_encryption_set_id') is null then ' os and data diska not encrypted with CMK'\n else ' os and data diska encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_os_and_data_disks_encrypted_with_cmk","org":"turbot","name":"kubernetes_cluster_os_and_data_disks_encrypted_with_cmk","mod":"Terraform Azure Compliance","title":"Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys","description":"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys","controlDescription":"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_logging_enabled","org":"turbot","name":"kubernetes_cluster_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'oms_agent' -> 'log_analytics_workspace_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'oms_agent' -> 'log_analytics_workspace_id') is not null then ' logging enabled'\n else ' logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":222,"endLineNumber":241,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_logging_enabled","org":"turbot","name":"kubernetes_cluster_logging_enabled","mod":"Terraform Azure Compliance","title":"Kubernetes clusters should have logging enabled","description":"This control checks if OMS agent is enabled for Kubernetes cluster.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters should have logging enabled","controlDescription":"This control checks if OMS agent is enabled for Kubernetes cluster.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host","org":"turbot","name":"kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host","sql":"select\n address as resource,\n case\n when (attributes_std -> 'default_node_pool' ->> 'enable_host_encryption')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'default_node_pool' ->> 'enable_host_encryption')::boolean then ' encrypted at host'\n else ' not encrypted at host'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host","org":"turbot","name":"kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host","mod":"Terraform Azure Compliance","title":"Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host","description":"To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host","controlDescription":"To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_instance_rbac_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_instance_rbac_enabled","org":"turbot","name":"kubernetes_instance_rbac_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'role_based_access_control') is null then 'alarm'\n when (attributes_std -> 'role_based_access_control' -> 'azure_active_directory' -> 'azure_rbac_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'role_based_access_control') is null then ' ''role_based_access_control'' not defined'\n when (attributes_std -> 'role_based_access_control' -> 'azure_active_directory' -> 'azure_rbac_enabled')::boolean then ' role based access control enabled'\n else ' role based access control disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":89,"endLineNumber":110,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_instance_rbac_enabled","org":"turbot","name":"kubernetes_instance_rbac_enabled","mod":"Terraform Azure Compliance","title":"Role-Based Access Control (RBAC) should be used on Kubernetes Services","description":"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Role-Based Access Control (RBAC) should be used on Kubernetes Services","controlDescription":"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_restrict_public_access","org":"turbot","name":"kubernetes_cluster_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'private_cluster_enabled') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'private_cluster_enabled') = 'true' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":132,"endLineNumber":151,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_restrict_public_access","org":"turbot","name":"kubernetes_cluster_restrict_public_access","mod":"Terraform Azure Compliance","title":"Kubernetes clusters should restrict public access","description":"Ensure that Kubernetes cluster enables private clusters to restrict public access.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters should restrict public access","controlDescription":"Ensure that Kubernetes cluster enables private clusters to restrict public access.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_node_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_node_restrict_public_access","org":"turbot","name":"kubernetes_cluster_node_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'default_node_pool' ->> 'enable_node_public_ip') = 'true' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'default_node_pool' ->> 'enable_node_public_ip') = 'true' then ' has public node'\n else ' has no public node'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":264,"endLineNumber":283,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_node_restrict_public_access","org":"turbot","name":"kubernetes_cluster_node_restrict_public_access","mod":"Terraform Azure Compliance","title":"Kubernetes cluster nodes should restrict public access","description":"Ensure Kubernetes cluster node do not have public IP addresses. This control is non-compliant if Kubernetes cluster node have a public IP address assigned.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes cluster nodes should restrict public access","controlDescription":"Ensure Kubernetes cluster node do not have public IP addresses. This control is non-compliant if Kubernetes cluster node have a public IP address assigned.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_upgrade_channel":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_upgrade_channel","org":"turbot","name":"kubernetes_cluster_upgrade_channel","sql":"select\n address as resource,\n case\n when (attributes_std -> 'automatic_channel_upgrade') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'automatic_channel_upgrade') is null then ' upgrade channel not configured'\n else ' upgrade channel configured'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":306,"endLineNumber":325,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_upgrade_channel","org":"turbot","name":"kubernetes_cluster_upgrade_channel","mod":"Terraform Azure Compliance","title":"Kubernetes clusters upgrade channel should be configured","description":"Ensure Kubernetes clusters upgrade channel is configured. This control is non-compliant if Kubernetes clusters upgrade channel is set to none.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters upgrade channel should be configured","controlDescription":"Ensure Kubernetes clusters upgrade channel is configured. This control is non-compliant if Kubernetes clusters upgrade channel is set to none.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_authorized_ip_range_defined":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_authorized_ip_range_defined","org":"turbot","name":"kubernetes_cluster_authorized_ip_range_defined","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'private_cluster_enabled') = 'true' then 'ok'\n when (jsonb_array_length(attributes_std -> 'api_server_authorized_ip_ranges') > 0) or (jsonb_array_length(attributes_std -> 'api_server_access_profile' -> 'authorized_ip_ranges') > 0) then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'private_cluster_enabled') = 'true' then ' is private cluster'\n when (jsonb_array_length(attributes_std -> 'api_server_authorized_ip_ranges') > 0) or (jsonb_array_length(attributes_std -> 'api_server_access_profile' -> 'authorized_ip_ranges') > 0 ) then ' authorized IP ranges defined'\n else ' authorized IP ranges not defined'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":43,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_authorized_ip_range_defined","org":"turbot","name":"kubernetes_cluster_authorized_ip_range_defined","mod":"Terraform Azure Compliance","title":"Authorized IP ranges should be defined on Kubernetes Services","description":"ARestrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Authorized IP ranges should be defined on Kubernetes Services","controlDescription":"ARestrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_network_policy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_network_policy_enabled","org":"turbot","name":"kubernetes_cluster_network_policy_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'network_profile' -> 'network_policy') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'network_profile' -> 'network_policy') is not null then ' network policy enabled'\n else ' network policy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":243,"endLineNumber":262,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_network_policy_enabled","org":"turbot","name":"kubernetes_cluster_network_policy_enabled","mod":"Terraform Azure Compliance","title":"Kubernetes clusters should have network policy enabled","description":"This control checks if network policy is enabled for Kubernetes cluster.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters should have network policy enabled","controlDescription":"This control checks if network policy is enabled for Kubernetes cluster.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_node_pool_type_scale_set":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_node_pool_type_scale_set","org":"turbot","name":"kubernetes_cluster_node_pool_type_scale_set","sql":"select\n address as resource,\n case\n when (attributes_std -> 'default_node_pool' ->> 'type') = 'AvailabilitySet' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'default_node_pool' ->> 'type') = 'AvailabilitySet' then ' is using AvailabilitySet node type'\n else ' is using VirtualMachineScaleSets node type'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":327,"endLineNumber":346,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_node_pool_type_scale_set","org":"turbot","name":"kubernetes_cluster_node_pool_type_scale_set","mod":"Terraform Azure Compliance","title":"Kubernetes clusters should use scale sets type nodes","description":"Ensure Kubernetes clusters uses scale sets type nodes. This control is non-compliant if Kubernetes clusters do not use scale sets type nodes.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters should use scale sets type nodes","controlDescription":"Ensure Kubernetes clusters uses scale sets type nodes. This control is non-compliant if Kubernetes clusters do not use scale sets type nodes.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_sku_standard":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_sku_standard","org":"turbot","name":"kubernetes_cluster_sku_standard","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku_tier') = 'Standard' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku_tier') = 'Standard' then ' uses standard SKU tier'\n else ' uses free SKU tier'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":153,"endLineNumber":172,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_sku_standard","org":"turbot","name":"kubernetes_cluster_sku_standard","mod":"Terraform Azure Compliance","title":"Kubernetes clusters should use standard SKU","description":"Ensure that Kubernetes cluster uses standard SKU tier for production workloads. This control is non-compliant if Kubernetes cluster does not use standard SKU.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters should use standard SKU","controlDescription":"Ensure that Kubernetes cluster uses standard SKU tier for production workloads. This control is non-compliant if Kubernetes cluster does not use standard SKU.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_os_disk_ephemeral":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_os_disk_ephemeral","org":"turbot","name":"kubernetes_cluster_os_disk_ephemeral","sql":"select\n address as resource,\n case\n when (attributes_std -> 'default_node_pool' ->> 'os_disk_type') = 'Ephemeral' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'default_node_pool' ->> 'os_disk_type') = 'Ephemeral' then ' use ephemeral OS disks'\n else ' does not use ephemeral OS disks'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":348,"endLineNumber":367,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_os_disk_ephemeral","org":"turbot","name":"kubernetes_cluster_os_disk_ephemeral","mod":"Terraform Azure Compliance","title":"Kubernetes clusters should use type ephemeral OS disk","description":"Ensure Kubernetes clusters use ephemeral type OS disk. This control is non-compliant if Kubernetes clusters do not use ephemeral type OS disk.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters should use type ephemeral OS disk","controlDescription":"Ensure Kubernetes clusters use ephemeral type OS disk. This control is non-compliant if Kubernetes clusters do not use ephemeral type OS disk.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_critical_pods_on_system_nodes":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_critical_pods_on_system_nodes","org":"turbot","name":"kubernetes_cluster_critical_pods_on_system_nodes","sql":"select\n address as resource,\n case\n when (attributes_std -> 'default_node_pool' ->> 'only_critical_addons_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'default_node_pool' ->> 'only_critical_addons_enabled')::bool then ' critical addons enabled'\n else ' critical addons disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":369,"endLineNumber":388,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_critical_pods_on_system_nodes","org":"turbot","name":"kubernetes_cluster_critical_pods_on_system_nodes","mod":"Terraform Azure Compliance","title":"Kubernetes clusters only critical system pods should run on system nodes","description":"Ensure that only critical system pods runs on system node in Kubernetes clusters.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters only critical system pods should run on system nodes","controlDescription":"Ensure that only critical system pods runs on system node in Kubernetes clusters.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_key_vault_secret_rotation_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_key_vault_secret_rotation_enabled","org":"turbot","name":"kubernetes_cluster_key_vault_secret_rotation_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'key_vault_secrets_provider' ->> 'secret_rotation_enabled') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'key_vault_secrets_provider' ->> 'secret_rotation_enabled') = 'true' then ' key vault secret rotation enabled'\n else ' key vault secret rotation disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":285,"endLineNumber":304,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_key_vault_secret_rotation_enabled","org":"turbot","name":"kubernetes_cluster_key_vault_secret_rotation_enabled","mod":"Terraform Azure Compliance","title":"Kubernetes clusters key vault secret rotation should be enabled","description":"This control checks if key vault secret rotation is enabled for Kubernetes cluster.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters key vault secret rotation should be enabled","controlDescription":"This control checks if key vault secret rotation is enabled for Kubernetes cluster.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_azure_defender_enabled","org":"turbot","name":"kubernetes_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'KubernetesService' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'info'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'KubernetesService' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for KubernetesService'\n else ' Azure Defender off for KubernetesService'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":112,"endLineNumber":130,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_azure_defender_enabled","org":"turbot","name":"kubernetes_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for Kubernetes should be enabled","description":"Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Azure Defender for Kubernetes should be enabled","controlDescription":"Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_add_on_azure_policy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_add_on_azure_policy_enabled","org":"turbot","name":"kubernetes_cluster_add_on_azure_policy_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'addon_profile') is null then 'alarm'\n when (attributes_std -> 'addon_profile' -> 'azure_policy' ->>'enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'addon_profile') is null then ' ''addon_profile'' not defined'\n when (attributes_std -> 'addon_profile' -> 'azure_policy' ->>'enabled')::boolean then ' add on azure policy enabled'\n else ' add on azure policy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":66,"endLineNumber":87,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_add_on_azure_policy_enabled","org":"turbot","name":"kubernetes_cluster_add_on_azure_policy_enabled","mod":"Terraform Azure Compliance","title":"Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters","description":"Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters","controlDescription":"Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_local_admin_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_local_admin_disabled","org":"turbot","name":"kubernetes_cluster_local_admin_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'local_account_disabled') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'local_account_disabled') = 'true' then ' local account disabled'\n else ' local account enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":174,"endLineNumber":193,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_local_admin_disabled","org":"turbot","name":"kubernetes_cluster_local_admin_disabled","mod":"Terraform Azure Compliance","title":"Kubernetes clusters local admin should be disabled","description":"Ensure that Kubernetes cluster local admin is disabled. This control is non-compliant if Kubernetes cluster local admin is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters local admin should be disabled","controlDescription":"Ensure that Kubernetes cluster local admin is disabled. This control is non-compliant if Kubernetes cluster local admin is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/KubernetesService"}}},"data_explorer":{"kusto_cluster_encrypted_at_rest_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kusto_cluster_encrypted_at_rest_with_cmk","org":"turbot","name":"kusto_cluster_encrypted_at_rest_with_cmk","sql":"with kusto_clusters as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_kusto_cluster'\n), kusto_cluster_customer_managed_key as (\n select\n split_part((attributes_std ->> 'cluster_id'), '.', 2) as cluster_name\n from\n terraform_resource\n where\n type = 'azurerm_kusto_cluster_customer_managed_key'\n and (attributes_std ->> 'key_vault_id') is not null\n and (attributes_std ->> 'key_name') is not null\n and (attributes_std ->> 'key_version') is not null\n)\nselect\n address as resource,\n case\n when s.cluster_name is null then 'alarm'\n else 'ok'\n end as status,\n split_part(a.address, '.', 2) || case\n when s.cluster_name is null then ' logging disabled'\n else ' logging enabled'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n kusto_clusters as a\n left join kusto_cluster_customer_managed_key as s on a.name = s.cluster_name;\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kusto.pp","startLineNumber":1,"endLineNumber":37,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kusto_cluster_encrypted_at_rest_with_cmk","org":"turbot","name":"kusto_cluster_encrypted_at_rest_with_cmk","mod":"Terraform Azure Compliance","title":"Azure Data Explorer encryption at rest should use a customer-managed key","description":"Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/DataExplorer"}}],"controlTitle":"Azure Data Explorer encryption at rest should use a customer-managed key","controlDescription":"Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/DataExplorer"}},"kusto_cluster_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kusto_cluster_uses_managed_identity","org":"turbot","name":"kusto_cluster_uses_managed_identity","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity') is null then ' ''identity'' is not defined'\n else ' uses ' || (attributes_std -> 'identity' ->> 'type') || ' identity'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kusto_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kusto.pp","startLineNumber":106,"endLineNumber":125,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kusto_cluster_uses_managed_identity","org":"turbot","name":"kusto_cluster_uses_managed_identity","mod":"Terraform Azure Compliance","title":"Kusto clusters should use managed identities","description":"Use a managed identity for enhanced authentication security.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/DataExplorer"}}],"controlTitle":"Kusto clusters should use managed identities","controlDescription":"Use a managed identity for enhanced authentication security.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/DataExplorer"}},"kusto_cluster_sku_with_sla":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kusto_cluster_sku_with_sla","org":"turbot","name":"kusto_cluster_sku_with_sla","sql":"select\n address as resource,\n case\n when (attributes_std -> 'sku' ->> 'name') in ('Dev(No SLA)_Standard_E2a_v4' , 'Dev(No SLA)_Standard_D11_v2') then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'sku' ->> 'name') in ('Dev(No SLA)_Standard_E2a_v4' , 'Dev(No SLA)_Standard_D11_v2') then ' using SKU tier without SLA'\n else ' using SKU tier with SLA'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kusto_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kusto.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kusto_cluster_sku_with_sla","org":"turbot","name":"kusto_cluster_sku_with_sla","mod":"Terraform Azure Compliance","title":"Kusto clusters should use SKU with an SLA","description":"This control checks if Kusto clusters use SKU with an SLA. This control is considered non-compliant if Kusto clusters use SKUs without an SLA.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/DataExplorer"}}],"controlTitle":"Kusto clusters should use SKU with an SLA","controlDescription":"This control checks if Kusto clusters use SKU with an SLA. This control is considered non-compliant if Kusto clusters use SKUs without an SLA.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/DataExplorer"}},"kusto_cluster_double_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kusto_cluster_double_encryption_enabled","org":"turbot","name":"kusto_cluster_double_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'double_encryption_enabled') is null then 'alarm'\n when (attributes_std ->> 'double_encryption_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'double_encryption_enabled') is null then ' ''double_encryption_enabled'' not set'\n when (attributes_std ->> 'double_encryption_enabled')::boolean then ' double encryption enabled'\n else ' double encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kusto_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kusto.pp","startLineNumber":39,"endLineNumber":60,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kusto_cluster_double_encryption_enabled","org":"turbot","name":"kusto_cluster_double_encryption_enabled","mod":"Terraform Azure Compliance","title":"Double encryption should be enabled on Azure Data Explorer","description":"Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/DataExplorer"}}],"controlTitle":"Double encryption should be enabled on Azure Data Explorer","controlDescription":"Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/DataExplorer"}},"kusto_cluster_disk_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kusto_cluster_disk_encryption_enabled","org":"turbot","name":"kusto_cluster_disk_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'disk_encryption_enabled') is null then 'alarm'\n when (attributes_std ->> 'disk_encryption_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'disk_encryption_enabled') is null then ' ''disk_encryption_enabled'' not set'\n when (attributes_std ->> 'disk_encryption_enabled')::boolean then ' disk encryption enabled'\n else ' disk encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kusto_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kusto.pp","startLineNumber":62,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kusto_cluster_disk_encryption_enabled","org":"turbot","name":"kusto_cluster_disk_encryption_enabled","mod":"Terraform Azure Compliance","title":"Disk encryption should be enabled on Azure Data Explorer","description":"Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/DataExplorer"}}],"controlTitle":"Disk encryption should be enabled on Azure Data Explorer","controlDescription":"Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/DataExplorer"}}},"machine_learning":{"machine_learning_workspace_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/machine_learning_workspace_restrict_public_access","org":"turbot","name":"machine_learning_workspace_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_machine_learning_workspace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/machinelearning.pp","startLineNumber":61,"endLineNumber":80,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.machine_learning_workspace_restrict_public_access","org":"turbot","name":"machine_learning_workspace_restrict_public_access","mod":"Terraform Azure Compliance","title":"Machine Learning workspaces should restrict public access","description":"Disabling public network access improves security by ensuring that Machine Learning workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of Machine Learning workspace.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/MachineLearning"}}],"controlTitle":"Machine Learning workspaces should restrict public access","controlDescription":"Disabling public network access improves security by ensuring that Machine Learning workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of Machine Learning workspace.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/MachineLearning"}},"machine_learning_workspace_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/machine_learning_workspace_encrypted_with_cmk","org":"turbot","name":"machine_learning_workspace_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption') is null then ' not encrypted with CMK'\n else ' encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_machine_learning_workspace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/machinelearning.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.machine_learning_workspace_encrypted_with_cmk","org":"turbot","name":"machine_learning_workspace_encrypted_with_cmk","mod":"Terraform Azure Compliance","title":"Azure Machine Learning workspaces should be encrypted with a customer-managed key","description":"Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/MachineLearning"}}],"controlTitle":"Azure Machine Learning workspaces should be encrypted with a customer-managed key","controlDescription":"Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/MachineLearning"}},"machine_learning_compute_cluster_local_auth_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/machine_learning_compute_cluster_local_auth_disabled","org":"turbot","name":"machine_learning_compute_cluster_local_auth_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'local_auth_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'local_auth_enabled') = 'false' then ' local authentication disabled'\n else ' local authentication enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_machine_learning_compute_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/machinelearning.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.machine_learning_compute_cluster_local_auth_disabled","org":"turbot","name":"machine_learning_compute_cluster_local_auth_disabled","mod":"Terraform Azure Compliance","title":"Machine Learning Compute Clusters local authentication should be disabled","description":"This control checks whether Machine Learning Compute Cluster local authentication is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/MachineLearning"}}],"controlTitle":"Machine Learning Compute Clusters local authentication should be disabled","controlDescription":"This control checks whether Machine Learning Compute Cluster local authentication is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/MachineLearning"}},"machine_learning_compute_cluster_minimum_node_zero":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/machine_learning_compute_cluster_minimum_node_zero","org":"turbot","name":"machine_learning_compute_cluster_minimum_node_zero","sql":"select\n address as resource,\n case\n when (attributes_std -> 'scale_settings' ->> 'min_node_count')::int = 0 then 'ok'\n else 'alarm'\n end status,\n name || ' minimum node count set to ' || (attributes_std -> 'scale_settings' ->> 'min_node_count') || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_machine_learning_compute_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/machinelearning.pp","startLineNumber":43,"endLineNumber":59,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.machine_learning_compute_cluster_minimum_node_zero","org":"turbot","name":"machine_learning_compute_cluster_minimum_node_zero","mod":"Terraform Azure Compliance","title":"Machine Learning Compute Clusters minimum node count should be set to zero","description":"This control checks whether Machine Learning Compute Cluster minimum node count is set to zero. This control is non-complaint if Machine Learning Compute Cluster minimum node count is not set to zero.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/MachineLearning"}}],"controlTitle":"Machine Learning Compute Clusters minimum node count should be set to zero","controlDescription":"This control checks whether Machine Learning Compute Cluster minimum node count is set to zero. This control is non-complaint if Machine Learning Compute Cluster minimum node count is not set to zero.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/MachineLearning"}}},"resource_manager":{"resource_manager_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/resource_manager_azure_defender_enabled","org":"turbot","name":"resource_manager_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'Arm' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'info'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'Arm' and (attributes_std ->> 'tier') = 'Standard' then ' Arm azure defender enabled'\n else 'Arm azure defender disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/resourcemanagement.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.resource_manager_azure_defender_enabled","org":"turbot","name":"resource_manager_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for Resource Manager should be enabled","description":"Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/ResourceManager"}}],"controlTitle":"Azure Defender for Resource Manager should be enabled","controlDescription":"Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/ResourceManager"}}},"compute":{"network_interface_ip_forwarding_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_interface_ip_forwarding_disabled","org":"turbot","name":"network_interface_ip_forwarding_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'enable_ip_forwarding')::boolean then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'enable_ip_forwarding')::boolean then ' network interface enabled with IP forwarding'\n else ' network interface disabled with IP forwarding'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_network_interface'\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":35,"endLineNumber":54,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_interface_ip_forwarding_disabled","org":"turbot","name":"network_interface_ip_forwarding_disabled","mod":"Terraform Azure Compliance","title":"IP Forwarding on your virtual machine should be disabled","description":"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"IP Forwarding on your virtual machine should be disabled","controlDescription":"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Compute"}},"compute_managed_disk_set_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_managed_disk_set_encryption_enabled","org":"turbot","name":"compute_managed_disk_set_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'disk_encryption_set_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'disk_encryption_set_id') is not null then ' encryption enabled'\n else ' encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_managed_disk';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":292,"endLineNumber":311,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_managed_disk_set_encryption_enabled","org":"turbot","name":"compute_managed_disk_set_encryption_enabled","mod":"Terraform Azure Compliance","title":"Managed disks should be encrypted","description":"Managed disks should be encrypted to protect data at rest. Encryption at rest is enabled by default for all new managed disks.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Managed disks should be encrypted","controlDescription":"Managed disks should be encrypted to protect data at rest. Encryption at rest is enabled by default for all new managed disks.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_and_scale_set_encryption_at_host_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_and_scale_set_encryption_at_host_enabled","org":"turbot","name":"compute_vm_and_scale_set_encryption_at_host_enabled","sql":"$8f","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":179,"endLineNumber":225,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_and_scale_set_encryption_at_host_enabled","org":"turbot","name":"compute_vm_and_scale_set_encryption_at_host_enabled","mod":"Terraform Azure Compliance","title":"Virtual machines and virtual machine scale sets should have encryption at host enabled","description":"Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Virtual machines and virtual machine scale sets should have encryption at host enabled","controlDescription":"Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_allow_extension_operations_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_allow_extension_operations_disabled","org":"turbot","name":"compute_vm_allow_extension_operations_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'allow_extension_operations')::boolean or (attributes_std ->> 'allow_extension_operations') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'allow_extension_operations')::boolean or (attributes_std ->> 'allow_extension_operations') is null then ' allow extension operations'\n else ' disallow extension operations'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_linux_virtual_machine', 'azurerm_windows_virtual_machine');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":313,"endLineNumber":332,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_allow_extension_operations_disabled","org":"turbot","name":"compute_vm_allow_extension_operations_disabled","mod":"Terraform Azure Compliance","title":"Virtual machines should not allow extension operations","description":"Virtual machines should not allow extension operations to prevent unauthorized users from adding extensions to virtual machines.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Virtual machines should not allow extension operations","controlDescription":"Virtual machines should not allow extension operations to prevent unauthorized users from adding extensions to virtual machines.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_and_scale_set_agent_installed":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_and_scale_set_agent_installed","org":"turbot","name":"compute_vm_and_scale_set_agent_installed","sql":"select\n address as resource,\n case\n when (attributes_std -> 'provision_vm_agent') = 'false' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'provision_vm_agent') = 'false' then ' agent not installed'\n else ' agent installed'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_linux_virtual_machine_scale_set', 'azurerm_windows_virtual_machine_scale_set', 'azurerm_windows_virtual_machine', 'azurerm_linux_virtual_machine');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":460,"endLineNumber":479,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_and_scale_set_agent_installed","org":"turbot","name":"compute_vm_and_scale_set_agent_installed","mod":"Terraform Azure Compliance","title":"Virtual machines and scale sets should have agent installed","description":"This control checks whether windows virtual machine and scale sets have agent installed.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Virtual machines and scale sets should have agent installed","controlDescription":"This control checks whether windows virtual machine and scale sets have agent installed.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_uses_azure_resource_manager":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_uses_azure_resource_manager","org":"turbot","name":"compute_vm_uses_azure_resource_manager","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_group_name') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_group_name') is not null then ' uses azure resource manager'\n else ' uses azure resource manager'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_virtual_machine';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":227,"endLineNumber":246,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_uses_azure_resource_manager","org":"turbot","name":"compute_vm_uses_azure_resource_manager","mod":"Terraform Azure Compliance","title":"Virtual machines should be migrated to new Azure Resource Manager resources","description":"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Virtual machines should be migrated to new Azure Resource Manager resources","controlDescription":"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_malware_agent_installed":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_malware_agent_installed","org":"turbot","name":"compute_vm_malware_agent_installed","sql":"$90","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":248,"endLineNumber":290,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_malware_agent_installed","org":"turbot","name":"compute_vm_malware_agent_installed","mod":"Terraform Azure Compliance","title":"Deploy default Microsoft IaaSAntimalware extension for Windows Server","description":"This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the anti-malware extension.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Deploy default Microsoft IaaSAntimalware extension for Windows Server","controlDescription":"This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the anti-malware extension.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_disable_password_authentication_linux":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_disable_password_authentication_linux","org":"turbot","name":"compute_vm_disable_password_authentication_linux","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'disable_password_authentication')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'disable_password_authentication')::boolean then ' disable password authentication'\n else ' enable password authentication'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_linux_virtual_machine';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":334,"endLineNumber":353,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_disable_password_authentication_linux","org":"turbot","name":"compute_vm_disable_password_authentication_linux","mod":"Terraform Azure Compliance","title":"Linux virtual machines should disable password authentication","description":"Linux virtual machines should disable password authentication to prevent brute-force attacks.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Linux virtual machines should disable password authentication","controlDescription":"Linux virtual machines should disable password authentication to prevent brute-force attacks.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_scale_set_automatic_os_upgrade_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_scale_set_automatic_os_upgrade_enabled","org":"turbot","name":"compute_vm_scale_set_automatic_os_upgrade_enabled","sql":" select\n address as resource,\n case\n when (attributes_std -> 'automatic_os_upgrade_policy' ->> 'enable_automatic_os_upgrade') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'automatic_os_upgrade_policy' ->> 'enable_automatic_os_upgrade') = 'true' then ' automatic OS upgrade enabled'\n else ' automatic OS upgrade disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_linux_virtual_machine_scale_set', 'azurerm_windows_virtual_machine_scale_set');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":418,"endLineNumber":437,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_scale_set_automatic_os_upgrade_enabled","org":"turbot","name":"compute_vm_scale_set_automatic_os_upgrade_enabled","mod":"Terraform Azure Compliance","title":"Compute virtual machine scale sets should have automatic OS image patching enabled","description":"This control checks whether virtual machine scale sets have automatic OS image patching enabled.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Compute virtual machine scale sets should have automatic OS image patching enabled","controlDescription":"This control checks whether virtual machine scale sets have automatic OS image patching enabled.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_guest_configuration_installed_windows":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_guest_configuration_installed_windows","org":"turbot","name":"compute_vm_guest_configuration_installed_windows","sql":"$91","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":22,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_guest_configuration_installed_windows","org":"turbot","name":"compute_vm_guest_configuration_installed_windows","mod":"Terraform Azure Compliance","title":"Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs","description":"This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs","controlDescription":"This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_scale_set_disable_password_authentication_linux":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_scale_set_disable_password_authentication_linux","org":"turbot","name":"compute_vm_scale_set_disable_password_authentication_linux","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'disable_password_authentication') = 'false' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'disable_password_authentication') = 'false' then ' password authentication enabled'\n else ' password authentication disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_linux_virtual_machine_scale_set';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":376,"endLineNumber":395,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_scale_set_disable_password_authentication_linux","org":"turbot","name":"compute_vm_scale_set_disable_password_authentication_linux","mod":"Terraform Azure Compliance","title":"Linux virtual machines scale sets should disable password authentication","description":"Linux virtual machines scale sets should disable password authentication to prevent brute-force attacks.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Linux virtual machines scale sets should disable password authentication","controlDescription":"Linux virtual machines scale sets should disable password authentication to prevent brute-force attacks.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_guest_configuration_installed":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_guest_configuration_installed","org":"turbot","name":"compute_vm_guest_configuration_installed","sql":"with all_vm as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_virtual_machine'\n), vm_extensions as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_virtual_machine_extension'\n),\nvm_guest_configuration as (\n select\n split_part((b.attributes_std ->> 'virtual_machine_id'), '.', 2) as vm_name\n from\n all_vm as a\n left join vm_extensions as b on (split_part((b.attributes_std ->> 'virtual_machine_id'), '.', 2)) = a.name\n where\n (b.attributes_std ->> 'publisher') = 'Microsoft.GuestConfiguration'\n)\nselect\n address as resource,\n case\n when d.vm_name is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when d.vm_name is null then ' have guest configuration extension not installed'\n else ' have guest configuration extension installed'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n all_vm as c\n left join vm_guest_configuration as d on c.name = d.vm_name;\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":67,"endLineNumber":109,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_guest_configuration_installed","org":"turbot","name":"compute_vm_guest_configuration_installed","mod":"Terraform Azure Compliance","title":"Guest Configuration extension should be installed on your machines","description":"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Guest Configuration extension should be installed on your machines","controlDescription":"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_disable_password_authentication":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_disable_password_authentication","org":"turbot","name":"compute_vm_disable_password_authentication","sql":"select\n address as resource,\n case\n when (attributes_std -> 'os_profile_linux_config' ->> 'disable_password_authentication')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'os_profile_linux_config' ->> 'disable_password_authentication')::boolean then ' disable password authentication'\n else ' enable password authentication'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_virtual_machine';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":355,"endLineNumber":374,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_disable_password_authentication","org":"turbot","name":"compute_vm_disable_password_authentication","mod":"Terraform Azure Compliance","title":"Virtual machines should disable password authentication","description":"Virtual machines should disable password authentication to prevent brute-force attacks.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Virtual machines should disable password authentication","controlDescription":"Virtual machines should disable password authentication to prevent brute-force attacks.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_and_scale_set_ssh_key_enabled_linux":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_and_scale_set_ssh_key_enabled_linux","org":"turbot","name":"compute_vm_and_scale_set_ssh_key_enabled_linux","sql":"select\n address as resource,\n case\n when (attributes_std -> 'admin_ssh_key') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'admin_ssh_key') is not null then ' SSH key enabled'\n else ' SSH key disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_linux_virtual_machine_scale_set', 'azurerm_windows_virtual_machine_scale_set');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":397,"endLineNumber":416,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_and_scale_set_ssh_key_enabled_linux","org":"turbot","name":"compute_vm_and_scale_set_ssh_key_enabled_linux","mod":"Terraform Azure Compliance","title":"Linux Virtual machines and scale sets should enable SSH key authentication","description":"Ensure linux VM enables SSH with keys for secure communication.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Linux Virtual machines and scale sets should enable SSH key authentication","controlDescription":"Ensure linux VM enables SSH with keys for secure communication.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_guest_configuration_installed_linux":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_guest_configuration_installed_linux","org":"turbot","name":"compute_vm_guest_configuration_installed_linux","sql":"$92","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":134,"endLineNumber":177,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_guest_configuration_installed_linux","org":"turbot","name":"compute_vm_guest_configuration_installed_linux","mod":"Terraform Azure Compliance","title":"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs","description":"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs","controlDescription":"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_system_updates_installed":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_system_updates_installed","org":"turbot","name":"compute_vm_system_updates_installed","sql":"select\n address as resource,\n case\n when (attributes_std -> 'os_profile_windows_config' ->> 'enable_automatic_upgrades')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'os_profile_windows_config' ->> 'enable_automatic_upgrades')::boolean then ' automatic system updates enabled'\n else ' automatic system updates disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_virtual_machine';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_system_updates_installed","org":"turbot","name":"compute_vm_system_updates_installed","mod":"Terraform Azure Compliance","title":"System updates should be installed on your machines","description":"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"System updates should be installed on your machines","controlDescription":"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_automatic_updates_enabled_windows":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_automatic_updates_enabled_windows","org":"turbot","name":"compute_vm_automatic_updates_enabled_windows","sql":"select\n address as resource,\n case\n when not (attributes_std ->> 'enable_automatic_updates')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when not (attributes_std ->> 'enable_automatic_updates')::boolean then ' automatic updates disabled'\n else ' automatic updates enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_windows_virtual_machine', 'azurerm_windows_virtual_machine_scale_set');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":439,"endLineNumber":458,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_automatic_updates_enabled_windows","org":"turbot","name":"compute_vm_automatic_updates_enabled_windows","mod":"Terraform Azure Compliance","title":"Windows Virtual machines and scale sets should have automatic updates enabled","description":"This control checks whether windows virtual machine and scale sets have automatic updates enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Windows Virtual machines and scale sets should have automatic updates enabled","controlDescription":"This control checks whether windows virtual machine and scale sets have automatic updates enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}},"compute_firewall_allow_ftp_port_21_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_firewall_allow_ftp_port_21_ingress","org":"turbot","name":"compute_firewall_allow_ftp_port_21_ingress","sql":"$93","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":506,"endLineNumber":560,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_firewall_allow_ftp_port_21_ingress","org":"turbot","name":"compute_firewall_allow_ftp_port_21_ingress","mod":"Terraform GCP Compliance","title":"Google compute firewall ingress does not allow unrestricted FTP port 21 access","description":"This control checks if Google compute firewall ingress does not allow unrestricted FTP port 21 access.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Google compute firewall ingress does not allow unrestricted FTP port 21 access","controlDescription":"This control checks if Google compute firewall ingress does not allow unrestricted FTP port 21 access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_instance_with_no_default_service_account_with_full_access":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_with_no_default_service_account_with_full_access","org":"turbot","name":"compute_instance_with_no_default_service_account_with_full_access","sql":"$94","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":55,"endLineNumber":78,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_instance_with_no_default_service_account_with_full_access","org":"turbot","name":"compute_instance_with_no_default_service_account_with_full_access","mod":"Terraform GCP Compliance","title":"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs","description":"To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.2","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs","controlDescription":"To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.2","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}},"compute_firewall_allow_ftp_port_20_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_firewall_allow_ftp_port_20_ingress","org":"turbot","name":"compute_firewall_allow_ftp_port_20_ingress","sql":"$95","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":450,"endLineNumber":504,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_firewall_allow_ftp_port_20_ingress","org":"turbot","name":"compute_firewall_allow_ftp_port_20_ingress","mod":"Terraform GCP Compliance","title":"Google compute firewall ingress does not allow unrestricted FTP port 20 access","description":"This control checks if Google compute firewall ingress does not allow unrestricted FTP port 20 access.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Google compute firewall ingress does not allow unrestricted FTP port 20 access","controlDescription":"This control checks if Google compute firewall ingress does not allow unrestricted FTP port 20 access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_instance_shielded_vm_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_shielded_vm_enabled","org":"turbot","name":"compute_instance_shielded_vm_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'shielded_instance_config') is null then 'alarm'\n when (attributes_std -> 'shielded_instance_config' -> 'enable_integrity_monitoring')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'shielded_instance_config') is null then ' shielded VM disabled'\n when (attributes_std -> 'shielded_instance_config' -> 'enable_integrity_monitoring')::bool then ' shielded VM enabled'\n else ' shielded VM disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":234,"endLineNumber":255,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_instance_shielded_vm_enabled","org":"turbot","name":"compute_instance_shielded_vm_enabled","mod":"Terraform GCP Compliance","title":"Ensure Compute instances are launched with Shielded VM enabled","description":"To defend against advanced threats and to ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.8","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Ensure Compute instances are launched with Shielded VM enabled","controlDescription":"To defend against advanced threats and to ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.8","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}},"compute_subnetwork_private_ip_google_access":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_subnetwork_private_ip_google_access","org":"turbot","name":"compute_subnetwork_private_ip_google_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'private_ip_google_access')::boolean then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'private_ip_google_access') is null then ' ''private_ip_google_access'' is not defined'\n when (attributes_std ->> 'private_ip_google_access')::boolean then ' private Google Access is enabled'\n else ' private Google Access is disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_subnetwork';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":189,"endLineNumber":207,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_subnetwork_private_ip_google_access","org":"turbot","name":"compute_subnetwork_private_ip_google_access","mod":"Terraform GCP Compliance","title":"Ensure Private Google Access is enabled for all subnetworks in VPC","tags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Ensure Private Google Access is enabled for all subnetworks in VPC","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Compute"}},"compute_instance_ip_forwarding_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_ip_forwarding_disabled","org":"turbot","name":"compute_instance_ip_forwarding_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'can_ip_forward') is null then 'alarm'\n when (attributes_std -> 'can_ip_forward')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'can_ip_forward') is null then ' IP forwarding disabled'\n when (attributes_std -> 'can_ip_forward')::bool then ' IP forwarding enabled'\n else ' IP forwarding disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":257,"endLineNumber":278,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_instance_ip_forwarding_disabled","org":"turbot","name":"compute_instance_ip_forwarding_disabled","mod":"Terraform GCP Compliance","title":"Ensure that IP forwarding is not enabled on Instances","description":"Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.6","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Ensure that IP forwarding is not enabled on Instances","controlDescription":"Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.6","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}},"compute_instance_serial_port_connection_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_serial_port_connection_disabled","org":"turbot","name":"compute_instance_serial_port_connection_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'metadata') is null then 'alarm'\n when (attributes_std -> 'metadata' -> 'serial-port-enable') is null then 'alarm'\n when (attributes_std -> 'metadata' ->> 'serial-port-enable') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'metadata') is null then ' ''metadata'' property is not defined'\n when (attributes_std -> 'metadata' -> 'serial-port-enable') is null then ' ''serial-port-enable'' property is not defined'\n when (attributes_std -> 'metadata' ->> 'serial-port-enable') = 'true' then ' has serial port connections enabled'\n else ' has serial port connections disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":209,"endLineNumber":232,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_instance_serial_port_connection_disabled","org":"turbot","name":"compute_instance_serial_port_connection_disabled","mod":"Terraform GCP Compliance","title":"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance","description":"Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.5","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance","controlDescription":"Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.5","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}},"compute_instance_boot_disk_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_boot_disk_encryption_enabled","org":"turbot","name":"compute_instance_boot_disk_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'boot_disk' -> 'disk_encryption_key_raw') is not null or (attributes_std -> 'boot_disk' -> 'kms_key_self_link') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'boot_disk' -> 'disk_encryption_key_raw') is not null or (attributes_std -> 'boot_disk' -> 'kms_key_self_link') is not null then ' boot disk encryption enabled'\n else ' boot disk encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":301,"endLineNumber":320,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_instance_boot_disk_encryption_enabled","org":"turbot","name":"compute_instance_boot_disk_encryption_enabled","mod":"Terraform GCP Compliance","title":"Compute instance boot disk encryption should be enabled","description":"This control checks whether Compute instance boot disk encryption is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Compute instance boot disk encryption should be enabled","controlDescription":"This control checks whether Compute instance boot disk encryption is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_instance_oslogin_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_oslogin_enabled","org":"turbot","name":"compute_instance_oslogin_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'metadata') is null then 'alarm'\n when (attributes_std -> 'metadata' -> 'enable-oslogin') is null then 'alarm'\n when (attributes_std -> 'metadata' ->> 'enable-oslogin') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'metadata') is null then ' ''metadata'' property is not defined'\n when (attributes_std -> 'metadata' -> 'enable-oslogin') is null then ' ''enable-oslogin'' property is not defined'\n when (attributes_std -> 'metadata' ->> 'enable-oslogin') = 'true' then ' has OS login enabled'\n else ' has OS login disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":1,"endLineNumber":24,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_instance_oslogin_enabled","org":"turbot","name":"compute_instance_oslogin_enabled","mod":"Terraform GCP Compliance","title":"Ensure OS login is enabled for a project","description":"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.4","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Ensure OS login is enabled for a project","controlDescription":"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.4","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}},"compute_firewall_allow_ssh_port_22_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_firewall_allow_ssh_port_22_ingress","org":"turbot","name":"compute_firewall_allow_ssh_port_22_ingress","sql":"$96","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":562,"endLineNumber":616,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_firewall_allow_ssh_port_22_ingress","org":"turbot","name":"compute_firewall_allow_ssh_port_22_ingress","mod":"Terraform GCP Compliance","title":"Google compute firewall ingress does not allow unrestricted SSH port 22 access","description":"This control checks if Google compute firewall ingress does not allow unrestricted SSH port 22 access.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Google compute firewall ingress does not allow unrestricted SSH port 22 access","controlDescription":"This control checks if Google compute firewall ingress does not allow unrestricted SSH port 22 access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_instance_confidential_computing_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_confidential_computing_enabled","org":"turbot","name":"compute_instance_confidential_computing_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'confidential_instance_config') is null then 'alarm'\n when (attributes_std -> 'confidential_instance_config' -> 'enable_confidential_compute')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'confidential_instance_config') is null then ' confidential computing disabled'\n when (attributes_std -> 'confidential_instance_config' -> 'enable_confidential_compute')::bool then ' confidential computing enabled'\n else ' confidential computing disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":166,"endLineNumber":187,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_instance_confidential_computing_enabled","org":"turbot","name":"compute_instance_confidential_computing_enabled","mod":"Terraform GCP Compliance","title":"Ensure that Compute instances have Confidential Computing enabled","description":"Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.11","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Ensure that Compute instances have Confidential Computing enabled","controlDescription":"Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.11","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}},"compute_instance_with_no_public_ip_addresses":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_with_no_public_ip_addresses","org":"turbot","name":"compute_instance_with_no_public_ip_addresses","sql":"select\n address as resource,\n case\n when (attributes_std -> 'network_interface' -> 'access_config') is null or (attributes_std -> 'network_interface' ->> 'access_config') like '{}' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'network_interface' -> 'access_config') is null or (attributes_std -> 'network_interface' ->> 'access_config') like '{}' then ' not associated with public IP addresses'\n else ' associated with public IP addresses'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":280,"endLineNumber":299,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_instance_with_no_public_ip_addresses","org":"turbot","name":"compute_instance_with_no_public_ip_addresses","mod":"Terraform GCP Compliance","title":"Ensure that Compute instances do not have public IP addresses","description":"Compute instances should not be configured to have external IP addresses.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.9","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Ensure that Compute instances do not have public IP addresses","controlDescription":"Compute instances should not be configured to have external IP addresses.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.9","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}},"compute_subnetwork_private_ipv6_google_access":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_subnetwork_private_ipv6_google_access","org":"turbot","name":"compute_subnetwork_private_ipv6_google_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'private_ipv6_google_access') in ('ENABLE_OUTBOUND_VM_ACCESS_TO_GOOGLE', 'ENABLE_BIDIRECTIONAL_ACCESS_TO_GOOGLE') then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'private_ipv6_google_access') in ('ENABLE_OUTBOUND_VM_ACCESS_TO_GOOGLE', 'ENABLE_BIDIRECTIONAL_ACCESS_TO_GOOGLE') then ' private IPv6 Google Access is enabled'\n else ' private IPv6 Google Access is disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_subnetwork';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":374,"endLineNumber":392,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_subnetwork_private_ipv6_google_access","org":"turbot","name":"compute_subnetwork_private_ipv6_google_access","mod":"Terraform GCP Compliance","title":"Compute Subnetworks should have Private IPv6 Google Access enabled","description":"This control checks if Compute Subnetworks have Private IPv6 Google Access enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Compute Subnetworks should have Private IPv6 Google Access enabled","controlDescription":"This control checks if Compute Subnetworks have Private IPv6 Google Access enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_security_policy_prevent_message_lookup":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_security_policy_prevent_message_lookup","org":"turbot","name":"compute_security_policy_prevent_message_lookup","sql":"$97","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":351,"endLineNumber":372,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_security_policy_prevent_message_lookup","org":"turbot","name":"compute_security_policy_prevent_message_lookup","mod":"Terraform GCP Compliance","title":"Cloud Armor prevents message lookup in Log4j2","description":"This control checks if Cloud Armor is configured to prevent message lookup in Log4j2. See CVE-2021-44228 aka log4jshell.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Cloud Armor prevents message lookup in Log4j2","controlDescription":"This control checks if Cloud Armor is configured to prevent message lookup in Log4j2. See CVE-2021-44228 aka log4jshell.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_firewall_allow_mysql_port_3306_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_firewall_allow_mysql_port_3306_ingress","org":"turbot","name":"compute_firewall_allow_mysql_port_3306_ingress","sql":"$98","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":674,"endLineNumber":728,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_firewall_allow_mysql_port_3306_ingress","org":"turbot","name":"compute_firewall_allow_mysql_port_3306_ingress","mod":"Terraform GCP Compliance","title":"Google compute firewall ingress does not allow unrestricted MySQL port 3306 access","description":"This control checks if Google compute firewall ingress does not allow unrestricted MySQL port 3306 access.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Google compute firewall ingress does not allow unrestricted MySQL port 3306 access","controlDescription":"This control checks if Google compute firewall ingress does not allow unrestricted MySQL port 3306 access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_network_contains_no_legacy_network":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_network_contains_no_legacy_network","org":"turbot","name":"compute_network_contains_no_legacy_network","sql":"select\n address as resource,\n case\n when (attributes_std -> 'auto_create_subnetworks') is null then 'ok'\n when (attributes_std -> 'auto_create_subnetworks')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'auto_create_subnetworks') is null then ' is not a legacy network'\n when (attributes_std -> 'auto_create_subnetworks')::bool then ' is not a legacy network'\n else ' is a legacy network'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_network';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":122,"endLineNumber":142,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_network_contains_no_legacy_network","org":"turbot","name":"compute_network_contains_no_legacy_network","mod":"Terraform GCP Compliance","title":"Ensure legacy networks do not exist for a project","description":"Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. Subnetworks cannot be created in a legacy network and are unable to switch from legacy to auto or custom subnet networks. Legacy networks can have an impact for high network traffic projects and are subjected to a single point of contention or failure.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.2","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Ensure legacy networks do not exist for a project","controlDescription":"Legacy networks have a single network IPv4 prefix range and a single gateway IP address for the whole network. The network is global in scope and spans all cloud regions. Subnetworks cannot be created in a legacy network and are unable to switch from legacy to auto or custom subnet networks. Legacy networks can have an impact for high network traffic projects and are subjected to a single point of contention or failure.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"3.2","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}},"compute_network_contains_no_default_network":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_network_contains_no_default_network","org":"turbot","name":"compute_network_contains_no_default_network","sql":"select\n address as resource,\n case\n when name not ilike 'default' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when name not ilike 'default' and (attributes_std ->> 'project') is not null then ' ' || (attributes_std ->> 'project') || ' is not using default network'\n when name not ilike 'default' and (attributes_std ->> 'project') is null then ' provider project is not using default network'\n when name ilike 'default' and (attributes_std ->> 'project') is null then ' provider project is using default network'\n when name ilike 'default' and (attributes_std ->> 'project') is not null then ' ' || (attributes_std ->> 'project') || ' is using default network'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_network';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":80,"endLineNumber":100,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_network_contains_no_default_network","org":"turbot","name":"compute_network_contains_no_default_network","mod":"Terraform GCP Compliance","title":"Ensure that the default network does not exist in a project","description":"The default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses, and as a result, it is not possible to use Cloud VPN or VPC Network Peering with the default network. The organization should create a new network based on the requirement and delete the default network.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Ensure that the default network does not exist in a project","controlDescription":"The default network is an auto mode network, which means that its subnets use the same predefined range of IP addresses, and as a result, it is not possible to use Cloud VPN or VPC Network Peering with the default network. The organization should create a new network based on the requirement and delete the default network.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"3.1","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}},"compute_firewall_allow_http_port_80_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_firewall_allow_http_port_80_ingress","org":"turbot","name":"compute_firewall_allow_http_port_80_ingress","sql":"$99","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":394,"endLineNumber":448,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_firewall_allow_http_port_80_ingress","org":"turbot","name":"compute_firewall_allow_http_port_80_ingress","mod":"Terraform GCP Compliance","title":"Google compute firewall ingress does not allow unrestricted HTTP port 80 access","description":"This control checks if Google compute firewall ingress does not allow unrestricted HTTP port 80 access.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Google compute firewall ingress does not allow unrestricted HTTP port 80 access","controlDescription":"This control checks if Google compute firewall ingress does not allow unrestricted HTTP port 80 access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_instance_block_project_wide_ssh_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_block_project_wide_ssh_enabled","org":"turbot","name":"compute_instance_block_project_wide_ssh_enabled","sql":"$9a","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":322,"endLineNumber":349,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_instance_block_project_wide_ssh_enabled","org":"turbot","name":"compute_instance_block_project_wide_ssh_enabled","mod":"Terraform GCP Compliance","title":"Ensure 'Block Project-wide SSH keys' is enabled for VM instances","description":"It is recommended to use instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access instances.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Ensure 'Block Project-wide SSH keys' is enabled for VM instances","controlDescription":"It is recommended to use instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access instances.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}},"compute_subnetwork_flow_log_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_subnetwork_flow_log_enabled","org":"turbot","name":"compute_subnetwork_flow_log_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'purpose') in ('REGIONAL_MANAGED_PROXY', 'GLOBAL_MANAGED_PROXY') then 'skip'\n when (attributes_std -> 'log_config') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'purpose') in ('REGIONAL_MANAGED_PROXY', 'GLOBAL_MANAGED_PROXY') then ' flow logging not supported'\n when (attributes_std -> 'log_config') is not null then ' flow logging enabled'\n else ' flow logging disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_subnetwork';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":144,"endLineNumber":164,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_subnetwork_flow_log_enabled","org":"turbot","name":"compute_subnetwork_flow_log_enabled","mod":"Terraform GCP Compliance","title":"Ensure VPC Flow logs is enabled for every subnet in VPC Network","tags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Ensure VPC Flow logs is enabled for every subnet in VPC Network","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Compute"}},"compute_disk_encrypted_with_csk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_disk_encrypted_with_csk","org":"turbot","name":"compute_disk_encrypted_with_csk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'disk_encryption_key') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'disk_encryption_key') is null then 'not encrypted with Customer Supplied Key'\n else ' encrypted with Customer Supplied Key'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_disk';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":102,"endLineNumber":120,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_disk_encrypted_with_csk","org":"turbot","name":"compute_disk_encrypted_with_csk","mod":"Terraform GCP Compliance","title":"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)","description":"Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.7","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)","controlDescription":"Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.7","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}},"compute_firewall_allow_rdp_port_3389_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_firewall_allow_rdp_port_3389_ingress","org":"turbot","name":"compute_firewall_allow_rdp_port_3389_ingress","sql":"$9b","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":618,"endLineNumber":672,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_firewall_allow_rdp_port_3389_ingress","org":"turbot","name":"compute_firewall_allow_rdp_port_3389_ingress","mod":"Terraform GCP Compliance","title":"Google compute firewall ingress does not allow unrestricted RDP port 3389 access","description":"This control checks if Google compute firewall ingress does not allow unrestricted RDP port 3389 access.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Google compute firewall ingress does not allow unrestricted RDP port 3389 access","controlDescription":"This control checks if Google compute firewall ingress does not allow unrestricted RDP port 3389 access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_instance_with_no_default_service_account":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_with_no_default_service_account","org":"turbot","name":"compute_instance_with_no_default_service_account","sql":"$9c","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":26,"endLineNumber":53,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_instance_with_no_default_service_account","org":"turbot","name":"compute_instance_with_no_default_service_account","mod":"Terraform GCP Compliance","title":"Ensure that instances are not configured to use the default service account","description":"It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.1","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Ensure that instances are not configured to use the default service account","controlDescription":"It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.1","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Compute"}},"compute_instance_monitoring_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/compute_instance_monitoring_enabled","org":"turbot","name":"compute_instance_monitoring_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'agent_config' -> 'is_monitoring_disabled') is null or\n not (attributes_std -> 'agent_config' -> 'is_monitoring_disabled')::boolean)\n then 'ok'\n else 'alarm'\n end as status,\n name || case\n when ((attributes_std -> 'agent_config' -> 'is_monitoring_disabled') is null or\n not (attributes_std -> 'agent_config' -> 'is_monitoring_disabled')::boolean)\n then ' has monitoring enabled'\n else ' has monitoring disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":1,"endLineNumber":24,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.compute_instance_monitoring_enabled","org":"turbot","name":"compute_instance_monitoring_enabled","mod":"Terraform OCI Compliance","title":"Compute instance monitoring should be enabled","description":"Oracle Cloud Infrastructure Monitoring helps organizations optimize the resource utilization and uptime of their infrastructure and applications. This service provides fine-grained, out-of-the-box metrics and dashboards that equip DevOps, IT, and site reliability engineers (SREs) with the real-time insights to respond to anomalies as they occur. The Monitoring capabilities are concerning Service Metrics, Metrics Explorer, Alarm Status and Definition and Health Checks.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Compute"}}],"controlTitle":"Compute instance monitoring should be enabled","controlDescription":"Oracle Cloud Infrastructure Monitoring helps organizations optimize the resource utilization and uptime of their infrastructure and applications. This service provides fine-grained, out-of-the-box metrics and dashboards that equip DevOps, IT, and site reliability engineers (SREs) with the real-time insights to respond to anomalies as they occur. The Monitoring capabilities are concerning Service Metrics, Metrics Explorer, Alarm Status and Definition and Health Checks.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Compute"}},"compute_instance_boot_volume_encryption_in_transit_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/compute_instance_boot_volume_encryption_in_transit_enabled","org":"turbot","name":"compute_instance_boot_volume_encryption_in_transit_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'launch_options' -> 'is_pv_encryption_in_transit_enabled') is not null and\n (attributes_std -> 'launch_options' ->> 'is_pv_encryption_in_transit_enabled')::boolean)\n then 'ok'\n else 'alarm'\n end as status,\n name || case\n when ((attributes_std -> 'launch_options' -> 'is_pv_encryption_in_transit_enabled') is not null and\n (attributes_std -> 'launch_options' ->> 'is_pv_encryption_in_transit_enabled')::boolean)\n then ' encryption in transit enabled'\n else ' encryption in transit disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":51,"endLineNumber":74,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.compute_instance_boot_volume_encryption_in_transit_enabled","org":"turbot","name":"compute_instance_boot_volume_encryption_in_transit_enabled","mod":"Terraform OCI Compliance","title":"Compute instance boot volume encryption in transit should be enabled","description":"This control checks whether the boot volume encryption in transit is enabled or not. The boot volume encryption in transit is a feature that enables you to encrypt the data on the boot volume when it is transferred between the boot volume and the instance.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Compute"}}],"controlTitle":"Compute instance boot volume encryption in transit should be enabled","controlDescription":"This control checks whether the boot volume encryption in transit is enabled or not. The boot volume encryption in transit is a feature that enables you to encrypt the data on the boot volume when it is transferred between the boot volume and the instance.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Compute"}},"compute_instance_metadata_service_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/compute_instance_metadata_service_disabled","org":"turbot","name":"compute_instance_metadata_service_disabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'instance_options' ->> 'are_legacy_imds_endpoints_disabled') is not null and\n (attributes_std -> 'instance_options' ->> 'are_legacy_imds_endpoints_disabled')::boolean)\n then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'instance_options' ->> 'are_legacy_imds_endpoints_disabled') is not null and\n (attributes_std -> 'instance_options' ->> 'are_legacy_imds_endpoints_disabled')::boolean)\n then ' legacy metadata service endpoint disabled'\n else ' legacy metadata service endpoint enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":26,"endLineNumber":49,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.compute_instance_metadata_service_disabled","org":"turbot","name":"compute_instance_metadata_service_disabled","mod":"Terraform OCI Compliance","title":"Compute instance legacy metadata service endpoint should be disabled","description":"The instance metadata service (IMDS) provides information about a running instance, including a variety of details about the instance, its attached virtual network interface cards (VNICs), its attached multipath-enabled volume attachments, and any custom metadata that you define. IMDS also provides information to cloud-init that you can use for various system initialization tasks. To increase the security of metadata requests, it is strongly recommended to update all applications to use the IMDS version 2 endpoint, if supported by the image. Then, disable requests to IMDS version 1.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Compute"}}],"controlTitle":"Compute instance legacy metadata service endpoint should be disabled","controlDescription":"The instance metadata service (IMDS) provides information about a running instance, including a variety of details about the instance, its attached virtual network interface cards (VNICs), its attached multipath-enabled volume attachments, and any custom metadata that you define. IMDS also provides information to cloud-init that you can use for various system initialization tasks. To increase the security of metadata requests, it is strongly recommended to update all applications to use the IMDS version 2 endpoint, if supported by the image. Then, disable requests to IMDS version 1.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Compute"}}},"dns":{"dns_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/dns_azure_defender_enabled","org":"turbot","name":"dns_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'Dns' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'Dns' and (attributes_std ->> 'tier') = 'Standard' then ' Dns azure defender enabled'\n else ' Dns azure defender disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dns.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.dns_azure_defender_enabled","org":"turbot","name":"dns_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for DNS should be enabled","description":"Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/DNS"}}],"controlTitle":"Azure Defender for DNS should be enabled","controlDescription":"Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/DNS"}},"dns_managed_zone_zone_signing_not_using_rsasha1":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/dns_managed_zone_zone_signing_not_using_rsasha1","org":"turbot","name":"dns_managed_zone_zone_signing_not_using_rsasha1","sql":"$9d","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dns.pp","startLineNumber":1,"endLineNumber":32,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.dnssec_prevent_rsasha1_zsk","org":"turbot","name":"dnssec_prevent_rsasha1_zsk","mod":"Terraform GCP Compliance","title":"Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS","tags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/DNS"}}],"controlTitle":"Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/DNS"}},"dns_managed_zone_key_signing_not_using_rsasha1":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/dns_managed_zone_key_signing_not_using_rsasha1","org":"turbot","name":"dns_managed_zone_key_signing_not_using_rsasha1","sql":"$9e","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dns.pp","startLineNumber":63,"endLineNumber":94,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.dns_managed_zone_dnssec_enabled","org":"turbot","name":"dns_managed_zone_dnssec_enabled","mod":"Terraform GCP Compliance","title":"Ensure that DNSSEC is enabled for Cloud DNS","description":"Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/DNS"}},{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.dnssec_prevent_rsasha1_ksk","org":"turbot","name":"dnssec_prevent_rsasha1_ksk","mod":"Terraform GCP Compliance","title":"Ensure that RSASHA1 is not used for key-signing key in Cloud DNS","tags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/DNS"}}],"controlTitle":"Ensure that DNSSEC is enabled for Cloud DNS","controlDescription":"Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"3.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/DNS","cft_scorecard_v1":"true"}}},"data_factory":{"data_factory_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/data_factory_restrict_public_access","org":"turbot","name":"data_factory_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_enabled') = 'false' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_data_factory';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/datafactory.pp","startLineNumber":24,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.data_factory_restrict_public_access","org":"turbot","name":"data_factory_restrict_public_access","mod":"Terraform Azure Compliance","title":"Data factories should have public network access disabled","description":"Disable public network access on your Data factory to prevent the account from being accessed from the public internet. This prevents the account from being accessed from the public internet.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/DataFactory"}}],"controlTitle":"Data factories should have public network access disabled","controlDescription":"Disable public network access on your Data factory to prevent the account from being accessed from the public internet. This prevents the account from being accessed from the public internet.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/DataFactory"}},"data_factory_uses_git_repository":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/data_factory_uses_git_repository","org":"turbot","name":"data_factory_uses_git_repository","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'github_configuration') is not null) or ((attributes_std -> 'vsts_configuration') is not null) then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'github_configuration') is not null) or ((attributes_std -> 'vsts_configuration') is not null) then ' uses git repository'\n else ' not use git repository'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_data_factory';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/datafactory.pp","startLineNumber":45,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.data_factory_uses_git_repository","org":"turbot","name":"data_factory_uses_git_repository","mod":"Terraform Azure Compliance","title":"Data factories should use GitHub repository","description":"Ensure that Data Factory utilizes a Git repository as its source control mechanism. This control is non-compliant if Data Factory Git repository is not configured.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/DataFactory"}}],"controlTitle":"Data factories should use GitHub repository","controlDescription":"Ensure that Data Factory utilizes a Git repository as its source control mechanism. This control is non-compliant if Data Factory Git repository is not configured.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/DataFactory"}},"data_factory_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/data_factory_encrypted_with_cmk","org":"turbot","name":"data_factory_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'customer_managed_key_id') is null then 'alarm'\n when (attributes_std -> 'customer_managed_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'customer_managed_key_id') is null then ' ''customer_managed_key_id'' not defined'\n when (attributes_std ->> 'customer_managed_key_id' ) is not null then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_data_factory';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/datafactory.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.data_factory_encrypted_with_cmk","org":"turbot","name":"data_factory_encrypted_with_cmk","mod":"Terraform Azure Compliance","title":"Azure data factories should be encrypted with a customer-managed key","description":"Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/DataFactory"}}],"controlTitle":"Azure data factories should be encrypted with a customer-managed key","controlDescription":"Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/DataFactory"}}},"cosmos_db":{"cosmodb_account_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cosmodb_account_restrict_public_access","org":"turbot","name":"cosmodb_account_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then 'ok'\n when (attributes_std ->> 'public_network_access_enabled')::boolean and (attributes_std ->> 'is_virtual_network_filter_enabled')::boolean and ((attributes_std ->> 'virtual_network_rule') is not null or (attributes_std ->> 'ip_range_filter') is not null) then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then 'ok'\n when (attributes_std ->> 'public_network_access_enabled')::boolean and (attributes_std ->> 'is_virtual_network_filter_enabled')::boolean and ((attributes_std ->> 'virtual_network_rule') is not null or (attributes_std ->> 'ip_range_filter') is not null) then ' with restricted access'\n else ' without restricted access'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cosmosdb_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cosmosdb.pp","startLineNumber":139,"endLineNumber":160,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cosmodb_account_restrict_public_access","org":"turbot","name":"cosmodb_account_restrict_public_access","mod":"Terraform Azure Compliance","title":"Cosmos DB accounts should have restricted access","description":"Ensure that Azure Cosmos DB accounts have restricted access.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/CosmosDB"}}],"controlTitle":"Cosmos DB accounts should have restricted access","controlDescription":"Ensure that Azure Cosmos DB accounts have restricted access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/CosmosDB"}},"cosmodb_account_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cosmodb_account_public_network_access_disabled","org":"turbot","name":"cosmodb_account_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') is null then 'alarm'\n when (attributes_std ->> 'public_network_access_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') is null then ' public network access enabled'\n when (attributes_std ->> 'public_network_access_enabled')::boolean then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cosmosdb_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cosmosdb.pp","startLineNumber":93,"endLineNumber":114,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cosmodb_account_public_network_access_disabled","org":"turbot","name":"cosmodb_account_public_network_access_disabled","mod":"Terraform Azure Compliance","title":"Cosmos DB accounts should have public network access disabled","description":"Disable public network access on your Azure Cosmos DB accounts to prevent the account from being accessed from the public internet. This prevents the account from being accessed from the public internet.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/CosmosDB"}}],"controlTitle":"Cosmos DB accounts should have public network access disabled","controlDescription":"Disable public network access on your Azure Cosmos DB accounts to prevent the account from being accessed from the public internet. This prevents the account from being accessed from the public internet.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/CosmosDB"}},"cosmosdb_account_encryption_at_rest_using_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cosmosdb_account_encryption_at_rest_using_cmk","org":"turbot","name":"cosmosdb_account_encryption_at_rest_using_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'key_vault_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'key_vault_key_id') is not null then ' encrypted at rest using CMK'\n else ' not encrypted at rest using CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cosmosdb_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cosmosdb.pp","startLineNumber":49,"endLineNumber":68,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cosmosdb_account_encryption_at_rest_using_cmk","org":"turbot","name":"cosmosdb_account_encryption_at_rest_using_cmk","mod":"Terraform Azure Compliance","title":"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest","description":"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/CosmosDB"}}],"controlTitle":"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest","controlDescription":"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/CosmosDB"}},"cosmodb_account_access_key_metadata_writes_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cosmodb_account_access_key_metadata_writes_disabled","org":"turbot","name":"cosmodb_account_access_key_metadata_writes_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'access_key_metadata_writes_enabled') is null then 'alarm'\n when (attributes_std ->> 'access_key_metadata_writes_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'access_key_metadata_writes_enabled') is null then ' access key metadata writes enabled'\n when (attributes_std ->> 'access_key_metadata_writes_enabled')::boolean then ' access key metadata writes enabled'\n else ' access key metadata writes disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cosmosdb_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cosmosdb.pp","startLineNumber":70,"endLineNumber":91,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cosmodb_account_access_key_metadata_writes_disabled","org":"turbot","name":"cosmodb_account_access_key_metadata_writes_disabled","mod":"Terraform Azure Compliance","title":"Cosmos DB accounts should have access key metadata writes disabled","description":"Disable access key metadata writes on your Azure Cosmos DB accounts to prevent the access key from being overwritten. This prevents the access key from being overwritten by a user or application.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/CosmosDB"}}],"controlTitle":"Cosmos DB accounts should have access key metadata writes disabled","controlDescription":"Disable access key metadata writes on your Azure Cosmos DB accounts to prevent the access key from being overwritten. This prevents the access key from being overwritten by a user or application.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/CosmosDB"}},"cosmodb_account_local_authentication_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cosmodb_account_local_authentication_disabled","org":"turbot","name":"cosmodb_account_local_authentication_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kind') is not null and (attributes_std ->> 'kind') <> 'GlobalDocumentDB' then 'skip'\n when (attributes_std ->> 'local_authentication_disabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kind') is not null and (attributes_std ->> 'kind') <> 'GlobalDocumentDB' then ' not GlobalDocumentDB'\n when (attributes_std ->> 'local_authentication_disabled')::boolean then ' local authentication disabled'\n else ' local authentication enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cosmosdb_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cosmosdb.pp","startLineNumber":116,"endLineNumber":137,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cosmodb_account_local_authentication_disabled","org":"turbot","name":"cosmodb_account_local_authentication_disabled","mod":"Terraform Azure Compliance","title":"Cosmos DB accounts should have local authentication disabled","description":"Ensure that local authentication is disabled on CosmosDB accounts.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/CosmosDB"}}],"controlTitle":"Cosmos DB accounts should have local authentication disabled","controlDescription":"Ensure that local authentication is disabled on CosmosDB accounts.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/CosmosDB"}},"cosmosdb_use_virtual_service_endpoint":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cosmosdb_use_virtual_service_endpoint","org":"turbot","name":"cosmosdb_use_virtual_service_endpoint","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'virtual_network_rule') is null then 'alarm'\n when (attributes_std -> 'virtual_network_rule' ->> 'id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'virtual_network_rule') is null then ' ''virtual_network_rule'' not defined'\n when (attributes_std -> 'virtual_network_rule' ->> 'id') is not null then ' configured with virtual network service endpointle'\n else ' not configured with virtual network service endpoint'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cosmosdb_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cosmosdb.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cosmosdb_use_virtual_service_endpoint","org":"turbot","name":"cosmosdb_use_virtual_service_endpoint","mod":"Terraform Azure Compliance","title":"Cosmos DB should use a virtual network service endpoint","description":"This policy audits any Cosmos DB not configured to use a virtual network service endpoint.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/CosmosDB"}}],"controlTitle":"Cosmos DB should use a virtual network service endpoint","controlDescription":"This policy audits any Cosmos DB not configured to use a virtual network service endpoint.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/CosmosDB"}},"cosmosdb_account_with_firewall_rules":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cosmosdb_account_with_firewall_rules","org":"turbot","name":"cosmosdb_account_with_firewall_rules","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled')::boolean\n and (attributes_std ->> 'is_virtual_network_filter_enabled' )::boolean = 'false'\n and (attributes_std ->> 'ip_range_filter') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled')::boolean\n and (attributes_std ->> 'is_virtual_network_filter_enabled' )::boolean = 'false'\n and (attributes_std ->> 'ip_range_filter') is null then ' not have firewall rules'\n else ' have firewall rules'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cosmosdb_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cosmosdb.pp","startLineNumber":24,"endLineNumber":47,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cosmosdb_account_with_firewall_rules","org":"turbot","name":"cosmosdb_account_with_firewall_rules","mod":"Terraform Azure Compliance","title":"Azure Cosmos DB accounts should have firewall rules","description":"Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/CosmosDB"}}],"controlTitle":"Azure Cosmos DB accounts should have firewall rules","controlDescription":"Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/CosmosDB"}}},"container_registry":{"container_registry_image_scan_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_image_scan_enabled","org":"turbot","name":"container_registry_image_scan_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku') in ('Standard', 'Premium') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku') in ('Standard', 'Premium') then ' image scan enabled'\n else ' image scan disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":145,"endLineNumber":164,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_registry_image_scan_enabled","org":"turbot","name":"container_registry_image_scan_enabled","mod":"Terraform Azure Compliance","title":"Container registries image scan should be enabled","description":"This control checks whether image scan is enabled. This control is non-compliant if image scan is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries image scan should be enabled","controlDescription":"This control checks whether image scan is enabled. This control is non-compliant if image scan is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerRegistry"}},"container_registry_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_restrict_public_access","org":"turbot","name":"container_registry_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'network_rule_set') is null then 'alarm'\n when (attributes_std -> 'network_rule_set' ->> 'default_action')::text = 'Deny' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'network_rule_set') is null then ' ''network_rule_set'' not defined'\n when (attributes_std -> 'network_rule_set' ->> 'default_action')::text = 'Deny' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":44,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_registry_restrict_public_access","org":"turbot","name":"container_registry_restrict_public_access","mod":"Terraform Azure Compliance","title":"Container registries should not allow unrestricted network access","description":"Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries should not allow unrestricted network access","controlDescription":"Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}},"container_registry_retention_policy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_retention_policy_enabled","org":"turbot","name":"container_registry_retention_policy_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku') = 'Premium' and (attributes_std -> 'retention_policy' ->> 'enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku') = 'Premium' and (attributes_std -> 'retention_policy' ->> 'enabled')::bool then ' retention policy enabled'\n else ' retention policy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":187,"endLineNumber":206,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_registry_retention_policy_enabled","org":"turbot","name":"container_registry_retention_policy_enabled","mod":"Terraform Azure Compliance","title":"Container registries retention policy should be enabled","description":"Ensure container registry retention policy is enabled. This control is non-compliant if retention policy is disabled.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries retention policy should be enabled","controlDescription":"Ensure container registry retention policy is enabled. This control is non-compliant if retention policy is disabled.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}},"container_registry_geo_replication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_geo_replication_enabled","org":"turbot","name":"container_registry_geo_replication_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku') = 'Premium' and (attributes_std ->> 'georeplications') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku') = 'Premium' and (attributes_std ->> 'georeplications') is not null then ' geo-replication enabled'\n else ' geo-replication disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":208,"endLineNumber":227,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_registry_geo_replication_enabled","org":"turbot","name":"container_registry_geo_replication_enabled","mod":"Terraform Azure Compliance","title":"Container registries should be geo-replicated","description":"Ensure that container registries are geo-replicated to align with multi-region container deployments.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries should be geo-replicated","controlDescription":"Ensure that container registries are geo-replicated to align with multi-region container deployments.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}},"container_registry_anonymous_pull_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_anonymous_pull_disabled","org":"turbot","name":"container_registry_anonymous_pull_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku') in ('Standard', 'Premium') and (attributes_std ->> 'anonymous_pull_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku') in ('Standard', 'Premium') and (attributes_std ->> 'anonymous_pull_enabled')::boolean then ' anonymous pull enabled'\n else ' anonymous pull disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":124,"endLineNumber":143,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_registry_anonymous_pull_disabled","org":"turbot","name":"container_registry_anonymous_pull_disabled","mod":"Terraform Azure Compliance","title":"Container registries anonymous pull should be disabled","description":"This control checks whether anonymous pull is disabled. This control is non-compliant if anonymous pull is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries anonymous pull should be disabled","controlDescription":"This control checks whether anonymous pull is disabled. This control is non-compliant if anonymous pull is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerRegistry"}},"container_registry_admin_user_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_admin_user_disabled","org":"turbot","name":"container_registry_admin_user_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'admin_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'admin_enabled')::boolean then ' admin user enabled'\n else ' admin user disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":103,"endLineNumber":122,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_registry_admin_user_disabled","org":"turbot","name":"container_registry_admin_user_disabled","mod":"Terraform Azure Compliance","title":"Container registries admin user should be disabled","description":"Ensure container registry admin user is disabled. This control is non-compliant if admin user is enabled.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries admin user should be disabled","controlDescription":"Ensure container registry admin user is disabled. This control is non-compliant if admin user is enabled.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}},"container_registry_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_encrypted_with_cmk","org":"turbot","name":"container_registry_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption' ) is null then 'alarm'\n when (attributes_std -> 'encryption' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption' ) is null then ' ''encryption'' not defined'\n when (attributes_std -> 'encryption' ->> 'enabled')::boolean then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_registry_encrypted_with_cmk","org":"turbot","name":"container_registry_encrypted_with_cmk","mod":"Terraform Azure Compliance","title":"Container registries should be encrypted with a customer-managed key","description":"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries should be encrypted with a customer-managed key","controlDescription":"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}},"container_registry_zone_redundant_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_zone_redundant_enabled","org":"turbot","name":"container_registry_zone_redundant_enabled","sql":"$9f","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":271,"endLineNumber":306,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_registry_zone_redundant_enabled","org":"turbot","name":"container_registry_zone_redundant_enabled","mod":"Terraform Azure Compliance","title":"Container registries should be zone redundant","description":"This control ensures that Container registry is zone redundant.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries should be zone redundant","controlDescription":"This control ensures that Container registry is zone redundant.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerRegistry"}},"container_registry_quarantine_policy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_quarantine_policy_enabled","org":"turbot","name":"container_registry_quarantine_policy_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku') = 'Premium' and (attributes_std ->> 'quarantine_policy_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku') = 'Premium' and (attributes_std ->> 'quarantine_policy_enabled')::bool then ' quarantine policy enabled'\n else ' quarantine policy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":166,"endLineNumber":185,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_registry_quarantine_policy_enabled","org":"turbot","name":"container_registry_quarantine_policy_enabled","mod":"Terraform Azure Compliance","title":"Container registries quarantine policy should be enabled","description":"Ensure container registry quarantine policy is enabled. This control is non-compliant if quarantine policy is disabled.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries quarantine policy should be enabled","controlDescription":"Ensure container registry quarantine policy is enabled. This control is non-compliant if quarantine policy is disabled.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}},"container_registry_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_azure_defender_enabled","org":"turbot","name":"container_registry_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'AppServices' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'info'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'ContainerRegistry' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for Container Registry'\n else ' Azure Defender off for Container Registry'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":24,"endLineNumber":42,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_registry_azure_defender_enabled","org":"turbot","name":"container_registry_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for container registries should be enabled","description":"Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}}],"controlTitle":"Azure Defender for container registries should be enabled","controlDescription":"Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}},"container_registry_trust_policy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_trust_policy_enabled","org":"turbot","name":"container_registry_trust_policy_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'trust_policy' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'trust_policy' ->> 'enabled')::boolean then ' trust policy enabled'\n else ' trust policy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":250,"endLineNumber":269,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_registry_trust_policy_enabled","org":"turbot","name":"container_registry_trust_policy_enabled","mod":"Terraform Azure Compliance","title":"Container registries trust policy should be enabled","description":"Ensure container registry trust policy is enabled. This control is non-compliant if trust policy is disabled.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries trust policy should be enabled","controlDescription":"Ensure container registry trust policy is enabled. This control is non-compliant if trust policy is disabled.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}},"container_registry_use_virtual_service_endpoint":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_use_virtual_service_endpoint","org":"turbot","name":"container_registry_use_virtual_service_endpoint","sql":"with container_registry as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_container_registry'\n), container_registry_subnet as (\n select\n distinct address\n from\n container_registry as a,\n jsonb_array_elements(attributes_std -> 'network_rule_set' -> 'virtual_network') as rule\n)\nselect\n a.address as resource,\n case\n when (attributes_std -> 'network_rule_set' ->> 'default_action')::text <> 'Deny' then 'alarm'\n when s.address is null then 'alarm'\n else 'ok'\n end as status,\n case\n when (attributes_std -> 'network_rule_set' ->> 'default_action')::text <> 'Deny' then ' not configured with virtual service endpoint'\n when s.address is null then ' not configured with virtual service endpoint'\n else ' configured with virtual service endpoint'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n container_registry as a\n left join container_registry_subnet as s on a.address = s.address;\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":67,"endLineNumber":101,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_registry_use_virtual_service_endpoint","org":"turbot","name":"container_registry_use_virtual_service_endpoint","mod":"Terraform Azure Compliance","title":"Container Registry should use a virtual network service endpoint","description":"This policy audits any Container Registry not configured to use a virtual network service endpoint.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container Registry should use a virtual network service endpoint","controlDescription":"This policy audits any Container Registry not configured to use a virtual network service endpoint.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}},"container_registry_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_public_network_access_disabled","org":"turbot","name":"container_registry_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled')::bool or (attributes_std ->> 'public_network_access_enabled') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled')::bool or (attributes_std ->> 'public_network_access_enabled') is null then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":229,"endLineNumber":248,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_registry_public_network_access_disabled","org":"turbot","name":"container_registry_public_network_access_disabled","mod":"Terraform Azure Compliance","title":"Container registries public network access should be disabled","description":"Ensure that container registries public network access is disabled.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries public network access should be disabled","controlDescription":"Ensure that container registries public network access is disabled.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}}},"databricks":{"databricks_workspace_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/databricks_workspace_restrict_public_access","org":"turbot","name":"databricks_workspace_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_databricks_workspace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/databricks.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.databricks_workspace_restrict_public_access","org":"turbot","name":"databricks_workspace_restrict_public_access","mod":"Terraform Azure Compliance","title":"Databricks should disable restric public network access","description":"Disabling public network access improves security by ensuring that your Databricks is not exposed on the public internet. Creating private endpoints can limit exposure of your Databricks.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Databricks"}}],"controlTitle":"Databricks should disable restric public network access","controlDescription":"Disabling public network access improves security by ensuring that your Databricks is not exposed on the public internet. Creating private endpoints can limit exposure of your Databricks.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Databricks"}}},"data_lake_storage":{"datalake_store_account_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/datalake_store_account_encryption_enabled","org":"turbot","name":"datalake_store_account_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'encryption_state') = 'Enabled' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'encryption_state') = 'Enabled' then ' encryption at rest enabled'\n else ' encryption at rest disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_data_lake_store';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/datalakestorage.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.datalake_store_account_encryption_enabled","org":"turbot","name":"datalake_store_account_encryption_enabled","mod":"Terraform Azure Compliance","title":"Require encryption on Data Lake Store accounts","description":"This policy ensures encryption is enabled on all Data Lake Store accounts.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/DataLakeStorage"}}],"controlTitle":"Require encryption on Data Lake Store accounts","controlDescription":"This policy ensures encryption is enabled on all Data Lake Store accounts.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/DataLakeStorage"}}},"logic":{"logic_app_workflow_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/logic_app_workflow_logging_enabled","org":"turbot","name":"logic_app_workflow_logging_enabled","sql":"select\n address as resource,\n case\n when name in (select split_part((attributes_std ->> 'target_resource_id'), '.', 3) from terraform_resource where type = 'azurerm_monitor_diagnostic_setting' and split_part((attributes_std ->> 'target_resource_id'), '.', 2) = 'azurerm_logic_app_workflow')then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when name in (select split_part((attributes_std ->> 'target_resource_id'), '.', 3) from terraform_resource where type = 'azurerm_monitor_diagnostic_setting' and split_part((attributes_std ->> 'target_resource_id'), '.', 2) = 'azurerm_logic_app_workflow')then ' logging enabled'\n else ' logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_logic_app_workflow';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/logicapp.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.logic_app_workflow_logging_enabled","org":"turbot","name":"logic_app_workflow_logging_enabled","mod":"Terraform Azure Compliance","title":"Resource logs in Logic Apps should be enabled","description":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Logic"}}],"controlTitle":"Resource logs in Logic Apps should be enabled","controlDescription":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Logic"}}},"cognitive_services":{"cognitive_account_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cognitive_account_restrict_public_access","org":"turbot","name":"cognitive_account_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'network_acls') is null then 'alarm'\n when (attributes_std -> 'network_acls' ->> 'default_action') <> 'Deny' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'network_acls') is null then ' ''network_acls'' not defin'\n when (attributes_std -> 'network_acls' ->> 'default_action') <> 'Deny' then ' publicly accessible.'\n else ' publicly not accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cognitive_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitiveservices.pp","startLineNumber":78,"endLineNumber":99,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cognitive_account_restrict_public_access","org":"turbot","name":"cognitive_account_restrict_public_access","mod":"Terraform Azure Compliance","title":"Cognitive Services accounts should restrict network access","description":"Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/CognitiveServices"}}],"controlTitle":"Cognitive Services accounts should restrict network access","controlDescription":"Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/CognitiveServices"}},"cognitive_service_local_auth_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cognitive_service_local_auth_disabled","org":"turbot","name":"cognitive_service_local_auth_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'local_auth_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'local_auth_enabled')::boolean then ' account local authentication enabled'\n else ' account local authentication disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cognitive_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitiveservices.pp","startLineNumber":57,"endLineNumber":76,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cognitive_service_local_auth_disabled","org":"turbot","name":"cognitive_service_local_auth_disabled","mod":"Terraform Azure Compliance","title":"Cognitive Services accounts should have local authentication methods disabled","description":"Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/CognitiveServices"}}],"controlTitle":"Cognitive Services accounts should have local authentication methods disabled","controlDescription":"Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/CognitiveServices"}},"cognitive_account_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cognitive_account_encrypted_with_cmk","org":"turbot","name":"cognitive_account_encrypted_with_cmk","sql":"with all_cognitive_account as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_cognitive_account'\n), cognitive_account_cmk as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_cognitive_account_customer_managed_key'\n)\nselect\n c.address as resource,\n case\n when (b.attributes_std ->> 'cognitive_account_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(c.address, '.', 2) || case\n when (b.attributes_std ->> 'cognitive_account_id') is not null then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , c.path || ':' || c.start_line\nfrom\n all_cognitive_account as c\n left join cognitive_account_cmk as b on c.name = (split_part((b.attributes_std ->> 'cognitive_account_id'), '.', 2))\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitiveservices.pp","startLineNumber":22,"endLineNumber":55,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cognitive_account_encrypted_with_cmk","org":"turbot","name":"cognitive_account_encrypted_with_cmk","mod":"Terraform Azure Compliance","title":"Cognitive Services accounts should enable data encryption with a customer-managed key","description":"Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/CognitiveServices"}}],"controlTitle":"Cognitive Services accounts should enable data encryption with a customer-managed key","controlDescription":"Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/CognitiveServices"}},"cognitive_account_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cognitive_account_public_network_access_disabled","org":"turbot","name":"cognitive_account_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled')::boolean then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cognitive_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitiveservices.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cognitive_account_public_network_access_disabled","org":"turbot","name":"cognitive_account_public_network_access_disabled","mod":"Terraform Azure Compliance","title":"Cognitive Services accounts should disable public network access","description":"Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/CognitiveServices"}}],"controlTitle":"Cognitive Services accounts should disable public network access","controlDescription":"Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/CognitiveServices"}}},"app_service":{"appservice_web_app_use_https":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_use_https","org":"turbot","name":"appservice_web_app_use_https","sql":"select\n address as resource,\n case\n when (attributes_std -> 'https_only')::boolean then 'ok'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'https_only')::boolean then ' redirects all HTTP traffic to HTTPS'\n else ' does not redirect all HTTP traffic to HTTPS'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":550,"endLineNumber":569,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_use_https","org":"turbot","name":"appservice_web_app_use_https","mod":"Terraform Azure Compliance","title":"Web Application should only be accessible over HTTPS","description":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web Application should only be accessible over HTTPS","controlDescription":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_slot_use_https":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_slot_use_https","org":"turbot","name":"appservice_web_app_slot_use_https","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'https_only') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'https_only') ='true' then ' accessible over HTTPS'\n else ' not accessible over HTTPS'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service_slot';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":871,"endLineNumber":890,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_slot_use_https","org":"turbot","name":"appservice_web_app_slot_use_https","mod":"Terraform Azure Compliance","title":"Web app slots should only be accessible over HTTPS","description":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web app slots should only be accessible over HTTPS","controlDescription":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_latest_dotnet_framework_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_latest_dotnet_framework_version","org":"turbot","name":"appservice_web_app_latest_dotnet_framework_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config' ->> 'dotnet_framework_version') is null then 'skip'\n when (attributes_std -> 'site_config' ->> 'dotnet_framework_version') = 'v6.0' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config' ->> 'dotnet_framework_version') is null then ' not using dotnet framework'\n when (attributes_std -> 'site_config' ->> 'dotnet_framework_version') = 'v6.0' then ' using latest dotnet framework version'\n else ' not using latest dotnet framework version'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":723,"endLineNumber":744,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_latest_dotnet_framework_version","org":"turbot","name":"appservice_web_app_latest_dotnet_framework_version","mod":"Terraform Azure Compliance","title":"Web apps should use the latest 'Net Framework' version","description":"Periodically, newer versions are released for Net Framework software either due to security flaws or to include additional functionality. Using the latest Net Framework for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web apps should use the latest 'Net Framework' version","controlDescription":"Periodically, newer versions are released for Net Framework software either due to security flaws or to include additional functionality. Using the latest Net Framework for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_plan_minimum_sku":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_plan_minimum_sku","org":"turbot","name":"appservice_plan_minimum_sku","sql":"select\n address as resource,\n case\n when (attributes_std ->>'sku_name') in ('F1', 'D1', 'B1', 'B2', 'B3') then 'alarm'\n else 'ok'\n end status,\n name || ' is of ' || (attributes_std ->>'sku_name') || ' SKU family.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_service_plan';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":832,"endLineNumber":848,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_plan_minimum_sku","org":"turbot","name":"appservice_plan_minimum_sku","mod":"Terraform Azure Compliance","title":"App Service plans should not use free, shared or basic SKU","description":"The Free, Shared, and Basic plans are suitable for constrained testing and development purposes. This control is considered non-compliant when free, shared, or basic SKUs are utilized.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"App Service plans should not use free, shared or basic SKU","controlDescription":"The Free, Shared, and Basic plans are suitable for constrained testing and development purposes. This control is considered non-compliant when free, shared, or basic SKUs are utilized.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_uses_azure_file":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_uses_azure_file","org":"turbot","name":"appservice_web_app_uses_azure_file","sql":"select\n address as resource,\n case\n when (attributes_std -> 'storage_account' ->> 'type') = 'AzureFiles' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'storage_account' ->> 'type') = 'AzureFiles' then ' uses Azure files'\n else ' not uses Azure files'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":913,"endLineNumber":932,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_uses_azure_file","org":"turbot","name":"appservice_web_app_uses_azure_file","mod":"Terraform Azure Compliance","title":"Web apps should use Azure files","description":"Ensure that the application services are configured to utilize Azure Files.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web apps should use Azure files","controlDescription":"Ensure that the application services are configured to utilize Azure Files.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_latest_java_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_latest_java_version","org":"turbot","name":"appservice_web_app_latest_java_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'JAVA%' then 'ok'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text = 'PYTHON|3.9' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'JAVA%' then' not using JAVA version'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text like '%11' then ' using the latest JAVA version'\n else ' not using latest JAVA version'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":656,"endLineNumber":679,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_latest_java_version","org":"turbot","name":"appservice_web_app_latest_java_version","mod":"Terraform Azure Compliance","title":"Ensure that 'Java version' is the latest, if used as a part of the Web app","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Ensure that 'Java version' is the latest, if used as a part of the Web app","controlDescription":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_cors_no_star":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_cors_no_star","org":"turbot","name":"appservice_web_app_cors_no_star","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' -> 'cors' -> 'allowed_origins') @> '[\"*\"]' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' -> 'cors' -> 'allowed_origins') @> '[\"*\"]' then ' CORS allow all domains to access the application'\n else ' CORS does not all domains to access the application'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":255,"endLineNumber":276,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_cors_no_star","org":"turbot","name":"appservice_web_app_cors_no_star","mod":"Terraform Azure Compliance","title":"CORS should not allow every resource to access your Web Applications","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"CORS should not allow every resource to access your Web Applications","controlDescription":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_latest_python_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_latest_python_version","org":"turbot","name":"appservice_web_app_latest_python_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'PYTHON%' then 'ok'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text = 'PYTHON|3.9' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'PYTHON%' then' not using python version'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text = 'PYTHON|3.9' then ' using the latest python version'\n else ' not using latest python version'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":594,"endLineNumber":617,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_latest_python_version","org":"turbot","name":"appservice_web_app_latest_python_version","mod":"Terraform Azure Compliance","title":"Ensure that 'Python version' is the latest, if used as a part of the Web app","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Ensure that 'Python version' is the latest, if used as a part of the Web app","controlDescription":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_health_check_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_health_check_enabled","org":"turbot","name":"appservice_web_app_health_check_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config' -> 'health_check_path') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config' -> 'health_check_path') is not null then ' health check enabled'\n else ' health check disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":811,"endLineNumber":830,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_health_check_enabled","org":"turbot","name":"appservice_web_app_health_check_enabled","mod":"Terraform Azure Compliance","title":"Web apps should have health check enabled","description":"Health check increases your application's availability by rerouting requests away from unhealthy instances and replacing instances if they remain unhealthy.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web apps should have health check enabled","controlDescription":"Health check increases your application's availability by rerouting requests away from unhealthy instances and replacing instances if they remain unhealthy.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_worker_more_than_one":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_worker_more_than_one","org":"turbot","name":"appservice_web_app_worker_more_than_one","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'worker_count')::int >= 2 then 'ok'\n when (attributes_std ->> 'worker_count')::int < 2 then 'alarm'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'worker_count')::int >= 2 then ' has ' || (attributes_std ->> 'worker_count') || ' number of workers'\n when (attributes_std ->> 'worker_count')::int < 2 then ' has ' || (attributes_std ->> 'worker_count') || ' number of workers'\n else ' worker count is not set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_service_plan';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":788,"endLineNumber":809,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_worker_more_than_one","org":"turbot","name":"appservice_web_app_worker_more_than_one","mod":"Terraform Azure Compliance","title":"Web apps should have more than one worker","description":"It is recommended to have more than one worker for failover. This control is non-compliant if Web apps have one or less than one worker.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web apps should have more than one worker","controlDescription":"It is recommended to have more than one worker for failover. This control is non-compliant if Web apps have one or less than one worker.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_function_app_only_https_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_only_https_accessible","org":"turbot","name":"appservice_function_app_only_https_accessible","sql":"select\n address as resource,\n case\n when (attributes_std -> 'https_only')::boolean then 'ok'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'https_only')::boolean then ' https-only accessible enabled'\n else ' https-only accessible disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":180,"endLineNumber":199,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_function_app_only_https_accessible","org":"turbot","name":"appservice_function_app_only_https_accessible","mod":"Terraform Azure Compliance","title":"Function App should only be accessible over HTTPS","description":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Function App should only be accessible over HTTPS","controlDescription":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_diagnostic_logs_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_diagnostic_logs_enabled","org":"turbot","name":"appservice_web_app_diagnostic_logs_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logs') is null then 'alarm'\n when\n (attributes_std -> 'logs' ->> 'detailed_error_messages_enabled')::boolean\n and (attributes_std -> 'logs' ->> 'failed_request_tracing_enabled')::boolean\n and (attributes_std -> 'logs' -> 'http_logs') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logs') is null then ' ''logs'' not defined'\n when\n (attributes_std -> 'logs' ->> 'detailed_error_messages_enabled')::boolean\n and (attributes_std -> 'logs' ->> 'failed_request_tracing_enabled')::boolean\n and (attributes_std -> 'logs' -> 'http_logs' -> 'file_system') is not null then ' diagnostic logs enabled'\n else ' diagnostic logs disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":201,"endLineNumber":228,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_diagnostic_logs_enabled","org":"turbot","name":"appservice_web_app_diagnostic_logs_enabled","mod":"Terraform Azure Compliance","title":"Diagnostic logs in App Services should be enabled","description":"Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Diagnostic logs in App Services should be enabled","controlDescription":"Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_incoming_client_cert_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_incoming_client_cert_on","org":"turbot","name":"appservice_web_app_incoming_client_cert_on","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'client_cert_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'client_cert_enabled')::boolean then ' incoming client certificates set to on'\n else ' incoming client certificates set to off'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_incoming_client_cert_on","org":"turbot","name":"appservice_web_app_incoming_client_cert_on","mod":"Terraform Azure Compliance","title":"Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'","controlDescription":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_function_app_builtin_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_builtin_logging_enabled","org":"turbot","name":"appservice_function_app_builtin_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'enable_builtin_logging') = 'false' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'enable_builtin_logging') = 'false' then ' builtin logging disabled'\n else ' builtin logging enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_function_app', 'azurerm_function_app_slot');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":934,"endLineNumber":953,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_function_app_builtin_logging_enabled","org":"turbot","name":"appservice_function_app_builtin_logging_enabled","mod":"Terraform Azure Compliance","title":"Function Apps builtin logging should be enabled","description":"Ensure that builtin logging is enabled for Function Apps.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Function Apps builtin logging should be enabled","controlDescription":"Ensure that builtin logging is enabled for Function Apps.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}},"appservice_function_app_public_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_public_access_disabled","org":"turbot","name":"appservice_function_app_public_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'public_network_access_enabled') is null or (attributes_std ->> 'public_network_access_enabled')::bool then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'public_network_access_enabled') is null or (attributes_std ->> 'public_network_access_enabled')::bool then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_linux_function_app', 'azurerm_linux_function_app_slot', 'azurerm_windows_function_app', 'azurerm_windows_function_app_slot');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":1022,"endLineNumber":1041,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_function_app_public_access_disabled","org":"turbot","name":"appservice_function_app_public_access_disabled","mod":"Terraform Azure Compliance","title":"Function apps should restrict public network access","description":"This control checks whether Function apps are not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Function apps should restrict public network access","controlDescription":"This control checks whether Function apps are not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}},"appservice_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_azure_defender_enabled","org":"turbot","name":"appservice_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'AppServices' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'info'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'AppServices' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for AppServices'\n else ' Azure Defender off for AppServices'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":110,"endLineNumber":128,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_azure_defender_enabled","org":"turbot","name":"appservice_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for App Service should be enabled","description":"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Azure Defender for App Service should be enabled","controlDescription":"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_slot_remote_debugging_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_slot_remote_debugging_disabled","org":"turbot","name":"appservice_web_app_slot_remote_debugging_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config' ->> 'remote_debugging_enabled') = 'true' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config' ->> 'remote_debugging_enabled') = 'true' then ' remote debugging enabled'\n else ' remote debugging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service_slot';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":850,"endLineNumber":869,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_slot_remote_debugging_disabled","org":"turbot","name":"appservice_web_app_slot_remote_debugging_disabled","mod":"Terraform Azure Compliance","title":"Web app slots remote debugging should be disabled","description":"Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web app slots remote debugging should be disabled","controlDescription":"Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_ftps_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_ftps_enabled","org":"turbot","name":"appservice_web_app_ftps_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'ftps_state')::text = 'FtpsOnly' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' ->> 'ftps_state')::text = 'FtpsOnly' then ' FTPS enabled'\n else ' FTPS disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":571,"endLineNumber":592,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_ftps_enabled","org":"turbot","name":"appservice_web_app_ftps_enabled","mod":"Terraform Azure Compliance","title":"FTPS should be required in your Web App","description":"Enable FTPS enforcement for enhanced security. For enhanced security, you should allow FTP over TLS/SSL only. You can also disable both FTP and FTPS if you don't use FTP deployment","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"FTPS should be required in your Web App","controlDescription":"Enable FTPS enforcement for enhanced security. For enhanced security, you should allow FTP over TLS/SSL only. You can also disable both FTP and FTPS if you don't use FTP deployment","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_function_app_latest_java_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_latest_java_version","org":"turbot","name":"appservice_function_app_latest_java_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'JAVA%' then 'ok'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text = 'PYTHON|3.9' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'JAVA%' then' not using JAVA version'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text like '%11' then ' using the latest JAVA version'\n else ' not using latest JAVA version'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":368,"endLineNumber":391,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_function_app_latest_java_version","org":"turbot","name":"appservice_function_app_latest_java_version","mod":"Terraform Azure Compliance","title":"Ensure that 'Java version' is the latest, if used as a part of the Function app","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Ensure that 'Java version' is the latest, if used as a part of the Function app","controlDescription":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_detailed_error_messages_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_detailed_error_messages_enabled","org":"turbot","name":"appservice_web_app_detailed_error_messages_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'logs' ->> 'detailed_error_messages_enabled') = 'true') or ((attributes_std -> 'logs' ->> 'detailed_error_messages') = 'true') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'logs' ->> 'detailed_error_messages_enabled') = 'true') or ((attributes_std -> 'logs' ->> 'detailed_error_messages') = 'true') then ' detailed error messages enabled'\n else ' detailed error messages disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":702,"endLineNumber":721,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_detailed_error_messages_enabled","org":"turbot","name":"appservice_web_app_detailed_error_messages_enabled","mod":"Terraform Azure Compliance","title":"Web apps detailed error messages should be enabled","description":"This control ensures that a web app detailed error message is enabled.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web apps detailed error messages should be enabled","controlDescription":"This control ensures that a web app detailed error message is enabled.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_slot_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_slot_latest_tls_version","org":"turbot","name":"appservice_web_app_slot_latest_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config' ->> 'min_tls_version')::float < 1.2 then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config' ->> 'min_tls_version')::float < 1.2 then ' not using the latest version of TLS encryption'\n else ' using the latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service_slot';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":892,"endLineNumber":911,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_slot_latest_tls_version","org":"turbot","name":"appservice_web_app_slot_latest_tls_version","mod":"Terraform Azure Compliance","title":"Web app slots should use the latest TLS version","description":"Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web app slots should use the latest TLS version","controlDescription":"Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_use_virtual_service_endpoint":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_use_virtual_service_endpoint","org":"turbot","name":"appservice_web_app_use_virtual_service_endpoint","sql":"with app_service as (\n select\n '${azurerm_app_service.' || name || '.id}' as id,\n *\n from\n terraform_resource\n where\n type = 'azurerm_app_service'\n), app_service_vnet as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_app_service_slot_virtual_network_swift_connection'\n and (attributes_std ->> 'subnet_id') is not null\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'app_service_id') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'app_service_id') is null then ' not configured with virtual network service endpoint'\n else ' configured with virtual network service endpoint'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n app_service as a\n left join app_service_vnet as s on a.id = (s.attributes_std ->> 'app_service_id');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":619,"endLineNumber":654,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_use_virtual_service_endpoint","org":"turbot","name":"appservice_web_app_use_virtual_service_endpoint","mod":"Terraform Azure Compliance","title":"App Service should use a virtual network service endpoint","description":"This policy audits any App Service not configured to use a virtual network service endpoint.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"App Service should use a virtual network service endpoint","controlDescription":"This policy audits any App Service not configured to use a virtual network service endpoint.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_plan_zone_redundant":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_plan_zone_redundant","org":"turbot","name":"appservice_plan_zone_redundant","sql":"select\n address as resource,\n case\n when (attributes_std -> 'zone_balancing_enabled') is null then 'alarm'\n when (attributes_std ->> 'zone_balancing_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'zone_balancing_enabled') is null then ' ''zone_balancing_enabled'' is not set'\n when (attributes_std ->> 'zone_balancing_enabled')::bool then ' zone redundant'\n else ' not zone redundant'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_service_plan';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":955,"endLineNumber":976,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_plan_zone_redundant","org":"turbot","name":"appservice_plan_zone_redundant","mod":"Terraform Azure Compliance","title":"App Service plans should be zone redundant","description":"This control ensures that App Service plans are zone redundant.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"App Service plans should be zone redundant","controlDescription":"This control ensures that App Service plans are zone redundant.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_register_with_active_directory_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_register_with_active_directory_enabled","org":"turbot","name":"appservice_web_app_register_with_active_directory_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity') is null then 'alarm'\n when (attributes_std -> 'identity' ->> 'type')::text = 'SystemAssigned' then 'ok'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity') is null then ' ''identity'' not defined'\n when (attributes_std -> 'identity' ->> 'type')::text = 'SystemAssigned' then ' register with azure active directory enabled'\n else ' register with azure active directory disabled.'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":130,"endLineNumber":151,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_register_with_active_directory_enabled","org":"turbot","name":"appservice_web_app_register_with_active_directory_enabled","mod":"Terraform Azure Compliance","title":"Ensure that Register with Azure Active Directory is enabled on App Service","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.5","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Ensure that Register with Azure Active Directory is enabled on App Service","controlDescription":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.5","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_always_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_always_on","org":"turbot","name":"appservice_web_app_always_on","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config' ->> 'always_on') = 'false' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config' ->> 'always_on') = 'false' then ' alwaysOn disabled'\n else ' alwaysOn enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_linux_web_app', 'azurerm_windows_web_app');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":681,"endLineNumber":700,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_always_on","org":"turbot","name":"appservice_web_app_always_on","mod":"Terraform Azure Compliance","title":"Web apps should be configured to always be on","description":"This control ensures that a web app is configured with settings to keep it consistently active. Always On feature of Azure App Service, keeps the host process running. This allows your site to be more responsive to requests after significant idle periods.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web apps should be configured to always be on","controlDescription":"This control ensures that a web app is configured with settings to keep it consistently active. Always On feature of Azure App Service, keeps the host process running. This allows your site to be more responsive to requests after significant idle periods.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_authentication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_authentication_enabled","org":"turbot","name":"appservice_authentication_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'auth_settings') is null then 'alarm'\n when (attributes_std -> 'auth_settings' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'auth_settings') is null then ' ''auth_settings'' not defined'\n when (attributes_std -> 'auth_settings' ->> 'enabled')::boolean then ' authentication set'\n else ' authentication not set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":43,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_authentication_enabled","org":"turbot","name":"appservice_authentication_enabled","mod":"Terraform Azure Compliance","title":"Ensure App Service Authentication is set on Azure App Service","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.1","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Ensure App Service Authentication is set on Azure App Service","controlDescription":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.1","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_latest_tls_version","org":"turbot","name":"appservice_web_app_latest_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'min_tls_version')::float < 1.2 then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''min_tls_version'' not defined'\n when (attributes_std -> 'site_config' ->> 'min_tls_version')::float < 1.2 then ' not using the latest version of TLS encryption'\n else ' using the latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":414,"endLineNumber":435,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_latest_tls_version","org":"turbot","name":"appservice_web_app_latest_tls_version","mod":"Terraform Azure Compliance","title":"Latest TLS version should be used in your Web App","description":"App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Latest TLS version should be used in your Web App","controlDescription":"App service currently allows the web app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for web app secure connections.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_function_app_latest_http_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_latest_http_version","org":"turbot","name":"appservice_function_app_latest_http_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'http2_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' HTTP version not defined'\n when (attributes_std -> 'site_config' ->> 'http2_enabled')::boolean then ' HTTP version is latest'\n else ' HTTP version not latest'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":437,"endLineNumber":458,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_function_app_latest_http_version","org":"turbot","name":"appservice_function_app_latest_http_version","mod":"Terraform Azure Compliance","title":"Ensure that 'HTTP Version' is the latest, if used to run the Function app","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Ensure that 'HTTP Version' is the latest, if used to run the Function app","controlDescription":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_client_certificates_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_client_certificates_on","org":"turbot","name":"appservice_web_app_client_certificates_on","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'client_cert_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'client_cert_enabled')::boolean then ' client certificate enabled'\n else ' client certificate disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":66,"endLineNumber":85,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_client_certificates_on","org":"turbot","name":"appservice_web_app_client_certificates_on","mod":"Terraform Azure Compliance","title":"Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'","controlDescription":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_function_app_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_latest_tls_version","org":"turbot","name":"appservice_function_app_latest_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'min_tls_version')::float < 1.2 then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''min_tls_version'' not defined'\n when (attributes_std -> 'site_config' ->> 'min_tls_version')::float < 1.2 then ' not using the latest version of TLS encryption'\n else ' using the latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":87,"endLineNumber":108,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_function_app_latest_tls_version","org":"turbot","name":"appservice_function_app_latest_tls_version","mod":"Terraform Azure Compliance","title":"Latest TLS version should be used in your Function App","description":"App service currently allows the function app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for function app secure connections.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Latest TLS version should be used in your Function App","controlDescription":"App service currently allows the function app to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for function app secure connections.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_function_app_cors_no_star":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_cors_no_star","org":"turbot","name":"appservice_function_app_cors_no_star","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' -> 'cors' -> 'allowed_origins') @> '[\"*\"]' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' -> 'cors' -> 'allowed_origins') @> '[\"*\"]' then ' CORS allow all domains to access the application'\n else ' CORS does not all domains to access the application'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":502,"endLineNumber":523,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_function_app_cors_no_star","org":"turbot","name":"appservice_function_app_cors_no_star","mod":"Terraform Azure Compliance","title":"CORS should not allow every resource to access your Function Apps","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"CORS should not allow every resource to access your Function Apps","controlDescription":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_latest_http_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_latest_http_version","org":"turbot","name":"appservice_web_app_latest_http_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'http2_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' HTTP version not defined'\n when (attributes_std -> 'site_config' ->> 'http2_enabled')::boolean then ' HTTP version is latest'\n else ' HTTP version not latest'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":301,"endLineNumber":322,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_latest_http_version","org":"turbot","name":"appservice_web_app_latest_http_version","mod":"Terraform Azure Compliance","title":"Ensure that 'HTTP Version' is the latest, if used to run the Web app","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Ensure that 'HTTP Version' is the latest, if used to run the Web app","controlDescription":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_environment_zone_redundant_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_environment_zone_redundant_enabled","org":"turbot","name":"appservice_environment_zone_redundant_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'zone_redundant') is null then 'alarm'\n when (attributes_std ->> 'zone_redundant')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'zone_redundant') is null then ' ''zone_redundant'' is not set'\n when (attributes_std ->> 'zone_redundant')::bool then ' zone redundant'\n else ' not zone redundant'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service_environment_v3';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":999,"endLineNumber":1020,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_environment_zone_redundant_enabled","org":"turbot","name":"appservice_environment_zone_redundant_enabled","mod":"Terraform Azure Compliance","title":"App Service environment should be zone redundant","description":"This control ensures that App Service environment is zone redundant.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"App Service environment should be zone redundant","controlDescription":"This control ensures that App Service environment is zone redundant.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}},"appservice_function_app_latest_python_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_latest_python_version","org":"turbot","name":"appservice_function_app_latest_python_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'PYTHON%' then 'ok'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text = 'PYTHON|3.9' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'PYTHON%' then' not using python version'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text = 'PYTHON|3.9' then ' using the latest python version'\n else ' not using latest python version'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":525,"endLineNumber":548,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_function_app_latest_python_version","org":"turbot","name":"appservice_function_app_latest_python_version","mod":"Terraform Azure Compliance","title":"Ensure that 'Python version' is the latest, if used as a part of the Function app","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Ensure that 'Python version' is the latest, if used as a part of the Function app","controlDescription":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_uses_managed_identity","org":"turbot","name":"appservice_web_app_uses_managed_identity","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity') is null then ' ''identity'' is not defined'\n else ' uses ' || (attributes_std -> 'identity' ->> 'type') || ' identity'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":460,"endLineNumber":479,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_uses_managed_identity","org":"turbot","name":"appservice_web_app_uses_managed_identity","mod":"Terraform Azure Compliance","title":"Managed identity should be used in your Web App","description":"Use a managed identity for enhanced authentication security.A managed identity from Azure Active Directory (Azure AD) allows your app to easily access other Azure AD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Managed identity should be used in your Web App","controlDescription":"Use a managed identity for enhanced authentication security.A managed identity from Azure Active Directory (Azure AD) allows your app to easily access other Azure AD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_http_logs_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_http_logs_enabled","org":"turbot","name":"appservice_web_app_http_logs_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'logs' -> 'http_logs') is not null) or ((attributes_std -> 'logs' -> 'dynamic' -> 'http_logs') is not null) then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'logs' -> 'http_logs') is not null) or ((attributes_std -> 'logs' -> 'dynamic' -> 'http_logs') is not null) then ' HTTP logs enabled'\n else ' HTTP logs disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":767,"endLineNumber":786,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_http_logs_enabled","org":"turbot","name":"appservice_web_app_http_logs_enabled","mod":"Terraform Azure Compliance","title":"Web apps HTTP logs should be enabled","description":"Ensure that Web app HTTP logs is enabled. This control is non-compliant if Web app HTTP logs is disabled.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web apps HTTP logs should be enabled","controlDescription":"Ensure that Web app HTTP logs is enabled. This control is non-compliant if Web app HTTP logs is disabled.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_function_app_client_certificates_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_client_certificates_on","org":"turbot","name":"appservice_function_app_client_certificates_on","sql":"select\n address as resource,\n case\n when (attributes_std -> 'client_cert_mode') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'client_cert_mode') is not null then ' cilient certificate enabled'\n else ' client certificate disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":393,"endLineNumber":412,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_function_app_client_certificates_on","org":"turbot","name":"appservice_function_app_client_certificates_on","mod":"Terraform Azure Compliance","title":"Function apps should have 'Client Certificates (Incoming client certificates)' enabled","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Function apps should have 'Client Certificates (Incoming client certificates)' enabled","controlDescription":"Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_environment_internal_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_environment_internal_encryption_enabled","org":"turbot","name":"appservice_environment_internal_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cluster_setting') is null then 'alarm'\n when\n (attributes_std -> 'cluster_setting' ->> 'name')::text = 'InternalEncryption'\n and (attributes_std -> 'cluster_setting' ->> 'value')::text = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cluster_setting') is null then ' ''cluster_setting'' not defined'\n when\n (attributes_std -> 'cluster_setting' ->> 'name')::text = 'InternalEncryption'\n and (attributes_std -> 'cluster_setting' ->> 'value')::text = 'true' then ' internal encryption enabled'\n else ' internal encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service_environment';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":153,"endLineNumber":178,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_environment_internal_encryption_enabled","org":"turbot","name":"appservice_environment_internal_encryption_enabled","mod":"Terraform Azure Compliance","title":"App Service Environment should enable internal encryption","description":"Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"App Service Environment should enable internal encryption","controlDescription":"Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_ftp_deployment_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_ftp_deployment_disabled","org":"turbot","name":"appservice_ftp_deployment_disabled","sql":"$a0","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":324,"endLineNumber":366,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_ftp_deployment_disabled","org":"turbot","name":"appservice_ftp_deployment_disabled","mod":"Terraform Azure Compliance","title":"Ensure FTP deployments are disabled","description":"By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.1","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Ensure FTP deployments are disabled","controlDescription":"By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.1","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_remote_debugging_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_remote_debugging_disabled","org":"turbot","name":"appservice_web_app_remote_debugging_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config' ->> 'remote_debugging_enabled') = 'true' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config' ->> 'remote_debugging_enabled') = 'true' then ' remote debugging enabled'\n else ' remote debugging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_remote_debugging_disabled","org":"turbot","name":"appservice_web_app_remote_debugging_disabled","mod":"Terraform Azure Compliance","title":"Remote debugging should be turned off for Web Applications","description":"Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Remote debugging should be turned off for Web Applications","controlDescription":"Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_failed_request_tracing_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_failed_request_tracing_enabled","org":"turbot","name":"appservice_web_app_failed_request_tracing_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'logs' ->> 'failed_request_tracing') = 'true') or ((attributes_std -> 'logs' ->> 'failed_request_tracing_enabled') = 'true') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'logs' ->> 'failed_request_tracing') = 'true') or ((attributes_std -> 'logs' ->> 'failed_request_tracing_enabled') = 'true') then ' failed request tracing enabled'\n else ' failed request tracing disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":746,"endLineNumber":765,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_failed_request_tracing_enabled","org":"turbot","name":"appservice_web_app_failed_request_tracing_enabled","mod":"Terraform Azure Compliance","title":"Web apps failed request tracing should be enabled","description":"Ensure that Web app enables failed request tracing. This control is non-compliant if Web app failed request tracing is disabled.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web apps failed request tracing should be enabled","controlDescription":"Ensure that Web app enables failed request tracing. This control is non-compliant if Web app failed request tracing is disabled.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_public_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_public_access_disabled","org":"turbot","name":"appservice_web_app_public_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'public_network_access_enabled') is null or (attributes_std ->> 'public_network_access_enabled')::bool then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'public_network_access_enabled') is null or (attributes_std ->> 'public_network_access_enabled')::bool then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_linux_web_app', 'azurerm_windows_web_app');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":978,"endLineNumber":997,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_public_access_disabled","org":"turbot","name":"appservice_web_app_public_access_disabled","mod":"Terraform Azure Compliance","title":"Web apps should restrict public network access","description":"This control checks whether Web apps are not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web apps should restrict public network access","controlDescription":"This control checks whether Web apps are not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_latest_php_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_latest_php_version","org":"turbot","name":"appservice_web_app_latest_php_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'PHP%' then 'ok'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text = 'PYTHON|3.9' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'PHP%' then' not using php version'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text = 'PHP|8.0' then ' using the latest php version'\n else ' not using latest php version'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":230,"endLineNumber":253,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_latest_php_version","org":"turbot","name":"appservice_web_app_latest_php_version","mod":"Terraform Azure Compliance","title":"Ensure that 'PHP version' is the latest, if used as a part of the WEB app","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Ensure that 'PHP version' is the latest, if used as a part of the WEB app","controlDescription":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_function_app_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_uses_managed_identity","org":"turbot","name":"appservice_function_app_uses_managed_identity","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity') is null then ' ''identity'' is not defined'\n else ' uses ' || (attributes_std -> 'identity' ->> 'type') || ' identity'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":481,"endLineNumber":500,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_function_app_uses_managed_identity","org":"turbot","name":"appservice_function_app_uses_managed_identity","mod":"Terraform Azure Compliance","title":"Managed identity should be used in your Function App","description":"Use a managed identity for enhanced authentication security.A managed identity from Azure Active Directory (Azure AD) allows your app to easily access other Azure AD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Managed identity should be used in your Function App","controlDescription":"Use a managed identity for enhanced authentication security.A managed identity from Azure Active Directory (Azure AD) allows your app to easily access other Azure AD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_function_app_ftps_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_ftps_enabled","org":"turbot","name":"appservice_function_app_ftps_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'ftps_state')::text = 'FtpsOnly' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' ->> 'ftps_state')::text = 'FtpsOnly' then ' FTPS enabled'\n else ' FTPS disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":278,"endLineNumber":299,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_function_app_ftps_enabled","org":"turbot","name":"appservice_function_app_ftps_enabled","mod":"Terraform Azure Compliance","title":"FTPS only should be required in your Function App","description":"Enable FTPS enforcement for enhanced security. For enhanced security, you should allow FTP over TLS/SSL only. You can also disable both FTP and FTPS if you don't use FTP deployment","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"FTPS only should be required in your Function App","controlDescription":"Enable FTPS enforcement for enhanced security. For enhanced security, you should allow FTP over TLS/SSL only. You can also disable both FTP and FTPS if you don't use FTP deployment","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}},"content_delivery_network":{"cdn_endpoint_http_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cdn_endpoint_http_disabled","org":"turbot","name":"cdn_endpoint_http_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'is_http_allowed') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'is_http_allowed') = 'false' then ' HTTP not allowed'\n else ' HTTP allowed'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cdn_endpoint';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cdn.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cdn_endpoint_http_disabled","org":"turbot","name":"cdn_endpoint_http_disabled","mod":"Terraform Azure Compliance","title":"Content Delivery Networks HTTP endpoint should be disabled","description":"This control checks whether Content Delivery Network HTTP endpoint is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContentDeliveryNetwork"}}],"controlTitle":"Content Delivery Networks HTTP endpoint should be disabled","controlDescription":"This control checks whether Content Delivery Network HTTP endpoint is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContentDeliveryNetwork"}},"cdn_endpoint_https_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cdn_endpoint_https_enabled","org":"turbot","name":"cdn_endpoint_https_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'is_https_allowed') = 'false' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'is_https_allowed') = 'false' then ' HTTPS not allowed'\n else ' HTTPS allowed'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cdn_endpoint';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cdn.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cdn_endpoint_https_enabled","org":"turbot","name":"cdn_endpoint_https_enabled","mod":"Terraform Azure Compliance","title":"Content Delivery Networks HTTPS endpoint should be enabled","description":"This control checks whether Content Delivery Network HTTPS endpoint is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContentDeliveryNetwork"}}],"controlTitle":"Content Delivery Networks HTTPS endpoint should be enabled","controlDescription":"This control checks whether Content Delivery Network HTTPS endpoint is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContentDeliveryNetwork"}}},"automation":{"automation_account_variables_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/automation_account_variables_encryption_enabled","org":"turbot","name":"automation_account_variables_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'encrypted') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'encrypted') = 'true' then ' encryption enabled'\n else ' encryption disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_automation_variable_bool', 'azurerm_automation_variable_string', 'azurerm_automation_variable_int', 'azurerm_automation_variable_datetime');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/automation.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.automation_account_variables_encryption_enabled","org":"turbot","name":"automation_account_variables_encryption_enabled","mod":"Terraform Azure Compliance","title":"Automation account variables encryption should be enabled","description":"Enabling Automation account variables encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Automation"}}],"controlTitle":"Automation account variables encryption should be enabled","controlDescription":"Enabling Automation account variables encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Automation"}}},"api_management":{"cdn_endpoint_custom_domain_uses_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cdn_endpoint_custom_domain_uses_latest_tls_version","org":"turbot","name":"cdn_endpoint_custom_domain_uses_latest_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cdn_managed_https' ->> 'tls_version') in ('None', 'TLS10') then 'alarm'\n when (attributes_std -> 'user_managed_https' ->> 'tls_version') in ('None', 'TLS10') then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cdn_managed_https' ->> 'tls_version') in ('None', 'TLS10') then ' not using the latest version of TLS encryption'\n when (attributes_std -> 'user_managed_https' ->> 'tls_version') in ('None', 'TLS10') then ' not using the latest version of TLS encryption'\n else ' using the latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cdn_endpoint_custom_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cdn.pp","startLineNumber":43,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cdn_endpoint_custom_domain_uses_latest_tls_version","org":"turbot","name":"cdn_endpoint_custom_domain_uses_latest_tls_version","mod":"Terraform Azure Compliance","title":"Content Delivery Network custom domains should use at least TLS 1.2 version","description":"This control checks that the Content Delivery Network custom domains uses at least TLS 1.2 version. This control is non-compliant if Content Delivery Network custom domains uses older TLS version.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/APIManagement"}}],"controlTitle":"Content Delivery Network custom domains should use at least TLS 1.2 version","controlDescription":"This control checks that the Content Delivery Network custom domains uses at least TLS 1.2 version. This control is non-compliant if Content Delivery Network custom domains uses older TLS version.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/APIManagement"}},"apimanagement_service_with_virtual_network":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/apimanagement_service_with_virtual_network","org":"turbot","name":"apimanagement_service_with_virtual_network","sql":"select\n address as resource,\n case\n when (attributes_std -> 'virtual_network_type') is null then 'alarm'\n when (attributes_std ->> 'virtual_network_type')::text <> 'None' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'virtual_network_type') is null then ' ''virtual_network_type'' is not set'\n else ' virtual network is set to ' || (attributes_std ->> 'virtual_network_type')\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_api_management';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apimanagement.pp","startLineNumber":1,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.apimanagement_service_with_virtual_network","org":"turbot","name":"apimanagement_service_with_virtual_network","mod":"Terraform Azure Compliance","title":"API Management services should use a virtual network","description":"Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/APIManagement"}}],"controlTitle":"API Management services should use a virtual network","controlDescription":"Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/APIManagement"}},"apimanagement_service_uses_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/apimanagement_service_uses_latest_tls_version","org":"turbot","name":"apimanagement_service_uses_latest_tls_version","sql":"$a1","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apimanagement.pp","startLineNumber":65,"endLineNumber":92,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.apimanagement_service_uses_latest_tls_version","org":"turbot","name":"apimanagement_service_uses_latest_tls_version","mod":"Terraform Azure Compliance","title":"API Management services should use at least TLS 1.2 version","description":"This control checks that the API Management service uses at least TLS 1.2 version. This control is non-compliant if API Management service uses older TLS version.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/APIManagement"}}],"controlTitle":"API Management services should use at least TLS 1.2 version","controlDescription":"This control checks that the API Management service uses at least TLS 1.2 version. This control is non-compliant if API Management service uses older TLS version.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/APIManagement"}},"apimanagement_service_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/apimanagement_service_restrict_public_access","org":"turbot","name":"apimanagement_service_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled')::boolean or (attributes_std ->> 'public_network_access_enabled') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled')::boolean or (attributes_std ->> 'public_network_access_enabled') is null then ' publicy accessible'\n else ' not publicy accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_api_management';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apimanagement.pp","startLineNumber":94,"endLineNumber":113,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.apimanagement_service_restrict_public_access","org":"turbot","name":"apimanagement_service_restrict_public_access","mod":"Terraform Azure Compliance","title":"API Management services should restrict public network access","description":"This control checks that the API Management service is not publicly accessible. This control is non-compliant if API Management service is publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/APIManagement"}}],"controlTitle":"API Management services should restrict public network access","controlDescription":"This control checks that the API Management service is not publicly accessible. This control is non-compliant if API Management service is publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/APIManagement"}},"apimanagement_service_client_certificate_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/apimanagement_service_client_certificate_enabled","org":"turbot","name":"apimanagement_service_client_certificate_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku_name') like 'Consumption%' and (attributes_std ->> 'client_certificate_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku_name') like 'Consumption%' and (attributes_std ->> 'client_certificate_enabled')::boolean then ' client certificate enabled'\n else ' client certificate disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_api_management';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apimanagement.pp","startLineNumber":44,"endLineNumber":63,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.apimanagement_service_client_certificate_enabled","org":"turbot","name":"apimanagement_service_client_certificate_enabled","mod":"Terraform Azure Compliance","title":"API Management services client certificate should be enabled","description":"Ensure API Management client certificate is enabled. This control is non-compliant if API Management client certificate is disabled.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/APIManagement"}}],"controlTitle":"API Management services client certificate should be enabled","controlDescription":"Ensure API Management client certificate is enabled. This control is non-compliant if API Management client certificate is disabled.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/APIManagement"}},"apimanagement_backend_uses_https":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/apimanagement_backend_uses_https","org":"turbot","name":"apimanagement_backend_uses_https","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'url') like 'https%' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'url') like 'https%' then ' backend uses HTTPS'\n else ' backend does not use HTTPS'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_api_management_backend';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apimanagement.pp","startLineNumber":23,"endLineNumber":42,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.apimanagement_backend_uses_https","org":"turbot","name":"apimanagement_backend_uses_https","mod":"Terraform Azure Compliance","title":"API Management backends should use HTTPS","description":"This control checks that the API Management backend is configured to use HTTPS.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/APIManagement"}}],"controlTitle":"API Management backends should use HTTPS","controlDescription":"This control checks that the API Management backend is configured to use HTTPS.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/APIManagement"}}},"batch":{"batch_account_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/batch_account_logging_enabled","org":"turbot","name":"batch_account_logging_enabled","sql":"$a2","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/batch.pp","startLineNumber":22,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.batch_account_logging_enabled","org":"turbot","name":"batch_account_logging_enabled","mod":"Terraform Azure Compliance","title":"Resource logs in Batch accounts should be enabled","description":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Batch"}}],"controlTitle":"Resource logs in Batch accounts should be enabled","controlDescription":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Batch"}},"batch_account_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/batch_account_encrypted_with_cmk","org":"turbot","name":"batch_account_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'key_vault_reference') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'key_vault_reference') is not null then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_batch_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/batch.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.batch_account_encrypted_with_cmk","org":"turbot","name":"batch_account_encrypted_with_cmk","mod":"Terraform Azure Compliance","title":"Azure Batch account should use customer-managed keys to encrypt data","description":"Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Batch"}}],"controlTitle":"Azure Batch account should use customer-managed keys to encrypt data","controlDescription":"Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Batch"}}},"application_gateway":{"application_gateway_use_secure_ssl_cipher":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/application_gateway_use_secure_ssl_cipher","org":"turbot","name":"application_gateway_use_secure_ssl_cipher","sql":"$a3","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/applicationgateway.pp","startLineNumber":43,"endLineNumber":88,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.application_gateway_use_secure_ssl_cipher","org":"turbot","name":"application_gateway_use_secure_ssl_cipher","mod":"Terraform Azure Compliance","title":"Application Gateway should use secure SSL cipher","description":"This control checks whether Application Gateway uses secure SSL cipher.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ApplicationGateway"}}],"controlTitle":"Application Gateway should use secure SSL cipher","controlDescription":"This control checks whether Application Gateway uses secure SSL cipher.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ApplicationGateway"}},"application_gateway_restrict_message_lookup_log4j2":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/application_gateway_restrict_message_lookup_log4j2","org":"turbot","name":"application_gateway_restrict_message_lookup_log4j2","sql":"$a4","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/applicationgateway.pp","startLineNumber":90,"endLineNumber":152,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.application_gateway_restrict_message_lookup_log4j2","org":"turbot","name":"application_gateway_restrict_message_lookup_log4j2","mod":"Terraform Azure Compliance","title":"Application Gateway should restrict message lookup in Log4j2","description":"This control checks that Application Gateway restricts message lookup in Log4j2 due to the CVE-2021-44228 vulnerability, also known as log4jshell.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ApplicationGateway"}}],"controlTitle":"Application Gateway should restrict message lookup in Log4j2","controlDescription":"This control checks that Application Gateway restricts message lookup in Log4j2 due to the CVE-2021-44228 vulnerability, also known as log4jshell.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ApplicationGateway"}},"application_gateway_uses_https_listener":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/application_gateway_uses_https_listener","org":"turbot","name":"application_gateway_uses_https_listener","sql":"select\n address as resource,\n case\n when (attributes_std -> 'http_listener' ->> 'protocol') = 'Https' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'http_listener' ->> 'protocol') = 'Https' then ' uses HTTPS listener'\n else ' does not use HTTPS listener'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_application_gateway';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/applicationgateway.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.application_gateway_uses_https_listener","org":"turbot","name":"application_gateway_uses_https_listener","mod":"Terraform Azure Compliance","title":"Application Gateway should use HTTPS Listener","description":"This control checks whether Application Gateway uses HTTPS Listener.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ApplicationGateway"}}],"controlTitle":"Application Gateway should use HTTPS Listener","controlDescription":"This control checks whether Application Gateway uses HTTPS Listener.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ApplicationGateway"}}},"app_configuration":{"app_configuration_purge_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/app_configuration_purge_protection_enabled","org":"turbot","name":"app_configuration_purge_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'purge_protection_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'purge_protection_enabled')::boolean then ' purge protection enabled'\n else ' purge protection disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appconfig.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.app_configuration_purge_protection_enabled","org":"turbot","name":"app_configuration_purge_protection_enabled","mod":"Terraform Azure Compliance","title":"App Configurations purge protection should be enabled","description":"This control checks whether App Configuration purge protection is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppConfiguration"}}],"controlTitle":"App Configurations purge protection should be enabled","controlDescription":"This control checks whether App Configuration purge protection is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppConfiguration"}},"app_configuration_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/app_configuration_restrict_public_access","org":"turbot","name":"app_configuration_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access') = 'Enabled' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access') = 'Enabled' then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appconfig.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.app_configuration_restrict_public_access","org":"turbot","name":"app_configuration_restrict_public_access","mod":"Terraform Azure Compliance","title":"App Configurations should restrict public network access","description":"This control checks whether App Configuration is not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppConfiguration"}}],"controlTitle":"App Configurations should restrict public network access","controlDescription":"This control checks whether App Configuration is not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppConfiguration"}},"app_configuration_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/app_configuration_encryption_enabled","org":"turbot","name":"app_configuration_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption' ->> 'key_vault_key_identifier') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption' ->> 'key_vault_key_identifier') is null then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appconfig.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.app_configuration_encryption_enabled","org":"turbot","name":"app_configuration_encryption_enabled","mod":"Terraform Azure Compliance","title":"App Configurations encryption should be enabled","description":"Enabling App Configuration encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppConfiguration"}}],"controlTitle":"App Configurations encryption should be enabled","controlDescription":"Enabling App Configuration encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppConfiguration"}},"app_configuration_local_auth_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/app_configuration_local_auth_disabled","org":"turbot","name":"app_configuration_local_auth_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'local_auth_enabled') is null or (attributes_std ->> 'local_auth_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'local_auth_enabled') is null or (attributes_std ->> 'local_auth_enabled')::boolean then ' local authentication enabled'\n else ' local authentication disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appconfig.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.app_configuration_local_auth_disabled","org":"turbot","name":"app_configuration_local_auth_disabled","mod":"Terraform Azure Compliance","title":"App Configurations local authentication should be disabled","description":"This control checks whether App Configuration local authentication is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppConfiguration"}}],"controlTitle":"App Configurations local authentication should be disabled","controlDescription":"This control checks whether App Configuration local authentication is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppConfiguration"}},"app_configuration_sku_standard":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/app_configuration_sku_standard","org":"turbot","name":"app_configuration_sku_standard","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku') = 'standard' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku') = 'standard' then ' use Standard SKU'\n else ' does not use Standard SKU'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appconfig.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.app_configuration_sku_standard","org":"turbot","name":"app_configuration_sku_standard","mod":"Terraform Azure Compliance","title":"App Configurations should use standard SKU","description":"Ensure that App Configuration uses standard SKU tier. This control is non-compliant if App Configuration does not use standard SKU.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppConfiguration"}}],"controlTitle":"App Configurations should use standard SKU","controlDescription":"Ensure that App Configuration uses standard SKU tier. This control is non-compliant if App Configuration does not use standard SKU.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppConfiguration"}}},"container_instance":{"container_instance_container_group_secure_environment_variable":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_instance_container_group_secure_environment_variable","org":"turbot","name":"container_instance_container_group_secure_environment_variable","sql":"with container_group_no_secure_environment as (\n select\n distinct name\n from\n terraform_resource,\n jsonb_array_elements(attributes_std -> 'container') as c\n where\n type = 'azurerm_container_group'\n and c -> 'environment_variables' is not null\n)\nselect\n address as resource,\n case\n when e.name is not null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when e.name is not null then ' uses environment variables'\n else ' does not use environment variables'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource as r\n left join container_group_no_secure_environment as e on e.name = r.name\nwhere\n type = 'azurerm_container_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerinstance.pp","startLineNumber":22,"endLineNumber":52,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_instance_container_group_secure_environment_variable","org":"turbot","name":"container_instance_container_group_secure_environment_variable","mod":"Terraform Azure Compliance","title":"Container instance container groups should use secure environment variable","description":"This control ensures that the container group uses secure environment variable.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerInstance"}}],"controlTitle":"Container instance container groups should use secure environment variable","controlDescription":"This control ensures that the container group uses secure environment variable.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerInstance"}},"container_instance_container_group_in_virtual_network":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_instance_container_group_in_virtual_network","org":"turbot","name":"container_instance_container_group_in_virtual_network","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'subnet_ids') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'subnet_ids') is null then ' in virtual network.'\n else ' not in virtual network.'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerinstance.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_instance_container_group_in_virtual_network","org":"turbot","name":"container_instance_container_group_in_virtual_network","mod":"Terraform Azure Compliance","title":"Container instance container groups should be in virtual network","description":"This control ensures that the container group is deployed into a virtual network.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerInstance"}}],"controlTitle":"Container instance container groups should be in virtual network","controlDescription":"This control ensures that the container group is deployed into a virtual network.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerInstance"}}},"kubernetes":{"kubernetes_cluster_metadata_server_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_metadata_server_enabled","org":"turbot","name":"kubernetes_cluster_metadata_server_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'node_config') is null then 'alarm'\n when (attributes_std -> 'node_config' -> 'workload_metadata_config') is null then 'alarm'\n when (attributes_std -> 'node_config' -> 'workload_metadata_config' ->> 'mode') = 'GKE_METADATA' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'node_config') is null then ' node config not defined'\n when (attributes_std -> 'node_config' -> 'workload_metadata_config') is null then ' workload metadata config not defined'\n when (attributes_std -> 'node_config' -> 'workload_metadata_config' ->> 'mode') = 'GKE_METADATA' then ' GKE metadata server enabled'\n else ' GKE metadata server disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_container_node_pool', 'google_container_cluster');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":218,"endLineNumber":241,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_metadata_server_enabled","org":"turbot","name":"kubernetes_cluster_metadata_server_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters GKE metadata server should be enabled","description":"This control checks that GKE clusters GKE metadata server is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters GKE metadata server should be enabled","controlDescription":"This control checks that GKE clusters GKE metadata server is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_stackdriver_monitoring_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_stackdriver_monitoring_enabled","org":"turbot","name":"kubernetes_cluster_stackdriver_monitoring_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'monitoring_service') = 'none' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'monitoring_service') = 'none' then ' stackdriver monitoring disabled'\n else ' stackdriver monitoring enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":197,"endLineNumber":216,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_stackdriver_monitoring_enabled","org":"turbot","name":"kubernetes_cluster_stackdriver_monitoring_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters stackdriver monitoring should be enabled","description":"This control checks that GKE clusters stackdriver monitoring is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters stackdriver monitoring should be enabled","controlDescription":"This control checks that GKE clusters stackdriver monitoring is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_release_channel_configured":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_release_channel_configured","org":"turbot","name":"kubernetes_cluster_release_channel_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'release_channel') is null then 'alarm'\n when (attributes_std -> 'release_channel' ->> 'channel') = 'UNSPECIFIED' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'release_channel') is null then ' release channel not defined'\n when (attributes_std -> 'release_channel' ->> 'channel') = 'UNSPECIFIED' then ' release channel not set'\n else ' release channel set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":356,"endLineNumber":377,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_release_channel_configured","org":"turbot","name":"kubernetes_cluster_release_channel_configured","mod":"Terraform GCP Compliance","title":"GKE clusters release channel should be configured","description":"This control checks that GKE clusters release channel is configured.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters release channel should be configured","controlDescription":"This control checks that GKE clusters release channel is configured.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_resource_label_configured":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_resource_label_configured","org":"turbot","name":"kubernetes_cluster_resource_label_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'resource_labels' -> 'key') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'resource_labels' -> 'key') is not null then ' labels configured'\n else ' labels not configured'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":287,"endLineNumber":306,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_resource_label_configured","org":"turbot","name":"kubernetes_cluster_resource_label_configured","mod":"Terraform GCP Compliance","title":"GKE clusters resource labels should be configured","description":"This control checks that GKE clusters resource labels are configured.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters resource labels should be configured","controlDescription":"This control checks that GKE clusters resource labels are configured.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_network_policy_installed":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_network_policy_installed","org":"turbot","name":"kubernetes_cluster_network_policy_installed","sql":"select\n address as resource,\n case\n when (attributes_std -> 'network_policy') is not null then 'ok' else 'alarm'\n end as status,\n name || case\n when (attributes_std -> 'network_policy') is not null then ' network policy defined'\n else ' network policy not defined'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":89,"endLineNumber":107,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_network_policy_installed","org":"turbot","name":"kubernetes_cluster_network_policy_installed","mod":"Terraform GCP Compliance","title":"Check that GKE clusters have a Network Policy installed","description":"This control checks that GKE clusters have a Network Policy installed.","tags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"Check that GKE clusters have a Network Policy installed","controlDescription":"This control checks that GKE clusters have a Network Policy installed.","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_legacy_endpoints_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_legacy_endpoints_disabled","org":"turbot","name":"kubernetes_cluster_legacy_endpoints_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'node_config' -> 'metadata' ->> 'disable-legacy-endpoints') = 'true' then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'node_config') is null then ' ''node_config'' is not defined'\n when (attributes_std -> 'node_config' -> 'metadata') is null then ' ''node_config.metadata'' is not defined'\n when coalesce(trim((attributes_std -> 'node_config' -> 'metadata' ->> 'disable-legacy-endpoints')), '') = ''\n then ' ''node_config.metadata.disable-legacy-endpoints'' is not defined'\n when (attributes_std -> 'node_config' -> 'metadata' ->> 'disable-legacy-endpoints') = 'true' then ' legacy endpoints disabled'\n else ' legacy endpoints enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":43,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_legacy_endpoints_disabled","org":"turbot","name":"kubernetes_cluster_legacy_endpoints_disabled","mod":"Terraform GCP Compliance","title":"Check that legacy metadata endpoints are disabled on Kubernetes clusters(disabled by default since GKE 1.12+)","description":"This control checks that legacy metadata endpoints are disabled on Kubernetes clusters(disabled by default since GKE 1.12+).","tags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"Check that legacy metadata endpoints are disabled on Kubernetes clusters(disabled by default since GKE 1.12+)","controlDescription":"This control checks that legacy metadata endpoints are disabled on Kubernetes clusters(disabled by default since GKE 1.12+).","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_control_plane_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_control_plane_restrict_public_access","org":"turbot","name":"kubernetes_cluster_control_plane_restrict_public_access","sql":"$a5","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":421,"endLineNumber":458,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_control_plane_restrict_public_access","org":"turbot","name":"kubernetes_cluster_control_plane_restrict_public_access","mod":"Terraform GCP Compliance","title":"GKE clusters control plane should restrict public access","description":"This control checks that GKE clusters control plane restricts public access.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters control plane should restrict public access","controlDescription":"This control checks that GKE clusters control plane restricts public access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_intranodal_visibility_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_intranodal_visibility_enabled","org":"turbot","name":"kubernetes_cluster_intranodal_visibility_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'enable_intranode_visibility') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'enable_intranode_visibility') = 'true' then ' intranodal visibility enabled'\n else ' intranodal visibility disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":400,"endLineNumber":419,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_intranodal_visibility_enabled","org":"turbot","name":"kubernetes_cluster_intranodal_visibility_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters intranodal visibility should be enabled","description":"This control checks that GKE clusters intranodal visibility is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters intranodal visibility should be enabled","controlDescription":"This control checks that GKE clusters intranodal visibility is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_auto_repair_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_auto_repair_enabled","org":"turbot","name":"kubernetes_cluster_auto_repair_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'management' ->> 'auto_repair')::boolean then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'management') is null then ' ''management'' is not defined'\n when (attributes_std -> 'management' ->> 'auto_repair') is null then ' ''management.auto_repair'' is not defined'\n when (attributes_std -> 'management' ->> 'auto_repair')::boolean then ' node pool auto repair enabled'\n else ' node pool auto repair disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_node_pool';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":109,"endLineNumber":128,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_auto_repair_enabled","org":"turbot","name":"kubernetes_cluster_auto_repair_enabled","mod":"Terraform GCP Compliance","title":"Ensure automatic node repair is enabled on all node pools in a GKE cluster","description":"This control checks that automatic node repair is enabled on all node pools in a GKE cluster.","tags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"Ensure automatic node repair is enabled on all node pools in a GKE cluster","controlDescription":"This control checks that automatic node repair is enabled on all node pools in a GKE cluster.","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_shielded_nodes_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_shielded_nodes_enabled","org":"turbot","name":"kubernetes_cluster_shielded_nodes_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'enable_shielded_nodes') = 'false' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'enable_shielded_nodes') = 'false' then ' shielded nodes disabled'\n else ' shielded nodes enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":176,"endLineNumber":195,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_shielded_nodes_enabled","org":"turbot","name":"kubernetes_cluster_shielded_nodes_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters shielded nodes should be enabled","description":"This control checks that GKE clusters shielded nodes is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters shielded nodes should be enabled","controlDescription":"This control checks that GKE clusters shielded nodes is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_legacy_abac_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_legacy_abac_enabled","org":"turbot","name":"kubernetes_cluster_legacy_abac_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'enable_legacy_abac')::boolean then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'enable_legacy_abac') is null then ' ''enable_legacy_abac'' is not defined'\n when (attributes_std ->> 'enable_legacy_abac')::boolean then ' legacy authorization enabled'\n else ' legacy authorization disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_legacy_abac_enabled","org":"turbot","name":"kubernetes_cluster_legacy_abac_enabled","mod":"Terraform GCP Compliance","title":"Ensure Legacy Authorization is disabled on Kubernetes Engine Clusters","description":"This control checks that Legacy Authorization is disabled on Kubernetes Engine Clusters.","tags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"Ensure Legacy Authorization is disabled on Kubernetes Engine Clusters","controlDescription":"This control checks that Legacy Authorization is disabled on Kubernetes Engine Clusters.","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_authenticator_group_configured":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_authenticator_group_configured","org":"turbot","name":"kubernetes_cluster_authenticator_group_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'authenticator_groups_config' -> 'security_group') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'authenticator_groups_config' -> 'security_group') is not null then ' authenticator group configured'\n else ' authenticator group not configured'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":266,"endLineNumber":285,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_authenticator_group_configured","org":"turbot","name":"kubernetes_cluster_authenticator_group_configured","mod":"Terraform GCP Compliance","title":"GKE clusters authenticator group should be configured to manage RBAC users","description":"This control checks that GKE clusters authenticator group is configured to manage RBAC users.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters authenticator group should be configured to manage RBAC users","controlDescription":"This control checks that GKE clusters authenticator group is configured to manage RBAC users.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_auto_upgrade_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_auto_upgrade_enabled","org":"turbot","name":"kubernetes_cluster_auto_upgrade_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'management' ->> 'auto_upgrade')::boolean then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'management') is null then ' ''management'' is not defined'\n when (attributes_std -> 'management' ->> 'auto_upgrade') is null then ' ''management.auto_upgrade'' is not defined'\n when (attributes_std -> 'management' ->> 'auto_upgrade')::boolean then ' node pool auto upgrade enabled'\n else ' node pool auto upgrade disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_node_pool';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_auto_upgrade_enabled","org":"turbot","name":"kubernetes_cluster_auto_upgrade_enabled","mod":"Terraform GCP Compliance","title":"Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes","description":"This control checks that Engine Clusters nodes have automatic node upgrades enabled.","tags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes","controlDescription":"This control checks that Engine Clusters nodes have automatic node upgrades enabled.","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_node_config_image_cos_containerd":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_node_config_image_cos_containerd","org":"turbot","name":"kubernetes_cluster_node_config_image_cos_containerd","sql":"select\n address as resource,\n case\n when (attributes_std -> 'node_config' ->> 'image_type') = 'COS_CONTAINERD' then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'node_config') is null then ' ''node_config'' is not defined'\n when coalesce(trim((attributes_std -> 'node_config' ->> 'image_type')), '') = '' then ' ''node_config.image_type'' is not defined'\n when (attributes_std -> 'node_config' ->> 'image_type') = 'COS_CONTAINERD' then ' Container-Optimized OS(COS) is used'\n else ' Container-Optimized OS(COS) not used'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":67,"endLineNumber":87,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_node_config_image_cos_containerd","org":"turbot","name":"kubernetes_cluster_node_config_image_cos_containerd","mod":"Terraform GCP Compliance","title":"Ensure Container-Optimized OS (cos) is used for Kubernetes engine clusters","description":"This control checks that GKE clusters use Container-Optimized OS (cos) for Kubernetes engine clusters.","tags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"Ensure Container-Optimized OS (cos) is used for Kubernetes engine clusters","controlDescription":"This control checks that GKE clusters use Container-Optimized OS (cos) for Kubernetes engine clusters.","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_no_cluster_level_node_pool":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_no_cluster_level_node_pool","org":"turbot","name":"kubernetes_cluster_no_cluster_level_node_pool","sql":"select\n address as resource,\n case\n when (attributes_std -> 'node_pool') is not null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'node_pool') is not null then ' node pool defined in cluster configuration'\n else ' node pool not defined in cluster configuration'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":525,"endLineNumber":544,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_no_cluster_level_node_pool","org":"turbot","name":"kubernetes_cluster_no_cluster_level_node_pool","mod":"Terraform GCP Compliance","title":"GKE clusters should not use cluster level node pool","description":"This control checks if GKE clusters use separate node pool resources since node pools defined in cluster configuration cannot be added or removed without recreating the cluster.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters should not use cluster level node pool","controlDescription":"This control checks if GKE clusters use separate node pool resources since node pools defined in cluster configuration cannot be added or removed without recreating the cluster.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_client_certificate_authentication_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_client_certificate_authentication_disabled","org":"turbot","name":"kubernetes_cluster_client_certificate_authentication_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'master_auth' -> 'client_certificate_config' -> 'issue_client_certificate') is null then 'alarm'\n when (attributes_std -> 'master_auth' -> 'client_certificate_config' ->> 'issue_client_certificate') = 'false' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'master_auth' -> 'client_certificate_config' -> 'issue_client_certificate') is null then ' client certificate authentication not defined'\n when (attributes_std -> 'master_auth' -> 'client_certificate_config' ->> 'issue_client_certificate') = 'false' then ' client certificate authentication disabled'\n else ' client certificate authentication enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":308,"endLineNumber":329,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_client_certificate_authentication_disabled","org":"turbot","name":"kubernetes_cluster_client_certificate_authentication_disabled","mod":"Terraform GCP Compliance","title":"GKE clusters client certificate authentication should be disabled","description":"This control checks that GKE clusters client certificate authentication is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters client certificate authentication should be disabled","controlDescription":"This control checks that GKE clusters client certificate authentication is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_cos_node_image":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_cos_node_image","org":"turbot","name":"kubernetes_cluster_cos_node_image","sql":"select\n address as resource,\n case\n when (attributes_std -> 'node_config' -> 'image_type') is null then 'alarm'\n when (attributes_std -> 'node_config' ->> 'image_type') ilike 'COS_%' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'node_config' -> 'image_type') is null then ' node image type not defined'\n when (attributes_std -> 'node_config' ->> 'image_type') ilike 'COS_%' then ' COS node image type used'\n else ' COS node image type not used'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_container_node_pool', 'google_container_cluster');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":502,"endLineNumber":523,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_cos_node_image","org":"turbot","name":"kubernetes_cluster_cos_node_image","mod":"Terraform GCP Compliance","title":"GKE clusters should use Container-Optimized OS(cos) node image","description":"This control checks that GKE clusters use Container-Optimized OS(cos) node image.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters should use Container-Optimized OS(cos) node image","controlDescription":"This control checks that GKE clusters use Container-Optimized OS(cos) node image.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_stackdriver_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_stackdriver_logging_enabled","org":"turbot","name":"kubernetes_cluster_stackdriver_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'logging_service') = 'none' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'logging_service') = 'none' then ' stackdriver logging disabled'\n else ' stackdriver logging enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":155,"endLineNumber":174,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_stackdriver_logging_enabled","org":"turbot","name":"kubernetes_cluster_stackdriver_logging_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters stackdriver logging should be enabled","description":"This control checks that GKE clusters stackdriver logging is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters stackdriver logging should be enabled","controlDescription":"This control checks that GKE clusters stackdriver logging is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_binary_auth_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_binary_auth_enabled","org":"turbot","name":"kubernetes_cluster_binary_auth_enabled","sql":"$a6","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":331,"endLineNumber":354,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_binary_auth_enabled","org":"turbot","name":"kubernetes_cluster_binary_auth_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters client binary authorizationn should be enabled","description":"This control checks that GKE clusters client binary authorization is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters client binary authorizationn should be enabled","controlDescription":"This control checks that GKE clusters client binary authorization is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_shielded_node_secure_boot_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_shielded_node_secure_boot_enabled","org":"turbot","name":"kubernetes_cluster_shielded_node_secure_boot_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'node_config' -> 'shielded_instance_config' ->> 'enable_secure_boot') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'node_config' -> 'shielded_instance_config' ->> 'enable_secure_boot') = 'true' then ' secure boot enabled for shielded nodes'\n else ' secure boot disabled for shielded nodes'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_container_node_pool', 'google_container_cluster');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":460,"endLineNumber":479,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_shielded_node_secure_boot_enabled","org":"turbot","name":"kubernetes_cluster_shielded_node_secure_boot_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters secure boot should be enabled for shielded nodes","description":"This control checks that GKE clusters secure boot is enabled for shielded nodes.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters secure boot should be enabled for shielded nodes","controlDescription":"This control checks that GKE clusters secure boot is enabled for shielded nodes.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_shielded_node_integrity_monitoring_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_shielded_node_integrity_monitoring_enabled","org":"turbot","name":"kubernetes_cluster_shielded_node_integrity_monitoring_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'node_config' -> 'shielded_instance_config' ->> 'enable_integrity_monitoring') = 'false' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'node_config' -> 'shielded_instance_config' ->> 'enable_integrity_monitoring') = 'false' then ' integrity monitoring disabled for shielded nodes'\n else ' integrity monitoring enabled for shielded nodes'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_container_node_pool', 'google_container_cluster');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":481,"endLineNumber":500,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_shielded_node_integrity_monitoring_enabled","org":"turbot","name":"kubernetes_cluster_shielded_node_integrity_monitoring_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters integrity monitoring should be enabled for shielded nodes","description":"This control checks that GKE clusters integrity monitoring is enabled for shielded nodes.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters integrity monitoring should be enabled for shielded nodes","controlDescription":"This control checks that GKE clusters integrity monitoring is enabled for shielded nodes.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_private_cluster_config_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_private_cluster_config_enabled","org":"turbot","name":"kubernetes_cluster_private_cluster_config_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'private_cluster_config') is null then 'alarm'\n when (attributes_std -> 'private_cluster_config' -> 'enable_private_nodes') is null then 'alarm'\n when (attributes_std -> 'private_cluster_config' -> 'enable_private_nodes')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'private_cluster_config') is null then ' private cluster config disabled'\n when (attributes_std -> 'private_cluster_config' -> 'enable_private_nodes') is null then ' ''enable_private_nodes'' not defined'\n when (attributes_std -> 'private_cluster_config' -> 'enable_private_nodes')::bool then ' private cluster config enabled'\n else ' private cluster config disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":130,"endLineNumber":153,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_private_cluster_config_enabled","org":"turbot","name":"kubernetes_cluster_private_cluster_config_enabled","mod":"Terraform GCP Compliance","title":"Verify all GKE clusters are Private Clusters","description":"This control checks that all GKE clusters are Private Clusters.","tags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"Verify all GKE clusters are Private Clusters","controlDescription":"This control checks that all GKE clusters are Private Clusters.","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_master_authorized_network_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_master_authorized_network_enabled","org":"turbot","name":"kubernetes_cluster_master_authorized_network_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'master_authorized_networks_config') = '{}' then 'alarm'\n when (attributes_std -> 'master_authorized_networks_config') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'master_authorized_networks_config') = '{}' then ' master authorized network not defined'\n when (attributes_std -> 'master_authorized_networks_config') is not null then ' master authorized network enabled'\n else ' master authorized network disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":243,"endLineNumber":264,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_master_authorized_network_enabled","org":"turbot","name":"kubernetes_cluster_master_authorized_network_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters master authorized networks should be enabled","description":"This control checks that GKE clusters master authorized networks is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters master authorized networks should be enabled","controlDescription":"This control checks that GKE clusters master authorized networks is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_alias_ip_range_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_alias_ip_range_enabled","org":"turbot","name":"kubernetes_cluster_alias_ip_range_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'ip_allocation_policy') is not null) and ((attributes_std ->> 'ip_allocation_policy') <> '{}') then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'ip_allocation_policy') is not null and ((attributes_std ->> 'ip_allocation_policy') <> '{}') then ' alias IP range enabled'\n else ' alias IP range disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":379,"endLineNumber":398,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_alias_ip_range_enabled","org":"turbot","name":"kubernetes_cluster_alias_ip_range_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters alias IP ranges should be enabled","description":"This control checks that GKE clusters alias IP ranges is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters alias IP ranges should be enabled","controlDescription":"This control checks that GKE clusters alias IP ranges is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}},"logging":{"logging_bucket_retention_policy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/logging_bucket_retention_policy_enabled","org":"turbot","name":"logging_bucket_retention_policy_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'retention_policy' ->> 'is_locked')::boolean then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'retention_policy') is null then ' ''retention_policy'' is not defined'\n when (attributes_std -> 'retention_policy' ->> 'is_locked') is null then ' ''retention_policy.is_locked'' is not defined'\n when (attributes_std -> 'retention_policy' ->> 'is_locked')::boolean then ' has retention policies configured'\n else ' does not have retention policies configured.'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_storage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/logging.pp","startLineNumber":1,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.logging_bucket_retention_policy_enabled","org":"turbot","name":"logging_bucket_retention_policy_enabled","mod":"Terraform GCP Compliance","title":"Ensure that retention policies on log buckets are configured using Bucket Lock","description":"Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Logging"}}],"controlTitle":"Ensure that retention policies on log buckets are configured using Bucket Lock","controlDescription":"Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"2.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"GCP/Logging"}}},"spanner":{"spanner_database_drop_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/spanner_database_drop_protection_enabled","org":"turbot","name":"spanner_database_drop_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enable_drop_protection')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enable_drop_protection')::boolean then ' drop protection enabled'\n else ' drop protection disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_spanner_database';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/spanner.pp","startLineNumber":45,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.spanner_database_drop_protection_enabled","org":"turbot","name":"spanner_database_drop_protection_enabled","mod":"Terraform GCP Compliance","title":"Spanner databases drop protection should be enabled","description":"This rule ensures that Spanner database has drop protection enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Spanner"}}],"controlTitle":"Spanner databases drop protection should be enabled","controlDescription":"This rule ensures that Spanner database has drop protection enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Spanner"}},"spanner_database_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/spanner_database_encrypted_with_kms_cmk","org":"turbot","name":"spanner_database_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_config' ->> 'kms_key_name') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_config' ->> 'kms_key_name') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_spanner_database';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/spanner.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.spanner_database_encrypted_with_kms_cmk","org":"turbot","name":"spanner_database_encrypted_with_kms_cmk","mod":"Terraform GCP Compliance","title":"Spanner databases should be encrypted with a KMS CMK","description":"This control checks whether Spanner databases are encrypted with a KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Spanner"}}],"controlTitle":"Spanner databases should be encrypted with a KMS CMK","controlDescription":"This control checks whether Spanner databases are encrypted with a KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Spanner"}},"spanner_database_deletion_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/spanner_database_deletion_protection_enabled","org":"turbot","name":"spanner_database_deletion_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'deletion_protection') is null then 'alarm'\n when (attributes_std -> 'deletion_protection')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'deletion_protection') is null then ' ''deletion_protection'' not defined'\n when (attributes_std -> 'deletion_protection')::boolean then ' deletion protection enabled'\n else ' deletion protection disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_spanner_database';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/spanner.pp","startLineNumber":22,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.spanner_database_deletion_protection_enabled","org":"turbot","name":"spanner_database_deletion_protection_enabled","mod":"Terraform GCP Compliance","title":"Spanner databases deletion protection should be enabled","description":"This rule ensures that Spanner database has deletion protection enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Spanner"}}],"controlTitle":"Spanner databases deletion protection should be enabled","controlDescription":"This rule ensures that Spanner database has deletion protection enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Spanner"}}},"pub_sub":{"pubsub_topic_repository_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/pubsub_topic_repository_not_publicly_accessible","org":"turbot","name":"pubsub_topic_repository_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_pubsub_topic_iam_member', 'google_pubsub_topic_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/pubsub.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.pubsub_topic_repository_not_publicly_accessible","org":"turbot","name":"pubsub_topic_repository_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"PubSub Topic Repository not publicly accessible","description":"This control checks whether PubSub topics are not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/PubSub"}}],"controlTitle":"PubSub Topic Repository not publicly accessible","controlDescription":"This control checks whether PubSub topics are not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/PubSub"}},"pubsub_topic_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/pubsub_topic_encrypted_with_kms_cmk","org":"turbot","name":"pubsub_topic_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_name') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_pubsub_topic';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/pubsub.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.pubsub_topic_encrypted_with_kms_cmk","org":"turbot","name":"pubsub_topic_encrypted_with_kms_cmk","mod":"Terraform GCP Compliance","title":"PubSub Topic encrypted with KMS CMK","description":"This control checks whether PubSub topics are encrypted with a KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/PubSub"}}],"controlTitle":"PubSub Topic encrypted with KMS CMK","controlDescription":"This control checks whether PubSub topics are encrypted with a KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/PubSub"}}},"dataproc":{"dataproc_cluster_public_ip_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/dataproc_cluster_public_ip_disabled","org":"turbot","name":"dataproc_cluster_public_ip_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cluster_config' -> 'gce_cluster_config' ->> 'internal_ip_only') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cluster_config' -> 'gce_cluster_config' ->> 'internal_ip_only') = 'true' then ' is not accessible from the public internet'\n else ' is accessible from the public internet'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_dataproc_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dataproc.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.dataproc_cluster_public_ip_disabled","org":"turbot","name":"dataproc_cluster_public_ip_disabled","mod":"Terraform GCP Compliance","title":"Dataproc cluster should not have public IP","description":"This control checks whether Dataproc cluster has public IP.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataproc"}}],"controlTitle":"Dataproc cluster should not have public IP","controlDescription":"This control checks whether Dataproc cluster has public IP.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataproc"}},"dataproc_cluster_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/dataproc_cluster_encrypted_with_kms_cmk","org":"turbot","name":"dataproc_cluster_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cluster_config' -> 'encryption_config' ->> 'kms_key_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cluster_config' -> 'encryption_config' ->> 'kms_key_name') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_dataproc_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dataproc.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.dataproc_cluster_encrypted_with_kms_cmk","org":"turbot","name":"dataproc_cluster_encrypted_with_kms_cmk","mod":"Terraform GCP Compliance","title":"Dataproc cluster should be encrypted with KMS CMK","description":"This control checks whether Dataproc cluster is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataproc"}}],"controlTitle":"Dataproc cluster should be encrypted with KMS CMK","controlDescription":"This control checks whether Dataproc cluster is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataproc"}},"dataproc_cluster_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/dataproc_cluster_not_publicly_accessible","org":"turbot","name":"dataproc_cluster_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_dataproc_cluster_iam_binding', 'google_dataproc_cluster_iam_member');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dataproc.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.dataproc_cluster_not_publicly_accessible","org":"turbot","name":"dataproc_cluster_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"Dataproc cluster should not be publicly accessible","description":"This control checks whether Dataproc cluster is publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataproc"}}],"controlTitle":"Dataproc cluster should not be publicly accessible","controlDescription":"This control checks whether Dataproc cluster is publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataproc"}}},"data_fusion":{"datafusion_instance_stackdriver_monitoring_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/datafusion_instance_stackdriver_monitoring_enabled","org":"turbot","name":"datafusion_instance_stackdriver_monitoring_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'enable_stackdriver_monitoring')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'enable_stackdriver_monitoring')::boolean then ' has stackdriver monitoring enabled'\n else ' has stackdriver monitoring disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_data_fusion_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/datafusion.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.datafusion_instance_stackdriver_monitoring_enabled","org":"turbot","name":"datafusion_instance_stackdriver_monitoring_enabled","mod":"Terraform GCP Compliance","title":"Data Fusion instance should have Stackdriver Monitoring enabled","description":"This control checks whether Data Fusion instance has Stackdriver Monitoring enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/DataFusion"}}],"controlTitle":"Data Fusion instance should have Stackdriver Monitoring enabled","controlDescription":"This control checks whether Data Fusion instance has Stackdriver Monitoring enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/DataFusion"}},"datafusion_instance_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/datafusion_instance_not_publicly_accessible","org":"turbot","name":"datafusion_instance_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'private_instance')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'private_instance')::boolean then ' is not publicly accessible'\n else ' is publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_data_fusion_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/datafusion.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.datafusion_instance_not_publicly_accessible","org":"turbot","name":"datafusion_instance_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"Data Fusion instance should not be publicly accessible","description":"This control checks whether Data Fusion instance is not public.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/DataFusion"}}],"controlTitle":"Data Fusion instance should not be publicly accessible","controlDescription":"This control checks whether Data Fusion instance is not public.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/DataFusion"}},"datafusion_instance_stackdriver_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/datafusion_instance_stackdriver_logging_enabled","org":"turbot","name":"datafusion_instance_stackdriver_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'enable_stackdriver_logging')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'enable_stackdriver_logging')::boolean then ' has stackdriver logging enabled'\n else ' has stackdriver logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_data_fusion_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/datafusion.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.datafusion_instance_stackdriver_logging_enabled","org":"turbot","name":"datafusion_instance_stackdriver_logging_enabled","mod":"Terraform GCP Compliance","title":"Data Fusion instance should have Stackdriver Logging enabled","description":"This control checks whether Data Fusion instance has Stackdriver Logging enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/DataFusion"}}],"controlTitle":"Data Fusion instance should have Stackdriver Logging enabled","controlDescription":"This control checks whether Data Fusion instance has Stackdriver Logging enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/DataFusion"}}},"dataflow":{"dataflow_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/dataflow_encrypted_with_kms_cmk","org":"turbot","name":"dataflow_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_name') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_dataflow_job';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dataflow.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.dataflow_encrypted_with_kms_cmk","org":"turbot","name":"dataflow_encrypted_with_kms_cmk","mod":"Terraform GCP Compliance","title":"Dataflow should be encrypted with KMS CMK","description":"This control checks whether Dataflow is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataflow"}}],"controlTitle":"Dataflow should be encrypted with KMS CMK","controlDescription":"This control checks whether Dataflow is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataflow"}},"dataflow_job_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/dataflow_job_not_publicly_accessible","org":"turbot","name":"dataflow_job_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'ip_configuration') = 'WORKER_IP_PRIVATE' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'ip_configuration') = 'WORKER_IP_PRIVATE' then ' is private'\n else ' is public'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_dataflow_job';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dataflow.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.dataflow_job_not_publicly_accessible","org":"turbot","name":"dataflow_job_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"Dataflow job should not be publicly accessible","description":"This control checks whether Dataflow job is publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataflow"}}],"controlTitle":"Dataflow job should not be publicly accessible","controlDescription":"This control checks whether Dataflow job is publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataflow"}}},"cloud_run":{"cloudrun_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/cloudrun_not_publicly_accessible","org":"turbot","name":"cloudrun_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'member') in ('allUsers', 'allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'member') in ('allUsers', 'allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_cloud_run_service_iam_member','google_cloud_run_service_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudrun.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.cloudrun_not_publicly_accessible","org":"turbot","name":"cloudrun_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"Cloud Run services should not be publicly accessible","description":"This control checks whether Cloud Run services are not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/CloudRun"}}],"controlTitle":"Cloud Run services should not be publicly accessible","controlDescription":"This control checks whether Cloud Run services are not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/CloudRun"}}},"vertex_ai":{"vertex_ai_notebook_instance_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/vertex_ai_notebook_instance_restrict_public_access","org":"turbot","name":"vertex_ai_notebook_instance_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'no_public_ip') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'no_public_ip') = 'true' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_notebooks_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vertexai.pp","startLineNumber":21,"endLineNumber":40,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.vertex_ai_notebook_instance_restrict_public_access","org":"turbot","name":"vertex_ai_notebook_instance_restrict_public_access","mod":"Terraform GCP Compliance","title":"Vertex AI notebook instances should restrict public access","description":"This control checks whether Vertex AI notebook instances are public.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/VertexAI"}}],"controlTitle":"Vertex AI notebook instances should restrict public access","controlDescription":"This control checks whether Vertex AI notebook instances are public.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/VertexAI"}},"vertex_ai_dataset_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/vertex_ai_dataset_encrypted_with_cmk","org":"turbot","name":"vertex_ai_dataset_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_spec' -> 'kms_key_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_spec' -> 'kms_key_name') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_vertex_ai_dataset';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vertexai.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.vertex_ai_dataset_encrypted_with_cmk","org":"turbot","name":"vertex_ai_dataset_encrypted_with_cmk","mod":"Terraform GCP Compliance","title":"Vertex AI datasets should be encrypted with KMS CMK","description":"This control checks whether a Vertex AI dataset is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/VertexAI"}}],"controlTitle":"Vertex AI datasets should be encrypted with KMS CMK","controlDescription":"This control checks whether a Vertex AI dataset is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/VertexAI"}}},"bigtable":{"bigtable_instance_deletion_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/bigtable_instance_deletion_protection_enabled","org":"turbot","name":"bigtable_instance_deletion_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'deletion_protection') is null then 'alarm'\n when (attributes_std -> 'deletion_protection')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'deletion_protection') is null then ' ''deletion_protection'' not defined'\n when (attributes_std -> 'deletion_protection')::boolean then ' deletion protection enabled'\n else ' deletion protection disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_bigtable_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/bigtable.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.bigtable_instance_deletion_protection_enabled","org":"turbot","name":"bigtable_instance_deletion_protection_enabled","mod":"Terraform GCP Compliance","title":"Bigtable Instance deletion protection should be enabled","description":"This rule ensures that Big Table Instance has deletion protection enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Bigtable"}}],"controlTitle":"Bigtable Instance deletion protection should be enabled","controlDescription":"This rule ensures that Big Table Instance has deletion protection enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Bigtable"}}},"big_query":{"bigtable_instance_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/bigtable_instance_encrypted_with_kms_cmk","org":"turbot","name":"bigtable_instance_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cluster' ->> 'kms_key_name') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cluster' ->> 'kms_key_name') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_bigtable_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/bigtable.pp","startLineNumber":24,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.bigtable_instance_encrypted_with_kms_cmk","org":"turbot","name":"bigtable_instance_encrypted_with_kms_cmk","mod":"Terraform GCP Compliance","title":"Big Query Instance should be encrypted with KMS CMK","description":"This control checks whether the Big Query Instance is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/BigQuery"}}],"controlTitle":"Big Query Instance should be encrypted with KMS CMK","controlDescription":"This control checks whether the Big Query Instance is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/BigQuery"}},"bigquery_dataset_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/bigquery_dataset_encrypted_with_cmk","org":"turbot","name":"bigquery_dataset_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'default_encryption_configuration') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'default_encryption_configuration') is null then ' not encrypted with CMK'\n else ' encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_bigquery_dataset';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/bigquery.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.bigquery_dataset_encrypted_with_cmk","org":"turbot","name":"bigquery_dataset_encrypted_with_cmk","mod":"Terraform GCP Compliance","title":"Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets","description":"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.3","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/BigQuery"}}],"controlTitle":"Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets","controlDescription":"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"7.3","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/BigQuery"}},"bigquery_table_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/bigquery_table_not_publicly_accessible","org":"turbot","name":"bigquery_table_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_bigquery_table_iam_binding','google_bigquery_table_iam_member');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/bigquery.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.bigquery_table_not_publicly_accessible","org":"turbot","name":"bigquery_table_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"Big Query Table should not be publicly accessible","description":"This control checks whether the Big Query Table is publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/BigQuery"}}],"controlTitle":"Big Query Table should not be publicly accessible","controlDescription":"This control checks whether the Big Query Table is publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/BigQuery"}},"bigquery_dataset_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/bigquery_dataset_not_publicly_accessible","org":"turbot","name":"bigquery_dataset_not_publicly_accessible","sql":"$a7","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/bigquery.pp","startLineNumber":64,"endLineNumber":108,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.bigquery_dataset_not_publicly_accessible","org":"turbot","name":"bigquery_dataset_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"Ensure that BigQuery datasets are not anonymously or publicly accessible","description":"It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.","tags":{"category":"Compliance","cft_scorecard_v1":"true","cis":"true","cis_item_id":"7.1","cis_level":"1","cis_type":"automated","forseti_security_v226":"true","plugin":"terraform","service":"GCP/BigQuery"}}],"controlTitle":"Ensure that BigQuery datasets are not anonymously or publicly accessible","controlDescription":"It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","cis":"true","cis_item_id":"7.1","cis_level":"1","cis_type":"automated","forseti_security_v226":"true","plugin":"terraform","service":"GCP/BigQuery"}},"bigquery_table_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/bigquery_table_encrypted_with_cmk","org":"turbot","name":"bigquery_table_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_configuration') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_configuration') is null then ' not encrypted with customer-managed encryption keys'\n else ' encrypted with customer-managed encryption keys'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_bigquery_table';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/bigquery.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.bigquery_table_encrypted_with_cmk","org":"turbot","name":"bigquery_table_encrypted_with_cmk","mod":"Terraform GCP Compliance","title":"Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)","description":"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and does not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery tables. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.2","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/BigQuery"}}],"controlTitle":"Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)","controlDescription":"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and does not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery tables. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"7.2","cis_level":"2","cis_type":"automated","plugin":"terraform","service":"GCP/BigQuery"}},"bigquery_table_deletion_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/bigquery_table_deletion_protection_enabled","org":"turbot","name":"bigquery_table_deletion_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'deletion_protection') is null then 'alarm'\n when (attributes_std -> 'deletion_protection')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'deletion_protection') is null then ' ''deletion_protection'' not defined'\n when (attributes_std -> 'deletion_protection')::boolean then ' deletion protection enabled'\n else ' deletion protection disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_bigquery_table';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/bigquery.pp","startLineNumber":110,"endLineNumber":131,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.bigquery_table_deletion_protection_enabled","org":"turbot","name":"bigquery_table_deletion_protection_enabled","mod":"Terraform GCP Compliance","title":"Big Query Table deletion protection should be enabled","description":"This rule ensures that Big Query Table has deletion protection enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/BigQuery"}}],"controlTitle":"Big Query Table deletion protection should be enabled","controlDescription":"This rule ensures that Big Query Table has deletion protection enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/BigQuery"}}},"vcn":{"vcn_network_security_group_restrict_ingress_ssh_all":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_network_security_group_restrict_ingress_ssh_all","org":"turbot","name":"vcn_network_security_group_restrict_ingress_ssh_all","sql":"$a8","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":54,"endLineNumber":105,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_network_security_group_restrict_ingress_ssh_all","org":"turbot","name":"vcn_network_security_group_restrict_ingress_ssh_all","mod":"Terraform OCI Compliance","title":"Ensure no Network security groups allow ingress from 0.0.0.0/0 to port 22","description":"Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress access to port 22.","tags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure no Network security groups allow ingress from 0.0.0.0/0 to port 22","controlDescription":"Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress access to port 22.","controlTags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}},"vcn_default_security_group_allow_icmp_only":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_default_security_group_allow_icmp_only","org":"turbot","name":"vcn_default_security_group_allow_icmp_only","sql":"with all_security_rules as (\n select\n *\n from\n terraform_resource\n where\n type = 'oci_core_security_list'\n), non_complaint as (\n select\n name,\n count(name) as count\n from\n all_security_rules,\n jsonb_array_elements(\n case jsonb_typeof(attributes_std -> 'ingress_security_rules')\n when 'array' then (attributes_std -> 'ingress_security_rules')\n else null end\n ) as p\n where\n p ->> 'protocol' != '1'\n group by name\n)\nselect\n a.address as resource,\n case\n when b.count > 0 or (a.attributes_std -> 'ingress_security_rules' ->> 'protocol' != '1') then 'alarm'\n else 'ok'\n end as status,\n split_part(a.address, '.', 2) || case\n when b.count > 0 or (a.attributes_std -> 'ingress_security_rules' ->> 'protocol' != '1') then ' configured with non ICMP ports'\n else ' configured with ICMP ports only'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n all_security_rules as a\n left join non_complaint as b on a.name = b.name;\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":274,"endLineNumber":314,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_default_security_group_allow_icmp_only","org":"turbot","name":"vcn_default_security_group_allow_icmp_only","mod":"Terraform OCI Compliance","title":"Ensure the Network default security list of every VCN restricts all traffic except ICMP","description":"A default security list is created when a Virtual Cloud Network (VCN) is created. Security lists provide stateful filtering of ingress and egress network traffic to OCI resources. It is recommended no security list allows unrestricted ingress access to Secure Shell (SSH) via port 22.","tags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure the Network default security list of every VCN restricts all traffic except ICMP","controlDescription":"A default security list is created when a Virtual Cloud Network (VCN) is created. Security lists provide stateful filtering of ingress and egress network traffic to OCI resources. It is recommended no security list allows unrestricted ingress access to Secure Shell (SSH) via port 22.","controlTags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}},"vcn_has_inbound_security_list_configured":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_has_inbound_security_list_configured","org":"turbot","name":"vcn_has_inbound_security_list_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'ingress_security_rules' ->> 'protocol') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'ingress_security_rules' ->> 'protocol') is not null then ' has inbound security list configured'\n else ' has no inbound security list configured'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_security_list';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":316,"endLineNumber":335,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_has_inbound_security_list_configured","org":"turbot","name":"vcn_has_inbound_security_list_configured","mod":"Terraform OCI Compliance","title":"Ensure VCN has at least one inbound security list configured","description":"This control checks if a VCN has at least one inbound security list configured.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure VCN has at least one inbound security list configured","controlDescription":"This control checks if a VCN has at least one inbound security list configured.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/VCN"}},"vcn_subnet_public_access_blocked":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_subnet_public_access_blocked","org":"turbot","name":"vcn_subnet_public_access_blocked","sql":"select\n type || ' ' || name as resource,\n case\n when ((attributes_std ->> 'prohibit_public_ip_on_vnic') is not null and\n (attributes_std ->> 'prohibit_public_ip_on_vnic')::boolean)\n then 'ok'\n else 'alarm'\n end as status,\n name || case\n when ((attributes_std ->> 'prohibit_public_ip_on_vnic') is not null and\n (attributes_std ->> 'prohibit_public_ip_on_vnic')::boolean)\n then ' is not publicly accessible'\n else ' is publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_subnet';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":249,"endLineNumber":272,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_subnet_public_access_blocked","org":"turbot","name":"vcn_subnet_public_access_blocked","mod":"Terraform OCI Compliance","title":"Ensure subnets are not publicly accessible","description":"Public access to a Network's subnet increases resource attack surface and unnecessarily raises the risk of resource compromise. A network source is a set of defined IP addresses. The IP addresses can be public IP addresses or IP addresses from VCNs within your tenancy. After you create a network source, you can reference it in policy or in your tenancy's authentication settings to control access based on the originating IP address.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure subnets are not publicly accessible","controlDescription":"Public access to a Network's subnet increases resource attack surface and unnecessarily raises the risk of resource compromise. A network source is a set of defined IP addresses. The IP addresses can be public IP addresses or IP addresses from VCNs within your tenancy. After you create a network source, you can reference it in policy or in your tenancy's authentication settings to control access based on the originating IP address.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/VCN"}},"vcn_security_list_restrict_ingress_ssh_all":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_security_list_restrict_ingress_ssh_all","org":"turbot","name":"vcn_security_list_restrict_ingress_ssh_all","sql":"$a9","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":107,"endLineNumber":176,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_security_list_restrict_ingress_ssh_all","org":"turbot","name":"vcn_security_list_restrict_ingress_ssh_all","mod":"Terraform OCI Compliance","title":"Ensure no security lists allow ingress from 0.0.0.0/0 to port 22","description":"Security lists provide stateful or stateless filtering of ingress/egress network traffic to OCI resources on a subnet level. It is recommended that no security group allows unrestricted ingress access to port 22.","tags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure no security lists allow ingress from 0.0.0.0/0 to port 22","controlDescription":"Security lists provide stateful or stateless filtering of ingress/egress network traffic to OCI resources on a subnet level. It is recommended that no security group allows unrestricted ingress access to port 22.","controlTags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}},"vcn_security_group_has_stateless_ingress_security_rules":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_security_group_has_stateless_ingress_security_rules","org":"turbot","name":"vcn_security_group_has_stateless_ingress_security_rules","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'direction' = 'INGRESS') and (attributes_std ->> 'stateless' is null or (attributes_std ->> 'stateless')::bool is not true) then 'alarm'\n when (attributes_std ->> 'direction' is null) or (attributes_std ->> 'direction' <> 'INGRESS') then 'info'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'direction' = 'INGRESS') and (attributes_std ->> 'stateless' is null or (attributes_std ->> 'stateless')::bool is not true) then ' does not have stateless ingress security rules'\n when (attributes_std ->> 'direction' is null) or (attributes_std ->> 'direction' <> 'INGRESS') then ' has no ingress security rules'\n else ' has stateless ingress security rules'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_network_security_group_security_rule';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":337,"endLineNumber":358,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_security_group_has_stateless_ingress_security_rules","org":"turbot","name":"vcn_security_group_has_stateless_ingress_security_rules","mod":"Terraform OCI Compliance","title":"Ensure Network Security Group has stateless ingress security rules","description":"This control checks if a Network Security Group has stateless ingress security rules.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure Network Security Group has stateless ingress security rules","controlDescription":"This control checks if a Network Security Group has stateless ingress security rules.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/VCN"}},"vcn_inbound_security_lists_are_stateless":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_inbound_security_lists_are_stateless","org":"turbot","name":"vcn_inbound_security_lists_are_stateless","sql":"$aa","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":360,"endLineNumber":402,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_inbound_security_lists_are_stateless","org":"turbot","name":"vcn_inbound_security_lists_are_stateless","mod":"Terraform OCI Compliance","title":"Ensure VCN inbound security lists are stateless","description":"This control checks if a VCN has inbound security lists that are stateless.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure VCN inbound security lists are stateless","controlDescription":"This control checks if a VCN has inbound security lists that are stateless.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/VCN"}},"vcn_network_security_group_restrict_ingress_rdp_all":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_network_security_group_restrict_ingress_rdp_all","org":"turbot","name":"vcn_network_security_group_restrict_ingress_rdp_all","sql":"$ab","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":1,"endLineNumber":52,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_network_security_group_restrict_ingress_rdp_all","org":"turbot","name":"vcn_network_security_group_restrict_ingress_rdp_all","mod":"Terraform OCI Compliance","title":"Ensure no Network security groups allow ingress from 0.0.0.0/0 to port 3389","description":"Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress access to port 3389.","tags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure no Network security groups allow ingress from 0.0.0.0/0 to port 3389","controlDescription":"Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress access to port 3389.","controlTags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}},"vcn_security_list_restrict_ingress_rdp_all":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_security_list_restrict_ingress_rdp_all","org":"turbot","name":"vcn_security_list_restrict_ingress_rdp_all","sql":"$ac","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":178,"endLineNumber":247,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_security_list_restrict_ingress_rdp_all","org":"turbot","name":"vcn_security_list_restrict_ingress_rdp_all","mod":"Terraform OCI Compliance","title":"Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389","description":"Security lists provide stateful or stateless filtering of ingress/egress network traffic to OCI resources on a subnet level. It is recommended that no security group allows unrestricted ingress access to port 3389.","tags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389","controlDescription":"Security lists provide stateful or stateless filtering of ingress/egress network traffic to OCI resources on a subnet level. It is recommended that no security group allows unrestricted ingress access to port 3389.","controlTags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}}},"artifact_registry_repository":{"artifact_registry_repository_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/artifact_registry_repository_encrypted_with_kms_cmk","org":"turbot","name":"artifact_registry_repository_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_name') is null then 'alarm' \n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_name') is null then ' not encrypted with KMS CMK' \n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_artifact_registry_repository';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/artificaterepository.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.artifact_registry_repository_encrypted_with_kms_cmk","org":"turbot","name":"artifact_registry_repository_encrypted_with_kms_cmk","mod":"Terraform GCP Compliance","title":"Artifact Registry Repository should be encrypted with KMS CMK","description":"This control checks whether Artifact Registry Repository is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/ArtifactRegistryRepository"}}],"controlTitle":"Artifact Registry Repository should be encrypted with KMS CMK","controlDescription":"This control checks whether Artifact Registry Repository is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/ArtifactRegistryRepository"}},"artifact_registry_repository_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/artifact_registry_repository_not_publicly_accessible","org":"turbot","name":"artifact_registry_repository_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then 'alarm' \n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_artifact_registry_repository_iam_member','google_artifact_registry_repository_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/artificaterepository.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.artifact_registry_repository_not_publicly_accessible","org":"turbot","name":"artifact_registry_repository_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"Artifact Registry Repository should not be publicly accessible","description":"This control checks whether Artifact Registry Repository is not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/ArtifactRegistryRepository"}}],"controlTitle":"Artifact Registry Repository should not be publicly accessible","controlDescription":"This control checks whether Artifact Registry Repository is not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/ArtifactRegistryRepository"}}},"cloud_build":{"cloudbuild_workers_use_private_ip":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/cloudbuild_workers_use_private_ip","org":"turbot","name":"cloudbuild_workers_use_private_ip","sql":"select\n address as resource,\n case\n when (attributes_std -> 'worker_config' ->> 'no_external_ip') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'worker_config' ->> 'no_external_ip') = 'true' then ' no external IP configured'\n else ' external IP configured'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_cloudbuild_worker_pool';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudbuild.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.cloudbuild_workers_use_private_ip","org":"turbot","name":"cloudbuild_workers_use_private_ip","mod":"Terraform GCP Compliance","title":"Cloud Build workers should use private IP addresses","description":"This control checks whether Cloud Build workers are configured to use private IP addresses.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/CloudBuild"}}],"controlTitle":"Cloud Build workers should use private IP addresses","controlDescription":"This control checks whether Cloud Build workers are configured to use private IP addresses.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/CloudBuild"}}},"cloud_function":{"cloudfunction_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/cloudfunction_not_publicly_accessible","org":"turbot","name":"cloudfunction_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'member') = 'allUsers' or (attributes_std -> 'members') @> '[\"allUsers\"]' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'member') = 'allUsers' or (attributes_std -> 'members') @> '[\"allUsers\"]' then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_cloudfunctions_function_iam_member', 'google_cloudfunctions_function_iam_binding', 'google_cloudfunctions2_function_iam_member', 'google_cloudfunctions2_function_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudfunction.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.cloudfunction_not_publicly_accessible","org":"turbot","name":"cloudfunction_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"Cloud Function should not be publicly accessible","description":"This control checks whether Cloud Function is publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/CloudFunction"}}],"controlTitle":"Cloud Function should not be publicly accessible","controlDescription":"This control checks whether Cloud Function is publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/CloudFunction"}}},"database":{"database_db_home_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/database_db_home_encryption_enabled","org":"turbot","name":"database_db_home_encryption_enabled","sql":"select\n address as resource,\n case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_database_db_home';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/database.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.database_db_home_encryption_enabled","org":"turbot","name":"database_db_home_encryption_enabled","mod":"Terraform OCI Compliance","title":"Database home encryption should be enabled","description":"Ensure database homes are encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Database"}}],"controlTitle":"Database home encryption should be enabled","controlDescription":"Ensure database homes are encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Database"}},"database_db_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/database_db_encryption_enabled","org":"turbot","name":"database_db_encryption_enabled","sql":"select\n address as resource,\n case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_database_database';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/database.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.database_db_encryption_enabled","org":"turbot","name":"database_db_encryption_enabled","mod":"Terraform OCI Compliance","title":"Database encryption should be enabled","description":"Ensure databases are encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Database"}}],"controlTitle":"Database encryption should be enabled","controlDescription":"Ensure databases are encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Database"}},"database_db_system_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/database_db_system_encryption_enabled","org":"turbot","name":"database_db_system_encryption_enabled","sql":"select\n address as resource,\n case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_database_db_system';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/database.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.database_db_system_encryption_enabled","org":"turbot","name":"database_db_system_encryption_enabled","mod":"Terraform OCI Compliance","title":"Database system encryption should be enabled","description":"Ensure database systems are encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Database"}}],"controlTitle":"Database system encryption should be enabled","controlDescription":"Ensure database systems are encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Database"}}},"block_storage":{"blockstorage_boot_volume_backup_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/blockstorage_boot_volume_backup_encryption_enabled","org":"turbot","name":"blockstorage_boot_volume_backup_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'source_details') is null then 'alarm'\n when (attributes_std -> 'source_details' -> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'source_details') is null then ' encryption disabled'\n when (attributes_std -> 'source_details' -> 'kms_key_id') is null then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_boot_volume_backup';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/blockstorage.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.blockstorage_boot_volume_backup_encryption_enabled","org":"turbot","name":"blockstorage_boot_volume_backup_encryption_enabled","mod":"Terraform OCI Compliance","title":"Block Storage boot volume backup encryption should be enabled","description":"Ensure Block Storage boot volume backups are encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/BlockStorage"}}],"controlTitle":"Block Storage boot volume backup encryption should be enabled","controlDescription":"Ensure Block Storage boot volume backups are encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/BlockStorage"}},"blockstorage_block_volume_backup_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/blockstorage_block_volume_backup_enabled","org":"turbot","name":"blockstorage_block_volume_backup_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'backup_policy_id') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'backup_policy_id') is null then ' backup disabled'\n else ' backup enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_volume';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/blockstorage.pp","startLineNumber":66,"endLineNumber":85,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.blockstorage_block_volume_backup_enabled","org":"turbot","name":"blockstorage_block_volume_backup_enabled","mod":"Terraform OCI Compliance","title":"Block Storage block volume backup should be enabled","description":"This control checks whether block volume backups are enabled. Block volume backups are used to create point-in-time copies of block volumes that can be used to create new block volumes or overwrite existing block volumes.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/BlockStorage"}}],"controlTitle":"Block Storage block volume backup should be enabled","controlDescription":"This control checks whether block volume backups are enabled. Block volume backups are used to create point-in-time copies of block volumes that can be used to create new block volumes or overwrite existing block volumes.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/BlockStorage"}},"blockstorage_boot_volume_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/blockstorage_boot_volume_encryption_enabled","org":"turbot","name":"blockstorage_boot_volume_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is null then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_boot_volume';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/blockstorage.pp","startLineNumber":45,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.blockstorage_boot_volume_encryption_enabled","org":"turbot","name":"blockstorage_boot_volume_encryption_enabled","mod":"Terraform OCI Compliance","title":"Block Storage boot volume encryption should be enabled","description":"Ensure Block Storage boot volumes are encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/BlockStorage"}}],"controlTitle":"Block Storage boot volume encryption should be enabled","controlDescription":"Ensure Block Storage boot volumes are encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/BlockStorage"}},"blockstorage_block_volume_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/blockstorage_block_volume_encryption_enabled","org":"turbot","name":"blockstorage_block_volume_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is null then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_volume';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/blockstorage.pp","startLineNumber":24,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.blockstorage_block_volume_encryption_enabled","org":"turbot","name":"blockstorage_block_volume_encryption_enabled","mod":"Terraform OCI Compliance","title":"Block Storage block volume encryption should be enabled","description":"Ensure Block Storage block volumes are encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/BlockStorage"}}],"controlTitle":"Block Storage block volume encryption should be enabled","controlDescription":"Ensure Block Storage block volumes are encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/BlockStorage"}}},"file_storage":{"file_storage_file_system_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/file_storage_file_system_encryption_enabled","org":"turbot","name":"file_storage_file_system_encryption_enabled","sql":"select\n address as resource,\n case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_file_storage_file_system';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/filestorage.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.file_storage_file_system_encryption_enabled","org":"turbot","name":"file_storage_file_system_encryption_enabled","mod":"Terraform OCI Compliance","title":"File Storage file system encryption should be enabled","description":"Ensure File Storage file systems are encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/FileStorage"}}],"controlTitle":"File Storage file system encryption should be enabled","controlDescription":"Ensure File Storage file systems are encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/FileStorage"}}}},"examples":{"terraform":{"example_list_aws_ec2_amis":{"org":"turbot","tables":["terraform.terraform_data_source"],"plugins":["turbot/terraform"],"sourcePath":"terraform_data_source.md","title":"List AWS EC2 AMIs","titleLine":35,"name":"example_list_aws_ec2_amis","id":"example_list_aws_ec2_amis","description":"Determine the areas in which specific AWS EC2 AMIs are used, by analyzing the data source. This can help in understanding the distribution and application of different AMIs within your infrastructure.Explore which Amazon Machine Images (AMIs) are available in your AWS EC2 environment using this query. It helps in assessing the elements within your infrastructure and aids in making informed decisions for resource allocation and management.","descriptionStartLine":36,"queries":[{"lang":"sql+postgres","code":"select\n name,\n type,\n arguments,\n path\nfrom\n terraform_data_source\nwhere\n type = 'aws_ami';","startLine":38,"endLine":48},{"lang":"sql+sqlite","code":"select\n name,\n type,\n arguments,\n path\nfrom\n terraform_data_source\nwhere\n type = 'aws_ami';","startLine":50,"endLine":60}],"isExampleQuery":true},"example_get_filters_for_each_aws_ec2_ami":{"org":"turbot","tables":["terraform.terraform_data_source"],"plugins":["turbot/terraform"],"sourcePath":"terraform_data_source.md","title":"Get filters for each AWS EC2 AMI","titleLine":62,"name":"example_get_filters_for_each_aws_ec2_ami","id":"example_get_filters_for_each_aws_ec2_ami","description":"Discover the segments that help to identify the specific filters applied to each AWS EC2 AMI. This is beneficial for understanding the configuration and management of your EC2 AMIs, aiding in resource optimization and security.Explore which AWS EC2 AMIs have specific filters applied to them. This is useful for understanding your AMI configurations and ensuring they align with your security and operational requirements.","descriptionStartLine":63,"queries":[{"lang":"sql+postgres","code":"with filters as (\nselect\n name,\n type,\n jsonb_array_elements(arguments -> 'filter') as filter,\n path\nfrom\n terraform_data_source\nwhere\n type = 'aws_ami'\n)\nselect\n name,\n type,\n filter -> 'name' as name,\n filter -> 'values' as values,\n path\nfrom\n filters;","startLine":66,"endLine":86},{"lang":"sql+sqlite","code":"with filters as (\nselect\n name,\n type,\n json_each(arguments, '$.filter') as filter,\n path\nfrom\n terraform_data_source\nwhere\n type = 'aws_ami'\n)\nselect\n name,\n type,\n json_extract(filter.value, '$.name') as name,\n json_extract(filter.value, '$.values') as values,\n path\nfrom\n filters;","startLine":88,"endLine":108}],"isExampleQuery":true},"example_list_owner_locals_case_insensitive_":{"org":"turbot","tables":["terraform.terraform_local"],"plugins":["turbot/terraform"],"sourcePath":"terraform_local.md","title":"List 'Owner' locals (case insensitive)","titleLine":34,"name":"example_list_owner_locals_case_insensitive_","id":"example_list_owner_locals_case_insensitive_","description":"Analyze the settings to understand who the owners are across various paths in a case-insensitive manner. This can be beneficial in managing access rights and maintaining security protocols.Identify instances where the 'owner' locals are used in the Terraform configuration to understand the ownership details in the system. This can be particularly useful in managing and organizing resources effectively.","descriptionStartLine":35,"queries":[{"lang":"sql+postgres","code":"select\n name,\n value,\n path\nfrom\n terraform_local\nwhere\n name ilike 'owner';","startLine":38,"endLine":47},{"lang":"sql+sqlite","code":"select\n name,\n value,\n path\nfrom\n terraform_local\nwhere\n name like 'owner';","startLine":49,"endLine":58}],"isExampleQuery":true},"example_list_all_modules_that_reference_a_source_on_gitlab_com_but_don_t_use_a_version_number_as_reference":{"org":"turbot","tables":["terraform.terraform_module"],"plugins":["turbot/terraform"],"sourcePath":"terraform_module.md","title":"List all modules that reference a source on 'gitlab.com' but don't use a version number as reference","titleLine":41,"name":"example_list_all_modules_that_reference_a_source_on_gitlab_com_but_don_t_use_a_version_number_as_reference","id":"example_list_all_modules_that_reference_a_source_on_gitlab_com_but_don_t_use_a_version_number_as_reference","description":"This example highlights the identification of Terraform modules that reference sources on 'gitlab.com' but do not utilize a version number for referencing. This is useful for ensuring proper version control and avoiding potential inconsistencies or conflicts in your infrastructure setup.Explore modules that link to 'gitlab.com' but lack a specified version number. This is useful for identifying potential areas of instability in your infrastructure, as modules without version numbers can introduce unpredictability.","descriptionStartLine":42,"queries":[{"lang":"sql+postgres","code":"select\n name,\n split_part(module_source,'=',-1) as ref\nfrom\n terraform_module\nwhere\n module_source like '%gitlab.com%'\n and not split_part(module_source,'=',-1) ~ '^[0-9]';","startLine":45,"endLine":54},{"lang":"sql+sqlite","code":"Error: SQLite does not support split_part function and regular expression matching like '~'.","startLine":56,"endLine":58}],"isExampleQuery":true},"example_list_sensitive_outputs":{"org":"turbot","tables":["terraform.terraform_output"],"plugins":["turbot/terraform"],"sourcePath":"terraform_output.md","title":"List sensitive outputs","titleLine":42,"name":"example_list_sensitive_outputs","id":"example_list_sensitive_outputs","description":"Discover the segments that contain sensitive information within your Terraform outputs. This can help in identifying potential security risks and take necessary precautions to protect your data.Explore which outputs in your Terraform configuration are marked as sensitive. This is useful for maintaining data security and confidentiality.","descriptionStartLine":43,"queries":[{"lang":"sql+postgres","code":"select\n name,\n description,\n path\nfrom\n terraform_output\nwhere\n sensitive;","startLine":46,"endLine":55},{"lang":"sql+sqlite","code":"select\n name,\n description,\n path\nfrom\n terraform_output\nwhere\n sensitive = 1;","startLine":57,"endLine":66}],"isExampleQuery":true},"example_list_outputs_referring_to_aws_s3_bucket_arn_attributes":{"org":"turbot","tables":["terraform.terraform_output"],"plugins":["turbot/terraform"],"sourcePath":"terraform_output.md","title":"List outputs referring to AWS S3 bucket ARN attributes","titleLine":68,"name":"example_list_outputs_referring_to_aws_s3_bucket_arn_attributes","id":"example_list_outputs_referring_to_aws_s3_bucket_arn_attributes","description":"Explore which Terraform outputs reference AWS S3 bucket ARN attributes. This can be useful for identifying dependencies or potential configuration issues.Analyze the settings to understand the connections between your Terraform outputs and AWS S3 bucket ARN attributes. This is useful to identify potential dependencies or configurations that may impact your S3 bucket usage.","descriptionStartLine":69,"queries":[{"lang":"sql+postgres","code":"select\n name,\n description,\n value,\n path\nfrom\n terraform_output\nwhere\n value::text like '%aws_s3_bucket.%.arn%';","startLine":72,"endLine":82},{"lang":"sql+sqlite","code":"select\n name,\n description,\n value,\n path\nfrom\n terraform_output\nwhere\n value like '%aws_s3_bucket.%.arn%';","startLine":84,"endLine":94}],"isExampleQuery":true},"example_list_providers_using_deprecated_version_argument":{"org":"turbot","tables":["terraform.terraform_provider"],"plugins":["turbot/terraform"],"sourcePath":"terraform_provider.md","title":"List providers using deprecated 'version' argument","titleLine":35,"name":"example_list_providers_using_deprecated_version_argument","id":"example_list_providers_using_deprecated_version_argument","description":"This example helps you identify the instances where deprecated 'version' arguments are still being used in your Terraform providers. This can aid in ensuring your configuration is up-to-date and compliant with current best practices.Discover the segments that are utilizing outdated 'version' arguments in their configuration. This aids in identifying areas for potential updates and improvements.","descriptionStartLine":36,"queries":[{"lang":"sql+postgres","code":"select\n name,\n alias,\n version,\n path\nfrom\n terraform_provider\nwhere\n version is not null;","startLine":38,"endLine":48},{"lang":"sql+sqlite","code":"select\n name,\n alias,\n version,\n path\nfrom\n terraform_provider\nwhere\n version is not null;","startLine":50,"endLine":60}],"isExampleQuery":true},"example_list_aws_providers_with_their_regions":{"org":"turbot","tables":["terraform.terraform_provider"],"plugins":["turbot/terraform"],"sourcePath":"terraform_provider.md","title":"List AWS providers with their regions","titleLine":62,"name":"example_list_aws_providers_with_their_regions","id":"example_list_aws_providers_with_their_regions","description":"Explore the configuration of your AWS providers to understand the specific regions in which they operate. This can be beneficial in managing and optimizing your resource allocation across different geographical locations.Explore which AWS providers are configured across different regions. This can assist in managing resources and ensuring efficient distribution across various geographical locations.","descriptionStartLine":63,"queries":[{"lang":"sql+postgres","code":"select\n name,\n alias,\n arguments ->> 'region' as region,\n path\nfrom\n terraform_provider\nwhere\n name = 'aws';","startLine":66,"endLine":76},{"lang":"sql+sqlite","code":"select\n name,\n alias,\n json_extract(arguments, '$.region') as region,\n path\nfrom\n terraform_provider\nwhere\n name = 'aws';","startLine":78,"endLine":88}],"isExampleQuery":true},"example_list_aws_iam_roles":{"org":"turbot","tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourcePath":"terraform_resource.md","title":"List AWS IAM roles","titleLine":38,"name":"example_list_aws_iam_roles","id":"example_list_aws_iam_roles","description":"Explore the configuration of your AWS infrastructure by identifying the roles assigned within it. This can help in understanding the access and permissions structure, aiding in security audits and compliance checks.Explore the various roles within your AWS IAM setup to understand their configurations and attributes. This could help in managing access control and ensuring security protocols are being followed.","descriptionStartLine":39,"queries":[{"lang":"sql+postgres","code":"select\n name,\n type,\n address,\n attributes_std,\n path\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_role';","startLine":42,"endLine":53},{"lang":"sql+sqlite","code":"select\n name,\n type,\n address,\n attributes_std,\n path\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_role';","startLine":55,"endLine":66}],"isExampleQuery":true},"example_list_aws_iam_assume_role_policy_statements":{"org":"turbot","tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourcePath":"terraform_resource.md","title":"List AWS IAM assume_role_policy Statements","titleLine":68,"name":"example_list_aws_iam_assume_role_policy_statements","id":"example_list_aws_iam_assume_role_policy_statements","description":"Explore which AWS Identity and Access Management (IAM) roles have specific permissions. This is particularly useful for auditing security and compliance purposes, as it allows you to identify potential vulnerabilities in your IAM roles' permissions.Analyze the settings to understand the policies associated with AWS IAM roles. This can be useful to identify instances where specific roles have been granted certain permissions, ensuring secure and appropriate access control within your AWS environment.","descriptionStartLine":69,"queries":[{"lang":"sql+postgres","code":"select\n path,\n name,\n address,\n (attributes_std ->> 'assume_role_policy')::jsonb -> 'Statement' as statement\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_role'","startLine":72,"endLine":82},{"lang":"sql+sqlite","code":"select\n path,\n name,\n address,\n json_extract(attributes_std, '$.assume_role_policy.Statement') as statement\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_role'","startLine":84,"endLine":94}],"isExampleQuery":true},"example_get_ami_for_each_aws_ec2_instance":{"org":"turbot","tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourcePath":"terraform_resource.md","title":"Get AMI for each AWS EC2 instance","titleLine":96,"name":"example_get_ami_for_each_aws_ec2_instance","id":"example_get_ami_for_each_aws_ec2_instance","description":"Explore which AWS EC2 instances are associated with each Amazon Machine Image (AMI). This can help identify instances that may be using outdated or unsecured AMIs, supporting better security and compliance management.Explore which Amazon Machine Images (AMIs) are used for each Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instance. This is useful for understanding the software configurations of your EC2 instances.","descriptionStartLine":97,"queries":[{"lang":"sql+postgres","code":"select\n address,\n name,\n attributes_std ->> 'ami' as ami,\n path\nfrom\n terraform_resource\nwhere\n type = 'aws_instance';","startLine":100,"endLine":110},{"lang":"sql+sqlite","code":"select\n address,\n name,\n json_extract(attributes_std, '$.ami') as ami,\n path\nfrom\n terraform_resource\nwhere\n type = 'aws_instance';","startLine":112,"endLine":122}],"isExampleQuery":true},"example_list_aws_cloudtrail_trails_that_are_not_encrypted":{"org":"turbot","tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourcePath":"terraform_resource.md","title":"List AWS CloudTrail trails that are not encrypted","titleLine":124,"name":"example_list_aws_cloudtrail_trails_that_are_not_encrypted","id":"example_list_aws_cloudtrail_trails_that_are_not_encrypted","description":"Analyze the settings to understand which AWS CloudTrail trails are not encrypted, helping to identify potential security risks in your AWS environment.Determine the areas in which AWS CloudTrail trails are not encrypted to ensure data security and compliance. This is crucial for identifying potential security vulnerabilities in your AWS environment.","descriptionStartLine":125,"queries":[{"lang":"sql+postgres","code":"select\n address,\n name,\n path\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudtrail'\n and attributes_std -> 'kms_key_id' is null;","startLine":128,"endLine":138},{"lang":"sql+sqlite","code":"select\n address,\n name,\n path\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudtrail'\n and json_extract(attributes_std, '$.kms_key_id') is null;","startLine":140,"endLine":150}],"isExampleQuery":true},"example_list_azure_storage_accounts_that_allow_public_blob_access":{"org":"turbot","tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourcePath":"terraform_resource.md","title":"List Azure storage accounts that allow public blob access","titleLine":152,"name":"example_list_azure_storage_accounts_that_allow_public_blob_access","id":"example_list_azure_storage_accounts_that_allow_public_blob_access","description":"Explore which Azure storage accounts permit public access to their blobs. This is useful in identifying potential security vulnerabilities where sensitive data might be exposed.Explore which Azure storage accounts permit public blob access. This can be useful in identifying potential security risks and ensuring that sensitive data is not inadvertently exposed to the public.","descriptionStartLine":153,"queries":[{"lang":"sql+postgres","code":"select\n address,\n name,\n case\n when attributes_std -> 'allow_blob_public_access' is null then false\n else (attributes_std -> 'allow_blob_public_access')::boolean\n end as allow_blob_public_access,\n path\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account'\n -- Optional arg that defaults to false\n and (attributes_std -> 'allow_blob_public_access')::boolean;","startLine":156,"endLine":171},{"lang":"sql+sqlite","code":"select\n address,\n name,\n case\n when json_extract(attributes_std, '$.allow_blob_public_access') is null then 0\n else json_extract(attributes_std, '$.allow_blob_public_access')\n end as allow_blob_public_access,\n path\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account'\n and json_extract(attributes_std, '$.allow_blob_public_access');","startLine":173,"endLine":187}],"isExampleQuery":true},"example_list_azure_mysql_servers_that_don_t_enforce_ssl":{"org":"turbot","tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourcePath":"terraform_resource.md","title":"List Azure MySQL servers that don't enforce SSL","titleLine":189,"name":"example_list_azure_mysql_servers_that_don_t_enforce_ssl","id":"example_list_azure_mysql_servers_that_don_t_enforce_ssl","description":"Explore which Azure MySQL servers are potentially vulnerable by identifying those that do not enforce SSL. This can help enhance security by pinpointing areas to strengthen encryption measures.Determine the areas in which Azure MySQL servers are not enforcing SSL. This is useful to identify potential security vulnerabilities and ensure all servers are adhering to best practices for secure connections.","descriptionStartLine":190,"queries":[{"lang":"sql+postgres","code":"select\n address,\n name,\n attributes_std -> 'ssl_enforcement_enabled' as ssl_enforcement_enabled,\n path\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mysql_server'\n and not (attributes_std -> 'ssl_enforcement_enabled')::boolean;","startLine":193,"endLine":204},{"lang":"sql+sqlite","code":"select\n address,\n name,\n json_extract(attributes_std, '$.ssl_enforcement_enabled') as ssl_enforcement_enabled,\n path\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mysql_server'\n and not json_extract(attributes_std, '$.ssl_enforcement_enabled');","startLine":206,"endLine":217}],"isExampleQuery":true},"example_list_azure_mysql_servers_with_public_network_access_enabled":{"org":"turbot","tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourcePath":"terraform_resource.md","title":"List Azure MySQL servers with public network access enabled","titleLine":219,"name":"example_list_azure_mysql_servers_with_public_network_access_enabled","id":"example_list_azure_mysql_servers_with_public_network_access_enabled","description":"Determine the Azure MySQL servers that have public network access enabled. This can be useful for identifying potential security risks and ensuring that your servers are configured according to your organization's security policies.Determine the Azure MySQL servers that have public network access enabled. This helps in identifying potential security risks by highlighting servers that are exposed to the public internet.","descriptionStartLine":220,"queries":[{"lang":"sql+postgres","code":"select\n address,\n name,\n case\n when attributes_std -> 'public_network_access_enabled' is null then true\n else (attributes_std -> 'public_network_access_enabled')::boolean\n end as public_network_access_enabled,\n path\nfrom\n terraform_resource\nwhere\n type in ('azurerm_mssql_server', 'azurerm_mysql_server')\n -- Optional arg that defaults to true\n and (attributes_std -> 'public_network_access_enabled' is null or (attributes_std -> 'public_network_access_enabled')::boolean);","startLine":223,"endLine":238},{"lang":"sql+sqlite","code":"select\n address,\n name,\n case\n when json_extract(attributes_std, '$.public_network_access_enabled') is null then 1\n else json_extract(attributes_std, '$.public_network_access_enabled')\n end as public_network_access_enabled,\n path\nfrom\n terraform_resource\nwhere\n type in ('azurerm_mssql_server', 'azurerm_mysql_server')\n and (json_extract(attributes_std, '$.public_network_access_enabled') is null or json_extract(attributes_std, '$.public_network_access_enabled'));","startLine":240,"endLine":254}],"isExampleQuery":true},"example_list_resources_from_a_plan_file":{"org":"turbot","tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourcePath":"terraform_resource.md","title":"List resources from a plan file","titleLine":256,"name":"example_list_resources_from_a_plan_file","id":"example_list_resources_from_a_plan_file","description":"This query allows you to analyze the resources outlined in a specific Terraform plan file. It helps in gaining insights into the different elements like name, type, and address, which can be beneficial for understanding the structure and configuration of your infrastructure.Explore which resources are included in a specific plan file. This can help identify instances where certain resources may need to be added, removed, or modified, providing insights into the overall configuration of your project.","descriptionStartLine":257,"queries":[{"lang":"sql+postgres","code":"select\n name,\n type,\n address,\n attributes_std,\n path\nfrom\n terraform_resource\nwhere\n path = '/path/to/tfplan.json';","startLine":259,"endLine":270},{"lang":"sql+sqlite","code":"select\n name,\n type,\n address,\n attributes_std,\n path\nfrom\n terraform_resource\nwhere\n path = '/path/to/tfplan.json';","startLine":272,"endLine":283}],"isExampleQuery":true},"example_list_resources_from_a_state_file":{"org":"turbot","tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourcePath":"terraform_resource.md","title":"List resources from a state file","titleLine":285,"name":"example_list_resources_from_a_state_file","id":"example_list_resources_from_a_state_file","description":"Explore which resources are contained within a specific state file. This is useful for understanding the structure and content of your Terraform infrastructure without needing to navigate through multiple files or directories.Determine the resources within a specific state file in Terraform. This is useful for understanding the components of your infrastructure and their attributes, especially when managing large-scale deployments.","descriptionStartLine":286,"queries":[{"lang":"sql+postgres","code":"select\n name,\n type,\n address,\n attributes_std,\n path\nfrom\n terraform_resource\nwhere\n path = '/path/to/terraform.tfstate';","startLine":289,"endLine":300},{"lang":"sql+sqlite","code":"select\n name,\n type,\n address,\n attributes_std,\n path\nfrom\n terraform_resource\nwhere\n path = '/path/to/terraform.tfstate';","startLine":302,"endLine":313}],"isExampleQuery":true},"example_list_variables_with_validation_rules":{"org":"turbot","tables":["terraform.terraform_variable"],"plugins":["turbot/terraform"],"sourcePath":"terraform_variable.md","title":"List Variables with Validation Rules","titleLine":37,"name":"example_list_variables_with_validation_rules","id":"example_list_variables_with_validation_rules","description":"Identify the variables that have validation rules applied. This is useful for ensuring that the constraints on variable values are properly understood and managed.","descriptionStartLine":38,"queries":[{"lang":"sql+postgres","code":"select\n name,\n validation,\n type\nfrom\n terraform_variable\nwhere\n validation is not null;","startLine":40,"endLine":49},{"lang":"sql+sqlite","code":"select\n name,\n validation,\n type\nfrom\n terraform_variable\nwhere\n validation is not null;","startLine":51,"endLine":60}],"isExampleQuery":true},"example_sensitive_variables":{"org":"turbot","tables":["terraform.terraform_variable"],"plugins":["turbot/terraform"],"sourcePath":"terraform_variable.md","title":"Sensitive Variables","titleLine":62,"name":"example_sensitive_variables","id":"example_sensitive_variables","description":"Discover which variables in your Terraform configuration are marked as sensitive. This is useful for maintaining data security and confidentiality.","descriptionStartLine":63,"queries":[{"lang":"sql+postgres","code":"select\n name,\n description,\n sensitive\nfrom\n terraform_variable\nwhere\n sensitive;","startLine":65,"endLine":74},{"lang":"sql+sqlite","code":"select\n name,\n description,\n sensitive\nfrom\n terraform_variable\nwhere\n sensitive = 1;","startLine":76,"endLine":85}],"isExampleQuery":true}}},"nameWithTag":"terraform","tag":"latest","allowIndex":true},"sidebarData":{"org":"turbot","name":"terraform","type":"queries","searchPlaceholder":"Search queries...","algoliaIndex":"production_HUB_STEAMPIPE_PLUGIN_EXAMPLES"},"children":["$","$L8",null,{"parallelRouterKey":"children","segmentPath":["children","plugins","children","$9","children","$a","children","queries","children"],"error":"$undefined","errorStyles":"$undefined","errorScripts":"$undefined","template":["$","$Ld",null,{}],"templateStyles":"$undefined","templateScripts":"$undefined","notFound":"$undefined","notFoundStyles":"$undefined"}]}]

Query: Elasticsearch domain should send logs to cloudWatch

Description

Query

SQL