e:["$","$L15",null,{"pluginData":{"readme":"$16","sourceInfo":"$17","engines":["steampipe","sqlite","postgres","export"],"organization":"Turbot","category":["software development"],"iconUrl":"/images/plugins/turbot/terraform.svg","brandColor":"#844FBA","displayName":"Terraform","shortName":"terraform","description":"Steampipe plugin to query data from Terraform files.","ogDescription":"Query Terraform files with SQL! Open source CLI. No DB required.","ogImage":"/images/plugins/turbot/terraform-social-graphic.png","org":"turbot","name":"terraform","version":"1.0.1","latestImageId":"sha256:391a9ebeb9677e6543796a30fec5aed1d8df70f876a469651d4c2a7824bc1d4c","latestVersion":"1.0.1","mods":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance","org":"turbot","name":"steampipe-mod-terraform-aws-compliance","title":"Terraform AWS Compliance","version":"v1.0.1","iconUrl":"/images/mods/turbot/terraform-aws-compliance.svg","brandColor":"#844FBA","description":"Run compliance and security controls to detect Terraform AWS resources deviating from security best practices prior to deployment in your AWS accounts using Powerpipe and Steampipe.."},{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance","org":"turbot","name":"steampipe-mod-terraform-azure-compliance","title":"Terraform Azure Compliance","version":"v1.0.1","iconUrl":"/images/mods/turbot/terraform-azure-compliance.svg","brandColor":"#844FBA","description":"Run compliance and security controls to detect Terraform Azure resources deviating from security best practices prior to deployment in your Azure subscriptions using Powerpipe and Steampipe."},{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance","org":"turbot","name":"steampipe-mod-terraform-gcp-compliance","title":"Terraform GCP Compliance","version":"v1.0.1","iconUrl":"/images/mods/turbot/terraform-gcp-compliance.svg","brandColor":"#844FBA","description":"Run compliance and security controls to detect Terraform GCP resources deviating from security best practices prior to deployment in your GCP projects using Powerpipe and Steampipe."},{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance","org":"turbot","name":"steampipe-mod-terraform-oci-compliance","title":"Terraform OCI Compliance","version":"v1.0.1","iconUrl":"/images/mods/turbot/terraform-oci-compliance.svg","brandColor":"#844FBA","description":"Run compliance and security controls to detect Terraform OCI resources deviating from security best practices prior to deployment in your OCI accounts using Powerpipe and Steampipe."}],"tables":[{"name":"terraform_data_source","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"arguments","type":"jsonb","description":"Data source arguments.","operators":[]},{"name":"count","type":"bigint","description":"The integer value for the count meta-argument if it's set as a number in a literal expression.","operators":[]},{"name":"count_src","type":"jsonb","description":"The count meta-argument accepts a whole number, and creates that many instances of the resource or module.","operators":[]},{"name":"depends_on","type":"jsonb","description":"Use the depends_on meta-argument to handle hidden data source or module dependencies that Terraform can't automatically infer.","operators":[]},{"name":"end_line","type":"bigint","description":"Ending line number.","operators":[]},{"name":"for_each","type":"jsonb","description":"The for_each meta-argument accepts a map or a set of strings, and creates an instance for each item in that map or set.","operators":[]},{"name":"name","type":"text","description":"Data source name.","operators":[]},{"name":"path","type":"text","description":"Path to the file.","operators":["="]},{"name":"provider","type":"text","description":"The provider meta-argument specifies which provider configuration to use for a data source, overriding Terraform's default behavior of selecting one based on the data source type name.","operators":[]},{"name":"source","type":"text","description":"The block source code.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"start_line","type":"bigint","description":"Starting line number.","operators":[]},{"name":"type","type":"text","description":"Data source type.","operators":[]}],"description":"Terraform data source information.","queriesCount":1,"examplesCount":2,"readme":"$19"},{"name":"terraform_local","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"end_line","type":"bigint","description":"Ending line number.","operators":[]},{"name":"name","type":"text","description":"Local name.","operators":[]},{"name":"path","type":"text","description":"Path to the file.","operators":["="]},{"name":"source","type":"text","description":"The block source code.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"start_line","type":"bigint","description":"Starting line number.","operators":[]},{"name":"value","type":"jsonb","description":"Local value.","operators":[]}],"description":"Terraform local information.","queriesCount":0,"examplesCount":1,"readme":"$1a"},{"name":"terraform_module","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"arguments","type":"jsonb","description":"Input arguments passed to this module.","operators":[]},{"name":"count","type":"bigint","description":"The integer value for the count meta-argument if it's set as a number in a literal expression.","operators":[]},{"name":"count_src","type":"jsonb","description":"The count meta-argument accepts a whole number, and creates that many instances of the resource or module.","operators":[]},{"name":"depends_on","type":"jsonb","description":"Use the depends_on meta-argument to handle hidden data source or module dependencies that Terraform can't automatically infer.","operators":[]},{"name":"end_line","type":"bigint","description":"Ending line number.","operators":[]},{"name":"for_each","type":"jsonb","description":"The for_each meta-argument accepts a map or a set of strings, and creates an instance for each item in that map or set.","operators":[]},{"name":"module_source","type":"text","description":"Module source","operators":[]},{"name":"name","type":"text","description":"Module name.","operators":[]},{"name":"path","type":"text","description":"Path to the file.","operators":["="]},{"name":"provider","type":"text","description":"The provider meta-argument specifies which provider configuration to use for a data source, overriding Terraform's default behavior of selecting one based on the data source type name.","operators":[]},{"name":"source","type":"text","description":"The block source code.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"start_line","type":"bigint","description":"Starting line number.","operators":[]},{"name":"version","type":"text","description":"Module version","operators":[]}],"description":"Terraform module information.","queriesCount":0,"examplesCount":1,"readme":"$1b"},{"name":"terraform_output","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"depends_on","type":"jsonb","description":"Use the depends_on meta-argument to handle hidden output or module dependencies that Terraform can't automatically infer.","operators":[]},{"name":"description","type":"text","description":"Because the output values of a module are part of its user interface, you can briefly describe the purpose of each value using the optional description argument.","operators":[]},{"name":"end_line","type":"bigint","description":"Ending line number.","operators":[]},{"name":"name","type":"text","description":"Output name.","operators":[]},{"name":"path","type":"text","description":"Path to the file.","operators":["="]},{"name":"sensitive","type":"boolean","description":"An output can be marked as containing sensitive material using the optional sensitive argument.","operators":[]},{"name":"source","type":"text","description":"The block source code.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"start_line","type":"bigint","description":"Starting line number.","operators":[]},{"name":"value","type":"jsonb","description":"The value argument takes an expression whose result is to be returned to the user.","operators":[]}],"description":"Terraform output information.","queriesCount":0,"examplesCount":2,"readme":"$1c"},{"name":"terraform_provider","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"alias","type":"text","description":"The alias meta-argument to provide an extra name segment.","operators":[]},{"name":"arguments","type":"jsonb","description":"Provider arguments.","operators":[]},{"name":"end_line","type":"bigint","description":"Ending line number.","operators":[]},{"name":"name","type":"text","description":"Provider name.","operators":[]},{"name":"path","type":"text","description":"Path to the file.","operators":["="]},{"name":"source","type":"text","description":"The block source code.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"start_line","type":"bigint","description":"Starting line number.","operators":[]},{"name":"version","type":"text","description":"The version meta-argument specifies a version constraint for a provider, and works the same way as the version argument in a required_providers block.","operators":[]}],"description":"Terraform provider information.","queriesCount":0,"examplesCount":2,"readme":"$1d"},{"name":"terraform_resource","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"address","type":"text","description":"The absolute resource address.","operators":[]},{"name":"arguments","type":"jsonb","description":"Resource arguments.","operators":[]},{"name":"attributes","type":"jsonb","description":"Resource attributes. The value will populate only for the resources that come from a state file.","operators":[]},{"name":"attributes_std","type":"jsonb","description":"Resource attributes. Contains the value from either the arguments or the attributes property.","operators":[]},{"name":"count","type":"bigint","description":"The integer value for the count meta-argument if it's set as a number in a literal expression.","operators":[]},{"name":"count_src","type":"jsonb","description":"The count meta-argument accepts a whole number, and creates that many instances of the resource or module.","operators":[]},{"name":"depends_on","type":"jsonb","description":"Use the depends_on meta-argument to handle hidden resource or module dependencies that Terraform can't automatically infer.","operators":[]},{"name":"end_line","type":"bigint","description":"Ending line number.","operators":[]},{"name":"for_each","type":"jsonb","description":"The for_each meta-argument accepts a map or a set of strings, and creates an instance for each item in that map or set.","operators":[]},{"name":"lifecycle","type":"jsonb","description":"The lifecycle meta-argument is a nested block that can appear within a resource block.","operators":[]},{"name":"mode","type":"text","description":"The type of resource Terraform creates, either a resource (managed) or data source (data).","operators":[]},{"name":"name","type":"text","description":"Resource name.","operators":[]},{"name":"path","type":"text","description":"Path to the file.","operators":["="]},{"name":"provider","type":"text","description":"The provider meta-argument specifies which provider configuration to use for a resource, overriding Terraform's default behavior of selecting one based on the resource type name.","operators":[]},{"name":"source","type":"text","description":"The block source code.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"start_line","type":"bigint","description":"Starting line number.","operators":[]},{"name":"type","type":"text","description":"Resource type.","operators":[]}],"description":"Terraform resource information.","queriesCount":809,"examplesCount":9,"readme":"$1e"},{"name":"terraform_variable","columns":[{"name":"_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"default_value","type":"jsonb","description":"The default value for the variable.","operators":[]},{"name":"description","type":"text","description":"Because the variable values of a module are part of its user interface, you can briefly describe the purpose of each value using the optional description argument.","operators":[]},{"name":"end_line","type":"bigint","description":"Ending line number.","operators":[]},{"name":"name","type":"text","description":"The variable name.","operators":[]},{"name":"path","type":"text","description":"Path to the file.","operators":["="]},{"name":"sensitive","type":"boolean","description":"An variable can be marked as containing sensitive material using the optional sensitive argument.","operators":[]},{"name":"source","type":"text","description":"The block source code.","operators":[]},{"name":"sp_connection_name","type":"text","description":"Steampipe connection name.","operators":["=","!=","~~","~~*","!~~","!~~*"]},{"name":"sp_ctx","type":"jsonb","description":"Steampipe context in JSON form.","operators":[]},{"name":"start_line","type":"bigint","description":"Starting line number.","operators":[]},{"name":"type","type":"text","description":"The variable type.","operators":[]},{"name":"validation","type":"text","description":"The validation applied on the variable.","operators":[]}],"description":"Terraform variable information.","queriesCount":0,"examplesCount":2,"readme":"$1f"}],"queries":{"cloud_watch":{"cloudwatch_destination_policy_wildcards":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudwatch_destination_policy_wildcards","org":"turbot","name":"cloudwatch_destination_policy_wildcards","sql":"with access_policy as (\n select\n name\n from\n terraform_data_source\n where\n type = 'aws_iam_policy_document'\n and (arguments -> 'statement' ->> 'actions') like '%*%'\n), cloudwatch_log_destination_policy as (\n select\n name,\n type,\n address,\n path,\n start_line,\n _ctx,\n split_part((attributes_std ->> 'access_policy')::text, '.', 3) as ap\n from\n terraform_resource\n where\n type = 'aws_cloudwatch_log_destination_policy'\n)\nselect\n a.address as resource,\n case\n when e.name is null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when e.name is null then ' policy is ok'\n else ' policy is not ok'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n cloudwatch_log_destination_policy as a\n left join access_policy as e on a.ap = e.name;\n","tags":{},"tables":["terraform.terraform_data_source","terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudwatch.pp","startLineNumber":29,"endLineNumber":68,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudwatch_destination_policy_wildcards","org":"turbot","name":"cloudwatch_destination_policy_wildcards","mod":"Terraform AWS Compliance","title":"Ensure CloudWatch Logs destination policy has no wildcards","description":"Amazon CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudWatch"}}],"controlTitle":"Ensure CloudWatch Logs destination policy has no wildcards","controlDescription":"Amazon CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudWatch"}},"log_group_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/log_group_encryption_at_rest_enabled","org":"turbot","name":"log_group_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is not null then ' encrypted at rest'\n else ' not encrypted at rest'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudwatch_log_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudwatch.pp","startLineNumber":92,"endLineNumber":111,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.log_group_encryption_at_rest_enabled","org":"turbot","name":"log_group_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"Log group encryption at rest should be enabled","description":"To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Group.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/CloudWatch","soc_2":"true"}}],"controlTitle":"Log group encryption at rest should be enabled","controlDescription":"To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Group.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/CloudWatch","soc_2":"true"}},"cloudwatch_log_group_retention_period_365":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudwatch_log_group_retention_period_365","org":"turbot","name":"cloudwatch_log_group_retention_period_365","sql":"select\n address as resource,\n case\n when (attributes_std -> 'retention_in_days') is null or (attributes_std -> 'retention_in_days')::int < 365 then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'retention_in_days') is null then ' retention period not set'\n when (attributes_std -> 'retention_in_days')::int < 365 then ' retention period less than 365 days'\n else ' retention period 365 days or above'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudwatch_log_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudwatch.pp","startLineNumber":70,"endLineNumber":90,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudwatch_log_group_retention_period_365","org":"turbot","name":"cloudwatch_log_group_retention_period_365","mod":"Terraform AWS Compliance","title":"Log group retention period should be at least 365 days","description":"Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/CloudWatch","soc_2":"true"}}],"controlTitle":"Log group retention period should be at least 365 days","controlDescription":"Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/CloudWatch","soc_2":"true"}},"cloudwatch_log_group_retention":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudwatch_log_group_retention","org":"turbot","name":"cloudwatch_log_group_retention","sql":"select\n address as resource,\n case\n when (attributes_std -> 'retention_in_days') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'retention_in_days') is null then ' retention period not set'\n else ' retention period set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudwatch_log_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudwatch.pp","startLineNumber":113,"endLineNumber":132,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudwatch_log_group_retention","org":"turbot","name":"cloudwatch_log_group_retention","mod":"Terraform AWS Compliance","title":"Log group retention period should be set","description":"Ensure that CloudWatch Log Group specifies retention days.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudWatch"}}],"controlTitle":"Log group retention period should be set","controlDescription":"Ensure that CloudWatch Log Group specifies retention days.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/CloudWatch"}},"cloudwatch_alarm_action_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/cloudwatch_alarm_action_enabled","org":"turbot","name":"cloudwatch_alarm_action_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'alarm_actions') is null\n and (attributes_std -> 'insufficient_data_actions') is null\n and (attributes_std -> 'ok_actions') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'alarm_actions') is null\n and (attributes_std -> 'insufficient_data_actions') is null\n and (attributes_std -> 'ok_actions') is null then ' no action enabled'\n when (attributes_std -> 'alarm_actions') is not null then ' alarm action enabled'\n when (attributes_std -> 'insufficient_data_actions') is not null then ' insufficient data action enabled.'\n when (attributes_std -> 'ok_actions') is not null then ' ok action enabled.'\n else ' action enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_cloudwatch_metric_alarm';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudwatch.pp","startLineNumber":1,"endLineNumber":27,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.cloudwatch_alarm_action_enabled","org":"turbot","name":"cloudwatch_alarm_action_enabled","mod":"Terraform AWS Compliance","title":"CloudWatch alarm action should be enabled","description":"Amazon CloudWatch alarms alert when a metric breaches the threshold for a specified number of evaluation periods. The alarm performs one or more actions based on the value of the metric or expression relative to a threshold over a number of time periods.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/CloudWatch","soc_2":"true"}}],"controlTitle":"CloudWatch alarm action should be enabled","controlDescription":"Amazon CloudWatch alarms alert when a metric breaches the threshold for a specified number of evaluation periods. The alarm performs one or more actions based on the value of the metric or expression relative to a threshold over a number of time periods.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/CloudWatch","soc_2":"true"}}},"object_storage":{"objectstorage_bucket_versioning_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/objectstorage_bucket_versioning_enabled","org":"turbot","name":"objectstorage_bucket_versioning_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'versioning') = 'Enabled'\n then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'versioning') = 'Enabled'\n then ' has versioning enabled'\n else ' has versioning disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_objectstorage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/objectstorage.pp","startLineNumber":45,"endLineNumber":66,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v120_4_1_3","org":"turbot","name":"cis_v120_4_1_3","mod":"Oracle Cloud Infrastructure Compliance","title":"4.1.3 Ensure Versioning is Enabled for Object Storage Buckets","description":"A bucket is a logical container for storing objects. Object versioning is enabled at the bucket level and is disabled by default upon creation. Versioning directs Object Storage to automatically create an object version each time a new object is uploaded, an existing object is overwritten, or when an object is deleted. You can enable object versioning at bucket creation time or later.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.1.3","cis_level":"1","cis_section_id":"4.1","cis_type":"manual","cis_version":"v1.2.0","plugin":"oci","service":"OCI/ObjectStorage"}},{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v200_5_1_3","org":"turbot","name":"cis_v200_5_1_3","mod":"Oracle Cloud Infrastructure Compliance","title":"5.1.3 Ensure Versioning is Enabled for Object Storage Buckets","description":"A bucket is a logical container for storing objects. Object versioning is enabled at the bucket level and is disabled by default upon creation. Versioning directs Object Storage to automatically create an object version each time a new object is uploaded, an existing object is overwritten, or when an object is deleted. You can enable object versioning at bucket creation time or later.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.3","cis_level":"2","cis_section_id":"5.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"oci","service":"OCI/ObjectStorage"}}],"controlTitle":"4.1.3 Ensure Versioning is Enabled for Object Storage Buckets","controlDescription":"A bucket is a logical container for storing objects. Object versioning is enabled at the bucket level and is disabled by default upon creation. Versioning directs Object Storage to automatically create an object version each time a new object is uploaded, an existing object is overwritten, or when an object is deleted. You can enable object versioning at bucket creation time or later.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.3","cis_level":"2","cis_section_id":"5.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"oci","service":"OCI/ObjectStorage"}},"objectstorage_bucket_public_access_blocked":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/objectstorage_bucket_public_access_blocked","org":"turbot","name":"objectstorage_bucket_public_access_blocked","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'access_type') in ('ObjectRead', 'ObjectReadWithoutList')\n then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'access_type') in ('ObjectRead', 'ObjectReadWithoutList')\n then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_objectstorage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/objectstorage.pp","startLineNumber":22,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v110_4_1","org":"turbot","name":"cis_v110_4_1","mod":"Oracle Cloud Infrastructure Compliance","title":"4.1 Ensure no Object Storage buckets are publicly visible","description":"A bucket is a logical container for storing objects. It is associated with a single compartment that has policies that determine what action a user can perform on a bucket and on all the objects in the bucket. It is recommended that no bucket be publicly accessible.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.1","cis_level":"1","cis_section_id":"4","cis_type":"manual","cis_version":"v1.1.0","plugin":"oci","service":"OCI/ObjectStorage"}},{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v120_4_1_1","org":"turbot","name":"cis_v120_4_1_1","mod":"Oracle Cloud Infrastructure Compliance","title":"4.1.1 Ensure no Object Storage buckets are publicly visible","description":"A bucket is a logical container for storing objects. It is associated with a single compartment that has policies that determine what action a user can perform on a bucket and on all the objects in the bucket. It is recommended that no bucket be publicly accessible.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.1.1","cis_level":"1","cis_section_id":"4.1","cis_type":"manual","cis_version":"v1.2.0","plugin":"oci","service":"OCI/ObjectStorage"}},{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v200_5_1_1","org":"turbot","name":"cis_v200_5_1_1","mod":"Oracle Cloud Infrastructure Compliance","title":"5.1.1 Ensure no Object Storage buckets are publicly visible","description":"A bucket is a logical container for storing objects. It is associated with a single compartment that has policies that determine what action a user can perform on a bucket and on all the objects in the bucket. By Default a newly created bucket is private. It is recommended that no bucket be publicly accessible..","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.1","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"oci","service":"OCI/ObjectStorage"}}],"controlTitle":"4.1 Ensure no Object Storage buckets are publicly visible","controlDescription":"A bucket is a logical container for storing objects. It is associated with a single compartment that has policies that determine what action a user can perform on a bucket and on all the objects in the bucket. It is recommended that no bucket be publicly accessible.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.1","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"oci","service":"OCI/ObjectStorage"}},"objectstorage_bucket_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/objectstorage_bucket_encryption_enabled","org":"turbot","name":"objectstorage_bucket_encryption_enabled","sql":"select\n address as resource,\n case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_objectstorage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/objectstorage.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.objectstorage_bucket_encryption_enabled","org":"turbot","name":"objectstorage_bucket_encryption_enabled","mod":"Terraform OCI Compliance","title":"Object Storage bucket encryption should be enabled","description":"Ensure that the Object storage buckets are encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/ObjectStorage"}}],"controlTitle":"Object Storage bucket encryption should be enabled","controlDescription":"Ensure that the Object storage buckets are encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/ObjectStorage"}},"objectstorage_bucket_object_events_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/objectstorage_bucket_object_events_enabled","org":"turbot","name":"objectstorage_bucket_object_events_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'object_events_enabled')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'object_events_enabled')::bool then ' object events enabled'\n else ' object events disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_objectstorage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/objectstorage.pp","startLineNumber":68,"endLineNumber":87,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.objectstorage_bucket_object_events_enabled","org":"turbot","name":"objectstorage_bucket_object_events_enabled","mod":"Terraform OCI Compliance","title":"Object Storage bucket object events should be enabled","description":"This control checks whether the Object Storage bucket object events are enabled. Object events are used to track object state changes.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/ObjectStorage"}}],"controlTitle":"Object Storage bucket object events should be enabled","controlDescription":"This control checks whether the Object Storage bucket object events are enabled. Object events are used to track object state changes.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/ObjectStorage"}}},"identity":{"identity_authentication_password_policy_strong_min_length_14":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/identity_authentication_password_policy_strong_min_length_14","org":"turbot","name":"identity_authentication_password_policy_strong_min_length_14","sql":"$20","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/identity.pp","startLineNumber":1,"endLineNumber":28,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v200_1_4","org":"turbot","name":"cis_v200_1_4","mod":"Oracle Cloud Infrastructure Compliance","title":"1.4 Ensure IAM password policy requires minimum length of 14 or greater","description":"Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a certain length and are composed of certain characters. It is recommended the password policy require a minimum password length 14 characters and contain 1 non-alphabetic character (Number or 'Special Character').","tags":{"category":"Compliance","cis":"true","cis_item_id":"1.4","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v2.0.0","plugin":"oci","service":"OCI/Identity"}},{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v120_1_4","org":"turbot","name":"cis_v120_1_4","mod":"Oracle Cloud Infrastructure Compliance","title":"1.4 Ensure IAM password policy requires minimum length of 14 or greater","description":"Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a certain length and are composed of certain characters. It is recommended the password policy require a minimum password length 14 characters and contain 1 non-alphabetic character (Number or 'Special Character').","tags":{"category":"Compliance","cis":"true","cis_item_id":"1.4","cis_level":"1","cis_section_id":"1","cis_type":"manual","cis_version":"v1.2.0","plugin":"oci","service":"OCI/Identity"}},{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v110_1_4","org":"turbot","name":"cis_v110_1_4","mod":"Oracle Cloud Infrastructure Compliance","title":"1.4 Ensure IAM password policy requires minimum length of 14 or greater","description":"Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a certain length and are composed of certain characters. It is recommended the password policy require a minimum password length 14 characters and contain 1 non-alphabetic character (Number or 'Special Character').","tags":{"category":"Compliance","cis":"true","cis_item_id":"1.4","cis_level":"1","cis_section_id":"1","cis_type":"manual","cis_version":"v1.1.0","plugin":"oci","service":"OCI/Identity"}}],"controlTitle":"1.4 Ensure IAM password policy requires minimum length of 14 or greater","controlDescription":"Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a certain length and are composed of certain characters. It is recommended the password policy require a minimum password length 14 characters and contain 1 non-alphabetic character (Number or 'Special Character').","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"1.4","cis_level":"1","cis_section_id":"1","cis_type":"manual","cis_version":"v1.1.0","plugin":"oci","service":"OCI/Identity"}},"identity_authentication_password_policy_contains_special_characters":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/identity_authentication_password_policy_contains_special_characters","org":"turbot","name":"identity_authentication_password_policy_contains_special_characters","sql":"select\n address as resource,\n case\n when (attributes_std -> 'password_policy' ->> 'is_special_characters_required')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'password_policy' ->> 'is_special_characters_required')::boolean then ' contains special characters'\n else ' does not contain special characters'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_identity_authentication_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/identity.pp","startLineNumber":90,"endLineNumber":108,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.identity_authentication_password_policy_contains_special_characters","org":"turbot","name":"identity_authentication_password_policy_contains_special_characters","mod":"Terraform OCI Compliance","title":"IAM password policy should contain at least one special character","description":"This control checks whether the IAM password policy contains at least one special character.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Identity"}}],"controlTitle":"IAM password policy should contain at least one special character","controlDescription":"This control checks whether the IAM password policy contains at least one special character.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Identity"}},"identity_authentication_password_policy_contains_uppercase_characters":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/identity_authentication_password_policy_contains_uppercase_characters","org":"turbot","name":"identity_authentication_password_policy_contains_uppercase_characters","sql":"select\n address as resource,\n case\n when (attributes_std -> 'password_policy' ->> 'is_uppercase_characters_required')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'password_policy' ->> 'is_uppercase_characters_required')::boolean then ' contains uppercase characters'\n else ' does not contain uppercase characters'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_identity_authentication_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/identity.pp","startLineNumber":50,"endLineNumber":68,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.identity_authentication_password_policy_contains_uppercase_characters","org":"turbot","name":"identity_authentication_password_policy_contains_uppercase_characters","mod":"Terraform OCI Compliance","title":"IAM password policy should contain at least one uppercase character","description":"This control checks whether the IAM password policy contains at least one uppercase character.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Identity"}}],"controlTitle":"IAM password policy should contain at least one uppercase character","controlDescription":"This control checks whether the IAM password policy contains at least one uppercase character.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Identity"}},"identity_authentication_password_policy_contains_lowercase_characters":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/identity_authentication_password_policy_contains_lowercase_characters","org":"turbot","name":"identity_authentication_password_policy_contains_lowercase_characters","sql":"select\n address as resource,\n case\n when (attributes_std -> 'password_policy' ->> 'is_lowercase_characters_required')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'password_policy' ->> 'is_lowercase_characters_required')::boolean then ' contains lowercase characters'\n else ' does not contain lowercase characters'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_identity_authentication_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/identity.pp","startLineNumber":30,"endLineNumber":48,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.identity_authentication_password_policy_contains_lowercase_characters","org":"turbot","name":"identity_authentication_password_policy_contains_lowercase_characters","mod":"Terraform OCI Compliance","title":"IAM password policy should contain at least one lowercase character","description":"This control checks whether the IAM password policy contains at least one lowercase character.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Identity"}}],"controlTitle":"IAM password policy should contain at least one lowercase character","controlDescription":"This control checks whether the IAM password policy contains at least one lowercase character.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Identity"}},"identity_authentication_password_policy_contains_numeric_characters":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/identity_authentication_password_policy_contains_numeric_characters","org":"turbot","name":"identity_authentication_password_policy_contains_numeric_characters","sql":"select\n address as resource,\n case\n when (attributes_std -> 'password_policy' ->> 'is_numeric_characters_required')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'password_policy' ->> 'is_numeric_characters_required')::boolean then ' contains numeric characters'\n else ' does not contain numeric characters'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_identity_authentication_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/identity.pp","startLineNumber":70,"endLineNumber":88,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.identity_authentication_password_policy_contains_numeric_characters","org":"turbot","name":"identity_authentication_password_policy_contains_numeric_characters","mod":"Terraform OCI Compliance","title":"IAM password policy should contain at least one numeric character","description":"This control checks whether the IAM password policy contains at least one numeric character.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Identity"}}],"controlTitle":"IAM password policy should contain at least one numeric character","controlDescription":"This control checks whether the IAM password policy contains at least one numeric character.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Identity"}}},"cloud_guard":{"cloudguard_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/cloudguard_enabled","org":"turbot","name":"cloudguard_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'status') = 'ENABLED' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce((attributes_std ->> 'status'), '') = '' then ' ''status'' is not defined'\n when (attributes_std ->> 'status') = 'ENABLED' then ' CloudGuard enabled'\n else ' CloudGuard disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_cloud_guard_cloud_guard_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudguard.pp","startLineNumber":1,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v120_3_15","org":"turbot","name":"cis_v120_3_15","mod":"Oracle Cloud Infrastructure Compliance","title":"3.15 Ensure Cloud Guard is enabled in the root compartment of the tenancy","description":"Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard can suggest, assist, or take corrective actions to mitigate these issues. Cloud Guard should be enabled in the root compartment of your tenancy with the default configuration, activity detectors and responders.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.15","cis_level":"1","cis_section_id":"3","cis_type":"manual","cis_version":"v1.2.0","plugin":"oci","service":"OCI/CloudGuard"}},{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v110_3_15","org":"turbot","name":"cis_v110_3_15","mod":"Oracle Cloud Infrastructure Compliance","title":"3.15 Ensure Cloud Guard is enabled in the root compartment of the tenancy","description":"Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard can suggest, assist, or take corrective actions to mitigate these issues. Cloud Guard should be enabled in the root compartment of your tenancy with the default configuration, activity detectors and responders.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.15","cis_level":"1","cis_section_id":"3","cis_type":"manual","cis_version":"v1.1.0","plugin":"oci","service":"OCI/CloudGuard"}},{"path":"/mods/turbot/steampipe-mod-oci-compliance/benchmarks/control.cis_v200_4_14","org":"turbot","name":"cis_v200_4_14","mod":"Oracle Cloud Infrastructure Compliance","title":"4.14 Ensure Cloud Guard is enabled in the root compartment of the tenancy","description":"Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard can suggest, assist, or take corrective actions to mitigate these issues. Cloud Guard should be enabled in the root compartment of your tenancy with the default configuration, activity detectors and responders.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.14","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v2.0.0","plugin":"oci","service":"OCI/CloudGuard"}}],"controlTitle":"3.15 Ensure Cloud Guard is enabled in the root compartment of the tenancy","controlDescription":"Cloud Guard detects misconfigured resources and insecure activity within a tenancy and provides security administrators with the visibility to resolve these issues. Upon detection, Cloud Guard can suggest, assist, or take corrective actions to mitigate these issues. Cloud Guard should be enabled in the root compartment of your tenancy with the default configuration, activity detectors and responders.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.14","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v2.0.0","plugin":"oci","service":"OCI/CloudGuard"}}},"storage":{"storage_bucket_uniform_access_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/storage_bucket_uniform_access_enabled","org":"turbot","name":"storage_bucket_uniform_access_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'uniform_bucket_level_access')::boolean then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'uniform_bucket_level_access') is null then ' ''uniform_bucket_level_access'' is not defined'\n when (attributes_std ->> 'uniform_bucket_level_access')::boolean then ' uniform bucket-level access enabled'\n else ' uniform bucket-level access not enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_storage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":24,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_5_2","org":"turbot","name":"cis_v300_5_2","mod":"GCP Compliance","title":"5.2 Ensure That Cloud Storage Buckets Have Uniform BucketLevel Access Enabled","description":"It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"5.2","cis_level":"2","cis_section_id":"5","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Storage"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_5_2","org":"turbot","name":"cis_v200_5_2","mod":"GCP Compliance","title":"5.2 Ensure that Cloud Storage buckets have uniform bucket-level access enabled","description":"It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"5.2","cis_level":"2","cis_section_id":"5","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/Storage"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_5_2","org":"turbot","name":"cis_v130_5_2","mod":"GCP Compliance","title":"5.2 Ensure that Cloud Storage buckets have uniform bucket-level access enabled","description":"It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"5.2","cis_level":"2","cis_section_id":"5","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/Storage"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_5_2","org":"turbot","name":"cis_v120_5_2","mod":"GCP Compliance","title":"5.2 Ensure that Cloud Storage buckets have uniform bucket-level access enabled","description":"It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"5.2","cis_level":"2","cis_section_id":"5","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Storage"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.storage_bucket_uniform_access_enabled","org":"turbot","name":"storage_bucket_uniform_access_enabled","mod":"GCP Compliance","title":"Ensure that Cloud Storage buckets have uniform bucket-level access enabled","description":"It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.","tags":{"category":"Compliance","plugin":"gcp","service":"GCP/Storage"}}],"controlTitle":"Ensure that Cloud Storage buckets have uniform bucket-level access enabled","controlDescription":"It is recommended that uniform bucket-level access is enabled on Cloud Storage buckets.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"5.2","cis_level":"2","cis_section_id":"5","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Storage"}},"storage_bucket_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/storage_bucket_not_publicly_accessible","org":"turbot","name":"storage_bucket_not_publicly_accessible","sql":"select\n address as resource,\n case\n when coalesce(trim((attributes_std ->> 'entity')), '') like any (array ['', '%allAuthenticatedUsers%','%allUsers%'])\n then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce(trim((attributes_std ->> 'entity')), '') = '' then ' ''entity'' is not defined'\n when (attributes_std ->> 'entity') like any (array ['%allAuthenticatedUsers%','%allUsers%']) then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_storage_bucket_access_control';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_5_1","org":"turbot","name":"cis_v300_5_1","mod":"GCP Compliance","title":"5.1 Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible","description":"It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"5.1","cis_level":"1","cis_section_id":"5","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Storage"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_5_1","org":"turbot","name":"cis_v200_5_1","mod":"GCP Compliance","title":"5.1 Ensure that Cloud Storage bucket is not anonymously or publicly accessible","description":"It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"5.1","cis_level":"1","cis_section_id":"5","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/Storage"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_5_1","org":"turbot","name":"cis_v130_5_1","mod":"GCP Compliance","title":"5.1 Ensure that Cloud Storage bucket is not anonymously or publicly accessible","description":"It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"5.1","cis_level":"1","cis_section_id":"5","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/Storage"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_5_1","org":"turbot","name":"cis_v120_5_1","mod":"GCP Compliance","title":"5.1 Ensure that Cloud Storage bucket is not anonymously or publicly accessible","description":"It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"5.1","cis_level":"1","cis_section_id":"5","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Storage"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.storage_bucket_not_publicly_accessible","org":"turbot","name":"storage_bucket_not_publicly_accessible","mod":"GCP Compliance","title":"Ensure that Cloud Storage bucket is not anonymously or publicly accessible","description":"It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.","tags":{"category":"Compliance","nist_800_53_rev_5":"true","nist_csf_v10":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/Storage","soc_2_2017":"true"}}],"controlTitle":"Ensure that Cloud Storage bucket is not anonymously or publicly accessible","controlDescription":"It is recommended that IAM policy on Cloud Storage bucket does not allows anonymous or public access.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"5.1","cis_level":"1","cis_section_id":"5","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Storage","nist_800_53_rev_5":"true","nist_csf_v10":"true","pci_dss_v321":"true","soc_2_2017":"true"}},"storage_account_uses_private_link":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_uses_private_link","org":"turbot","name":"storage_account_uses_private_link","sql":"select\n address as resource,\n case\n when (attributes_std -> 'private_link_access') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'private_link_access') is null then ' does not use private link'\n else ' uses private link'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":272,"endLineNumber":291,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_10","org":"turbot","name":"cis_v210_3_10","mod":"Azure Compliance","title":"3.10 Ensure Private Endpoints are used to access Storage Accounts","description":"Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.10","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_3_10","org":"turbot","name":"cis_v200_3_10","mod":"Azure Compliance","title":"3.10 Ensure Private Endpoints are used to access Storage Accounts","description":"Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.10","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_3_10","org":"turbot","name":"cis_v150_3_10","mod":"Azure Compliance","title":"3.10 Ensure Private Endpoints are used to access Storage Accounts","description":"Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.10","cis_level":"1","cis_section_id":"3","cis_type":"manual","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_9","org":"turbot","name":"cis_v300_4_9","mod":"Azure Compliance","title":"4.9 Ensure Private Endpoints are used to access Storage Accounts","description":"Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.9","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_uses_private_link","org":"turbot","name":"storage_account_uses_private_link","mod":"Azure Compliance","title":"Storage accounts should use private link","description":"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Storage"}}],"controlTitle":"Storage accounts should use private link","controlDescription":"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.9","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true"}},"storage_account_uses_azure_resource_manager":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_uses_azure_resource_manager","org":"turbot","name":"storage_account_uses_azure_resource_manager","sql":"select\n address as resource,\n case\n when (attributes_std -> 'resource_group_name') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'resource_group_name') is null then ' does not use azure resource group manager'\n else ' uses azure resource group manager'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":360,"endLineNumber":379,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_uses_azure_resource_manager","org":"turbot","name":"storage_account_uses_azure_resource_manager","mod":"Azure Compliance","title":"Storage accounts should be migrated to new Azure Resource Manager resources","description":"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Storage"}}],"controlTitle":"Storage accounts should be migrated to new Azure Resource Manager resources","controlDescription":"Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Storage"}},"storage_account_use_virtual_service_endpoint":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_use_virtual_service_endpoint","org":"turbot","name":"storage_account_use_virtual_service_endpoint","sql":"with storage_account_network_rules as (\n select\n name,\n address,\n type,\n path,\n start_line,\n split_part((attributes_std ->> 'storage_account_name'), '.',2) as storage_account_name\n from\n terraform_resource\n where\n type = 'azurerm_storage_account_network_rules'\n and (attributes_std ->> 'default_action') = 'Deny'\n), storage_account_name as (\n select\n name,\n address,\n type,\n path,\n _ctx,\n start_line\n from\n terraform_resource\n where\n type = 'azurerm_storage_account'\n)\nselect\n san.address as resource,\n case\n when sanr.address is null then 'alarm'\n else 'ok'\n end status,\n split_part(san.address, '.', 2) || case\n when sanr.address is null then ' does not use virtual service endpoint'\n else ' uses virtual service endpoint'\n end || '.' reason\n \n , san.path || ':' || san.start_line\nfrom\n storage_account_name as san\n left join storage_account_network_rules as sanr on sanr.storage_account_name = san.name;\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":67,"endLineNumber":111,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_use_virtual_service_endpoint","org":"turbot","name":"storage_account_use_virtual_service_endpoint","mod":"Azure Compliance","title":"Storage Accounts should use a virtual network service endpoint","description":"This policy audits any Storage Account not configured to use a virtual network service endpoint.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Storage"}}],"controlTitle":"Storage Accounts should use a virtual network service endpoint","controlDescription":"This policy audits any Storage Account not configured to use a virtual network service endpoint.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/Storage"}},"storage_account_trusted_microsoft_services_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_trusted_microsoft_services_enabled","org":"turbot","name":"storage_account_trusted_microsoft_services_enabled","sql":"$21","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":203,"endLineNumber":247,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_3_7","org":"turbot","name":"cis_v140_3_7","mod":"Azure Compliance","title":"3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access","description":"Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.7","cis_level":"2","cis_section_id":"3","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_3_7","org":"turbot","name":"cis_v130_3_7","mod":"Azure Compliance","title":"3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access","description":"Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.7","cis_level":"2","cis_section_id":"3","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_9","org":"turbot","name":"cis_v210_3_9","mod":"Azure Compliance","title":"3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access","description":"Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.9","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_3_9","org":"turbot","name":"cis_v200_3_9","mod":"Azure Compliance","title":"3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access","description":"Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.9","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_3_9","org":"turbot","name":"cis_v150_3_9","mod":"Azure Compliance","title":"3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access","description":"Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Azure services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, and Azure SQL Data Warehouse (when registered in the subscription).","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.9","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_8","org":"turbot","name":"cis_v300_4_8","mod":"Azure Compliance","title":"4.8 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access","description":"Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.8","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_trusted_microsoft_services_enabled","org":"turbot","name":"storage_account_trusted_microsoft_services_enabled","mod":"Azure Compliance","title":"Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access","description":"Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account.","tags":{"service":"Azure/Storage"}}],"controlTitle":"Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access","controlDescription":"Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.8","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},"storage_account_secure_transfer_required_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_secure_transfer_required_enabled","org":"turbot","name":"storage_account_secure_transfer_required_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enable_https_traffic_only') is null then 'ok'\n when (attributes_std -> 'enable_https_traffic_only')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enable_https_traffic_only') is null then ' encryption in transit enabled'\n when (attributes_std -> 'enable_https_traffic_only')::bool then ' encryption in transit enabled'\n else ' encryption in transit not enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":337,"endLineNumber":358,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_1","org":"turbot","name":"cis_v210_3_1","mod":"Azure Compliance","title":"3.1 Ensure that 'Secure transfer required' is set to 'Enabled'","description":"Enable data encryption in transit.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_3_1","org":"turbot","name":"cis_v200_3_1","mod":"Azure Compliance","title":"3.1 Ensure that 'Secure transfer required' is set to 'Enabled'","description":"Enable data encryption in transit.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_3_1","org":"turbot","name":"cis_v150_3_1","mod":"Azure Compliance","title":"3.1 Ensure that 'Secure transfer required' is set to 'Enabled'","description":"Enable data encryption in transit.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_3_1","org":"turbot","name":"cis_v140_3_1","mod":"Azure Compliance","title":"3.1 Ensure that 'Secure transfer required' is set to 'Enabled'","description":"Enable data encryption in transit.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_3_1","org":"turbot","name":"cis_v130_3_1","mod":"Azure Compliance","title":"3.1 Ensure that 'Secure transfer required' is set to 'Enabled'","description":"Enable data encryption in transit.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_1","org":"turbot","name":"cis_v300_4_1","mod":"Azure Compliance","title":"4.1 Ensure that 'Secure transfer required' is set to 'Enabled'","description":"Enable data encryption in transit.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.1","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_secure_transfer_required_enabled","org":"turbot","name":"storage_account_secure_transfer_required_enabled","mod":"Azure Compliance","title":"Secure transfer to storage accounts should be enabled","description":"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Storage"}}],"controlTitle":"Secure transfer to storage accounts should be enabled","controlDescription":"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.1","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage","fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true"}},"storage_account_restrict_network_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_restrict_network_access","org":"turbot","name":"storage_account_restrict_network_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'network_rules') is null then 'alarm'\n when (attributes_std -> 'network_rules' ->> 'default_action') = 'Deny' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'network_rules') is null then ' allows network access'\n when (attributes_std -> 'network_rules' ->> 'default_action') = 'Deny' then ' restricts network access'\n else ' allows network access'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":314,"endLineNumber":335,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_restrict_network_access","org":"turbot","name":"storage_account_restrict_network_access","mod":"Azure Compliance","title":"Storage accounts should restrict network access using virtual network rules","description":"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Storage"}}],"controlTitle":"Storage accounts should restrict network access using virtual network rules","controlDescription":"Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Storage"}},"storage_account_queue_services_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_queue_services_logging_enabled","org":"turbot","name":"storage_account_queue_services_logging_enabled","sql":"$22","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":44,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_3_3","org":"turbot","name":"cis_v140_3_3","mod":"Azure Compliance","title":"3.3 Ensure Storage logging is enabled for Queue service for 'Read', 'Write', and 'Delete' requests","description":"The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.3","cis_level":"2","cis_section_id":"3","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_3_3","org":"turbot","name":"cis_v130_3_3","mod":"Azure Compliance","title":"3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests","description":"The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.3","cis_level":"2","cis_section_id":"3","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_5","org":"turbot","name":"cis_v210_3_5","mod":"Azure Compliance","title":"3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests","description":"The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.5","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_3_5","org":"turbot","name":"cis_v200_3_5","mod":"Azure Compliance","title":"3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests","description":"The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.5","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_3_5","org":"turbot","name":"cis_v150_3_5","mod":"Azure Compliance","title":"3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' request","description":"The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.5","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_12","org":"turbot","name":"cis_v300_4_12","mod":"Azure Compliance","title":"4.12 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests","description":"The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.12","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_queue_services_logging_enabled","org":"turbot","name":"storage_account_queue_services_logging_enabled","mod":"Azure Compliance","title":"Ensure Storage logging is enabled for Queue service for read, write, and delete requests","description":"The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.","tags":{"service":"Azure/Storage"}}],"controlTitle":"Ensure Storage logging is enabled for Queue service for read, write, and delete requests","controlDescription":"The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.12","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},"storage_account_infrastructure_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_infrastructure_encryption_enabled","org":"turbot","name":"storage_account_infrastructure_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'infrastructure_encryption_enabled') is null then 'alarm'\n when (attributes_std -> 'infrastructure_encryption_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'infrastructure_encryption_enabled') is null then ' ''infrastructure_encryption_enabled'' parameter not defined'\n when (attributes_std -> 'infrastructure_encryption_enabled')::bool then ' infrastructure encryption enabled'\n else ' infrastructure encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":134,"endLineNumber":155,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_2","org":"turbot","name":"cis_v210_3_2","mod":"Azure Compliance","title":"3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'","description":"Enabling encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.2","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_3_2","org":"turbot","name":"cis_v200_3_2","mod":"Azure Compliance","title":"3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'","description":"Enabling encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.2","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_3_2","org":"turbot","name":"cis_v150_3_2","mod":"Azure Compliance","title":"3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to ‘enabled’","description":"Enabling double encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.2","cis_level":"2","cis_section_id":"3","cis_type":"manual","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_2","org":"turbot","name":"cis_v300_4_2","mod":"Azure Compliance","title":"4.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'","description":"Enabling encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.2","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_infrastructure_encryption_enabled","org":"turbot","name":"storage_account_infrastructure_encryption_enabled","mod":"Azure Compliance","title":"Storage accounts should have infrastructure encryption","description":"Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Storage"}}],"controlTitle":"Storage accounts should have infrastructure encryption","controlDescription":"Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.2","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true"}},"storage_account_encryption_scopes_encrypted_at_rest_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_encryption_scopes_encrypted_at_rest_with_cmk","org":"turbot","name":"storage_account_encryption_scopes_encrypted_at_rest_with_cmk","sql":"select\n address as resource,\n case\n when name in (select split_part((attributes_std ->> 'storage_account_id'), '.', 2) from terraform_resource where type = 'azurerm_storage_encryption_scope' and (attributes_std ->> 'source') = 'Microsoft.KeyVault') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when name in (select split_part((attributes_std ->> 'storage_account_id'), '.', 2) from terraform_resource where type = 'azurerm_storage_encryption_scope' and (attributes_std ->> 'source') = 'Microsoft.KeyVault') then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":293,"endLineNumber":312,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_encryption_scopes_encrypted_at_rest_with_cmk","org":"turbot","name":"storage_account_encryption_scopes_encrypted_at_rest_with_cmk","mod":"Azure Compliance","title":"Storage account encryption scopes should use customer-managed keys to encrypt data at rest","description":"Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Storage"}}],"controlTitle":"Storage account encryption scopes should use customer-managed keys to encrypt data at rest","controlDescription":"Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Storage"}},"storage_account_encryption_at_rest_using_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_encryption_at_rest_using_cmk","org":"turbot","name":"storage_account_encryption_at_rest_using_cmk","sql":"select\n address as resource,\n case\n when name in (select split_part((attributes_std ->> 'storage_account_id'), '.', 2) from terraform_resource where type = 'azurerm_storage_account_customer_managed_key') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when name in (select split_part((attributes_std ->> 'storage_account_id'), '.', 2) from terraform_resource where type = 'azurerm_storage_account_customer_managed_key') then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":113,"endLineNumber":132,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_12","org":"turbot","name":"cis_v210_3_12","mod":"Azure Compliance","title":"3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys","description":"Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.12","cis_level":"2","cis_section_id":"3","cis_type":"manual","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_3_12","org":"turbot","name":"cis_v200_3_12","mod":"Azure Compliance","title":"3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys","description":"Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.12","cis_level":"2","cis_section_id":"3","cis_type":"manual","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_3_12","org":"turbot","name":"cis_v150_3_12","mod":"Azure Compliance","title":"3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys","description":"Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.12","cis_level":"2","cis_section_id":"3","cis_type":"manual","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_3_9","org":"turbot","name":"cis_v140_3_9","mod":"Azure Compliance","title":"3.9 Ensure storage for critical data are encrypted with Customer Managed Key","description":"Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.9","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_3_9","org":"turbot","name":"cis_v130_3_9","mod":"Azure Compliance","title":"3.9 Ensure storage for critical data are encrypted with Customer Managed Key","description":"Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.9","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_11","org":"turbot","name":"cis_v300_4_11","mod":"Azure Compliance","title":"4.11 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys","description":"Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.11","cis_level":"2","cis_section_id":"4","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_encryption_at_rest_using_cmk","org":"turbot","name":"storage_account_encryption_at_rest_using_cmk","mod":"Azure Compliance","title":"Storage accounts should use customer-managed key for encryption","description":"Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Storage"}}],"controlTitle":"Storage accounts should use customer-managed key for encryption","controlDescription":"Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.11","cis_level":"2","cis_section_id":"4","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true"}},"storage_account_default_network_access_rule_denied":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_default_network_access_rule_denied","org":"turbot","name":"storage_account_default_network_access_rule_denied","sql":"select\n address as resource,\n case\n when (attributes_std -> 'network_rules') is null then 'alarm'\n when (attributes_std -> 'network_rules' ->> 'default_action') = 'Allow' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'network_rules') is null then ' has no network rules defined'\n when (attributes_std -> 'network_rules' ->> 'default_action') = 'Allow' then ' allows traffic from specific networks'\n else ' allows network access'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":180,"endLineNumber":201,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_3_6","org":"turbot","name":"cis_v140_3_6","mod":"Azure Compliance","title":"3.6 Ensure default network access rule for Storage Accounts is set to deny","description":"Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.6","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_3_6","org":"turbot","name":"cis_v130_3_6","mod":"Azure Compliance","title":"3.6 Ensure default network access rule for Storage Accounts is set to deny","description":"Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.6","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_8","org":"turbot","name":"cis_v210_3_8","mod":"Azure Compliance","title":"3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny","description":"Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.8","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_3_8","org":"turbot","name":"cis_v200_3_8","mod":"Azure Compliance","title":"3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny","description":"Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.8","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_3_8","org":"turbot","name":"cis_v150_3_8","mod":"Azure Compliance","title":"3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny","description":"Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.8","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_7","org":"turbot","name":"cis_v300_4_7","mod":"Azure Compliance","title":"4.7 Ensure Default Network Access Rule for Storage Accounts is Set to Deny","description":"Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.7","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_default_network_access_rule_denied","org":"turbot","name":"storage_account_default_network_access_rule_denied","mod":"Azure Compliance","title":"Storage accounts should restrict network access","description":"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Storage"}}],"controlTitle":"Storage accounts should restrict network access","controlDescription":"Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.7","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage","fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true"}},"storage_account_block_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_block_public_access","org":"turbot","name":"storage_account_block_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'allow_blob_public_access') is null then 'ok'\n when (attributes_std -> 'allow_blob_public_access')::bool then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'allow_blob_public_access') is null then ' does not allow public access to the blobs or containers'\n when (attributes_std -> 'allow_blob_public_access')::bool then ' allows public access to all the blobs or containers'\n else ' does not allow public access to the blobs or containers'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":21,"endLineNumber":42,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_7","org":"turbot","name":"cis_v210_3_7","mod":"Azure Compliance","title":"3.7 Ensure that 'Public Network Access' is `Disabled' for storage accounts","description":"Disallowing public network access for a storage account overrides the public access settings for individual containers in that storage account for Azure Resource Manager Deployment Model storage accounts. Azure Storage accounts that use the classic deployment model will be retired on August 31, 2024.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.7","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_6","org":"turbot","name":"cis_v300_4_6","mod":"Azure Compliance","title":"4.6 Ensure that 'Public Network Access' is `Disabled' for storage accounts","description":"Disallowing public network access for a storage account overrides the public access settings for individual containers in that storage account for Azure Resource Manager Deployment Model storage accounts. Azure Storage accounts that use the classic deployment model will be retired on August 31, 2024.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.6","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_block_public_access","org":"turbot","name":"storage_account_block_public_access","mod":"Azure Compliance","title":"Storage account public access should be disallowed","description":"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Storage"}}],"controlTitle":"Storage account public access should be disallowed","controlDescription":"Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.6","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true"}},"storage_account_blob_service_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_blob_service_logging_enabled","org":"turbot","name":"storage_account_blob_service_logging_enabled","sql":"$23","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":249,"endLineNumber":270,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_3_10","org":"turbot","name":"cis_v140_3_10","mod":"Azure Compliance","title":"3.10 Ensure Storage logging is enabled for Blob service for 'Read', 'Write', and 'Delete' requests","description":"The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.10","cis_level":"2","cis_section_id":"3","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_3_10","org":"turbot","name":"cis_v130_3_10","mod":"Azure Compliance","title":"3.10 Ensure Storage logging is enabled for Blob service for read, write, and delete requests","description":"The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.10","cis_level":"2","cis_section_id":"3","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_13","org":"turbot","name":"cis_v210_3_13","mod":"Azure Compliance","title":"3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests","description":"The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.13","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_3_13","org":"turbot","name":"cis_v200_3_13","mod":"Azure Compliance","title":"3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests","description":"The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.13","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_3_13","org":"turbot","name":"cis_v150_3_13","mod":"Azure Compliance","title":"3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests","description":"The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.13","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_13","org":"turbot","name":"cis_v300_4_13","mod":"Azure Compliance","title":"4.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests","description":"The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.13","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_blob_service_logging_enabled","org":"turbot","name":"storage_account_blob_service_logging_enabled","mod":"Azure Compliance","title":"Ensure Storage logging is enabled for Blob service for read, write, and delete requests","description":"The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.","tags":{"service":"Azure/Storage"}}],"controlTitle":"Ensure Storage logging is enabled for Blob service for read, write, and delete requests","controlDescription":"The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.13","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},"storage_account_blob_containers_public_access_private":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_blob_containers_public_access_private","org":"turbot","name":"storage_account_blob_containers_public_access_private","sql":"select\n address as resource,\n case\n when (attributes_std -> 'allow_blob_public_access') is null then 'ok'\n when (attributes_std -> 'allow_blob_public_access')::bool then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'allow_blob_public_access') is null then ' does not allow public access to the blobs'\n when (attributes_std -> 'allow_blob_public_access')::bool then ' allows public access to all the blobs'\n else ' does not allow public access to the blobs'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":157,"endLineNumber":178,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_3_17","org":"turbot","name":"cis_v210_3_17","mod":"Azure Compliance","title":"3.17 Ensure that `Allow Blob Anonymous Access` is set to `Disabled`","description":"The Azure Storage setting 'Allow Blob Anonymous Access' (aka 'allowBlobPublicAccess') controls whether anonymous access is allowed for blob data in a storage account. When this property is set to True, it enables public read access to blob data, which can be convenient for sharing data but may carry security risks. When set to False, it disallows public access to blob data, providing a more secure storage environment.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.17","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_3_5","org":"turbot","name":"cis_v140_3_5","mod":"Azure Compliance","title":"3.5 Ensure that 'Public access level' is set to Private for blob containers","description":"Disable anonymous access to blob containers and disallow blob public access on storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.5","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_3_5","org":"turbot","name":"cis_v130_3_5","mod":"Azure Compliance","title":"3.5 Ensure that 'Public access level' is set to Private for blob containers","description":"Disable anonymous access to blob containers and disallow blob public access on storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.5","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_3_7","org":"turbot","name":"cis_v200_3_7","mod":"Azure Compliance","title":"3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers","description":"Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.7","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_3_7","org":"turbot","name":"cis_v150_3_7","mod":"Azure Compliance","title":"3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers","description":"Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.7","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_4_17","org":"turbot","name":"cis_v300_4_17","mod":"Azure Compliance","title":"4.17 Ensure that `Allow Blob Anonymous Access` is set to `Disabled`","description":"The Azure Storage setting 'Allow Blob Anonymous Access' (aka 'allowBlobPublicAccess') controls whether anonymous access is allowed for blob data in a storage account. When this property is set to True, it enables public read access to blob data, which can be convenient for sharing data but may carry security risks. When set to False, it disallows public access to blob data, providing a more secure storage environment.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.17","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_account_blob_containers_public_access_private","org":"turbot","name":"storage_account_blob_containers_public_access_private","mod":"Azure Compliance","title":"Ensure that 'Public access level' is set to Private for blob containers","description":"Disable anonymous access to blob containers and disallow blob public access on storage account.","tags":{"service":"Azure/Storage"}}],"controlTitle":"Ensure that 'Public access level' is set to Private for blob containers","controlDescription":"Disable anonymous access to blob containers and disallow blob public access on storage account.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.17","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Storage"}},"storage_bucket_self_logging_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/storage_bucket_self_logging_disabled","org":"turbot","name":"storage_bucket_self_logging_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging') is null then 'skip'\n when (attributes_std -> 'logging' ->> 'log_bucket') = (attributes_std ->> 'name') then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging') is null then ' logging is undefined'\n when (attributes_std -> 'logging' ->> 'log_bucket') = (attributes_std ->> 'name') then ' self logging enabled'\n else ' self logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_storage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":87,"endLineNumber":108,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.storage_bucket_self_logging_disabled","org":"turbot","name":"storage_bucket_self_logging_disabled","mod":"Terraform GCP Compliance","title":"Storage buckets self logging should be disabled","description":"It is recommended that self logging should be disabled for storage buckets.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Storage"}}],"controlTitle":"Storage buckets self logging should be disabled","controlDescription":"It is recommended that self logging should be disabled for storage buckets.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Storage"}},"storage_bucket_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/storage_bucket_logging_enabled","org":"turbot","name":"storage_bucket_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging' ->> 'log_bucket') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging' ->> 'log_bucket') is not null then ' logging enabled'\n else ' logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_storage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":110,"endLineNumber":129,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.storage_bucket_logging_enabled","org":"turbot","name":"storage_bucket_logging_enabled","mod":"Terraform GCP Compliance","title":"Storage buckets logging should be enabled","description":"It is recommended that logging should be enabled for storage buckets.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Storage"}}],"controlTitle":"Storage buckets logging should be enabled","controlDescription":"It is recommended that logging should be enabled for storage buckets.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Storage"}},"storage_bucket_public_access_prevention_enforced":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/storage_bucket_public_access_prevention_enforced","org":"turbot","name":"storage_bucket_public_access_prevention_enforced","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_access_prevention') = 'enforced' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_access_prevention') = 'enforced' then ' public access prevention enforced'\n else ' public access prevention not enforced'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_storage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":45,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.storage_bucket_public_access_prevention_enforced","org":"turbot","name":"storage_bucket_public_access_prevention_enforced","mod":"Terraform GCP Compliance","title":"Storage buckets public access prevention should be enforced","description":"It is recommended that public access prevention should be enforced for storage buckets.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Storage"}}],"controlTitle":"Storage buckets public access prevention should be enforced","controlDescription":"It is recommended that public access prevention should be enforced for storage buckets.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Storage"}},"storage_bucket_versioning_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/storage_bucket_versioning_enabled","org":"turbot","name":"storage_bucket_versioning_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'versioning' ->> 'enabled') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'versioning' ->> 'enabled') = 'true' then ' versioning enabled'\n else ' versioning disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_storage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":66,"endLineNumber":85,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.storage_bucket_versioning_enabled","org":"turbot","name":"storage_bucket_versioning_enabled","mod":"Terraform GCP Compliance","title":"Storage buckets versioning should be enabled","description":"It is recommended that versioning should be enabled for storage buckets.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Storage"}}],"controlTitle":"Storage buckets versioning should be enabled","controlDescription":"It is recommended that versioning should be enabled for storage buckets.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Storage"}},"storage_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_azure_defender_enabled","org":"turbot","name":"storage_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'tier') = 'Standard' and (attributes_std ->> 'resource_type') = 'StorageAccounts' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'tier') = 'Standard' and (attributes_std ->> 'resource_type') = 'StorageAccounts' then ' Azure defender enabled for StorageAccount(s)'\n else ' Azure defender enabled for ' || (attributes_std ->> 'resource_type') || ''\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_azure_defender_enabled","org":"turbot","name":"storage_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for Storage should be enabled","description":"Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}}],"controlTitle":"Azure Defender for Storage should be enabled","controlDescription":"Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Storage"}}},"sql":{"sql_instance_sql_user_options_database_flag_not_configured":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_sql_user_options_database_flag_not_configured","org":"turbot","name":"sql_instance_sql_user_options_database_flag_not_configured","sql":"select\n address as resource,\n case\n when coalesce(trim((attributes_std ->> 'database_version')), '') = '' then 'alarm'\n when (attributes_std ->> 'database_version') not like 'SQLSERVER%' then 'skip'\n when (attributes_std -> 'settings' -> 'database_flags' ->> 'name') = 'user options'\n then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce(trim((attributes_std ->> 'database_version')), '') = ''\n then ' ''database_version'' is not defined'\n when (attributes_std ->> 'database_version') not like 'SQLSERVER%'\n then ' not a SQL Server database'\n when (attributes_std -> 'settings' -> 'database_flags' ->> 'name') = 'user options'\n then ' ''user options'' database flag set'\n else ' ''user options'' database flag not set'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_sql_database_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":153,"endLineNumber":179,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_6_3_4","org":"turbot","name":"cis_v300_6_3_4","mod":"GCP Compliance","title":"6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured","description":"It is recommended that, user options database flag for Cloud SQL SQL Server instance should not be configured.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.4","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_6_3_4","org":"turbot","name":"cis_v200_6_3_4","mod":"GCP Compliance","title":"6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured","description":"It is recommended that, user options database flag for Cloud SQL SQL Server instance should not be configured.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.4","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_6_3_4","org":"turbot","name":"cis_v130_6_3_4","mod":"GCP Compliance","title":"6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured","description":"It is recommended that, user options database flag for Cloud SQL SQL Server instance should not be configured.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.4","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_3_4","org":"turbot","name":"cis_v120_6_3_4","mod":"GCP Compliance","title":"6.3.4 Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured","description":"It is recommended that, user options database flag for Cloud SQL SQL Server instance should not be configured.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.4","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_sql_user_options_database_flag_not_configured","org":"turbot","name":"sql_instance_sql_user_options_database_flag_not_configured","mod":"GCP Compliance","title":"Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured","description":"It is recommended that, user options database flag for Cloud SQL SQL Server instance should not be configured.","tags":{"category":"Compliance","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/SQL","soc_2_2017":"true"}}],"controlTitle":"Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured","controlDescription":"It is recommended that, user options database flag for Cloud SQL SQL Server instance should not be configured.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.4","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL","nist_800_53_rev_5":"true","nist_csf_v10":"true","soc_2_2017":"true"}},"sql_instance_sql_remote_access_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_sql_remote_access_database_flag_off","org":"turbot","name":"sql_instance_sql_remote_access_database_flag_off","sql":"$24","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":371,"endLineNumber":407,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_6_3_5","org":"turbot","name":"cis_v300_6_3_5","mod":"GCP Compliance","title":"6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set remote access database flag for Cloud SQL SQL Server instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.5","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_6_3_5","org":"turbot","name":"cis_v200_6_3_5","mod":"GCP Compliance","title":"6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set remote access database flag for Cloud SQL SQL Server instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.5","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_6_3_5","org":"turbot","name":"cis_v130_6_3_5","mod":"GCP Compliance","title":"6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set remote access database flag for Cloud SQL SQL Server instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.5","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_3_5","org":"turbot","name":"cis_v120_6_3_5","mod":"GCP Compliance","title":"6.3.5 Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set remote access database flag for Cloud SQL SQL Server instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.5","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_sql_remote_access_database_flag_off","org":"turbot","name":"sql_instance_sql_remote_access_database_flag_off","mod":"GCP Compliance","title":"Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set remote access database flag for Cloud SQL SQL Server instance to off.","tags":{"category":"Compliance","nist_800_53_rev_5":"true","plugin":"gcp","service":"GCP/SQL","soc_2_2017":"true"}}],"controlTitle":"Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'","controlDescription":"It is recommended to set remote access database flag for Cloud SQL SQL Server instance to off.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.5","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL","nist_800_53_rev_5":"true","soc_2_2017":"true"}},"sql_instance_sql_external_scripts_enabled_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_sql_external_scripts_enabled_database_flag_off","org":"turbot","name":"sql_instance_sql_external_scripts_enabled_database_flag_off","sql":"$25","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":181,"endLineNumber":217,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_6_3_1","org":"turbot","name":"cis_v300_6_3_1","mod":"GCP Compliance","title":"6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off","description":"It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.1","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_6_3_1","org":"turbot","name":"cis_v200_6_3_1","mod":"GCP Compliance","title":"6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.1","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_6_3_1","org":"turbot","name":"cis_v130_6_3_1","mod":"GCP Compliance","title":"6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.1","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_3_1","org":"turbot","name":"cis_v120_6_3_1","mod":"GCP Compliance","title":"6.3.1 Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.1","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_sql_external_scripts_enabled_database_flag_off","org":"turbot","name":"sql_instance_sql_external_scripts_enabled_database_flag_off","mod":"GCP Compliance","title":"Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off.","tags":{"category":"Compliance","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/SQL","soc_2_2017":"true"}}],"controlTitle":"Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'","controlDescription":"It is recommended to set external scripts enabled database flag for Cloud SQL SQL Server instance to off.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.1","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL","nist_800_53_rev_5":"true","nist_csf_v10":"true","soc_2_2017":"true"}},"sql_instance_sql_cross_db_ownership_chaining_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_sql_cross_db_ownership_chaining_database_flag_off","org":"turbot","name":"sql_instance_sql_cross_db_ownership_chaining_database_flag_off","sql":"$26","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":39,"endLineNumber":75,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_6_3_2","org":"turbot","name":"cis_v300_6_3_2","mod":"GCP Compliance","title":"6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set cross db ownership chaining database flag for Cloud SQL SQL Server instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.2","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_6_3_2","org":"turbot","name":"cis_v200_6_3_2","mod":"GCP Compliance","title":"6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set cross db ownership chaining database flag for Cloud SQL SQL Server instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.2","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_6_3_2","org":"turbot","name":"cis_v130_6_3_2","mod":"GCP Compliance","title":"6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set cross db ownership chaining database flag for Cloud SQL SQL Server instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.2","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_3_2","org":"turbot","name":"cis_v120_6_3_2","mod":"GCP Compliance","title":"6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set cross db ownership chaining database flag for Cloud SQL SQL Server instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.2","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_sql_cross_db_ownership_chaining_database_flag_off","org":"turbot","name":"sql_instance_sql_cross_db_ownership_chaining_database_flag_off","mod":"GCP Compliance","title":"Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set cross db ownership chaining database flag for Cloud SQL SQL Server instance to off.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/SQL","soc_2_2017":"true"}}],"controlTitle":"Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'","controlDescription":"It is recommended to set cross db ownership chaining database flag for Cloud SQL SQL Server instance to off.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.2","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","soc_2_2017":"true"}},"sql_instance_sql_contained_database_authentication_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_sql_contained_database_authentication_database_flag_off","org":"turbot","name":"sql_instance_sql_contained_database_authentication_database_flag_off","sql":"$27","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":660,"endLineNumber":696,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_6_3_7","org":"turbot","name":"cis_v300_6_3_7","mod":"GCP Compliance","title":"6.3.7 Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is not set to 'on'","description":"It is recommended not to set contained database authentication database flag for Cloud SQL on the SQL Server instance to on.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.7","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_6_3_7","org":"turbot","name":"cis_v200_6_3_7","mod":"GCP Compliance","title":"6.3.7 Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'","description":"It is recommended to set contained database authentication database flag for Cloud SQL on the SQL Server instance is set to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.7","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_6_3_7","org":"turbot","name":"cis_v130_6_3_7","mod":"GCP Compliance","title":"6.3.7 Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'","description":"It is recommended to set contained database authentication database flag for Cloud SQL on the SQL Server instance is set to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.7","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_3_7","org":"turbot","name":"cis_v120_6_3_7","mod":"GCP Compliance","title":"6.3.7 Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'","description":"It is recommended to set contained database authentication database flag for Cloud SQL on the SQL Server instance is set to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.7","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_sql_contained_database_authentication_database_flag_off","org":"turbot","name":"sql_instance_sql_contained_database_authentication_database_flag_off","mod":"GCP Compliance","title":"Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'","description":"It is recommended to set contained database authentication database flag for Cloud SQL on the SQL Server instance is set to off.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/SQL","soc_2_2017":"true"}}],"controlTitle":"Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set to 'off'","controlDescription":"It is recommended to set contained database authentication database flag for Cloud SQL on the SQL Server instance is set to off.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.7","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","soc_2_2017":"true"}},"sql_instance_sql_3625_trace_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_sql_3625_trace_database_flag_off","org":"turbot","name":"sql_instance_sql_3625_trace_database_flag_off","sql":"$28","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":295,"endLineNumber":331,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_6_3_6","org":"turbot","name":"cis_v130_6_3_6","mod":"GCP Compliance","title":"6.3.6 Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set 3625 (trace flag) database flag for Cloud SQL SQL Server instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.6","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_3_6","org":"turbot","name":"cis_v120_6_3_6","mod":"GCP Compliance","title":"6.3.6 Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set 3625 (trace flag) database flag for Cloud SQL SQL Server instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.6","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_sql_3625_trace_database_flag_off","org":"turbot","name":"sql_instance_sql_3625_trace_database_flag_off","mod":"GCP Compliance","title":"Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'","description":"It is recommended to set 3625 (trace flag) database flag for Cloud SQL SQL Server instance to off.","tags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL","soc_2_2017":"true"}}],"controlTitle":"Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'","controlDescription":"It is recommended to set 3625 (trace flag) database flag for Cloud SQL SQL Server instance to off.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.3.6","cis_level":"1","cis_section_id":"6.3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL","soc_2_2017":"true"}},"sql_instance_require_ssl_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_require_ssl_enabled","org":"turbot","name":"sql_instance_require_ssl_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'settings' -> 'ip_configuration' ->> 'require_ssl')::boolean then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'settings') is null then ' ''settings'' is not defined'\n when (attributes_std -> 'settings' -> 'ip_configuration') is null then ' ''settings.ip_configuration'' is not defined'\n when (attributes_std -> 'settings' -> 'ip_configuration' ->> 'require_ssl') is null\n then ' ''settings.ip_configuration.require_ssl'' is not defined'\n when (attributes_std -> 'settings' -> 'ip_configuration' ->> 'require_ssl')::boolean then ' enforces SSL connections'\n else ' does not enforce SSL connections'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_sql_database_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":447,"endLineNumber":468,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_6_4","org":"turbot","name":"cis_v300_6_4","mod":"GCP Compliance","title":"6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL","description":"It is recommended to enforce all incoming connections to SQL database instance to use SSL.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.4","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_6_4","org":"turbot","name":"cis_v200_6_4","mod":"GCP Compliance","title":"6.4 Ensure that the Cloud SQL database instance requires all incoming connections to use SSL","description":"It is recommended to enforce all incoming connections to SQL database instance to use SSL.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.4","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_6_4","org":"turbot","name":"cis_v130_6_4","mod":"GCP Compliance","title":"6.4 Ensure that the Cloud SQL database instance requires all incoming connections to use SSL","description":"It is recommended to enforce all incoming connections to SQL database instance to use SSL.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.4","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_4","org":"turbot","name":"cis_v120_6_4","mod":"GCP Compliance","title":"6.4 Ensure that the Cloud SQL database instance requires all incoming connections to use SSL","description":"It is recommended to enforce all incoming connections to SQL database instance to use SSL.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.4","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.require_ssl_sql","org":"turbot","name":"require_ssl_sql","mod":"GCP Compliance","title":"Check if Cloud SQL instances have SSL turned on","tags":{"category":"Compliance","cft_scorecard_v1":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/SQL","severity":"high"}}],"controlTitle":"6.4 Ensure That the Cloud SQL Database Instance Requires All Incoming Connections To Use SSL","controlDescription":"It is recommended to enforce all incoming connections to SQL database instance to use SSL.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.4","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL","cft_scorecard_v1":"true","pci_dss_v321":"true","severity":"high"}},"sql_instance_postgresql_log_temp_files_database_flag_0":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_temp_files_database_flag_0","org":"turbot","name":"sql_instance_postgresql_log_temp_files_database_flag_0","sql":"$29","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":333,"endLineNumber":369,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_temp_files_database_flag_0","org":"turbot","name":"sql_instance_postgresql_log_temp_files_database_flag_0","mod":"GCP Compliance","title":"Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0'","description":"PostgreSQL can create a temporary file for actions such as sorting, hashing and temporary query results when these operations exceed work_mem. The log_temp_files flag controls logging names and the file size when it is deleted. Configuring log_temp_files to 0 causes all temporary file information to be logged, while positive values log only files whose size is greater than or equal to the specified number of kilobytes. A value of -1 disables temporary file information logging.","tags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_2_15","org":"turbot","name":"cis_v120_6_2_15","mod":"GCP Compliance","title":"6.2.15 Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0'","description":"PostgreSQL can create a temporary file for actions such as sorting, hashing and temporary query results when these operations exceed work_mem. The log_temp_files flag controls logging names and the file size when it is deleted. Configuring log_temp_files to 0 causes all temporary file information to be logged, while positive values log only files whose size is greater than or equal to the specified number of kilobytes. A value of -1 disables temporary file information logging.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.15","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL"}}],"controlTitle":"Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0'","controlDescription":"PostgreSQL can create a temporary file for actions such as sorting, hashing and temporary query results when these operations exceed work_mem. The log_temp_files flag controls logging names and the file size when it is deleted. Configuring log_temp_files to 0 causes all temporary file information to be logged, while positive values log only files whose size is greater than or equal to the specified number of kilobytes. A value of -1 disables temporary file information logging.","controlTags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL","benchmark":"cis","cis_item_id":"6.2.15","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0"}},"sql_instance_postgresql_log_statement_stats_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_statement_stats_database_flag_off","org":"turbot","name":"sql_instance_postgresql_log_statement_stats_database_flag_off","sql":"$2a","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":1,"endLineNumber":37,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_statement_stats_database_flag_off","org":"turbot","name":"sql_instance_postgresql_log_statement_stats_database_flag_off","mod":"GCP Compliance","title":"Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","description":"The log_statement_stats flag controls the inclusion of end-to-end performance statistics of a SQL query in the PostgreSQL logs for each query. This cannot be enabled with other module statistics (log_parser_stats, log_planner_stats, log_executor_stats).","tags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_2_12","org":"turbot","name":"cis_v120_6_2_12","mod":"GCP Compliance","title":"6.2.12 Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","description":"The log_statement_stats flag controls the inclusion of end to end performance statistics of a SQL query in the PostgreSQL logs for each query. This cannot be enabled with other module statistics (log_parser_stats, log_planner_stats, log_executor_stats).","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.12","cis_level":"2","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL"}}],"controlTitle":"Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","controlDescription":"The log_statement_stats flag controls the inclusion of end-to-end performance statistics of a SQL query in the PostgreSQL logs for each query. This cannot be enabled with other module statistics (log_parser_stats, log_planner_stats, log_executor_stats).","controlTags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL","benchmark":"cis","cis_item_id":"6.2.12","cis_level":"2","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0"}},"sql_instance_postgresql_log_planner_stats_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_planner_stats_database_flag_off","org":"turbot","name":"sql_instance_postgresql_log_planner_stats_database_flag_off","sql":"$2b","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":409,"endLineNumber":445,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_planner_stats_database_flag_off","org":"turbot","name":"sql_instance_postgresql_log_planner_stats_database_flag_off","mod":"GCP Compliance","title":"Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","description":"The same SQL query can be executed in multiple ways and still produce different results. The PostgreSQL planner/optimizer is responsible to create an optimal execution plan for each query. The log_planner_stats flag controls the inclusion of PostgreSQL planner performance statistics in the PostgreSQL logs for each query.","tags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_2_10","org":"turbot","name":"cis_v120_6_2_10","mod":"GCP Compliance","title":"6.2.10 Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","description":"The same SQL query can be executed in multiple ways and still produce different results. The PostgreSQL planner/optimizer is responsible to create an optimal execution plan for each query. The log_planner_stats flag controls the inclusion of PostgreSQL planner performance statistics in the PostgreSQL logs for each query.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.10","cis_level":"2","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL"}}],"controlTitle":"Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","controlDescription":"The same SQL query can be executed in multiple ways and still produce different results. The PostgreSQL planner/optimizer is responsible to create an optimal execution plan for each query. The log_planner_stats flag controls the inclusion of PostgreSQL planner performance statistics in the PostgreSQL logs for each query.","controlTags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL","benchmark":"cis","cis_item_id":"6.2.10","cis_level":"2","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0"}},"sql_instance_postgresql_log_parser_stats_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_parser_stats_database_flag_off","org":"turbot","name":"sql_instance_postgresql_log_parser_stats_database_flag_off","sql":"$2c","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":115,"endLineNumber":151,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_parser_stats_database_flag_off","org":"turbot","name":"sql_instance_postgresql_log_parser_stats_database_flag_off","mod":"GCP Compliance","title":"Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","description":"The PostgreSQL planner/optimizer is responsible to parse and verify the syntax of each query received by the server. If the syntax is correct a parse tree is built up else an error is generated. The log_parser_stats flag controls the inclusion of parser performance statistics in the PostgreSQL logs for each query.","tags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_2_9","org":"turbot","name":"cis_v120_6_2_9","mod":"GCP Compliance","title":"6.2.9 Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","description":"The PostgreSQL planner/optimizer is responsible to parse and verify the syntax of each query received by the server. If the syntax is correct a parse tree is built up else an error is generated. The log_parser_stats flag controls the inclusion of parser performance statistics in the PostgreSQL logs for each query.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.9","cis_level":"2","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL"}}],"controlTitle":"Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","controlDescription":"The PostgreSQL planner/optimizer is responsible to parse and verify the syntax of each query received by the server. If the syntax is correct a parse tree is built up else an error is generated. The log_parser_stats flag controls the inclusion of parser performance statistics in the PostgreSQL logs for each query.","controlTags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL","benchmark":"cis","cis_item_id":"6.2.9","cis_level":"2","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0"}},"sql_instance_postgresql_log_min_duration_statement_database_flag_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_min_duration_statement_database_flag_disabled","org":"turbot","name":"sql_instance_postgresql_log_min_duration_statement_database_flag_disabled","sql":"$2d","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":584,"endLineNumber":620,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_2_16","org":"turbot","name":"cis_v120_6_2_16","mod":"GCP Compliance","title":"6.2.16 Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)","description":"The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.16","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_6_2_7","org":"turbot","name":"cis_v300_6_2_7","mod":"GCP Compliance","title":"6.2.7 Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1'","description":"The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.7","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_6_2_7","org":"turbot","name":"cis_v200_6_2_7","mod":"GCP Compliance","title":"6.2.7 Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)","description":"The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.7","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_6_2_8","org":"turbot","name":"cis_v130_6_2_8","mod":"GCP Compliance","title":"6.2.8 Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)","description":"The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.8","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_min_duration_statement_database_flag_disabled","org":"turbot","name":"sql_instance_postgresql_log_min_duration_statement_database_flag_disabled","mod":"GCP Compliance","title":"Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)","description":"The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set.","tags":{"category":"Compliance","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/SQL","soc_2_2017":"true"}}],"controlTitle":"Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1' (disabled)","controlDescription":"The log_min_duration_statement flag defines the minimum amount of execution time of a statement in milliseconds where the total duration of the statement is logged. Ensure that log_min_duration_statement is disabled, i.e., a value of -1 is set.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.8","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/SQL","nist_800_53_rev_5":"true","nist_csf_v10":"true","soc_2_2017":"true"}},"sql_instance_postgresql_log_lock_waits_database_flag_on":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_lock_waits_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_lock_waits_database_flag_on","sql":"$2e","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":698,"endLineNumber":734,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_lock_waits_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_lock_waits_database_flag_on","mod":"GCP Compliance","title":"Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Enabling the log_lock_waits flag for a PostgreSQL instance creates a log for any session waits that take longer than the allotted deadlock_timeout time to acquire a lock.","tags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_2_6","org":"turbot","name":"cis_v120_6_2_6","mod":"GCP Compliance","title":"6.2.6 Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Enabling the log_lock_waits flag for a PostgreSQL instance creates a log for any session waits that take longer than the alloted deadlock_timeout time to acquire a lock.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.6","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL"}}],"controlTitle":"Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'","controlDescription":"Enabling the log_lock_waits flag for a PostgreSQL instance creates a log for any session waits that take longer than the allotted deadlock_timeout time to acquire a lock.","controlTags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL","benchmark":"cis","cis_item_id":"6.2.6","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0"}},"sql_instance_postgresql_log_hostname_database_flag_configured":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_hostname_database_flag_configured","org":"turbot","name":"sql_instance_postgresql_log_hostname_database_flag_configured","sql":"$2f","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":219,"endLineNumber":255,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_hostname_database_flag_configured","org":"turbot","name":"sql_instance_postgresql_log_hostname_database_flag_configured","mod":"GCP Compliance","title":"Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately","description":"PostgreSQL logs only the IP address of the connecting hosts. The log_hostname flag controls the logging of hostnames in addition to the IP addresses logged. The performance hit is dependent on the configuration of the environment and the host name resolution setup. This parameter can only be set in the postgresql.conf file or on the server command line.","tags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_6_2_5","org":"turbot","name":"cis_v130_6_2_5","mod":"GCP Compliance","title":"6.2.5 Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately","description":"PostgreSQL logs only the IP address of the connecting hosts. The log_hostname flag controls the logging of hostnames in addition to the IP addresses logged. The performance hit is dependent on the configuration of the environment and the host name resolution setup. This parameter can only be set in the postgresql.conf file or on the server command line.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.5","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_2_8","org":"turbot","name":"cis_v120_6_2_8","mod":"GCP Compliance","title":"6.2.8 Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately","description":"PostgreSQL logs only the IP address of the connecting hosts. The log_hostname flag controls the logging of hostnames in addition to the IP addresses logged. The performance hit is dependent on the configuration of the environment and the host name resolution setup. This parameter can only be set in the postgresql.conf file or on the server command line.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.8","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL"}}],"controlTitle":"Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately","controlDescription":"PostgreSQL logs only the IP address of the connecting hosts. The log_hostname flag controls the logging of hostnames in addition to the IP addresses logged. The performance hit is dependent on the configuration of the environment and the host name resolution setup. This parameter can only be set in the postgresql.conf file or on the server command line.","controlTags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL","benchmark":"cis","cis_item_id":"6.2.8","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0"}},"sql_instance_postgresql_log_executor_stats_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_executor_stats_database_flag_off","org":"turbot","name":"sql_instance_postgresql_log_executor_stats_database_flag_off","sql":"$30","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":546,"endLineNumber":582,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_executor_stats_database_flag_off","org":"turbot","name":"sql_instance_postgresql_log_executor_stats_database_flag_off","mod":"GCP Compliance","title":"Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","description":"The PostgreSQL executor is responsible to execute the plan handed over by the PostgreSQL planner. The executor processes the plan recursively to extract the required set of rows. The log_executor_stats flag controls the inclusion of PostgreSQL executor performance statistics in the PostgreSQL logs for each query.","tags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_2_11","org":"turbot","name":"cis_v120_6_2_11","mod":"GCP Compliance","title":"6.2.11 Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","description":"The PostgreSQL executor is responsible to execute the plan handed over by the PostgreSQL planner. The executor processes the plan recursively to extract the required set of rows. The log_executor_stats flag controls the inclusion of PostgreSQL executor performance statistics in the PostgreSQL logs for each query.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.11","cis_level":"2","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL"}}],"controlTitle":"Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'","controlDescription":"The PostgreSQL executor is responsible to execute the plan handed over by the PostgreSQL planner. The executor processes the plan recursively to extract the required set of rows. The log_executor_stats flag controls the inclusion of PostgreSQL executor performance statistics in the PostgreSQL logs for each query.","controlTags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL","benchmark":"cis","cis_item_id":"6.2.11","cis_level":"2","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0"}},"sql_instance_postgresql_log_duration_database_flag_on":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_duration_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_duration_database_flag_on","sql":"$31","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":622,"endLineNumber":658,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_duration_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_duration_database_flag_on","mod":"GCP Compliance","title":"Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Enabling the log_duration setting causes the duration of each completed statement to be logged. This does not logs the text of the query and thus behaves different from the log_min_duration_statement flag. This parameter cannot be changed after session start.","tags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_2_5","org":"turbot","name":"cis_v120_6_2_5","mod":"GCP Compliance","title":"6.2.5 Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Enabling the log_duration setting causes the duration of each completed statement to be logged. This does not logs the text of the query and thus behaves different from the log_min_duration_statement flag. This parameter cannot be changed after session start.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.5","cis_level":"1","cis_section_id":"6.2","cis_type":"manual","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL"}}],"controlTitle":"Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'","controlDescription":"Enabling the log_duration setting causes the duration of each completed statement to be logged. This does not logs the text of the query and thus behaves different from the log_min_duration_statement flag. This parameter cannot be changed after session start.","controlTags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL","benchmark":"cis","cis_item_id":"6.2.5","cis_level":"1","cis_section_id":"6.2","cis_type":"manual","cis_version":"v1.2.0"}},"sql_instance_postgresql_log_disconnections_database_flag_on":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_disconnections_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_disconnections_database_flag_on","sql":"$32","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":508,"endLineNumber":544,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_6_2_3","org":"turbot","name":"cis_v300_6_2_3","mod":"GCP Compliance","title":"6.2.3 Ensure That the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'","description":"Enabling the log_disconnections setting logs the end of each session, including the session duration.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.3","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_6_2_3","org":"turbot","name":"cis_v200_6_2_3","mod":"GCP Compliance","title":"6.2.3 Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Enabling the log_disconnections setting logs the end of each session, including the session duration.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.3","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_6_2_3","org":"turbot","name":"cis_v130_6_2_3","mod":"GCP Compliance","title":"6.2.3 Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Enabling the log_disconnections setting logs the end of each session, including the session duration.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.3","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_2_4","org":"turbot","name":"cis_v120_6_2_4","mod":"GCP Compliance","title":"6.2.4 Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Enabling the log_disconnections setting logs the end of each session, including the session duration.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.4","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_disconnections_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_disconnections_database_flag_on","mod":"GCP Compliance","title":"Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Enabling the log_disconnections setting logs the end of each session, including the session duration.","tags":{"category":"Compliance","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/SQL","soc_2_2017":"true"}}],"controlTitle":"Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'","controlDescription":"Enabling the log_disconnections setting logs the end of each session, including the session duration.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.4","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL","nist_800_53_rev_5":"true","nist_csf_v10":"true","soc_2_2017":"true"}},"sql_instance_postgresql_log_connections_database_flag_on":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_connections_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_connections_database_flag_on","sql":"$33","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":77,"endLineNumber":113,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_6_2_2","org":"turbot","name":"cis_v300_6_2_2","mod":"GCP Compliance","title":"6.2.2 Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On'","description":"Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.2","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_6_2_2","org":"turbot","name":"cis_v200_6_2_2","mod":"GCP Compliance","title":"6.2.2 Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.2","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_6_2_2","org":"turbot","name":"cis_v130_6_2_2","mod":"GCP Compliance","title":"6.2.2 Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.2","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_2_3","org":"turbot","name":"cis_v120_6_2_3","mod":"GCP Compliance","title":"6.2.3 Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.3","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_connections_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_connections_database_flag_on","mod":"GCP Compliance","title":"Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.","tags":{"category":"Compliance","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/SQL","soc_2_2017":"true"}}],"controlTitle":"Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'","controlDescription":"Enabling the log_connections setting causes each attempted connection to the server to be logged, along with successful completion of client authentication. This parameter cannot be changed after the session starts.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.3","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL","nist_800_53_rev_5":"true","nist_csf_v10":"true","soc_2_2017":"true"}},"sql_instance_postgresql_log_checkpoints_database_flag_on":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_checkpoints_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_checkpoints_database_flag_on","sql":"$34","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":470,"endLineNumber":506,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_checkpoints_database_flag_on","org":"turbot","name":"sql_instance_postgresql_log_checkpoints_database_flag_on","mod":"GCP Compliance","title":"Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Ensure that the log_checkpoints database flag for the Cloud SQL PostgreSQL instance is set to on.","tags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_2_1","org":"turbot","name":"cis_v120_6_2_1","mod":"GCP Compliance","title":"6.2.1 Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'","description":"Ensure that the log_checkpoints database flag for the Cloud SQL PostgreSQL instance is set to on.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.2.1","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL"}}],"controlTitle":"Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'","controlDescription":"Ensure that the log_checkpoints database flag for the Cloud SQL PostgreSQL instance is set to on.","controlTags":{"category":"Compliance","plugin":"gcp","service":"GCP/SQL","benchmark":"cis","cis_item_id":"6.2.1","cis_level":"1","cis_section_id":"6.2","cis_type":"automated","cis_version":"v1.2.0"}},"sql_instance_mysql_skip_show_database_flag_on":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_mysql_skip_show_database_flag_on","org":"turbot","name":"sql_instance_mysql_skip_show_database_flag_on","sql":"$35","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":257,"endLineNumber":293,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_6_1_2","org":"turbot","name":"cis_v300_6_1_2","mod":"GCP Compliance","title":"6.1.2 Ensure 'Skip_show_database' Database Flag for Cloud SQL MySQL Instance Is Set to 'On'","description":"It is recommended to set skip_show_database database flag for Cloud SQL Mysql instance to on.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.1.2","cis_level":"1","cis_section_id":"6.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_6_1_2","org":"turbot","name":"cis_v200_6_1_2","mod":"GCP Compliance","title":"6.1.2 Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'","description":"It is recommended to set skip_show_database database flag for Cloud SQL Mysql instance to on.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.1.2","cis_level":"1","cis_section_id":"6.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_6_1_2","org":"turbot","name":"cis_v130_6_1_2","mod":"GCP Compliance","title":"6.1.2 Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'","description":"It is recommended to set skip_show_database database flag for Cloud SQL Mysql instance to on.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.1.2","cis_level":"1","cis_section_id":"6.1","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_1_2","org":"turbot","name":"cis_v120_6_1_2","mod":"GCP Compliance","title":"6.1.2 Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'","description":"It is recommended to set skip_show_database database flag for Cloud SQL Mysql instance to on.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.1.2","cis_level":"1","cis_section_id":"6.1","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_mysql_skip_show_database_flag_on","org":"turbot","name":"sql_instance_mysql_skip_show_database_flag_on","mod":"GCP Compliance","title":"Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'","description":"It is recommended to set skip_show_database database flag for Cloud SQL Mysql instance to on.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/SQL","soc_2_2017":"true"}}],"controlTitle":"Ensure 'skip_show_database' database flag for Cloud SQL Mysql instance is set to 'on'","controlDescription":"It is recommended to set skip_show_database database flag for Cloud SQL Mysql instance to on.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.1.2","cis_level":"1","cis_section_id":"6.1","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","soc_2_2017":"true"}},"sql_instance_mysql_local_infile_database_flag_off":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_mysql_local_infile_database_flag_off","org":"turbot","name":"sql_instance_mysql_local_infile_database_flag_off","sql":"$36","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":736,"endLineNumber":772,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_6_1_3","org":"turbot","name":"cis_v300_6_1_3","mod":"GCP Compliance","title":"6.1.3 Ensure That the 'Local_infile' Database Flag for a Cloud SQL MySQL Instance Is Set to 'Off'","description":"It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.1.3","cis_level":"1","cis_section_id":"6.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_6_1_3","org":"turbot","name":"cis_v200_6_1_3","mod":"GCP Compliance","title":"6.1.3 Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'","description":"It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.1.3","cis_level":"1","cis_section_id":"6.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_6_1_3","org":"turbot","name":"cis_v130_6_1_3","mod":"GCP Compliance","title":"6.1.3 Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'","description":"It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.1.3","cis_level":"1","cis_section_id":"6.1","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_1_3","org":"turbot","name":"cis_v120_6_1_3","mod":"GCP Compliance","title":"6.1.3 Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'","description":"It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.1.3","cis_level":"1","cis_section_id":"6.1","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_mysql_local_infile_database_flag_off","org":"turbot","name":"sql_instance_mysql_local_infile_database_flag_off","mod":"GCP Compliance","title":"Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'","description":"It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.","tags":{"category":"Compliance","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/SQL"}}],"controlTitle":"Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'","controlDescription":"It is recommended to set the local_infile database flag for a Cloud SQL MySQL instance to off.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.1.3","cis_level":"1","cis_section_id":"6.1","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL","nist_800_53_rev_5":"true","nist_csf_v10":"true"}},"sql_instance_automated_backups_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_automated_backups_enabled","org":"turbot","name":"sql_instance_automated_backups_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'settings' -> 'backup_configuration' ->> 'enabled')::boolean then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'settings') is null then ' ''settings'' is not defined'\n when (attributes_std -> 'settings' -> 'backup_configuration') is null then ' ''settings.backup_configuration'' is not defined'\n when (attributes_std -> 'settings' -> 'backup_configuration' ->> 'enabled') is null\n then ' ''settings.backup_configuration.enabled'' is not defined'\n when (attributes_std -> 'settings' -> 'backup_configuration' ->> 'enabled')::boolean then ' automatic backups configured'\n else ' automatic backups not configured'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_sql_database_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":774,"endLineNumber":795,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_6_7","org":"turbot","name":"cis_v300_6_7","mod":"GCP Compliance","title":"6.7 Ensure That Cloud SQL Database Instances Are Configured With Automated Backups","description":"It is recommended to have all SQL database instances set to enable automated backups.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.7","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_6_7","org":"turbot","name":"cis_v200_6_7","mod":"GCP Compliance","title":"6.7 Ensure that Cloud SQL database instances are configured with automated backups","description":"It is recommended to have all SQL database instances set to enable automated backups.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.7","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_6_7","org":"turbot","name":"cis_v130_6_7","mod":"GCP Compliance","title":"6.7 Ensure that Cloud SQL database instances are configured with automated backups","description":"It is recommended to have all SQL database instances set to enable automated backups.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.7","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_6_7","org":"turbot","name":"cis_v120_6_7","mod":"GCP Compliance","title":"6.7 Ensure that Cloud SQL database instances are configured with automated backups","description":"It is recommended to have all SQL database instances set to enable automated backups.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.7","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.sql_instance_automated_backups_enabled","org":"turbot","name":"sql_instance_automated_backups_enabled","mod":"GCP Compliance","title":"Ensure that Cloud SQL database instances are configured with automated backups","description":"It is recommended to have all SQL database instances set to enable automated backups.","tags":{"category":"Compliance","hipaa":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/SQL"}}],"controlTitle":"Ensure that Cloud SQL database instances are configured with automated backups","controlDescription":"It is recommended to have all SQL database instances set to enable automated backups.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"6.7","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/SQL","hipaa":"true","nist_csf_v10":"true"}},"sql_server_azure_ad_authentication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_server_azure_ad_authentication_enabled","org":"turbot","name":"sql_server_azure_ad_authentication_enabled","sql":"select\n address as resource,\n case\n when name in (select split_part((attributes_std ->> 'server_name'), '.', 2) from terraform_resource where type = 'azurerm_sql_active_directory_administrator') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when name in (select split_part((attributes_std ->> 'server_name'), '.', 2) from terraform_resource where type = 'azurerm_sql_active_directory_administrator') then ' has AzureAD authentication enabled'\n else ' does not have AzureAD authentication enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_sql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":129,"endLineNumber":148,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.sql_server_azure_ad_authentication_enabled","org":"turbot","name":"sql_server_azure_ad_authentication_enabled","mod":"Azure Compliance","title":"An Azure Active Directory administrator should be provisioned for SQL servers","description":"Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/SQL"}}],"controlTitle":"An Azure Active Directory administrator should be provisioned for SQL servers","controlDescription":"Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/SQL"}},"sql_server_auditing_storage_account_destination_retention_90_days":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_server_auditing_storage_account_destination_retention_90_days","org":"turbot","name":"sql_server_auditing_storage_account_destination_retention_90_days","sql":"$37","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":150,"endLineNumber":175,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.sql_server_auditing_storage_account_destination_retention_90_days","org":"turbot","name":"sql_server_auditing_storage_account_destination_retention_90_days","mod":"Azure Compliance","title":"SQL servers with auditing to storage account destination should be configured with 90 days retention or higher","description":"For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.","tags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/SQL"}}],"controlTitle":"SQL servers with auditing to storage account destination should be configured with 90 days retention or higher","controlDescription":"For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards.","controlTags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/SQL"}},"sql_server_atp_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_server_atp_enabled","org":"turbot","name":"sql_server_atp_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'threat_detection_policy') is null then 'alarm'\n when (attributes_std -> 'threat_detection_policy' ->> 'state') = 'Disabled' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'threat_detection_policy') is null then ' does not have ATP enabled'\n when (attributes_std -> 'threat_detection_policy' ->> 'state') = 'Disabled' then ' does not have ATP enabled'\n else ' has ATP enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_sql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":50,"endLineNumber":71,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.sql_server_atp_enabled","org":"turbot","name":"sql_server_atp_enabled","mod":"Azure Compliance","title":"Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers","description":"Enable \"Azure Defender for SQL\" on critical SQL Servers.","tags":{"service":"Azure/SQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_4_2_1","org":"turbot","name":"cis_v140_4_2_1","mod":"Azure Compliance","title":"4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'","description":"Enable \"Azure Defender for SQL\" on critical SQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.2.1","cis_level":"2","cis_section_id":"4.2","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/SQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_4_2_1","org":"turbot","name":"cis_v130_4_2_1","mod":"Azure Compliance","title":"4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'","description":"Enable \"Azure Defender for SQL\" on critical SQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.2.1","cis_level":"2","cis_section_id":"4.2","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/SQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_4_2_1","org":"turbot","name":"cis_v200_4_2_1","mod":"Azure Compliance","title":"4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers","description":"Enable \"Azure Defender for SQL\" on critical SQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.2.1","cis_level":"2","cis_section_id":"4.2","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/SQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_4_2_1","org":"turbot","name":"cis_v150_4_2_1","mod":"Azure Compliance","title":"4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers","description":"Enable \"Azure Defender for SQL\" on critical SQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.2.1","cis_level":"2","cis_section_id":"4.2","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/SQL"}}],"controlTitle":"Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers","controlDescription":"Enable \"Azure Defender for SQL\" on critical SQL Servers.","controlTags":{"service":"Azure/SQL","category":"Compliance","cis":"true","cis_item_id":"4.2.1","cis_level":"2","cis_section_id":"4.2","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure"}},"sql_db_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_db_public_network_access_disabled","org":"turbot","name":"sql_db_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'public_network_access_enabled') is null then 'alarm'\n when (attributes_std -> 'public_network_access_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'public_network_access_enabled') is null then ' ''public_network_access_enabled'' not defined'\n when (attributes_std -> 'public_network_access_enabled')::boolean then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":233,"endLineNumber":254,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_5_1_7","org":"turbot","name":"cis_v300_5_1_7","mod":"Azure Compliance","title":"5.1.7 Ensure Public Network Access is Disabled","description":"Disabling public network access restricts the service from accessing public networks.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.7","cis_level":"1","cis_section_id":"5.1","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.sql_db_public_network_access_disabled","org":"turbot","name":"sql_db_public_network_access_disabled","mod":"Azure Compliance","title":"Public network access on Azure SQL Database should be disabled","description":"Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/SQL"}}],"controlTitle":"Public network access on Azure SQL Database should be disabled","controlDescription":"Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.7","cis_level":"1","cis_section_id":"5.1","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SQL","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true"}},"sql_db_active_directory_admin_configured":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_db_active_directory_admin_configured","org":"turbot","name":"sql_db_active_directory_admin_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'azuread_administrator') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'azuread_administrator') is null then ' Azure AD authentication not configured.'\n else ' Azure AD authentication configured'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":177,"endLineNumber":196,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_4_4","org":"turbot","name":"cis_v130_4_4","mod":"Azure Compliance","title":"4.4 Ensure that Azure Active Directory Admin is configured","description":"Use Azure Active Directory Authentication for authentication with SQL Database.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.4","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/SQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_4_5","org":"turbot","name":"cis_v140_4_5","mod":"Azure Compliance","title":"4.5 Ensure that Azure Active Directory Admin is configured","description":"Use Azure Active Directory Authentication for authentication with SQL Database.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.5","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/SQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.sql_db_active_directory_admin_configured","org":"turbot","name":"sql_db_active_directory_admin_configured","mod":"Azure Compliance","title":"Ensure that Azure Active Directory Admin is configured","description":"Use Azure Active Directory Authentication for authentication with SQL Database.","tags":{"service":"Azure/SQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_4_1_4","org":"turbot","name":"cis_v200_4_1_4","mod":"Azure Compliance","title":"4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers","description":"Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.1.4","cis_level":"1","cis_section_id":"4.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/SQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_4_1_4","org":"turbot","name":"cis_v150_4_1_4","mod":"Azure Compliance","title":"4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers","description":"Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.1.4","cis_level":"1","cis_section_id":"4.1","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/SQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_4_1_4","org":"turbot","name":"cis_v210_4_1_4","mod":"Azure Compliance","title":"4.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers","description":"Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.1.4","cis_level":"1","cis_section_id":"4.1","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/SQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_5_1_4","org":"turbot","name":"cis_v300_5_1_4","mod":"Azure Compliance","title":"5.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers","description":"Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.4","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SQL"}}],"controlTitle":"Ensure that Azure Active Directory Admin is configured","controlDescription":"Use Azure Active Directory Authentication for authentication with SQL Database.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.4","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SQL"}},"sql_database_long_term_geo_redundant_backup_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_database_long_term_geo_redundant_backup_enabled","org":"turbot","name":"sql_database_long_term_geo_redundant_backup_enabled","sql":"$38","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":1,"endLineNumber":28,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.sql_database_long_term_geo_redundant_backup_enabled","org":"turbot","name":"sql_database_long_term_geo_redundant_backup_enabled","mod":"Azure Compliance","title":"Long-term geo-redundant backup should be enabled for Azure SQL Databases","description":"This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/SQL"}}],"controlTitle":"Long-term geo-redundant backup should be enabled for Azure SQL Databases","controlDescription":"This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/SQL"}},"sql_database_allow_internet_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_database_allow_internet_access","org":"turbot","name":"sql_database_allow_internet_access","sql":"$39","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":198,"endLineNumber":231,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_6_3","org":"turbot","name":"cis_v140_6_3","mod":"Azure Compliance","title":"6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)","description":"Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.3","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_6_3","org":"turbot","name":"cis_v130_6_3","mod":"Azure Compliance","title":"6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)","description":"Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.3","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.sql_database_allow_internet_access","org":"turbot","name":"sql_database_allow_internet_access","mod":"Azure Compliance","title":"Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)","description":"Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).","tags":{"service":"Azure/SQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_4_1_2","org":"turbot","name":"cis_v210_4_1_2","mod":"Azure Compliance","title":"4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)","description":"Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.1.2","cis_level":"1","cis_section_id":"4.1","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/SQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_4_1_2","org":"turbot","name":"cis_v200_4_1_2","mod":"Azure Compliance","title":"4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)","description":"Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.1.2","cis_level":"1","cis_section_id":"4.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/SQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_4_1_2","org":"turbot","name":"cis_v150_4_1_2","mod":"Azure Compliance","title":"4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)","description":"Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.1.2","cis_level":"1","cis_section_id":"4.1","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/SQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_5_1_2","org":"turbot","name":"cis_v300_5_1_2","mod":"Azure Compliance","title":"5.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)","description":"Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.2","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SQL"}}],"controlTitle":"Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)","controlDescription":"Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.2","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SQL"}},"sql_instance_postgresql_log_statement_flag_set":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_statement_flag_set","org":"turbot","name":"sql_instance_postgresql_log_statement_flag_set","sql":"$3a","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":870,"endLineNumber":891,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_statement_flag_set","org":"turbot","name":"sql_instance_postgresql_log_statement_flag_set","mod":"Terraform GCP Compliance","title":"GCP SQL PostgreSQL instance should log SQL statements","description":"This control checks whether the log_statement database flag for Cloud SQL PostgreSQL instance is set to log SQL statements.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"GCP SQL PostgreSQL instance should log SQL statements","controlDescription":"This control checks whether the log_statement database flag for Cloud SQL PostgreSQL instance is set to log SQL statements.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_publicly_accessible","org":"turbot","name":"sql_instance_publicly_accessible","sql":"$3b","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":936,"endLineNumber":960,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_publicly_accessible","org":"turbot","name":"sql_instance_publicly_accessible","mod":"Terraform GCP Compliance","title":"GCP SQL instance should not be publicly accessible","description":"This control checks whether the GCP SQL instance is publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"GCP SQL instance should not be publicly accessible","controlDescription":"This control checks whether the GCP SQL instance is publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_sql_with_no_public_ip":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_sql_with_no_public_ip","org":"turbot","name":"sql_instance_sql_with_no_public_ip","sql":"select\n address as resource,\n case\n when (attributes_std -> 'settings' -> 'ip_configuration' ->> 'ipv4_enabled') is null then 'alarm'\n when (attributes_std -> 'settings' -> 'ip_configuration' ->> 'ipv4_enabled')::boolean then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'settings' -> 'ip_configuration' ->> 'ipv4_enabled') is null then ' ipv4_enabled is not defined'\n when (attributes_std -> 'settings' -> 'ip_configuration' ->> 'ipv4_enabled')::boolean then ' public IP address configured'\n else ' no public IP address configured'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_sql_database_instance'\n and (attributes_std ->> 'database_version') like 'SQLSERVER%';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":893,"endLineNumber":914,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_sql_with_no_public_ip","org":"turbot","name":"sql_instance_sql_with_no_public_ip","mod":"Terraform GCP Compliance","title":"GCP SQL instance should not have public IP address","description":"This control checks whether the GCP SQL instance has a public IP address.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"GCP SQL instance should not have public IP address","controlDescription":"This control checks whether the GCP SQL instance has a public IP address.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}},"sql_database_ledger_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_database_ledger_enabled","org":"turbot","name":"sql_database_ledger_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'ledger_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'ledger_enabled')::bool then ' ledger enabled'\n else ' ledger disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_database';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":388,"endLineNumber":407,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_database_ledger_enabled","org":"turbot","name":"sql_database_ledger_enabled","mod":"Terraform Azure Compliance","title":"SQL databases ledger should be enabled","description":"This control ensures that ledger is enabled for SQL database.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"SQL databases ledger should be enabled","controlDescription":"This control ensures that ledger is enabled for SQL database.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}},"sql_instance_postgresql_log_min_messages_flag_set":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_min_messages_flag_set","org":"turbot","name":"sql_instance_postgresql_log_min_messages_flag_set","sql":"$3c","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":847,"endLineNumber":868,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_min_messages_flag_set","org":"turbot","name":"sql_instance_postgresql_log_min_messages_flag_set","mod":"Terraform GCP Compliance","title":"GCP SQL PostgreSQL instance should have log_min_messages database flag set to a valid value","description":"This control checks whether the log_min_messages database flag for Cloud SQL PostgreSQL instance is set to a valid value.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"GCP SQL PostgreSQL instance should have log_min_messages database flag set to a valid value","controlDescription":"This control checks whether the log_min_messages database flag for Cloud SQL PostgreSQL instance is set to a valid value.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_log_min_error_statement_flag_set":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_log_min_error_statement_flag_set","org":"turbot","name":"sql_instance_postgresql_log_min_error_statement_flag_set","sql":"$3d","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":824,"endLineNumber":845,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_log_min_error_statement_flag_set","org":"turbot","name":"sql_instance_postgresql_log_min_error_statement_flag_set","mod":"Terraform GCP Compliance","title":"GCP SQL PostgreSQL instance should have log_min_error_statement database flag set to ERROR or lower","description":"This control checks whether the log_min_error_statement database flag for Cloud SQL PostgreSQL instance is set to ERROR or lower.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"GCP SQL PostgreSQL instance should have log_min_error_statement database flag set to ERROR or lower","controlDescription":"This control checks whether the log_min_error_statement database flag for Cloud SQL PostgreSQL instance is set to ERROR or lower.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}},"sql_server_vm_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_server_vm_azure_defender_enabled","org":"turbot","name":"sql_server_vm_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'SqlServerVirtualMachines' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'info'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'SqlServerVirtualMachines' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for SqlServerVirtualMachines'\n else ' Azure Defender off for SqlServerVirtualMachines'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":30,"endLineNumber":48,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_server_vm_azure_defender_enabled","org":"turbot","name":"sql_server_vm_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for SQL servers on machines should be enabled","description":"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"Azure Defender for SQL servers on machines should be enabled","controlDescription":"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SQL"}},"sql_server_email_security_alert_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_server_email_security_alert_enabled","org":"turbot","name":"sql_server_email_security_alert_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'email_addresses') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'email_addresses') is null then ' email security alert disabled'\n else ' email security alert enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_server_security_alert_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":256,"endLineNumber":275,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_server_email_security_alert_enabled","org":"turbot","name":"sql_server_email_security_alert_enabled","mod":"Terraform Azure Compliance","title":"SQL servers should have Email Security Alert enabled","description":"Enable Email Security Alert on SQL servers. It is recommended to enable Email Security Alert on SQL servers.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"SQL servers should have Email Security Alert enabled","controlDescription":"Enable Email Security Alert on SQL servers. It is recommended to enable Email Security Alert on SQL servers.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}},"sql_database_server_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_database_server_azure_defender_enabled","org":"turbot","name":"sql_database_server_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'tier') = 'Standard' and (attributes_std ->> 'resource_type') = 'SqlServers' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'tier') = 'Standard' and (attributes_std ->> 'resource_type') = 'SqlServers' then ' Azure defender enabled for SqlServer(s)'\n else ' Azure defender enabled for ' || (attributes_std ->> 'resource_type') || ''\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":73,"endLineNumber":91,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_database_server_azure_defender_enabled","org":"turbot","name":"sql_database_server_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for Azure SQL Database servers should be enabled","description":"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"Azure Defender for Azure SQL Database servers should be enabled","controlDescription":"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/SQL"}},"sql_instance_using_latest_major_database_version":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_using_latest_major_database_version","org":"turbot","name":"sql_instance_using_latest_major_database_version","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'database_version') in ('POSTGRES_15', 'MYSQL_8_0', 'SQLSERVER_2019_STANDARD', 'SQLSERVER_2019_WEB', 'SQLSERVER_2019_ENTERPRISE', 'SQLSERVER_2019_EXPRESS') then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'database_version') in ('POSTGRES_15', 'MYSQL_8_0', 'SQLSERVER_2019_STANDARD', 'SQLSERVER_2019_WEB', 'SQLSERVER_2019_ENTERPRISE', 'SQLSERVER_2019_EXPRESS') then ' latest major database version in use'\n else ' latest major database version not in use'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_sql_database_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":916,"endLineNumber":934,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_using_latest_major_database_version","org":"turbot","name":"sql_instance_using_latest_major_database_version","mod":"Terraform GCP Compliance","title":"GCP SQL instance should be using latest major database version","description":"This control checks whether the GCP SQL instance is using the latest major database version.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"GCP SQL instance should be using latest major database version","controlDescription":"This control checks whether the GCP SQL instance is using the latest major database version.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}},"sql_instance_postgresql_pgaudit_database_flag_on":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/sql_instance_postgresql_pgaudit_database_flag_on","org":"turbot","name":"sql_instance_postgresql_pgaudit_database_flag_on","sql":"$3e","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":797,"endLineNumber":822,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.sql_instance_postgresql_pgaudit_database_flag_on","org":"turbot","name":"sql_instance_postgresql_pgaudit_database_flag_on","mod":"Terraform GCP Compliance","title":"GCP SQL PostgreSQL instance should have pgaudit database flag set to 'on'","description":"This control checks whether the pgaudit database flag for Cloud SQL PostgreSQL instance is set to 'on'.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}}],"controlTitle":"GCP SQL PostgreSQL instance should have pgaudit database flag set to 'on'","controlDescription":"This control checks whether the pgaudit database flag for Cloud SQL PostgreSQL instance is set to 'on'.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/SQL"}},"sql_server_admins_email_security_alert_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_server_admins_email_security_alert_enabled","org":"turbot","name":"sql_server_admins_email_security_alert_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'email_account_admins')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'email_account_admins')::boolean then ' account administrators email security alert enabled'\n else ' account administrators email security alert disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_server_security_alert_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":277,"endLineNumber":296,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_server_admins_email_security_alert_enabled","org":"turbot","name":"sql_server_admins_email_security_alert_enabled","mod":"Terraform Azure Compliance","title":"SQL servers should have Administrator Email Security Alert enabled","description":"Enable Email Security Alert on SQL server admins. It is recommended to enable Email Security Alert on SQL server admins.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"SQL servers should have Administrator Email Security Alert enabled","controlDescription":"Enable Email Security Alert on SQL server admins. It is recommended to enable Email Security Alert on SQL server admins.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}},"sql_server_all_security_alerts_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_server_all_security_alerts_enabled","org":"turbot","name":"sql_server_all_security_alerts_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'disabled_alerts') is not null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'disabled_alerts') is not null then ' some security alerts disabled'\n else ' all security alerts enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_server_security_alert_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":298,"endLineNumber":317,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_server_all_security_alerts_enabled","org":"turbot","name":"sql_server_all_security_alerts_enabled","mod":"Terraform Azure Compliance","title":"SQL servers should have all Security Alerts enabled","description":"Enable all Security Alerts on SQL servers. It is recommended to enable all Security Alerts on SQL servers.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"SQL servers should have all Security Alerts enabled","controlDescription":"Enable all Security Alerts on SQL servers. It is recommended to enable all Security Alerts on SQL servers.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}},"sql_server_uses_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_server_uses_latest_tls_version","org":"turbot","name":"sql_server_uses_latest_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'minimum_tls_version') is null then 'ok'\n when (attributes_std ->> 'minimum_tls_version')::text = '1.2' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'minimum_tls_version') is null then ' TLS version not defined by default uses 1.2'\n when (attributes_std ->> 'minimum_tls_version')::text = '1.2' then ' TLS version 1.2'\n else ' TLS version not 1.2'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":319,"endLineNumber":340,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_server_uses_latest_tls_version","org":"turbot","name":"sql_server_uses_latest_tls_version","mod":"Terraform Azure Compliance","title":"SQL servers should use the latest TLS version 1.2","description":"SQL servers currently allows user to set TLS version values as Disabled, 1.0, 1.1 and 1.2. It is recommended to use the latest TLS version 1.2.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"SQL servers should use the latest TLS version 1.2","controlDescription":"SQL servers currently allows user to set TLS version values as Disabled, 1.0, 1.1 and 1.2. It is recommended to use the latest TLS version 1.2.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}},"sql_database_log_monitoring_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_database_log_monitoring_enabled","org":"turbot","name":"sql_database_log_monitoring_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'log_monitoring_enabled') is null then 'ok'\n when (attributes_std -> 'log_monitoring_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'log_monitoring_enabled') is null then ' log monitoring enabled'\n when (attributes_std -> 'log_monitoring_enabled')::boolean then ' log monitoring enabled'\n else ' log monitoring disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_database_extended_auditing_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":342,"endLineNumber":363,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_database_log_monitoring_enabled","org":"turbot","name":"sql_database_log_monitoring_enabled","mod":"Terraform Azure Compliance","title":"SQL databases should have log monitoring enabled","description":"Enable audit log monitoring on SQL database. It is recommended to enable Log Monitoring on SQL database.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"SQL databases should have log monitoring enabled","controlDescription":"Enable audit log monitoring on SQL database. It is recommended to enable Log Monitoring on SQL database.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}},"sql_database_zone_redundant_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/sql_database_zone_redundant_enabled","org":"turbot","name":"sql_database_zone_redundant_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'zone_redundant') is null then 'alarm'\n when (attributes_std ->> 'zone_redundant')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'zone_redundant') is null then ' ''zone_redundant'' is not set'\n when (attributes_std ->> 'zone_redundant')::bool then ' zone redundant'\n else ' not zone redundant'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mssql_database';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sql.pp","startLineNumber":365,"endLineNumber":386,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.sql_database_zone_redundant_enabled","org":"turbot","name":"sql_database_zone_redundant_enabled","mod":"Terraform Azure Compliance","title":"SQL databases should be zone redundant","description":"This control ensures that SQL database is zone redundant.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}}],"controlTitle":"SQL databases should be zone redundant","controlDescription":"This control ensures that SQL database is zone redundant.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SQL"}}},"logging":{"logging_bucket_retention_policy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/logging_bucket_retention_policy_enabled","org":"turbot","name":"logging_bucket_retention_policy_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'retention_policy' ->> 'is_locked')::boolean then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'retention_policy') is null then ' ''retention_policy'' is not defined'\n when (attributes_std -> 'retention_policy' ->> 'is_locked') is null then ' ''retention_policy.is_locked'' is not defined'\n when (attributes_std -> 'retention_policy' ->> 'is_locked')::boolean then ' has retention policies configured'\n else ' does not have retention policies configured.'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_storage_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/logging.pp","startLineNumber":1,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_2_3","org":"turbot","name":"cis_v300_2_3","mod":"GCP Compliance","title":"2.3 Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock","description":"Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"2.3","cis_level":"2","cis_section_id":"2","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Logging"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_2_3","org":"turbot","name":"cis_v200_2_3","mod":"GCP Compliance","title":"2.3 Ensure that retention policies on log buckets are configured using Bucket Lock","description":"Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"2.3","cis_level":"2","cis_section_id":"2","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/Logging"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_2_3","org":"turbot","name":"cis_v130_2_3","mod":"GCP Compliance","title":"2.3 Ensure that retention policies on log buckets are configured using Bucket Lock","description":"Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"2.3","cis_level":"1","cis_section_id":"2","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/Logging"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_2_3","org":"turbot","name":"cis_v120_2_3","mod":"GCP Compliance","title":"2.3 Ensure that retention policies on log buckets are configured using Bucket Lock","description":"Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"2.3","cis_level":"1","cis_section_id":"2","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Logging"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.logging_bucket_retention_policy_enabled","org":"turbot","name":"logging_bucket_retention_policy_enabled","mod":"GCP Compliance","title":"Ensure that retention policies on log buckets are configured using Bucket Lock","description":"Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.","tags":{"category":"Compliance","plugin":"gcp","service":"GCP/Logging"}}],"controlTitle":"Ensure that retention policies on log buckets are configured using Bucket Lock","controlDescription":"Enabling retention policies on log buckets will protect logs stored in cloud storage buckets from being overwritten or accidentally deleted. It is recommended to set up retention policies and configure Bucket Lock on all storage buckets that are used as log sinks.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"2.3","cis_level":"1","cis_section_id":"2","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Logging"}}},"kubernetes":{"kubernetes_cluster_shielded_nodes_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_shielded_nodes_enabled","org":"turbot","name":"kubernetes_cluster_shielded_nodes_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'enable_shielded_nodes') = 'false' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'enable_shielded_nodes') = 'false' then ' shielded nodes disabled'\n else ' shielded nodes enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":176,"endLineNumber":195,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.kubernetes_cluster_shielded_nodes_enabled","org":"turbot","name":"kubernetes_cluster_shielded_nodes_enabled","mod":"GCP Compliance","title":"GKE clusters should have shielded nodes enabled","description":"This control ensures that GKE clusters have shielded nodes enabled.","tags":{"category":"Compliance","plugin":"gcp","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters should have shielded nodes enabled","controlDescription":"This control ensures that GKE clusters have shielded nodes enabled.","controlTags":{"category":"Compliance","plugin":"gcp","service":"GCP/Kubernetes"}},"kubernetes_cluster_shielded_node_secure_boot_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_shielded_node_secure_boot_enabled","org":"turbot","name":"kubernetes_cluster_shielded_node_secure_boot_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'node_config' -> 'shielded_instance_config' ->> 'enable_secure_boot') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'node_config' -> 'shielded_instance_config' ->> 'enable_secure_boot') = 'true' then ' secure boot enabled for shielded nodes'\n else ' secure boot disabled for shielded nodes'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_container_node_pool', 'google_container_cluster');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":460,"endLineNumber":479,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.kubernetes_cluster_shielded_node_secure_boot_enabled","org":"turbot","name":"kubernetes_cluster_shielded_node_secure_boot_enabled","mod":"GCP Compliance","title":"GKE clusters shielded node secure boot should be enabled","description":"This control ensures that GKE clusters shielded node secure boot is enabled. This control is non-complaint if ishielded node secure boot is disabled.","tags":{"category":"Compliance","plugin":"gcp","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters shielded node secure boot should be enabled","controlDescription":"This control ensures that GKE clusters shielded node secure boot is enabled. This control is non-complaint if ishielded node secure boot is disabled.","controlTags":{"category":"Compliance","plugin":"gcp","service":"GCP/Kubernetes"}},"kubernetes_cluster_release_channel_configured":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_release_channel_configured","org":"turbot","name":"kubernetes_cluster_release_channel_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'release_channel') is null then 'alarm'\n when (attributes_std -> 'release_channel' ->> 'channel') = 'UNSPECIFIED' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'release_channel') is null then ' release channel not defined'\n when (attributes_std -> 'release_channel' ->> 'channel') = 'UNSPECIFIED' then ' release channel not set'\n else ' release channel set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":356,"endLineNumber":377,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.kubernetes_cluster_release_channel_configured","org":"turbot","name":"kubernetes_cluster_release_channel_configured","mod":"GCP Compliance","title":"GKE clusters release channel should be configured","description":"This control ensures that GKE clusters uses release channel for version management.","tags":{"category":"Compliance","plugin":"gcp","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters release channel should be configured","controlDescription":"This control ensures that GKE clusters uses release channel for version management.","controlTags":{"category":"Compliance","plugin":"gcp","service":"GCP/Kubernetes"}},"kubernetes_cluster_private_cluster_config_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_private_cluster_config_enabled","org":"turbot","name":"kubernetes_cluster_private_cluster_config_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'private_cluster_config') is null then 'alarm'\n when (attributes_std -> 'private_cluster_config' -> 'enable_private_nodes') is null then 'alarm'\n when (attributes_std -> 'private_cluster_config' -> 'enable_private_nodes')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'private_cluster_config') is null then ' private cluster config disabled'\n when (attributes_std -> 'private_cluster_config' -> 'enable_private_nodes') is null then ' ''enable_private_nodes'' not defined'\n when (attributes_std -> 'private_cluster_config' -> 'enable_private_nodes')::bool then ' private cluster config enabled'\n else ' private cluster config disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":130,"endLineNumber":153,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.allow_only_private_cluster","org":"turbot","name":"allow_only_private_cluster","mod":"GCP Compliance","title":"Verify all GKE clusters are Private Clusters","tags":{"category":"Compliance","cft_scorecard_v1":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/Kubernetes","severity":"high"}}],"controlTitle":"Verify all GKE clusters are Private Clusters","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/Kubernetes","severity":"high"}},"kubernetes_cluster_node_config_image_cos_containerd":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_node_config_image_cos_containerd","org":"turbot","name":"kubernetes_cluster_node_config_image_cos_containerd","sql":"select\n address as resource,\n case\n when (attributes_std -> 'node_config' ->> 'image_type') = 'COS_CONTAINERD' then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'node_config') is null then ' ''node_config'' is not defined'\n when coalesce(trim((attributes_std -> 'node_config' ->> 'image_type')), '') = '' then ' ''node_config.image_type'' is not defined'\n when (attributes_std -> 'node_config' ->> 'image_type') = 'COS_CONTAINERD' then ' Container-Optimized OS(COS) is used'\n else ' Container-Optimized OS(COS) not used'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":67,"endLineNumber":87,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.gke_container_optimized_os","org":"turbot","name":"gke_container_optimized_os","mod":"GCP Compliance","title":"Ensure Container-Optimized OS (cos) is used for Kubernetes engine clusters","tags":{"category":"Compliance","cft_scorecard_v1":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/Kubernetes","severity":"high"}}],"controlTitle":"Ensure Container-Optimized OS (cos) is used for Kubernetes engine clusters","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/Kubernetes","severity":"high"}},"kubernetes_cluster_network_policy_installed":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_network_policy_installed","org":"turbot","name":"kubernetes_cluster_network_policy_installed","sql":"select\n address as resource,\n case\n when (attributes_std -> 'network_policy') is not null then 'ok' else 'alarm'\n end as status,\n name || case\n when (attributes_std -> 'network_policy') is not null then ' network policy defined'\n else ' network policy not defined'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":89,"endLineNumber":107,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.gke_restrict_pod_traffic","org":"turbot","name":"gke_restrict_pod_traffic","mod":"GCP Compliance","title":"Check that GKE clusters have a Network Policy installed","tags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"gcp","service":"GCP/Kubernetes","severity":"high"}}],"controlTitle":"Check that GKE clusters have a Network Policy installed","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"gcp","service":"GCP/Kubernetes","severity":"high"}},"kubernetes_cluster_legacy_endpoints_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_legacy_endpoints_disabled","org":"turbot","name":"kubernetes_cluster_legacy_endpoints_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'node_config' -> 'metadata' ->> 'disable-legacy-endpoints') = 'true' then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'node_config') is null then ' ''node_config'' is not defined'\n when (attributes_std -> 'node_config' -> 'metadata') is null then ' ''node_config.metadata'' is not defined'\n when coalesce(trim((attributes_std -> 'node_config' -> 'metadata' ->> 'disable-legacy-endpoints')), '') = ''\n then ' ''node_config.metadata.disable-legacy-endpoints'' is not defined'\n when (attributes_std -> 'node_config' -> 'metadata' ->> 'disable-legacy-endpoints') = 'true' then ' legacy endpoints disabled'\n else ' legacy endpoints enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":43,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.disable_gke_legacy_endpoints","org":"turbot","name":"disable_gke_legacy_endpoints","mod":"GCP Compliance","title":"Check that legacy metadata endpoints are disabled on Kubernetes clusters(disabled by default since GKE 1.12+)","tags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"gcp","service":"GCP/Kubernetes","severity":"high"}}],"controlTitle":"Check that legacy metadata endpoints are disabled on Kubernetes clusters(disabled by default since GKE 1.12+)","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"gcp","service":"GCP/Kubernetes","severity":"high"}},"kubernetes_cluster_legacy_abac_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_legacy_abac_enabled","org":"turbot","name":"kubernetes_cluster_legacy_abac_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'enable_legacy_abac')::boolean then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'enable_legacy_abac') is null then ' ''enable_legacy_abac'' is not defined'\n when (attributes_std ->> 'enable_legacy_abac')::boolean then ' legacy authorization enabled'\n else ' legacy authorization disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.disable_gke_legacy_abac","org":"turbot","name":"disable_gke_legacy_abac","mod":"GCP Compliance","title":"Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters","tags":{"category":"Compliance","cft_scorecard_v1":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/Kubernetes","severity":"high"}}],"controlTitle":"Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/Kubernetes","severity":"high"}},"kubernetes_cluster_auto_upgrade_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_auto_upgrade_enabled","org":"turbot","name":"kubernetes_cluster_auto_upgrade_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'management' ->> 'auto_upgrade')::boolean then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'management') is null then ' ''management'' is not defined'\n when (attributes_std -> 'management' ->> 'auto_upgrade') is null then ' ''management.auto_upgrade'' is not defined'\n when (attributes_std -> 'management' ->> 'auto_upgrade')::boolean then ' node pool auto upgrade enabled'\n else ' node pool auto upgrade disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_node_pool';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.enable_auto_upgrade","org":"turbot","name":"enable_auto_upgrade","mod":"GCP Compliance","title":"Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes","tags":{"category":"Compliance","cft_scorecard_v1":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/Kubernetes","severity":"high"}}],"controlTitle":"Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/Kubernetes","severity":"high"}},"kubernetes_cluster_auto_repair_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_auto_repair_enabled","org":"turbot","name":"kubernetes_cluster_auto_repair_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'management' ->> 'auto_repair')::boolean then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'management') is null then ' ''management'' is not defined'\n when (attributes_std -> 'management' ->> 'auto_repair') is null then ' ''management.auto_repair'' is not defined'\n when (attributes_std -> 'management' ->> 'auto_repair')::boolean then ' node pool auto repair enabled'\n else ' node pool auto repair disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_node_pool';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":109,"endLineNumber":128,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.enable_auto_repair","org":"turbot","name":"enable_auto_repair","mod":"GCP Compliance","title":"Ensure automatic node repair is enabled on all node pools in a GKE cluster","tags":{"category":"Compliance","cft_scorecard_v1":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/Kubernetes","severity":"high"}}],"controlTitle":"Ensure automatic node repair is enabled on all node pools in a GKE cluster","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/Kubernetes","severity":"high"}},"kubernetes_cluster_shielded_node_integrity_monitoring_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_shielded_node_integrity_monitoring_enabled","org":"turbot","name":"kubernetes_cluster_shielded_node_integrity_monitoring_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'node_config' -> 'shielded_instance_config' ->> 'enable_integrity_monitoring') = 'false' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'node_config' -> 'shielded_instance_config' ->> 'enable_integrity_monitoring') = 'false' then ' integrity monitoring disabled for shielded nodes'\n else ' integrity monitoring enabled for shielded nodes'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_container_node_pool', 'google_container_cluster');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":481,"endLineNumber":500,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_shielded_node_integrity_monitoring_enabled","org":"turbot","name":"kubernetes_cluster_shielded_node_integrity_monitoring_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters integrity monitoring should be enabled for shielded nodes","description":"This control checks that GKE clusters integrity monitoring is enabled for shielded nodes.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters integrity monitoring should be enabled for shielded nodes","controlDescription":"This control checks that GKE clusters integrity monitoring is enabled for shielded nodes.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_cos_node_image":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_cos_node_image","org":"turbot","name":"kubernetes_cluster_cos_node_image","sql":"select\n address as resource,\n case\n when (attributes_std -> 'node_config' -> 'image_type') is null then 'alarm'\n when (attributes_std -> 'node_config' ->> 'image_type') ilike 'COS_%' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'node_config' -> 'image_type') is null then ' node image type not defined'\n when (attributes_std -> 'node_config' ->> 'image_type') ilike 'COS_%' then ' COS node image type used'\n else ' COS node image type not used'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_container_node_pool', 'google_container_cluster');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":502,"endLineNumber":523,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_cos_node_image","org":"turbot","name":"kubernetes_cluster_cos_node_image","mod":"Terraform GCP Compliance","title":"GKE clusters should use Container-Optimized OS(cos) node image","description":"This control checks that GKE clusters use Container-Optimized OS(cos) node image.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters should use Container-Optimized OS(cos) node image","controlDescription":"This control checks that GKE clusters use Container-Optimized OS(cos) node image.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_intranodal_visibility_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_intranodal_visibility_enabled","org":"turbot","name":"kubernetes_cluster_intranodal_visibility_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'enable_intranode_visibility') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'enable_intranode_visibility') = 'true' then ' intranodal visibility enabled'\n else ' intranodal visibility disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":400,"endLineNumber":419,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_intranodal_visibility_enabled","org":"turbot","name":"kubernetes_cluster_intranodal_visibility_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters intranodal visibility should be enabled","description":"This control checks that GKE clusters intranodal visibility is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters intranodal visibility should be enabled","controlDescription":"This control checks that GKE clusters intranodal visibility is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_stackdriver_monitoring_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_stackdriver_monitoring_enabled","org":"turbot","name":"kubernetes_cluster_stackdriver_monitoring_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'monitoring_service') = 'none' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'monitoring_service') = 'none' then ' stackdriver monitoring disabled'\n else ' stackdriver monitoring enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":197,"endLineNumber":216,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_stackdriver_monitoring_enabled","org":"turbot","name":"kubernetes_cluster_stackdriver_monitoring_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters stackdriver monitoring should be enabled","description":"This control checks that GKE clusters stackdriver monitoring is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters stackdriver monitoring should be enabled","controlDescription":"This control checks that GKE clusters stackdriver monitoring is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_no_cluster_level_node_pool":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_no_cluster_level_node_pool","org":"turbot","name":"kubernetes_cluster_no_cluster_level_node_pool","sql":"select\n address as resource,\n case\n when (attributes_std -> 'node_pool') is not null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'node_pool') is not null then ' node pool defined in cluster configuration'\n else ' node pool not defined in cluster configuration'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":525,"endLineNumber":544,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_no_cluster_level_node_pool","org":"turbot","name":"kubernetes_cluster_no_cluster_level_node_pool","mod":"Terraform GCP Compliance","title":"GKE clusters should not use cluster level node pool","description":"This control checks if GKE clusters use separate node pool resources since node pools defined in cluster configuration cannot be added or removed without recreating the cluster.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters should not use cluster level node pool","controlDescription":"This control checks if GKE clusters use separate node pool resources since node pools defined in cluster configuration cannot be added or removed without recreating the cluster.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_binary_auth_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_binary_auth_enabled","org":"turbot","name":"kubernetes_cluster_binary_auth_enabled","sql":"$3f","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":331,"endLineNumber":354,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_binary_auth_enabled","org":"turbot","name":"kubernetes_cluster_binary_auth_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters client binary authorizationn should be enabled","description":"This control checks that GKE clusters client binary authorization is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters client binary authorizationn should be enabled","controlDescription":"This control checks that GKE clusters client binary authorization is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_stackdriver_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_stackdriver_logging_enabled","org":"turbot","name":"kubernetes_cluster_stackdriver_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'logging_service') = 'none' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'logging_service') = 'none' then ' stackdriver logging disabled'\n else ' stackdriver logging enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":155,"endLineNumber":174,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_stackdriver_logging_enabled","org":"turbot","name":"kubernetes_cluster_stackdriver_logging_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters stackdriver logging should be enabled","description":"This control checks that GKE clusters stackdriver logging is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters stackdriver logging should be enabled","controlDescription":"This control checks that GKE clusters stackdriver logging is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_control_plane_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_control_plane_restrict_public_access","org":"turbot","name":"kubernetes_cluster_control_plane_restrict_public_access","sql":"$40","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":421,"endLineNumber":458,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_control_plane_restrict_public_access","org":"turbot","name":"kubernetes_cluster_control_plane_restrict_public_access","mod":"Terraform GCP Compliance","title":"GKE clusters control plane should restrict public access","description":"This control checks that GKE clusters control plane restricts public access.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters control plane should restrict public access","controlDescription":"This control checks that GKE clusters control plane restricts public access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_client_certificate_authentication_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_client_certificate_authentication_disabled","org":"turbot","name":"kubernetes_cluster_client_certificate_authentication_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'master_auth' -> 'client_certificate_config' -> 'issue_client_certificate') is null then 'alarm'\n when (attributes_std -> 'master_auth' -> 'client_certificate_config' ->> 'issue_client_certificate') = 'false' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'master_auth' -> 'client_certificate_config' -> 'issue_client_certificate') is null then ' client certificate authentication not defined'\n when (attributes_std -> 'master_auth' -> 'client_certificate_config' ->> 'issue_client_certificate') = 'false' then ' client certificate authentication disabled'\n else ' client certificate authentication enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":308,"endLineNumber":329,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_client_certificate_authentication_disabled","org":"turbot","name":"kubernetes_cluster_client_certificate_authentication_disabled","mod":"Terraform GCP Compliance","title":"GKE clusters client certificate authentication should be disabled","description":"This control checks that GKE clusters client certificate authentication is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters client certificate authentication should be disabled","controlDescription":"This control checks that GKE clusters client certificate authentication is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_authenticator_group_configured":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_authenticator_group_configured","org":"turbot","name":"kubernetes_cluster_authenticator_group_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'authenticator_groups_config' -> 'security_group') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'authenticator_groups_config' -> 'security_group') is not null then ' authenticator group configured'\n else ' authenticator group not configured'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":266,"endLineNumber":285,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_authenticator_group_configured","org":"turbot","name":"kubernetes_cluster_authenticator_group_configured","mod":"Terraform GCP Compliance","title":"GKE clusters authenticator group should be configured to manage RBAC users","description":"This control checks that GKE clusters authenticator group is configured to manage RBAC users.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters authenticator group should be configured to manage RBAC users","controlDescription":"This control checks that GKE clusters authenticator group is configured to manage RBAC users.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_alias_ip_range_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_alias_ip_range_enabled","org":"turbot","name":"kubernetes_cluster_alias_ip_range_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'ip_allocation_policy') is not null) and ((attributes_std ->> 'ip_allocation_policy') <> '{}') then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'ip_allocation_policy') is not null and ((attributes_std ->> 'ip_allocation_policy') <> '{}') then ' alias IP range enabled'\n else ' alias IP range disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":379,"endLineNumber":398,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_alias_ip_range_enabled","org":"turbot","name":"kubernetes_cluster_alias_ip_range_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters alias IP ranges should be enabled","description":"This control checks that GKE clusters alias IP ranges is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters alias IP ranges should be enabled","controlDescription":"This control checks that GKE clusters alias IP ranges is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_master_authorized_network_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_master_authorized_network_enabled","org":"turbot","name":"kubernetes_cluster_master_authorized_network_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'master_authorized_networks_config') = '{}' then 'alarm'\n when (attributes_std -> 'master_authorized_networks_config') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'master_authorized_networks_config') = '{}' then ' master authorized network not defined'\n when (attributes_std -> 'master_authorized_networks_config') is not null then ' master authorized network enabled'\n else ' master authorized network disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":243,"endLineNumber":264,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_master_authorized_network_enabled","org":"turbot","name":"kubernetes_cluster_master_authorized_network_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters master authorized networks should be enabled","description":"This control checks that GKE clusters master authorized networks is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters master authorized networks should be enabled","controlDescription":"This control checks that GKE clusters master authorized networks is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_resource_label_configured":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_resource_label_configured","org":"turbot","name":"kubernetes_cluster_resource_label_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'resource_labels' -> 'key') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'resource_labels' -> 'key') is not null then ' labels configured'\n else ' labels not configured'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_container_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":287,"endLineNumber":306,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_resource_label_configured","org":"turbot","name":"kubernetes_cluster_resource_label_configured","mod":"Terraform GCP Compliance","title":"GKE clusters resource labels should be configured","description":"This control checks that GKE clusters resource labels are configured.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters resource labels should be configured","controlDescription":"This control checks that GKE clusters resource labels are configured.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}},"kubernetes_cluster_metadata_server_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kubernetes_cluster_metadata_server_enabled","org":"turbot","name":"kubernetes_cluster_metadata_server_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'node_config') is null then 'alarm'\n when (attributes_std -> 'node_config' -> 'workload_metadata_config') is null then 'alarm'\n when (attributes_std -> 'node_config' -> 'workload_metadata_config' ->> 'mode') = 'GKE_METADATA' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'node_config') is null then ' node config not defined'\n when (attributes_std -> 'node_config' -> 'workload_metadata_config') is null then ' workload metadata config not defined'\n when (attributes_std -> 'node_config' -> 'workload_metadata_config' ->> 'mode') = 'GKE_METADATA' then ' GKE metadata server enabled'\n else ' GKE metadata server disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_container_node_pool', 'google_container_cluster');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":218,"endLineNumber":241,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kubernetes_cluster_metadata_server_enabled","org":"turbot","name":"kubernetes_cluster_metadata_server_enabled","mod":"Terraform GCP Compliance","title":"GKE clusters GKE metadata server should be enabled","description":"This control checks that GKE clusters GKE metadata server is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}],"controlTitle":"GKE clusters GKE metadata server should be enabled","controlDescription":"This control checks that GKE clusters GKE metadata server is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Kubernetes"}}},"kms":{"kms_key_rotated_within_90_day":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kms_key_rotated_within_90_day","org":"turbot","name":"kms_key_rotated_within_90_day","sql":"select\n address as resource,\n case\n when coalesce((attributes_std ->> 'rotation_period'), '') = '' then 'alarm'\n when split_part(coalesce((attributes_std ->> 'rotation_period'), ''), 's', 1) :: int <= 7776000 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce((attributes_std ->> 'rotation_period'), '') = '' then ' requires manual rotation'\n else ' rotation period set for ' || (split_part((attributes_std ->> 'rotation_period'), 's', 1) :: int)/86400 || ' day(s)'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_kms_crypto_key';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kms.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_1_10","org":"turbot","name":"cis_v300_1_10","mod":"GCP Compliance","title":"1.10 Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days","description":"Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management. The format for the rotation schedule depends on the client library that is used. For the gcloud command-line tool, the next rotation time must be in ISO or RFC3339 format, and the rotation period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"1.10","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/KMS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_1_10","org":"turbot","name":"cis_v200_1_10","mod":"GCP Compliance","title":"1.10 Ensure KMS encryption keys are rotated within a period of 90 days","description":"Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management. The format for the rotation schedule depends on the client library that is used. For the gcloud command-line tool, the next rotation time must be in ISO or RFC3339 format, and the rotation period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"1.10","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/KMS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_1_10","org":"turbot","name":"cis_v130_1_10","mod":"GCP Compliance","title":"1.10 Ensure KMS encryption keys are rotated within a period of 90 days","description":"Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management. The format for the rotation schedule depends on the client library that is used. For the gcloud command-line tool, the next rotation time must be in ISO or RFC3339 format, and the rotation period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"1.10","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/KMS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_1_10","org":"turbot","name":"cis_v120_1_10","mod":"GCP Compliance","title":"1.10 Ensure KMS encryption keys are rotated within a period of 90 days","description":"Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management. The format for the rotation schedule depends on the client library that is used. For the gcloud command-line tool, the next rotation time must be in ISO or RFC3339 format, and the rotation period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"1.10","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/KMS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.kms_key_rotated_within_90_day","org":"turbot","name":"kms_key_rotated_within_90_day","mod":"GCP Compliance","title":"Ensure KMS encryption keys are rotated within a period of 90 days","description":"Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management. The format for the rotation schedule depends on the client library that is used. For the gcloud command-line tool, the next rotation time must be in ISO or RFC3339 format, and the rotation period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/KMS","soc_2_2017":"true"}}],"controlTitle":"Ensure KMS encryption keys are rotated within a period of 90 days","controlDescription":"Google Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management. The format for the rotation schedule depends on the client library that is used. For the gcloud command-line tool, the next rotation time must be in ISO or RFC3339 format, and the rotation period must be in the form INTEGER[UNIT], where units can be one of seconds (s), minutes (m), hours (h) or days (d).","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"1.10","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/KMS","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","pci_dss_v321":"true","soc_2_2017":"true"}},"kms_key_rotated_within_100_day":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kms_key_rotated_within_100_day","org":"turbot","name":"kms_key_rotated_within_100_day","sql":"select\n address as resource,\n case\n when coalesce((attributes_std ->> 'rotation_period'), '') = '' then 'alarm'\n when split_part((attributes_std ->> 'rotation_period'), 's', 1) :: int <= 8640000 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce((attributes_std ->> 'rotation_period'), '') = '' then ' requires manual rotation'\n else ' rotation period set for ' || (split_part((attributes_std ->> 'rotation_period'), 's', 1) :: int)/86400 || ' day(s)'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_kms_crypto_key';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kms.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cmek_rotation_one_hundred_days","org":"turbot","name":"cmek_rotation_one_hundred_days","mod":"GCP Compliance","title":"Check that CMEK rotation policy is in place and is sufficiently short","tags":{"category":"Compliance","forseti_security_v226":"true","plugin":"gcp","service":"GCP/KMS","severity":"high"}}],"controlTitle":"Check that CMEK rotation policy is in place and is sufficiently short","controlTags":{"category":"Compliance","forseti_security_v226":"true","plugin":"gcp","service":"GCP/KMS","severity":"high"}},"kms_key_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kms_key_not_publicly_accessible","org":"turbot","name":"kms_key_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_kms_crypto_key_iam_policy', 'google_kms_crypto_key_iam_binding', 'google_kms_crypto_key_iam_member');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kms.pp","startLineNumber":63,"endLineNumber":82,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_1_9","org":"turbot","name":"cis_v300_1_9","mod":"GCP Compliance","title":"1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible","description":"It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"1.9","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/KMS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_1_9","org":"turbot","name":"cis_v200_1_9","mod":"GCP Compliance","title":"1.9 Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible","description":"It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"1.9","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/KMS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_1_9","org":"turbot","name":"cis_v130_1_9","mod":"GCP Compliance","title":"1.9 Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible","description":"It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"1.9","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/KMS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_1_9","org":"turbot","name":"cis_v120_1_9","mod":"GCP Compliance","title":"1.9 Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible","description":"It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"1.9","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/KMS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.kms_key_not_publicly_accessible","org":"turbot","name":"kms_key_not_publicly_accessible","mod":"GCP Compliance","title":"Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible","description":"It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/KMS","soc_2_2017":"true"}}],"controlTitle":"Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible","controlDescription":"It is recommended that the IAM policy on Cloud KMS cryptokeys should restrict anonymous and/or public access.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"1.9","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/KMS","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","soc_2_2017":"true"}},"kms_key_prevent_destroy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/kms_key_prevent_destroy_enabled","org":"turbot","name":"kms_key_prevent_destroy_enabled","sql":"select\n address as resource,\n case\n when (lifecycle ->> 'prevent_destroy')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (lifecycle ->> 'prevent_destroy')::bool then ' prevent destroy enabled'\n else ' prevent destroy disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_kms_crypto_key';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kms.pp","startLineNumber":43,"endLineNumber":61,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.kms_key_prevent_destroy_enabled","org":"turbot","name":"kms_key_prevent_destroy_enabled","mod":"Terraform GCP Compliance","title":"KMS Crypto keys should have prevent destroy enabled","description":"CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed CryptoKey will remove it from state and delete all CryptoKeyVersions, rendering the key unusable, but will not delete the resource from the project. When Terraform destroys these keys, any data previously encrypted with these keys will be irrecoverable. For this reason, it is strongly recommended that you add lifecycle hooks to the resource to prevent accidental destruction.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/KMS"}}],"controlTitle":"KMS Crypto keys should have prevent destroy enabled","controlDescription":"CryptoKeys cannot be deleted from Google Cloud Platform. Destroying a Terraform-managed CryptoKey will remove it from state and delete all CryptoKeyVersions, rendering the key unusable, but will not delete the resource from the project. When Terraform destroys these keys, any data previously encrypted with these keys will be irrecoverable. For this reason, it is strongly recommended that you add lifecycle hooks to the resource to prevent accidental destruction.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/KMS"}},"kms_cmk_rotation_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/kms_cmk_rotation_enabled","org":"turbot","name":"kms_cmk_rotation_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enable_key_rotation') is null then 'alarm'\n when (attributes_std -> 'enable_key_rotation')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enable_key_rotation') is null then ' key rotation disabled'\n when (attributes_std -> 'enable_key_rotation')::boolean then ' key rotation enabled'\n else ' key rotation disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_kms_key';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kms.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.kms_cmk_rotation_enabled","org":"turbot","name":"kms_cmk_rotation_enabled","mod":"Terraform AWS Compliance","title":"KMS CMK rotation should be enabled","description":"Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period.","tags":{"category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/KMS"}}],"controlTitle":"KMS CMK rotation should be enabled","controlDescription":"Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period.","controlTags":{"category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/KMS"}}},"iam":{"iam_service_account_gcp_managed_key":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_service_account_gcp_managed_key","org":"turbot","name":"iam_service_account_gcp_managed_key","sql":"select\n address as resource,\n case\n when name in (select split_part((attributes_std ->> 'service_account_id'), '.', 2) from terraform_resource where type = 'google_service_account_key') then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when name in (select split_part((attributes_std ->> 'service_account_id'), '.', 2) from terraform_resource where type = 'google_service_account_key') then ' has user-managed keys'\n else ' does not have user-managed keys'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_service_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_1_4","org":"turbot","name":"cis_v300_1_4","mod":"GCP Compliance","title":"1.4 Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account","description":"User managed service accounts should not have user-managed keys.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"1.4","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/IAM"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_1_4","org":"turbot","name":"cis_v200_1_4","mod":"GCP Compliance","title":"1.4 Ensure that there are only GCP-managed service account keys for each service account","description":"User managed service accounts should not have user-managed keys.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"1.4","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/IAM"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_1_4","org":"turbot","name":"cis_v130_1_4","mod":"GCP Compliance","title":"1.4 Ensure that there are only GCP-managed service account keys for each service account","description":"User managed service accounts should not have user-managed keys.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"1.4","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/IAM"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_1_4","org":"turbot","name":"cis_v120_1_4","mod":"GCP Compliance","title":"1.4 Ensure that there are only GCP-managed service account keys for each service account","description":"User managed service accounts should not have user-managed keys.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"1.4","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/IAM"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.iam_service_account_gcp_managed_key","org":"turbot","name":"iam_service_account_gcp_managed_key","mod":"GCP Compliance","title":"Ensure that there are only GCP-managed service account keys for each service account","description":"User managed service accounts should not have user-managed keys.","tags":{"category":"Compliance","plugin":"gcp","service":"GCP/IAM"}}],"controlTitle":"Ensure that there are only GCP-managed service account keys for each service account","controlDescription":"User managed service accounts should not have user-managed keys.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"1.4","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/IAM"}},"iam_project_use_default_service_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_project_use_default_service_role","org":"turbot","name":"iam_project_use_default_service_role","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'members') like any (array ['%@developer.gserviceaccount.com', '%@appspot.gserviceaccount.com']) or (attributes_std ->> 'member') like '%@developer.gserviceaccount.com' or (attributes_std ->> 'member') like '%@appspot.gserviceaccount.com') then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'members') like any (array ['%@developer.gserviceaccount.com', '%@appspot.gserviceaccount.com']) or (attributes_std ->> 'member') like '%@developer.gserviceaccount.com' or (attributes_std ->> 'member') like '%@appspot.gserviceaccount.com') then ' uses default service account role'\n else ' does not use default service account role'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_project_iam_member', 'google_project_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":141,"endLineNumber":159,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_project_use_default_service_role","org":"turbot","name":"iam_project_use_default_service_role","mod":"Terraform GCP Compliance","title":"Ensure Default Service account is not used at a project level","description":"This control checks that the Default Service account is not used at a project level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure Default Service account is not used at a project level","controlDescription":"This control checks that the Default Service account is not used at a project level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_service_account_no_admin_priviledge":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_service_account_no_admin_priviledge","org":"turbot","name":"iam_service_account_no_admin_priviledge","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'member') like '%.iam.gserviceaccount.com$' and (attributes_std ->> 'role') like any (array ['roles/Admin', 'roles/admin', 'roles/owner', 'roles/editor']) then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'member') like '%.iam.gserviceaccount.com$' and (attributes_std ->> 'role') like any (array ['roles/Admin', 'roles/admin', 'roles/owner', 'roles/editor']) then ' has admin privileges'\n else ' does not have admin privileges'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_project_iam_member';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":61,"endLineNumber":79,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_service_account_no_admin_priviledge","org":"turbot","name":"iam_service_account_no_admin_priviledge","mod":"Terraform GCP Compliance","title":"Ensure that Service Account has no admin privileges","description":"This control checks that Service Account has no admin privileges.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure that Service Account has no admin privileges","controlDescription":"This control checks that Service Account has no admin privileges.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_organization_use_default_service_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_organization_use_default_service_role","org":"turbot","name":"iam_organization_use_default_service_role","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'members') like any (array ['%@developer.gserviceaccount.com', '%@appspot.gserviceaccount.com']) or (attributes_std ->> 'member') like '%@developer.gserviceaccount.com' or (attributes_std ->> 'member') like '%@appspot.gserviceaccount.com') then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'members') like any (array ['%@developer.gserviceaccount.com', '%@appspot.gserviceaccount.com']) or (attributes_std ->> 'member') like '%@developer.gserviceaccount.com' or (attributes_std ->> 'member') like '%@appspot.gserviceaccount.com') then ' uses default service account role'\n else ' does not use default service account role'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_organization_iam_member', 'google_organization_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":161,"endLineNumber":179,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_organization_use_default_service_role","org":"turbot","name":"iam_organization_use_default_service_role","mod":"Terraform GCP Compliance","title":"Ensure Default Service account is not used at a organization level","description":"This control checks that Default Service account is not used at an organization level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure Default Service account is not used at a organization level","controlDescription":"This control checks that Default Service account is not used at an organization level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_folder_use_default_service_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_folder_use_default_service_role","org":"turbot","name":"iam_folder_use_default_service_role","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'members') like any (array ['%@developer.gserviceaccount.com', '%@appspot.gserviceaccount.com']) or (attributes_std ->> 'member') like '%@developer.gserviceaccount.com' or (attributes_std ->> 'member') like '%@appspot.gserviceaccount.com') then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'members') like any (array ['%@developer.gserviceaccount.com', '%@appspot.gserviceaccount.com']) or (attributes_std ->> 'member') like '%@developer.gserviceaccount.com' or (attributes_std ->> 'member') like '%@appspot.gserviceaccount.com') then ' uses default service account role'\n else ' does not use default service account role'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_folder_iam_member', 'google_folder_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":221,"endLineNumber":239,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_folder_use_default_service_role","org":"turbot","name":"iam_folder_use_default_service_role","mod":"Terraform GCP Compliance","title":"Ensure Default Service account is not used at a folder level","description":"This control checks that the Default Service account is not used at a folder level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure Default Service account is not used at a folder level","controlDescription":"This control checks that the Default Service account is not used at a folder level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_folder_impersonation_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_folder_impersonation_role","org":"turbot","name":"iam_folder_impersonation_role","sql":"$41","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":201,"endLineNumber":219,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_folder_impersonation_role","org":"turbot","name":"iam_folder_impersonation_role","mod":"Terraform GCP Compliance","title":"Ensure roles do not impersonate or manage Service Accounts used at folder level","description":"This control checks that roles do not impersonate or manage Service Accounts used at folder level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure roles do not impersonate or manage Service Accounts used at folder level","controlDescription":"This control checks that roles do not impersonate or manage Service Accounts used at folder level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_folder_use_basic_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_folder_use_basic_role","org":"turbot","name":"iam_folder_use_basic_role","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'role') like any (array ['roles/owner', 'roles/editor', 'roles/viewer']) then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'role') like any (array ['roles/owner', 'roles/editor', 'roles/viewer']) then ' uses basic role'\n else ' does not use basic role'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_folder_iam_member', 'google_folder_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":181,"endLineNumber":199,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_folder_use_basic_role","org":"turbot","name":"iam_folder_use_basic_role","mod":"Terraform GCP Compliance","title":"Ensure basic roles are not used at folder level","description":"This control checks that basic roles are not used at folder level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure basic roles are not used at folder level","controlDescription":"This control checks that basic roles are not used at folder level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_workload_identity_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_workload_identity_restricted","org":"turbot","name":"iam_workload_identity_restricted","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'attribute_condition') is null or (attributes_std ->> 'attribute_condition') = '' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'attribute_condition') is null or (attributes_std ->> 'attribute_condition') = '' then ' attribute condition does not exist'\n else ' attribute condition exists'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_iam_workload_identity_pool_provider';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":241,"endLineNumber":260,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_workload_identity_restricted","org":"turbot","name":"iam_workload_identity_restricted","mod":"Terraform GCP Compliance","title":"IAM workload identity pool provider should be restricted","description":"This control checks whether the IAM workload identity pool provider is restricted.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"IAM workload identity pool provider should be restricted","controlDescription":"This control checks whether the IAM workload identity pool provider is restricted.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_project_no_service_account_token_creator_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_project_no_service_account_token_creator_role","org":"turbot","name":"iam_project_no_service_account_token_creator_role","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'role') like any (array ['roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator']) then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'role') like any (array ['roles/iam.serviceAccountUser', 'roles/iam.serviceAccountTokenCreator']) then ' service account roles assigned'\n else ' no service account roles assigned'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_project_iam_member', 'google_project_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":121,"endLineNumber":139,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_project_no_service_account_token_creator_role","org":"turbot","name":"iam_project_no_service_account_token_creator_role","mod":"Terraform GCP Compliance","title":"Ensure that users are not assigned the Service Account User or Service Account Token Creator roles at project level","description":"This control checks that users are not assigned the Service Account User or Service Account Token Creator roles at the project level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure that users are not assigned the Service Account User or Service Account Token Creator roles at project level","controlDescription":"This control checks that users are not assigned the Service Account User or Service Account Token Creator roles at the project level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_organization_impersonation_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_organization_impersonation_role","org":"turbot","name":"iam_organization_impersonation_role","sql":"$42","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":101,"endLineNumber":119,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_organization_impersonation_role","org":"turbot","name":"iam_organization_impersonation_role","mod":"Terraform GCP Compliance","title":"Ensure roles do not impersonate or manage Service Accounts used at organization level","description":"This control checks that roles do not impersonate or manage Service Accounts used at organization level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure roles do not impersonate or manage Service Accounts used at organization level","controlDescription":"This control checks that roles do not impersonate or manage Service Accounts used at organization level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_project_use_basic_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_project_use_basic_role","org":"turbot","name":"iam_project_use_basic_role","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'role') like any (array ['roles/owner', 'roles/editor', 'roles/viewer']) then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'role') like any (array ['roles/owner', 'roles/editor', 'roles/viewer']) then ' uses basic role'\n else ' does not use basic role'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_project_iam_member', 'google_project_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":21,"endLineNumber":39,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_project_use_basic_role","org":"turbot","name":"iam_project_use_basic_role","mod":"Terraform GCP Compliance","title":"Ensure basic roles are not used at project level","description":"This control checks that basic roles are not used at the project level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure basic roles are not used at project level","controlDescription":"This control checks that basic roles are not used at the project level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_project_impersonation_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_project_impersonation_role","org":"turbot","name":"iam_project_impersonation_role","sql":"$43","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":81,"endLineNumber":99,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_project_impersonation_role","org":"turbot","name":"iam_project_impersonation_role","mod":"Terraform GCP Compliance","title":"Ensure roles do not impersonate or manage Service Accounts used at project level","description":"This control checks roles do not impersonate or manage Service Accounts used at project level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure roles do not impersonate or manage Service Accounts used at project level","controlDescription":"This control checks roles do not impersonate or manage Service Accounts used at project level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_organization_use_basic_role":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/iam_organization_use_basic_role","org":"turbot","name":"iam_organization_use_basic_role","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'role') like any (array ['roles/owner', 'roles/editor', 'roles/viewer']) then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'role') like any (array ['roles/owner', 'roles/editor', 'roles/viewer']) then ' uses basic role'\n else ' does not use basic role'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_organization_iam_member', 'google_organization_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":41,"endLineNumber":59,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.iam_organization_use_basic_role","org":"turbot","name":"iam_organization_use_basic_role","mod":"Terraform GCP Compliance","title":"Ensure basic roles are not used at organization level","description":"This control checks that basic roles are not used at the organization level.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}}],"controlTitle":"Ensure basic roles are not used at organization level","controlDescription":"This control checks that basic roles are not used at the organization level.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/IAM"}},"iam_account_password_policy_strong_min_length_8":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/iam_account_password_policy_strong_min_length_8","org":"turbot","name":"iam_account_password_policy_strong_min_length_8","sql":"select\n address as resource,\n case\n when\n (attributes_std -> 'minimum_password_length')::integer >= 8\n and (attributes_std -> 'require_lowercase_characters')::bool\n and (attributes_std -> 'require_uppercase_characters')::bool\n and (attributes_std -> 'require_numbers')::bool\n and (attributes_std -> 'require_symbols')::bool\n then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when\n (attributes_std -> 'minimum_password_length')::integer >= 8\n and (attributes_std -> 'require_lowercase_characters')::bool\n and (attributes_std -> 'require_uppercase_characters')::bool\n and (attributes_std -> 'require_numbers')::bool\n and (attributes_std -> 'require_symbols')::bool\n then ' Strong password policies configured'\n else ' Strong password policies not configured'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_account_password_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":133,"endLineNumber":163,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.iam_account_password_policy_strong_min_length_8","org":"turbot","name":"iam_account_password_policy_strong_min_length_8","mod":"Terraform AWS Compliance","title":"Ensure IAM password policy requires a minimum length of 8 or greater","description":"This control checks whether the account password policy for IAM users uses the recommended configurations.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/IAM"}}],"controlTitle":"Ensure IAM password policy requires a minimum length of 8 or greater","controlDescription":"This control checks whether the account password policy for IAM users uses the recommended configurations.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/IAM"}},"iam_account_password_policy_strong":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/iam_account_password_policy_strong","org":"turbot","name":"iam_account_password_policy_strong","sql":"$44","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":165,"endLineNumber":197,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.iam_account_password_policy_strong","org":"turbot","name":"iam_account_password_policy_strong","mod":"Terraform AWS Compliance","title":"Password policies for IAM users should have strong configurations","description":"This control checks whether the account password policy for IAM users have strong configurations.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/IAM"}}],"controlTitle":"Password policies for IAM users should have strong configurations","controlDescription":"This control checks whether the account password policy for IAM users have strong configurations.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/IAM"}},"iam_account_password_policy_one_symbol":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/iam_account_password_policy_one_symbol","org":"turbot","name":"iam_account_password_policy_one_symbol","sql":"select\n address as resource,\n case\n when (attributes_std -> 'require_symbols') is null then 'alarm'\n when (attributes_std -> 'require_symbols')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'require_symbols') is null then ' symbol not set to required'\n when (attributes_std -> 'require_symbols')::boolean then ' symbol set to required'\n else ' symbol not set to required'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_account_password_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":67,"endLineNumber":87,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.iam_account_password_policy_one_symbol","org":"turbot","name":"iam_account_password_policy_one_symbol","mod":"Terraform AWS Compliance","title":"Ensure IAM password policy requires at least one symbol","description":"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one symbol. Setting a password complexity policy increases account resiliency against brute force login attempts.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}}],"controlTitle":"Ensure IAM password policy requires at least one symbol","controlDescription":"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one symbol. Setting a password complexity policy increases account resiliency against brute force login attempts.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}},"iam_account_password_policy_min_length_14":"$45","iam_account_password_policy_one_uppercase_letter":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/iam_account_password_policy_one_uppercase_letter","org":"turbot","name":"iam_account_password_policy_one_uppercase_letter","sql":"select\n address as resource,\n case\n when (attributes_std -> 'require_uppercase_characters') is null then 'alarm'\n when (attributes_std -> 'require_uppercase_characters')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'require_uppercase_characters') is null then ' ''require_uppercase_characters'' not defined'\n when (attributes_std -> 'require_uppercase_characters')::boolean then ' uppercase characters set to required'\n else ' uppercase characters not set to required'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_account_password_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":89,"endLineNumber":109,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.iam_account_password_policy_one_uppercase_letter","org":"turbot","name":"iam_account_password_policy_one_uppercase_letter","mod":"Terraform AWS Compliance","title":"Ensure IAM password policy requires at least one uppercase letter","description":"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}}],"controlTitle":"Ensure IAM password policy requires at least one uppercase letter","controlDescription":"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}},"iam_account_password_policy_one_number":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/iam_account_password_policy_one_number","org":"turbot","name":"iam_account_password_policy_one_number","sql":"select\n address as resource,\n case\n when (attributes_std -> 'require_numbers') is null then 'alarm'\n when (attributes_std -> 'require_numbers')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'require_numbers') is null then ' number not set to required'\n when (attributes_std -> 'require_numbers')::bool then ' number set to required'\n else ' number not set to required'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_account_password_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":45,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.iam_account_password_policy_one_number","org":"turbot","name":"iam_account_password_policy_one_number","mod":"Terraform AWS Compliance","title":"Ensure IAM password policy requires at least one number","description":"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}}],"controlTitle":"Ensure IAM password policy requires at least one number","controlDescription":"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}},"iam_account_password_policy_one_lowercase_letter":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/iam_account_password_policy_one_lowercase_letter","org":"turbot","name":"iam_account_password_policy_one_lowercase_letter","sql":"select\n address as resource,\n case\n when (attributes_std -> 'require_lowercase_characters') is null then 'alarm'\n when (attributes_std -> 'require_lowercase_characters')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'require_lowercase_characters') is null then ' lowercase character not set to required'\n when (attributes_std -> 'require_lowercase_characters')::boolean then ' lowercase character set to required'\n else ' lowercase character not set to required'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_account_password_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":23,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.iam_account_password_policy_one_lowercase_letter","org":"turbot","name":"iam_account_password_policy_one_lowercase_letter","mod":"Terraform AWS Compliance","title":"Ensure IAM password policy requires at least one lowercase letter","description":"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one lowercase letter. Setting a password complexity policy increases account resiliency against brute force login attempts.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}}],"controlTitle":"Ensure IAM password policy requires at least one lowercase letter","controlDescription":"Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one lowercase letter. Setting a password complexity policy increases account resiliency against brute force login attempts.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}},"iam_account_password_policy_reuse_24":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/iam_account_password_policy_reuse_24","org":"turbot","name":"iam_account_password_policy_reuse_24","sql":"select\n address as resource,\n case\n when (attributes_std -> 'password_reuse_prevention') is null then 'alarm'\n when (attributes_std -> 'password_reuse_prevention')::integer >= 24 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'password_reuse_prevention') is null then ' password reuse prevention not set'\n when (attributes_std -> 'password_reuse_prevention')::integer >= 24 then ' password reuse prevention set to ' || (attributes_std ->> 'password_reuse_prevention') || ' days'\n else ' password reuse prevention set to ' || (attributes_std ->> 'password_reuse_prevention') || ' days'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_account_password_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":111,"endLineNumber":131,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.iam_account_password_policy_reuse_24","org":"turbot","name":"iam_account_password_policy_reuse_24","mod":"Terraform AWS Compliance","title":"Ensure IAM password policy prevents password reuse","description":"This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24. IAM password policies can prevent the reuse of a given password by the same user.","tags":{"category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}}],"controlTitle":"Ensure IAM password policy prevents password reuse","controlDescription":"This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24. IAM password policies can prevent the reuse of a given password by the same user.","controlTags":{"category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}},"iam_password_policy_expire_90":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/iam_password_policy_expire_90","org":"turbot","name":"iam_password_policy_expire_90","sql":"select\n address as resource,\n case\n when (attributes_std -> 'max_password_age') is null then 'alarm'\n when (attributes_std -> 'max_password_age')::integer <= 90 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'max_password_age') is null then ' password expiration not set'\n when (attributes_std -> 'max_password_age')::integer <= 90 then ' password expiration set to ' || (attributes_std ->> 'max_password_age') || ' days'\n else ' password expiration set to ' || (attributes_std ->> 'max_password_age') || ' days'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_iam_account_password_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":199,"endLineNumber":219,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.iam_password_policy_expire_90","org":"turbot","name":"iam_password_policy_expire_90","mod":"Terraform AWS Compliance","title":"Ensure IAM password policy expires passwords within 90 days or less","description":"IAM password policies can require passwords to be rotated or expired after a given number of days. Security Hub recommends that the password policy expire passwords after 90 days or less. Reducing the password lifetime increases account resiliency against brute force login attempts.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}}],"controlTitle":"Ensure IAM password policy expires passwords within 90 days or less","controlDescription":"IAM password policies can require passwords to be rotated or expired after a given number of days. Security Hub recommends that the password policy expire passwords after 90 days or less. Reducing the password lifetime increases account resiliency against brute force login attempts.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","service":"AWS/IAM"}}},"dns":{"dns_managed_zone_zone_signing_not_using_rsasha1":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/dns_managed_zone_zone_signing_not_using_rsasha1","org":"turbot","name":"dns_managed_zone_zone_signing_not_using_rsasha1","sql":"$4e","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dns.pp","startLineNumber":1,"endLineNumber":32,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.dnssec_prevent_rsasha1_zsk","org":"turbot","name":"dnssec_prevent_rsasha1_zsk","mod":"GCP Compliance","title":"Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS","tags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"gcp","service":"GCP/DNS","severity":"high"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_3_5","org":"turbot","name":"cis_v300_3_5","mod":"GCP Compliance","title":"3.5 Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC","description":"DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.5","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/DNS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_3_5","org":"turbot","name":"cis_v200_3_5","mod":"GCP Compliance","title":"3.5 Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC","description":"DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.5","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/DNS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_3_5","org":"turbot","name":"cis_v130_3_5","mod":"GCP Compliance","title":"3.5 Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC","description":"DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.5","cis_level":"1","cis_section_id":"3","cis_type":"manual","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/DNS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_3_5","org":"turbot","name":"cis_v120_3_5","mod":"GCP Compliance","title":"3.5 Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC","description":"DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.5","cis_level":"1","cis_section_id":"3","cis_type":"manual","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/DNS"}}],"controlTitle":"Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"gcp","service":"GCP/DNS","severity":"high","benchmark":"cis","cis_item_id":"3.5","cis_level":"1","cis_section_id":"3","cis_type":"manual","cis_version":"v1.2.0"}},"dns_managed_zone_key_signing_not_using_rsasha1":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/dns_managed_zone_key_signing_not_using_rsasha1","org":"turbot","name":"dns_managed_zone_key_signing_not_using_rsasha1","sql":"$4f","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dns.pp","startLineNumber":63,"endLineNumber":94,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_3_4","org":"turbot","name":"cis_v300_3_4","mod":"GCP Compliance","title":"3.4 Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC","description":"DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.4","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/DNS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_3_4","org":"turbot","name":"cis_v200_3_4","mod":"GCP Compliance","title":"3.4 Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC","description":"DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.4","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/DNS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_3_4","org":"turbot","name":"cis_v130_3_4","mod":"GCP Compliance","title":"3.4 Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC","description":"DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.4","cis_level":"1","cis_section_id":"3","cis_type":"manual","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/DNS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_3_4","org":"turbot","name":"cis_v120_3_4","mod":"GCP Compliance","title":"3.4 Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC","description":"DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.4","cis_level":"1","cis_section_id":"3","cis_type":"manual","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/DNS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.dnssec_prevent_rsasha1_ksk","org":"turbot","name":"dnssec_prevent_rsasha1_ksk","mod":"GCP Compliance","title":"Ensure that RSASHA1 is not used for key-signing key in Cloud DNS","tags":{"category":"Compliance","cft_scorecard_v1":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/DNS","severity":"high","soc_2_2017":"true"}}],"controlTitle":"3.4 Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC","controlDescription":"DNSSEC algorithm numbers in this registry may be used in CERT RRs. Zone signing (DNSSEC) and transaction security mechanisms (SIG(0) and TSIG) make use of particular subsets of these algorithms. The algorithm used for key signing should be a recommended one and it should be strong.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.4","cis_level":"1","cis_section_id":"3","cis_type":"manual","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/DNS","cft_scorecard_v1":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","severity":"high","soc_2_2017":"true"}},"dns_managed_zone_dnssec_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/dns_managed_zone_dnssec_enabled","org":"turbot","name":"dns_managed_zone_dnssec_enabled","sql":"$50","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dns.pp","startLineNumber":34,"endLineNumber":61,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_3_3","org":"turbot","name":"cis_v300_3_3","mod":"GCP Compliance","title":"3.3 Ensure That DNSSEC Is Enabled for Cloud DNS","description":"Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.3","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/DNS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_3_3","org":"turbot","name":"cis_v200_3_3","mod":"GCP Compliance","title":"3.3 Ensure that DNSSEC is enabled for Cloud DNS","description":"Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.3","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/DNS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_3_3","org":"turbot","name":"cis_v130_3_3","mod":"GCP Compliance","title":"3.3 Ensure that DNSSEC is enabled for Cloud DNS","description":"Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.3","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/DNS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_3_3","org":"turbot","name":"cis_v120_3_3","mod":"GCP Compliance","title":"3.3 Ensure that DNSSEC is enabled for Cloud DNS","description":"Cloud Domain Name System (DNS) is a fast, reliable and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.3","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/DNS"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.dns_managed_zone_dnssec_enabled","org":"turbot","name":"dns_managed_zone_dnssec_enabled","mod":"GCP Compliance","title":"Ensure that DNSSEC is enabled for Cloud DNS","description":"Cloud Domain Name System (DNS) is a fast, reliable, and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.","tags":{"category":"Compliance","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/DNS","soc_2_2017":"true"}}],"controlTitle":"Ensure that DNSSEC is enabled for Cloud DNS","controlDescription":"Cloud Domain Name System (DNS) is a fast, reliable, and cost-effective domain name system that powers millions of domains on the internet. Domain Name System Security Extensions (DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains against DNS hijacking and man-in-the-middle and other attacks.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.3","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/DNS","nist_800_53_rev_5":"true","nist_csf_v10":"true","soc_2_2017":"true"}},"dns_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/dns_azure_defender_enabled","org":"turbot","name":"dns_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'Dns' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'Dns' and (attributes_std ->> 'tier') = 'Standard' then ' Dns azure defender enabled'\n else ' Dns azure defender disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dns.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.dns_azure_defender_enabled","org":"turbot","name":"dns_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for DNS should be enabled","description":"Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/DNS"}}],"controlTitle":"Azure Defender for DNS should be enabled","controlDescription":"Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/DNS"}}},"compute":{"compute_subnetwork_private_ip_google_access":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_subnetwork_private_ip_google_access","org":"turbot","name":"compute_subnetwork_private_ip_google_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'private_ip_google_access')::boolean then 'ok' else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'private_ip_google_access') is null then ' ''private_ip_google_access'' is not defined'\n when (attributes_std ->> 'private_ip_google_access')::boolean then ' private Google Access is enabled'\n else ' private Google Access is disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_subnetwork';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":189,"endLineNumber":207,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.enable_network_private_google_access","org":"turbot","name":"enable_network_private_google_access","mod":"GCP Compliance","title":"Ensure Private Google Access is enabled for all subnetworks in VPC","tags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"gcp","service":"GCP/Compute","severity":"high"}}],"controlTitle":"Ensure Private Google Access is enabled for all subnetworks in VPC","controlTags":{"category":"Compliance","cft_scorecard_v1":"true","plugin":"gcp","service":"GCP/Compute","severity":"high"}},"compute_subnetwork_flow_log_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_subnetwork_flow_log_enabled","org":"turbot","name":"compute_subnetwork_flow_log_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'purpose') in ('REGIONAL_MANAGED_PROXY', 'GLOBAL_MANAGED_PROXY') then 'skip'\n when (attributes_std -> 'log_config') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'purpose') in ('REGIONAL_MANAGED_PROXY', 'GLOBAL_MANAGED_PROXY') then ' flow logging not supported'\n when (attributes_std -> 'log_config') is not null then ' flow logging enabled'\n else ' flow logging disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_subnetwork';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":144,"endLineNumber":164,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_3_8","org":"turbot","name":"cis_v300_3_8","mod":"GCP Compliance","title":"3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network","description":"Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business-critical VPC subnet.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.8","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_3_8","org":"turbot","name":"cis_v200_3_8","mod":"GCP Compliance","title":"3.8 Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network","description":"Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business-critical VPC subnet.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.8","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_3_8","org":"turbot","name":"cis_v130_3_8","mod":"GCP Compliance","title":"3.8 Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network","description":"Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business-critical VPC subnet.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.8","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_3_8","org":"turbot","name":"cis_v120_3_8","mod":"GCP Compliance","title":"3.8 Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network","description":"Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business-critical VPC subnet.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.8","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.enable_network_flow_logs","org":"turbot","name":"enable_network_flow_logs","mod":"GCP Compliance","title":"Ensure VPC Flow logs is enabled for every subnet in VPC Network","tags":{"category":"Compliance","cft_scorecard_v1":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/Compute","severity":"high","soc_2_2017":"true"}}],"controlTitle":"3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network","controlDescription":"Flow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in the organization's VPC Subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. It is recommended that Flow Logs be enabled for every business-critical VPC subnet.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.8","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute","cft_scorecard_v1":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","pci_dss_v321":"true","severity":"high","soc_2_2017":"true"}},"compute_network_contains_no_legacy_network":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_network_contains_no_legacy_network","org":"turbot","name":"compute_network_contains_no_legacy_network","sql":"select\n address as resource,\n case\n when (attributes_std -> 'auto_create_subnetworks') is null then 'ok'\n when (attributes_std -> 'auto_create_subnetworks')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'auto_create_subnetworks') is null then ' is not a legacy network'\n when (attributes_std -> 'auto_create_subnetworks')::bool then ' is not a legacy network'\n else ' is a legacy network'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_network';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":122,"endLineNumber":142,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_3_2","org":"turbot","name":"cis_v200_3_2","mod":"GCP Compliance","title":"3.2 Ensure legacy networks do not exist for a project","description":"In order to prevent use of legacy networks, a project should not have a legacy network configured.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.2","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_3_2","org":"turbot","name":"cis_v130_3_2","mod":"GCP Compliance","title":"3.2 Ensure legacy networks do not exist for a project","description":"In order to prevent use of legacy networks, a project should not have a legacy network configured.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.2","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_3_2","org":"turbot","name":"cis_v120_3_2","mod":"GCP Compliance","title":"3.2 Ensure legacy networks do not exist for a project","description":"In order to prevent use of legacy networks, a project should not have a legacy network configured.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.2","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_3_2","org":"turbot","name":"cis_v300_3_2","mod":"GCP Compliance","title":"3.2 Ensure Legacy Networks Do Not Exist for Older Projects","description":"In order to prevent use of legacy networks, a project should not have a legacy network configured.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.2","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.compute_network_contains_no_legacy_network","org":"turbot","name":"compute_network_contains_no_legacy_network","mod":"GCP Compliance","title":"Ensure legacy networks do not exist for a project","description":"In order to prevent use of legacy networks, a project should not have a legacy network configured.","tags":{"category":"Compliance","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/Compute","soc_2_2017":"true"}}],"controlTitle":"Ensure legacy networks do not exist for a project","controlDescription":"In order to prevent use of legacy networks, a project should not have a legacy network configured.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.2","cis_level":"1","cis_section_id":"3","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Compute","nist_800_53_rev_5":"true","nist_csf_v10":"true","soc_2_2017":"true"}},"compute_network_contains_no_default_network":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_network_contains_no_default_network","org":"turbot","name":"compute_network_contains_no_default_network","sql":"select\n address as resource,\n case\n when name not ilike 'default' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when name not ilike 'default' and (attributes_std ->> 'project') is not null then ' ' || (attributes_std ->> 'project') || ' is not using default network'\n when name not ilike 'default' and (attributes_std ->> 'project') is null then ' provider project is not using default network'\n when name ilike 'default' and (attributes_std ->> 'project') is null then ' provider project is using default network'\n when name ilike 'default' and (attributes_std ->> 'project') is not null then ' ' || (attributes_std ->> 'project') || ' is using default network'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_network';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":80,"endLineNumber":100,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_3_1","org":"turbot","name":"cis_v300_3_1","mod":"GCP Compliance","title":"3.1 Ensure That the Default Network Does Not Exist in a Project","description":"To prevent use of default network, a project should not have a default network.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.1","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_3_1","org":"turbot","name":"cis_v200_3_1","mod":"GCP Compliance","title":"3.1 Ensure that the default network does not exist in a project","description":"To prevent use of default network, a project should not have a default network.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.1","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_3_1","org":"turbot","name":"cis_v130_3_1","mod":"GCP Compliance","title":"3.1 Ensure that the default network does not exist in a project","description":"To prevent use of default network, a project should not have a default network.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.1","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_3_1","org":"turbot","name":"cis_v120_3_1","mod":"GCP Compliance","title":"3.1 Ensure that the default network does not exist in a project","description":"To prevent use of default network, a project should not have a default network.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.1","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.compute_network_contains_no_default_network","org":"turbot","name":"compute_network_contains_no_default_network","mod":"GCP Compliance","title":"Ensure that the default network does not exist in a project","description":"To prevent the use of default network, a project should not have a default network.","tags":{"category":"Compliance","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/Compute","soc_2_2017":"true"}}],"controlTitle":"Ensure that the default network does not exist in a project","controlDescription":"To prevent the use of default network, a project should not have a default network.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"3.1","cis_level":"2","cis_section_id":"3","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute","nist_800_53_rev_5":"true","nist_csf_v10":"true","soc_2_2017":"true"}},"compute_instance_with_no_public_ip_addresses":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_with_no_public_ip_addresses","org":"turbot","name":"compute_instance_with_no_public_ip_addresses","sql":"select\n address as resource,\n case\n when (attributes_std -> 'network_interface' -> 'access_config') is null or (attributes_std -> 'network_interface' ->> 'access_config') like '{}' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'network_interface' -> 'access_config') is null or (attributes_std -> 'network_interface' ->> 'access_config') like '{}' then ' not associated with public IP addresses'\n else ' associated with public IP addresses'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":280,"endLineNumber":299,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_4_9","org":"turbot","name":"cis_v300_4_9","mod":"GCP Compliance","title":"4.9 Ensure That Compute Instances Do Not Have Public IP Addresses","description":"Compute instances should not be configured to have external IP addresses.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.9","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_4_9","org":"turbot","name":"cis_v200_4_9","mod":"GCP Compliance","title":"4.9 Ensure that Compute instances do not have public IP addresses","description":"Compute instances should not be configured to have external IP addresses.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.9","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_4_9","org":"turbot","name":"cis_v130_4_9","mod":"GCP Compliance","title":"4.9 Ensure that Compute instances do not have public IP addresses","description":"Compute instances should not be configured to have external IP addresses.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.9","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_4_9","org":"turbot","name":"cis_v120_4_9","mod":"GCP Compliance","title":"4.9 Ensure that Compute instances do not have public IP addresses","description":"Compute instances should not be configured to have external IP addresses.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.9","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.compute_instance_with_no_public_ip_addresses","org":"turbot","name":"compute_instance_with_no_public_ip_addresses","mod":"GCP Compliance","title":"Ensure that Compute instances do not have public IP addresses","description":"Compute instances should not be configured to have external IP addresses.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/Compute","soc_2_2017":"true"}}],"controlTitle":"Ensure that Compute instances do not have public IP addresses","controlDescription":"Compute instances should not be configured to have external IP addresses.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.9","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","pci_dss_v321":"true","soc_2_2017":"true"}},"compute_instance_with_no_default_service_account_with_full_access":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_with_no_default_service_account_with_full_access","org":"turbot","name":"compute_instance_with_no_default_service_account_with_full_access","sql":"$51","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":55,"endLineNumber":78,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_4_2","org":"turbot","name":"cis_v300_4_2","mod":"GCP Compliance","title":"4.2 Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs","description":"To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.2","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_4_2","org":"turbot","name":"cis_v200_4_2","mod":"GCP Compliance","title":"4.2 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs","description":"To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.2","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_4_2","org":"turbot","name":"cis_v130_4_2","mod":"GCP Compliance","title":"4.2 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs","description":"To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.2","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_4_2","org":"turbot","name":"cis_v120_4_2","mod":"GCP Compliance","title":"4.2 Ensure that instances are not configured to use the default service account with full access to all Cloud APIs","description":"To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.2","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.compute_instance_with_no_default_service_account_with_full_access","org":"turbot","name":"compute_instance_with_no_default_service_account_with_full_access","mod":"GCP Compliance","title":"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs","description":"To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs.","tags":{"category":"Compliance","nist_800_53_rev_5":"true","nist_csf_v10":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/Compute","soc_2_2017":"true"}}],"controlTitle":"Ensure that instances are not configured to use the default service account with full access to all Cloud APIs","controlDescription":"To support principle of least privileges and prevent potential privilege escalation it is recommended that instances are not assigned to default service account Compute Engine default service account with Scope Allow full access to all Cloud APIs.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.2","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute","nist_800_53_rev_5":"true","nist_csf_v10":"true","pci_dss_v321":"true","soc_2_2017":"true"}},"compute_instance_with_no_default_service_account":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_with_no_default_service_account","org":"turbot","name":"compute_instance_with_no_default_service_account","sql":"$52","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":26,"endLineNumber":53,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_4_1","org":"turbot","name":"cis_v300_4_1","mod":"GCP Compliance","title":"4.1 Ensure That Instances Are Not Configured To Use the Default Service Account","description":"It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.1","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_4_1","org":"turbot","name":"cis_v200_4_1","mod":"GCP Compliance","title":"4.1 Ensure that instances are not configured to use the default service account","description":"It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.1","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_4_1","org":"turbot","name":"cis_v130_4_1","mod":"GCP Compliance","title":"4.1 Ensure that instances are not configured to use the default service account","description":"It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.1","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_4_1","org":"turbot","name":"cis_v120_4_1","mod":"GCP Compliance","title":"4.1 Ensure that instances are not configured to use the default service account","description":"It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.1","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.compute_instance_with_no_default_service_account","org":"turbot","name":"compute_instance_with_no_default_service_account","mod":"GCP Compliance","title":"Ensure that instances are not configured to use the default service account","description":"It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.","tags":{"category":"Compliance","nist_800_53_rev_5":"true","nist_csf_v10":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/Compute","soc_2_2017":"true"}}],"controlTitle":"Ensure that instances are not configured to use the default service account","controlDescription":"It is recommended to configure your instance to not use the default Compute Engine service account because it has the Editor role on the project.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.1","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute","nist_800_53_rev_5":"true","nist_csf_v10":"true","pci_dss_v321":"true","soc_2_2017":"true"}},"compute_instance_shielded_vm_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_shielded_vm_enabled","org":"turbot","name":"compute_instance_shielded_vm_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'shielded_instance_config') is null then 'alarm'\n when (attributes_std -> 'shielded_instance_config' -> 'enable_integrity_monitoring')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'shielded_instance_config') is null then ' shielded VM disabled'\n when (attributes_std -> 'shielded_instance_config' -> 'enable_integrity_monitoring')::bool then ' shielded VM enabled'\n else ' shielded VM disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":234,"endLineNumber":255,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_4_8","org":"turbot","name":"cis_v300_4_8","mod":"GCP Compliance","title":"4.8 Ensure Compute Instances Are Launched With Shielded VM Enabled","description":"To defend against against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.8","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_4_8","org":"turbot","name":"cis_v200_4_8","mod":"GCP Compliance","title":"4.8 Ensure Compute instances are launched with Shielded VM enabled","description":"To defend against against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.8","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_4_8","org":"turbot","name":"cis_v130_4_8","mod":"GCP Compliance","title":"4.8 Ensure Compute instances are launched with Shielded VM enabled","description":"To defend against against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.8","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_4_8","org":"turbot","name":"cis_v120_4_8","mod":"GCP Compliance","title":"4.8 Ensure Compute instances are launched with Shielded VM enabled","description":"To defend against against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.8","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.compute_instance_shielded_vm_enabled","org":"turbot","name":"compute_instance_shielded_vm_enabled","mod":"GCP Compliance","title":"Ensure Compute instances are launched with Shielded VM enabled","description":"To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.","tags":{"category":"Compliance","plugin":"gcp","service":"GCP/Compute"}}],"controlTitle":"Ensure Compute instances are launched with Shielded VM enabled","controlDescription":"To defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, it is recommended that Compute instances are launched with Shielded VM enabled.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.8","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute"}},"compute_instance_serial_port_connection_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_serial_port_connection_disabled","org":"turbot","name":"compute_instance_serial_port_connection_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'metadata') is null then 'alarm'\n when (attributes_std -> 'metadata' -> 'serial-port-enable') is null then 'alarm'\n when (attributes_std -> 'metadata' ->> 'serial-port-enable') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'metadata') is null then ' ''metadata'' property is not defined'\n when (attributes_std -> 'metadata' -> 'serial-port-enable') is null then ' ''serial-port-enable'' property is not defined'\n when (attributes_std -> 'metadata' ->> 'serial-port-enable') = 'true' then ' has serial port connections enabled'\n else ' has serial port connections disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":209,"endLineNumber":232,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_4_5","org":"turbot","name":"cis_v300_4_5","mod":"GCP Compliance","title":"4.5 Ensure ‘Enable Connecting to Serial Ports’ Is Not Enabled for VM Instance ","description":"Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.5","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_4_5","org":"turbot","name":"cis_v200_4_5","mod":"GCP Compliance","title":"4.5 Ensure 'Enable connecting to serial ports' is not enabled for VM Instance","description":"Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.5","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_4_5","org":"turbot","name":"cis_v130_4_5","mod":"GCP Compliance","title":"4.5 Ensure 'Enable connecting to serial ports' is not enabled for VM Instance","description":"Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.5","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_4_5","org":"turbot","name":"cis_v120_4_5","mod":"GCP Compliance","title":"4.5 Ensure 'Enable connecting to serial ports' is not enabled for VM Instance","description":"Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.5","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.compute_instance_serial_port_connection_disabled","org":"turbot","name":"compute_instance_serial_port_connection_disabled","mod":"GCP Compliance","title":"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance","description":"Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.","tags":{"category":"Compliance","nist_800_53_rev_5":"true","plugin":"gcp","service":"GCP/Compute","soc_2_2017":"true"}}],"controlTitle":"Ensure 'Enable connecting to serial ports' is not enabled for VM Instance","controlDescription":"Interacting with a serial port is often referred to as the serial console, which is similar to using a terminal window, in that input and output is entirely in text mode and there is no graphical interface or mouse support.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.5","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute","nist_800_53_rev_5":"true","soc_2_2017":"true"}},"compute_instance_oslogin_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_oslogin_enabled","org":"turbot","name":"compute_instance_oslogin_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'metadata') is null then 'alarm'\n when (attributes_std -> 'metadata' -> 'enable-oslogin') is null then 'alarm'\n when (attributes_std -> 'metadata' ->> 'enable-oslogin') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'metadata') is null then ' ''metadata'' property is not defined'\n when (attributes_std -> 'metadata' -> 'enable-oslogin') is null then ' ''enable-oslogin'' property is not defined'\n when (attributes_std -> 'metadata' ->> 'enable-oslogin') = 'true' then ' has OS login enabled'\n else ' has OS login disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":1,"endLineNumber":24,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_4_4","org":"turbot","name":"cis_v300_4_4","mod":"GCP Compliance","title":"4.4 Ensure Oslogin Is Enabled for a Project","description":"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.4","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_4_4","org":"turbot","name":"cis_v200_4_4","mod":"GCP Compliance","title":"4.4 Ensure oslogin is enabled for a Project","description":"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.4","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_4_4","org":"turbot","name":"cis_v130_4_4","mod":"GCP Compliance","title":"4.4 Ensure oslogin is enabled for a Project","description":"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.4","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_4_4","org":"turbot","name":"cis_v120_4_4","mod":"GCP Compliance","title":"4.4 Ensure oslogin is enabled for a Project","description":"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.4","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.compute_instance_oslogin_enabled","org":"turbot","name":"compute_instance_oslogin_enabled","mod":"GCP Compliance","title":"Ensure OS login is enabled for all instances in the Project","description":"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.","tags":{"category":"Compliance","nist_800_53_rev_5":"true","plugin":"gcp","service":"GCP/Compute","soc_2_2017":"true"}}],"controlTitle":"Ensure OS login is enabled for all instances in the Project","controlDescription":"Enabling OS login binds SSH certificates to IAM users and facilitates effective SSH certificate management.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.4","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute","nist_800_53_rev_5":"true","soc_2_2017":"true"}},"compute_instance_ip_forwarding_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_ip_forwarding_disabled","org":"turbot","name":"compute_instance_ip_forwarding_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'can_ip_forward') is null then 'alarm'\n when (attributes_std -> 'can_ip_forward')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'can_ip_forward') is null then ' IP forwarding disabled'\n when (attributes_std -> 'can_ip_forward')::bool then ' IP forwarding enabled'\n else ' IP forwarding disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":257,"endLineNumber":278,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_4_6","org":"turbot","name":"cis_v300_4_6","mod":"GCP Compliance","title":"4.6 Ensure That IP Forwarding Is Not Enabled on Instances","description":"Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.6","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_4_6","org":"turbot","name":"cis_v200_4_6","mod":"GCP Compliance","title":"4.6 Ensure that IP forwarding is not enabled on Instances","description":"Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.6","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_4_6","org":"turbot","name":"cis_v130_4_6","mod":"GCP Compliance","title":"4.6 Ensure that IP forwarding is not enabled on Instances","description":"Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.6","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_4_6","org":"turbot","name":"cis_v120_4_6","mod":"GCP Compliance","title":"4.6 Ensure that IP forwarding is not enabled on Instances","description":"Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.6","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.compute_instance_ip_forwarding_disabled","org":"turbot","name":"compute_instance_ip_forwarding_disabled","mod":"GCP Compliance","title":"Ensure that IP forwarding is not enabled on Instances","description":"Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.","tags":{"category":"Compliance","nist_800_53_rev_5":"true","plugin":"gcp","service":"GCP/Compute","soc_2_2017":"true"}}],"controlTitle":"Ensure that IP forwarding is not enabled on Instances","controlDescription":"Compute Engine instance cannot forward a packet unless the source IP address of the packet matches the IP address of the instance. Similarly, GCP won't deliver a packet whose destination IP address is different than the IP address of the instance receiving the packet. However, both capabilities are required if you want to use instances to help route packets.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.6","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute","nist_800_53_rev_5":"true","soc_2_2017":"true"}},"compute_instance_confidential_computing_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_confidential_computing_enabled","org":"turbot","name":"compute_instance_confidential_computing_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'confidential_instance_config') is null then 'alarm'\n when (attributes_std -> 'confidential_instance_config' -> 'enable_confidential_compute')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'confidential_instance_config') is null then ' confidential computing disabled'\n when (attributes_std -> 'confidential_instance_config' -> 'enable_confidential_compute')::bool then ' confidential computing enabled'\n else ' confidential computing disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":166,"endLineNumber":187,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_4_11","org":"turbot","name":"cis_v300_4_11","mod":"GCP Compliance","title":"4.11 Ensure That Compute Instances Have Confidential Computing Enabled","description":"Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use—while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.11","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_4_11","org":"turbot","name":"cis_v200_4_11","mod":"GCP Compliance","title":"4.11 Ensure that Compute instances have Confidential Computing enabled","description":"Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use—while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.11","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_4_11","org":"turbot","name":"cis_v130_4_11","mod":"GCP Compliance","title":"4.11 Ensure that Compute instances have Confidential Computing enabled","description":"Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use—while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.11","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_4_11","org":"turbot","name":"cis_v120_4_11","mod":"GCP Compliance","title":"4.11 Ensure that Compute instances have Confidential Computing enabled","description":"Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use—while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.11","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.compute_instance_confidential_computing_enabled","org":"turbot","name":"compute_instance_confidential_computing_enabled","mod":"GCP Compliance","title":"Ensure that Compute instances have Confidential Computing enabled","description":"Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use—while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).","tags":{"category":"Compliance","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/Compute","soc_2_2017":"true"}}],"controlTitle":"Ensure that Compute instances have Confidential Computing enabled","controlDescription":"Google Cloud encrypts data at-rest and in-transit, but customer data must be decrypted for processing. Confidential Computing is a breakthrough technology which encrypts data in-use—while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.11","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute","nist_800_53_rev_5":"true","nist_csf_v10":"true","soc_2_2017":"true"}},"compute_instance_block_project_wide_ssh_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_block_project_wide_ssh_enabled","org":"turbot","name":"compute_instance_block_project_wide_ssh_enabled","sql":"$53","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":322,"endLineNumber":349,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_4_3","org":"turbot","name":"cis_v300_4_3","mod":"GCP Compliance","title":"4.3 Ensure 'Block Project-Wide SSH Keys' Is Enabled for VM Instances","description":"It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.3","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_4_3","org":"turbot","name":"cis_v200_4_3","mod":"GCP Compliance","title":"4.3 Ensure 'Block Project-wide SSH keys' is enabled for VM instances","description":"It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.3","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_4_3","org":"turbot","name":"cis_v130_4_3","mod":"GCP Compliance","title":"4.3 Ensure 'Block Project-wide SSH keys' is enabled for VM instances","description":"It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.3","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_4_3","org":"turbot","name":"cis_v120_4_3","mod":"GCP Compliance","title":"4.3 Ensure 'Block Project-wide SSH keys' is enabled for VM instances","description":"It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.3","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.compute_instance_block_project_wide_ssh_enabled","org":"turbot","name":"compute_instance_block_project_wide_ssh_enabled","mod":"GCP Compliance","title":"Ensure 'Block Project-wide SSH keys' is enabled for VM instances","description":"It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.","tags":{"category":"Compliance","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/Compute","soc_2_2017":"true"}}],"controlTitle":"Ensure 'Block Project-wide SSH keys' is enabled for VM instances","controlDescription":"It is recommended to use Instance specific SSH key(s) instead of using common/shared project-wide SSH key(s) to access Instances.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.3","cis_level":"1","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute","nist_800_53_rev_5":"true","nist_csf_v10":"true","soc_2_2017":"true"}},"compute_disk_encrypted_with_csk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_disk_encrypted_with_csk","org":"turbot","name":"compute_disk_encrypted_with_csk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'disk_encryption_key') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'disk_encryption_key') is null then 'not encrypted with Customer Supplied Key'\n else ' encrypted with Customer Supplied Key'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_disk';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":102,"endLineNumber":120,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_4_7","org":"turbot","name":"cis_v300_4_7","mod":"GCP Compliance","title":"4.7 Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys","description":"Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.7","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_4_7","org":"turbot","name":"cis_v200_4_7","mod":"GCP Compliance","title":"4.7 Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)","description":"Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.7","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_4_7","org":"turbot","name":"cis_v130_4_7","mod":"GCP Compliance","title":"4.7 Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)","description":"Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.7","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_4_7","org":"turbot","name":"cis_v120_4_7","mod":"GCP Compliance","title":"4.7 Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)","description":"Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.7","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.compute_disk_encrypted_with_csk","org":"turbot","name":"compute_disk_encrypted_with_csk","mod":"GCP Compliance","title":"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)","description":"Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/Compute","soc_2_2017":"true"}}],"controlTitle":"Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK)","controlDescription":"Customer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and Google Compute Engine. If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data. By default, Google Compute Engine encrypts all data at rest. Compute Engine handles and manages this encryption for you without any additional actions on your part. However, if you wanted to control and manage this encryption yourself, you can provide your own encryption keys.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"4.7","cis_level":"2","cis_section_id":"4","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/Compute","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","soc_2_2017":"true"}},"network_interface_ip_forwarding_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_interface_ip_forwarding_disabled","org":"turbot","name":"network_interface_ip_forwarding_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'enable_ip_forwarding')::boolean then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'enable_ip_forwarding')::boolean then ' network interface enabled with IP forwarding'\n else ' network interface disabled with IP forwarding'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_network_interface'\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":35,"endLineNumber":54,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_interface_ip_forwarding_disabled","org":"turbot","name":"network_interface_ip_forwarding_disabled","mod":"Azure Compliance","title":"IP Forwarding on your virtual machine should be disabled","description":"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}}],"controlTitle":"IP Forwarding on your virtual machine should be disabled","controlDescription":"Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}},"compute_vm_utilizing_managed_disk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_utilizing_managed_disk","org":"turbot","name":"compute_vm_utilizing_managed_disk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'storage_os_disk' ->> 'managed_disk_type') is not null or\n (attributes_std -> 'storage_os_disk' ->> 'managed_disk_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'storage_os_disk' ->> 'managed_disk_type') is not null or\n (attributes_std -> 'storage_os_disk' ->> 'managed_disk_id') is not null then ' utilizing managed disks'\n else ' not utilizing managed disks'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_virtual_machine';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":111,"endLineNumber":132,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_7_1","org":"turbot","name":"cis_v150_7_1","mod":"Azure Compliance","title":"7.1 Ensure Virtual Machines are utilizing Managed Disks","description":"Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.1","cis_level":"1","cis_section_id":"7","cis_type":"manual","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_7_1","org":"turbot","name":"cis_v140_7_1","mod":"Azure Compliance","title":"7.1 Ensure Virtual Machines are utilizing Managed Disks","description":"Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.1","cis_level":"1","cis_section_id":"7","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_7_1","org":"turbot","name":"cis_v130_7_1","mod":"Azure Compliance","title":"7.1 Ensure Virtual Machines are utilizing Managed Disks","description":"Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.1","cis_level":"1","cis_section_id":"7","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_7_2","org":"turbot","name":"cis_v210_7_2","mod":"Azure Compliance","title":"7.2 Ensure Virtual Machines are utilizing Managed Disks","description":"Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.2","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_7_2","org":"turbot","name":"cis_v200_7_2","mod":"Azure Compliance","title":"7.2 Ensure Virtual Machines are utilizing Managed Disks","description":"Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.2","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_8_2","org":"turbot","name":"cis_v300_8_2","mod":"Azure Compliance","title":"8.2 Ensure Virtual Machines are utilizing Managed Disks","description":"Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration.","tags":{"category":"Compliance","cis":"true","cis_item_id":"8.2","cis_level":"1","cis_section_id":"8","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Compute"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_utilizing_managed_disk","org":"turbot","name":"compute_vm_utilizing_managed_disk","mod":"Azure Compliance","title":"Ensure Virtual Machines are utilizing Managed Disks","description":"Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration.","tags":{"service":"Azure/Compute"}}],"controlTitle":"Ensure Virtual Machines are utilizing Managed Disks","controlDescription":"Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"8.2","cis_level":"1","cis_section_id":"8","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Compute"}},"compute_vm_uses_azure_resource_manager":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_uses_azure_resource_manager","org":"turbot","name":"compute_vm_uses_azure_resource_manager","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_group_name') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_group_name') is not null then ' uses azure resource manager'\n else ' uses azure resource manager'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_virtual_machine';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":227,"endLineNumber":246,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_uses_azure_resource_manager","org":"turbot","name":"compute_vm_uses_azure_resource_manager","mod":"Azure Compliance","title":"Virtual machines should be migrated to new Azure Resource Manager resources","description":"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}}],"controlTitle":"Virtual machines should be migrated to new Azure Resource Manager resources","controlDescription":"Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}},"compute_vm_system_updates_installed":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_system_updates_installed","org":"turbot","name":"compute_vm_system_updates_installed","sql":"select\n address as resource,\n case\n when (attributes_std -> 'os_profile_windows_config' ->> 'enable_automatic_upgrades')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'os_profile_windows_config' ->> 'enable_automatic_upgrades')::boolean then ' automatic system updates enabled'\n else ' automatic system updates disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_virtual_machine';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_system_updates_installed","org":"turbot","name":"compute_vm_system_updates_installed","mod":"Azure Compliance","title":"System updates should be installed on your machines","description":"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}}],"controlTitle":"System updates should be installed on your machines","controlDescription":"Missing security system updates on your servers will be monitored by Azure Security Center as recommendations.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Compute"}},"compute_vm_malware_agent_installed":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_malware_agent_installed","org":"turbot","name":"compute_vm_malware_agent_installed","sql":"$54","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":248,"endLineNumber":290,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_malware_agent_installed","org":"turbot","name":"compute_vm_malware_agent_installed","mod":"Azure Compliance","title":"Deploy default Microsoft IaaSAntimalware extension for Windows Server","description":"This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension.","tags":{"hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","service":"Azure/Compute"}}],"controlTitle":"Deploy default Microsoft IaaSAntimalware extension for Windows Server","controlDescription":"This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension.","controlTags":{"hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","service":"Azure/Compute"}},"compute_vm_guest_configuration_installed_windows":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_guest_configuration_installed_windows","org":"turbot","name":"compute_vm_guest_configuration_installed_windows","sql":"$55","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":22,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_guest_configuration_installed_windows","org":"turbot","name":"compute_vm_guest_configuration_installed_windows","mod":"Azure Compliance","title":"Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs","description":"This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}}],"controlTitle":"Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs","controlDescription":"This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/Compute"}},"compute_vm_guest_configuration_installed_linux":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_guest_configuration_installed_linux","org":"turbot","name":"compute_vm_guest_configuration_installed_linux","sql":"$56","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":134,"endLineNumber":177,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_guest_configuration_installed_linux","org":"turbot","name":"compute_vm_guest_configuration_installed_linux","mod":"Azure Compliance","title":"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs","description":"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs","controlDescription":"This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"compute_vm_guest_configuration_installed":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_guest_configuration_installed","org":"turbot","name":"compute_vm_guest_configuration_installed","sql":"with all_vm as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_virtual_machine'\n), vm_extensions as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_virtual_machine_extension'\n),\nvm_guest_configuration as (\n select\n split_part((b.attributes_std ->> 'virtual_machine_id'), '.', 2) as vm_name\n from\n all_vm as a\n left join vm_extensions as b on (split_part((b.attributes_std ->> 'virtual_machine_id'), '.', 2)) = a.name\n where\n (b.attributes_std ->> 'publisher') = 'Microsoft.GuestConfiguration'\n)\nselect\n address as resource,\n case\n when d.vm_name is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when d.vm_name is null then ' have guest configuration extension not installed'\n else ' have guest configuration extension installed'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n all_vm as c\n left join vm_guest_configuration as d on c.name = d.vm_name;\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":67,"endLineNumber":109,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.compute_vm_guest_configuration_installed","org":"turbot","name":"compute_vm_guest_configuration_installed","mod":"Azure Compliance","title":"Guest Configuration extension should be installed on your machines","description":"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}}],"controlTitle":"Guest Configuration extension should be installed on your machines","controlDescription":"To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Compute"}},"compute_instance_metadata_service_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/compute_instance_metadata_service_disabled","org":"turbot","name":"compute_instance_metadata_service_disabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'instance_options' ->> 'are_legacy_imds_endpoints_disabled') is not null and\n (attributes_std -> 'instance_options' ->> 'are_legacy_imds_endpoints_disabled')::boolean)\n then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'instance_options' ->> 'are_legacy_imds_endpoints_disabled') is not null and\n (attributes_std -> 'instance_options' ->> 'are_legacy_imds_endpoints_disabled')::boolean)\n then ' legacy metadata service endpoint disabled'\n else ' legacy metadata service endpoint enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":26,"endLineNumber":49,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.compute_instance_metadata_service_disabled","org":"turbot","name":"compute_instance_metadata_service_disabled","mod":"Terraform OCI Compliance","title":"Compute instance legacy metadata service endpoint should be disabled","description":"The instance metadata service (IMDS) provides information about a running instance, including a variety of details about the instance, its attached virtual network interface cards (VNICs), its attached multipath-enabled volume attachments, and any custom metadata that you define. IMDS also provides information to cloud-init that you can use for various system initialization tasks. To increase the security of metadata requests, it is strongly recommended to update all applications to use the IMDS version 2 endpoint, if supported by the image. Then, disable requests to IMDS version 1.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Compute"}}],"controlTitle":"Compute instance legacy metadata service endpoint should be disabled","controlDescription":"The instance metadata service (IMDS) provides information about a running instance, including a variety of details about the instance, its attached virtual network interface cards (VNICs), its attached multipath-enabled volume attachments, and any custom metadata that you define. IMDS also provides information to cloud-init that you can use for various system initialization tasks. To increase the security of metadata requests, it is strongly recommended to update all applications to use the IMDS version 2 endpoint, if supported by the image. Then, disable requests to IMDS version 1.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Compute"}},"compute_instance_boot_volume_encryption_in_transit_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/compute_instance_boot_volume_encryption_in_transit_enabled","org":"turbot","name":"compute_instance_boot_volume_encryption_in_transit_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'launch_options' -> 'is_pv_encryption_in_transit_enabled') is not null and\n (attributes_std -> 'launch_options' ->> 'is_pv_encryption_in_transit_enabled')::boolean)\n then 'ok'\n else 'alarm'\n end as status,\n name || case\n when ((attributes_std -> 'launch_options' -> 'is_pv_encryption_in_transit_enabled') is not null and\n (attributes_std -> 'launch_options' ->> 'is_pv_encryption_in_transit_enabled')::boolean)\n then ' encryption in transit enabled'\n else ' encryption in transit disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":51,"endLineNumber":74,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.compute_instance_boot_volume_encryption_in_transit_enabled","org":"turbot","name":"compute_instance_boot_volume_encryption_in_transit_enabled","mod":"Terraform OCI Compliance","title":"Compute instance boot volume encryption in transit should be enabled","description":"This control checks whether the boot volume encryption in transit is enabled or not. The boot volume encryption in transit is a feature that enables you to encrypt the data on the boot volume when it is transferred between the boot volume and the instance.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Compute"}}],"controlTitle":"Compute instance boot volume encryption in transit should be enabled","controlDescription":"This control checks whether the boot volume encryption in transit is enabled or not. The boot volume encryption in transit is a feature that enables you to encrypt the data on the boot volume when it is transferred between the boot volume and the instance.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Compute"}},"compute_vm_and_scale_set_agent_installed":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_and_scale_set_agent_installed","org":"turbot","name":"compute_vm_and_scale_set_agent_installed","sql":"select\n address as resource,\n case\n when (attributes_std -> 'provision_vm_agent') = 'false' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'provision_vm_agent') = 'false' then ' agent not installed'\n else ' agent installed'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_linux_virtual_machine_scale_set', 'azurerm_windows_virtual_machine_scale_set', 'azurerm_windows_virtual_machine', 'azurerm_linux_virtual_machine');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":460,"endLineNumber":479,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_and_scale_set_agent_installed","org":"turbot","name":"compute_vm_and_scale_set_agent_installed","mod":"Terraform Azure Compliance","title":"Virtual machines and scale sets should have agent installed","description":"This control checks whether windows virtual machine and scale sets have agent installed.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Virtual machines and scale sets should have agent installed","controlDescription":"This control checks whether windows virtual machine and scale sets have agent installed.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_allow_extension_operations_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_allow_extension_operations_disabled","org":"turbot","name":"compute_vm_allow_extension_operations_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'allow_extension_operations')::boolean or (attributes_std ->> 'allow_extension_operations') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'allow_extension_operations')::boolean or (attributes_std ->> 'allow_extension_operations') is null then ' allow extension operations'\n else ' disallow extension operations'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_linux_virtual_machine', 'azurerm_windows_virtual_machine');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":313,"endLineNumber":332,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_allow_extension_operations_disabled","org":"turbot","name":"compute_vm_allow_extension_operations_disabled","mod":"Terraform Azure Compliance","title":"Virtual machines should not allow extension operations","description":"Virtual machines should not allow extension operations to prevent unauthorized users from adding extensions to virtual machines.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Virtual machines should not allow extension operations","controlDescription":"Virtual machines should not allow extension operations to prevent unauthorized users from adding extensions to virtual machines.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_disable_password_authentication_linux":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_disable_password_authentication_linux","org":"turbot","name":"compute_vm_disable_password_authentication_linux","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'disable_password_authentication')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'disable_password_authentication')::boolean then ' disable password authentication'\n else ' enable password authentication'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_linux_virtual_machine';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":334,"endLineNumber":353,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_disable_password_authentication_linux","org":"turbot","name":"compute_vm_disable_password_authentication_linux","mod":"Terraform Azure Compliance","title":"Linux virtual machines should disable password authentication","description":"Linux virtual machines should disable password authentication to prevent brute-force attacks.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Linux virtual machines should disable password authentication","controlDescription":"Linux virtual machines should disable password authentication to prevent brute-force attacks.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}},"compute_subnetwork_private_ipv6_google_access":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_subnetwork_private_ipv6_google_access","org":"turbot","name":"compute_subnetwork_private_ipv6_google_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'private_ipv6_google_access') in ('ENABLE_OUTBOUND_VM_ACCESS_TO_GOOGLE', 'ENABLE_BIDIRECTIONAL_ACCESS_TO_GOOGLE') then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'private_ipv6_google_access') in ('ENABLE_OUTBOUND_VM_ACCESS_TO_GOOGLE', 'ENABLE_BIDIRECTIONAL_ACCESS_TO_GOOGLE') then ' private IPv6 Google Access is enabled'\n else ' private IPv6 Google Access is disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_subnetwork';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":374,"endLineNumber":392,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_subnetwork_private_ipv6_google_access","org":"turbot","name":"compute_subnetwork_private_ipv6_google_access","mod":"Terraform GCP Compliance","title":"Compute Subnetworks should have Private IPv6 Google Access enabled","description":"This control checks if Compute Subnetworks have Private IPv6 Google Access enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Compute Subnetworks should have Private IPv6 Google Access enabled","controlDescription":"This control checks if Compute Subnetworks have Private IPv6 Google Access enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_instance_boot_disk_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_instance_boot_disk_encryption_enabled","org":"turbot","name":"compute_instance_boot_disk_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'boot_disk' -> 'disk_encryption_key_raw') is not null or (attributes_std -> 'boot_disk' -> 'kms_key_self_link') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'boot_disk' -> 'disk_encryption_key_raw') is not null or (attributes_std -> 'boot_disk' -> 'kms_key_self_link') is not null then ' boot disk encryption enabled'\n else ' boot disk encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_compute_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":301,"endLineNumber":320,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_instance_boot_disk_encryption_enabled","org":"turbot","name":"compute_instance_boot_disk_encryption_enabled","mod":"Terraform GCP Compliance","title":"Compute instance boot disk encryption should be enabled","description":"This control checks whether Compute instance boot disk encryption is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Compute instance boot disk encryption should be enabled","controlDescription":"This control checks whether Compute instance boot disk encryption is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_firewall_allow_ftp_port_21_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_firewall_allow_ftp_port_21_ingress","org":"turbot","name":"compute_firewall_allow_ftp_port_21_ingress","sql":"$57","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":506,"endLineNumber":560,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_firewall_allow_ftp_port_21_ingress","org":"turbot","name":"compute_firewall_allow_ftp_port_21_ingress","mod":"Terraform GCP Compliance","title":"Google compute firewall ingress does not allow unrestricted FTP port 21 access","description":"This control checks if Google compute firewall ingress does not allow unrestricted FTP port 21 access.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Google compute firewall ingress does not allow unrestricted FTP port 21 access","controlDescription":"This control checks if Google compute firewall ingress does not allow unrestricted FTP port 21 access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_managed_disk_set_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_managed_disk_set_encryption_enabled","org":"turbot","name":"compute_managed_disk_set_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'disk_encryption_set_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'disk_encryption_set_id') is not null then ' encryption enabled'\n else ' encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_managed_disk';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":292,"endLineNumber":311,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_managed_disk_set_encryption_enabled","org":"turbot","name":"compute_managed_disk_set_encryption_enabled","mod":"Terraform Azure Compliance","title":"Managed disks should be encrypted","description":"Managed disks should be encrypted to protect data at rest. Encryption at rest is enabled by default for all new managed disks.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Managed disks should be encrypted","controlDescription":"Managed disks should be encrypted to protect data at rest. Encryption at rest is enabled by default for all new managed disks.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}},"compute_firewall_allow_ssh_port_22_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_firewall_allow_ssh_port_22_ingress","org":"turbot","name":"compute_firewall_allow_ssh_port_22_ingress","sql":"$58","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":562,"endLineNumber":616,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_firewall_allow_ssh_port_22_ingress","org":"turbot","name":"compute_firewall_allow_ssh_port_22_ingress","mod":"Terraform GCP Compliance","title":"Google compute firewall ingress does not allow unrestricted SSH port 22 access","description":"This control checks if Google compute firewall ingress does not allow unrestricted SSH port 22 access.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Google compute firewall ingress does not allow unrestricted SSH port 22 access","controlDescription":"This control checks if Google compute firewall ingress does not allow unrestricted SSH port 22 access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_firewall_allow_http_port_80_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_firewall_allow_http_port_80_ingress","org":"turbot","name":"compute_firewall_allow_http_port_80_ingress","sql":"$59","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":394,"endLineNumber":448,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_firewall_allow_http_port_80_ingress","org":"turbot","name":"compute_firewall_allow_http_port_80_ingress","mod":"Terraform GCP Compliance","title":"Google compute firewall ingress does not allow unrestricted HTTP port 80 access","description":"This control checks if Google compute firewall ingress does not allow unrestricted HTTP port 80 access.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Google compute firewall ingress does not allow unrestricted HTTP port 80 access","controlDescription":"This control checks if Google compute firewall ingress does not allow unrestricted HTTP port 80 access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_vm_scale_set_disable_password_authentication_linux":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_scale_set_disable_password_authentication_linux","org":"turbot","name":"compute_vm_scale_set_disable_password_authentication_linux","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'disable_password_authentication') = 'false' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'disable_password_authentication') = 'false' then ' password authentication enabled'\n else ' password authentication disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_linux_virtual_machine_scale_set';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":376,"endLineNumber":395,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_scale_set_disable_password_authentication_linux","org":"turbot","name":"compute_vm_scale_set_disable_password_authentication_linux","mod":"Terraform Azure Compliance","title":"Linux virtual machines scale sets should disable password authentication","description":"Linux virtual machines scale sets should disable password authentication to prevent brute-force attacks.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Linux virtual machines scale sets should disable password authentication","controlDescription":"Linux virtual machines scale sets should disable password authentication to prevent brute-force attacks.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_and_scale_set_ssh_key_enabled_linux":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_and_scale_set_ssh_key_enabled_linux","org":"turbot","name":"compute_vm_and_scale_set_ssh_key_enabled_linux","sql":"select\n address as resource,\n case\n when (attributes_std -> 'admin_ssh_key') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'admin_ssh_key') is not null then ' SSH key enabled'\n else ' SSH key disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_linux_virtual_machine_scale_set', 'azurerm_windows_virtual_machine_scale_set');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":397,"endLineNumber":416,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_and_scale_set_ssh_key_enabled_linux","org":"turbot","name":"compute_vm_and_scale_set_ssh_key_enabled_linux","mod":"Terraform Azure Compliance","title":"Linux Virtual machines and scale sets should enable SSH key authentication","description":"Ensure linux VM enables SSH with keys for secure communication.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Linux Virtual machines and scale sets should enable SSH key authentication","controlDescription":"Ensure linux VM enables SSH with keys for secure communication.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}},"compute_instance_monitoring_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/compute_instance_monitoring_enabled","org":"turbot","name":"compute_instance_monitoring_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'agent_config' -> 'is_monitoring_disabled') is null or\n not (attributes_std -> 'agent_config' -> 'is_monitoring_disabled')::boolean)\n then 'ok'\n else 'alarm'\n end as status,\n name || case\n when ((attributes_std -> 'agent_config' -> 'is_monitoring_disabled') is null or\n not (attributes_std -> 'agent_config' -> 'is_monitoring_disabled')::boolean)\n then ' has monitoring enabled'\n else ' has monitoring disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":1,"endLineNumber":24,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.compute_instance_monitoring_enabled","org":"turbot","name":"compute_instance_monitoring_enabled","mod":"Terraform OCI Compliance","title":"Compute instance monitoring should be enabled","description":"Oracle Cloud Infrastructure Monitoring helps organizations optimize the resource utilization and uptime of their infrastructure and applications. This service provides fine-grained, out-of-the-box metrics and dashboards that equip DevOps, IT, and site reliability engineers (SREs) with the real-time insights to respond to anomalies as they occur. The Monitoring capabilities are concerning Service Metrics, Metrics Explorer, Alarm Status and Definition and Health Checks.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Compute"}}],"controlTitle":"Compute instance monitoring should be enabled","controlDescription":"Oracle Cloud Infrastructure Monitoring helps organizations optimize the resource utilization and uptime of their infrastructure and applications. This service provides fine-grained, out-of-the-box metrics and dashboards that equip DevOps, IT, and site reliability engineers (SREs) with the real-time insights to respond to anomalies as they occur. The Monitoring capabilities are concerning Service Metrics, Metrics Explorer, Alarm Status and Definition and Health Checks.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Compute"}},"compute_firewall_allow_rdp_port_3389_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_firewall_allow_rdp_port_3389_ingress","org":"turbot","name":"compute_firewall_allow_rdp_port_3389_ingress","sql":"$5a","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":618,"endLineNumber":672,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_firewall_allow_rdp_port_3389_ingress","org":"turbot","name":"compute_firewall_allow_rdp_port_3389_ingress","mod":"Terraform GCP Compliance","title":"Google compute firewall ingress does not allow unrestricted RDP port 3389 access","description":"This control checks if Google compute firewall ingress does not allow unrestricted RDP port 3389 access.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Google compute firewall ingress does not allow unrestricted RDP port 3389 access","controlDescription":"This control checks if Google compute firewall ingress does not allow unrestricted RDP port 3389 access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_firewall_allow_mysql_port_3306_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_firewall_allow_mysql_port_3306_ingress","org":"turbot","name":"compute_firewall_allow_mysql_port_3306_ingress","sql":"$5b","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":674,"endLineNumber":728,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_firewall_allow_mysql_port_3306_ingress","org":"turbot","name":"compute_firewall_allow_mysql_port_3306_ingress","mod":"Terraform GCP Compliance","title":"Google compute firewall ingress does not allow unrestricted MySQL port 3306 access","description":"This control checks if Google compute firewall ingress does not allow unrestricted MySQL port 3306 access.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Google compute firewall ingress does not allow unrestricted MySQL port 3306 access","controlDescription":"This control checks if Google compute firewall ingress does not allow unrestricted MySQL port 3306 access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_vm_disable_password_authentication":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_disable_password_authentication","org":"turbot","name":"compute_vm_disable_password_authentication","sql":"select\n address as resource,\n case\n when (attributes_std -> 'os_profile_linux_config' ->> 'disable_password_authentication')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'os_profile_linux_config' ->> 'disable_password_authentication')::boolean then ' disable password authentication'\n else ' enable password authentication'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_virtual_machine';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":355,"endLineNumber":374,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_disable_password_authentication","org":"turbot","name":"compute_vm_disable_password_authentication","mod":"Terraform Azure Compliance","title":"Virtual machines should disable password authentication","description":"Virtual machines should disable password authentication to prevent brute-force attacks.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Virtual machines should disable password authentication","controlDescription":"Virtual machines should disable password authentication to prevent brute-force attacks.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}},"compute_firewall_allow_ftp_port_20_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_firewall_allow_ftp_port_20_ingress","org":"turbot","name":"compute_firewall_allow_ftp_port_20_ingress","sql":"$5c","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":450,"endLineNumber":504,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_firewall_allow_ftp_port_20_ingress","org":"turbot","name":"compute_firewall_allow_ftp_port_20_ingress","mod":"Terraform GCP Compliance","title":"Google compute firewall ingress does not allow unrestricted FTP port 20 access","description":"This control checks if Google compute firewall ingress does not allow unrestricted FTP port 20 access.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Google compute firewall ingress does not allow unrestricted FTP port 20 access","controlDescription":"This control checks if Google compute firewall ingress does not allow unrestricted FTP port 20 access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_security_policy_prevent_message_lookup":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/compute_security_policy_prevent_message_lookup","org":"turbot","name":"compute_security_policy_prevent_message_lookup","sql":"$5d","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":351,"endLineNumber":372,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.compute_security_policy_prevent_message_lookup","org":"turbot","name":"compute_security_policy_prevent_message_lookup","mod":"Terraform GCP Compliance","title":"Cloud Armor prevents message lookup in Log4j2","description":"This control checks if Cloud Armor is configured to prevent message lookup in Log4j2. See CVE-2021-44228 aka log4jshell.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}}],"controlTitle":"Cloud Armor prevents message lookup in Log4j2","controlDescription":"This control checks if Cloud Armor is configured to prevent message lookup in Log4j2. See CVE-2021-44228 aka log4jshell.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Compute"}},"compute_vm_automatic_updates_enabled_windows":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_automatic_updates_enabled_windows","org":"turbot","name":"compute_vm_automatic_updates_enabled_windows","sql":"select\n address as resource,\n case\n when not (attributes_std ->> 'enable_automatic_updates')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when not (attributes_std ->> 'enable_automatic_updates')::boolean then ' automatic updates disabled'\n else ' automatic updates enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_windows_virtual_machine', 'azurerm_windows_virtual_machine_scale_set');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":439,"endLineNumber":458,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_automatic_updates_enabled_windows","org":"turbot","name":"compute_vm_automatic_updates_enabled_windows","mod":"Terraform Azure Compliance","title":"Windows Virtual machines and scale sets should have automatic updates enabled","description":"This control checks whether windows virtual machine and scale sets have automatic updates enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Windows Virtual machines and scale sets should have automatic updates enabled","controlDescription":"This control checks whether windows virtual machine and scale sets have automatic updates enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_and_scale_set_encryption_at_host_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_and_scale_set_encryption_at_host_enabled","org":"turbot","name":"compute_vm_and_scale_set_encryption_at_host_enabled","sql":"$5e","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":179,"endLineNumber":225,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_and_scale_set_encryption_at_host_enabled","org":"turbot","name":"compute_vm_and_scale_set_encryption_at_host_enabled","mod":"Terraform Azure Compliance","title":"Virtual machines and virtual machine scale sets should have encryption at host enabled","description":"Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Virtual machines and virtual machine scale sets should have encryption at host enabled","controlDescription":"Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Compute"}},"compute_vm_scale_set_automatic_os_upgrade_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/compute_vm_scale_set_automatic_os_upgrade_enabled","org":"turbot","name":"compute_vm_scale_set_automatic_os_upgrade_enabled","sql":" select\n address as resource,\n case\n when (attributes_std -> 'automatic_os_upgrade_policy' ->> 'enable_automatic_os_upgrade') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'automatic_os_upgrade_policy' ->> 'enable_automatic_os_upgrade') = 'true' then ' automatic OS upgrade enabled'\n else ' automatic OS upgrade disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_linux_virtual_machine_scale_set', 'azurerm_windows_virtual_machine_scale_set');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/compute.pp","startLineNumber":418,"endLineNumber":437,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.compute_vm_scale_set_automatic_os_upgrade_enabled","org":"turbot","name":"compute_vm_scale_set_automatic_os_upgrade_enabled","mod":"Terraform Azure Compliance","title":"Compute virtual machine scale sets should have automatic OS image patching enabled","description":"This control checks whether virtual machine scale sets have automatic OS image patching enabled.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/Compute"}}],"controlTitle":"Compute virtual machine scale sets should have automatic OS image patching enabled","controlDescription":"This control checks whether virtual machine scale sets have automatic OS image patching enabled.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/Compute"}}},"big_query":{"bigquery_table_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/bigquery_table_encrypted_with_cmk","org":"turbot","name":"bigquery_table_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_configuration') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_configuration') is null then ' not encrypted with customer-managed encryption keys'\n else ' encrypted with customer-managed encryption keys'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_bigquery_table';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/bigquery.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_7_2","org":"turbot","name":"cis_v300_7_2","mod":"GCP Compliance","title":"7.2 Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK)","description":"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"7.2","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/BigQuery"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_7_2","org":"turbot","name":"cis_v200_7_2","mod":"GCP Compliance","title":"7.2 Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)","description":"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"7.2","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/BigQuery"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_7_2","org":"turbot","name":"cis_v130_7_2","mod":"GCP Compliance","title":"7.2 Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)","description":"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"7.2","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/BigQuery"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_7_2","org":"turbot","name":"cis_v120_7_2","mod":"GCP Compliance","title":"7.2 Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)","description":"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using google-managed encryption keys.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"7.2","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/BigQuery"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.bigquery_table_encrypted_with_cmk","org":"turbot","name":"bigquery_table_encrypted_with_cmk","mod":"GCP Compliance","title":"Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)","description":"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and does not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solutions for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using Google-managed encryption keys.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/BigQuery","soc_2_2017":"true"}}],"controlTitle":"Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)","controlDescription":"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and does not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solutions for BigQuery Data Sets. If CMEK is used, the CMEK is used to encrypt the data encryption keys instead of using Google-managed encryption keys.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"7.2","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/BigQuery","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","soc_2_2017":"true"}},"bigquery_dataset_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/bigquery_dataset_not_publicly_accessible","org":"turbot","name":"bigquery_dataset_not_publicly_accessible","sql":"$5f","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/bigquery.pp","startLineNumber":64,"endLineNumber":108,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_7_1","org":"turbot","name":"cis_v300_7_1","mod":"GCP Compliance","title":"7.1 Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible","description":"It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"7.1","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/BigQuery"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_7_1","org":"turbot","name":"cis_v200_7_1","mod":"GCP Compliance","title":"7.1 Ensure that BigQuery datasets are not anonymously or publicly accessible","description":"It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"7.1","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/BigQuery"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_7_1","org":"turbot","name":"cis_v130_7_1","mod":"GCP Compliance","title":"7.1 Ensure that BigQuery datasets are not anonymously or publicly accessible","description":"It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"7.1","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/BigQuery"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_7_1","org":"turbot","name":"cis_v120_7_1","mod":"GCP Compliance","title":"7.1 Ensure that BigQuery datasets are not anonymously or publicly accessible","description":"It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"7.1","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/BigQuery"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_8_1","org":"turbot","name":"cis_v300_8_1","mod":"GCP Compliance","title":"8.1 Ensure that Dataproc Cluster is encrypted using CustomerManaged Encryption Key","description":"When you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated with the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This PD and bucket data is encrypted using a Google-generated data encryption key (DEK) and key encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key encryption key (KEK). Google still controls the data encryption key (DEK).","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"8.1","cis_level":"2","cis_section_id":"8","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/Dataproc"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.require_bq_table_iam","org":"turbot","name":"require_bq_table_iam","mod":"GCP Compliance","title":"Check if BigQuery datasets are publicly readable","tags":{"category":"Compliance","cft_scorecard_v1":"true","forseti_security_v226":"true","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","pci_dss_v321":"true","plugin":"gcp","service":"GCP/BigQuery","severity":"high","soc_2_2017":"true"}}],"controlTitle":"7.1 Ensure That BigQuery Datasets Are Not Anonymously or Publicly Accessible","controlDescription":"It is recommended that the IAM policy on BigQuery datasets does not allow anonymous and/or public access.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"8.1","cis_level":"2","cis_section_id":"8","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/BigQuery","cft_scorecard_v1":"true","forseti_security_v226":"true","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","pci_dss_v321":"true","severity":"high","soc_2_2017":"true"}},"bigquery_dataset_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/bigquery_dataset_encrypted_with_cmk","org":"turbot","name":"bigquery_dataset_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'default_encryption_configuration') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'default_encryption_configuration') is null then ' not encrypted with CMK'\n else ' encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_bigquery_dataset';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/bigquery.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v300_7_3","org":"turbot","name":"cis_v300_7_3","mod":"GCP Compliance","title":"7.3 Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets","description":"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"7.3","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"gcp","service":"GCP/BigQuery"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v200_7_3","org":"turbot","name":"cis_v200_7_3","mod":"GCP Compliance","title":"7.3 Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets","description":"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"7.3","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v2.0.0","plugin":"gcp","service":"GCP/BigQuery"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v130_7_3","org":"turbot","name":"cis_v130_7_3","mod":"GCP Compliance","title":"7.3 Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets","description":"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"7.3","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v1.3.0","plugin":"gcp","service":"GCP/BigQuery"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.cis_v120_7_3","org":"turbot","name":"cis_v120_7_3","mod":"GCP Compliance","title":"7.3 Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets","description":"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and do not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solution for BigQuery Data Sets.","tags":{"benchmark":"cis","category":"Compliance","cis_item_id":"7.3","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/BigQuery"}},{"path":"/mods/turbot/steampipe-mod-gcp-compliance/benchmarks/control.bigquery_dataset_encrypted_with_cmk","org":"turbot","name":"bigquery_dataset_encrypted_with_cmk","mod":"GCP Compliance","title":"Ensure that a default customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets","description":"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and does not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solutions for BigQuery Data Sets.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","plugin":"gcp","service":"GCP/BigQuery","soc_2_2017":"true"}}],"controlTitle":"Ensure that a default customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets","controlDescription":"BigQuery by default encrypts the data as rest by employing Envelope Encryption using Google managed cryptographic keys. The data is encrypted using the data encryption keys and data encryption keys themselves are further encrypted using key encryption keys. This is seamless and does not require any additional input from the user. However, if you want to have greater control, Customer-managed encryption keys (CMEK) can be used as encryption key management solutions for BigQuery Data Sets.","controlTags":{"benchmark":"cis","category":"Compliance","cis_item_id":"7.3","cis_level":"2","cis_section_id":"7","cis_type":"automated","cis_version":"v1.2.0","plugin":"gcp","service":"GCP/BigQuery","hipaa":"true","nist_800_53_rev_5":"true","nist_csf_v10":"true","soc_2_2017":"true"}},"bigquery_table_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/bigquery_table_not_publicly_accessible","org":"turbot","name":"bigquery_table_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_bigquery_table_iam_binding','google_bigquery_table_iam_member');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/bigquery.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.bigquery_table_not_publicly_accessible","org":"turbot","name":"bigquery_table_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"Big Query Table should not be publicly accessible","description":"This control checks whether the Big Query Table is publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/BigQuery"}}],"controlTitle":"Big Query Table should not be publicly accessible","controlDescription":"This control checks whether the Big Query Table is publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/BigQuery"}},"bigquery_table_deletion_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/bigquery_table_deletion_protection_enabled","org":"turbot","name":"bigquery_table_deletion_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'deletion_protection') is null then 'alarm'\n when (attributes_std -> 'deletion_protection')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'deletion_protection') is null then ' ''deletion_protection'' not defined'\n when (attributes_std -> 'deletion_protection')::boolean then ' deletion protection enabled'\n else ' deletion protection disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_bigquery_table';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/bigquery.pp","startLineNumber":110,"endLineNumber":131,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.bigquery_table_deletion_protection_enabled","org":"turbot","name":"bigquery_table_deletion_protection_enabled","mod":"Terraform GCP Compliance","title":"Big Query Table deletion protection should be enabled","description":"This rule ensures that Big Query Table has deletion protection enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/BigQuery"}}],"controlTitle":"Big Query Table deletion protection should be enabled","controlDescription":"This rule ensures that Big Query Table has deletion protection enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/BigQuery"}},"bigtable_instance_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/bigtable_instance_encrypted_with_kms_cmk","org":"turbot","name":"bigtable_instance_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cluster' ->> 'kms_key_name') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cluster' ->> 'kms_key_name') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_bigtable_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/bigtable.pp","startLineNumber":24,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.bigtable_instance_encrypted_with_kms_cmk","org":"turbot","name":"bigtable_instance_encrypted_with_kms_cmk","mod":"Terraform GCP Compliance","title":"Big Query Instance should be encrypted with KMS CMK","description":"This control checks whether the Big Query Instance is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/BigQuery"}}],"controlTitle":"Big Query Instance should be encrypted with KMS CMK","controlDescription":"This control checks whether the Big Query Instance is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/BigQuery"}}},"synapse_analytics":{"synapse_workspace_private_link_used":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/synapse_workspace_private_link_used","org":"turbot","name":"synapse_workspace_private_link_used","sql":"with synapse_workspaces as (\n select\n '${azurerm_synapse_workspace.' || name || '.id}' as sw_id,\n *\n from\n terraform_resource\n where\n type = 'azurerm_synapse_workspace'\n), synapse_workspace_private_link as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_synapse_managed_private_endpoint'\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'synapse_workspace_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'synapse_workspace_id') is not null then ' uses private link'\n else ' not uses private link'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n synapse_workspaces as a\n left join synapse_workspace_private_link as s on a.sw_id = (s.attributes_std ->> 'synapse_workspace_id');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/synapse.pp","startLineNumber":24,"endLineNumber":58,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.synapse_workspace_private_link_used","org":"turbot","name":"synapse_workspace_private_link_used","mod":"Azure Compliance","title":"Azure Synapse workspaces should use private link","description":"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/SynapseAnalytics"}}],"controlTitle":"Azure Synapse workspaces should use private link","controlDescription":"Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/SynapseAnalytics"}},"synapse_workspace_encryption_at_rest_using_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/synapse_workspace_encryption_at_rest_using_cmk","org":"turbot","name":"synapse_workspace_encryption_at_rest_using_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'customer_managed_key') is null then 'alarm'\n when (attributes_std -> 'customer_managed_key' -> 'key_versionless_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'customer_managed_key') is null then ' ''customer_managed_key'' not defined'\n when (attributes_std -> 'customer_managed_key' -> 'key_versionless_id') is not null then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_synapse_workspace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/synapse.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.synapse_workspace_encryption_at_rest_using_cmk","org":"turbot","name":"synapse_workspace_encryption_at_rest_using_cmk","mod":"Azure Compliance","title":"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest","description":"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/SynapseAnalytics"}}],"controlTitle":"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest","controlDescription":"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/SynapseAnalytics"}},"synapse_workspace_data_exfiltration_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/synapse_workspace_data_exfiltration_protection_enabled","org":"turbot","name":"synapse_workspace_data_exfiltration_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'data_exfiltration_protection_enabled') is null then 'alarm'\n when (attributes_std ->> 'data_exfiltration_protection_enabled') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'data_exfiltration_protection_enabled') is null then ' data exfiltration protection not defined'\n when (attributes_std ->> 'data_exfiltration_protection_enabled' ) = 'true' then ' data exfiltration protection enabled'\n else ' data exfiltration protection disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_synapse_workspace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/synapse.pp","startLineNumber":60,"endLineNumber":81,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.synapse_workspace_data_exfiltration_protection_enabled","org":"turbot","name":"synapse_workspace_data_exfiltration_protection_enabled","mod":"Azure Compliance","title":"Synapse workspaces should have data exfiltration protection enabled","description":"This control checks whether Synapse workspace has data exfiltration protection enabled.","tags":{"service":"Azure/SynapseAnalytics"}}],"controlTitle":"Synapse workspaces should have data exfiltration protection enabled","controlDescription":"This control checks whether Synapse workspace has data exfiltration protection enabled.","controlTags":{"service":"Azure/SynapseAnalytics"}}},"file_sync":{"storage_sync_private_link_used":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_sync_private_link_used","org":"turbot","name":"storage_sync_private_link_used","sql":"select\n address as resource,\n case\n when (attributes_std -> 'incoming_traffic_policy') is null then 'alarm'\n when (attributes_std ->> 'incoming_traffic_policy') = 'AllowAllTraffic' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'incoming_traffic_policy') is null then ' does not use private link'\n when (attributes_std ->> 'incoming_traffic_policy') = 'AllowAllTraffic' then ' uses public networks'\n else ' uses private link'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_sync';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storagesync.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.storage_sync_private_link_used","org":"turbot","name":"storage_sync_private_link_used","mod":"Azure Compliance","title":"Azure File Sync should use private link","description":"Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/FileSync"}}],"controlTitle":"Azure File Sync should use private link","controlDescription":"Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/FileSync"}}},"spring_cloud":{"spring_cloud_service_network_injection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/spring_cloud_service_network_injection_enabled","org":"turbot","name":"spring_cloud_service_network_injection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'network') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'network') is null then ' network injection disabled'\n else ' network injection enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_spring_cloud_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/springcloud.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.spring_cloud_service_network_injection_enabled","org":"turbot","name":"spring_cloud_service_network_injection_enabled","mod":"Azure Compliance","title":"Azure Spring Cloud should use network injection","description":"Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/SpringCloud"}}],"controlTitle":"Azure Spring Cloud should use network injection","controlDescription":"Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/SpringCloud"}},"spring_cloud_api_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/spring_cloud_api_restrict_public_access","org":"turbot","name":"spring_cloud_api_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled')::boolean then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_spring_cloud_api_portal';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/springcloud.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.spring_cloud_api_restrict_public_access","org":"turbot","name":"spring_cloud_api_restrict_public_access","mod":"Terraform Azure Compliance","title":"Spring Cloud API should not be publicly accessible","description":"This control checks whether the Azure Spring Cloud API is publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SpringCloud"}}],"controlTitle":"Spring Cloud API should not be publicly accessible","controlDescription":"This control checks whether the Azure Spring Cloud API is publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SpringCloud"}},"spring_cloud_api_https_only_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/spring_cloud_api_https_only_enabled","org":"turbot","name":"spring_cloud_api_https_only_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'https_only_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'https_only_enabled')::boolean then ' HTTPS only enabled'\n else ' HTTPS only disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_spring_cloud_api_portal';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/springcloud.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.spring_cloud_api_https_only_enabled","org":"turbot","name":"spring_cloud_api_https_only_enabled","mod":"Terraform Azure Compliance","title":"Spring Cloud API should only be accessible over HTTPS","description":"This control checks whether the Azure Spring Cloud API is only accessible over HTTPS.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SpringCloud"}}],"controlTitle":"Spring Cloud API should only be accessible over HTTPS","controlDescription":"This control checks whether the Azure Spring Cloud API is only accessible over HTTPS.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SpringCloud"}}},"service_fabric":{"servicefabric_cluster_protection_level_as_encrypt_and_sign":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/servicefabric_cluster_protection_level_as_encrypt_and_sign","org":"turbot","name":"servicefabric_cluster_protection_level_as_encrypt_and_sign","sql":"select\n address as resource,\n case\n when (attributes_std -> 'fabric_settings') is null then 'alarm'\n when (attributes_std -> 'fabric_settings' -> 'parameters') is null then 'alarm'\n when (attributes_std -> 'fabric_settings' ->> 'parameters') like '%EncryptAndSign%' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'fabric_settings') is null then ' Cluster Protection Level not set'\n when (attributes_std -> 'fabric_settings' -> 'parameters') is null then ' Cluster Protection Level not set to EncryptAndSign'\n when (attributes_std -> 'fabric_settings' ->> 'parameters') like '%EncryptAndSign%' then ' Cluster Protection Level set to EncryptAndSign'\n else ' Cluster Protection Level not set to EncryptAndSign'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_service_fabric_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/servicefabric.pp","startLineNumber":1,"endLineNumber":24,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.servicefabric_cluster_protection_level_as_encrypt_and_sign","org":"turbot","name":"servicefabric_cluster_protection_level_as_encrypt_and_sign","mod":"Azure Compliance","title":"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign","description":"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/ServiceFabric"}}],"controlTitle":"Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign","controlDescription":"Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/ServiceFabric"}},"servicefabric_cluster_active_directory_authentication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/servicefabric_cluster_active_directory_authentication_enabled","org":"turbot","name":"servicefabric_cluster_active_directory_authentication_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'azure_active_directory') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'azure_active_directory') is null then ' does not use Azure Active Directory for client authentication'\n else ' uses Azure Active Directory for client authentication'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_service_fabric_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/servicefabric.pp","startLineNumber":26,"endLineNumber":45,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.servicefabric_cluster_active_directory_authentication_enabled","org":"turbot","name":"servicefabric_cluster_active_directory_authentication_enabled","mod":"Azure Compliance","title":"Service Fabric clusters should only use Azure Active Directory for client authentication","description":"Audit usage of client authentication only via Azure Active Directory in Service Fabric.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/ServiceFabric"}}],"controlTitle":"Service Fabric clusters should only use Azure Active Directory for client authentication","controlDescription":"Audit usage of client authentication only via Azure Active Directory in Service Fabric.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/ServiceFabric"}}},"security_center":{"securitycenter_security_alerts_to_owner_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_security_alerts_to_owner_enabled","org":"turbot","name":"securitycenter_security_alerts_to_owner_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'alerts_to_admins')::bool is true and (attributes_std -> 'alert_notifications')::bool is true then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'alerts_to_admins')::bool is true and (attributes_std -> 'alert_notifications')::bool is true then ' notify alerts to admins configured'\n else ' notify alerts to admin not configured'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_contact';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_2_15","org":"turbot","name":"cis_v140_2_15","mod":"Azure Compliance","title":"2.15 Ensure that 'All users with the following roles' is set to 'Owner'","description":"Enable security alert emails to subscription owners.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.15","cis_level":"1","cis_section_id":"2","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_2_15","org":"turbot","name":"cis_v130_2_15","mod":"Azure Compliance","title":"2.15 Ensure that 'All users with the following roles' is set to 'Owner'","description":"Enable security alert emails to subscription owners.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.15","cis_level":"1","cis_section_id":"2","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_2_1_17","org":"turbot","name":"cis_v210_2_1_17","mod":"Azure Compliance","title":"2.1.17 Ensure That 'All users with the following roles' is set to 'Owner'","description":"Enable security alert emails to subscription owners.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.17","cis_level":"1","cis_section_id":"2.1","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_2_1_18","org":"turbot","name":"cis_v200_2_1_18","mod":"Azure Compliance","title":"2.1.18 Ensure That 'All users with the following roles' is set to 'Owner'","description":"Enable security alert emails to subscription owners.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.18","cis_level":"1","cis_section_id":"2.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_2_3_1","org":"turbot","name":"cis_v150_2_3_1","mod":"Azure Compliance","title":"2.3.1 Ensure That 'All users with the following roles' is set to 'Owner'","description":"Enable security alert emails to subscription owners.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.3.1","cis_level":"1","cis_section_id":"2.2","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_3_1_12","org":"turbot","name":"cis_v300_3_1_12","mod":"Azure Compliance","title":"3.1.12 Ensure That 'All users with the following roles' is set to 'Owner'","description":"Enable security alert emails to subscription owners.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.12","cis_level":"1","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.securitycenter_security_alerts_to_owner_enabled","org":"turbot","name":"securitycenter_security_alerts_to_owner_enabled","mod":"Azure Compliance","title":"Email notification to subscription owner for high severity alerts should be enabled","description":"To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/SecurityCenter"}}],"controlTitle":"Email notification to subscription owner for high severity alerts should be enabled","controlDescription":"To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.12","cis_level":"1","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true"}},"securitycenter_notify_alerts_configured":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_notify_alerts_configured","org":"turbot","name":"securitycenter_notify_alerts_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'alert_notifications')::bool is true then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'alert_notifications')::bool is true then ' notify alerts configured'\n else ' notify alerts not configured'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_contact';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":141,"endLineNumber":159,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_2_14","org":"turbot","name":"cis_v140_2_14","mod":"Azure Compliance","title":"2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High'","description":"Enables emailing security alerts to the subscription owner or other designated security contact.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.14","cis_level":"1","cis_section_id":"2","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_2_14","org":"turbot","name":"cis_v130_2_14","mod":"Azure Compliance","title":"2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High'","description":"Enables emailing security alerts to the subscription owner or other designated security contact.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.14","cis_level":"1","cis_section_id":"2","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_2_1_19","org":"turbot","name":"cis_v210_2_1_19","mod":"Azure Compliance","title":"2.1.19 Ensure That 'Notify about alerts with the following severity' is Set to 'High'","description":"Enables emailing security alerts to the subscription owner or other designated security contact.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.19","cis_level":"1","cis_section_id":"2.1","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_2_1_20","org":"turbot","name":"cis_v200_2_1_20","mod":"Azure Compliance","title":"2.1.20 Ensure That 'Notify about alerts with the following severity' is Set to 'High'","description":"Enables emailing security alerts to the subscription owner or other designated security contact.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.20","cis_level":"1","cis_section_id":"2.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_2_3_3","org":"turbot","name":"cis_v150_2_3_3","mod":"Azure Compliance","title":"2.3.3 Ensure That 'Notify about alerts with the following severity' is Set to 'High'","description":"Enables emailing security alerts to the subscription owner or other designated security contact.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.3.3","cis_level":"1","cis_section_id":"2.2","cis_type":"Automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_3_1_14","org":"turbot","name":"cis_v300_3_1_14","mod":"Azure Compliance","title":"3.1.14 Ensure That 'Notify about alerts with the following severity' is Set to 'High'","description":"Enables emailing security alerts to the subscription owner or other designated security contact.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.14","cis_level":"1","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.securitycenter_notify_alerts_configured","org":"turbot","name":"securitycenter_notify_alerts_configured","mod":"Azure Compliance","title":"Email notification for high severity alerts should be enabled","description":"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/SecurityCenter"}}],"controlTitle":"Email notification for high severity alerts should be enabled","controlDescription":"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.14","cis_level":"1","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true"}},"securitycenter_email_configured":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_email_configured","org":"turbot","name":"securitycenter_email_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'email') is not null and (attributes_std -> 'alert_notifications')::bool is true then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'email') is not null and (attributes_std -> 'alert_notifications')::bool is true then ' additional email & alert notifications configured'\n else ' additional email & alert notifications not configured'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_contact';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":201,"endLineNumber":219,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.securitycenter_email_configured","org":"turbot","name":"securitycenter_email_configured","mod":"Azure Compliance","title":"Subscriptions should have a contact email address for security issues","description":"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/SecurityCenter"}}],"controlTitle":"Subscriptions should have a contact email address for security issues","controlDescription":"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/SecurityCenter"}},"securitycenter_azure_defender_on_for_storage":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_azure_defender_on_for_storage","org":"turbot","name":"securitycenter_azure_defender_on_for_storage","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'StorageAccounts' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'StorageAccounts' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for Storage'\n else ' Azure Defender off for Storage'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":181,"endLineNumber":199,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_2_5","org":"turbot","name":"cis_v130_2_5","mod":"Azure Compliance","title":"2.5 Ensure that Azure Defender is set to On for Storage","description":"Turning on Azure Defender enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.5","cis_level":"2","cis_section_id":"2","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_2_5","org":"turbot","name":"cis_v140_2_5","mod":"Azure Compliance","title":"2.5 Ensure that Microsoft Defender for Storage is set to 'On'","description":"Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.5","cis_level":"2","cis_section_id":"2","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_2_1_7","org":"turbot","name":"cis_v210_2_1_7","mod":"Azure Compliance","title":"2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On'","description":"Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.7","cis_level":"2","cis_section_id":"2.1","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_2_1_7","org":"turbot","name":"cis_v200_2_1_7","mod":"Azure Compliance","title":"2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On'","description":"Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.7","cis_level":"2","cis_section_id":"2.1","cis_type":"manual","cis_version":"v2.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_2_1_7","org":"turbot","name":"cis_v150_2_1_7","mod":"Azure Compliance","title":"2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On' ","description":"Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.7","cis_level":"2","cis_section_id":"2.1","cis_type":"manual","cis_version":"v1.5.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.securitycenter_azure_defender_on_for_storage","org":"turbot","name":"securitycenter_azure_defender_on_for_storage","mod":"Azure Compliance","title":"Microsoft Defender for Storage (Classic) should be enabled","description":"Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_3_1_5_1","org":"turbot","name":"cis_v300_3_1_5_1","mod":"Azure Compliance","title":"3.1.5.1 Ensure That Microsoft Defender for Storage Is Set To 'On'","description":"Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.5.1","cis_level":"2","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter"}}],"controlTitle":"Microsoft Defender for Storage (Classic) should be enabled","controlDescription":"Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.5.1","cis_level":"2","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true"}},"securitycenter_azure_defender_on_for_sqlservervm":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_azure_defender_on_for_sqlservervm","org":"turbot","name":"securitycenter_azure_defender_on_for_sqlservervm","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'SqlServerVirtualMachines' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'SqlServerVirtualMachines' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for SQL servers on machines'\n else ' Azure Defender off for SQL servers on machines'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":121,"endLineNumber":139,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_2_4","org":"turbot","name":"cis_v130_2_4","mod":"Azure Compliance","title":"2.4 Ensure that Azure Defender is set to On for SQL servers on machines","description":"Turning on Azure Defender enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.4","cis_level":"2","cis_section_id":"2","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_2_4","org":"turbot","name":"cis_v140_2_4","mod":"Azure Compliance","title":"2.4 Ensure that Microsoft Defender for SQL servers on machines is set to 'On'","description":"Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.4","cis_level":"2","cis_section_id":"2","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_2_1_4","org":"turbot","name":"cis_v210_2_1_4","mod":"Azure Compliance","title":"2.1.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'","description":"Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.4","cis_level":"2","cis_section_id":"2.1","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_2_1_5","org":"turbot","name":"cis_v200_2_1_5","mod":"Azure Compliance","title":"2.1.5 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'","description":"Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.5","cis_level":"2","cis_section_id":"2.1","cis_type":"manual","cis_version":"v2.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_2_1_5","org":"turbot","name":"cis_v150_2_1_5","mod":"Azure Compliance","title":"2.1.5 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'","description":"Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.5","cis_level":"2","cis_section_id":"2.1","cis_type":"manual","cis_version":"v1.5.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_3_1_7_4","org":"turbot","name":"cis_v300_3_1_7_4","mod":"Azure Compliance","title":"3.1.7.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'","description":"Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.7.4","cis_level":"2","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.securitycenter_azure_defender_on_for_sqlservervm","org":"turbot","name":"securitycenter_azure_defender_on_for_sqlservervm","mod":"Azure Compliance","title":"Azure Defender for SQL should be enabled for unprotected SQL Managed Instances","description":"Audit each SQL Managed Instance without advanced data security.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/SecurityCenter"}}],"controlTitle":"Azure Defender for SQL should be enabled for unprotected SQL Managed Instances","controlDescription":"Audit each SQL Managed Instance without advanced data security.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.7.4","cis_level":"2","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true"}},"securitycenter_azure_defender_on_for_sqldb":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_azure_defender_on_for_sqldb","org":"turbot","name":"securitycenter_azure_defender_on_for_sqldb","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'SqlServers' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'SqlServers' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for SQL database servers'\n else ' Azure Defender off for SQL database servers'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":21,"endLineNumber":39,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_2_3","org":"turbot","name":"cis_v130_2_3","mod":"Azure Compliance","title":"2.3 Ensure that Azure Defender is set to On for Azure SQL database servers","description":"Turning on Azure Defender enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.3","cis_level":"2","cis_section_id":"2","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_2_3","org":"turbot","name":"cis_v140_2_3","mod":"Azure Compliance","title":"2.3 Ensure that Microsoft Defender for Azure SQL Databases is set to 'On'","description":"Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.3","cis_level":"2","cis_section_id":"2","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_2_1_3","org":"turbot","name":"cis_v210_2_1_3","mod":"Azure Compliance","title":"2.1.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'","description":"Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.3","cis_level":"2","cis_section_id":"2.1","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_2_1_4","org":"turbot","name":"cis_v200_2_1_4","mod":"Azure Compliance","title":"2.1.4 Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'","description":"Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.4","cis_level":"2","cis_section_id":"2.1","cis_type":"manual","cis_version":"v2.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_2_1_4","org":"turbot","name":"cis_v150_2_1_4","mod":"Azure Compliance","title":"2.1.4 Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'","description":"Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.4","cis_level":"2","cis_section_id":"2.1","cis_type":"manual","cis_version":"v1.5.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_3_1_7_3","org":"turbot","name":"cis_v300_3_1_7_3","mod":"Azure Compliance","title":"3.1.7.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'","description":"Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.7.3","cis_level":"2","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.securitycenter_azure_defender_on_for_sqldb","org":"turbot","name":"securitycenter_azure_defender_on_for_sqldb","mod":"Azure Compliance","title":"Azure Defender for Azure SQL Database servers should be enabled","description":"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/SecurityCenter"}}],"controlTitle":"Azure Defender for Azure SQL Database servers should be enabled","controlDescription":"Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.7.3","cis_level":"2","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true"}},"securitycenter_azure_defender_on_for_server":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_azure_defender_on_for_server","org":"turbot","name":"securitycenter_azure_defender_on_for_server","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'VirtualMachines' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'VirtualMachines' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for Servers'\n else ' Azure Defender off for Servers'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":81,"endLineNumber":99,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_2_1","org":"turbot","name":"cis_v130_2_1","mod":"Azure Compliance","title":"2.1 Ensure that Azure Defender is set to On for Servers","description":"Turning on Azure Defender enables threat detection for Server, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1","cis_level":"2","cis_section_id":"2","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_2_1","org":"turbot","name":"cis_v140_2_1","mod":"Azure Compliance","title":"2.1 Ensure that Microsoft Defender for Servers is set to 'On'","description":"Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1","cis_level":"2","cis_section_id":"2","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_2_1_1","org":"turbot","name":"cis_v210_2_1_1","mod":"Azure Compliance","title":"2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On'","description":"Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.1","cis_level":"2","cis_section_id":"2.1","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_2_1_1","org":"turbot","name":"cis_v200_2_1_1","mod":"Azure Compliance","title":"2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On'","description":"Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.1","cis_level":"2","cis_section_id":"2.1","cis_type":"manual","cis_version":"v2.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_2_1_1","org":"turbot","name":"cis_v150_2_1_1","mod":"Azure Compliance","title":"2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On'","description":"Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.1","cis_level":"2","cis_section_id":"2.1","cis_type":"manual","cis_version":"v1.5.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_3_1_3_1","org":"turbot","name":"cis_v300_3_1_3_1","mod":"Azure Compliance","title":"3.1.3.1 Ensure That Microsoft Defender for Servers Is Set to 'On'","description":"Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.3.1","cis_level":"2","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.securitycenter_azure_defender_on_for_server","org":"turbot","name":"securitycenter_azure_defender_on_for_server","mod":"Azure Compliance","title":"Azure Defender for servers should be enabled","description":"Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/SecurityCenter"}}],"controlTitle":"Azure Defender for servers should be enabled","controlDescription":"Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.3.1","cis_level":"2","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true"}},"securitycenter_azure_defender_on_for_keyvault":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_azure_defender_on_for_keyvault","org":"turbot","name":"securitycenter_azure_defender_on_for_keyvault","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'KeyVaults' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'KeyVaults' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for Key Vaults'\n else ' Azure Defender off for Key Vaults'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":161,"endLineNumber":179,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_2_8","org":"turbot","name":"cis_v130_2_8","mod":"Azure Compliance","title":"2.8 Ensure that Azure Defender is set to On for Key Vault","description":"Turning on Azure Defender enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.8","cis_level":"2","cis_section_id":"2","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_2_8","org":"turbot","name":"cis_v140_2_8","mod":"Azure Compliance","title":"2.8 Ensure that Microsoft Defender for Key Vault is set to 'On'","description":"Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.8","cis_level":"2","cis_section_id":"2","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_2_1_10","org":"turbot","name":"cis_v200_2_1_10","mod":"Azure Compliance","title":"2.1.10 Ensure That Microsoft Defender for Key Vault Is Set To 'On'","description":"Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.10","cis_level":"2","cis_section_id":"2.1","cis_type":"manual","cis_version":"v2.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_2_1_10","org":"turbot","name":"cis_v150_2_1_10","mod":"Azure Compliance","title":"2.1.10 Ensure That Microsoft Defender for Key Vault Is Set To 'On'","description":"Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.10","cis_level":"2","cis_section_id":"2.1","cis_type":"manual","cis_version":"v1.5.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_2_1_9","org":"turbot","name":"cis_v210_2_1_9","mod":"Azure Compliance","title":"2.1.9 Ensure That Microsoft Defender for Key Vault Is Set To 'On'","description":"Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.9","cis_level":"2","cis_section_id":"2.1","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_3_1_8_1","org":"turbot","name":"cis_v300_3_1_8_1","mod":"Azure Compliance","title":"3.1.8.1 Ensure That Microsoft Defender for Key Vault Is Set To 'On'","description":"Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.8.1","cis_level":"2","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.securitycenter_azure_defender_on_for_keyvault","org":"turbot","name":"securitycenter_azure_defender_on_for_keyvault","mod":"Azure Compliance","title":"Azure Defender for Key Vault should be enabled","description":"Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/SecurityCenter"}}],"controlTitle":"Azure Defender for Key Vault should be enabled","controlDescription":"Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.8.1","cis_level":"2","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true"}},"securitycenter_azure_defender_on_for_k8s":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_azure_defender_on_for_k8s","org":"turbot","name":"securitycenter_azure_defender_on_for_k8s","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'KubernetesService' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'KubernetesService' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for Kubernetes Service'\n else ' Azure Defender off for Kubernetes Service'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":101,"endLineNumber":119,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_2_6","org":"turbot","name":"cis_v130_2_6","mod":"Azure Compliance","title":"2.6 Ensure that Azure Defender is set to On for Kubernetes","description":"Turning on Azure Defender enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.6","cis_level":"2","cis_section_id":"2","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_2_6","org":"turbot","name":"cis_v140_2_6","mod":"Azure Compliance","title":"2.6 Ensure that Microsoft Defender for Kubernetes is set to 'On'","description":"Turning on Microsoft Defender for Kubernetes enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.6","cis_level":"2","cis_section_id":"2","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.securitycenter_azure_defender_on_for_k8s","org":"turbot","name":"securitycenter_azure_defender_on_for_k8s","mod":"Azure Compliance","title":"Azure Defender for Kubernetes should be enabled","description":"Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.","tags":{"service":"Azure/SecurityCenter"}}],"controlTitle":"Azure Defender for Kubernetes should be enabled","controlDescription":"Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"2.6","cis_level":"2","cis_section_id":"2","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/SecurityCenter"}},"securitycenter_azure_defender_on_for_containerregistry":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_azure_defender_on_for_containerregistry","org":"turbot","name":"securitycenter_azure_defender_on_for_containerregistry","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'ContainerRegistry' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'ContainerRegistry' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for Container Registry'\n else ' Azure Defender off for Container Registry'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":61,"endLineNumber":79,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_2_7","org":"turbot","name":"cis_v130_2_7","mod":"Azure Compliance","title":"2.7 Ensure that Azure Defender is set to On for Container Registries","description":"Turning on Azure Defender enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.7","cis_level":"2","cis_section_id":"2","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_2_7","org":"turbot","name":"cis_v140_2_7","mod":"Azure Compliance","title":"2.7 Ensure that Microsoft Defender for Container Registries is set to 'On'","description":"Turning on Microsoft Defender for Container Registries enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.7","cis_level":"2","cis_section_id":"2","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.securitycenter_azure_defender_on_for_containerregistry","org":"turbot","name":"securitycenter_azure_defender_on_for_containerregistry","mod":"Azure Compliance","title":"Azure Defender for container registries should be enabled","description":"Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.","tags":{"service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_2_1_8","org":"turbot","name":"cis_v210_2_1_8","mod":"Azure Compliance","title":"2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On'","description":"Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.8","cis_level":"2","cis_section_id":"2.1","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_2_1_8","org":"turbot","name":"cis_v200_2_1_8","mod":"Azure Compliance","title":"2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On'","description":"Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.8","cis_level":"2","cis_section_id":"2.1","cis_type":"manual","cis_version":"v2.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_2_1_8","org":"turbot","name":"cis_v150_2_1_8","mod":"Azure Compliance","title":"2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On'","description":"Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.8","cis_level":"2","cis_section_id":"2.1","cis_type":"manual","cis_version":"v1.5.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_3_1_4_1","org":"turbot","name":"cis_v300_3_1_4_1","mod":"Azure Compliance","title":"3.1.4.1 Ensure That Microsoft Defender for Containers Is Set To 'On'","description":"Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.4.1","cis_level":"2","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter"}}],"controlTitle":"Azure Defender for container registries should be enabled","controlDescription":"Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.4.1","cis_level":"2","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},"securitycenter_azure_defender_on_for_appservice":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_azure_defender_on_for_appservice","org":"turbot","name":"securitycenter_azure_defender_on_for_appservice","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'AppServices' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'skip'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'AppServices' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for App Services'\n else ' Azure Defender off for App Services'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":41,"endLineNumber":59,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_2_2","org":"turbot","name":"cis_v130_2_2","mod":"Azure Compliance","title":"2.2 Ensure that Azure Defender is set to On for App Service","description":"Turning on Azure Defender enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.2","cis_level":"2","cis_section_id":"2","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_2_2","org":"turbot","name":"cis_v140_2_2","mod":"Azure Compliance","title":"2.2 Ensure that Microsoft Defender for App Service is set to 'On'","description":"Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.2","cis_level":"2","cis_section_id":"2","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_2_1_2","org":"turbot","name":"cis_v210_2_1_2","mod":"Azure Compliance","title":"2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On'","description":"Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.2","cis_level":"2","cis_section_id":"2.1","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_2_1_2","org":"turbot","name":"cis_v200_2_1_2","mod":"Azure Compliance","title":"2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On'","description":"Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.2","cis_level":"2","cis_section_id":"2.1","cis_type":"manual","cis_version":"v2.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_2_1_2","org":"turbot","name":"cis_v150_2_1_2","mod":"Azure Compliance","title":"2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On'","description":"Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.2","cis_level":"2","cis_section_id":"2.1","cis_type":"manual","cis_version":"v1.5.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_3_1_6_1","org":"turbot","name":"cis_v300_3_1_6_1","mod":"Azure Compliance","title":"3.1.6.1 Ensure That Microsoft Defender for App Services Is Set To 'On'","description":"Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.6.","cis_level":"2","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.securitycenter_azure_defender_on_for_appservice","org":"turbot","name":"securitycenter_azure_defender_on_for_appservice","mod":"Azure Compliance","title":"Azure Defender for App Service should be enabled","description":"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/SecurityCenter"}}],"controlTitle":"Azure Defender for App Service should be enabled","controlDescription":"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.6.","cis_level":"2","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true"}},"securitycenter_automatic_provisioning_monitoring_agent_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_automatic_provisioning_monitoring_agent_on","org":"turbot","name":"securitycenter_automatic_provisioning_monitoring_agent_on","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'auto_provision') = 'On' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'auto_provision') = 'On' then ' automatic provisioning of monitoring agent is on'\n else ' automatic provisioning of monitoring agent is off'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_auto_provisioning';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":221,"endLineNumber":239,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_2_11","org":"turbot","name":"cis_v130_2_11","mod":"Azure Compliance","title":"2.11 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On'","description":"Enable automatic provisioning of the monitoring agent to collect security data.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.11","cis_level":"1","cis_section_id":"2","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_2_11","org":"turbot","name":"cis_v140_2_11","mod":"Azure Compliance","title":"2.11 Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'","description":"Enable automatic provisioning of the monitoring agent to collect security data.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.11","cis_level":"1","cis_section_id":"2","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_2_1_14","org":"turbot","name":"cis_v210_2_1_14","mod":"Azure Compliance","title":"2.1.14 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'","description":"Enable automatic provisioning of the monitoring agent to collect security data.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.14","cis_level":"1","cis_section_id":"2.1","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_2_1_15","org":"turbot","name":"cis_v200_2_1_15","mod":"Azure Compliance","title":"2.1.15 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'","description":"Enable automatic provisioning of the monitoring agent to collect security data.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.1.15","cis_level":"1","cis_section_id":"2.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_2_2_1","org":"turbot","name":"cis_v150_2_2_1","mod":"Azure Compliance","title":"2.2.1 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'","description":"Enable automatic provisioning of the monitoring agent to collect security data.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.2.1","cis_level":"1","cis_section_id":"2.2","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_3_1_1_1","org":"turbot","name":"cis_v300_3_1_1_1","mod":"Azure Compliance","title":"3.1.1.1 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'","description":"Enable automatic provisioning of the monitoring agent to collect security data.","tags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.1.1","cis_level":"1","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.securitycenter_automatic_provisioning_monitoring_agent_on","org":"turbot","name":"securitycenter_automatic_provisioning_monitoring_agent_on","mod":"Azure Compliance","title":"Auto provisioning of the Log Analytics agent should be enabled on your subscription","description":"To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/SecurityCenter"}}],"controlTitle":"Auto provisioning of the Log Analytics agent should be enabled on your subscription","controlDescription":"To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"3.1.1.1","cis_level":"1","cis_section_id":"3.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/SecurityCenter","fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true"}},"securitycenter_contact_number_configured":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_contact_number_configured","org":"turbot","name":"securitycenter_contact_number_configured","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'phone') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'phone') is not null then ' contact number configured'\n else ' contact number not configured'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_contact';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":241,"endLineNumber":259,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.securitycenter_contact_number_configured","org":"turbot","name":"securitycenter_contact_number_configured","mod":"Terraform Azure Compliance","title":"Subscriptions should have a contact phone number for security issues","description":"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive phone notifications from Security Center.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SecurityCenter"}}],"controlTitle":"Subscriptions should have a contact phone number for security issues","controlDescription":"To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive phone notifications from Security Center.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SecurityCenter"}},"securitycenter_uses_standard_pricing_tier":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/securitycenter_uses_standard_pricing_tier","org":"turbot","name":"securitycenter_uses_standard_pricing_tier","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'tier') = 'Standard' then ' uses standard pricing tier'\n else ' not use standard pricing tier'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/securitycenter.pp","startLineNumber":261,"endLineNumber":279,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.securitycenter_uses_standard_pricing_tier","org":"turbot","name":"securitycenter_uses_standard_pricing_tier","mod":"Terraform Azure Compliance","title":"Security Center should use the standard pricing tier","description":"The standard pricing tier provides advanced security capabilities, including threat detection for Azure and hybrid workloads, just-in-time (JIT) virtual machine (VM) access, and access and application controls.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SecurityCenter"}}],"controlTitle":"Security Center should use the standard pricing tier","controlDescription":"The standard pricing tier provides advanced security capabilities, including threat detection for Azure and hybrid workloads, just-in-time (JIT) virtual machine (VM) access, and access and application controls.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SecurityCenter"}}},"cognitive_search":{"search_service_uses_sku_supporting_private_link":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/search_service_uses_sku_supporting_private_link","org":"turbot","name":"search_service_uses_sku_supporting_private_link","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku')::text = 'free' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku')::text = 'free' then ' SKU does not supports private link'\n else ' SKU supports private link'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_search_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitivesearch.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.search_service_uses_sku_supporting_private_link","org":"turbot","name":"search_service_uses_sku_supporting_private_link","mod":"Azure Compliance","title":"Azure Cognitive Search service should use a SKU that supports private link","description":"With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveSearch"}}],"controlTitle":"Azure Cognitive Search service should use a SKU that supports private link","controlDescription":"With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveSearch"}},"search_service_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/search_service_uses_managed_identity","org":"turbot","name":"search_service_uses_managed_identity","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity' ->> 'type')::text = 'SystemAssigned' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity' ->> 'type')::text = 'SystemAssigned' then ' uses managed identity'\n else ' not uses managed identity'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_search_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitivesearch.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.search_service_uses_managed_identity","org":"turbot","name":"search_service_uses_managed_identity","mod":"Azure Compliance","title":"Cognitive Search services should use managed identity","description":"Cognitive Search services should use a managed identity for enhanced authentication security.","tags":{"service":"Azure/CognitiveSearch"}}],"controlTitle":"Cognitive Search services should use managed identity","controlDescription":"Cognitive Search services should use a managed identity for enhanced authentication security.","controlTags":{"service":"Azure/CognitiveSearch"}},"search_service_replica_count_3":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/search_service_replica_count_3","org":"turbot","name":"search_service_replica_count_3","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'replica_count')::int > 3 then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'replica_count')::int > 3 then ' replica count is greater than 3'\n else ' replica count is greater than 3'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_search_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitivesearch.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.search_service_replica_count_3","org":"turbot","name":"search_service_replica_count_3","mod":"Azure Compliance","title":"Cognitive Search services should maintain SLA for index updates","description":"This control checks if Cognitive Search maintains SLA for index updates.","tags":{"service":"Azure/CognitiveSearch"}}],"controlTitle":"Cognitive Search services should maintain SLA for index updates","controlDescription":"This control checks if Cognitive Search maintains SLA for index updates.","controlTags":{"service":"Azure/CognitiveSearch"}},"search_service_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/search_service_public_network_access_disabled","org":"turbot","name":"search_service_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku')::text = 'free' then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_search_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitivesearch.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.search_service_public_network_access_disabled","org":"turbot","name":"search_service_public_network_access_disabled","mod":"Azure Compliance","title":"Azure Cognitive Search services should disable public network access","description":"Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveSearch"}}],"controlTitle":"Azure Cognitive Search services should disable public network access","controlDescription":"Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveSearch"}},"search_service_public_allowed_ip_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/search_service_public_allowed_ip_restrict_public_access","org":"turbot","name":"search_service_public_allowed_ip_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'allowed_ips') @> '[\"0.0.0.0/0\"]' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'allowed_ips') @> '[\"0.0.0.0/0\"]' then ' allowed IPS does not restrict public access'\n else ' allowed IPS restrict public access'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_search_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitivesearch.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.search_service_public_allowed_ip_restrict_public_access","org":"turbot","name":"search_service_public_allowed_ip_restrict_public_access","mod":"Terraform Azure Compliance","title":"Cognitive Search services allowed IPs should restrict public access","description":"This control checks if Cognitive Search service allowed IPs restrict public access.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/CognitiveSearch"}}],"controlTitle":"Cognitive Search services allowed IPs should restrict public access","controlDescription":"This control checks if Cognitive Search service allowed IPs restrict public access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/CognitiveSearch"}}},"redis":{"redis_cache_min_tls_1_2":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/redis_cache_min_tls_1_2","org":"turbot","name":"redis_cache_min_tls_1_2","sql":"select\n address as resource,\n attributes_std ->> 'minimum_tls_version',\n case\n when (attributes_std -> 'minimum_tls_version') is null then 'alarm'\n when (attributes_std ->> 'minimum_tls_version')::float < 1.2 then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'minimum_tls_version') is null then ' ''min_tls_version'' not defined'\n when (attributes_std ->> 'minimum_tls_version')::float < 1.2 then ' not using the latest version of TLS encryption'\n else ' using the latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_redis_cache';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redis.pp","startLineNumber":43,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.redis_cache_min_tls_1_2","org":"turbot","name":"redis_cache_min_tls_1_2","mod":"Azure Compliance","title":"Redis Caches 'Minimum TLS version' should be set to 'Version 1.2'","description":"This control checks whether 'Minimum TLS version' is set to 1.2. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to later protocols such as TLS 1.2.","tags":{"service":"Azure/Redis"}}],"controlTitle":"Redis Caches 'Minimum TLS version' should be set to 'Version 1.2'","controlDescription":"This control checks whether 'Minimum TLS version' is set to 1.2. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to later protocols such as TLS 1.2.","controlTags":{"service":"Azure/Redis"}},"azure_redis_cache_in_virtual_network":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/azure_redis_cache_in_virtual_network","org":"turbot","name":"azure_redis_cache_in_virtual_network","sql":"select\n address as resource,\n case\n when (attributes_std -> 'subnet_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'subnet_id') is not null then ' in virtual network'\n else ' not in virtual network'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_redis_cache';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redis.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.azure_redis_cache_in_virtual_network","org":"turbot","name":"azure_redis_cache_in_virtual_network","mod":"Terraform Azure Compliance","title":"Azure Cache for Redis should reside within a virtual network","description":"Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Redis"}}],"controlTitle":"Azure Cache for Redis should reside within a virtual network","controlDescription":"Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Redis"}},"azure_redis_cache_ssl_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/azure_redis_cache_ssl_enabled","org":"turbot","name":"azure_redis_cache_ssl_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enable_non_ssl_port')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enable_non_ssl_port')::boolean then ' secure connections disabled'\n else ' secure connections enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_redis_cache';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redis.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.azure_redis_cache_ssl_enabled","org":"turbot","name":"azure_redis_cache_ssl_enabled","mod":"Terraform Azure Compliance","title":"Only secure connections to your Azure Cache for Redis should be enabled","description":"Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Redis"}}],"controlTitle":"Only secure connections to your Azure Cache for Redis should be enabled","controlDescription":"Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/Redis"}},"redis_cache_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/redis_cache_restrict_public_access","org":"turbot","name":"redis_cache_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_redis_cache';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redis.pp","startLineNumber":67,"endLineNumber":86,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.redis_cache_restrict_public_access","org":"turbot","name":"redis_cache_restrict_public_access","mod":"Terraform Azure Compliance","title":"Redis Caches should restrict public access","description":"Disabling public network access improves security by ensuring that Redis Cache isn't exposed on the public internet. Creating private endpoints can limit exposure of Redis Cache.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Redis"}}],"controlTitle":"Redis Caches should restrict public access","controlDescription":"Disabling public network access improves security by ensuring that Redis Cache isn't exposed on the public internet. Creating private endpoints can limit exposure of Redis Cache.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Redis"}},"redis_cache_standard_replication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/redis_cache_standard_replication_enabled","org":"turbot","name":"redis_cache_standard_replication_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku_name') in ('Standard' , 'Premium') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku_name') in ('Standard' , 'Premium') then ' standard replication enabled'\n else ' standard replication disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_redis_cache';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redis.pp","startLineNumber":88,"endLineNumber":107,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.redis_cache_standard_replication_enabled","org":"turbot","name":"redis_cache_standard_replication_enabled","mod":"Terraform Azure Compliance","title":"Redis Caches standard replication should be enabled","description":"This control ensures that standard replication is enabled for Redis Caches.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Redis"}}],"controlTitle":"Redis Caches standard replication should be enabled","controlDescription":"This control ensures that standard replication is enabled for Redis Caches.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Redis"}},"redis_instance_encryption_in_transit_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/redis_instance_encryption_in_transit_enabled","org":"turbot","name":"redis_instance_encryption_in_transit_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'transit_encryption_mode') = 'SERVER_AUTHENTICATION' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'transit_encryption_mode') = 'SERVER_AUTHENTICATION' then ' encryption in transit enabled'\n else ' encryption in transit disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_redis_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redis.pp","startLineNumber":21,"endLineNumber":39,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.redis_instance_encryption_in_transit_enabled","org":"turbot","name":"redis_instance_encryption_in_transit_enabled","mod":"Terraform GCP Compliance","title":"Redis instances encryption in transit should be enabled","description":"Ensure Redis instance encryption in transit is enabled. This control is non-compliant if encryption in transit is disabled for Redis instances.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Redis"}}],"controlTitle":"Redis instances encryption in transit should be enabled","controlDescription":"Ensure Redis instance encryption in transit is enabled. This control is non-compliant if encryption in transit is disabled for Redis instances.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Redis"}},"redis_instance_auth_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/redis_instance_auth_enabled","org":"turbot","name":"redis_instance_auth_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'auth_enabled') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'auth_enabled') = 'true' then ' Auth enabled'\n else ' Auth disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_redis_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redis.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.redis_instance_auth_enabled","org":"turbot","name":"redis_instance_auth_enabled","mod":"Terraform GCP Compliance","title":"Redis instances should have auth enabled","description":"Ensure Redis instance has Auth enabled. This control is non-compliant if Auth is disabled for Redis instance.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Redis"}}],"controlTitle":"Redis instances should have auth enabled","controlDescription":"Ensure Redis instance has Auth enabled. This control is non-compliant if Auth is disabled for Redis instance.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Redis"}}},"postgre_sql":{"postgresql_server_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgresql_server_public_network_access_disabled","org":"turbot","name":"postgresql_server_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') is null then 'alarm'\n when (attributes_std ->> 'public_network_access_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') is null then ' ''public_network_access_enabled'' not set'\n when (attributes_std ->> 'public_network_access_enabled')::boolean then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_postgresql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":232,"endLineNumber":253,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.postgresql_server_public_network_access_disabled","org":"turbot","name":"postgresql_server_public_network_access_disabled","mod":"Azure Compliance","title":"Public network access should be disabled for PostgreSQL servers","description":"Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/PostgreSQL"}}],"controlTitle":"Public network access should be disabled for PostgreSQL servers","controlDescription":"Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/PostgreSQL"}},"postgresql_server_infrastructure_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgresql_server_infrastructure_encryption_enabled","org":"turbot","name":"postgresql_server_infrastructure_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'infrastructure_encryption_enabled') is null then 'alarm'\n when (attributes_std ->> 'infrastructure_encryption_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'infrastructure_encryption_enabled') is null then ' ''infrastructure_encryption_enabled'' not set'\n when (attributes_std ->> 'infrastructure_encryption_enabled')::boolean then ' infrastructure encryption enabled'\n else ' infrastructure encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_postgresql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":75,"endLineNumber":96,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_4_3_8","org":"turbot","name":"cis_v210_4_3_8","mod":"Azure Compliance","title":"4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'","description":"Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.8","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_4_3_8","org":"turbot","name":"cis_v200_4_3_8","mod":"Azure Compliance","title":"4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'","description":"Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.8","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_4_3_8","org":"turbot","name":"cis_v150_4_3_8","mod":"Azure Compliance","title":"4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'","description":"Enable encryption at rest for PostgreSQL Databases.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.8","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_4_3_8","org":"turbot","name":"cis_v140_4_3_8","mod":"Azure Compliance","title":"4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'","description":"Enable encryption at rest for PostgreSQL Databases.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.8","cis_level":"1","cis_section_id":"4.3","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_5_2_8","org":"turbot","name":"cis_v300_5_2_8","mod":"Azure Compliance","title":"5.2.8 [LEGACY]Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'","description":"Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.8","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.postgresql_server_infrastructure_encryption_enabled","org":"turbot","name":"postgresql_server_infrastructure_encryption_enabled","mod":"Azure Compliance","title":"Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers","description":"Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/PostgreSQL"}}],"controlTitle":"Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers","controlDescription":"Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.8","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/PostgreSQL","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true"}},"postgres_db_server_log_retention_days_3":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_server_log_retention_days_3","org":"turbot","name":"postgres_db_server_log_retention_days_3","sql":"with postgresql_server as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_server'\n), log_disconnections_configuration as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_configuration'\n and (attributes_std ->> 'name') = 'log_retention_days'\n and (attributes_std ->> 'value')::int > 3\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'server_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'server_name') is not null then ' log files are retained for more than 3 days'\n else ' og files are retained for 3 days or lesser'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n postgresql_server as a\n left join log_disconnections_configuration as s on a.name = ( split_part((s.attributes_std ->> 'server_name'), '.', 2));\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":1,"endLineNumber":36,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.postgres_db_server_log_retention_days_3","org":"turbot","name":"postgres_db_server_log_retention_days_3","mod":"Azure Compliance","title":"Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server","description":"Enable log_retention_days on PostgreSQL Servers.","tags":{"service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_4_3_6","org":"turbot","name":"cis_v210_4_3_6","mod":"Azure Compliance","title":"4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server","description":"Ensure log_retention_days on PostgreSQL Servers is set to an appropriate value.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.6","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_4_3_6","org":"turbot","name":"cis_v200_4_3_6","mod":"Azure Compliance","title":"4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server","description":"Ensure log_retention_days on PostgreSQL Servers is set to an appropriate value.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.6","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_4_3_6","org":"turbot","name":"cis_v150_4_3_6","mod":"Azure Compliance","title":"4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server ","description":"Enable log_retention_days on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.6","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_4_3_6","org":"turbot","name":"cis_v140_4_3_6","mod":"Azure Compliance","title":"4.3.6 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server","description":"Enable log_retention_days on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.6","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_4_3_7","org":"turbot","name":"cis_v130_4_3_7","mod":"Azure Compliance","title":"4.3.7 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server","description":"Enable log_retention_days on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.7","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/PostgreSQL"}}],"controlTitle":"Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server","controlDescription":"Enable log_retention_days on PostgreSQL Servers.","controlTags":{"service":"Azure/PostgreSQL","category":"Compliance","cis":"true","cis_item_id":"4.3.7","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure"}},"postgres_db_server_log_disconnections_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_server_log_disconnections_on","org":"turbot","name":"postgres_db_server_log_disconnections_on","sql":"with postgresql_server as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_server'\n), log_disconnections_configuration as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_configuration'\n and (attributes_std ->> 'name') = 'log_disconnections'\n and (attributes_std ->> 'value') = 'on'\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'server_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'server_name') is not null then ' server parameter log_disconnections on'\n else ' server parameter log_disconnections off'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n postgresql_server as a\n left join log_disconnections_configuration as s on a.name = (split_part((s.attributes_std ->> 'server_name'), '.', 2));\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":255,"endLineNumber":290,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_4_3_4","org":"turbot","name":"cis_v210_4_3_4","mod":"Azure Compliance","title":"4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server","description":"Enable log_disconnections on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.4","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_4_3_4","org":"turbot","name":"cis_v200_4_3_4","mod":"Azure Compliance","title":"4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server","description":"Enable log_disconnections on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.4","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_4_3_4","org":"turbot","name":"cis_v150_4_3_4","mod":"Azure Compliance","title":"4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server ","description":"Enable log_disconnections on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.4","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_4_3_4","org":"turbot","name":"cis_v140_4_3_4","mod":"Azure Compliance","title":"4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server","description":"Enable log_disconnections on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.4","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_4_3_5","org":"turbot","name":"cis_v130_4_3_5","mod":"Azure Compliance","title":"4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server","description":"Enable log_disconnections on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.5","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_5_2_7","org":"turbot","name":"cis_v300_5_2_7","mod":"Azure Compliance","title":"5.2.7 [LEGACY]Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single Server","description":"Enable 'log_disconnections' on 'PostgreSQL Servers'.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.7","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.postgres_db_server_log_disconnections_on","org":"turbot","name":"postgres_db_server_log_disconnections_on","mod":"Azure Compliance","title":"Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server","description":"Enable log_disconnections on PostgreSQL Servers.","tags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/PostgreSQL"}}],"controlTitle":"Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server","controlDescription":"Enable log_disconnections on PostgreSQL Servers.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.7","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/PostgreSQL","rbi_itf_nbfc_v2017":"true"}},"postgres_db_server_log_connections_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_server_log_connections_on","org":"turbot","name":"postgres_db_server_log_connections_on","sql":"with postgresql_server as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_server'\n), log_connections_configuration as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_configuration'\n and (attributes_std ->> 'name') = 'log_connections'\n and (attributes_std ->> 'value') = 'on'\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'server_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'server_name') is not null then ' server parameter log_connections on'\n else ' server parameter log_connections off'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n postgresql_server as a\n left join log_connections_configuration as s on a.name = (split_part((s.attributes_std ->> 'server_name'), '.', 2));\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":195,"endLineNumber":230,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_4_3_3","org":"turbot","name":"cis_v210_4_3_3","mod":"Azure Compliance","title":"4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server","description":"Enable log_connections on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.3","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_4_3_3","org":"turbot","name":"cis_v200_4_3_3","mod":"Azure Compliance","title":"4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server","description":"Enable log_connections on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.3","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_4_3_3","org":"turbot","name":"cis_v150_4_3_3","mod":"Azure Compliance","title":"4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server","description":"Enable log_connections on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.3","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_4_3_3","org":"turbot","name":"cis_v140_4_3_3","mod":"Azure Compliance","title":"4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server","description":"Enable log_connections on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.3","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_4_3_4","org":"turbot","name":"cis_v130_4_3_4","mod":"Azure Compliance","title":"4.3.4 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server","description":"Enable log_connections on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.4","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_5_2_6","org":"turbot","name":"cis_v300_5_2_6","mod":"Azure Compliance","title":"5.2.6 [LEGACY]Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single Server","description":"Enable 'log_connections' on 'PostgreSQL single Servers'.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.6","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.postgres_db_server_log_connections_on","org":"turbot","name":"postgres_db_server_log_connections_on","mod":"Azure Compliance","title":"Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server","description":"Enable log_connections on PostgreSQL Servers.","tags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/PostgreSQL"}}],"controlTitle":"Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server","controlDescription":"Enable log_connections on PostgreSQL Servers.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"5.2.6","cis_level":"1","cis_section_id":"5.2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/PostgreSQL","rbi_itf_nbfc_v2017":"true"}},"postgres_db_server_log_checkpoints_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_server_log_checkpoints_on","org":"turbot","name":"postgres_db_server_log_checkpoints_on","sql":"with postgresql_server as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_server'\n), log_checkpoints_configuration as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_configuration'\n and (attributes_std ->> 'name') = 'log_checkpoints'\n and (attributes_std ->> 'value') = 'on'\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'server_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'server_name') is not null then ' server parameter log_checkpoints on'\n else ' server parameter log_checkpoints off'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n postgresql_server as a\n left join log_checkpoints_configuration as s on a.name = (split_part((s.attributes_std ->> 'server_name'), '.', 2));\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":158,"endLineNumber":193,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_4_3_2","org":"turbot","name":"cis_v210_4_3_2","mod":"Azure Compliance","title":"4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server","description":"Enable log_checkpoints on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.2","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_4_3_2","org":"turbot","name":"cis_v200_4_3_2","mod":"Azure Compliance","title":"4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server","description":"Enable log_checkpoints on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.2","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_4_3_2","org":"turbot","name":"cis_v150_4_3_2","mod":"Azure Compliance","title":"4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server","description":"Enable log_checkpoints on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.2","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_4_3_2","org":"turbot","name":"cis_v140_4_3_2","mod":"Azure Compliance","title":"4.3.2 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server","description":"Enable log_checkpoints on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.2","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_4_3_3","org":"turbot","name":"cis_v130_4_3_3","mod":"Azure Compliance","title":"4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server","description":"Enable log_checkpoints on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.3","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.postgres_db_server_log_checkpoints_on","org":"turbot","name":"postgres_db_server_log_checkpoints_on","mod":"Azure Compliance","title":"Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server","description":"Enable log_checkpoints on PostgreSQL Servers.","tags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/PostgreSQL"}}],"controlTitle":"Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server","controlDescription":"Enable log_checkpoints on PostgreSQL Servers.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.3","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/PostgreSQL","rbi_itf_nbfc_v2017":"true"}},"postgres_db_server_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_server_latest_tls_version","org":"turbot","name":"postgres_db_server_latest_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'ssl_minimal_tls_version_enforced') is null or (attributes_std ->> 'ssl_minimal_tls_version_enforced') = 'TLS1_2' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'ssl_minimal_tls_version_enforced') is null or (attributes_std ->> 'ssl_minimal_tls_version_enforced') = 'TLS1_2' then ' using the latest version of TLS encryption'\n else ' not using the latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_postgresql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":361,"endLineNumber":380,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.postgres_db_server_latest_tls_version","org":"turbot","name":"postgres_db_server_latest_tls_version","mod":"Azure Compliance","title":"PostgreSQL servers should have the latest TLS version","description":"This control checks if the PostgreSQL server is upgraded to the latest TLS version.","tags":{"service":"Azure/PostgreSQL"}}],"controlTitle":"PostgreSQL servers should have the latest TLS version","controlDescription":"This control checks if the PostgreSQL server is upgraded to the latest TLS version.","controlTags":{"service":"Azure/PostgreSQL"}},"postgres_db_server_geo_redundant_backup_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_server_geo_redundant_backup_enabled","org":"turbot","name":"postgres_db_server_geo_redundant_backup_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'geo_redundant_backup_enabled') is null then 'alarm'\n when (attributes_std ->> 'geo_redundant_backup_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'geo_redundant_backup_enabled') is null then ' ''geo_redundant_backup_enabled'' not set'\n when (attributes_std ->> 'geo_redundant_backup_enabled')::boolean then ' Geo-redundant backup enabled'\n else ' Geo-redundant backup disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_postgresql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":98,"endLineNumber":119,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.postgres_db_server_geo_redundant_backup_enabled","org":"turbot","name":"postgres_db_server_geo_redundant_backup_enabled","mod":"Azure Compliance","title":"Geo-redundant backup should be enabled for Azure Database for PostgreSQL","description":"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/PostgreSQL"}}],"controlTitle":"Geo-redundant backup should be enabled for Azure Database for PostgreSQL","controlDescription":"Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/PostgreSQL"}},"postgres_db_server_connection_throttling_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_server_connection_throttling_on","org":"turbot","name":"postgres_db_server_connection_throttling_on","sql":"with postgresql_server as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_server'\n), connection_throttling_configuration as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_configuration'\n and (attributes_std ->> 'name') = 'connection_throttling'\n and (attributes_std ->> 'value') = 'on'\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'server_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'server_name') is not null then ' server parameter connection_throttling on'\n else ' server parameter connection_throttling off'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n postgresql_server as a\n left join connection_throttling_configuration as s on a.name = ( split_part((s.attributes_std ->> 'server_name'), '.', 2));\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":38,"endLineNumber":73,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.postgres_db_server_connection_throttling_on","org":"turbot","name":"postgres_db_server_connection_throttling_on","mod":"Azure Compliance","title":"Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server","description":"Enable connection_throttling on PostgreSQL Servers.","tags":{"service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_4_3_5","org":"turbot","name":"cis_v210_4_3_5","mod":"Azure Compliance","title":"4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server","description":"Enable connection_throttling on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.5","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_4_3_5","org":"turbot","name":"cis_v200_4_3_5","mod":"Azure Compliance","title":"4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server","description":"Enable connection_throttling on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.5","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_4_3_5","org":"turbot","name":"cis_v150_4_3_5","mod":"Azure Compliance","title":"4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server","description":"Enable connection_throttling on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.5","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_4_3_5","org":"turbot","name":"cis_v140_4_3_5","mod":"Azure Compliance","title":"4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server","description":"Enable connection_throttling on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.5","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/PostgreSQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_4_3_6","org":"turbot","name":"cis_v130_4_3_6","mod":"Azure Compliance","title":"4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server","description":"Enable connection_throttling on PostgreSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.6","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/PostgreSQL"}}],"controlTitle":"Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server","controlDescription":"Enable connection_throttling on PostgreSQL Servers.","controlTags":{"service":"Azure/PostgreSQL","category":"Compliance","cis":"true","cis_item_id":"4.3.6","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure"}},"mariadb_server_ssl_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mariadb_server_ssl_enabled","org":"turbot","name":"mariadb_server_ssl_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'ssl_enforcement_enabled') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'ssl_enforcement_enabled') = 'true' then ' SSL connection enabled'\n else ' SSL connection disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mariadb_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mariadb.pp","startLineNumber":47,"endLineNumber":66,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.mariadb_server_ssl_enabled","org":"turbot","name":"mariadb_server_ssl_enabled","mod":"Azure Compliance","title":"MariaDB servers should have 'Enforce SSL connection' set to 'ENABLED'","description":"This control checks whether MariaDB servers SSL enforcement is enabled. This control is non-compliant if SSL enforcement is disabled.","tags":{"service":"Azure/PostgreSQL"}}],"controlTitle":"MariaDB servers should have 'Enforce SSL connection' set to 'ENABLED'","controlDescription":"This control checks whether MariaDB servers SSL enforcement is enabled. This control is non-compliant if SSL enforcement is disabled.","controlTags":{"service":"Azure/PostgreSQL"}},"postgresql_ssl_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgresql_ssl_enabled","org":"turbot","name":"postgresql_ssl_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'ssl_enforcement_enabled') is null then 'alarm'\n when (attributes_std ->> 'ssl_enforcement_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'ssl_enforcement_enabled') is null then ' ''ssl_enforcement_enabled'' not set'\n when (attributes_std ->> 'ssl_enforcement_enabled')::boolean then ' SSL connection enabled'\n else ' SSL connection disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_postgresql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":292,"endLineNumber":313,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.postgresql_ssl_enabled","org":"turbot","name":"postgresql_ssl_enabled","mod":"Terraform Azure Compliance","title":"Enforce SSL connection should be enabled for PostgreSQL database servers","description":"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server","tags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/PostgreSQL"}}],"controlTitle":"Enforce SSL connection should be enabled for PostgreSQL database servers","controlDescription":"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server","controlTags":{"category":"Compliance","hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/PostgreSQL"}},"postgresql_server_encrypted_at_rest_using_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgresql_server_encrypted_at_rest_using_cmk","org":"turbot","name":"postgresql_server_encrypted_at_rest_using_cmk","sql":"with postgresql_server as (\n select\n '${azurerm_postgresql_server.' || name || '.id}' as pg_id,\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_server'\n), server_keys as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_postgresql_server_key'\n and (attributes_std -> 'key_vault_key_id') is not null\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'server_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'server_id') is not null then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n postgresql_server as a\n left join server_keys as s on a.pg_id = ( s.attributes_std ->> 'server_id');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":121,"endLineNumber":156,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.postgresql_server_encrypted_at_rest_using_cmk","org":"turbot","name":"postgresql_server_encrypted_at_rest_using_cmk","mod":"Terraform Azure Compliance","title":"PostgreSQL servers should use customer-managed keys to encrypt data at rest","description":"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/PostgreSQL"}}],"controlTitle":"PostgreSQL servers should use customer-managed keys to encrypt data at rest","controlDescription":"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/PostgreSQL"}},"postgres_db_flexible_server_geo_redundant_backup_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_flexible_server_geo_redundant_backup_enabled","org":"turbot","name":"postgres_db_flexible_server_geo_redundant_backup_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'geo_redundant_backup_enabled') is null then 'alarm'\n when (attributes_std ->> 'geo_redundant_backup_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'geo_redundant_backup_enabled') is null then ' ''geo_redundant_backup_enabled'' not set'\n when (attributes_std ->> 'geo_redundant_backup_enabled')::boolean then ' geo-redundant backup enabled'\n else ' geo-redundant backup disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_postgresql_flexible_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":315,"endLineNumber":336,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.postgres_db_flexible_server_geo_redundant_backup_enabled","org":"turbot","name":"postgres_db_flexible_server_geo_redundant_backup_enabled","mod":"Terraform Azure Compliance","title":"PostgreSQL flexible serves Geo-redundant backup should be enabled","description":"Azure Database for PostgreSQL flexible serves allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/PostgreSQL"}}],"controlTitle":"PostgreSQL flexible serves Geo-redundant backup should be enabled","controlDescription":"Azure Database for PostgreSQL flexible serves allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/PostgreSQL"}},"postgres_db_server_threat_detection_policy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/postgres_db_server_threat_detection_policy_enabled","org":"turbot","name":"postgres_db_server_threat_detection_policy_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'threat_detection_policy') is null then 'alarm'\n when (attributes_std -> 'threat_detection_policy' ->> 'enabled') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'threat_detection_policy') is null then ' threat detection policy not set'\n when (attributes_std -> 'threat_detection_policy' ->> 'enabled') = 'true' then ' threat detection policy enabled'\n else ' threat detection policy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_postgresql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/postgres.pp","startLineNumber":338,"endLineNumber":359,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.postgres_db_server_threat_detection_policy_enabled","org":"turbot","name":"postgres_db_server_threat_detection_policy_enabled","mod":"Terraform Azure Compliance","title":"PostgreSQL Servers threat detection policy should be enabled","description":"Ensure that PostgreSQL server threat detection policy is enabled. This control is non-compliant if PostgreSQL server threat detection policy is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/PostgreSQL"}}],"controlTitle":"PostgreSQL Servers threat detection policy should be enabled","controlDescription":"Ensure that PostgreSQL server threat detection policy is enabled. This control is non-compliant if PostgreSQL server threat detection policy is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/PostgreSQL"}}},"network":{"network_security_group_subnet_associated":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_group_subnet_associated","org":"turbot","name":"network_security_group_subnet_associated","sql":"with all_subnet as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_subnet'\n), network_security_group_association as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_subnet_network_security_group_association'\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'subnet_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'subnet_id') is not null then ' associated with subnet'\n else ' not associated with subnet'\n end || '.' reason\n , a.path || ':' || a.start_line\nfrom\n all_subnet as a\n left join network_security_group_association as s on a.name = ( split_part((s.attributes_std ->> 'subnet_id'), '.', 2));\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":1,"endLineNumber":33,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_subnet_associated","org":"turbot","name":"network_security_group_subnet_associated","mod":"Azure Compliance","title":"Subnets should be associated with a Network Security Group","description":"This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}}],"controlTitle":"Subnets should be associated with a Network Security Group","controlDescription":"This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}},"network_security_group_ssh_access_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_group_ssh_access_restricted","org":"turbot","name":"network_security_group_ssh_access_restricted","sql":"$60","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":349,"endLineNumber":405,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_6_2","org":"turbot","name":"cis_v210_6_2","mod":"Azure Compliance","title":"6.2 Ensure that SSH access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_6_2","org":"turbot","name":"cis_v200_6_2","mod":"Azure Compliance","title":"6.2 Ensure that SSH access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_6_2","org":"turbot","name":"cis_v150_6_2","mod":"Azure Compliance","title":"6.2 Ensure that SSH access from the internet is evaluated and restricted ","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_6_2","org":"turbot","name":"cis_v140_6_2","mod":"Azure Compliance","title":"6.2 Ensure that SSH access is restricted from the internet","description":"Disable SSH access on network security groups from the Internet.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_6_2","org":"turbot","name":"cis_v130_6_2","mod":"Azure Compliance","title":"6.2 Ensure that SSH access is restricted from the internet","description":"Disable SSH access on network security groups from the Internet.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_7_2","org":"turbot","name":"cis_v300_7_2","mod":"Azure Compliance","title":"7.2 Ensure that SSH access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.2","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_ssh_access_restricted","org":"turbot","name":"network_security_group_ssh_access_restricted","mod":"Azure Compliance","title":"Ensure that SSH access is restricted from the internet","description":"Disable SSH access on network security groups from the Internet.","tags":{"service":"Azure/Network"}}],"controlTitle":"Ensure that SSH access is restricted from the internet","controlDescription":"Disable SSH access on network security groups from the Internet.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"7.2","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Network"}},"network_security_group_rdp_access_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_group_rdp_access_restricted","org":"turbot","name":"network_security_group_rdp_access_restricted","sql":"$61","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":240,"endLineNumber":296,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_6_1","org":"turbot","name":"cis_v210_6_1","mod":"Azure Compliance","title":"6.1 Ensure that RDP access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.1","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_6_1","org":"turbot","name":"cis_v200_6_1","mod":"Azure Compliance","title":"6.1 Ensure that RDP access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.1","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_6_1","org":"turbot","name":"cis_v140_6_1","mod":"Azure Compliance","title":"6.1 Ensure that RDP access is restricted from the internet","description":"Disable RDP access on network security groups from the Internet.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.1","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_6_1","org":"turbot","name":"cis_v130_6_1","mod":"Azure Compliance","title":"6.1 Ensure that RDP access is restricted from the internet","description":"Disable RDP access on network security groups from the Internet.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.1","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_6_1","org":"turbot","name":"cis_v150_6_1","mod":"Azure Compliance","title":"6.1 Ensure that RDP from the internet access is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.1","cis_level":"1","cis_section_id":"6","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_7_1","org":"turbot","name":"cis_v300_7_1","mod":"Azure Compliance","title":"7.1 Ensure that RDP access from the Internet is evaluated and restricted","description":"Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required.","tags":{"category":"Compliance","cis":"true","cis_item_id":"7.1","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Network"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_rdp_access_restricted","org":"turbot","name":"network_security_group_rdp_access_restricted","mod":"Azure Compliance","title":"Windows machines should meet requirements for 'User Rights Assignment'","description":"Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Network"}}],"controlTitle":"Windows machines should meet requirements for 'User Rights Assignment'","controlDescription":"Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"7.1","cis_level":"1","cis_section_id":"7","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/Network","hipaa_hitrust_v92":"true"}},"network_security_group_not_configured_gateway_subnets":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_group_not_configured_gateway_subnets","org":"turbot","name":"network_security_group_not_configured_gateway_subnets","sql":"$62","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":56,"endLineNumber":90,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.network_security_group_not_configured_gateway_subnets","org":"turbot","name":"network_security_group_not_configured_gateway_subnets","mod":"Azure Compliance","title":"Gateway subnets should not be configured with a network security group","description":"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/Network"}}],"controlTitle":"Gateway subnets should not be configured with a network security group","controlDescription":"Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/Network"}},"application_gateway_waf_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/application_gateway_waf_enabled","org":"turbot","name":"application_gateway_waf_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'waf_configuration') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'waf_configuration') is not null then ' WAF enabled'\n else ' WAF disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_application_gateway';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/applicationgateway.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.application_gateway_waf_enabled","org":"turbot","name":"application_gateway_waf_enabled","mod":"Azure Compliance","title":"Web Application Firewall (WAF) should be enabled for Application Gateway","description":"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}}],"controlTitle":"Web Application Firewall (WAF) should be enabled for Application Gateway","controlDescription":"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Network"}},"network_security_rule_udp_access_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_rule_udp_access_restricted","org":"turbot","name":"network_security_rule_udp_access_restricted","sql":"select\n address as resource,\n case\n when lower(attributes_std ->> 'protocol') = 'udp'\n and lower(attributes_std ->> 'direction') = 'inbound'\n and lower(attributes_std ->> 'access') = 'allow'\n and lower(attributes_std ->> 'source_address_prefix') in ('*', '0.0.0.0', '/0', '/0', 'internet', 'any') then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when lower(attributes_std ->> 'protocol') = 'udp'\n and lower(attributes_std ->> 'direction') = 'inbound'\n and lower(attributes_std ->> 'access') = 'allow'\n and lower(attributes_std ->> 'source_address_prefix') in ('*', '0.0.0.0', '/0', '/0', 'internet', 'any') then ' allows UDP services from internet'\n else ' restricts UDP services from internet'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_network_security_rule';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":163,"endLineNumber":187,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_security_rule_udp_access_restricted","org":"turbot","name":"network_security_rule_udp_access_restricted","mod":"Terraform Azure Compliance","title":"Network Security Rules UDP Services are restricted from the Internet","description":"Disable Internet exposed UDP ports on network security rules.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network Security Rules UDP Services are restricted from the Internet","controlDescription":"Disable Internet exposed UDP ports on network security rules.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_security_group_udp_access_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_group_udp_access_restricted","org":"turbot","name":"network_security_group_udp_access_restricted","sql":"$63","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":114,"endLineNumber":161,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_security_group_udp_access_restricted","org":"turbot","name":"network_security_group_udp_access_restricted","mod":"Terraform Azure Compliance","title":"Network Security Groups UDP Services are restricted from the Internet","description":"Disable Internet exposed UDP ports on network security groups.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network Security Groups UDP Services are restricted from the Internet","controlDescription":"Disable Internet exposed UDP ports on network security groups.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_dns_server_2":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_dns_server_2","org":"turbot","name":"network_dns_server_2","sql":"select\n address as resource,\n case\n when attributes_std -> 'dns_servers' is null then 'alarm'\n when jsonb_array_length(attributes_std -> 'dns_servers') > 1 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when attributes_std -> 'dns_servers' is null then ' DNS servers not defined'\n else ' has ' || (jsonb_array_length(attributes_std -> 'dns_servers')) || ' DNS server(s) configured'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_virtual_network';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":516,"endLineNumber":536,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_dns_server_2","org":"turbot","name":"network_dns_server_2","mod":"Terraform Azure Compliance","title":"Network should have at least two connected DNS Endpoints","description":"This check ensures that Network has at least two connected DNS Endpoints.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network should have at least two connected DNS Endpoints","controlDescription":"This check ensures that Network has at least two connected DNS Endpoints.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_security_group_http_access_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_group_http_access_restricted","org":"turbot","name":"network_security_group_http_access_restricted","sql":"$64","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":458,"endLineNumber":514,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_security_group_http_access_restricted","org":"turbot","name":"network_security_group_http_access_restricted","mod":"Terraform Azure Compliance","title":"Network Security Groups HTTP Services are restricted from the Internet","description":"Disable Internet exposed HTTP ports on network security groups.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network Security Groups HTTP Services are restricted from the Internet","controlDescription":"Disable Internet exposed HTTP ports on network security groups.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_security_rule_ssh_access_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_rule_ssh_access_restricted","org":"turbot","name":"network_security_rule_ssh_access_restricted","sql":"$65","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":298,"endLineNumber":347,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_security_rule_ssh_access_restricted","org":"turbot","name":"network_security_rule_ssh_access_restricted","mod":"Terraform Azure Compliance","title":"Network Security Rules SSH Services are restricted from the Internet","description":"Disable Internet exposed RDP ports on network security rules.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network Security Rules SSH Services are restricted from the Internet","controlDescription":"Disable Internet exposed RDP ports on network security rules.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_watcher_flow_log_retention_period_90_days":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_watcher_flow_log_retention_period_90_days","org":"turbot","name":"network_watcher_flow_log_retention_period_90_days","sql":"select\n address as resource,\n case\n when (attributes_std -> 'retention_policy' ->> 'enabled') = 'false' then 'alarm'\n when (attributes_std -> 'retention_policy' ->> 'enabled') = 'true' and (attributes_std -> 'retention_policy' ->> 'days')::int >= 90 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'retention_policy' ->> 'enabled') = 'false' then ' retention policy disabled'\n else ' retention set to ' || (attributes_std -> 'retention_policy' ->> 'days') || ' day(s)'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_network_watcher_flow_log';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":92,"endLineNumber":112,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_watcher_flow_log_retention_period_90_days","org":"turbot","name":"network_watcher_flow_log_retention_period_90_days","mod":"Terraform Azure Compliance","title":"Network Watcher flow logs should have retention set to 90 days or greater","description":"This control is non-compliant if Network Watcher flow log retention is set to less than 90 days.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network Watcher flow logs should have retention set to 90 days or greater","controlDescription":"This control is non-compliant if Network Watcher flow log retention is set to less than 90 days.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_security_rule_rdp_access_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_rule_rdp_access_restricted","org":"turbot","name":"network_security_rule_rdp_access_restricted","sql":"$66","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":189,"endLineNumber":238,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_security_rule_rdp_access_restricted","org":"turbot","name":"network_security_rule_rdp_access_restricted","mod":"Terraform Azure Compliance","title":"Network Security Rules RDP Services are restricted from the Internet","description":"Disable Internet exposed RDP ports on network security rules.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network Security Rules RDP Services are restricted from the Internet","controlDescription":"Disable Internet exposed RDP ports on network security rules.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_virtual_network_dns_server_2":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_virtual_network_dns_server_2","org":"turbot","name":"network_virtual_network_dns_server_2","sql":"select\n address as resource,\n case\n when attributes_std -> 'dns_servers' is null then 'alarm'\n when jsonb_array_length(attributes_std -> 'dns_servers') > 1 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when attributes_std -> 'dns_servers' is null then ' DNS servers not defined'\n else ' has ' || (jsonb_array_length(attributes_std -> 'dns_servers')) || ' DNS server(s) configured'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_virtual_network_dns_servers';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":538,"endLineNumber":557,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_virtual_network_dns_server_2","org":"turbot","name":"network_virtual_network_dns_server_2","mod":"Terraform Azure Compliance","title":"Network DNS server should have at least two connected DNS Endpoint","description":"This check ensures that Network DNS server has at least two connected DNS Endpoints.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network DNS server should have at least two connected DNS Endpoint","controlDescription":"This check ensures that Network DNS server has at least two connected DNS Endpoints.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}},"network_security_rule_http_access_restricted":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/network_security_rule_http_access_restricted","org":"turbot","name":"network_security_rule_http_access_restricted","sql":"$67","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/network.pp","startLineNumber":407,"endLineNumber":456,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.network_security_rule_http_access_restricted","org":"turbot","name":"network_security_rule_http_access_restricted","mod":"Terraform Azure Compliance","title":"Network Security Rules HTTP Services are restricted from the Internet","description":"Disable Internet exposed HTTP ports on network security rules.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}],"controlTitle":"Network Security Rules HTTP Services are restricted from the Internet","controlDescription":"Disable Internet exposed HTTP ports on network security rules.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Network"}}},"my_sql":{"mysql_ssl_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mysql_ssl_enabled","org":"turbot","name":"mysql_ssl_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'ssl_enforcement_enabled')::boolean then 'ok'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'ssl_enforcement_enabled')::boolean then ' SSL connection enabled'\n else ' SSL connection disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mysql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mysql.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_4_3_2","org":"turbot","name":"cis_v130_4_3_2","mod":"Azure Compliance","title":"4.3.2 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server","description":"Enable SSL connection on MYSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.3.2","cis_level":"1","cis_section_id":"4.3","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/MySQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_4_4_1","org":"turbot","name":"cis_v210_4_4_1","mod":"Azure Compliance","title":"4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server","description":"Enable SSL connection on MySQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.4.1","cis_level":"1","cis_section_id":"4.4","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/MySQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_4_4_1","org":"turbot","name":"cis_v200_4_4_1","mod":"Azure Compliance","title":"4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server","description":"Enable SSL connection on MySQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.4.1","cis_level":"1","cis_section_id":"4.4","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/MySQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_4_4_1","org":"turbot","name":"cis_v150_4_4_1","mod":"Azure Compliance","title":"4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server","description":"Enable SSL connection on MySQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.4.1","cis_level":"1","cis_section_id":"4.4","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/MySQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_4_4_1","org":"turbot","name":"cis_v140_4_4_1","mod":"Azure Compliance","title":"4.4.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server","description":"Enable SSL connection on MYSQL Servers.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.4.1","cis_level":"1","cis_section_id":"4.4","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/MySQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.mysql_ssl_enabled","org":"turbot","name":"mysql_ssl_enabled","mod":"Azure Compliance","title":"Enforce SSL connection should be enabled for MySQL database servers","description":"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/MySQL"}}],"controlTitle":"Enforce SSL connection should be enabled for MySQL database servers","controlDescription":"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"4.4.1","cis_level":"1","cis_section_id":"4.4","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/MySQL","fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true"}},"mysql_server_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mysql_server_public_network_access_disabled","org":"turbot","name":"mysql_server_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled')::boolean then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mysql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mysql.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.mysql_server_public_network_access_disabled","org":"turbot","name":"mysql_server_public_network_access_disabled","mod":"Azure Compliance","title":"Public network access should be disabled for MySQL servers","description":"Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/MySQL"}}],"controlTitle":"Public network access should be disabled for MySQL servers","controlDescription":"Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/MySQL"}},"mysql_server_min_tls_1_2":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mysql_server_min_tls_1_2","org":"turbot","name":"mysql_server_min_tls_1_2","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'ssl_minimal_tls_version_enforced') is null)\n or ((attributes_std ->> 'ssl_minimal_tls_version_enforced') = 'TLS1_2') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'ssl_minimal_tls_version_enforced') is null)\n or ((attributes_std ->> 'ssl_minimal_tls_version_enforced') = 'TLS1_2') then ' not using the latest version of TLS encryption'\n else ' using the latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mysql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mysql.pp","startLineNumber":121,"endLineNumber":142,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.mysql_server_min_tls_1_2","org":"turbot","name":"mysql_server_min_tls_1_2","mod":"Azure Compliance","title":"Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server","description":"Ensure TLS version on MySQL flexible servers is set to the default value.","tags":{"service":"Azure/MySQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_4_4_2","org":"turbot","name":"cis_v210_4_4_2","mod":"Azure Compliance","title":"4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server","description":"Ensure TLS version on MySQL flexible servers is set to use TLS version 1.2 or higher.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.4.2","cis_level":"1","cis_section_id":"4.4","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/MySQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_4_4_2","org":"turbot","name":"cis_v200_4_4_2","mod":"Azure Compliance","title":"4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server","description":"Ensure TLS version on MySQL flexible servers is set to the default value.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.4.2","cis_level":"1","cis_section_id":"4.4","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/MySQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_4_4_2","org":"turbot","name":"cis_v150_4_4_2","mod":"Azure Compliance","title":"4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server","description":"Ensure TLS version on MySQL flexible servers is set to the default value.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.4.2","cis_level":"1","cis_section_id":"4.4","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/MySQL"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_4_4_2","org":"turbot","name":"cis_v140_4_4_2","mod":"Azure Compliance","title":"4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server","description":"Ensure TLS version on MySQL flexible servers is set to the default value.","tags":{"category":"Compliance","cis":"true","cis_item_id":"4.4.2","cis_level":"1","cis_section_id":"4.4","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/MySQL"}}],"controlTitle":"Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server","controlDescription":"Ensure TLS version on MySQL flexible servers is set to the default value.","controlTags":{"service":"Azure/MySQL","category":"Compliance","cis":"true","cis_item_id":"4.4.2","cis_level":"1","cis_section_id":"4.4","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure"}},"mysql_server_infrastructure_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mysql_server_infrastructure_encryption_enabled","org":"turbot","name":"mysql_server_infrastructure_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'infrastructure_encryption_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'infrastructure_encryption_enabled')::boolean then ' infrastructure encryption enabled'\n else ' infrastructure encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mysql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mysql.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.mysql_server_infrastructure_encryption_enabled","org":"turbot","name":"mysql_server_infrastructure_encryption_enabled","mod":"Azure Compliance","title":"Infrastructure encryption should be enabled for Azure Database for MySQL servers","description":"Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/MySQL"}}],"controlTitle":"Infrastructure encryption should be enabled for Azure Database for MySQL servers","controlDescription":"Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/MySQL"}},"mysql_server_encrypted_at_rest_using_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mysql_server_encrypted_at_rest_using_cmk","org":"turbot","name":"mysql_server_encrypted_at_rest_using_cmk","sql":"with mysql_server as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_mysql_server'\n), server_keys as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_mysql_server_key'\n and (attributes_std -> 'key_vault_key_id') is not null\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'server_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'server_id') is not null then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n mysql_server as a\n left join server_keys as s on a.name = (split_part((s.attributes_std ->> 'server_id'), '.', 2));\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mysql.pp","startLineNumber":85,"endLineNumber":119,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.mysql_server_encrypted_at_rest_using_cmk","org":"turbot","name":"mysql_server_encrypted_at_rest_using_cmk","mod":"Azure Compliance","title":"MySQL servers should use customer-managed keys to encrypt data at rest","description":"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/MySQL"}}],"controlTitle":"MySQL servers should use customer-managed keys to encrypt data at rest","controlDescription":"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/MySQL"}},"mysql_db_server_geo_redundant_backup_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mysql_db_server_geo_redundant_backup_enabled","org":"turbot","name":"mysql_db_server_geo_redundant_backup_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'geo_redundant_backup_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'geo_redundant_backup_enabled')::boolean then ' Geo-redundant backup enabled'\n else ' Geo-redundant backup disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mysql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mysql.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.mysql_db_server_geo_redundant_backup_enabled","org":"turbot","name":"mysql_db_server_geo_redundant_backup_enabled","mod":"Azure Compliance","title":"Geo-redundant backup should be enabled for Azure Database for MySQL","description":"Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/MySQL"}}],"controlTitle":"Geo-redundant backup should be enabled for Azure Database for MySQL","controlDescription":"Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/MySQL"}},"mysql_server_threat_detection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mysql_server_threat_detection_enabled","org":"turbot","name":"mysql_server_threat_detection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'threat_detection_policy') is null then 'alarm'\n when (attributes_std -> 'threat_detection_policy' ->> 'enabled') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'threat_detection_policy') is null then ' threat detection policy not defined'\n when (attributes_std -> 'threat_detection_policy' ->> 'enabled') = 'true' then ' threat detection policy enabled'\n else ' threat detection policy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mysql_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mysql.pp","startLineNumber":144,"endLineNumber":165,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.mysql_server_threat_detection_enabled","org":"turbot","name":"mysql_server_threat_detection_enabled","mod":"Terraform Azure Compliance","title":"MySQL servers should have threat detection enabled","description":"Ensure MySQL server threat detection policy enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/MySQL"}}],"controlTitle":"MySQL servers should have threat detection enabled","controlDescription":"Ensure MySQL server threat detection policy enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/MySQL"}}},"monitor":{"monitor_log_profile_retention_365_days":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/monitor_log_profile_retention_365_days","org":"turbot","name":"monitor_log_profile_retention_365_days","sql":"$68","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/monitor.pp","startLineNumber":67,"endLineNumber":87,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_profile_retention_365_days","org":"turbot","name":"monitor_log_profile_retention_365_days","mod":"Azure Compliance","title":"Monitor log profiles should have retention set to 365 days or greater","description":"This control is non-compliant if Monitor log profile retention is set to less than 365 days.","tags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}}],"controlTitle":"Monitor log profiles should have retention set to 365 days or greater","controlDescription":"This control is non-compliant if Monitor log profile retention is set to less than 365 days.","controlTags":{"rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}},"monitor_log_profile_enabled_for_all_regions":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/monitor_log_profile_enabled_for_all_regions","org":"turbot","name":"monitor_log_profile_enabled_for_all_regions","sql":"$69","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/monitor.pp","startLineNumber":1,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_profile_enabled_for_all_regions","org":"turbot","name":"monitor_log_profile_enabled_for_all_regions","mod":"Azure Compliance","title":"Azure Monitor should collect activity logs from all regions","description":"This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global.","tags":{"hipaa_hitrust_v92":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}}],"controlTitle":"Azure Monitor should collect activity logs from all regions","controlDescription":"This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global.","controlTags":{"hipaa_hitrust_v92":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}},"monitor_log_profile_enabled_for_all_categories":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/monitor_log_profile_enabled_for_all_categories","org":"turbot","name":"monitor_log_profile_enabled_for_all_categories","sql":"select\n address as resource,\n case\n when (attributes_std -> 'categories') @> '[\"Write\", \"Action\", \"Delete\"]' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'categories') @> '[\"Write\", \"Action\", \"Delete\"]' then ' collects logs for categories write, delete and action'\n else ' does not collects logs for all categories.'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_monitor_log_profile';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/monitor.pp","startLineNumber":47,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.monitor_log_profile_enabled_for_all_categories","org":"turbot","name":"monitor_log_profile_enabled_for_all_categories","mod":"Azure Compliance","title":"Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'","description":"This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'.","tags":{"hipaa_hitrust_v92":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}}],"controlTitle":"Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'","controlDescription":"This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'.","controlTags":{"hipaa_hitrust_v92":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/Monitor"}},"monitor_logs_storage_container_not_public_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/monitor_logs_storage_container_not_public_accessible","org":"turbot","name":"monitor_logs_storage_container_not_public_accessible","sql":"select\n address as resource,\n case\n when (attributes_std -> 'container_access_type') is null then 'ok'\n when (attributes_std ->> 'container_access_type') ilike 'Private' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'container_access_type') is null then ' container insights-operational-logs storing activity logs not publicly accessible'\n when (attributes_std ->> 'container_access_type') ilike 'Private' then ' container insights-operational-logs storing activity logs not publicly accessible'\n else ' container insights-operational-logs storing activity logs publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_container'\n and (attributes_std ->> 'name') ilike 'insights-operational-logs';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/monitor.pp","startLineNumber":23,"endLineNumber":45,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.monitor_logs_storage_container_not_public_accessible","org":"turbot","name":"monitor_logs_storage_container_not_public_accessible","mod":"Terraform Azure Compliance","title":"Ensure the storage container storing the activity logs is not publicly accessible","description":"The storage account container containing the activity log export should not be publicly accessible.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/Monitor"}}],"controlTitle":"Ensure the storage container storing the activity logs is not publicly accessible","controlDescription":"The storage account container containing the activity log export should not be publicly accessible.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.3","cis_level":"1","cis_type":"automated","plugin":"terraform","service":"Azure/Monitor"}}},"maria_db":{"mariadb_server_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mariadb_server_public_network_access_disabled","org":"turbot","name":"mariadb_server_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'public_network_access_enabled') is null then 'alarm'\n when (attributes_std -> 'public_network_access_enabled')::bool then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'public_network_access_enabled') is null then ' public network access enabled'\n when (attributes_std -> 'public_network_access_enabled')::bool then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mariadb_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mariadb.pp","startLineNumber":24,"endLineNumber":45,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.mariadb_server_public_network_access_disabled","org":"turbot","name":"mariadb_server_public_network_access_disabled","mod":"Azure Compliance","title":"Public network access should be disabled for MariaDB servers","description":"Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/MariaDB"}}],"controlTitle":"Public network access should be disabled for MariaDB servers","controlDescription":"Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/MariaDB"}},"mariadb_server_geo_redundant_backup_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/mariadb_server_geo_redundant_backup_enabled","org":"turbot","name":"mariadb_server_geo_redundant_backup_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'geo_redundant_backup_enabled') is null then 'alarm'\n when (attributes_std -> 'geo_redundant_backup_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'geo_redundant_backup_enabled') is null then ' geo-redundant backup disabled'\n when (attributes_std -> 'geo_redundant_backup_enabled')::bool then ' geo-redundant backup enabled'\n else ' geo-redundant backup disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_mariadb_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mariadb.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.mariadb_server_geo_redundant_backup_enabled","org":"turbot","name":"mariadb_server_geo_redundant_backup_enabled","mod":"Azure Compliance","title":"Geo-redundant backup should be enabled for Azure Database for MariaDB","description":"Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/MariaDB"}}],"controlTitle":"Geo-redundant backup should be enabled for Azure Database for MariaDB","controlDescription":"Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/MariaDB"}}},"machine_learning":{"machine_learning_workspace_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/machine_learning_workspace_encrypted_with_cmk","org":"turbot","name":"machine_learning_workspace_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption') is null then ' not encrypted with CMK'\n else ' encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_machine_learning_workspace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/machinelearning.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.machine_learning_workspace_encrypted_with_cmk","org":"turbot","name":"machine_learning_workspace_encrypted_with_cmk","mod":"Azure Compliance","title":"Azure Machine Learning workspaces should be encrypted with a customer-managed key","description":"Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/MachineLearning"}}],"controlTitle":"Azure Machine Learning workspaces should be encrypted with a customer-managed key","controlDescription":"Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/MachineLearning"}},"machine_learning_compute_cluster_minimum_node_zero":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/machine_learning_compute_cluster_minimum_node_zero","org":"turbot","name":"machine_learning_compute_cluster_minimum_node_zero","sql":"select\n address as resource,\n case\n when (attributes_std -> 'scale_settings' ->> 'min_node_count')::int = 0 then 'ok'\n else 'alarm'\n end status,\n name || ' minimum node count set to ' || (attributes_std -> 'scale_settings' ->> 'min_node_count') || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_machine_learning_compute_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/machinelearning.pp","startLineNumber":43,"endLineNumber":59,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.machine_learning_compute_cluster_minimum_node_zero","org":"turbot","name":"machine_learning_compute_cluster_minimum_node_zero","mod":"Terraform Azure Compliance","title":"Machine Learning Compute Clusters minimum node count should be set to zero","description":"This control checks whether Machine Learning Compute Cluster minimum node count is set to zero. This control is non-complaint if Machine Learning Compute Cluster minimum node count is not set to zero.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/MachineLearning"}}],"controlTitle":"Machine Learning Compute Clusters minimum node count should be set to zero","controlDescription":"This control checks whether Machine Learning Compute Cluster minimum node count is set to zero. This control is non-complaint if Machine Learning Compute Cluster minimum node count is not set to zero.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/MachineLearning"}},"machine_learning_compute_cluster_local_auth_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/machine_learning_compute_cluster_local_auth_disabled","org":"turbot","name":"machine_learning_compute_cluster_local_auth_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'local_auth_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'local_auth_enabled') = 'false' then ' local authentication disabled'\n else ' local authentication enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_machine_learning_compute_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/machinelearning.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.machine_learning_compute_cluster_local_auth_disabled","org":"turbot","name":"machine_learning_compute_cluster_local_auth_disabled","mod":"Terraform Azure Compliance","title":"Machine Learning Compute Clusters local authentication should be disabled","description":"This control checks whether Machine Learning Compute Cluster local authentication is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/MachineLearning"}}],"controlTitle":"Machine Learning Compute Clusters local authentication should be disabled","controlDescription":"This control checks whether Machine Learning Compute Cluster local authentication is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/MachineLearning"}},"machine_learning_workspace_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/machine_learning_workspace_restrict_public_access","org":"turbot","name":"machine_learning_workspace_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_machine_learning_workspace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/machinelearning.pp","startLineNumber":61,"endLineNumber":80,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.machine_learning_workspace_restrict_public_access","org":"turbot","name":"machine_learning_workspace_restrict_public_access","mod":"Terraform Azure Compliance","title":"Machine Learning workspaces should restrict public access","description":"Disabling public network access improves security by ensuring that Machine Learning workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of Machine Learning workspace.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/MachineLearning"}}],"controlTitle":"Machine Learning workspaces should restrict public access","controlDescription":"Disabling public network access improves security by ensuring that Machine Learning workspace isn't exposed on the public internet. Creating private endpoints can limit exposure of Machine Learning workspace.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/MachineLearning"}}},"logic":{"logic_app_workflow_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/logic_app_workflow_logging_enabled","org":"turbot","name":"logic_app_workflow_logging_enabled","sql":"select\n address as resource,\n case\n when name in (select split_part((attributes_std ->> 'target_resource_id'), '.', 3) from terraform_resource where type = 'azurerm_monitor_diagnostic_setting' and split_part((attributes_std ->> 'target_resource_id'), '.', 2) = 'azurerm_logic_app_workflow')then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when name in (select split_part((attributes_std ->> 'target_resource_id'), '.', 3) from terraform_resource where type = 'azurerm_monitor_diagnostic_setting' and split_part((attributes_std ->> 'target_resource_id'), '.', 2) = 'azurerm_logic_app_workflow')then ' logging enabled'\n else ' logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_logic_app_workflow';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/logicapp.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.logic_app_workflow_logging_enabled","org":"turbot","name":"logic_app_workflow_logging_enabled","mod":"Azure Compliance","title":"Resource logs in Logic Apps should be enabled","description":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Logic"}}],"controlTitle":"Resource logs in Logic Apps should be enabled","controlDescription":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Logic"}}},"data_explorer":{"kusto_cluster_sku_with_sla":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kusto_cluster_sku_with_sla","org":"turbot","name":"kusto_cluster_sku_with_sla","sql":"select\n address as resource,\n case\n when (attributes_std -> 'sku' ->> 'name') in ('Dev(No SLA)_Standard_E2a_v4' , 'Dev(No SLA)_Standard_D11_v2') then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'sku' ->> 'name') in ('Dev(No SLA)_Standard_E2a_v4' , 'Dev(No SLA)_Standard_D11_v2') then ' using SKU tier without SLA'\n else ' using SKU tier with SLA'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kusto_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kusto.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.kusto_cluster_sku_with_sla","org":"turbot","name":"kusto_cluster_sku_with_sla","mod":"Azure Compliance","title":"Kusto clusters should use SKU with an SLA","description":"This control checks if Kusto clusters use SKU with an SLA. This control is considered non-compliant if Kusto clusters use SKUs without an SLA.","tags":{"service":"Azure/DataExplorer"}}],"controlTitle":"Kusto clusters should use SKU with an SLA","controlDescription":"This control checks if Kusto clusters use SKU with an SLA. This control is considered non-compliant if Kusto clusters use SKUs without an SLA.","controlTags":{"service":"Azure/DataExplorer"}},"kusto_cluster_encrypted_at_rest_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kusto_cluster_encrypted_at_rest_with_cmk","org":"turbot","name":"kusto_cluster_encrypted_at_rest_with_cmk","sql":"with kusto_clusters as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_kusto_cluster'\n), kusto_cluster_customer_managed_key as (\n select\n split_part((attributes_std ->> 'cluster_id'), '.', 2) as cluster_name\n from\n terraform_resource\n where\n type = 'azurerm_kusto_cluster_customer_managed_key'\n and (attributes_std ->> 'key_vault_id') is not null\n and (attributes_std ->> 'key_name') is not null\n and (attributes_std ->> 'key_version') is not null\n)\nselect\n address as resource,\n case\n when s.cluster_name is null then 'alarm'\n else 'ok'\n end as status,\n split_part(a.address, '.', 2) || case\n when s.cluster_name is null then ' logging disabled'\n else ' logging enabled'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n kusto_clusters as a\n left join kusto_cluster_customer_managed_key as s on a.name = s.cluster_name;\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kusto.pp","startLineNumber":1,"endLineNumber":37,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.kusto_cluster_encrypted_at_rest_with_cmk","org":"turbot","name":"kusto_cluster_encrypted_at_rest_with_cmk","mod":"Azure Compliance","title":"Azure Data Explorer encryption at rest should use a customer-managed key","description":"Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/DataExplorer"}}],"controlTitle":"Azure Data Explorer encryption at rest should use a customer-managed key","controlDescription":"Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/DataExplorer"}},"kusto_cluster_double_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kusto_cluster_double_encryption_enabled","org":"turbot","name":"kusto_cluster_double_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'double_encryption_enabled') is null then 'alarm'\n when (attributes_std ->> 'double_encryption_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'double_encryption_enabled') is null then ' ''double_encryption_enabled'' not set'\n when (attributes_std ->> 'double_encryption_enabled')::boolean then ' double encryption enabled'\n else ' double encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kusto_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kusto.pp","startLineNumber":39,"endLineNumber":60,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.kusto_cluster_double_encryption_enabled","org":"turbot","name":"kusto_cluster_double_encryption_enabled","mod":"Azure Compliance","title":"Double encryption should be enabled on Azure Data Explorer","description":"Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/DataExplorer"}}],"controlTitle":"Double encryption should be enabled on Azure Data Explorer","controlDescription":"Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/DataExplorer"}},"kusto_cluster_disk_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kusto_cluster_disk_encryption_enabled","org":"turbot","name":"kusto_cluster_disk_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'disk_encryption_enabled') is null then 'alarm'\n when (attributes_std ->> 'disk_encryption_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'disk_encryption_enabled') is null then ' ''disk_encryption_enabled'' not set'\n when (attributes_std ->> 'disk_encryption_enabled')::boolean then ' disk encryption enabled'\n else ' disk encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kusto_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kusto.pp","startLineNumber":62,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.kusto_cluster_disk_encryption_enabled","org":"turbot","name":"kusto_cluster_disk_encryption_enabled","mod":"Azure Compliance","title":"Disk encryption should be enabled on Azure Data Explorer","description":"Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/DataExplorer"}}],"controlTitle":"Disk encryption should be enabled on Azure Data Explorer","controlDescription":"Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/DataExplorer"}},"kusto_cluster_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kusto_cluster_uses_managed_identity","org":"turbot","name":"kusto_cluster_uses_managed_identity","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity') is null then ' ''identity'' is not defined'\n else ' uses ' || (attributes_std -> 'identity' ->> 'type') || ' identity'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kusto_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kusto.pp","startLineNumber":106,"endLineNumber":125,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kusto_cluster_uses_managed_identity","org":"turbot","name":"kusto_cluster_uses_managed_identity","mod":"Terraform Azure Compliance","title":"Kusto clusters should use managed identities","description":"Use a managed identity for enhanced authentication security.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/DataExplorer"}}],"controlTitle":"Kusto clusters should use managed identities","controlDescription":"Use a managed identity for enhanced authentication security.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/DataExplorer"}}},"kubernetes_service":{"kubernetes_instance_rbac_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_instance_rbac_enabled","org":"turbot","name":"kubernetes_instance_rbac_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'role_based_access_control') is null then 'alarm'\n when (attributes_std -> 'role_based_access_control' -> 'azure_active_directory' -> 'azure_rbac_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'role_based_access_control') is null then ' ''role_based_access_control'' not defined'\n when (attributes_std -> 'role_based_access_control' -> 'azure_active_directory' -> 'azure_rbac_enabled')::boolean then ' role based access control enabled'\n else ' role based access control disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":89,"endLineNumber":110,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.kubernetes_instance_rbac_enabled","org":"turbot","name":"kubernetes_instance_rbac_enabled","mod":"Azure Compliance","title":"Role-Based Access Control (RBAC) should be used on Kubernetes Services","description":"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.","tags":{"hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","service":"Azure/KubernetesService"}}],"controlTitle":"Role-Based Access Control (RBAC) should be used on Kubernetes Services","controlDescription":"To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies.","controlTags":{"hipaa_hitrust_v92":"true","nist_sp_800_53_rev_5":"true","service":"Azure/KubernetesService"}},"kubernetes_cluster_upgrade_channel":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_upgrade_channel","org":"turbot","name":"kubernetes_cluster_upgrade_channel","sql":"select\n address as resource,\n case\n when (attributes_std -> 'automatic_channel_upgrade') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'automatic_channel_upgrade') is null then ' upgrade channel not configured'\n else ' upgrade channel configured'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":306,"endLineNumber":325,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.kubernetes_cluster_upgrade_channel","org":"turbot","name":"kubernetes_cluster_upgrade_channel","mod":"Azure Compliance","title":"Kubernetes clusters upgrade channel should be configured","description":"Ensure Kubernetes clusters upgrade channel is configured. This control is non-compliant if Kubernetes clusters upgrade channel is set to none.","tags":{"service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters upgrade channel should be configured","controlDescription":"Ensure Kubernetes clusters upgrade channel is configured. This control is non-compliant if Kubernetes clusters upgrade channel is set to none.","controlTags":{"service":"Azure/KubernetesService"}},"kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host","org":"turbot","name":"kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host","sql":"select\n address as resource,\n case\n when (attributes_std -> 'default_node_pool' ->> 'enable_host_encryption')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'default_node_pool' ->> 'enable_host_encryption')::boolean then ' encrypted at host'\n else ' not encrypted at host'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host","org":"turbot","name":"kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host","mod":"Azure Compliance","title":"Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host","description":"To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/KubernetesService"}}],"controlTitle":"Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host","controlDescription":"To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/KubernetesService"}},"kubernetes_cluster_sku_standard":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_sku_standard","org":"turbot","name":"kubernetes_cluster_sku_standard","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku_tier') = 'Standard' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku_tier') = 'Standard' then ' uses standard SKU tier'\n else ' uses free SKU tier'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":153,"endLineNumber":172,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.kubernetes_cluster_sku_standard","org":"turbot","name":"kubernetes_cluster_sku_standard","mod":"Azure Compliance","title":"Kubernetes clusters should use standard SKU","description":"Ensure that Kubernetes clusters uses standard SKU tier for production workloads. This control is non-compliant if App Configuration does not use standard SKU.","tags":{"service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters should use standard SKU","controlDescription":"Ensure that Kubernetes clusters uses standard SKU tier for production workloads. This control is non-compliant if App Configuration does not use standard SKU.","controlTags":{"service":"Azure/KubernetesService"}},"kubernetes_cluster_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_restrict_public_access","org":"turbot","name":"kubernetes_cluster_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'private_cluster_enabled') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'private_cluster_enabled') = 'true' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":132,"endLineNumber":151,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.kubernetes_cluster_restrict_public_access","org":"turbot","name":"kubernetes_cluster_restrict_public_access","mod":"Azure Compliance","title":"Kubernetes cluster should restrict public access","description":"Ensure that Kubernetes cluster enables private clusters to restrict public access.","tags":{"service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes cluster should restrict public access","controlDescription":"Ensure that Kubernetes cluster enables private clusters to restrict public access.","controlTags":{"service":"Azure/KubernetesService"}},"kubernetes_cluster_os_and_data_disks_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_os_and_data_disks_encrypted_with_cmk","org":"turbot","name":"kubernetes_cluster_os_and_data_disks_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'disk_encryption_set_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'disk_encryption_set_id') is null then ' os and data diska not encrypted with CMK'\n else ' os and data diska encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.kubernetes_cluster_os_and_data_disks_encrypted_with_cmk","org":"turbot","name":"kubernetes_cluster_os_and_data_disks_encrypted_with_cmk","mod":"Azure Compliance","title":"Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys","description":"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/KubernetesService"}}],"controlTitle":"Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys","controlDescription":"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/KubernetesService"}},"kubernetes_cluster_node_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_node_restrict_public_access","org":"turbot","name":"kubernetes_cluster_node_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'default_node_pool' ->> 'enable_node_public_ip') = 'true' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'default_node_pool' ->> 'enable_node_public_ip') = 'true' then ' has public node'\n else ' has no public node'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":264,"endLineNumber":283,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.kubernetes_cluster_node_restrict_public_access","org":"turbot","name":"kubernetes_cluster_node_restrict_public_access","mod":"Azure Compliance","title":"Kubernetes cluster nodes should prohibit public access","description":"Ensure Kubernetes cluster nodes do not have public IP addresses. This control is non-compliant if Kubernetes cluster nodes have a public IP address assigned.","tags":{"service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes cluster nodes should prohibit public access","controlDescription":"Ensure Kubernetes cluster nodes do not have public IP addresses. This control is non-compliant if Kubernetes cluster nodes have a public IP address assigned.","controlTags":{"service":"Azure/KubernetesService"}},"kubernetes_cluster_network_policy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_network_policy_enabled","org":"turbot","name":"kubernetes_cluster_network_policy_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'network_profile' -> 'network_policy') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'network_profile' -> 'network_policy') is not null then ' network policy enabled'\n else ' network policy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":243,"endLineNumber":262,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.kubernetes_cluster_network_policy_enabled","org":"turbot","name":"kubernetes_cluster_network_policy_enabled","mod":"Azure Compliance","title":"Kubernetes clusters should have network policy enabled","description":"This control checks if network policy is enabled for Kubernetes cluster.","tags":{"service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters should have network policy enabled","controlDescription":"This control checks if network policy is enabled for Kubernetes cluster.","controlTags":{"service":"Azure/KubernetesService"}},"kubernetes_cluster_max_pod_50":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_max_pod_50","org":"turbot","name":"kubernetes_cluster_max_pod_50","sql":"$6a","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":195,"endLineNumber":220,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.kubernetes_cluster_max_pod_50","org":"turbot","name":"kubernetes_cluster_max_pod_50","mod":"Azure Compliance","title":"Kubernetes clusters should use a minimum number of 50 pods","description":"This control checks if Kubernetes clusters is using a minimum number of 50 pods.","tags":{"service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters should use a minimum number of 50 pods","controlDescription":"This control checks if Kubernetes clusters is using a minimum number of 50 pods.","controlTags":{"service":"Azure/KubernetesService"}},"kubernetes_cluster_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_logging_enabled","org":"turbot","name":"kubernetes_cluster_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'oms_agent' -> 'log_analytics_workspace_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'oms_agent' -> 'log_analytics_workspace_id') is not null then ' logging enabled'\n else ' logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":222,"endLineNumber":241,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.kubernetes_cluster_logging_enabled","org":"turbot","name":"kubernetes_cluster_logging_enabled","mod":"Azure Compliance","title":"Kubernetes clusters should have logging enabled","description":"This control checks if OMS agent is enabled for Kubernetes cluster.","tags":{"service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters should have logging enabled","controlDescription":"This control checks if OMS agent is enabled for Kubernetes cluster.","controlTags":{"service":"Azure/KubernetesService"}},"kubernetes_cluster_key_vault_secret_rotation_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_key_vault_secret_rotation_enabled","org":"turbot","name":"kubernetes_cluster_key_vault_secret_rotation_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'key_vault_secrets_provider' ->> 'secret_rotation_enabled') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'key_vault_secrets_provider' ->> 'secret_rotation_enabled') = 'true' then ' key vault secret rotation enabled'\n else ' key vault secret rotation disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":285,"endLineNumber":304,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.kubernetes_cluster_key_vault_secret_rotation_enabled","org":"turbot","name":"kubernetes_cluster_key_vault_secret_rotation_enabled","mod":"Azure Compliance","title":"Kubernetes clusters key vault secret rotation should be enabled","description":"This control checks if key vault secret rotation should is enabled for Kubernetes cluster.","tags":{"service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters key vault secret rotation should be enabled","controlDescription":"This control checks if key vault secret rotation should is enabled for Kubernetes cluster.","controlTags":{"service":"Azure/KubernetesService"}},"kubernetes_cluster_authorized_ip_range_defined":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_authorized_ip_range_defined","org":"turbot","name":"kubernetes_cluster_authorized_ip_range_defined","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'private_cluster_enabled') = 'true' then 'ok'\n when (jsonb_array_length(attributes_std -> 'api_server_authorized_ip_ranges') > 0) or (jsonb_array_length(attributes_std -> 'api_server_access_profile' -> 'authorized_ip_ranges') > 0) then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'private_cluster_enabled') = 'true' then ' is private cluster'\n when (jsonb_array_length(attributes_std -> 'api_server_authorized_ip_ranges') > 0) or (jsonb_array_length(attributes_std -> 'api_server_access_profile' -> 'authorized_ip_ranges') > 0 ) then ' authorized IP ranges defined'\n else ' authorized IP ranges not defined'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":43,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.kubernetes_cluster_authorized_ip_range_defined","org":"turbot","name":"kubernetes_cluster_authorized_ip_range_defined","mod":"Azure Compliance","title":"Authorized IP ranges should be defined on Kubernetes Services","description":"ARestrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/KubernetesService"}}],"controlTitle":"Authorized IP ranges should be defined on Kubernetes Services","controlDescription":"ARestrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/KubernetesService"}},"kubernetes_cluster_add_on_azure_policy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_add_on_azure_policy_enabled","org":"turbot","name":"kubernetes_cluster_add_on_azure_policy_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'addon_profile') is null then 'alarm'\n when (attributes_std -> 'addon_profile' -> 'azure_policy' ->>'enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'addon_profile') is null then ' ''addon_profile'' not defined'\n when (attributes_std -> 'addon_profile' -> 'azure_policy' ->>'enabled')::boolean then ' add on azure policy enabled'\n else ' add on azure policy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":66,"endLineNumber":87,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.kubernetes_cluster_add_on_azure_policy_enabled","org":"turbot","name":"kubernetes_cluster_add_on_azure_policy_enabled","mod":"Azure Compliance","title":"Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters","description":"Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/KubernetesService"}}],"controlTitle":"Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters","controlDescription":"Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/KubernetesService"}},"kubernetes_cluster_node_pool_type_scale_set":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_node_pool_type_scale_set","org":"turbot","name":"kubernetes_cluster_node_pool_type_scale_set","sql":"select\n address as resource,\n case\n when (attributes_std -> 'default_node_pool' ->> 'type') = 'AvailabilitySet' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'default_node_pool' ->> 'type') = 'AvailabilitySet' then ' is using AvailabilitySet node type'\n else ' is using VirtualMachineScaleSets node type'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":327,"endLineNumber":346,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_node_pool_type_scale_set","org":"turbot","name":"kubernetes_cluster_node_pool_type_scale_set","mod":"Terraform Azure Compliance","title":"Kubernetes clusters should use scale sets type nodes","description":"Ensure Kubernetes clusters uses scale sets type nodes. This control is non-compliant if Kubernetes clusters do not use scale sets type nodes.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters should use scale sets type nodes","controlDescription":"Ensure Kubernetes clusters uses scale sets type nodes. This control is non-compliant if Kubernetes clusters do not use scale sets type nodes.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_local_admin_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_local_admin_disabled","org":"turbot","name":"kubernetes_cluster_local_admin_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'local_account_disabled') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'local_account_disabled') = 'true' then ' local account disabled'\n else ' local account enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":174,"endLineNumber":193,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_local_admin_disabled","org":"turbot","name":"kubernetes_cluster_local_admin_disabled","mod":"Terraform Azure Compliance","title":"Kubernetes clusters local admin should be disabled","description":"Ensure that Kubernetes cluster local admin is disabled. This control is non-compliant if Kubernetes cluster local admin is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters local admin should be disabled","controlDescription":"Ensure that Kubernetes cluster local admin is disabled. This control is non-compliant if Kubernetes cluster local admin is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_os_disk_ephemeral":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_os_disk_ephemeral","org":"turbot","name":"kubernetes_cluster_os_disk_ephemeral","sql":"select\n address as resource,\n case\n when (attributes_std -> 'default_node_pool' ->> 'os_disk_type') = 'Ephemeral' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'default_node_pool' ->> 'os_disk_type') = 'Ephemeral' then ' use ephemeral OS disks'\n else ' does not use ephemeral OS disks'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":348,"endLineNumber":367,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_os_disk_ephemeral","org":"turbot","name":"kubernetes_cluster_os_disk_ephemeral","mod":"Terraform Azure Compliance","title":"Kubernetes clusters should use type ephemeral OS disk","description":"Ensure Kubernetes clusters use ephemeral type OS disk. This control is non-compliant if Kubernetes clusters do not use ephemeral type OS disk.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters should use type ephemeral OS disk","controlDescription":"Ensure Kubernetes clusters use ephemeral type OS disk. This control is non-compliant if Kubernetes clusters do not use ephemeral type OS disk.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_cluster_critical_pods_on_system_nodes":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_cluster_critical_pods_on_system_nodes","org":"turbot","name":"kubernetes_cluster_critical_pods_on_system_nodes","sql":"select\n address as resource,\n case\n when (attributes_std -> 'default_node_pool' ->> 'only_critical_addons_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'default_node_pool' ->> 'only_critical_addons_enabled')::bool then ' critical addons enabled'\n else ' critical addons disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_kubernetes_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":369,"endLineNumber":388,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_cluster_critical_pods_on_system_nodes","org":"turbot","name":"kubernetes_cluster_critical_pods_on_system_nodes","mod":"Terraform Azure Compliance","title":"Kubernetes clusters only critical system pods should run on system nodes","description":"Ensure that only critical system pods runs on system node in Kubernetes clusters.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Kubernetes clusters only critical system pods should run on system nodes","controlDescription":"Ensure that only critical system pods runs on system node in Kubernetes clusters.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/KubernetesService"}},"kubernetes_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/kubernetes_azure_defender_enabled","org":"turbot","name":"kubernetes_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'KubernetesService' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'info'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'KubernetesService' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for KubernetesService'\n else ' Azure Defender off for KubernetesService'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kubernetes.pp","startLineNumber":112,"endLineNumber":130,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.kubernetes_azure_defender_enabled","org":"turbot","name":"kubernetes_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for Kubernetes should be enabled","description":"Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KubernetesService"}}],"controlTitle":"Azure Defender for Kubernetes should be enabled","controlDescription":"Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KubernetesService"}}},"key_vault":{"keyvault_vault_use_virtual_service_endpoint":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_vault_use_virtual_service_endpoint","org":"turbot","name":"keyvault_vault_use_virtual_service_endpoint","sql":"with key_vaults as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_key_vault'\n), key_vaults_subnet as (\n select\n distinct address\n from\n key_vaults as a,\n jsonb_array_elements(attributes_std -> 'network_acls' -> 'virtual_network_subnet_ids') as id\n)\nselect\n a.address as resource,\n case\n when (attributes_std -> 'network_acls' ->> 'default_action')::text <> 'Deny' then 'alarm'\n when s.address is null then 'alarm'\n else 'ok'\n end as status,\n split_part(a.address, '.', 2) || case\n when (attributes_std -> 'network_rule_set' ->> 'default_action')::text <> 'Deny' then ' not configured with virtual service endpoint'\n when s.address is null then ' not configured with virtual service endpoint'\n else ' configured with virtual service endpoint'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n key_vaults as a\n left join key_vaults_subnet as s on a.address = s.address;\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":1,"endLineNumber":35,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.keyvault_vault_use_virtual_service_endpoint","org":"turbot","name":"keyvault_vault_use_virtual_service_endpoint","mod":"Azure Compliance","title":"Key Vault should use a virtual network service endpoint","description":"This policy audits any Key Vault not configured to use a virtual network service endpoint.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/KeyVault"}}],"controlTitle":"Key Vault should use a virtual network service endpoint","controlDescription":"This policy audits any Key Vault not configured to use a virtual network service endpoint.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/KeyVault"}},"keyvault_vault_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_vault_public_network_access_disabled","org":"turbot","name":"keyvault_vault_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'network_acls') is null then 'alarm'\n when (attributes_std -> 'network_acls' ->> 'default_action')::text != 'Deny' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'network_acls') is null then ' ''network_acls'' not set'\n when (attributes_std -> 'network_acls' ->> 'default_action')::text != 'Deny' then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_key_vault';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":178,"endLineNumber":199,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.keyvault_vault_public_network_access_disabled","org":"turbot","name":"keyvault_vault_public_network_access_disabled","mod":"Azure Compliance","title":"Azure Key Vault should disable public network access","description":"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks.","tags":{"service":"Azure/KeyVault"}}],"controlTitle":"Azure Key Vault should disable public network access","controlDescription":"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks.","controlTags":{"service":"Azure/KeyVault"}},"keyvault_secret_expiration_set":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_secret_expiration_set","org":"turbot","name":"keyvault_secret_expiration_set","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'expiration_date') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'expiration_date') is null then ' expiration_date not set'\n else ' expiration_date is set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_key_vault_secret';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":242,"endLineNumber":261,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_8_2","org":"turbot","name":"cis_v130_8_2","mod":"Azure Compliance","title":"8.2 Ensure that the expiration date is set on all Secrets","description":"Ensure that all Secrets in the Azure Key Vault have an expiration time set.","tags":{"category":"Compliance","cis":"true","cis_item_id":"8.2","cis_level":"1","cis_section_id":"8","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/KeyVault"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.keyvault_secret_expiration_set","org":"turbot","name":"keyvault_secret_expiration_set","mod":"Azure Compliance","title":"Key Vault secrets should have an expiration date","description":"Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/KeyVault"}}],"controlTitle":"Key Vault secrets should have an expiration date","controlDescription":"Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"8.2","cis_level":"1","cis_section_id":"8","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/KeyVault","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true"}},"keyvault_purge_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_purge_protection_enabled","org":"turbot","name":"keyvault_purge_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'purge_protection_enabled') is null then 'alarm'\n when (attributes_std ->> 'purge_protection_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'purge_protection_enabled') is null then ' ''purge_protection_enabled'' not set'\n when (attributes_std ->> 'purge_protection_enabled')::boolean then ' purge protection enabled'\n else ' purge protection disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_key_vault';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":155,"endLineNumber":176,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.keyvault_purge_protection_enabled","org":"turbot","name":"keyvault_purge_protection_enabled","mod":"Azure Compliance","title":"Key vaults should have deletion protection enabled","description":"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/KeyVault"}}],"controlTitle":"Key vaults should have deletion protection enabled","controlDescription":"Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/KeyVault"}},"keyvault_managed_hms_purge_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_managed_hms_purge_protection_enabled","org":"turbot","name":"keyvault_managed_hms_purge_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'purge_protection_enabled') is null then 'alarm'\n when (attributes_std ->> 'purge_protection_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'purge_protection_enabled') is null then ' ''purge_protection_enabled'' not set'\n when (attributes_std ->> 'purge_protection_enabled')::boolean then ' purge protection enabled'\n else ' purge protection disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_key_vault_managed_hardware_security_module';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":84,"endLineNumber":105,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.keyvault_managed_hms_purge_protection_enabled","org":"turbot","name":"keyvault_managed_hms_purge_protection_enabled","mod":"Azure Compliance","title":"Azure Key Vault Managed HSM should have purge protection enabled","description":"Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/KeyVault"}}],"controlTitle":"Azure Key Vault Managed HSM should have purge protection enabled","controlDescription":"Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/KeyVault"}},"keyvault_managed_hms_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_managed_hms_logging_enabled","org":"turbot","name":"keyvault_managed_hms_logging_enabled","sql":"$6b","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":37,"endLineNumber":82,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.keyvault_managed_hms_logging_enabled","org":"turbot","name":"keyvault_managed_hms_logging_enabled","mod":"Azure Compliance","title":"Resource logs in Azure Key Vault Managed HSM should be enabled","description":"To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/KeyVault"}}],"controlTitle":"Resource logs in Azure Key Vault Managed HSM should be enabled","controlDescription":"To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/KeyVault"}},"keyvault_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_logging_enabled","org":"turbot","name":"keyvault_logging_enabled","sql":"$6c","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":107,"endLineNumber":153,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_5_1_4","org":"turbot","name":"cis_v210_5_1_4","mod":"Azure Compliance","title":"5.1.4 Ensure that logging for Azure Key Vault is 'Enabled'","description":"Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.4","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/KeyVault"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_5_1_5","org":"turbot","name":"cis_v200_5_1_5","mod":"Azure Compliance","title":"5.1.5 Ensure that logging for Azure Key Vault is 'Enabled'","description":"Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.5","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/KeyVault"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_5_1_5","org":"turbot","name":"cis_v150_5_1_5","mod":"Azure Compliance","title":"5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'","description":"Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.5","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/KeyVault"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_5_1_5","org":"turbot","name":"cis_v140_5_1_5","mod":"Azure Compliance","title":"5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'","description":"Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.5","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/KeyVault"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_5_1_5","org":"turbot","name":"cis_v130_5_1_5","mod":"Azure Compliance","title":"5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'","description":"Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.","tags":{"category":"Compliance","cis":"true","cis_item_id":"5.1.5","cis_level":"1","cis_section_id":"5.1","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/KeyVault"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_6_1_4","org":"turbot","name":"cis_v300_6_1_4","mod":"Azure Compliance","title":"6.1.4 Ensure that logging for Azure Key Vault is 'Enabled'","description":"Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.1.4","cis_level":"1","cis_section_id":"6.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/KeyVault"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.keyvault_logging_enabled","org":"turbot","name":"keyvault_logging_enabled","mod":"Azure Compliance","title":"Resource logs in Key Vault should be enabled","description":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/KeyVault"}}],"controlTitle":"Resource logs in Key Vault should be enabled","controlDescription":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.1.4","cis_level":"1","cis_section_id":"6.1","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/KeyVault","fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true"}},"keyvault_key_expiration_set":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_key_expiration_set","org":"turbot","name":"keyvault_key_expiration_set","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'expiration_date') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'expiration_date') is null then ' expiration_date not set'\n else ' expiration_date is set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_key_vault_key';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":201,"endLineNumber":220,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_8_1","org":"turbot","name":"cis_v130_8_1","mod":"Azure Compliance","title":"8.1 Ensure that the expiration date is set on all keys","description":"Ensure that all keys in Azure Key Vault have an expiration time set.","tags":{"category":"Compliance","cis":"true","cis_item_id":"8.1","cis_level":"1","cis_section_id":"8","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/KeyVault"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.keyvault_key_expiration_set","org":"turbot","name":"keyvault_key_expiration_set","mod":"Azure Compliance","title":"Key Vault keys should have an expiration date","description":"Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/KeyVault"}}],"controlTitle":"Key Vault keys should have an expiration date","controlDescription":"Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"8.1","cis_level":"1","cis_section_id":"8","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/KeyVault","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true"}},"keyvault_secret_content_type_set":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_secret_content_type_set","org":"turbot","name":"keyvault_secret_content_type_set","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'content_type') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'content_type') is null then ' content type not set'\n else ' content type is set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_key_vault_secret';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":263,"endLineNumber":282,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.keyvault_secret_content_type_set","org":"turbot","name":"keyvault_secret_content_type_set","mod":"Terraform Azure Compliance","title":"Key Vault secrets should have a content type","description":"Secrets should have a defined content type. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set content types on secrets.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/KeyVault"}}],"controlTitle":"Key Vault secrets should have a content type","controlDescription":"Secrets should have a defined content type. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set content types on secrets.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/KeyVault"}},"keyvault_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/keyvault_azure_defender_enabled","org":"turbot","name":"keyvault_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'KeyVaults' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'info'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'KeyVaults' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for KeyVaults'\n else ' Azure Defender off for KeyVaults'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/keyvault.pp","startLineNumber":222,"endLineNumber":240,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.keyvault_azure_defender_enabled","org":"turbot","name":"keyvault_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for Key Vault should be enabled","description":"Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KeyVault"}}],"controlTitle":"Azure Defender for Key Vault should be enabled","controlDescription":"Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/KeyVault"}}},"io_t_hub":{"iot_hub_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/iot_hub_logging_enabled","org":"turbot","name":"iot_hub_logging_enabled","sql":"select\n address as resource,\n case\n when name in (select split_part((attributes_std ->> 'target_resource_id'), '.', 3) from terraform_resource where type = 'azurerm_monitor_diagnostic_setting' and split_part((attributes_std ->> 'target_resource_id'), '.', 2) = 'azurerm_iothub')then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when name in (select split_part((attributes_std ->> 'target_resource_id'), '.', 3) from terraform_resource where type = 'azurerm_monitor_diagnostic_setting' and split_part((attributes_std ->> 'target_resource_id'), '.', 2) = 'azurerm_iothub')then ' logging enabled'\n else ' logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_iothub';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iot.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.iot_hub_logging_enabled","org":"turbot","name":"iot_hub_logging_enabled","mod":"Azure Compliance","title":"Resource logs in IoT Hub should be enabled","description":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/IoTHub"}}],"controlTitle":"Resource logs in IoT Hub should be enabled","controlDescription":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/IoTHub"}},"iot_hub_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/iot_hub_restrict_public_access","org":"turbot","name":"iot_hub_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'public_network_access_enabled') is null then 'alarm'\n when (attributes_std ->> 'public_network_access_enabled') = 'true' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'public_network_access_enabled') is null then ' public network access not defined'\n when (attributes_std ->> 'public_network_access_enabled') = 'true' then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_iothub';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iot.pp","startLineNumber":22,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.iot_hub_restrict_public_access","org":"turbot","name":"iot_hub_restrict_public_access","mod":"Terraform Azure Compliance","title":"IoT Hubs should disable public network access","description":"Disabling public network access improves security by ensuring that IoT Hub isn't exposed on the public internet. Creating private endpoints can limit exposure of IoT Hub.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/IoTHub"}}],"controlTitle":"IoT Hubs should disable public network access","controlDescription":"Disabling public network access improves security by ensuring that IoT Hub isn't exposed on the public internet. Creating private endpoints can limit exposure of IoT Hub.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/IoTHub"}}},"active_directory":{"iam_no_custom_subscription_owner_roles_created":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/iam_no_custom_subscription_owner_roles_created","org":"turbot","name":"iam_no_custom_subscription_owner_roles_created","sql":"select\n address as resource,\n case\n when (attributes_std -> 'permissions' -> 'actions') @> '[\"*\"]' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'permissions' -> 'actions') @> '[\"*\"]' then 'has custom owner roles'\n else ' does not have custom owner roles'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_role_definition';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/iam.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_1_20","org":"turbot","name":"cis_v140_1_20","mod":"Azure Compliance","title":"1.20 Ensure that no custom subscription owner roles are created","description":"Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.","tags":{"category":"Compliance","cis":"true","cis_item_id":"1.20","cis_level":"2","cis_section_id":"1","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/ActiveDirectory"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_1_21","org":"turbot","name":"cis_v130_1_21","mod":"Azure Compliance","title":"1.21 Ensure that no custom subscription owner roles are created","description":"Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.","tags":{"category":"Compliance","cis":"true","cis_item_id":"1.21","cis_level":"2","cis_section_id":"1","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/ActiveDirectory"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_1_22","org":"turbot","name":"cis_v210_1_22","mod":"Azure Compliance","title":"1.22 Ensure That No Custom Subscription Administrator Roles Exist","description":"The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.","tags":{"category":"Compliance","cis":"true","cis_item_id":"1.22","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/ActiveDirectory"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_1_23","org":"turbot","name":"cis_v200_1_23","mod":"Azure Compliance","title":"1.23 Ensure That No Custom Subscription Administrator Roles Exist","description":"The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.","tags":{"category":"Compliance","cis":"true","cis_item_id":"1.23","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/ActiveDirectory"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_1_23","org":"turbot","name":"cis_v150_1_23","mod":"Azure Compliance","title":"1.23 Ensure That No Custom Subscription Owner Roles Are Created","description":"Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.","tags":{"category":"Compliance","cis":"true","cis_item_id":"1.23","cis_level":"1","cis_section_id":"1","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/ActiveDirectory"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_2_23","org":"turbot","name":"cis_v300_2_23","mod":"Azure Compliance","title":"2.23 Ensure That No Custom Subscription Administrator Roles Exist","description":"The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.","tags":{"category":"Compliance","cis":"true","cis_item_id":"2.23","cis_level":"1","cis_section_id":"2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/ActiveDirectory"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.iam_no_custom_subscription_owner_roles_created","org":"turbot","name":"iam_no_custom_subscription_owner_roles_created","mod":"Azure Compliance","title":"Ensure that no Custom Subscription Administrator roles exist","description":"The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.","tags":{"service":"Azure/ActiveDirectory"}}],"controlTitle":"Ensure that no Custom Subscription Administrator roles exist","controlDescription":"The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"2.23","cis_level":"1","cis_section_id":"2","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/ActiveDirectory"}}},"healthcare_ap_is":{"healthcare_fhir_azure_api_encrypted_at_rest_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/healthcare_fhir_azure_api_encrypted_at_rest_with_cmk","org":"turbot","name":"healthcare_fhir_azure_api_encrypted_at_rest_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cosmosdb_key_vault_key_versionless_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cosmosdb_key_vault_key_versionless_id') is null then ' not encrypted with CMK'\n else ' encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_healthcare_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/healthcare.pp","startLineNumber":24,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.healthcare_fhir_azure_api_encrypted_at_rest_with_cmk","org":"turbot","name":"healthcare_fhir_azure_api_encrypted_at_rest_with_cmk","mod":"Azure Compliance","title":"Azure API for FHIR should use a customer-managed key to encrypt data at rest","description":"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/HealthcareAPIs"}}],"controlTitle":"Azure API for FHIR should use a customer-managed key to encrypt data at rest","controlDescription":"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/HealthcareAPIs"}},"healthcare_fhir_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/healthcare_fhir_public_network_access_disabled","org":"turbot","name":"healthcare_fhir_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'public_network_access_enabled') is null then 'alarm'\n when (attributes_std -> 'public_network_access_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'public_network_access_enabled') is null then ' public access enabled'\n when (attributes_std -> 'public_network_access_enabled')::bool then ' public access disabled'\n else ' public access enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_healthcare_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/healthcare.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.healthcare_fhir_public_network_access_disabled","org":"turbot","name":"healthcare_fhir_public_network_access_disabled","mod":"Terraform Azure Compliance","title":"Azure API for FHIR should disable public network access","description":"Disabling public network access improves security by ensuring that Healthcare API isn't exposed on the public internet. Creating private endpoints can limit exposure of Healthcare APIs.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/HealthcareAPIs"}}],"controlTitle":"Azure API for FHIR should disable public network access","controlDescription":"Disabling public network access improves security by ensuring that Healthcare API isn't exposed on the public internet. Creating private endpoints can limit exposure of Healthcare APIs.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/HealthcareAPIs"}}},"front_door":{"frontdoor_waf_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/frontdoor_waf_enabled","org":"turbot","name":"frontdoor_waf_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'routing_rule' -> 'frontend_endpoint') is null then 'alarm'\n when (attributes_std -> 'routing_rule' -> 'frontend_endpoint' -> 'web_application_firewall_policy_link_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'routing_rule' -> 'frontend_endpoint') is null then ' WAF disabled'\n when (attributes_std -> 'routing_rule' -> 'frontend_endpoint' -> 'web_application_firewall_policy_link_id') is null then ' WAF disabled'\n else ' WAF enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_frontdoor';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/frontdoor.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.frontdoor_waf_enabled","org":"turbot","name":"frontdoor_waf_enabled","mod":"Azure Compliance","title":"Web Application Firewall (WAF) should be enabled for Azure Front Door Service","description":"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/FrontDoor"}}],"controlTitle":"Web Application Firewall (WAF) should be enabled for Azure Front Door Service","controlDescription":"Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/FrontDoor"}},"frontdoor_firewall_policy_restrict_message_lookup_log4j2":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/frontdoor_firewall_policy_restrict_message_lookup_log4j2","org":"turbot","name":"frontdoor_firewall_policy_restrict_message_lookup_log4j2","sql":"$6d","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/frontdoor.pp","startLineNumber":24,"endLineNumber":74,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.frontdoor_firewall_policy_restrict_message_lookup_log4j2","org":"turbot","name":"frontdoor_firewall_policy_restrict_message_lookup_log4j2","mod":"Terraform Azure Compliance","title":"Front Door firewall policy should restricts message lookup in Log4j2","description":"This control checks that Front Door firewall policy restricts message lookup in Log4j2 due to the CVE-2021-44228 vulnerability, also known as log4jshell.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/FrontDoor"}}],"controlTitle":"Front Door firewall policy should restricts message lookup in Log4j2","controlDescription":"This control checks that Front Door firewall policy restricts message lookup in Log4j2 due to the CVE-2021-44228 vulnerability, also known as log4jshell.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/FrontDoor"}}},"event_hubs":{"eventhub_namespace_use_virtual_service_endpoint":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventhub_namespace_use_virtual_service_endpoint","org":"turbot","name":"eventhub_namespace_use_virtual_service_endpoint","sql":"$6e","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventhub.pp","startLineNumber":1,"endLineNumber":38,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.eventhub_namespace_use_virtual_service_endpoint","org":"turbot","name":"eventhub_namespace_use_virtual_service_endpoint","mod":"Azure Compliance","title":"Event Hub should use a virtual network service endpoint","description":"This policy audits any Event Hub not configured to use a virtual network service endpoint.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/EventHubs"}}],"controlTitle":"Event Hub should use a virtual network service endpoint","controlDescription":"This policy audits any Event Hub not configured to use a virtual network service endpoint.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/EventHubs"}},"eventhub_namespace_cmk_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventhub_namespace_cmk_encryption_enabled","org":"turbot","name":"eventhub_namespace_cmk_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'key_vault_key_ids') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'key_vault_key_ids') is not null then ' CMK encryption enabled'\n else ' CMK encryption disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventhub_namespace_customer_managed_key';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventhub.pp","startLineNumber":40,"endLineNumber":58,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.eventhub_namespace_cmk_encryption_enabled","org":"turbot","name":"eventhub_namespace_cmk_encryption_enabled","mod":"Azure Compliance","title":"Event Hub namespaces should use a customer-managed key for encryption","description":"Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/EventHubs"}}],"controlTitle":"Event Hub namespaces should use a customer-managed key for encryption","controlDescription":"Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/EventHubs"}}},"event_grid":{"eventgrid_domain_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventgrid_domain_restrict_public_access","org":"turbot","name":"eventgrid_domain_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventgrid_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventgrid.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.eventgrid_domain_restrict_public_access","org":"turbot","name":"eventgrid_domain_restrict_public_access","mod":"Azure Compliance","title":"Event Grid domains should restrict public network access","description":"Ensure that Event Grid Domain public network access is disabled. This control is non-compliant if Event Grid domains have public network access enabled.","tags":{"service":"Azure/EventGrid"}}],"controlTitle":"Event Grid domains should restrict public network access","controlDescription":"Ensure that Event Grid Domain public network access is disabled. This control is non-compliant if Event Grid domains have public network access enabled.","controlTags":{"service":"Azure/EventGrid"}},"eventgrid_topic_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventgrid_topic_uses_managed_identity","org":"turbot","name":"eventgrid_topic_uses_managed_identity","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity' ->> 'type') = 'SystemAssigned' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity' ->> 'type') = 'SystemAssigned' then ' uses managed identity'\n else ' not uses managed identity'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventgrid_topic';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventgrid.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.eventgrid_topic_uses_managed_identity","org":"turbot","name":"eventgrid_topic_uses_managed_identity","mod":"Terraform Azure Compliance","title":"Event Grid topics should use managed identity","description":"Use a managed identity for enhanced authentication security. A managed identity from Azure Active Directory (Azure AD) allows your Event Grid topic to easily access other Azure AD-protected resources such as Azure Key Vault.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventGrid"}}],"controlTitle":"Event Grid topics should use managed identity","controlDescription":"Use a managed identity for enhanced authentication security. A managed identity from Azure Active Directory (Azure AD) allows your Event Grid topic to easily access other Azure AD-protected resources such as Azure Key Vault.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventGrid"}},"eventgrid_domain_local_auth_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventgrid_domain_local_auth_disabled","org":"turbot","name":"eventgrid_domain_local_auth_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'local_auth_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'local_auth_enabled') = 'false' then ' local authentication disabled'\n else ' local authentication enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventgrid_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventgrid.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.eventgrid_domain_local_auth_disabled","org":"turbot","name":"eventgrid_domain_local_auth_disabled","mod":"Terraform Azure Compliance","title":"Event Grid domains should have local authentication disabled","description":"Disabling local authentication methods improves security by ensuring that Event Grid domain require Azure Active Directory identities exclusively for authentication.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventGrid"}}],"controlTitle":"Event Grid domains should have local authentication disabled","controlDescription":"Disabling local authentication methods improves security by ensuring that Event Grid domain require Azure Active Directory identities exclusively for authentication.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventGrid"}},"eventgrid_topic_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventgrid_topic_restrict_public_access","org":"turbot","name":"eventgrid_topic_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventgrid_topic';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventgrid.pp","startLineNumber":106,"endLineNumber":125,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.eventgrid_topic_restrict_public_access","org":"turbot","name":"eventgrid_topic_restrict_public_access","mod":"Terraform Azure Compliance","title":"Event Grid topics should disable public network access","description":"Disabling public network access improves security by ensuring that your Event Grid topic is not exposed on the public internet.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventGrid"}}],"controlTitle":"Event Grid topics should disable public network access","controlDescription":"Disabling public network access improves security by ensuring that your Event Grid topic is not exposed on the public internet.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventGrid"}},"eventgrid_topic_local_auth_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventgrid_topic_local_auth_disabled","org":"turbot","name":"eventgrid_topic_local_auth_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'local_auth_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'local_auth_enabled') = 'false' then ' local authentication disabled'\n else ' local authentication enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventgrid_topic';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventgrid.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.eventgrid_topic_local_auth_disabled","org":"turbot","name":"eventgrid_topic_local_auth_disabled","mod":"Terraform Azure Compliance","title":"Event Grid topics should have local authentication disabled","description":"Disabling local authentication methods improves security by ensuring that Event Grid topic require Azure Active Directory identities exclusively for authentication.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/EventGrid"}}],"controlTitle":"Event Grid topics should have local authentication disabled","controlDescription":"Disabling local authentication methods improves security by ensuring that Event Grid topic require Azure Active Directory identities exclusively for authentication.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/EventGrid"}},"eventgrid_domain_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventgrid_domain_uses_managed_identity","org":"turbot","name":"eventgrid_domain_uses_managed_identity","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity' ->> 'type') = 'SystemAssigned' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity' ->> 'type') = 'SystemAssigned' then ' uses managed identity'\n else ' not uses managed identity'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventgrid_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventgrid.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.eventgrid_domain_uses_managed_identity","org":"turbot","name":"eventgrid_domain_uses_managed_identity","mod":"Terraform Azure Compliance","title":"Event Grid domains should use managed identity","description":"Use a managed identity for enhanced authentication security. A managed identity from Azure Active Directory (Azure AD) allows your Event Grid domain to easily access other Azure AD-protected resources such as Azure Key Vault.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventGrid"}}],"controlTitle":"Event Grid domains should use managed identity","controlDescription":"Use a managed identity for enhanced authentication security. A managed identity from Azure Active Directory (Azure AD) allows your Event Grid domain to easily access other Azure AD-protected resources such as Azure Key Vault.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventGrid"}}},"data_lake_storage":{"datalake_store_account_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/datalake_store_account_encryption_enabled","org":"turbot","name":"datalake_store_account_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'encryption_state') = 'Enabled' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'encryption_state') = 'Enabled' then ' encryption at rest enabled'\n else ' encryption at rest disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_data_lake_store';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/datalakestorage.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.datalake_store_account_encryption_enabled","org":"turbot","name":"datalake_store_account_encryption_enabled","mod":"Azure Compliance","title":"Require encryption on Data Lake Store accounts","description":"This policy ensures encryption is enabled on all Data Lake Store accounts.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/DataLakeStorage"}}],"controlTitle":"Require encryption on Data Lake Store accounts","controlDescription":"This policy ensures encryption is enabled on all Data Lake Store accounts.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/DataLakeStorage"}}},"data_factory":{"data_factory_uses_git_repository":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/data_factory_uses_git_repository","org":"turbot","name":"data_factory_uses_git_repository","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'github_configuration') is not null) or ((attributes_std -> 'vsts_configuration') is not null) then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'github_configuration') is not null) or ((attributes_std -> 'vsts_configuration') is not null) then ' uses git repository'\n else ' not use git repository'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_data_factory';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/datafactory.pp","startLineNumber":45,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.data_factory_uses_git_repository","org":"turbot","name":"data_factory_uses_git_repository","mod":"Azure Compliance","title":"Data factories should use GitHub repository","description":"Ensure that Data Factory utilizes a Git repository as its source control mechanism. This control is non-compliant if Data Factory Git repository is not configured.","tags":{"service":"Azure/DataFactory"}}],"controlTitle":"Data factories should use GitHub repository","controlDescription":"Ensure that Data Factory utilizes a Git repository as its source control mechanism. This control is non-compliant if Data Factory Git repository is not configured.","controlTags":{"service":"Azure/DataFactory"}},"data_factory_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/data_factory_encrypted_with_cmk","org":"turbot","name":"data_factory_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'customer_managed_key_id') is null then 'alarm'\n when (attributes_std -> 'customer_managed_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'customer_managed_key_id') is null then ' ''customer_managed_key_id'' not defined'\n when (attributes_std ->> 'customer_managed_key_id' ) is not null then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_data_factory';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/datafactory.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.data_factory_encrypted_with_cmk","org":"turbot","name":"data_factory_encrypted_with_cmk","mod":"Azure Compliance","title":"Azure data factories should be encrypted with a customer-managed key","description":"Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/DataFactory"}}],"controlTitle":"Azure data factories should be encrypted with a customer-managed key","controlDescription":"Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/DataFactory"}},"data_factory_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/data_factory_restrict_public_access","org":"turbot","name":"data_factory_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_enabled') = 'false' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_data_factory';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/datafactory.pp","startLineNumber":24,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.data_factory_restrict_public_access","org":"turbot","name":"data_factory_restrict_public_access","mod":"Terraform Azure Compliance","title":"Data factories should have public network access disabled","description":"Disable public network access on your Data factory to prevent the account from being accessed from the public internet. This prevents the account from being accessed from the public internet.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/DataFactory"}}],"controlTitle":"Data factories should have public network access disabled","controlDescription":"Disable public network access on your Data factory to prevent the account from being accessed from the public internet. This prevents the account from being accessed from the public internet.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/DataFactory"}}},"cosmos_db":{"cosmosdb_use_virtual_service_endpoint":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cosmosdb_use_virtual_service_endpoint","org":"turbot","name":"cosmosdb_use_virtual_service_endpoint","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'virtual_network_rule') is null then 'alarm'\n when (attributes_std -> 'virtual_network_rule' ->> 'id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'virtual_network_rule') is null then ' ''virtual_network_rule'' not defined'\n when (attributes_std -> 'virtual_network_rule' ->> 'id') is not null then ' configured with virtual network service endpointle'\n else ' not configured with virtual network service endpoint'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cosmosdb_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cosmosdb.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cosmosdb_use_virtual_service_endpoint","org":"turbot","name":"cosmosdb_use_virtual_service_endpoint","mod":"Azure Compliance","title":"Cosmos DB should use a virtual network service endpoint","description":"This policy audits any Cosmos DB not configured to use a virtual network service endpoint.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/CosmosDB"}}],"controlTitle":"Cosmos DB should use a virtual network service endpoint","controlDescription":"This policy audits any Cosmos DB not configured to use a virtual network service endpoint.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/CosmosDB"}},"cosmosdb_account_with_firewall_rules":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cosmosdb_account_with_firewall_rules","org":"turbot","name":"cosmosdb_account_with_firewall_rules","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled')::boolean\n and (attributes_std ->> 'is_virtual_network_filter_enabled' )::boolean = 'false'\n and (attributes_std ->> 'ip_range_filter') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled')::boolean\n and (attributes_std ->> 'is_virtual_network_filter_enabled' )::boolean = 'false'\n and (attributes_std ->> 'ip_range_filter') is null then ' not have firewall rules'\n else ' have firewall rules'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cosmosdb_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cosmosdb.pp","startLineNumber":24,"endLineNumber":47,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cosmosdb_account_with_firewall_rules","org":"turbot","name":"cosmosdb_account_with_firewall_rules","mod":"Azure Compliance","title":"Azure Cosmos DB accounts should have firewall rules","description":"Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/CosmosDB"}}],"controlTitle":"Azure Cosmos DB accounts should have firewall rules","controlDescription":"Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/CosmosDB"}},"cosmosdb_account_encryption_at_rest_using_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cosmosdb_account_encryption_at_rest_using_cmk","org":"turbot","name":"cosmosdb_account_encryption_at_rest_using_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'key_vault_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'key_vault_key_id') is not null then ' encrypted at rest using CMK'\n else ' not encrypted at rest using CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cosmosdb_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cosmosdb.pp","startLineNumber":49,"endLineNumber":68,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cosmosdb_account_encryption_at_rest_using_cmk","org":"turbot","name":"cosmosdb_account_encryption_at_rest_using_cmk","mod":"Azure Compliance","title":"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest","description":"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/CosmosDB"}}],"controlTitle":"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest","controlDescription":"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/CosmosDB"}},"cosmodb_account_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cosmodb_account_restrict_public_access","org":"turbot","name":"cosmodb_account_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then 'ok'\n when (attributes_std ->> 'public_network_access_enabled')::boolean and (attributes_std ->> 'is_virtual_network_filter_enabled')::boolean and ((attributes_std ->> 'virtual_network_rule') is not null or (attributes_std ->> 'ip_range_filter') is not null) then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then 'ok'\n when (attributes_std ->> 'public_network_access_enabled')::boolean and (attributes_std ->> 'is_virtual_network_filter_enabled')::boolean and ((attributes_std ->> 'virtual_network_rule') is not null or (attributes_std ->> 'ip_range_filter') is not null) then ' with restricted access'\n else ' without restricted access'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cosmosdb_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cosmosdb.pp","startLineNumber":139,"endLineNumber":160,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cosmodb_account_restrict_public_access","org":"turbot","name":"cosmodb_account_restrict_public_access","mod":"Terraform Azure Compliance","title":"Cosmos DB accounts should have restricted access","description":"Ensure that Azure Cosmos DB accounts have restricted access.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/CosmosDB"}}],"controlTitle":"Cosmos DB accounts should have restricted access","controlDescription":"Ensure that Azure Cosmos DB accounts have restricted access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/CosmosDB"}},"cosmodb_account_access_key_metadata_writes_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cosmodb_account_access_key_metadata_writes_disabled","org":"turbot","name":"cosmodb_account_access_key_metadata_writes_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'access_key_metadata_writes_enabled') is null then 'alarm'\n when (attributes_std ->> 'access_key_metadata_writes_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'access_key_metadata_writes_enabled') is null then ' access key metadata writes enabled'\n when (attributes_std ->> 'access_key_metadata_writes_enabled')::boolean then ' access key metadata writes enabled'\n else ' access key metadata writes disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cosmosdb_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cosmosdb.pp","startLineNumber":70,"endLineNumber":91,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cosmodb_account_access_key_metadata_writes_disabled","org":"turbot","name":"cosmodb_account_access_key_metadata_writes_disabled","mod":"Terraform Azure Compliance","title":"Cosmos DB accounts should have access key metadata writes disabled","description":"Disable access key metadata writes on your Azure Cosmos DB accounts to prevent the access key from being overwritten. This prevents the access key from being overwritten by a user or application.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/CosmosDB"}}],"controlTitle":"Cosmos DB accounts should have access key metadata writes disabled","controlDescription":"Disable access key metadata writes on your Azure Cosmos DB accounts to prevent the access key from being overwritten. This prevents the access key from being overwritten by a user or application.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/CosmosDB"}},"cosmodb_account_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cosmodb_account_public_network_access_disabled","org":"turbot","name":"cosmodb_account_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') is null then 'alarm'\n when (attributes_std ->> 'public_network_access_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') is null then ' public network access enabled'\n when (attributes_std ->> 'public_network_access_enabled')::boolean then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cosmosdb_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cosmosdb.pp","startLineNumber":93,"endLineNumber":114,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cosmodb_account_public_network_access_disabled","org":"turbot","name":"cosmodb_account_public_network_access_disabled","mod":"Terraform Azure Compliance","title":"Cosmos DB accounts should have public network access disabled","description":"Disable public network access on your Azure Cosmos DB accounts to prevent the account from being accessed from the public internet. This prevents the account from being accessed from the public internet.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/CosmosDB"}}],"controlTitle":"Cosmos DB accounts should have public network access disabled","controlDescription":"Disable public network access on your Azure Cosmos DB accounts to prevent the account from being accessed from the public internet. This prevents the account from being accessed from the public internet.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/CosmosDB"}},"cosmodb_account_local_authentication_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cosmodb_account_local_authentication_disabled","org":"turbot","name":"cosmodb_account_local_authentication_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kind') is not null and (attributes_std ->> 'kind') <> 'GlobalDocumentDB' then 'skip'\n when (attributes_std ->> 'local_authentication_disabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kind') is not null and (attributes_std ->> 'kind') <> 'GlobalDocumentDB' then ' not GlobalDocumentDB'\n when (attributes_std ->> 'local_authentication_disabled')::boolean then ' local authentication disabled'\n else ' local authentication enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cosmosdb_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cosmosdb.pp","startLineNumber":116,"endLineNumber":137,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cosmodb_account_local_authentication_disabled","org":"turbot","name":"cosmodb_account_local_authentication_disabled","mod":"Terraform Azure Compliance","title":"Cosmos DB accounts should have local authentication disabled","description":"Ensure that local authentication is disabled on CosmosDB accounts.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/CosmosDB"}}],"controlTitle":"Cosmos DB accounts should have local authentication disabled","controlDescription":"Ensure that local authentication is disabled on CosmosDB accounts.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/CosmosDB"}}},"container_registry":{"container_registry_use_virtual_service_endpoint":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_use_virtual_service_endpoint","org":"turbot","name":"container_registry_use_virtual_service_endpoint","sql":"with container_registry as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_container_registry'\n), container_registry_subnet as (\n select\n distinct address\n from\n container_registry as a,\n jsonb_array_elements(attributes_std -> 'network_rule_set' -> 'virtual_network') as rule\n)\nselect\n a.address as resource,\n case\n when (attributes_std -> 'network_rule_set' ->> 'default_action')::text <> 'Deny' then 'alarm'\n when s.address is null then 'alarm'\n else 'ok'\n end as status,\n case\n when (attributes_std -> 'network_rule_set' ->> 'default_action')::text <> 'Deny' then ' not configured with virtual service endpoint'\n when s.address is null then ' not configured with virtual service endpoint'\n else ' configured with virtual service endpoint'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n container_registry as a\n left join container_registry_subnet as s on a.address = s.address;\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":67,"endLineNumber":101,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.container_registry_use_virtual_service_endpoint","org":"turbot","name":"container_registry_use_virtual_service_endpoint","mod":"Azure Compliance","title":"Container Registry should use a virtual network service endpoint","description":"This policy audits any Container Registry not configured to use a virtual network service endpoint.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container Registry should use a virtual network service endpoint","controlDescription":"This policy audits any Container Registry not configured to use a virtual network service endpoint.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/ContainerRegistry"}},"container_registry_trust_policy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_trust_policy_enabled","org":"turbot","name":"container_registry_trust_policy_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'trust_policy' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'trust_policy' ->> 'enabled')::boolean then ' trust policy enabled'\n else ' trust policy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":250,"endLineNumber":269,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.container_registry_trust_policy_enabled","org":"turbot","name":"container_registry_trust_policy_enabled","mod":"Azure Compliance","title":"Container registries trust policy should be enabled","description":"Ensure container registry trust policy is enabled. This control is non-compliant if trust policy is disabled.","tags":{"service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries trust policy should be enabled","controlDescription":"Ensure container registry trust policy is enabled. This control is non-compliant if trust policy is disabled.","controlTags":{"service":"Azure/ContainerRegistry"}},"container_registry_retention_policy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_retention_policy_enabled","org":"turbot","name":"container_registry_retention_policy_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku') = 'Premium' and (attributes_std -> 'retention_policy' ->> 'enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku') = 'Premium' and (attributes_std -> 'retention_policy' ->> 'enabled')::bool then ' retention policy enabled'\n else ' retention policy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":187,"endLineNumber":206,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.container_registry_retention_policy_enabled","org":"turbot","name":"container_registry_retention_policy_enabled","mod":"Azure Compliance","title":"Container registries retention policy should be enabled","description":"Ensure container registry retention policy is enabled. This control is non-compliant if retention policy is disabled.","tags":{"service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries retention policy should be enabled","controlDescription":"Ensure container registry retention policy is enabled. This control is non-compliant if retention policy is disabled.","controlTags":{"service":"Azure/ContainerRegistry"}},"container_registry_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_restrict_public_access","org":"turbot","name":"container_registry_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'network_rule_set') is null then 'alarm'\n when (attributes_std -> 'network_rule_set' ->> 'default_action')::text = 'Deny' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'network_rule_set') is null then ' ''network_rule_set'' not defined'\n when (attributes_std -> 'network_rule_set' ->> 'default_action')::text = 'Deny' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":44,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.container_registry_restrict_public_access","org":"turbot","name":"container_registry_restrict_public_access","mod":"Azure Compliance","title":"Container registries should not allow unrestricted network access","description":"Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries should not allow unrestricted network access","controlDescription":"Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/ContainerRegistry"}},"container_registry_quarantine_policy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_quarantine_policy_enabled","org":"turbot","name":"container_registry_quarantine_policy_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku') = 'Premium' and (attributes_std ->> 'quarantine_policy_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku') = 'Premium' and (attributes_std ->> 'quarantine_policy_enabled')::bool then ' quarantine policy enabled'\n else ' quarantine policy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":166,"endLineNumber":185,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.container_registry_quarantine_policy_enabled","org":"turbot","name":"container_registry_quarantine_policy_enabled","mod":"Azure Compliance","title":"Container registries quarantine policy should be enabled","description":"Ensure container registry quarantine policy is enabled. This control is non-compliant if quarantine policy is disabled.","tags":{"service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries quarantine policy should be enabled","controlDescription":"Ensure container registry quarantine policy is enabled. This control is non-compliant if quarantine policy is disabled.","controlTags":{"service":"Azure/ContainerRegistry"}},"container_registry_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_public_network_access_disabled","org":"turbot","name":"container_registry_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled')::bool or (attributes_std ->> 'public_network_access_enabled') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled')::bool or (attributes_std ->> 'public_network_access_enabled') is null then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":229,"endLineNumber":248,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.container_registry_public_network_access_disabled","org":"turbot","name":"container_registry_public_network_access_disabled","mod":"Azure Compliance","title":"Container registries public network access should be disabled","description":"Ensure that container registries public network access is disabled.","tags":{"service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries public network access should be disabled","controlDescription":"Ensure that container registries public network access is disabled.","controlTags":{"service":"Azure/ContainerRegistry"}},"container_registry_geo_replication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_geo_replication_enabled","org":"turbot","name":"container_registry_geo_replication_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku') = 'Premium' and (attributes_std ->> 'georeplications') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku') = 'Premium' and (attributes_std ->> 'georeplications') is not null then ' geo-replication enabled'\n else ' geo-replication disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":208,"endLineNumber":227,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.container_registry_geo_replication_enabled","org":"turbot","name":"container_registry_geo_replication_enabled","mod":"Azure Compliance","title":"Container registries should be geo-replicated","description":"Ensure that container registries are geo-replicated to align with multi-region container deployments.","tags":{"service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries should be geo-replicated","controlDescription":"Ensure that container registries are geo-replicated to align with multi-region container deployments.","controlTags":{"service":"Azure/ContainerRegistry"}},"container_registry_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_encrypted_with_cmk","org":"turbot","name":"container_registry_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption' ) is null then 'alarm'\n when (attributes_std -> 'encryption' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption' ) is null then ' ''encryption'' not defined'\n when (attributes_std -> 'encryption' ->> 'enabled')::boolean then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.container_registry_encrypted_with_cmk","org":"turbot","name":"container_registry_encrypted_with_cmk","mod":"Azure Compliance","title":"Container registries should be encrypted with a customer-managed key","description":"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries should be encrypted with a customer-managed key","controlDescription":"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/ContainerRegistry"}},"container_registry_admin_user_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_admin_user_disabled","org":"turbot","name":"container_registry_admin_user_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'admin_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'admin_enabled')::boolean then ' admin user enabled'\n else ' admin user disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":103,"endLineNumber":122,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.container_registry_admin_user_disabled","org":"turbot","name":"container_registry_admin_user_disabled","mod":"Azure Compliance","title":"Container registries admin user should be disabled","description":"Ensure container registry admin user is disabled. This control is non-compliant if admin user is enabled.","tags":{"service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries admin user should be disabled","controlDescription":"Ensure container registry admin user is disabled. This control is non-compliant if admin user is enabled.","controlTags":{"service":"Azure/ContainerRegistry"}},"container_registry_anonymous_pull_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_anonymous_pull_disabled","org":"turbot","name":"container_registry_anonymous_pull_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku') in ('Standard', 'Premium') and (attributes_std ->> 'anonymous_pull_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku') in ('Standard', 'Premium') and (attributes_std ->> 'anonymous_pull_enabled')::boolean then ' anonymous pull enabled'\n else ' anonymous pull disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":124,"endLineNumber":143,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_registry_anonymous_pull_disabled","org":"turbot","name":"container_registry_anonymous_pull_disabled","mod":"Terraform Azure Compliance","title":"Container registries anonymous pull should be disabled","description":"This control checks whether anonymous pull is disabled. This control is non-compliant if anonymous pull is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries anonymous pull should be disabled","controlDescription":"This control checks whether anonymous pull is disabled. This control is non-compliant if anonymous pull is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerRegistry"}},"container_registry_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_azure_defender_enabled","org":"turbot","name":"container_registry_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'AppServices' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'info'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'ContainerRegistry' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for Container Registry'\n else ' Azure Defender off for Container Registry'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":24,"endLineNumber":42,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_registry_azure_defender_enabled","org":"turbot","name":"container_registry_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for container registries should be enabled","description":"Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}}],"controlTitle":"Azure Defender for container registries should be enabled","controlDescription":"Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/ContainerRegistry"}},"container_registry_image_scan_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_image_scan_enabled","org":"turbot","name":"container_registry_image_scan_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku') in ('Standard', 'Premium') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku') in ('Standard', 'Premium') then ' image scan enabled'\n else ' image scan disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_registry';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":145,"endLineNumber":164,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_registry_image_scan_enabled","org":"turbot","name":"container_registry_image_scan_enabled","mod":"Terraform Azure Compliance","title":"Container registries image scan should be enabled","description":"This control checks whether image scan is enabled. This control is non-compliant if image scan is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries image scan should be enabled","controlDescription":"This control checks whether image scan is enabled. This control is non-compliant if image scan is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerRegistry"}},"container_registry_zone_redundant_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_registry_zone_redundant_enabled","org":"turbot","name":"container_registry_zone_redundant_enabled","sql":"$6f","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerregistry.pp","startLineNumber":271,"endLineNumber":306,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_registry_zone_redundant_enabled","org":"turbot","name":"container_registry_zone_redundant_enabled","mod":"Terraform Azure Compliance","title":"Container registries should be zone redundant","description":"This control ensures that Container registry is zone redundant.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerRegistry"}}],"controlTitle":"Container registries should be zone redundant","controlDescription":"This control ensures that Container registry is zone redundant.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerRegistry"}}},"container_instance":{"container_instance_container_group_in_virtual_network":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_instance_container_group_in_virtual_network","org":"turbot","name":"container_instance_container_group_in_virtual_network","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'subnet_ids') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'subnet_ids') is null then ' in virtual network.'\n else ' not in virtual network.'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_container_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerinstance.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.container_instance_container_group_in_virtual_network","org":"turbot","name":"container_instance_container_group_in_virtual_network","mod":"Azure Compliance","title":"Container instance container groups should be in virtual network","description":"This control ensures that the container group is deployed into a virtual network.","tags":{"service":"Azure/ContainerInstance"}}],"controlTitle":"Container instance container groups should be in virtual network","controlDescription":"This control ensures that the container group is deployed into a virtual network.","controlTags":{"service":"Azure/ContainerInstance"}},"container_instance_container_group_secure_environment_variable":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/container_instance_container_group_secure_environment_variable","org":"turbot","name":"container_instance_container_group_secure_environment_variable","sql":"with container_group_no_secure_environment as (\n select\n distinct name\n from\n terraform_resource,\n jsonb_array_elements(attributes_std -> 'container') as c\n where\n type = 'azurerm_container_group'\n and c -> 'environment_variables' is not null\n)\nselect\n address as resource,\n case\n when e.name is not null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when e.name is not null then ' uses environment variables'\n else ' does not use environment variables'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource as r\n left join container_group_no_secure_environment as e on e.name = r.name\nwhere\n type = 'azurerm_container_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/containerinstance.pp","startLineNumber":22,"endLineNumber":52,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.container_instance_container_group_secure_environment_variable","org":"turbot","name":"container_instance_container_group_secure_environment_variable","mod":"Terraform Azure Compliance","title":"Container instance container groups should use secure environment variable","description":"This control ensures that the container group uses secure environment variable.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerInstance"}}],"controlTitle":"Container instance container groups should use secure environment variable","controlDescription":"This control ensures that the container group uses secure environment variable.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContainerInstance"}}},"cognitive_services":{"cognitive_service_local_auth_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cognitive_service_local_auth_disabled","org":"turbot","name":"cognitive_service_local_auth_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'local_auth_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'local_auth_enabled')::boolean then ' account local authentication enabled'\n else ' account local authentication disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cognitive_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitiveservices.pp","startLineNumber":57,"endLineNumber":76,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cognitive_service_local_auth_disabled","org":"turbot","name":"cognitive_service_local_auth_disabled","mod":"Azure Compliance","title":"Cognitive Services accounts should have local authentication methods disabled","description":"Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication.","tags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveServices"}}],"controlTitle":"Cognitive Services accounts should have local authentication methods disabled","controlDescription":"Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication.","controlTags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveServices"}},"cognitive_account_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cognitive_account_restrict_public_access","org":"turbot","name":"cognitive_account_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'network_acls') is null then 'alarm'\n when (attributes_std -> 'network_acls' ->> 'default_action') <> 'Deny' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'network_acls') is null then ' ''network_acls'' not defin'\n when (attributes_std -> 'network_acls' ->> 'default_action') <> 'Deny' then ' publicly accessible.'\n else ' publicly not accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cognitive_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitiveservices.pp","startLineNumber":78,"endLineNumber":99,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cognitive_account_restrict_public_access","org":"turbot","name":"cognitive_account_restrict_public_access","mod":"Azure Compliance","title":"Cognitive Services accounts should restrict network access","description":"Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.","tags":{"nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveServices"}}],"controlTitle":"Cognitive Services accounts should restrict network access","controlDescription":"Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges.","controlTags":{"nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveServices"}},"cognitive_account_public_network_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cognitive_account_public_network_access_disabled","org":"turbot","name":"cognitive_account_public_network_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled')::boolean then ' public network access enabled'\n else ' public network access disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cognitive_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitiveservices.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cognitive_account_public_network_access_disabled","org":"turbot","name":"cognitive_account_public_network_access_disabled","mod":"Azure Compliance","title":"Cognitive Services accounts should disable public network access","description":"Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account.","tags":{"nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveServices"}}],"controlTitle":"Cognitive Services accounts should disable public network access","controlDescription":"Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account.","controlTags":{"nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveServices"}},"cognitive_account_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cognitive_account_encrypted_with_cmk","org":"turbot","name":"cognitive_account_encrypted_with_cmk","sql":"with all_cognitive_account as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_cognitive_account'\n), cognitive_account_cmk as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_cognitive_account_customer_managed_key'\n)\nselect\n c.address as resource,\n case\n when (b.attributes_std ->> 'cognitive_account_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(c.address, '.', 2) || case\n when (b.attributes_std ->> 'cognitive_account_id') is not null then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , c.path || ':' || c.start_line\nfrom\n all_cognitive_account as c\n left join cognitive_account_cmk as b on c.name = (split_part((b.attributes_std ->> 'cognitive_account_id'), '.', 2))\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cognitiveservices.pp","startLineNumber":22,"endLineNumber":55,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cognitive_account_encrypted_with_cmk","org":"turbot","name":"cognitive_account_encrypted_with_cmk","mod":"Azure Compliance","title":"Cognitive Services accounts should enable data encryption with a customer-managed key","description":"Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveServices"}}],"controlTitle":"Cognitive Services accounts should enable data encryption with a customer-managed key","controlDescription":"Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/CognitiveServices"}}},"batch":{"batch_account_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/batch_account_logging_enabled","org":"turbot","name":"batch_account_logging_enabled","sql":"$70","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/batch.pp","startLineNumber":22,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.batch_account_logging_enabled","org":"turbot","name":"batch_account_logging_enabled","mod":"Azure Compliance","title":"Resource logs in Batch accounts should be enabled","description":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Batch"}}],"controlTitle":"Resource logs in Batch accounts should be enabled","controlDescription":"Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Batch"}},"batch_account_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/batch_account_encrypted_with_cmk","org":"turbot","name":"batch_account_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'key_vault_reference') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'key_vault_reference') is not null then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_batch_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/batch.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.batch_account_encrypted_with_cmk","org":"turbot","name":"batch_account_encrypted_with_cmk","mod":"Azure Compliance","title":"Azure Batch account should use customer-managed keys to encrypt data","description":"Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Batch"}}],"controlTitle":"Azure Batch account should use customer-managed keys to encrypt data","controlDescription":"Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/Batch"}}},"app_service":{"appservice_web_app_worker_more_than_one":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_worker_more_than_one","org":"turbot","name":"appservice_web_app_worker_more_than_one","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'worker_count')::int >= 2 then 'ok'\n when (attributes_std ->> 'worker_count')::int < 2 then 'alarm'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'worker_count')::int >= 2 then ' has ' || (attributes_std ->> 'worker_count') || ' number of workers'\n when (attributes_std ->> 'worker_count')::int < 2 then ' has ' || (attributes_std ->> 'worker_count') || ' number of workers'\n else ' worker count is not set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_service_plan';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":788,"endLineNumber":809,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_worker_more_than_one","org":"turbot","name":"appservice_web_app_worker_more_than_one","mod":"Azure Compliance","title":"Web app should have more than one worker","description":"It is recommended to have more than one worker for failover. This control is non-compliant if Web apps have one or less than one worker.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Web app should have more than one worker","controlDescription":"It is recommended to have more than one worker for failover. This control is non-compliant if Web apps have one or less than one worker.","controlTags":{"service":"Azure/AppService"}},"appservice_web_app_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_uses_managed_identity","org":"turbot","name":"appservice_web_app_uses_managed_identity","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity') is null then ' ''identity'' is not defined'\n else ' uses ' || (attributes_std -> 'identity' ->> 'type') || ' identity'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":460,"endLineNumber":479,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_uses_managed_identity","org":"turbot","name":"appservice_web_app_uses_managed_identity","mod":"Azure Compliance","title":"App Service apps should use managed identity","description":"Use a managed identity for enhanced authentication security.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"App Service apps should use managed identity","controlDescription":"Use a managed identity for enhanced authentication security.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_web_app_use_virtual_service_endpoint":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_use_virtual_service_endpoint","org":"turbot","name":"appservice_web_app_use_virtual_service_endpoint","sql":"with app_service as (\n select\n '${azurerm_app_service.' || name || '.id}' as id,\n *\n from\n terraform_resource\n where\n type = 'azurerm_app_service'\n), app_service_vnet as (\n select\n *\n from\n terraform_resource\n where\n type = 'azurerm_app_service_slot_virtual_network_swift_connection'\n and (attributes_std ->> 'subnet_id') is not null\n)\nselect\n a.address as resource,\n case\n when (s.attributes_std ->> 'app_service_id') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(a.address, '.', 2) || case\n when (s.attributes_std ->> 'app_service_id') is null then ' not configured with virtual network service endpoint'\n else ' configured with virtual network service endpoint'\n end || '.' reason\n \n , a.path || ':' || a.start_line\nfrom\n app_service as a\n left join app_service_vnet as s on a.id = (s.attributes_std ->> 'app_service_id');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":619,"endLineNumber":654,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_use_virtual_service_endpoint","org":"turbot","name":"appservice_web_app_use_virtual_service_endpoint","mod":"Azure Compliance","title":"App Service apps should use a virtual network service endpoint","description":"Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aks.ms/appservice-vnet-service-endpoint.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/AppService"}}],"controlTitle":"App Service apps should use a virtual network service endpoint","controlDescription":"Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aks.ms/appservice-vnet-service-endpoint.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/AppService"}},"appservice_web_app_use_https":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_use_https","org":"turbot","name":"appservice_web_app_use_https","sql":"select\n address as resource,\n case\n when (attributes_std -> 'https_only')::boolean then 'ok'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'https_only')::boolean then ' redirects all HTTP traffic to HTTPS'\n else ' does not redirect all HTTP traffic to HTTPS'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":550,"endLineNumber":569,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_1","org":"turbot","name":"cis_v300_9_1","mod":"Azure Compliance","title":"9.1 Ensure 'HTTPS Only' is set to `On`","description":"Azure App Service allows apps to run under both HTTP and HTTPS by default. Apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.1","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_2","org":"turbot","name":"cis_v210_9_2","mod":"Azure Compliance","title":"9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service","description":"Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.2","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_9_2","org":"turbot","name":"cis_v200_9_2","mod":"Azure Compliance","title":"9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service","description":"Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.2","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_9_2","org":"turbot","name":"cis_v150_9_2","mod":"Azure Compliance","title":"9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service","description":"Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.2","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_9_2","org":"turbot","name":"cis_v140_9_2","mod":"Azure Compliance","title":"9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service","description":"Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.2","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_9_2","org":"turbot","name":"cis_v130_9_2","mod":"Azure Compliance","title":"9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service","description":"Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.2","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_use_https","org":"turbot","name":"appservice_web_app_use_https","mod":"Azure Compliance","title":"Web Application should only be accessible over HTTPS","description":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","tags":{"hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","service":"Azure/AppService"}}],"controlTitle":"Web Application should only be accessible over HTTPS","controlDescription":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.2","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true"}},"appservice_web_app_slot_use_https":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_slot_use_https","org":"turbot","name":"appservice_web_app_slot_use_https","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'https_only') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'https_only') ='true' then ' accessible over HTTPS'\n else ' not accessible over HTTPS'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service_slot';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":871,"endLineNumber":890,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_slot_use_https","org":"turbot","name":"appservice_web_app_slot_use_https","mod":"Azure Compliance","title":"Web app slot should only be accessible over HTTPS","description":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Web app slot should only be accessible over HTTPS","controlDescription":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","controlTags":{"service":"Azure/AppService"}},"appservice_web_app_remote_debugging_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_remote_debugging_disabled","org":"turbot","name":"appservice_web_app_remote_debugging_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config' ->> 'remote_debugging_enabled') = 'true' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config' ->> 'remote_debugging_enabled') = 'true' then ' remote debugging enabled'\n else ' remote debugging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_12","org":"turbot","name":"cis_v300_9_12","mod":"Azure Compliance","title":"9.12 Ensure that 'Remote debugging' is set to 'Off'","description":"Remote Debugging allows Azure App Service to be debugged in real-time directly on the Azure environment. When remote debugging is enabled, it opens a communication channel that could potentially be exploited by unauthorized users if not properly secured.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.12","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_remote_debugging_disabled","org":"turbot","name":"appservice_web_app_remote_debugging_disabled","mod":"Azure Compliance","title":"Remote debugging should be turned off for Web Applications","description":"Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Remote debugging should be turned off for Web Applications","controlDescription":"Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.12","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},"appservice_web_app_register_with_active_directory_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_register_with_active_directory_enabled","org":"turbot","name":"appservice_web_app_register_with_active_directory_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity') is null then 'alarm'\n when (attributes_std -> 'identity' ->> 'type')::text = 'SystemAssigned' then 'ok'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity') is null then ' ''identity'' not defined'\n when (attributes_std -> 'identity' ->> 'type')::text = 'SystemAssigned' then ' register with azure active directory enabled'\n else ' register with azure active directory disabled.'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":130,"endLineNumber":151,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_4","org":"turbot","name":"cis_v210_9_4","mod":"Azure Compliance","title":"9.4 Ensure that Register with Entra ID is enabled on App Service","description":"Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering an App Service with Entra ID, the app will connect to other Azure services securely without the need for usernames and passwords.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.4","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_9_5","org":"turbot","name":"cis_v200_9_5","mod":"Azure Compliance","title":"9.5 Ensure that Register with Azure Active Directory is enabled on App Service","description":"Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.5","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_9_5","org":"turbot","name":"cis_v150_9_5","mod":"Azure Compliance","title":"9.5 Ensure that Register with Azure Active Directory is enabled on App Service","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.5","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_9_5","org":"turbot","name":"cis_v140_9_5","mod":"Azure Compliance","title":"9.5 Ensure that Register with Azure Active Directory is enabled on App Service","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.5","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_9_5","org":"turbot","name":"cis_v130_9_5","mod":"Azure Compliance","title":"9.5 Ensure that Register with Azure Active Directory is enabled on App Service","description":"Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.5","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_5","org":"turbot","name":"cis_v300_9_5","mod":"Azure Compliance","title":"9.5 Ensure that Register with Entra ID is enabled on App Service","description":"Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering an App Service with Entra ID, the app will connect to other Azure services securely without the need for usernames and passwords.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.5","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_register_with_active_directory_enabled","org":"turbot","name":"appservice_web_app_register_with_active_directory_enabled","mod":"Azure Compliance","title":"Ensure that Register with Azure Active Directory is enabled on App Service","description":"Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Ensure that Register with Azure Active Directory is enabled on App Service","controlDescription":"Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.5","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},"appservice_web_app_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_latest_tls_version","org":"turbot","name":"appservice_web_app_latest_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'min_tls_version')::float < 1.2 then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''min_tls_version'' not defined'\n when (attributes_std -> 'site_config' ->> 'min_tls_version')::float < 1.2 then ' not using the latest version of TLS encryption'\n else ' using the latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":414,"endLineNumber":435,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_3","org":"turbot","name":"cis_v210_9_3","mod":"Azure Compliance","title":"9.3 Ensure Web App is using the latest version of TLS encryption","description":"The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.3","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_9_3","org":"turbot","name":"cis_v200_9_3","mod":"Azure Compliance","title":"9.3 Ensure Web App is using the latest version of TLS encryption","description":"The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.3","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_9_3","org":"turbot","name":"cis_v150_9_3","mod":"Azure Compliance","title":"9.3 Ensure web app is using the latest version of TLS encryption","description":"The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.3","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_9_3","org":"turbot","name":"cis_v140_9_3","mod":"Azure Compliance","title":"9.3 Ensure web app is using the latest version of TLS encryption","description":"The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.3","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_9_3","org":"turbot","name":"cis_v130_9_3","mod":"Azure Compliance","title":"9.3 Ensure web app is using the latest version of TLS encryption","description":"The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.3","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_4","org":"turbot","name":"cis_v300_9_4","mod":"Azure Compliance","title":"9.4 Ensure Web App is using the latest version of TLS encryption","description":"The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.4","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_latest_tls_version","org":"turbot","name":"appservice_web_app_latest_tls_version","mod":"Azure Compliance","title":"Latest TLS version should be used in your Web App","description":"Upgrade to the latest TLS version.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Latest TLS version should be used in your Web App","controlDescription":"Upgrade to the latest TLS version.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.4","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},"appservice_web_app_latest_python_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_latest_python_version","org":"turbot","name":"appservice_web_app_latest_python_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'PYTHON%' then 'ok'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text = 'PYTHON|3.9' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'PYTHON%' then' not using python version'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text = 'PYTHON|3.9' then ' using the latest python version'\n else ' not using latest python version'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":594,"endLineNumber":617,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_6","org":"turbot","name":"cis_v210_9_6","mod":"Azure Compliance","title":"9.6 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.6","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_8","org":"turbot","name":"cis_v300_9_8","mod":"Azure Compliance","title":"9.8 Ensure that 'Python version' is currently supported (if in use)","description":"Periodically, older versions of Python may be deprecated and no longer supported. Using a supported version of Python for app services is recommended to avoid potential unpatched vulnerabilities.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.8","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_latest_python_version","org":"turbot","name":"appservice_web_app_latest_python_version","mod":"Azure Compliance","title":"Ensure that 'Python version' is the latest, if used as a part of the Web app","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Ensure that 'Python version' is the latest, if used as a part of the Web app","controlDescription":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.8","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},"appservice_web_app_latest_php_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_latest_php_version","org":"turbot","name":"appservice_web_app_latest_php_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'PHP%' then 'ok'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text = 'PYTHON|3.9' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'PHP%' then' not using php version'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text = 'PHP|8.0' then ' using the latest php version'\n else ' not using latest php version'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":230,"endLineNumber":253,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_5","org":"turbot","name":"cis_v210_9_5","mod":"Azure Compliance","title":"9.5 Ensure That 'PHP version' is the Latest, If Used to Run the Web App","description":"Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.5","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_7","org":"turbot","name":"cis_v300_9_7","mod":"Azure Compliance","title":"9.7 Ensure that 'PHP version' is currently supported (if in use)","description":"Periodically, older versions of PHP may be deprecated and no longer supported. Using a supported version of PHP for app services is recommended to avoid potential unpatched vulnerabilities.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.7","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_latest_php_version","org":"turbot","name":"appservice_web_app_latest_php_version","mod":"Azure Compliance","title":"Ensure that 'PHP version' is the latest, if used as a part of the WEB app","description":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Ensure that 'PHP version' is the latest, if used as a part of the WEB app","controlDescription":"Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.7","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},"appservice_web_app_latest_java_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_latest_java_version","org":"turbot","name":"appservice_web_app_latest_java_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'JAVA%' then 'ok'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text = 'PYTHON|3.9' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'JAVA%' then' not using JAVA version'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text like '%11' then ' using the latest JAVA version'\n else ' not using latest JAVA version'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":656,"endLineNumber":679,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_7","org":"turbot","name":"cis_v210_9_7","mod":"Azure Compliance","title":"9.7 Ensure that 'Java version' is the latest, if used to run the Web App","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.7","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_9","org":"turbot","name":"cis_v300_9_9","mod":"Azure Compliance","title":"9.9 Ensure that 'Java version' is currently supported (if in use)","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_latest_java_version","org":"turbot","name":"appservice_web_app_latest_java_version","mod":"Azure Compliance","title":"Ensure that 'Java version' is the latest, if used as a part of the Web app","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Ensure that 'Java version' is the latest, if used as a part of the Web app","controlDescription":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},"appservice_web_app_latest_http_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_latest_http_version","org":"turbot","name":"appservice_web_app_latest_http_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'http2_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' HTTP version not defined'\n when (attributes_std -> 'site_config' ->> 'http2_enabled')::boolean then ' HTTP version is latest'\n else ' HTTP version not latest'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":301,"endLineNumber":322,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_10","org":"turbot","name":"cis_v300_9_10","mod":"Azure Compliance","title":"9.10 Ensure that 'HTTP20enabled' is set to 'true' (if in use)","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.10","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_8","org":"turbot","name":"cis_v210_9_8","mod":"Azure Compliance","title":"9.8 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.8","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_9_9","org":"turbot","name":"cis_v200_9_9","mod":"Azure Compliance","title":"9.9 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_9_9","org":"turbot","name":"cis_v150_9_9","mod":"Azure Compliance","title":"9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_9_9","org":"turbot","name":"cis_v140_9_9","mod":"Azure Compliance","title":"9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v1.4.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_9_9","org":"turbot","name":"cis_v130_9_9","mod":"Azure Compliance","title":"9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_latest_http_version","org":"turbot","name":"appservice_web_app_latest_http_version","mod":"Azure Compliance","title":"Ensure that 'HTTP Version' is the latest, if used to run the Web app","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"Ensure that 'HTTP Version' is the latest, if used to run the Web app","controlDescription":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"manual","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService","fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true"}},"appservice_web_app_latest_dotnet_framework_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_latest_dotnet_framework_version","org":"turbot","name":"appservice_web_app_latest_dotnet_framework_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config' ->> 'dotnet_framework_version') is null then 'skip'\n when (attributes_std -> 'site_config' ->> 'dotnet_framework_version') = 'v6.0' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config' ->> 'dotnet_framework_version') is null then ' not using dotnet framework'\n when (attributes_std -> 'site_config' ->> 'dotnet_framework_version') = 'v6.0' then ' using latest dotnet framework version'\n else ' not using latest dotnet framework version'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":723,"endLineNumber":744,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_latest_dotnet_framework_version","org":"turbot","name":"appservice_web_app_latest_dotnet_framework_version","mod":"Azure Compliance","title":"Web app should use the latest 'Net Framework' version","description":"Periodically, newer versions are released for Net Framework software either due to security flaws or to include additional functionality. Using the latest Net Framework for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Web app should use the latest 'Net Framework' version","controlDescription":"Periodically, newer versions are released for Net Framework software either due to security flaws or to include additional functionality. Using the latest Net Framework for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version.","controlTags":{"service":"Azure/AppService"}},"appservice_web_app_incoming_client_cert_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_incoming_client_cert_on","org":"turbot","name":"appservice_web_app_incoming_client_cert_on","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'client_cert_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'client_cert_enabled')::boolean then ' incoming client certificates set to on'\n else ' incoming client certificates set to off'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_9_4","org":"turbot","name":"cis_v200_9_4","mod":"Azure Compliance","title":"9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.4","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_9_4","org":"turbot","name":"cis_v150_9_4","mod":"Azure Compliance","title":"9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.4","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_9_4","org":"turbot","name":"cis_v140_9_4","mod":"Azure Compliance","title":"9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.4","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_9_4","org":"turbot","name":"cis_v130_9_4","mod":"Azure Compliance","title":"9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.4","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_incoming_client_cert_on","org":"turbot","name":"appservice_web_app_incoming_client_cert_on","mod":"Azure Compliance","title":"Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","tags":{"nist_sp_800_171_rev_2":"true","service":"Azure/AppService"}}],"controlTitle":"Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'","controlDescription":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.4","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService","nist_sp_800_171_rev_2":"true"}},"appservice_web_app_http_logs_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_http_logs_enabled","org":"turbot","name":"appservice_web_app_http_logs_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'logs' -> 'http_logs') is not null) or ((attributes_std -> 'logs' -> 'dynamic' -> 'http_logs') is not null) then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'logs' -> 'http_logs') is not null) or ((attributes_std -> 'logs' -> 'dynamic' -> 'http_logs') is not null) then ' HTTP logs enabled'\n else ' HTTP logs disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":767,"endLineNumber":786,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_http_logs_enabled","org":"turbot","name":"appservice_web_app_http_logs_enabled","mod":"Azure Compliance","title":"Web app HTTP logs should be enabled","description":"Ensure that Web app HTTP logs is enabled. This control is non-compliant if Web app HTTP logs is disabled.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Web app HTTP logs should be enabled","controlDescription":"Ensure that Web app HTTP logs is enabled. This control is non-compliant if Web app HTTP logs is disabled.","controlTags":{"service":"Azure/AppService"}},"appservice_web_app_health_check_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_health_check_enabled","org":"turbot","name":"appservice_web_app_health_check_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config' -> 'health_check_path') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config' -> 'health_check_path') is not null then ' health check enabled'\n else ' health check disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":811,"endLineNumber":830,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_health_check_enabled","org":"turbot","name":"appservice_web_app_health_check_enabled","mod":"Azure Compliance","title":"Web apps should have health check enabled","description":"Health check increases your application's availability by rerouting requests away from unhealthy instances and replacing instances if they remain unhealthy.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Web apps should have health check enabled","controlDescription":"Health check increases your application's availability by rerouting requests away from unhealthy instances and replacing instances if they remain unhealthy.","controlTags":{"service":"Azure/AppService"}},"appservice_web_app_ftps_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_ftps_enabled","org":"turbot","name":"appservice_web_app_ftps_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'ftps_state')::text = 'FtpsOnly' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' ->> 'ftps_state')::text = 'FtpsOnly' then ' FTPS enabled'\n else ' FTPS disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":571,"endLineNumber":592,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_ftps_enabled","org":"turbot","name":"appservice_web_app_ftps_enabled","mod":"Azure Compliance","title":"FTPS should be required in your Web App","description":"Enable FTPS enforcement for enhanced security.","tags":{"nist_sp_800_171_rev_2":"true","service":"Azure/AppService"}}],"controlTitle":"FTPS should be required in your Web App","controlDescription":"Enable FTPS enforcement for enhanced security.","controlTags":{"nist_sp_800_171_rev_2":"true","service":"Azure/AppService"}},"appservice_web_app_failed_request_tracing_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_failed_request_tracing_enabled","org":"turbot","name":"appservice_web_app_failed_request_tracing_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'logs' ->> 'failed_request_tracing') = 'true') or ((attributes_std -> 'logs' ->> 'failed_request_tracing_enabled') = 'true') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'logs' ->> 'failed_request_tracing') = 'true') or ((attributes_std -> 'logs' ->> 'failed_request_tracing_enabled') = 'true') then ' failed request tracing enabled'\n else ' failed request tracing disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":746,"endLineNumber":765,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_failed_request_tracing_enabled","org":"turbot","name":"appservice_web_app_failed_request_tracing_enabled","mod":"Azure Compliance","title":"Web app failed request tracing should be enabled","description":"Ensure that Web app enables failed request tracing. This control is non-compliant if Web app failed request tracing is disabled.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Web app failed request tracing should be enabled","controlDescription":"Ensure that Web app enables failed request tracing. This control is non-compliant if Web app failed request tracing is disabled.","controlTags":{"service":"Azure/AppService"}},"appservice_web_app_diagnostic_logs_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_diagnostic_logs_enabled","org":"turbot","name":"appservice_web_app_diagnostic_logs_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logs') is null then 'alarm'\n when\n (attributes_std -> 'logs' ->> 'detailed_error_messages_enabled')::boolean\n and (attributes_std -> 'logs' ->> 'failed_request_tracing_enabled')::boolean\n and (attributes_std -> 'logs' -> 'http_logs') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logs') is null then ' ''logs'' not defined'\n when\n (attributes_std -> 'logs' ->> 'detailed_error_messages_enabled')::boolean\n and (attributes_std -> 'logs' ->> 'failed_request_tracing_enabled')::boolean\n and (attributes_std -> 'logs' -> 'http_logs' -> 'file_system') is not null then ' diagnostic logs enabled'\n else ' diagnostic logs disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":201,"endLineNumber":228,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_diagnostic_logs_enabled","org":"turbot","name":"appservice_web_app_diagnostic_logs_enabled","mod":"Azure Compliance","title":"App Service apps should have resource logs enabled","description":"Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"App Service apps should have resource logs enabled","controlDescription":"Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_web_app_cors_no_star":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_cors_no_star","org":"turbot","name":"appservice_web_app_cors_no_star","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' -> 'cors' -> 'allowed_origins') @> '[\"*\"]' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' -> 'cors' -> 'allowed_origins') @> '[\"*\"]' then ' CORS allow all domains to access the application'\n else ' CORS does not all domains to access the application'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":255,"endLineNumber":276,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_cors_no_star","org":"turbot","name":"appservice_web_app_cors_no_star","mod":"Azure Compliance","title":"App Service apps should not have CORS configured to allow every resource to access your apps","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.","tags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"App Service apps should not have CORS configured to allow every resource to access your apps","controlDescription":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app.","controlTags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_web_app_client_certificates_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_client_certificates_on","org":"turbot","name":"appservice_web_app_client_certificates_on","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'client_cert_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'client_cert_enabled')::boolean then ' client certificate enabled'\n else ' client certificate disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":66,"endLineNumber":85,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_client_certificates_on","org":"turbot","name":"appservice_web_app_client_certificates_on","mod":"Azure Compliance","title":"App Service apps should have 'Client Certificates (Incoming client certificates)' enabled","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","tags":{"hipaa_hitrust_v92":"true","service":"Azure/AppService"}}],"controlTitle":"App Service apps should have 'Client Certificates (Incoming client certificates)' enabled","controlDescription":"Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app.","controlTags":{"hipaa_hitrust_v92":"true","service":"Azure/AppService"}},"appservice_web_app_always_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_always_on","org":"turbot","name":"appservice_web_app_always_on","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config' ->> 'always_on') = 'false' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config' ->> 'always_on') = 'false' then ' alwaysOn disabled'\n else ' alwaysOn enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_linux_web_app', 'azurerm_windows_web_app');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":681,"endLineNumber":700,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_web_app_always_on","org":"turbot","name":"appservice_web_app_always_on","mod":"Azure Compliance","title":"Web apps should be configured to always be on","description":"This control ensures that a web app is configured with settings to keep it consistently active. Always On feature of Azure App Service, keeps the host process running. This allows your site to be more responsive to requests after significant idle periods.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Web apps should be configured to always be on","controlDescription":"This control ensures that a web app is configured with settings to keep it consistently active. Always On feature of Azure App Service, keeps the host process running. This allows your site to be more responsive to requests after significant idle periods.","controlTags":{"service":"Azure/AppService"}},"appservice_plan_minimum_sku":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_plan_minimum_sku","org":"turbot","name":"appservice_plan_minimum_sku","sql":"select\n address as resource,\n case\n when (attributes_std ->>'sku_name') in ('F1', 'D1', 'B1', 'B2', 'B3') then 'alarm'\n else 'ok'\n end status,\n name || ' is of ' || (attributes_std ->>'sku_name') || ' SKU family.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_service_plan';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":832,"endLineNumber":848,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_plan_minimum_sku","org":"turbot","name":"appservice_plan_minimum_sku","mod":"Azure Compliance","title":"Appservice plan should not use free, shared or basic SKU","description":"The Free, Shared, and Basic plans are suitable for constrained testing and development purposes. This control is considered non-compliant when free, shared, or basic SKUs are utilized.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Appservice plan should not use free, shared or basic SKU","controlDescription":"The Free, Shared, and Basic plans are suitable for constrained testing and development purposes. This control is considered non-compliant when free, shared, or basic SKUs are utilized.","controlTags":{"service":"Azure/AppService"}},"appservice_function_app_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_uses_managed_identity","org":"turbot","name":"appservice_function_app_uses_managed_identity","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity') is null then ' ''identity'' is not defined'\n else ' uses ' || (attributes_std -> 'identity' ->> 'type') || ' identity'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":481,"endLineNumber":500,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_uses_managed_identity","org":"turbot","name":"appservice_function_app_uses_managed_identity","mod":"Azure Compliance","title":"Function apps should use managed identity","description":"Use a managed identity for enhanced authentication security.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"Function apps should use managed identity","controlDescription":"Use a managed identity for enhanced authentication security.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_function_app_only_https_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_only_https_accessible","org":"turbot","name":"appservice_function_app_only_https_accessible","sql":"select\n address as resource,\n case\n when (attributes_std -> 'https_only')::boolean then 'ok'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'https_only')::boolean then ' https-only accessible enabled'\n else ' https-only accessible disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":180,"endLineNumber":199,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_only_https_accessible","org":"turbot","name":"appservice_function_app_only_https_accessible","mod":"Azure Compliance","title":"Function apps should only be accessible over HTTPS","description":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}}],"controlTitle":"Function apps should only be accessible over HTTPS","controlDescription":"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","pci_dss_v321":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}},"appservice_function_app_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_latest_tls_version","org":"turbot","name":"appservice_function_app_latest_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'min_tls_version')::float < 1.2 then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''min_tls_version'' not defined'\n when (attributes_std -> 'site_config' ->> 'min_tls_version')::float < 1.2 then ' not using the latest version of TLS encryption'\n else ' using the latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":87,"endLineNumber":108,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_latest_tls_version","org":"turbot","name":"appservice_function_app_latest_tls_version","mod":"Azure Compliance","title":"Function apps should use the latest TLS version","description":"Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}}],"controlTitle":"Function apps should use the latest TLS version","controlDescription":"Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}},"appservice_function_app_latest_python_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_latest_python_version","org":"turbot","name":"appservice_function_app_latest_python_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'PYTHON%' then 'ok'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text = 'PYTHON|3.9' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'PYTHON%' then' not using python version'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text = 'PYTHON|3.9' then ' using the latest python version'\n else ' not using latest python version'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":525,"endLineNumber":548,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_latest_python_version","org":"turbot","name":"appservice_function_app_latest_python_version","mod":"Azure Compliance","title":"Ensure that 'Python version' is the latest, if used as a part of the Function app","description":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Ensure that 'Python version' is the latest, if used as a part of the Function app","controlDescription":"Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","controlTags":{"service":"Azure/AppService"}},"appservice_function_app_latest_java_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_latest_java_version","org":"turbot","name":"appservice_function_app_latest_java_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'JAVA%' then 'ok'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text = 'PYTHON|3.9' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text not like 'JAVA%' then' not using JAVA version'\n when (attributes_std -> 'site_config' ->> 'linux_fx_version')::text like '%11' then ' using the latest JAVA version'\n else ' not using latest JAVA version'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":368,"endLineNumber":391,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_latest_java_version","org":"turbot","name":"appservice_function_app_latest_java_version","mod":"Azure Compliance","title":"Ensure that 'Java version' is the latest, if used as a part of the Function app","description":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Ensure that 'Java version' is the latest, if used as a part of the Function app","controlDescription":"Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps.","controlTags":{"service":"Azure/AppService"}},"appservice_function_app_latest_http_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_latest_http_version","org":"turbot","name":"appservice_function_app_latest_http_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'http2_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' HTTP version not defined'\n when (attributes_std -> 'site_config' ->> 'http2_enabled')::boolean then ' HTTP version is latest'\n else ' HTTP version not latest'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":437,"endLineNumber":458,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_latest_http_version","org":"turbot","name":"appservice_function_app_latest_http_version","mod":"Azure Compliance","title":"Ensure that 'HTTP Version' is the latest, if used to run the Function app","description":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"Ensure that 'HTTP Version' is the latest, if used to run the Function app","controlDescription":"Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_function_app_ftps_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_ftps_enabled","org":"turbot","name":"appservice_function_app_ftps_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' ->> 'ftps_state')::text = 'FtpsOnly' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' ->> 'ftps_state')::text = 'FtpsOnly' then ' FTPS enabled'\n else ' FTPS disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":278,"endLineNumber":299,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_ftps_enabled","org":"turbot","name":"appservice_function_app_ftps_enabled","mod":"Azure Compliance","title":"FTPS only should be required in your Function App","description":"Enable FTPS enforcement for enhanced security.","tags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"FTPS only should be required in your Function App","controlDescription":"Enable FTPS enforcement for enhanced security.","controlTags":{"nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_function_app_cors_no_star":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_cors_no_star","org":"turbot","name":"appservice_function_app_cors_no_star","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config') is null then 'alarm'\n when (attributes_std -> 'site_config' -> 'cors' -> 'allowed_origins') @> '[\"*\"]' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config') is null then ' ''site_config'' not defined'\n when (attributes_std -> 'site_config' -> 'cors' -> 'allowed_origins') @> '[\"*\"]' then ' CORS allow all domains to access the application'\n else ' CORS does not all domains to access the application'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":502,"endLineNumber":523,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_cors_no_star","org":"turbot","name":"appservice_function_app_cors_no_star","mod":"Azure Compliance","title":"Function apps should not have CORS configured to allow every resource to access your apps","description":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.","tags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}}],"controlTitle":"Function apps should not have CORS configured to allow every resource to access your apps","controlDescription":"Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app.","controlTags":{"fedramp_high":"true","hipaa_hitrust_v92":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/AppService"}},"appservice_function_app_client_certificates_on":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_client_certificates_on","org":"turbot","name":"appservice_function_app_client_certificates_on","sql":"select\n address as resource,\n case\n when (attributes_std -> 'client_cert_mode') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'client_cert_mode') is not null then ' cilient certificate enabled'\n else ' client certificate disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_function_app';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":393,"endLineNumber":412,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_function_app_client_certificates_on","org":"turbot","name":"appservice_function_app_client_certificates_on","mod":"Azure Compliance","title":"Function apps should have 'Client Certificates (Incoming client certificates)' enabled","description":"Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}}],"controlTitle":"Function apps should have 'Client Certificates (Incoming client certificates)' enabled","controlDescription":"Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","rbi_itf_nbfc_v2017":"true","service":"Azure/AppService"}},"appservice_ftp_deployment_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_ftp_deployment_disabled","org":"turbot","name":"appservice_ftp_deployment_disabled","sql":"$71","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":324,"endLineNumber":366,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_9_10","org":"turbot","name":"cis_v200_9_10","mod":"Azure Compliance","title":"9.10 Ensure FTP deployments are Disabled","description":"By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.10","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_9_10","org":"turbot","name":"cis_v150_9_10","mod":"Azure Compliance","title":"9.10 Ensure FTP deployments are disabled","description":"By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.10","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_9_10","org":"turbot","name":"cis_v140_9_10","mod":"Azure Compliance","title":"9.10 Ensure FTP deployments are disabled","description":"By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.10","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_9_10","org":"turbot","name":"cis_v130_9_10","mod":"Azure Compliance","title":"9.10 Ensure FTP deployments are disabled","description":"By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.10","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_3","org":"turbot","name":"cis_v300_9_3","mod":"Azure Compliance","title":"9.3 Ensure 'FTP State' is set to 'FTPS Only' or 'Disabled'","description":"By default, App Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Services. If FTPS is not expressly required for the App, the recommended setting is Disabled.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.3","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_9","org":"turbot","name":"cis_v210_9_9","mod":"Azure Compliance","title":"9.9 Ensure FTP deployments are Disabled","description":"By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_ftp_deployment_disabled","org":"turbot","name":"appservice_ftp_deployment_disabled","mod":"Azure Compliance","title":"Ensure FTP deployments are Disabled","description":"By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Ensure FTP deployments are Disabled","controlDescription":"By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.9","cis_level":"1","cis_section_id":"9","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},"appservice_authentication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_authentication_enabled","org":"turbot","name":"appservice_authentication_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'auth_settings') is null then 'alarm'\n when (attributes_std -> 'auth_settings' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'auth_settings') is null then ' ''auth_settings'' not defined'\n when (attributes_std -> 'auth_settings' ->> 'enabled')::boolean then ' authentication set'\n else ' authentication not set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":43,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v130_9_1","org":"turbot","name":"cis_v130_9_1","mod":"Azure Compliance","title":"9.1 Ensure App Service Authentication is set on Azure App Service","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.1","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v1.3.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v210_9_1","org":"turbot","name":"cis_v210_9_1","mod":"Azure Compliance","title":"9.1 Ensure App Service Authentication is set up for apps in Azure App Service","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.1","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v2.1.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v200_9_1","org":"turbot","name":"cis_v200_9_1","mod":"Azure Compliance","title":"9.1 Ensure App Service Authentication is set up for apps in Azure App Service","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.1","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v2.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v150_9_1","org":"turbot","name":"cis_v150_9_1","mod":"Azure Compliance","title":"9.1 Ensure App Service Authentication is set up for apps in Azure App Service","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.1","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v1.5.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v140_9_1","org":"turbot","name":"cis_v140_9_1","mod":"Azure Compliance","title":"9.1 Ensure App Service Authentication is set up for apps in Azure App Service","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.1","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v1.4.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.cis_v300_9_2","org":"turbot","name":"cis_v300_9_2","mod":"Azure Compliance","title":"9.2 Ensure App Service Authentication is set up for apps in Azure App Service","description":"Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","tags":{"category":"Compliance","cis":"true","cis_item_id":"9.2","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.appservice_authentication_enabled","org":"turbot","name":"appservice_authentication_enabled","mod":"Azure Compliance","title":"Ensure App Service authentication is set up for apps in Azure App Service","description":"Azure App Service authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","tags":{"service":"Azure/AppService"}}],"controlTitle":"Ensure App Service authentication is set up for apps in Azure App Service","controlDescription":"Azure App Service authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"9.2","cis_level":"2","cis_section_id":"9","cis_type":"automated","cis_version":"v3.0.0","plugin":"azure","service":"Azure/AppService"}},"appservice_environment_zone_redundant_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_environment_zone_redundant_enabled","org":"turbot","name":"appservice_environment_zone_redundant_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'zone_redundant') is null then 'alarm'\n when (attributes_std ->> 'zone_redundant')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'zone_redundant') is null then ' ''zone_redundant'' is not set'\n when (attributes_std ->> 'zone_redundant')::bool then ' zone redundant'\n else ' not zone redundant'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service_environment_v3';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":999,"endLineNumber":1020,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_environment_zone_redundant_enabled","org":"turbot","name":"appservice_environment_zone_redundant_enabled","mod":"Terraform Azure Compliance","title":"App Service environment should be zone redundant","description":"This control ensures that App Service environment is zone redundant.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"App Service environment should be zone redundant","controlDescription":"This control ensures that App Service environment is zone redundant.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}},"appservice_function_app_builtin_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_builtin_logging_enabled","org":"turbot","name":"appservice_function_app_builtin_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'enable_builtin_logging') = 'false' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'enable_builtin_logging') = 'false' then ' builtin logging disabled'\n else ' builtin logging enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_function_app', 'azurerm_function_app_slot');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":934,"endLineNumber":953,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_function_app_builtin_logging_enabled","org":"turbot","name":"appservice_function_app_builtin_logging_enabled","mod":"Terraform Azure Compliance","title":"Function Apps builtin logging should be enabled","description":"Ensure that builtin logging is enabled for Function Apps.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Function Apps builtin logging should be enabled","controlDescription":"Ensure that builtin logging is enabled for Function Apps.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_detailed_error_messages_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_detailed_error_messages_enabled","org":"turbot","name":"appservice_web_app_detailed_error_messages_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'logs' ->> 'detailed_error_messages_enabled') = 'true') or ((attributes_std -> 'logs' ->> 'detailed_error_messages') = 'true') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'logs' ->> 'detailed_error_messages_enabled') = 'true') or ((attributes_std -> 'logs' ->> 'detailed_error_messages') = 'true') then ' detailed error messages enabled'\n else ' detailed error messages disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":702,"endLineNumber":721,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_detailed_error_messages_enabled","org":"turbot","name":"appservice_web_app_detailed_error_messages_enabled","mod":"Terraform Azure Compliance","title":"Web apps detailed error messages should be enabled","description":"This control ensures that a web app detailed error message is enabled.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web apps detailed error messages should be enabled","controlDescription":"This control ensures that a web app detailed error message is enabled.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_environment_internal_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_environment_internal_encryption_enabled","org":"turbot","name":"appservice_environment_internal_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cluster_setting') is null then 'alarm'\n when\n (attributes_std -> 'cluster_setting' ->> 'name')::text = 'InternalEncryption'\n and (attributes_std -> 'cluster_setting' ->> 'value')::text = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cluster_setting') is null then ' ''cluster_setting'' not defined'\n when\n (attributes_std -> 'cluster_setting' ->> 'name')::text = 'InternalEncryption'\n and (attributes_std -> 'cluster_setting' ->> 'value')::text = 'true' then ' internal encryption enabled'\n else ' internal encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service_environment';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":153,"endLineNumber":178,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_environment_internal_encryption_enabled","org":"turbot","name":"appservice_environment_internal_encryption_enabled","mod":"Terraform Azure Compliance","title":"App Service Environment should enable internal encryption","description":"Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"App Service Environment should enable internal encryption","controlDescription":"Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_public_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_public_access_disabled","org":"turbot","name":"appservice_web_app_public_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'public_network_access_enabled') is null or (attributes_std ->> 'public_network_access_enabled')::bool then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'public_network_access_enabled') is null or (attributes_std ->> 'public_network_access_enabled')::bool then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_linux_web_app', 'azurerm_windows_web_app');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":978,"endLineNumber":997,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_public_access_disabled","org":"turbot","name":"appservice_web_app_public_access_disabled","mod":"Terraform Azure Compliance","title":"Web apps should restrict public network access","description":"This control checks whether Web apps are not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web apps should restrict public network access","controlDescription":"This control checks whether Web apps are not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_slot_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_slot_latest_tls_version","org":"turbot","name":"appservice_web_app_slot_latest_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config' ->> 'min_tls_version')::float < 1.2 then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config' ->> 'min_tls_version')::float < 1.2 then ' not using the latest version of TLS encryption'\n else ' using the latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service_slot';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":892,"endLineNumber":911,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_slot_latest_tls_version","org":"turbot","name":"appservice_web_app_slot_latest_tls_version","mod":"Terraform Azure Compliance","title":"Web app slots should use the latest TLS version","description":"Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web app slots should use the latest TLS version","controlDescription":"Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}},"appservice_function_app_public_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_function_app_public_access_disabled","org":"turbot","name":"appservice_function_app_public_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'public_network_access_enabled') is null or (attributes_std ->> 'public_network_access_enabled')::bool then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'public_network_access_enabled') is null or (attributes_std ->> 'public_network_access_enabled')::bool then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_linux_function_app', 'azurerm_linux_function_app_slot', 'azurerm_windows_function_app', 'azurerm_windows_function_app_slot');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":1022,"endLineNumber":1041,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_function_app_public_access_disabled","org":"turbot","name":"appservice_function_app_public_access_disabled","mod":"Terraform Azure Compliance","title":"Function apps should restrict public network access","description":"This control checks whether Function apps are not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Function apps should restrict public network access","controlDescription":"This control checks whether Function apps are not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}},"appservice_plan_zone_redundant":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_plan_zone_redundant","org":"turbot","name":"appservice_plan_zone_redundant","sql":"select\n address as resource,\n case\n when (attributes_std -> 'zone_balancing_enabled') is null then 'alarm'\n when (attributes_std ->> 'zone_balancing_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'zone_balancing_enabled') is null then ' ''zone_balancing_enabled'' is not set'\n when (attributes_std ->> 'zone_balancing_enabled')::bool then ' zone redundant'\n else ' not zone redundant'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_service_plan';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":955,"endLineNumber":976,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_plan_zone_redundant","org":"turbot","name":"appservice_plan_zone_redundant","mod":"Terraform Azure Compliance","title":"App Service plans should be zone redundant","description":"This control ensures that App Service plans are zone redundant.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"App Service plans should be zone redundant","controlDescription":"This control ensures that App Service plans are zone redundant.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_uses_azure_file":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_uses_azure_file","org":"turbot","name":"appservice_web_app_uses_azure_file","sql":"select\n address as resource,\n case\n when (attributes_std -> 'storage_account' ->> 'type') = 'AzureFiles' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'storage_account' ->> 'type') = 'AzureFiles' then ' uses Azure files'\n else ' not uses Azure files'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_app_service', 'azurerm_linux_web_app', 'azurerm_windows_web_app');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":913,"endLineNumber":932,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_uses_azure_file","org":"turbot","name":"appservice_web_app_uses_azure_file","mod":"Terraform Azure Compliance","title":"Web apps should use Azure files","description":"Ensure that the application services are configured to utilize Azure Files.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web apps should use Azure files","controlDescription":"Ensure that the application services are configured to utilize Azure Files.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}},"appservice_web_app_slot_remote_debugging_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_web_app_slot_remote_debugging_disabled","org":"turbot","name":"appservice_web_app_slot_remote_debugging_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'site_config' ->> 'remote_debugging_enabled') = 'true' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'site_config' ->> 'remote_debugging_enabled') = 'true' then ' remote debugging enabled'\n else ' remote debugging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_service_slot';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":850,"endLineNumber":869,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_web_app_slot_remote_debugging_disabled","org":"turbot","name":"appservice_web_app_slot_remote_debugging_disabled","mod":"Terraform Azure Compliance","title":"Web app slots remote debugging should be disabled","description":"Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Web app slots remote debugging should be disabled","controlDescription":"Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppService"}},"appservice_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/appservice_azure_defender_enabled","org":"turbot","name":"appservice_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'AppServices' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'info'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'AppServices' and (attributes_std ->> 'tier') = 'Standard' then ' Azure Defender on for AppServices'\n else ' Azure Defender off for AppServices'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appservice.pp","startLineNumber":110,"endLineNumber":128,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.appservice_azure_defender_enabled","org":"turbot","name":"appservice_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for App Service should be enabled","description":"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}],"controlTitle":"Azure Defender for App Service should be enabled","controlDescription":"Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/AppService"}}},"app_configuration":{"app_configuration_sku_standard":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/app_configuration_sku_standard","org":"turbot","name":"app_configuration_sku_standard","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku') = 'standard' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku') = 'standard' then ' use Standard SKU'\n else ' does not use Standard SKU'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appconfig.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.app_configuration_sku_standard","org":"turbot","name":"app_configuration_sku_standard","mod":"Azure Compliance","title":"App Configuration should use standard SKU","description":"Ensure that App Configuration uses standard SKU tier. This control is non-compliant if App Configuration does not use standard SKU.","tags":{"service":"Azure/AppConfiguration"}}],"controlTitle":"App Configuration should use standard SKU","controlDescription":"Ensure that App Configuration uses standard SKU tier. This control is non-compliant if App Configuration does not use standard SKU.","controlTags":{"service":"Azure/AppConfiguration"}},"app_configuration_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/app_configuration_encryption_enabled","org":"turbot","name":"app_configuration_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption' ->> 'key_vault_key_identifier') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption' ->> 'key_vault_key_identifier') is null then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appconfig.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.app_configuration_encryption_enabled","org":"turbot","name":"app_configuration_encryption_enabled","mod":"Azure Compliance","title":"App Configuration encryption should be enabled","description":"Enabling App Configuration encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.","tags":{"service":"Azure/AppConfiguration"}}],"controlTitle":"App Configuration encryption should be enabled","controlDescription":"Enabling App Configuration encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.","controlTags":{"service":"Azure/AppConfiguration"}},"app_configuration_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/app_configuration_restrict_public_access","org":"turbot","name":"app_configuration_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access') = 'Enabled' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access') = 'Enabled' then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appconfig.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.app_configuration_restrict_public_access","org":"turbot","name":"app_configuration_restrict_public_access","mod":"Terraform Azure Compliance","title":"App Configurations should restrict public network access","description":"This control checks whether App Configuration is not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppConfiguration"}}],"controlTitle":"App Configurations should restrict public network access","controlDescription":"This control checks whether App Configuration is not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppConfiguration"}},"app_configuration_local_auth_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/app_configuration_local_auth_disabled","org":"turbot","name":"app_configuration_local_auth_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'local_auth_enabled') is null or (attributes_std ->> 'local_auth_enabled')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'local_auth_enabled') is null or (attributes_std ->> 'local_auth_enabled')::boolean then ' local authentication enabled'\n else ' local authentication disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appconfig.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.app_configuration_local_auth_disabled","org":"turbot","name":"app_configuration_local_auth_disabled","mod":"Terraform Azure Compliance","title":"App Configurations local authentication should be disabled","description":"This control checks whether App Configuration local authentication is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppConfiguration"}}],"controlTitle":"App Configurations local authentication should be disabled","controlDescription":"This control checks whether App Configuration local authentication is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppConfiguration"}},"app_configuration_purge_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/app_configuration_purge_protection_enabled","org":"turbot","name":"app_configuration_purge_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'purge_protection_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'purge_protection_enabled')::boolean then ' purge protection enabled'\n else ' purge protection disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_app_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/appconfig.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.app_configuration_purge_protection_enabled","org":"turbot","name":"app_configuration_purge_protection_enabled","mod":"Terraform Azure Compliance","title":"App Configurations purge protection should be enabled","description":"This control checks whether App Configuration purge protection is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppConfiguration"}}],"controlTitle":"App Configurations purge protection should be enabled","controlDescription":"This control checks whether App Configuration purge protection is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/AppConfiguration"}}},"api_management":{"apimanagement_service_with_virtual_network":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/apimanagement_service_with_virtual_network","org":"turbot","name":"apimanagement_service_with_virtual_network","sql":"select\n address as resource,\n case\n when (attributes_std -> 'virtual_network_type') is null then 'alarm'\n when (attributes_std ->> 'virtual_network_type')::text <> 'None' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'virtual_network_type') is null then ' ''virtual_network_type'' is not set'\n else ' virtual network is set to ' || (attributes_std ->> 'virtual_network_type')\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_api_management';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apimanagement.pp","startLineNumber":1,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.apimanagement_service_with_virtual_network","org":"turbot","name":"apimanagement_service_with_virtual_network","mod":"Azure Compliance","title":"API Management services should use a virtual network","description":"Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.","tags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/APIManagement"}}],"controlTitle":"API Management services should use a virtual network","controlDescription":"Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.","controlTags":{"fedramp_high":"true","nist_sp_800_171_rev_2":"true","nist_sp_800_53_rev_5":"true","service":"Azure/APIManagement"}},"apimanagement_service_client_certificate_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/apimanagement_service_client_certificate_enabled","org":"turbot","name":"apimanagement_service_client_certificate_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku_name') like 'Consumption%' and (attributes_std ->> 'client_certificate_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku_name') like 'Consumption%' and (attributes_std ->> 'client_certificate_enabled')::boolean then ' client certificate enabled'\n else ' client certificate disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_api_management';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apimanagement.pp","startLineNumber":44,"endLineNumber":63,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-azure-compliance/benchmarks/control.apimanagement_service_client_certificate_enabled","org":"turbot","name":"apimanagement_service_client_certificate_enabled","mod":"Azure Compliance","title":"API Management client certificate should be enabled","description":"Ensure API Management client certificate is enabled. This control is non-compliant if API Management client certificate is disabled.","tags":{"service":"Azure/APIManagement"}}],"controlTitle":"API Management client certificate should be enabled","controlDescription":"Ensure API Management client certificate is enabled. This control is non-compliant if API Management client certificate is disabled.","controlTags":{"service":"Azure/APIManagement"}},"apimanagement_service_uses_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/apimanagement_service_uses_latest_tls_version","org":"turbot","name":"apimanagement_service_uses_latest_tls_version","sql":"$72","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apimanagement.pp","startLineNumber":65,"endLineNumber":92,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.apimanagement_service_uses_latest_tls_version","org":"turbot","name":"apimanagement_service_uses_latest_tls_version","mod":"Terraform Azure Compliance","title":"API Management services should use at least TLS 1.2 version","description":"This control checks that the API Management service uses at least TLS 1.2 version. This control is non-compliant if API Management service uses older TLS version.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/APIManagement"}}],"controlTitle":"API Management services should use at least TLS 1.2 version","controlDescription":"This control checks that the API Management service uses at least TLS 1.2 version. This control is non-compliant if API Management service uses older TLS version.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/APIManagement"}},"cdn_endpoint_custom_domain_uses_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cdn_endpoint_custom_domain_uses_latest_tls_version","org":"turbot","name":"cdn_endpoint_custom_domain_uses_latest_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cdn_managed_https' ->> 'tls_version') in ('None', 'TLS10') then 'alarm'\n when (attributes_std -> 'user_managed_https' ->> 'tls_version') in ('None', 'TLS10') then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cdn_managed_https' ->> 'tls_version') in ('None', 'TLS10') then ' not using the latest version of TLS encryption'\n when (attributes_std -> 'user_managed_https' ->> 'tls_version') in ('None', 'TLS10') then ' not using the latest version of TLS encryption'\n else ' using the latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cdn_endpoint_custom_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cdn.pp","startLineNumber":43,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cdn_endpoint_custom_domain_uses_latest_tls_version","org":"turbot","name":"cdn_endpoint_custom_domain_uses_latest_tls_version","mod":"Terraform Azure Compliance","title":"Content Delivery Network custom domains should use at least TLS 1.2 version","description":"This control checks that the Content Delivery Network custom domains uses at least TLS 1.2 version. This control is non-compliant if Content Delivery Network custom domains uses older TLS version.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/APIManagement"}}],"controlTitle":"Content Delivery Network custom domains should use at least TLS 1.2 version","controlDescription":"This control checks that the Content Delivery Network custom domains uses at least TLS 1.2 version. This control is non-compliant if Content Delivery Network custom domains uses older TLS version.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/APIManagement"}},"apimanagement_service_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/apimanagement_service_restrict_public_access","org":"turbot","name":"apimanagement_service_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled')::boolean or (attributes_std ->> 'public_network_access_enabled') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled')::boolean or (attributes_std ->> 'public_network_access_enabled') is null then ' publicy accessible'\n else ' not publicy accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_api_management';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apimanagement.pp","startLineNumber":94,"endLineNumber":113,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.apimanagement_service_restrict_public_access","org":"turbot","name":"apimanagement_service_restrict_public_access","mod":"Terraform Azure Compliance","title":"API Management services should restrict public network access","description":"This control checks that the API Management service is not publicly accessible. This control is non-compliant if API Management service is publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/APIManagement"}}],"controlTitle":"API Management services should restrict public network access","controlDescription":"This control checks that the API Management service is not publicly accessible. This control is non-compliant if API Management service is publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/APIManagement"}},"apimanagement_backend_uses_https":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/apimanagement_backend_uses_https","org":"turbot","name":"apimanagement_backend_uses_https","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'url') like 'https%' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'url') like 'https%' then ' backend uses HTTPS'\n else ' backend does not use HTTPS'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_api_management_backend';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apimanagement.pp","startLineNumber":23,"endLineNumber":42,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.apimanagement_backend_uses_https","org":"turbot","name":"apimanagement_backend_uses_https","mod":"Terraform Azure Compliance","title":"API Management backends should use HTTPS","description":"This control checks that the API Management backend is configured to use HTTPS.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/APIManagement"}}],"controlTitle":"API Management backends should use HTTPS","controlDescription":"This control checks that the API Management backend is configured to use HTTPS.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/APIManagement"}}},"vpc":{"vpc_security_group_restrict_ingress_ssh_all":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_security_group_restrict_ingress_ssh_all","org":"turbot","name":"vpc_security_group_restrict_ingress_ssh_all","sql":"$73","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":581,"endLineNumber":631,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-ibm-compliance/benchmarks/control.cis_v100_6_2_4","org":"turbot","name":"cis_v100_6_2_4","mod":"IBM Cloud Compliance","title":"6.2.4 Ensure no VPC security groups allow ingress from 0.0.0.0/0 to port 22","description":"VPC security groups provide stateful filtering of ingress/egress network traffic to Virtual Servers. It is recommended that no security group allows unrestricted ingress access to port 22.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.4","cis_level":"1","cis_section_id":"6.2","cis_type":"manual","cis_version":"v1.0.0","plugin":"ibm","service":"IBM/VPC"}}],"controlTitle":"6.2.4 Ensure no VPC security groups allow ingress from 0.0.0.0/0 to port 22","controlDescription":"VPC security groups provide stateful filtering of ingress/egress network traffic to Virtual Servers. It is recommended that no security group allows unrestricted ingress access to port 22.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.4","cis_level":"1","cis_section_id":"6.2","cis_type":"manual","cis_version":"v1.0.0","plugin":"ibm","service":"IBM/VPC"}},"vpc_security_group_restrict_ingress_rdp_all":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_security_group_restrict_ingress_rdp_all","org":"turbot","name":"vpc_security_group_restrict_ingress_rdp_all","sql":"$74","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":633,"endLineNumber":683,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-ibm-compliance/benchmarks/control.cis_v100_6_2_3","org":"turbot","name":"cis_v100_6_2_3","mod":"IBM Cloud Compliance","title":"6.2.3 Ensure no VPC security groups allow ingress from 0.0.0.0/0 to port 3389","description":"VPC security groups provide stateful filtering of ingress/egress network traffic to Virtual Server Instances. It is recommended that no security group allows unrestricted ingress access to port 3389.","tags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.3","cis_level":"1","cis_section_id":"6.2","cis_type":"manual","cis_version":"v1.0.0","plugin":"ibm","service":"IBM/VPC"}}],"controlTitle":"6.2.3 Ensure no VPC security groups allow ingress from 0.0.0.0/0 to port 3389","controlDescription":"VPC security groups provide stateful filtering of ingress/egress network traffic to Virtual Server Instances. It is recommended that no security group allows unrestricted ingress access to port 3389.","controlTags":{"category":"Compliance","cis":"true","cis_item_id":"6.2.3","cis_level":"1","cis_section_id":"6.2","cis_type":"manual","cis_version":"v1.0.0","plugin":"ibm","service":"IBM/VPC"}},"vpc_network_acl_allow_ssh_port_22_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_acl_allow_ssh_port_22_ingress","org":"turbot","name":"vpc_network_acl_allow_ssh_port_22_ingress","sql":"$75","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":450,"endLineNumber":492,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_acl_allow_ssh_port_22_ingress","org":"turbot","name":"vpc_network_acl_allow_ssh_port_22_ingress","mod":"Terraform AWS Compliance","title":"Network ACL should not allow unrestricted SSH port 22 access","description":"This control checks whether the Network ACL allows unrestricted ingress on SSH port 22.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"Network ACL should not allow unrestricted SSH port 22 access","controlDescription":"This control checks whether the Network ACL allows unrestricted ingress on SSH port 22.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_ec2_transit_gateway_auto_accept_attachment_requests_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_ec2_transit_gateway_auto_accept_attachment_requests_disabled","org":"turbot","name":"vpc_ec2_transit_gateway_auto_accept_attachment_requests_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'auto_accept_shared_attachments') = 'enable' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'auto_accept_shared_attachments') = 'enable' then ' automatically accept VPC attachment requests'\n else ' do not automatically accept VPC attachment requests'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ec2_transit_gateway';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":341,"endLineNumber":360,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_ec2_transit_gateway_auto_accept_attachment_requests_disabled","org":"turbot","name":"vpc_ec2_transit_gateway_auto_accept_attachment_requests_disabled","mod":"Terraform AWS Compliance","title":"VPC EC2 transit gateway should not automatically accept VPC attachment requests","description":"This control checks whether the EC2 Transit Gateway has auto-accept attachment requests disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC EC2 transit gateway should not automatically accept VPC attachment requests","controlDescription":"This control checks whether the EC2 Transit Gateway has auto-accept attachment requests disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_network_firewall_policy_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_firewall_policy_encrypted_with_kms_cmk","org":"turbot","name":"vpc_network_firewall_policy_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_configuration' ->> 'key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_configuration' ->> 'key_id') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_networkfirewall_firewall_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":298,"endLineNumber":317,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_firewall_policy_encrypted_with_kms_cmk","org":"turbot","name":"vpc_network_firewall_policy_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"VPC network firewall policy should define a encryption configuration that uses KMS CMK","description":"This control checks whether the Network Firewall Policy is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC network firewall policy should define a encryption configuration that uses KMS CMK","controlDescription":"This control checks whether the Network Firewall Policy is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_network_acl_allow_ftp_port_21_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_acl_allow_ftp_port_21_ingress","org":"turbot","name":"vpc_network_acl_allow_ftp_port_21_ingress","sql":"$76","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":406,"endLineNumber":448,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_acl_allow_ftp_port_21_ingress","org":"turbot","name":"vpc_network_acl_allow_ftp_port_21_ingress","mod":"Terraform AWS Compliance","title":"Network ACL should not allow unrestricted FTP port 21 access","description":"This control checks whether the Network ACL allows unrestricted ingress on FTP port 21.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"Network ACL should not allow unrestricted FTP port 21 access","controlDescription":"This control checks whether the Network ACL allows unrestricted ingress on FTP port 21.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_security_group_associated_to_eni":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_security_group_associated_to_eni","org":"turbot","name":"vpc_security_group_associated_to_eni","sql":"select\n address as resource,\n case\n when name in (select split_part((jsonb_array_elements(attributes_std -> 'security_groups')::text), '.', 2) from terraform_resource where type = 'aws_network_interface') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when name in (select split_part((jsonb_array_elements(attributes_std -> 'security_groups')::text), '.', 2) from terraform_resource where type = 'aws_network_interface') then ' has attached ENI(s)'\n else ' has no attached ENI(s)'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_security_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":124,"endLineNumber":143,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_security_group_associated_to_eni","org":"turbot","name":"vpc_security_group_associated_to_eni","mod":"Terraform AWS Compliance","title":"VPC security groups should be associated with at least one ENI","description":"This rule ensures the security groups are attached to an Amazon Elastic Compute Cloud (Amazon EC2) instance or to an ENI. This rule helps monitor unused security groups in the inventory and the management of your environment.","tags":{"category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC security groups should be associated with at least one ENI","controlDescription":"This rule ensures the security groups are attached to an Amazon Elastic Compute Cloud (Amazon EC2) instance or to an ENI. This rule helps monitor unused security groups in the inventory and the management of your environment.","controlTags":{"category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/VPC"}},"vpc_network_acl_unused":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_acl_unused","org":"turbot","name":"vpc_network_acl_unused","sql":"select\n address as resource,\n case\n when (attributes_std -> 'subnet_ids') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'subnet_ids') is null then ' not associated with subnets'\n else ' associated with ' || (jsonb_array_length(attributes_std -> 'subnet_ids')) || ' subnet(s)'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_network_acl';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":103,"endLineNumber":122,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_acl_unused","org":"turbot","name":"vpc_network_acl_unused","mod":"Terraform AWS Compliance","title":"Unused network access control lists should be removed","description":"This control checks whether there are any unused network access control lists (ACLs). The control checks the item configuration of the resource AWS::EC2::NetworkAcl and determines the relationships of the network ACL.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"Unused network access control lists should be removed","controlDescription":"This control checks whether there are any unused network access control lists (ACLs). The control checks the item configuration of the resource AWS::EC2::NetworkAcl and determines the relationships of the network ACL.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_endpoint_service_acceptance_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_endpoint_service_acceptance_enabled","org":"turbot","name":"vpc_endpoint_service_acceptance_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'acceptance_required') is null then 'alarm'\n when (attributes_std ->> 'acceptance_required')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'acceptance_required') is null then ' ''acceptance_required'' not defined'\n when (attributes_std ->> 'acceptance_required')::boolean then ' ''acceptance_required'' enabled'\n else ' ''acceptance_required'' disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_vpc_endpoint_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":209,"endLineNumber":230,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_endpoint_service_acceptance_enabled","org":"turbot","name":"vpc_endpoint_service_acceptance_enabled","mod":"Terraform AWS Compliance","title":"VPC endpoint service acceptance should be enabled","description":"This control checks whether the VPC endpoint service acceptance is enabled for manual acceptance.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC endpoint service acceptance should be enabled","controlDescription":"This control checks whether the VPC endpoint service acceptance is enabled for manual acceptance.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_transfer_server_not_publicly_accesible":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_transfer_server_not_publicly_accesible","org":"turbot","name":"vpc_transfer_server_not_publicly_accesible","sql":"select\n address as resource,\n case\n when (attributes_std -> 'endpoint_type') is null then 'alarm'\n when (attributes_std ->> 'endpoint_type') in ('VPC', 'VPC_ENDPOINT') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'endpoint_type') is null then ' publicly accessible'\n when (attributes_std ->> 'endpoint_type') in ('VPC', 'VPC_ENDPOINT') then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_transfer_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":232,"endLineNumber":253,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_transfer_server_not_publicly_accesible","org":"turbot","name":"vpc_transfer_server_not_publicly_accesible","mod":"Terraform AWS Compliance","title":"VPC transfer server should not be publicly accessible","description":"This control checks whether the VPC transfer server is not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC transfer server should not be publicly accessible","controlDescription":"This control checks whether the VPC transfer server is not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_eip_associated":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_eip_associated","org":"turbot","name":"vpc_eip_associated","sql":"select\n address as resource,\n case\n when (attributes_std -> 'vpc') is null then 'skip'\n when (attributes_std -> 'instance') is not null or (attributes_std -> 'network_interface') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'vpc') is null then ' not associated with VPC'\n when (attributes_std -> 'instance') is not null or (attributes_std -> 'network_interface') is not null then ' associated with an instance or network interface'\n else ' not associated with an instance or network interface'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_eip';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":24,"endLineNumber":44,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_eip_associated","org":"turbot","name":"vpc_eip_associated","mod":"Terraform AWS Compliance","title":"VPC EIPs should be associated with an EC2 instance or ENI","description":"This rule ensures Elastic IPs allocated to an Amazon Virtual Private Cloud (Amazon VPC) are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or in-use Elastic Network Interfaces.","tags":{"category":"Compliance","nist_csf":"true","pci":"true","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC EIPs should be associated with an EC2 instance or ENI","controlDescription":"This rule ensures Elastic IPs allocated to an Amazon Virtual Private Cloud (Amazon VPC) are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances or in-use Elastic Network Interfaces.","controlTags":{"category":"Compliance","nist_csf":"true","pci":"true","plugin":"terraform","service":"AWS/VPC"}},"vpc_network_firewall_rule_group_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_firewall_rule_group_encrypted_with_kms_cmk","org":"turbot","name":"vpc_network_firewall_rule_group_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_configuration' ->> 'key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_configuration' ->> 'key_id') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_networkfirewall_rule_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":277,"endLineNumber":296,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_firewall_rule_group_encrypted_with_kms_cmk","org":"turbot","name":"vpc_network_firewall_rule_group_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"VPC network firewall rule group should be encrypted with KMS CMK","description":"This control checks whether the Network Firewall Rule Group is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC network firewall rule group should be encrypted with KMS CMK","controlDescription":"This control checks whether the Network Firewall Rule Group is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_security_group_rule_description_for_rules":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_security_group_rule_description_for_rules","org":"turbot","name":"vpc_security_group_rule_description_for_rules","sql":"select\n address as resource,\n case\n when (attributes_std -> 'description') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'description') is null then ' no description defined'\n else ' description defined'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_security_group_rule';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":166,"endLineNumber":184,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_security_group_rule_description_for_rules","org":"turbot","name":"vpc_security_group_rule_description_for_rules","mod":"Terraform AWS Compliance","title":"VPC security group rule should have description for rules","description":"One of the best practices when creating security group rules in AWS is to add a description to the group and each of its rules for better clarity.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC security group rule should have description for rules","controlDescription":"One of the best practices when creating security group rules in AWS is to add a description to the group and each of its rules for better clarity.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_subnet_auto_assign_public_ip_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_subnet_auto_assign_public_ip_disabled","org":"turbot","name":"vpc_subnet_auto_assign_public_ip_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'map_public_ip_on_launch') is null then 'ok'\n when (attributes_std ->> 'map_public_ip_on_launch')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'map_public_ip_on_launch') is null then ' ''map_public_ip_on_launch'' disabled'\n when (attributes_std ->> 'map_public_ip_on_launch')::boolean then ' ''map_public_ip_on_launch'' enabled'\n else ' ''map_public_ip_on_launch'' disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_subnet';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":186,"endLineNumber":207,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_subnet_auto_assign_public_ip_disabled","org":"turbot","name":"vpc_subnet_auto_assign_public_ip_disabled","mod":"Terraform AWS Compliance","title":"VPC subnet auto-assign public IP should be disabled","description":"Ensure that Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. The control is complaint if Amazon VPC does not have subnets that are assigned a public IP address.","tags":{"aws_foundational_security":"true","category":"Compliance","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/VPC"}}],"controlTitle":"VPC subnet auto-assign public IP should be disabled","controlDescription":"Ensure that Amazon Virtual Private Cloud (Amazon VPC) subnets are assigned a public IP address. The control is complaint if Amazon VPC does not have subnets that are assigned a public IP address.","controlTags":{"aws_foundational_security":"true","category":"Compliance","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/VPC"}},"vpc_network_firewall_deletion_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_firewall_deletion_protection_enabled","org":"turbot","name":"vpc_network_firewall_deletion_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'delete_protection')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'delete_protection')::boolean is null then ' deletion protection not set'\n when (attributes_std ->> 'delete_protection')::boolean then ' deletion protection enabled'\n else ' deletion protection disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_networkfirewall_firewall';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":319,"endLineNumber":339,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_firewall_deletion_protection_enabled","org":"turbot","name":"vpc_network_firewall_deletion_protection_enabled","mod":"Terraform AWS Compliance","title":"VPC network firewall should have deletion protection enabled","description":"This control checks whether the Network Firewall has deletion protection enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC network firewall should have deletion protection enabled","controlDescription":"This control checks whether the Network Firewall has deletion protection enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_network_firewall_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_firewall_encrypted_with_kms_cmk","org":"turbot","name":"vpc_network_firewall_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_configuration' ->> 'key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_configuration' ->> 'key_id') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_networkfirewall_firewall';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":256,"endLineNumber":275,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_firewall_encrypted_with_kms_cmk","org":"turbot","name":"vpc_network_firewall_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"VPC network firewall should be encrypted with KMS CMK","description":"This control checks whether the Network Firewall is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC network firewall should be encrypted with KMS CMK","controlDescription":"This control checks whether the Network Firewall is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_security_group_description_for_rules":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_security_group_description_for_rules","org":"turbot","name":"vpc_security_group_description_for_rules","sql":"select\n address as resource,\n case\n when (attributes_std -> 'description') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'description') is null then ' no description defined'\n else ' description defined'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_security_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":145,"endLineNumber":164,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_security_group_description_for_rules","org":"turbot","name":"vpc_security_group_description_for_rules","mod":"Terraform AWS Compliance","title":"VPC security group should have description for rules","description":"One of the best practices when creating security groups in AWS is to add a description to the group for better clarity.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC security group should have description for rules","controlDescription":"One of the best practices when creating security groups in AWS is to add a description to the group for better clarity.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_flow_logs_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_flow_logs_enabled","org":"turbot","name":"vpc_flow_logs_enabled","sql":"with flow_logs as (\n select\n attributes_std ->> 'vpc_id' as flow_log_vpc_id\n from\n terraform_resource\n where\n type = 'aws_flow_log'\n), all_vpc as (\n select\n '\\$\\{aws_vpc.' || name || '.id}' as vpc_id,\n *\n from\n terraform_resource\n where\n type = 'aws_vpc'\n)\nselect\n a.address as resource,\n case\n when b.flow_log_vpc_id is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(a.address, '.', 2) || case\n when b.flow_log_vpc_id is not null then ' flow logging enabled'\n else ' flow logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n all_vpc as a\n left join flow_logs as b on a.vpc_id = b.flow_log_vpc_id;\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":46,"endLineNumber":80,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_flow_logs_enabled","org":"turbot","name":"vpc_flow_logs_enabled","mod":"Terraform AWS Compliance","title":"VPC flow logs should be enabled","description":"The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC.","tags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/VPC","soc_2":"true"}}],"controlTitle":"VPC flow logs should be enabled","controlDescription":"The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC.","controlTags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/VPC","soc_2":"true"}},"vpc_transfer_server_allows_only_secure_protocols":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_transfer_server_allows_only_secure_protocols","org":"turbot","name":"vpc_transfer_server_allows_only_secure_protocols","sql":"select\n address as resource,\n case\n when (attributes_std -> 'protocols') @> '[\"FTP\"]' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'protocols') @> '[\"FTP\"]' then ' allows unsecure protocols'\n else ' allows only secure protocols'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_transfer_server';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":560,"endLineNumber":579,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_transfer_server_allows_only_secure_protocols","org":"turbot","name":"vpc_transfer_server_allows_only_secure_protocols","mod":"Terraform AWS Compliance","title":"VPC transfer server should allow only secure protocols","description":"This control checks whether the VPC transfer server allows only secure protocols.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"VPC transfer server should allow only secure protocols","controlDescription":"This control checks whether the VPC transfer server allows only secure protocols.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_igw_attached_to_authorized_vpc":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_igw_attached_to_authorized_vpc","org":"turbot","name":"vpc_igw_attached_to_authorized_vpc","sql":"select\n address as resource,\n case\n when name in (select split_part((attributes_std ->> 'vpc_id')::text, '.', 2) from terraform_resource where type = 'aws_internet_gateway') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when name in (select split_part((attributes_std ->> 'vpc_id')::text, '.', 2) from terraform_resource where type = 'aws_internet_gateway') then ' has internet gateway attachment(s)'\n else ' has no internet gateway attachment(s)'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_vpc';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":82,"endLineNumber":101,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_igw_attached_to_authorized_vpc","org":"turbot","name":"vpc_igw_attached_to_authorized_vpc","mod":"Terraform AWS Compliance","title":"VPC internet gateways should be attached to authorized VPC","description":"Manage access to resources in the AWS Cloud by ensuring that internet gateways are only attached to authorized Amazon Virtual Private Cloud (Amazon VPC).","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/VPC"}}],"controlTitle":"VPC internet gateways should be attached to authorized VPC","controlDescription":"Manage access to resources in the AWS Cloud by ensuring that internet gateways are only attached to authorized Amazon Virtual Private Cloud (Amazon VPC).","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/VPC"}},"vpc_network_acl_allow_ftp_port_20_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_acl_allow_ftp_port_20_ingress","org":"turbot","name":"vpc_network_acl_allow_ftp_port_20_ingress","sql":"$77","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":362,"endLineNumber":404,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_acl_allow_ftp_port_20_ingress","org":"turbot","name":"vpc_network_acl_allow_ftp_port_20_ingress","mod":"Terraform AWS Compliance","title":"Network ACL should not allow unrestricted FTP port 20 access","description":"This control checks whether the Network ACL allows unrestricted ingress on FTP port 20.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"Network ACL should not allow unrestricted FTP port 20 access","controlDescription":"This control checks whether the Network ACL allows unrestricted ingress on FTP port 20.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_network_acl_rule_restrict_ingress_ports_all":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_acl_rule_restrict_ingress_ports_all","org":"turbot","name":"vpc_network_acl_rule_restrict_ingress_ports_all","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'egress') = 'true' then 'skip'\n when (attributes_std ->> 'rule_action') = 'allow' and (attributes_std -> 'from_port') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'egress') = 'true' then ' is egress rule'\n when (attributes_std ->> 'rule_action') = 'allow' and (attributes_std -> 'from_port') is null then ' allows access to all ports'\n else ' restricts access to all ports'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_network_acl_rule';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":538,"endLineNumber":558,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_acl_rule_restrict_ingress_ports_all","org":"turbot","name":"vpc_network_acl_rule_restrict_ingress_ports_all","mod":"Terraform AWS Compliance","title":"Network ACL ingress rule should not allow access to all ports","description":"This control checks whether the Network ACL ingress rule does not allow access to all ports.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"Network ACL ingress rule should not allow access to all ports","controlDescription":"This control checks whether the Network ACL ingress rule does not allow access to all ports.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_network_acl_allow_rdp_port_3389_ingress":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_network_acl_allow_rdp_port_3389_ingress","org":"turbot","name":"vpc_network_acl_allow_rdp_port_3389_ingress","sql":"$78","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":494,"endLineNumber":536,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_network_acl_allow_rdp_port_3389_ingress","org":"turbot","name":"vpc_network_acl_allow_rdp_port_3389_ingress","mod":"Terraform AWS Compliance","title":"Network ACL should not allow unrestricted RDP port 3389 access","description":"This control checks whether the Network ACL allows unrestricted ingress on RDP port 3389.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}}],"controlTitle":"Network ACL should not allow unrestricted RDP port 3389 access","controlDescription":"This control checks whether the Network ACL allows unrestricted ingress on RDP port 3389.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/VPC"}},"vpc_default_security_group_restricts_all_traffic":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/vpc_default_security_group_restricts_all_traffic","org":"turbot","name":"vpc_default_security_group_restricts_all_traffic","sql":"select\n address as resource,\n case\n when (attributes_std -> 'egress') is null and (attributes_std -> 'ingress') is null then 'ok'\n else 'alarm'\n end as status,\n case\n when (attributes_std -> 'ingress') is not null and (attributes_std -> 'egress') is not null then 'Default security group ' || split_part(address, '.', 2) || ' has inbound and outbound rules'\n when (attributes_std -> 'ingress') is not null and (attributes_std -> 'egress') is null then 'Default security group ' || split_part(address, '.', 2) || ' has inbound rules'\n when (attributes_std -> 'ingress') is null and (attributes_std -> 'egress') is not null then 'Default security group ' || split_part(address, '.', 2) || ' has outbound rules'\n else 'Default security group ' || split_part(address, '.', 2) || ' has no inbound or outbound rules'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_default_security_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vpc.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.vpc_default_security_group_restricts_all_traffic","org":"turbot","name":"vpc_default_security_group_restricts_all_traffic","mod":"Terraform AWS Compliance","title":"VPC default security group should not allow inbound and outbound traffic","description":"Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources.","tags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/VPC"}}],"controlTitle":"VPC default security group should not allow inbound and outbound traffic","controlDescription":"Amazon Elastic Compute Cloud (Amazon EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources.","controlTags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/VPC"}}},"database":{"database_db_home_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/database_db_home_encryption_enabled","org":"turbot","name":"database_db_home_encryption_enabled","sql":"select\n address as resource,\n case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_database_db_home';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/database.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.database_db_home_encryption_enabled","org":"turbot","name":"database_db_home_encryption_enabled","mod":"Terraform OCI Compliance","title":"Database home encryption should be enabled","description":"Ensure database homes are encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Database"}}],"controlTitle":"Database home encryption should be enabled","controlDescription":"Ensure database homes are encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Database"}},"database_db_system_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/database_db_system_encryption_enabled","org":"turbot","name":"database_db_system_encryption_enabled","sql":"select\n address as resource,\n case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_database_db_system';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/database.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.database_db_system_encryption_enabled","org":"turbot","name":"database_db_system_encryption_enabled","mod":"Terraform OCI Compliance","title":"Database system encryption should be enabled","description":"Ensure database systems are encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Database"}}],"controlTitle":"Database system encryption should be enabled","controlDescription":"Ensure database systems are encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Database"}},"database_db_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/database_db_encryption_enabled","org":"turbot","name":"database_db_encryption_enabled","sql":"select\n address as resource,\n case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_database_database';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/database.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.database_db_encryption_enabled","org":"turbot","name":"database_db_encryption_enabled","mod":"Terraform OCI Compliance","title":"Database encryption should be enabled","description":"Ensure databases are encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/Database"}}],"controlTitle":"Database encryption should be enabled","controlDescription":"Ensure databases are encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/Database"}}},"vcn":{"vcn_network_security_group_restrict_ingress_rdp_all":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_network_security_group_restrict_ingress_rdp_all","org":"turbot","name":"vcn_network_security_group_restrict_ingress_rdp_all","sql":"$79","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":1,"endLineNumber":52,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_network_security_group_restrict_ingress_rdp_all","org":"turbot","name":"vcn_network_security_group_restrict_ingress_rdp_all","mod":"Terraform OCI Compliance","title":"Ensure no Network security groups allow ingress from 0.0.0.0/0 to port 3389","description":"Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress access to port 3389.","tags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure no Network security groups allow ingress from 0.0.0.0/0 to port 3389","controlDescription":"Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress access to port 3389.","controlTags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}},"vcn_security_group_has_stateless_ingress_security_rules":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_security_group_has_stateless_ingress_security_rules","org":"turbot","name":"vcn_security_group_has_stateless_ingress_security_rules","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'direction' = 'INGRESS') and (attributes_std ->> 'stateless' is null or (attributes_std ->> 'stateless')::bool is not true) then 'alarm'\n when (attributes_std ->> 'direction' is null) or (attributes_std ->> 'direction' <> 'INGRESS') then 'info'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'direction' = 'INGRESS') and (attributes_std ->> 'stateless' is null or (attributes_std ->> 'stateless')::bool is not true) then ' does not have stateless ingress security rules'\n when (attributes_std ->> 'direction' is null) or (attributes_std ->> 'direction' <> 'INGRESS') then ' has no ingress security rules'\n else ' has stateless ingress security rules'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_network_security_group_security_rule';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":337,"endLineNumber":358,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_security_group_has_stateless_ingress_security_rules","org":"turbot","name":"vcn_security_group_has_stateless_ingress_security_rules","mod":"Terraform OCI Compliance","title":"Ensure Network Security Group has stateless ingress security rules","description":"This control checks if a Network Security Group has stateless ingress security rules.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure Network Security Group has stateless ingress security rules","controlDescription":"This control checks if a Network Security Group has stateless ingress security rules.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/VCN"}},"vcn_default_security_group_allow_icmp_only":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_default_security_group_allow_icmp_only","org":"turbot","name":"vcn_default_security_group_allow_icmp_only","sql":"with all_security_rules as (\n select\n *\n from\n terraform_resource\n where\n type = 'oci_core_security_list'\n), non_complaint as (\n select\n name,\n count(name) as count\n from\n all_security_rules,\n jsonb_array_elements(\n case jsonb_typeof(attributes_std -> 'ingress_security_rules')\n when 'array' then (attributes_std -> 'ingress_security_rules')\n else null end\n ) as p\n where\n p ->> 'protocol' != '1'\n group by name\n)\nselect\n a.address as resource,\n case\n when b.count > 0 or (a.attributes_std -> 'ingress_security_rules' ->> 'protocol' != '1') then 'alarm'\n else 'ok'\n end as status,\n split_part(a.address, '.', 2) || case\n when b.count > 0 or (a.attributes_std -> 'ingress_security_rules' ->> 'protocol' != '1') then ' configured with non ICMP ports'\n else ' configured with ICMP ports only'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n all_security_rules as a\n left join non_complaint as b on a.name = b.name;\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":274,"endLineNumber":314,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_default_security_group_allow_icmp_only","org":"turbot","name":"vcn_default_security_group_allow_icmp_only","mod":"Terraform OCI Compliance","title":"Ensure the Network default security list of every VCN restricts all traffic except ICMP","description":"A default security list is created when a Virtual Cloud Network (VCN) is created. Security lists provide stateful filtering of ingress and egress network traffic to OCI resources. It is recommended no security list allows unrestricted ingress access to Secure Shell (SSH) via port 22.","tags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure the Network default security list of every VCN restricts all traffic except ICMP","controlDescription":"A default security list is created when a Virtual Cloud Network (VCN) is created. Security lists provide stateful filtering of ingress and egress network traffic to OCI resources. It is recommended no security list allows unrestricted ingress access to Secure Shell (SSH) via port 22.","controlTags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}},"vcn_security_list_restrict_ingress_rdp_all":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_security_list_restrict_ingress_rdp_all","org":"turbot","name":"vcn_security_list_restrict_ingress_rdp_all","sql":"$7a","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":178,"endLineNumber":247,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_security_list_restrict_ingress_rdp_all","org":"turbot","name":"vcn_security_list_restrict_ingress_rdp_all","mod":"Terraform OCI Compliance","title":"Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389","description":"Security lists provide stateful or stateless filtering of ingress/egress network traffic to OCI resources on a subnet level. It is recommended that no security group allows unrestricted ingress access to port 3389.","tags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure no security lists allow ingress from 0.0.0.0/0 to port 3389","controlDescription":"Security lists provide stateful or stateless filtering of ingress/egress network traffic to OCI resources on a subnet level. It is recommended that no security group allows unrestricted ingress access to port 3389.","controlTags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}},"vcn_network_security_group_restrict_ingress_ssh_all":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_network_security_group_restrict_ingress_ssh_all","org":"turbot","name":"vcn_network_security_group_restrict_ingress_ssh_all","sql":"$7b","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":54,"endLineNumber":105,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_network_security_group_restrict_ingress_ssh_all","org":"turbot","name":"vcn_network_security_group_restrict_ingress_ssh_all","mod":"Terraform OCI Compliance","title":"Ensure no Network security groups allow ingress from 0.0.0.0/0 to port 22","description":"Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress access to port 22.","tags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure no Network security groups allow ingress from 0.0.0.0/0 to port 22","controlDescription":"Network security groups provide stateful filtering of ingress/egress network traffic to OCI resources. It is recommended that no security group allows unrestricted ingress access to port 22.","controlTags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}},"vcn_subnet_public_access_blocked":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_subnet_public_access_blocked","org":"turbot","name":"vcn_subnet_public_access_blocked","sql":"select\n type || ' ' || name as resource,\n case\n when ((attributes_std ->> 'prohibit_public_ip_on_vnic') is not null and\n (attributes_std ->> 'prohibit_public_ip_on_vnic')::boolean)\n then 'ok'\n else 'alarm'\n end as status,\n name || case\n when ((attributes_std ->> 'prohibit_public_ip_on_vnic') is not null and\n (attributes_std ->> 'prohibit_public_ip_on_vnic')::boolean)\n then ' is not publicly accessible'\n else ' is publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_subnet';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":249,"endLineNumber":272,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_subnet_public_access_blocked","org":"turbot","name":"vcn_subnet_public_access_blocked","mod":"Terraform OCI Compliance","title":"Ensure subnets are not publicly accessible","description":"Public access to a Network's subnet increases resource attack surface and unnecessarily raises the risk of resource compromise. A network source is a set of defined IP addresses. The IP addresses can be public IP addresses or IP addresses from VCNs within your tenancy. After you create a network source, you can reference it in policy or in your tenancy's authentication settings to control access based on the originating IP address.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure subnets are not publicly accessible","controlDescription":"Public access to a Network's subnet increases resource attack surface and unnecessarily raises the risk of resource compromise. A network source is a set of defined IP addresses. The IP addresses can be public IP addresses or IP addresses from VCNs within your tenancy. After you create a network source, you can reference it in policy or in your tenancy's authentication settings to control access based on the originating IP address.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/VCN"}},"vcn_security_list_restrict_ingress_ssh_all":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_security_list_restrict_ingress_ssh_all","org":"turbot","name":"vcn_security_list_restrict_ingress_ssh_all","sql":"$7c","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":107,"endLineNumber":176,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_security_list_restrict_ingress_ssh_all","org":"turbot","name":"vcn_security_list_restrict_ingress_ssh_all","mod":"Terraform OCI Compliance","title":"Ensure no security lists allow ingress from 0.0.0.0/0 to port 22","description":"Security lists provide stateful or stateless filtering of ingress/egress network traffic to OCI resources on a subnet level. It is recommended that no security group allows unrestricted ingress access to port 22.","tags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure no security lists allow ingress from 0.0.0.0/0 to port 22","controlDescription":"Security lists provide stateful or stateless filtering of ingress/egress network traffic to OCI resources on a subnet level. It is recommended that no security group allows unrestricted ingress access to port 22.","controlTags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"OCI/VCN"}},"vcn_inbound_security_lists_are_stateless":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_inbound_security_lists_are_stateless","org":"turbot","name":"vcn_inbound_security_lists_are_stateless","sql":"$7d","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":360,"endLineNumber":402,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_inbound_security_lists_are_stateless","org":"turbot","name":"vcn_inbound_security_lists_are_stateless","mod":"Terraform OCI Compliance","title":"Ensure VCN inbound security lists are stateless","description":"This control checks if a VCN has inbound security lists that are stateless.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure VCN inbound security lists are stateless","controlDescription":"This control checks if a VCN has inbound security lists that are stateless.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/VCN"}},"vcn_has_inbound_security_list_configured":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/vcn_has_inbound_security_list_configured","org":"turbot","name":"vcn_has_inbound_security_list_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'ingress_security_rules' ->> 'protocol') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'ingress_security_rules' ->> 'protocol') is not null then ' has inbound security list configured'\n else ' has no inbound security list configured'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_security_list';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vcn.pp","startLineNumber":316,"endLineNumber":335,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.vcn_has_inbound_security_list_configured","org":"turbot","name":"vcn_has_inbound_security_list_configured","mod":"Terraform OCI Compliance","title":"Ensure VCN has at least one inbound security list configured","description":"This control checks if a VCN has at least one inbound security list configured.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/VCN"}}],"controlTitle":"Ensure VCN has at least one inbound security list configured","controlDescription":"This control checks if a VCN has at least one inbound security list configured.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/VCN"}}},"block_storage":{"blockstorage_boot_volume_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/blockstorage_boot_volume_encryption_enabled","org":"turbot","name":"blockstorage_boot_volume_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is null then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_boot_volume';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/blockstorage.pp","startLineNumber":45,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.blockstorage_boot_volume_encryption_enabled","org":"turbot","name":"blockstorage_boot_volume_encryption_enabled","mod":"Terraform OCI Compliance","title":"Block Storage boot volume encryption should be enabled","description":"Ensure Block Storage boot volumes are encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/BlockStorage"}}],"controlTitle":"Block Storage boot volume encryption should be enabled","controlDescription":"Ensure Block Storage boot volumes are encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/BlockStorage"}},"blockstorage_block_volume_backup_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/blockstorage_block_volume_backup_enabled","org":"turbot","name":"blockstorage_block_volume_backup_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'backup_policy_id') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'backup_policy_id') is null then ' backup disabled'\n else ' backup enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_volume';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/blockstorage.pp","startLineNumber":66,"endLineNumber":85,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.blockstorage_block_volume_backup_enabled","org":"turbot","name":"blockstorage_block_volume_backup_enabled","mod":"Terraform OCI Compliance","title":"Block Storage block volume backup should be enabled","description":"This control checks whether block volume backups are enabled. Block volume backups are used to create point-in-time copies of block volumes that can be used to create new block volumes or overwrite existing block volumes.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/BlockStorage"}}],"controlTitle":"Block Storage block volume backup should be enabled","controlDescription":"This control checks whether block volume backups are enabled. Block volume backups are used to create point-in-time copies of block volumes that can be used to create new block volumes or overwrite existing block volumes.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/BlockStorage"}},"blockstorage_block_volume_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/blockstorage_block_volume_encryption_enabled","org":"turbot","name":"blockstorage_block_volume_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is null then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_volume';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/blockstorage.pp","startLineNumber":24,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.blockstorage_block_volume_encryption_enabled","org":"turbot","name":"blockstorage_block_volume_encryption_enabled","mod":"Terraform OCI Compliance","title":"Block Storage block volume encryption should be enabled","description":"Ensure Block Storage block volumes are encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/BlockStorage"}}],"controlTitle":"Block Storage block volume encryption should be enabled","controlDescription":"Ensure Block Storage block volumes are encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/BlockStorage"}},"blockstorage_boot_volume_backup_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/blockstorage_boot_volume_backup_encryption_enabled","org":"turbot","name":"blockstorage_boot_volume_backup_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'source_details') is null then 'alarm'\n when (attributes_std -> 'source_details' -> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'source_details') is null then ' encryption disabled'\n when (attributes_std -> 'source_details' -> 'kms_key_id') is null then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_core_boot_volume_backup';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/blockstorage.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.blockstorage_boot_volume_backup_encryption_enabled","org":"turbot","name":"blockstorage_boot_volume_backup_encryption_enabled","mod":"Terraform OCI Compliance","title":"Block Storage boot volume backup encryption should be enabled","description":"Ensure Block Storage boot volume backups are encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/BlockStorage"}}],"controlTitle":"Block Storage boot volume backup encryption should be enabled","controlDescription":"Ensure Block Storage boot volume backups are encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/BlockStorage"}}},"vertex_ai":{"vertex_ai_notebook_instance_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/vertex_ai_notebook_instance_restrict_public_access","org":"turbot","name":"vertex_ai_notebook_instance_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'no_public_ip') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'no_public_ip') = 'true' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_notebooks_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vertexai.pp","startLineNumber":21,"endLineNumber":40,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.vertex_ai_notebook_instance_restrict_public_access","org":"turbot","name":"vertex_ai_notebook_instance_restrict_public_access","mod":"Terraform GCP Compliance","title":"Vertex AI notebook instances should restrict public access","description":"This control checks whether Vertex AI notebook instances are public.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/VertexAI"}}],"controlTitle":"Vertex AI notebook instances should restrict public access","controlDescription":"This control checks whether Vertex AI notebook instances are public.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/VertexAI"}},"vertex_ai_dataset_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/vertex_ai_dataset_encrypted_with_cmk","org":"turbot","name":"vertex_ai_dataset_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_spec' -> 'kms_key_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_spec' -> 'kms_key_name') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_vertex_ai_dataset';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/vertexai.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.vertex_ai_dataset_encrypted_with_cmk","org":"turbot","name":"vertex_ai_dataset_encrypted_with_cmk","mod":"Terraform GCP Compliance","title":"Vertex AI datasets should be encrypted with KMS CMK","description":"This control checks whether a Vertex AI dataset is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/VertexAI"}}],"controlTitle":"Vertex AI datasets should be encrypted with KMS CMK","controlDescription":"This control checks whether a Vertex AI dataset is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/VertexAI"}}},"service_bus":{"service_bus_namespace_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/service_bus_namespace_uses_managed_identity","org":"turbot","name":"service_bus_namespace_uses_managed_identity","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity' ->> 'type') = 'SystemAssigned' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity' ->> 'type') = 'SystemAssigned' then ' uses managed identity'\n else ' not use managed identity'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_servicebus_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/servicebus.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.service_bus_namespace_uses_managed_identity","org":"turbot","name":"service_bus_namespace_uses_managed_identity","mod":"Terraform Azure Compliance","title":"Service bus namespaces should use managed identity","description":"Use a managed identity for enhanced authentication security. A managed identity from Azure Active Directory (Azure AD) allows your namespace to easily access other Azure AD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}}],"controlTitle":"Service bus namespaces should use managed identity","controlDescription":"Use a managed identity for enhanced authentication security. A managed identity from Azure Active Directory (Azure AD) allows your namespace to easily access other Azure AD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}},"service_bus_namespace_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/service_bus_namespace_restrict_public_access","org":"turbot","name":"service_bus_namespace_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_servicebus_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/servicebus.pp","startLineNumber":106,"endLineNumber":125,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.service_bus_namespace_restrict_public_access","org":"turbot","name":"service_bus_namespace_restrict_public_access","mod":"Terraform Azure Compliance","title":"Service bus namespaces should restrict public access","description":"Disabling public network access improves security by ensuring that your Service bus namespace is not exposed on the public internet.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}}],"controlTitle":"Service bus namespaces should restrict public access","controlDescription":"Disabling public network access improves security by ensuring that your Service bus namespace is not exposed on the public internet.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}},"service_bus_namespace_local_auth_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/service_bus_namespace_local_auth_disabled","org":"turbot","name":"service_bus_namespace_local_auth_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'local_auth_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'local_auth_enabled') = 'false' then ' local authentication disabled'\n else ' local authentication enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_servicebus_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/servicebus.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.service_bus_namespace_local_auth_disabled","org":"turbot","name":"service_bus_namespace_local_auth_disabled","mod":"Terraform Azure Compliance","title":"Service bus namespaces should have local authentication disabled","description":"Disabling local authentication methods improves security by ensuring that Service bus namespaces require Azure Active Directory identities exclusively for authentication.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}}],"controlTitle":"Service bus namespaces should have local authentication disabled","controlDescription":"Disabling local authentication methods improves security by ensuring that Service bus namespaces require Azure Active Directory identities exclusively for authentication.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}},"service_bus_namespace_encrypted_with_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/service_bus_namespace_encrypted_with_cmk","org":"turbot","name":"service_bus_namespace_encrypted_with_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'customer_managed_key' -> 'key_vault_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'customer_managed_key' -> 'key_vault_key_id') is not null then ' encrypted with CMK'\n else ' not encrypted with CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_servicebus_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/servicebus.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.service_bus_namespace_encrypted_with_cmk","org":"turbot","name":"service_bus_namespace_encrypted_with_cmk","mod":"Terraform Azure Compliance","title":"Service Bus namespaces should use a customer-managed key for encryption","description":"Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}}],"controlTitle":"Service Bus namespaces should use a customer-managed key for encryption","controlDescription":"Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}},"service_bus_namespace_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/service_bus_namespace_latest_tls_version","org":"turbot","name":"service_bus_namespace_latest_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'minimum_tls_version')::float < 1.2 then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'minimum_tls_version')::float < 1.2 then ' not using the latest version of TLS encryption'\n else ' using the latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_servicebus_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/servicebus.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.service_bus_namespace_latest_tls_version","org":"turbot","name":"service_bus_namespace_latest_tls_version","mod":"Terraform Azure Compliance","title":"Service bus namespaces should use the latest TLS version","description":"It is highly recommended to use the latest TLS 1.2 version for Service bus namespaces secure connections.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}}],"controlTitle":"Service bus namespaces should use the latest TLS version","controlDescription":"It is highly recommended to use the latest TLS 1.2 version for Service bus namespaces secure connections.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}},"service_bus_namespace_infrastructure_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/service_bus_namespace_infrastructure_encryption_enabled","org":"turbot","name":"service_bus_namespace_infrastructure_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'customer_managed_key' -> 'infrastructure_encryption_enabled')::bool is true then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'customer_managed_key' -> 'infrastructure_encryption_enabled')::bool is true then ' infrastructure encryption enabled'\n else ' infrastructure encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_servicebus_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/servicebus.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.service_bus_namespace_infrastructure_encryption_enabled","org":"turbot","name":"service_bus_namespace_infrastructure_encryption_enabled","mod":"Terraform Azure Compliance","title":"Service Bus namespaces should have infrastructure encryption enabled","description":"Ensure Service Bus namespace infrastructure encryption is enabled. This control is non-complaint if namespace infrastructure encryption is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}}],"controlTitle":"Service Bus namespaces should have infrastructure encryption enabled","controlDescription":"Ensure Service Bus namespace infrastructure encryption is enabled. This control is non-complaint if namespace infrastructure encryption is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ServiceBus"}}},"artifact_registry_repository":{"artifact_registry_repository_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/artifact_registry_repository_not_publicly_accessible","org":"turbot","name":"artifact_registry_repository_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then 'alarm' \n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_artifact_registry_repository_iam_member','google_artifact_registry_repository_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/artificaterepository.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.artifact_registry_repository_not_publicly_accessible","org":"turbot","name":"artifact_registry_repository_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"Artifact Registry Repository should not be publicly accessible","description":"This control checks whether Artifact Registry Repository is not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/ArtifactRegistryRepository"}}],"controlTitle":"Artifact Registry Repository should not be publicly accessible","controlDescription":"This control checks whether Artifact Registry Repository is not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/ArtifactRegistryRepository"}},"artifact_registry_repository_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/artifact_registry_repository_encrypted_with_kms_cmk","org":"turbot","name":"artifact_registry_repository_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_name') is null then 'alarm' \n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_name') is null then ' not encrypted with KMS CMK' \n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_artifact_registry_repository';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/artificaterepository.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.artifact_registry_repository_encrypted_with_kms_cmk","org":"turbot","name":"artifact_registry_repository_encrypted_with_kms_cmk","mod":"Terraform GCP Compliance","title":"Artifact Registry Repository should be encrypted with KMS CMK","description":"This control checks whether Artifact Registry Repository is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/ArtifactRegistryRepository"}}],"controlTitle":"Artifact Registry Repository should be encrypted with KMS CMK","controlDescription":"This control checks whether Artifact Registry Repository is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/ArtifactRegistryRepository"}}},"databricks":{"databricks_workspace_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/databricks_workspace_restrict_public_access","org":"turbot","name":"databricks_workspace_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'public_network_access_enabled') = 'false' then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_databricks_workspace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/databricks.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.databricks_workspace_restrict_public_access","org":"turbot","name":"databricks_workspace_restrict_public_access","mod":"Terraform Azure Compliance","title":"Databricks should disable restric public network access","description":"Disabling public network access improves security by ensuring that your Databricks is not exposed on the public internet. Creating private endpoints can limit exposure of your Databricks.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Databricks"}}],"controlTitle":"Databricks should disable restric public network access","controlDescription":"Disabling public network access improves security by ensuring that your Databricks is not exposed on the public internet. Creating private endpoints can limit exposure of your Databricks.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Databricks"}}},"firewall":{"firewall_has_firewall_policy_set":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/firewall_has_firewall_policy_set","org":"turbot","name":"firewall_has_firewall_policy_set","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'firewall_policy_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'firewall_policy_id') is null then ' firewall policy is not set'\n else ' firewall policy is set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_firewall';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/firewall.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.firewall_has_firewall_policy_set","org":"turbot","name":"firewall_has_firewall_policy_set","mod":"Terraform Azure Compliance","title":"Firewall has firewall policy set","description":"This control checks whether a firewall policy is set for the firewall.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Firewall"}}],"controlTitle":"Firewall has firewall policy set","controlDescription":"This control checks whether a firewall policy is set for the firewall.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Firewall"}},"firewall_policy_intrusion_detection_mode_set_to_deny":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/firewall_policy_intrusion_detection_mode_set_to_deny","org":"turbot","name":"firewall_policy_intrusion_detection_mode_set_to_deny","sql":"select\n address as resource,\n case\n when (attributes_std -> 'intrusion_detection' ->> 'mode') = 'Deny' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'intrusion_detection' ->> 'mode') = 'Deny' then ' intrusion detection mode is set to deny'\n else ' intrusion detection mode is not set to deny'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_firewall_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/firewall.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.firewall_policy_intrusion_detection_mode_set_to_deny","org":"turbot","name":"firewall_policy_intrusion_detection_mode_set_to_deny","mod":"Terraform Azure Compliance","title":"Firewall policy intrusion detection mode set to deny","description":"This control checks whether the firewall policy intrusion detection mode is set to deny.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Firewall"}}],"controlTitle":"Firewall policy intrusion detection mode set to deny","controlDescription":"This control checks whether the firewall policy intrusion detection mode is set to deny.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Firewall"}},"firewall_threat_intel_mode_set_to_deny":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/firewall_threat_intel_mode_set_to_deny","org":"turbot","name":"firewall_threat_intel_mode_set_to_deny","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'threat_intel_mode') = 'Deny' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'threat_intel_mode') = 'Deny' then ' threat intel mode is set to deny'\n else ' threat intel mode is not set to deny'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_firewall';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/firewall.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.firewall_threat_intel_mode_set_to_deny","org":"turbot","name":"firewall_threat_intel_mode_set_to_deny","mod":"Terraform Azure Compliance","title":"Firewall threat intel mode set to deny","description":"This control checks whether the firewall threat intel mode is set to deny.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Firewall"}}],"controlTitle":"Firewall threat intel mode set to deny","controlDescription":"This control checks whether the firewall threat intel mode is set to deny.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Firewall"}}},"content_delivery_network":{"cdn_endpoint_http_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cdn_endpoint_http_disabled","org":"turbot","name":"cdn_endpoint_http_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'is_http_allowed') = 'false' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'is_http_allowed') = 'false' then ' HTTP not allowed'\n else ' HTTP allowed'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cdn_endpoint';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cdn.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cdn_endpoint_http_disabled","org":"turbot","name":"cdn_endpoint_http_disabled","mod":"Terraform Azure Compliance","title":"Content Delivery Networks HTTP endpoint should be disabled","description":"This control checks whether Content Delivery Network HTTP endpoint is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContentDeliveryNetwork"}}],"controlTitle":"Content Delivery Networks HTTP endpoint should be disabled","controlDescription":"This control checks whether Content Delivery Network HTTP endpoint is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContentDeliveryNetwork"}},"cdn_endpoint_https_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/cdn_endpoint_https_enabled","org":"turbot","name":"cdn_endpoint_https_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'is_https_allowed') = 'false' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'is_https_allowed') = 'false' then ' HTTPS not allowed'\n else ' HTTPS allowed'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_cdn_endpoint';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cdn.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.cdn_endpoint_https_enabled","org":"turbot","name":"cdn_endpoint_https_enabled","mod":"Terraform Azure Compliance","title":"Content Delivery Networks HTTPS endpoint should be enabled","description":"This control checks whether Content Delivery Network HTTPS endpoint is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContentDeliveryNetwork"}}],"controlTitle":"Content Delivery Networks HTTPS endpoint should be enabled","controlDescription":"This control checks whether Content Delivery Network HTTPS endpoint is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ContentDeliveryNetwork"}}},"event_hub":{"eventhub_namespace_zone_redundant":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventhub_namespace_zone_redundant","org":"turbot","name":"eventhub_namespace_zone_redundant","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'zone_redundant')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'zone_redundant')::bool then ' zone redundant'\n else ' not zone redundant'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventhub_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventhub.pp","startLineNumber":83,"endLineNumber":102,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.eventhub_namespace_zone_redundant","org":"turbot","name":"eventhub_namespace_zone_redundant","mod":"Terraform Azure Compliance","title":"Event Hub namespaces should be zone redundant","description":"This control ensures that Event Hub namespace is zone redundant.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventHub"}}],"controlTitle":"Event Hub namespaces should be zone redundant","controlDescription":"This control ensures that Event Hub namespace is zone redundant.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventHub"}},"eventhub_namespace_uses_latest_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/eventhub_namespace_uses_latest_tls_version","org":"turbot","name":"eventhub_namespace_uses_latest_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'minimum_tls_version') is null then 'ok'\n when (attributes_std ->> 'minimum_tls_version')::text = '1.2' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'minimum_tls_version') is null then ' TLS version not defined by default uses 1.2'\n when (attributes_std ->> 'minimum_tls_version')::text = '1.2' then ' use TLS version 1.2'\n else ' does not use TLS version 1.2'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_eventhub_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eventhub.pp","startLineNumber":60,"endLineNumber":81,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.eventhub_namespace_uses_latest_tls_version","org":"turbot","name":"eventhub_namespace_uses_latest_tls_version","mod":"Terraform Azure Compliance","title":"Event Hub namespaces 'Minimum TLS version' should be set to 'Version 1.2'","description":"This control checks whether 'Minimum TLS version' is set to 1.2. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to later protocols such as TLS 1.2.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventHub"}}],"controlTitle":"Event Hub namespaces 'Minimum TLS version' should be set to 'Version 1.2'","controlDescription":"This control checks whether 'Minimum TLS version' is set to 1.2. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to later protocols such as TLS 1.2.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/EventHub"}}},"data_fusion":{"datafusion_instance_stackdriver_monitoring_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/datafusion_instance_stackdriver_monitoring_enabled","org":"turbot","name":"datafusion_instance_stackdriver_monitoring_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'enable_stackdriver_monitoring')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'enable_stackdriver_monitoring')::boolean then ' has stackdriver monitoring enabled'\n else ' has stackdriver monitoring disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_data_fusion_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/datafusion.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.datafusion_instance_stackdriver_monitoring_enabled","org":"turbot","name":"datafusion_instance_stackdriver_monitoring_enabled","mod":"Terraform GCP Compliance","title":"Data Fusion instance should have Stackdriver Monitoring enabled","description":"This control checks whether Data Fusion instance has Stackdriver Monitoring enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/DataFusion"}}],"controlTitle":"Data Fusion instance should have Stackdriver Monitoring enabled","controlDescription":"This control checks whether Data Fusion instance has Stackdriver Monitoring enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/DataFusion"}},"datafusion_instance_stackdriver_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/datafusion_instance_stackdriver_logging_enabled","org":"turbot","name":"datafusion_instance_stackdriver_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'enable_stackdriver_logging')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'enable_stackdriver_logging')::boolean then ' has stackdriver logging enabled'\n else ' has stackdriver logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_data_fusion_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/datafusion.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.datafusion_instance_stackdriver_logging_enabled","org":"turbot","name":"datafusion_instance_stackdriver_logging_enabled","mod":"Terraform GCP Compliance","title":"Data Fusion instance should have Stackdriver Logging enabled","description":"This control checks whether Data Fusion instance has Stackdriver Logging enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/DataFusion"}}],"controlTitle":"Data Fusion instance should have Stackdriver Logging enabled","controlDescription":"This control checks whether Data Fusion instance has Stackdriver Logging enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/DataFusion"}},"datafusion_instance_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/datafusion_instance_not_publicly_accessible","org":"turbot","name":"datafusion_instance_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'private_instance')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'private_instance')::boolean then ' is not publicly accessible'\n else ' is publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_data_fusion_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/datafusion.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.datafusion_instance_not_publicly_accessible","org":"turbot","name":"datafusion_instance_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"Data Fusion instance should not be publicly accessible","description":"This control checks whether Data Fusion instance is not public.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/DataFusion"}}],"controlTitle":"Data Fusion instance should not be publicly accessible","controlDescription":"This control checks whether Data Fusion instance is not public.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/DataFusion"}}},"spanner":{"spanner_database_deletion_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/spanner_database_deletion_protection_enabled","org":"turbot","name":"spanner_database_deletion_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'deletion_protection') is null then 'alarm'\n when (attributes_std -> 'deletion_protection')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'deletion_protection') is null then ' ''deletion_protection'' not defined'\n when (attributes_std -> 'deletion_protection')::boolean then ' deletion protection enabled'\n else ' deletion protection disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_spanner_database';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/spanner.pp","startLineNumber":22,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.spanner_database_deletion_protection_enabled","org":"turbot","name":"spanner_database_deletion_protection_enabled","mod":"Terraform GCP Compliance","title":"Spanner databases deletion protection should be enabled","description":"This rule ensures that Spanner database has deletion protection enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Spanner"}}],"controlTitle":"Spanner databases deletion protection should be enabled","controlDescription":"This rule ensures that Spanner database has deletion protection enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Spanner"}},"spanner_database_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/spanner_database_encrypted_with_kms_cmk","org":"turbot","name":"spanner_database_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_config' ->> 'kms_key_name') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_config' ->> 'kms_key_name') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_spanner_database';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/spanner.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.spanner_database_encrypted_with_kms_cmk","org":"turbot","name":"spanner_database_encrypted_with_kms_cmk","mod":"Terraform GCP Compliance","title":"Spanner databases should be encrypted with a KMS CMK","description":"This control checks whether Spanner databases are encrypted with a KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Spanner"}}],"controlTitle":"Spanner databases should be encrypted with a KMS CMK","controlDescription":"This control checks whether Spanner databases are encrypted with a KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Spanner"}},"spanner_database_drop_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/spanner_database_drop_protection_enabled","org":"turbot","name":"spanner_database_drop_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enable_drop_protection')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enable_drop_protection')::boolean then ' drop protection enabled'\n else ' drop protection disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_spanner_database';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/spanner.pp","startLineNumber":45,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.spanner_database_drop_protection_enabled","org":"turbot","name":"spanner_database_drop_protection_enabled","mod":"Terraform GCP Compliance","title":"Spanner databases drop protection should be enabled","description":"This rule ensures that Spanner database has drop protection enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Spanner"}}],"controlTitle":"Spanner databases drop protection should be enabled","controlDescription":"This rule ensures that Spanner database has drop protection enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Spanner"}}},"pub_sub":{"pubsub_topic_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/pubsub_topic_encrypted_with_kms_cmk","org":"turbot","name":"pubsub_topic_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_name') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_pubsub_topic';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/pubsub.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.pubsub_topic_encrypted_with_kms_cmk","org":"turbot","name":"pubsub_topic_encrypted_with_kms_cmk","mod":"Terraform GCP Compliance","title":"PubSub Topic encrypted with KMS CMK","description":"This control checks whether PubSub topics are encrypted with a KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/PubSub"}}],"controlTitle":"PubSub Topic encrypted with KMS CMK","controlDescription":"This control checks whether PubSub topics are encrypted with a KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/PubSub"}},"pubsub_topic_repository_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/pubsub_topic_repository_not_publicly_accessible","org":"turbot","name":"pubsub_topic_repository_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_pubsub_topic_iam_member', 'google_pubsub_topic_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/pubsub.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.pubsub_topic_repository_not_publicly_accessible","org":"turbot","name":"pubsub_topic_repository_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"PubSub Topic Repository not publicly accessible","description":"This control checks whether PubSub topics are not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/PubSub"}}],"controlTitle":"PubSub Topic Repository not publicly accessible","controlDescription":"This control checks whether PubSub topics are not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/PubSub"}}},"file_storage":{"file_storage_file_system_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/queries/file_storage_file_system_encryption_enabled","org":"turbot","name":"file_storage_file_system_encryption_enabled","sql":"select\n address as resource,\n case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce((attributes_std ->> 'kms_key_id'), '') = '' then ' encryption disabled'\n else ' encryption enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'oci_file_storage_file_system';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/filestorage.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-oci-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-oci-compliance/benchmarks/control.file_storage_file_system_encryption_enabled","org":"turbot","name":"file_storage_file_system_encryption_enabled","mod":"Terraform OCI Compliance","title":"File Storage file system encryption should be enabled","description":"Ensure File Storage file systems are encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"OCI/FileStorage"}}],"controlTitle":"File Storage file system encryption should be enabled","controlDescription":"Ensure File Storage file systems are encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"OCI/FileStorage"}}},"dataflow":{"dataflow_job_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/dataflow_job_not_publicly_accessible","org":"turbot","name":"dataflow_job_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'ip_configuration') = 'WORKER_IP_PRIVATE' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'ip_configuration') = 'WORKER_IP_PRIVATE' then ' is private'\n else ' is public'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_dataflow_job';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dataflow.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.dataflow_job_not_publicly_accessible","org":"turbot","name":"dataflow_job_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"Dataflow job should not be publicly accessible","description":"This control checks whether Dataflow job is publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataflow"}}],"controlTitle":"Dataflow job should not be publicly accessible","controlDescription":"This control checks whether Dataflow job is publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataflow"}},"dataflow_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/dataflow_encrypted_with_kms_cmk","org":"turbot","name":"dataflow_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_name') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_dataflow_job';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dataflow.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.dataflow_encrypted_with_kms_cmk","org":"turbot","name":"dataflow_encrypted_with_kms_cmk","mod":"Terraform GCP Compliance","title":"Dataflow should be encrypted with KMS CMK","description":"This control checks whether Dataflow is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataflow"}}],"controlTitle":"Dataflow should be encrypted with KMS CMK","controlDescription":"This control checks whether Dataflow is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataflow"}}},"web_pub_sub":{"web_pubsub_sku_with_sla":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/web_pubsub_sku_with_sla","org":"turbot","name":"web_pubsub_sku_with_sla","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'sku') = 'Free_F1' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'sku') = 'Free_F1' then ' using SKU tier without SLA'\n else ' using SKU tier with SLA'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_web_pubsub';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/webpubsub.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.web_pubsub_sku_with_sla","org":"turbot","name":"web_pubsub_sku_with_sla","mod":"Terraform Azure Compliance","title":"Web PubSubs should use SKU with an SLA","description":"This control checks if Web PubSubs use SKU with an SLA. This control is considered non-compliant if Web PubSub uses SKUs without an SLA.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/WebPubSub"}}],"controlTitle":"Web PubSubs should use SKU with an SLA","controlDescription":"This control checks if Web PubSubs use SKU with an SLA. This control is considered non-compliant if Web PubSub uses SKUs without an SLA.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/WebPubSub"}},"web_pubsub_uses_managed_identity":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/web_pubsub_uses_managed_identity","org":"turbot","name":"web_pubsub_uses_managed_identity","sql":"select\n address as resource,\n case\n when (attributes_std -> 'identity') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'identity') is null then ' identity is not defined'\n else ' uses ' || (attributes_std -> 'identity' ->> 'type') || ' identity'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_web_pubsub';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/webpubsub.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.web_pubsub_uses_managed_identity","org":"turbot","name":"web_pubsub_uses_managed_identity","mod":"Terraform Azure Compliance","title":"Web PubSubs should use managed identity","description":"Use a managed identity for enhanced authentication security. A managed identity from Azure Active Directory (Azure AD) allows your Web PubSub to easily access other Azure AD-protected resources such as Azure Key Vault.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/WebPubSub"}}],"controlTitle":"Web PubSubs should use managed identity","controlDescription":"Use a managed identity for enhanced authentication security. A managed identity from Azure Active Directory (Azure AD) allows your Web PubSub to easily access other Azure AD-protected resources such as Azure Key Vault.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/WebPubSub"}}},"dataproc":{"dataproc_cluster_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/dataproc_cluster_encrypted_with_kms_cmk","org":"turbot","name":"dataproc_cluster_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cluster_config' -> 'encryption_config' ->> 'kms_key_name') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cluster_config' -> 'encryption_config' ->> 'kms_key_name') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_dataproc_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dataproc.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.dataproc_cluster_encrypted_with_kms_cmk","org":"turbot","name":"dataproc_cluster_encrypted_with_kms_cmk","mod":"Terraform GCP Compliance","title":"Dataproc cluster should be encrypted with KMS CMK","description":"This control checks whether Dataproc cluster is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataproc"}}],"controlTitle":"Dataproc cluster should be encrypted with KMS CMK","controlDescription":"This control checks whether Dataproc cluster is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataproc"}},"dataproc_cluster_public_ip_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/dataproc_cluster_public_ip_disabled","org":"turbot","name":"dataproc_cluster_public_ip_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cluster_config' -> 'gce_cluster_config' ->> 'internal_ip_only') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cluster_config' -> 'gce_cluster_config' ->> 'internal_ip_only') = 'true' then ' is not accessible from the public internet'\n else ' is accessible from the public internet'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_dataproc_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dataproc.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.dataproc_cluster_public_ip_disabled","org":"turbot","name":"dataproc_cluster_public_ip_disabled","mod":"Terraform GCP Compliance","title":"Dataproc cluster should not have public IP","description":"This control checks whether Dataproc cluster has public IP.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataproc"}}],"controlTitle":"Dataproc cluster should not have public IP","controlDescription":"This control checks whether Dataproc cluster has public IP.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataproc"}},"dataproc_cluster_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/dataproc_cluster_not_publicly_accessible","org":"turbot","name":"dataproc_cluster_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'member') in ('allUsers','allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_dataproc_cluster_iam_binding', 'google_dataproc_cluster_iam_member');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/dataproc.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.dataproc_cluster_not_publicly_accessible","org":"turbot","name":"dataproc_cluster_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"Dataproc cluster should not be publicly accessible","description":"This control checks whether Dataproc cluster is publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataproc"}}],"controlTitle":"Dataproc cluster should not be publicly accessible","controlDescription":"This control checks whether Dataproc cluster is publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Dataproc"}}},"cloud_run":{"cloudrun_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/cloudrun_not_publicly_accessible","org":"turbot","name":"cloudrun_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'member') in ('allUsers', 'allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'member') in ('allUsers', 'allAuthenticatedUsers') or (attributes_std -> 'members') @> '[\"allUsers\"]' or (attributes_std -> 'members') @> '[\"allAuthenticatedUsers\"]' then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_cloud_run_service_iam_member','google_cloud_run_service_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudrun.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.cloudrun_not_publicly_accessible","org":"turbot","name":"cloudrun_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"Cloud Run services should not be publicly accessible","description":"This control checks whether Cloud Run services are not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/CloudRun"}}],"controlTitle":"Cloud Run services should not be publicly accessible","controlDescription":"This control checks whether Cloud Run services are not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/CloudRun"}}},"application_gateway":{"application_gateway_uses_https_listener":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/application_gateway_uses_https_listener","org":"turbot","name":"application_gateway_uses_https_listener","sql":"select\n address as resource,\n case\n when (attributes_std -> 'http_listener' ->> 'protocol') = 'Https' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'http_listener' ->> 'protocol') = 'Https' then ' uses HTTPS listener'\n else ' does not use HTTPS listener'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_application_gateway';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/applicationgateway.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.application_gateway_uses_https_listener","org":"turbot","name":"application_gateway_uses_https_listener","mod":"Terraform Azure Compliance","title":"Application Gateway should use HTTPS Listener","description":"This control checks whether Application Gateway uses HTTPS Listener.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ApplicationGateway"}}],"controlTitle":"Application Gateway should use HTTPS Listener","controlDescription":"This control checks whether Application Gateway uses HTTPS Listener.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ApplicationGateway"}},"application_gateway_restrict_message_lookup_log4j2":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/application_gateway_restrict_message_lookup_log4j2","org":"turbot","name":"application_gateway_restrict_message_lookup_log4j2","sql":"$7e","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/applicationgateway.pp","startLineNumber":90,"endLineNumber":152,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.application_gateway_restrict_message_lookup_log4j2","org":"turbot","name":"application_gateway_restrict_message_lookup_log4j2","mod":"Terraform Azure Compliance","title":"Application Gateway should restrict message lookup in Log4j2","description":"This control checks that Application Gateway restricts message lookup in Log4j2 due to the CVE-2021-44228 vulnerability, also known as log4jshell.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ApplicationGateway"}}],"controlTitle":"Application Gateway should restrict message lookup in Log4j2","controlDescription":"This control checks that Application Gateway restricts message lookup in Log4j2 due to the CVE-2021-44228 vulnerability, also known as log4jshell.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ApplicationGateway"}},"application_gateway_use_secure_ssl_cipher":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/application_gateway_use_secure_ssl_cipher","org":"turbot","name":"application_gateway_use_secure_ssl_cipher","sql":"$7f","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/applicationgateway.pp","startLineNumber":43,"endLineNumber":88,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.application_gateway_use_secure_ssl_cipher","org":"turbot","name":"application_gateway_use_secure_ssl_cipher","mod":"Terraform Azure Compliance","title":"Application Gateway should use secure SSL cipher","description":"This control checks whether Application Gateway uses secure SSL cipher.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/ApplicationGateway"}}],"controlTitle":"Application Gateway should use secure SSL cipher","controlDescription":"This control checks whether Application Gateway uses secure SSL cipher.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/ApplicationGateway"}}},"resource_manager":{"resource_manager_azure_defender_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/resource_manager_azure_defender_enabled","org":"turbot","name":"resource_manager_azure_defender_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'resource_type') = 'Arm' and (attributes_std ->> 'tier') = 'Standard' then 'ok'\n else 'info'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'resource_type') = 'Arm' and (attributes_std ->> 'tier') = 'Standard' then ' Arm azure defender enabled'\n else 'Arm azure defender disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_security_center_subscription_pricing';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/resourcemanagement.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.resource_manager_azure_defender_enabled","org":"turbot","name":"resource_manager_azure_defender_enabled","mod":"Terraform Azure Compliance","title":"Azure Defender for Resource Manager should be enabled","description":"Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity.","tags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/ResourceManager"}}],"controlTitle":"Azure Defender for Resource Manager should be enabled","controlDescription":"Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity.","controlTags":{"category":"Compliance","nist_sp_800_53_rev_5":"true","plugin":"terraform","service":"Azure/ResourceManager"}}},"terraform":{"storage_account_replication_type_set":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_replication_type_set","org":"turbot","name":"storage_account_replication_type_set","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'account_replication_type') in ('GRS', 'RAGRS', 'GZRS', 'RAGZRS') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'account_replication_type') in ('GRS', 'RAGRS', 'GZRS', 'RAGZRS') then ' replication type set correctly'\n when (attributes_std ->> 'account_replication_type') is null then ' replication type not set'\n else ' replication type not set correctly'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":403,"endLineNumber":423,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_replication_type_set","org":"turbot","name":"storage_account_replication_type_set","mod":"Terraform Azure Compliance","title":"Storage accounts should have replication type set","description":"This control checks whether the replication type is set to GRS or RAGRS or GZRS or RAGZRS for the storage account.","tags":{}}],"controlTitle":"Storage accounts should have replication type set","controlDescription":"This control checks whether the replication type is set to GRS or RAGRS or GZRS or RAGZRS for the storage account.","controlTags":{}},"storage_container_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_container_restrict_public_access","org":"turbot","name":"storage_container_restrict_public_access","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'container_access_type') = 'private' or (attributes_std ->> 'container_access_type') is null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'container_access_type') = 'private' or (attributes_std ->> 'container_access_type') is null then ' not publicly accessible'\n else ' publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_container';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":425,"endLineNumber":444,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_container_restrict_public_access","org":"turbot","name":"storage_container_restrict_public_access","mod":"Terraform Azure Compliance","title":"Storage container public access should be disabled","description":"This control checks whether the public access level is set to private for the storage container.","tags":{}}],"controlTitle":"Storage container public access should be disabled","controlDescription":"This control checks whether the public access level is set to private for the storage container.","controlTags":{}},"storage_account_uses_latest_minimum_tls_version":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/storage_account_uses_latest_minimum_tls_version","org":"turbot","name":"storage_account_uses_latest_minimum_tls_version","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'min_tls_version') in ('TLS1_2', 'TLS1_3') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'min_tls_version') in ('TLS1_2', 'TLS1_3') then ' use latest version of TLS encryption'\n when (attributes_std ->> 'min_tls_version') is null then ' version of TLS encryption is not set'\n else ' does not uses latest version of TLS encryption'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_storage_account';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/storage.pp","startLineNumber":381,"endLineNumber":401,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.storage_account_uses_latest_minimum_tls_version","org":"turbot","name":"storage_account_uses_latest_minimum_tls_version","mod":"Terraform Azure Compliance","title":"Storage accounts should use latest minimum TLS version","description":"Use the latest minimum TLS version for your storage accounts to ensure that your data is encrypted in transit.","tags":{}}],"controlTitle":"Storage accounts should use latest minimum TLS version","controlDescription":"Use the latest minimum TLS version for your storage accounts to ensure that your data is encrypted in transit.","controlTags":{}}},"cloud_build":{"cloudbuild_workers_use_private_ip":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/cloudbuild_workers_use_private_ip","org":"turbot","name":"cloudbuild_workers_use_private_ip","sql":"select\n address as resource,\n case\n when (attributes_std -> 'worker_config' ->> 'no_external_ip') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'worker_config' ->> 'no_external_ip') = 'true' then ' no external IP configured'\n else ' external IP configured'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_cloudbuild_worker_pool';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudbuild.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.cloudbuild_workers_use_private_ip","org":"turbot","name":"cloudbuild_workers_use_private_ip","mod":"Terraform GCP Compliance","title":"Cloud Build workers should use private IP addresses","description":"This control checks whether Cloud Build workers are configured to use private IP addresses.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/CloudBuild"}}],"controlTitle":"Cloud Build workers should use private IP addresses","controlDescription":"This control checks whether Cloud Build workers are configured to use private IP addresses.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/CloudBuild"}}},"bigtable":{"bigtable_instance_deletion_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/bigtable_instance_deletion_protection_enabled","org":"turbot","name":"bigtable_instance_deletion_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'deletion_protection') is null then 'alarm'\n when (attributes_std -> 'deletion_protection')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'deletion_protection') is null then ' ''deletion_protection'' not defined'\n when (attributes_std -> 'deletion_protection')::boolean then ' deletion protection enabled'\n else ' deletion protection disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'google_bigtable_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/bigtable.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.bigtable_instance_deletion_protection_enabled","org":"turbot","name":"bigtable_instance_deletion_protection_enabled","mod":"Terraform GCP Compliance","title":"Bigtable Instance deletion protection should be enabled","description":"This rule ensures that Big Table Instance has deletion protection enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/Bigtable"}}],"controlTitle":"Bigtable Instance deletion protection should be enabled","controlDescription":"This rule ensures that Big Table Instance has deletion protection enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/Bigtable"}}},"cloud_function":{"cloudfunction_not_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/queries/cloudfunction_not_publicly_accessible","org":"turbot","name":"cloudfunction_not_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'member') = 'allUsers' or (attributes_std -> 'members') @> '[\"allUsers\"]' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'member') = 'allUsers' or (attributes_std -> 'members') @> '[\"allUsers\"]' then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('google_cloudfunctions_function_iam_member', 'google_cloudfunctions_function_iam_binding', 'google_cloudfunctions2_function_iam_member', 'google_cloudfunctions2_function_iam_binding');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/cloudfunction.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-gcp-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-gcp-compliance/benchmarks/control.cloudfunction_not_publicly_accessible","org":"turbot","name":"cloudfunction_not_publicly_accessible","mod":"Terraform GCP Compliance","title":"Cloud Function should not be publicly accessible","description":"This control checks whether Cloud Function is publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"GCP/CloudFunction"}}],"controlTitle":"Cloud Function should not be publicly accessible","controlDescription":"This control checks whether Cloud Function is publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"GCP/CloudFunction"}}},"signal_r":{"signalr_services_uses_paid_sku":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/signalr_services_uses_paid_sku","org":"turbot","name":"signalr_services_uses_paid_sku","sql":"select\n address as resource,\n case\n when (attributes_std -> 'sku' ->> 'name') = 'Free_F1' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'sku' ->> 'name') = 'Free_F1' then ' is not using paid SKU'\n else ' is using paid SKU'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'azurerm_signalr_service';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/signalr.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.signalr_services_uses_paid_sku","org":"turbot","name":"signalr_services_uses_paid_sku","mod":"Terraform Azure Compliance","title":"SignalR services should use paid SKU","description":"SignalR services should use paid SKU to enable advanced features such as auto-scaling, hybrid connections, and zone redundancy.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/SignalR"}}],"controlTitle":"SignalR services should use paid SKU","controlDescription":"SignalR services should use paid SKU to enable advanced features such as auto-scaling, hybrid connections, and zone redundancy.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/SignalR"}}},"automation":{"automation_account_variables_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/queries/automation_account_variables_encryption_enabled","org":"turbot","name":"automation_account_variables_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'encrypted') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'encrypted') = 'true' then ' encryption enabled'\n else ' encryption disabled'\n end || '.' reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('azurerm_automation_variable_bool', 'azurerm_automation_variable_string', 'azurerm_automation_variable_int', 'azurerm_automation_variable_datetime');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/automation.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-azure-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-azure-compliance/benchmarks/control.automation_account_variables_encryption_enabled","org":"turbot","name":"automation_account_variables_encryption_enabled","mod":"Terraform Azure Compliance","title":"Automation account variables encryption should be enabled","description":"Enabling Automation account variables encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.","tags":{"category":"Compliance","plugin":"terraform","service":"Azure/Automation"}}],"controlTitle":"Automation account variables encryption should be enabled","controlDescription":"Enabling Automation account variables encryption helps protect and safeguard your data to meet your organizational security and compliance commitments.","controlTags":{"category":"Compliance","plugin":"terraform","service":"Azure/Automation"}}},"api_gateway":{"apigateway_method_restricts_open_access":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_method_restricts_open_access","org":"turbot","name":"apigateway_method_restricts_open_access","sql":"$80","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":283,"endLineNumber":304,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_method_restricts_open_access","org":"turbot","name":"apigateway_method_restricts_open_access","mod":"Terraform AWS Compliance","title":"API Gateway Method should have restrictive access","description":"This control checks whether the API Gateway Method is not open to broad unrestricted access.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway Method should have restrictive access","controlDescription":"This control checks whether the API Gateway Method is not open to broad unrestricted access.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}},"apigateway_deployment_create_before_destroy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_deployment_create_before_destroy_enabled","org":"turbot","name":"apigateway_deployment_create_before_destroy_enabled","sql":"select\n address as resource,\n case\n when (lifecycle ->> 'create_before_destroy') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (lifecycle ->> 'create_before_destroy') = 'true' then ' create before destroy enabled'\n else ' create before destroy disabled'\n end || '.' reason\nfrom\n terraform_resource\nwhere\n type = 'aws_api_gateway_deployment';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":180,"endLineNumber":197,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_deployment_create_before_destroy_enabled","org":"turbot","name":"apigateway_deployment_create_before_destroy_enabled","mod":"Terraform AWS Compliance","title":"API Gateway Deployment should have create_before_destroy enabled","description":"This control checks whether AWS API Gateway Deployment has create_before_destroy enabled. It is recommended to enable the resource lifecycle configuration block create_before_destroy argument in this resource configuration to manage all requests that use this API, avoiding an outage.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway Deployment should have create_before_destroy enabled","controlDescription":"This control checks whether AWS API Gateway Deployment has create_before_destroy enabled. It is recommended to enable the resource lifecycle configuration block create_before_destroy argument in this resource configuration to manage all requests that use this API, avoiding an outage.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}},"apigateway_rest_api_stage_xray_tracing_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_rest_api_stage_xray_tracing_enabled","org":"turbot","name":"apigateway_rest_api_stage_xray_tracing_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'tracing_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'tracing_enabled')::boolean then ' X-Ray tracing enabled'\n else ' X-Ray tracing disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_api_gateway_stage';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_rest_api_stage_xray_tracing_enabled","org":"turbot","name":"apigateway_rest_api_stage_xray_tracing_enabled","mod":"Terraform AWS Compliance","title":"API Gateway REST API stages should have AWS X-Ray tracing enabled","description":"This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway REST API stages should have AWS X-Ray tracing enabled","controlDescription":"This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}},"apigateway_method_settings_data_trace_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_method_settings_data_trace_enabled","org":"turbot","name":"apigateway_method_settings_data_trace_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'settings' ->> 'data_trace_enabled') = 'true' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'settings' ->> 'data_trace_enabled') = 'true' then ' data trace enabled'\n else ' data trace disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_api_gateway_method_settings';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":241,"endLineNumber":260,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_method_settings_data_trace_enabled","org":"turbot","name":"apigateway_method_settings_data_trace_enabled","mod":"Terraform AWS Compliance","title":"API Gateway Method Settings should have data trace disabled","description":"This control checks whether AWS API Gateway Method Settings has data trace disabled. It is recommended to disable data trace for all methods in API Gateway.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway Method Settings should have data trace disabled","controlDescription":"This control checks whether AWS API Gateway Method Settings has data trace disabled. It is recommended to disable data trace for all methods in API Gateway.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}},"apigateway_rest_api_create_before_destroy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_rest_api_create_before_destroy_enabled","org":"turbot","name":"apigateway_rest_api_create_before_destroy_enabled","sql":"select\n address as resource,\n case\n when (lifecycle ->> 'create_before_destroy') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (lifecycle ->> 'create_before_destroy') = 'true' then ' create before destroy enabled'\n else ' create before destroy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_api_gateway_rest_api';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":159,"endLineNumber":178,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_rest_api_create_before_destroy_enabled","org":"turbot","name":"apigateway_rest_api_create_before_destroy_enabled","mod":"Terraform AWS Compliance","title":"API Gateway REST API should have create_before_destroy enabled","description":"This control checks whether AWS API Gateway REST API has create_before_destroy enabled. It is recommended to enable the resource lifecycle configuration block create_before_destroy argument in this resource configuration to manage all requests that use this API, avoiding an outage.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway REST API should have create_before_destroy enabled","controlDescription":"This control checks whether AWS API Gateway REST API has create_before_destroy enabled. It is recommended to enable the resource lifecycle configuration block create_before_destroy argument in this resource configuration to manage all requests that use this API, avoiding an outage.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}},"apigateway_method_settings_cache_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_method_settings_cache_enabled","org":"turbot","name":"apigateway_method_settings_cache_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'settings' ->> 'caching_enabled') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'settings' ->> 'caching_enabled') = 'true' then ' caching enabled'\n else ' caching disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_api_gateway_method_settings';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":199,"endLineNumber":218,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_method_settings_cache_enabled","org":"turbot","name":"apigateway_method_settings_cache_enabled","mod":"Terraform AWS Compliance","title":"API Gateway Method Settings should have cache enabled","description":"This control checks whether AWS API Gateway Method Settings has cache enabled. It is recommended to enable cache for all methods in API Gateway.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway Method Settings should have cache enabled","controlDescription":"This control checks whether AWS API Gateway Method Settings has cache enabled. It is recommended to enable cache for all methods in API Gateway.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}},"apigateway_domain_name_use_latest_tls":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_domain_name_use_latest_tls","org":"turbot","name":"apigateway_domain_name_use_latest_tls","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'security_policy') is null or (attributes_std ->> 'security_policy') = 'TLS_1_2' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'security_policy') is null or (attributes_std ->> 'security_policy') = 'TLS_1_2' then ' uses latest TLS security policy'\n else ' does not use latest TLS security policy'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_api_gateway_domain_name';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":306,"endLineNumber":325,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_domain_name_use_latest_tls","org":"turbot","name":"apigateway_domain_name_use_latest_tls","mod":"Terraform AWS Compliance","title":"API Gateway Domain should have latest TLS security policy configured","description":"This control checks whether the API Gateway Domain is configured with latest Transport Layer Security (TLS) version.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway Domain should have latest TLS security policy configured","controlDescription":"This control checks whether the API Gateway Domain is configured with latest Transport Layer Security (TLS) version.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}},"apigateway_stage_cache_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_stage_cache_encryption_at_rest_enabled","org":"turbot","name":"apigateway_stage_cache_encryption_at_rest_enabled","sql":"$81","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":43,"endLineNumber":82,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_stage_cache_encryption_at_rest_enabled","org":"turbot","name":"apigateway_stage_cache_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"API Gateway REST API cache data should be encrypted at rest","description":"This control checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway REST API cache data should be encrypted at rest","controlDescription":"This control checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/APIGateway"}},"apigateway_rest_api_stage_use_ssl_certificate":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_rest_api_stage_use_ssl_certificate","org":"turbot","name":"apigateway_rest_api_stage_use_ssl_certificate","sql":"select\n address as resource,\n case\n when (attributes_std -> 'client_certificate_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'client_certificate_id') is null then ' does not use SSL certificate'\n else ' uses SSL certificate'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_api_gateway_stage';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_rest_api_stage_use_ssl_certificate","org":"turbot","name":"apigateway_rest_api_stage_use_ssl_certificate","mod":"Terraform AWS Compliance","title":"API Gateway stage should uses SSL certificate","description":"Ensure if a REST API stage uses a Secure Sockets Layer (SSL) certificate. This rule is complaint if the REST API stage does not have an associated SSL certificate.","tags":{"category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway stage should uses SSL certificate","controlDescription":"Ensure if a REST API stage uses a Secure Sockets Layer (SSL) certificate. This rule is complaint if the REST API stage does not have an associated SSL certificate.","controlTags":{"category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/APIGateway"}},"apigateway_method_settings_cache_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_method_settings_cache_encryption_enabled","org":"turbot","name":"apigateway_method_settings_cache_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'settings' ->> 'cache_data_encrypted') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'settings' ->> 'cache_data_encrypted') = 'true' then ' cache encryption enabled'\n else ' cache encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_api_gateway_method_settings';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":220,"endLineNumber":239,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_method_settings_cache_encryption_enabled","org":"turbot","name":"apigateway_method_settings_cache_encryption_enabled","mod":"Terraform AWS Compliance","title":"API Gateway Method Settings should have cache encrypted","description":"This control checks whether AWS API Gateway Method Settings has cache encrypted. It is recommended to enable cache encryption for all methods in API Gateway.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway Method Settings should have cache encrypted","controlDescription":"This control checks whether AWS API Gateway Method Settings has cache encrypted. It is recommended to enable cache encryption for all methods in API Gateway.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}},"apigatewayv2_route_set_authorization_type":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigatewayv2_route_set_authorization_type","org":"turbot","name":"apigatewayv2_route_set_authorization_type","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'authorization_type') in ('AWS_IAM', 'CUSTOM', 'JWT') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'authorization_type') in ('AWS_IAM', 'CUSTOM', 'JWT') then ' defines an authorization type'\n else ' does not define an authorization type'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_apigatewayv2_route';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":262,"endLineNumber":281,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigatewayv2_route_set_authorization_type","org":"turbot","name":"apigatewayv2_route_set_authorization_type","mod":"Terraform AWS Compliance","title":"API Gateway V2 Route should have authorization type set","description":"This control checks whether API Gateway V2 Route has authorization type set. It is recommended to set authorization type for all routes in API Gateway V2.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}}],"controlTitle":"API Gateway V2 Route should have authorization type set","controlDescription":"This control checks whether API Gateway V2 Route has authorization type set. It is recommended to set authorization type for all routes in API Gateway V2.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/APIGateway"}},"apigateway_stage_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/apigateway_stage_logging_enabled","org":"turbot","name":"apigateway_stage_logging_enabled","sql":"$82","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/apigateway.pp","startLineNumber":84,"endLineNumber":157,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.apigateway_stage_logging_enabled","org":"turbot","name":"apigateway_stage_logging_enabled","mod":"Terraform AWS Compliance","title":"API Gateway REST and WebSocket API logging should be enabled","description":"This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if logging is not enabled for all methods of a stage or if loggingLevel is neither ERROR nor INFO.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/APIGateway","soc_2":"true"}}],"controlTitle":"API Gateway REST and WebSocket API logging should be enabled","controlDescription":"This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if logging is not enabled for all methods of a stage or if loggingLevel is neither ERROR nor INFO.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/APIGateway","soc_2":"true"}}},"acm":{"acm_certificate_transparency_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/acm_certificate_transparency_logging_enabled","org":"turbot","name":"acm_certificate_transparency_logging_enabled","sql":" select\n address as resource,\n case\n when (attributes_std -> 'options' ->> 'certificate_transparency_logging_preference')::text = 'ENABLED' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'options' ->> 'certificate_transparency_logging_preference')::text = 'ENABLED' then ' certificate transparency logging preference enabled'\n else ' certificate transparency logging preference disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_acm_certificate';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/acm.pp","startLineNumber":23,"endLineNumber":42,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.acm_certificate_transparency_logging_enabled","org":"turbot","name":"acm_certificate_transparency_logging_enabled","mod":"Terraform AWS Compliance","title":"ACM certificates should have transparency logging preference enabled","description":"This control checks whether ACM certificates transparency logging preference is enabled as certificate transparency logging guards against SSL/TLS certificates issued by mistake or by a compromised certificate authority.","tags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"AWS/ACM"}}],"controlTitle":"ACM certificates should have transparency logging preference enabled","controlDescription":"This control checks whether ACM certificates transparency logging preference is enabled as certificate transparency logging guards against SSL/TLS certificates issued by mistake or by a compromised certificate authority.","controlTags":{"category":"Compliance","other_checks":"true","plugin":"terraform","service":"AWS/ACM"}},"acm_certificate_create_before_destroy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/acm_certificate_create_before_destroy_enabled","org":"turbot","name":"acm_certificate_create_before_destroy_enabled","sql":"select\n address as resource,\n case\n when (lifecycle ->> 'create_before_destroy') = 'true' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (lifecycle ->> 'create_before_destroy') = 'true' then ' create before destroy enabled'\n else ' create before destroy disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_acm_certificate';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/acm.pp","startLineNumber":2,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.acm_certificate_create_before_destroy_enabled","org":"turbot","name":"acm_certificate_create_before_destroy_enabled","mod":"Terraform AWS Compliance","title":"ACM certificate should have create before destroy enabled","description":"This control checks whether ACM certificate has create before destroy enabled. It is recommended to enable the resource lifecycle configuration block create_before_destroy argument in this resource configuration to manage all requests that use this certificate, avoiding an outage.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ACM"}}],"controlTitle":"ACM certificate should have create before destroy enabled","controlDescription":"This control checks whether ACM certificate has create before destroy enabled. It is recommended to enable the resource lifecycle configuration block create_before_destroy argument in this resource configuration to manage all requests that use this certificate, avoiding an outage.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ACM"}}},"ssm":{"ssm_parameter_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ssm_parameter_encrypted_with_kms_cmk","org":"turbot","name":"ssm_parameter_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when attributes_std -> 'key_id' is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when attributes_std -> 'key_id' is not null then ' encrypted with KMS'\n else ' not encrypted with KMS'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ssm_parameter';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ssm.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ssm_parameter_encrypted_with_kms_cmk","org":"turbot","name":"ssm_parameter_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"SSM parameter should be encypted using KMS CMK","description":"To help protect data at rest, ensure encryption is enabled for your SSM parameter using KMS CMKs.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SSM"}}],"controlTitle":"SSM parameter should be encypted using KMS CMK","controlDescription":"To help protect data at rest, ensure encryption is enabled for your SSM parameter using KMS CMKs.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SSM"}},"ssm_document_prohibit_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ssm_document_prohibit_public_access","org":"turbot","name":"ssm_document_prohibit_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'permissions' ->> 'account_ids') = 'All' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'permissions' ->> 'account_ids') = 'All' then ' is publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ssm_document';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ssm.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ssm_document_prohibit_public_access","org":"turbot","name":"ssm_document_prohibit_public_access","mod":"Terraform AWS Compliance","title":"SSM documents should not be publicly accessible","description":"This control checks whether AWS Systems Manager documents that are owned by the account are public. This control fails if SSM documents with the owner Self are public.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SSM"}}],"controlTitle":"SSM documents should not be publicly accessible","controlDescription":"This control checks whether AWS Systems Manager documents that are owned by the account are public. This control fails if SSM documents with the owner Self are public.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SSM"}}},"redshift":{"redshift_serverless_namespace_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_serverless_namespace_encrypted_with_kms_cmk","org":"turbot","name":"redshift_serverless_namespace_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshiftserverless_namespace';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":252,"endLineNumber":271,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_serverless_namespace_encrypted_with_kms_cmk","org":"turbot","name":"redshift_serverless_namespace_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Redshift serverless namespaces should be encrypted with KMS CMK","description":"Ensure that Redshift serverless namespaces are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}}],"controlTitle":"Redshift serverless namespaces should be encrypted with KMS CMK","controlDescription":"Ensure that Redshift serverless namespaces are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}},"redshift_cluster_kms_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_kms_enabled","org":"turbot","name":"redshift_cluster_kms_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encrypted') is not null and (attributes_std -> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encrypted') is not null and (attributes_std -> 'kms_key_id') is not null then ' encrypted with KMS'\n else ' not encrypted with KMS'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":116,"endLineNumber":135,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_kms_enabled","org":"turbot","name":"redshift_cluster_kms_enabled","mod":"Terraform AWS Compliance","title":"Amazon Redshift clusters should be encrypted with KMS","description":"Ensure if Amazon Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption. The rule is complaint if encryption is enabled and the cluster is encrypted with the key provided in the kmsKeyArn parameter. The rule is non complaint if the cluster is not encrypted or encrypted with another key.","tags":{"category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Redshift"}}],"controlTitle":"Amazon Redshift clusters should be encrypted with KMS","controlDescription":"Ensure if Amazon Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption. The rule is complaint if encryption is enabled and the cluster is encrypted with the key provided in the kmsKeyArn parameter. The rule is non complaint if the cluster is not encrypted or encrypted with another key.","controlTags":{"category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Redshift"}},"redshift_cluster_automatic_upgrade_major_versions_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_automatic_upgrade_major_versions_enabled","org":"turbot","name":"redshift_cluster_automatic_upgrade_major_versions_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'allow_version_upgrade') is null then 'ok'\n when (attributes_std -> 'allow_version_upgrade')::bool then 'ok'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'allow_version_upgrade') is null then ' ''allow_version_upgrade'' set to true by default'\n when (attributes_std -> 'allow_version_upgrade')::bool then ' ''allow_version_upgrade'' set to true'\n else ' ''allow_version_upgrade'' set to false'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":24,"endLineNumber":45,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_automatic_upgrade_major_versions_enabled","org":"turbot","name":"redshift_cluster_automatic_upgrade_major_versions_enabled","mod":"Terraform AWS Compliance","title":"Amazon Redshift should have automatic upgrades to major versions enabled","description":"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}}],"controlTitle":"Amazon Redshift should have automatic upgrades to major versions enabled","controlDescription":"This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}},"redshift_cluster_encryption_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_encryption_logging_enabled","org":"turbot","name":"redshift_cluster_encryption_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encrypted') is null then 'alarm'\n when (attributes_std -> 'logging') is null then 'alarm'\n when (attributes_std -> 'logging' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encrypted') is null then ' not encrypted'\n when (attributes_std -> 'logging') is null then ' audit logging disabled'\n when (attributes_std -> 'logging' ->> 'enabled')::boolean then ' audit logging enabled'\n else ' audit logging disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":68,"endLineNumber":91,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_encryption_logging_enabled","org":"turbot","name":"redshift_cluster_encryption_logging_enabled","mod":"Terraform AWS Compliance","title":"Redshift cluster audit logging and encryption should be enabled","description":"To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure that required configurations are deployed on Amazon Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift","soc_2":"true"}}],"controlTitle":"Redshift cluster audit logging and encryption should be enabled","controlDescription":"To protect data at rest, ensure that encryption is enabled for your Amazon Redshift clusters. You must also ensure that required configurations are deployed on Amazon Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift","soc_2":"true"}},"redshift_cluster_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_encryption_enabled","org":"turbot","name":"redshift_cluster_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'encrypted') is null then 'alarm'\n when (attributes_std ->> 'encrypted')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'encrypted') is null then ' encryption disabled'\n when (attributes_std ->> 'encrypted')::bool then ' encryption enabled'\n else ' encryption disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":229,"endLineNumber":250,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_encryption_enabled","org":"turbot","name":"redshift_cluster_encryption_enabled","mod":"Terraform AWS Compliance","title":"Redshift clusters should be encrypted","description":"Ensure that Redshift clusters are encrypted.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}}],"controlTitle":"Redshift clusters should be encrypted","controlDescription":"Ensure that Redshift clusters are encrypted.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}},"redshift_cluster_deployed_in_ec2_classic_mode":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_deployed_in_ec2_classic_mode","org":"turbot","name":"redshift_cluster_deployed_in_ec2_classic_mode","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cluster_subnet_group_name') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cluster_subnet_group_name') is not null then ' deployed inside VPC'\n else ' not deployed inside VPC'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":47,"endLineNumber":66,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_deployed_in_ec2_classic_mode","org":"turbot","name":"redshift_cluster_deployed_in_ec2_classic_mode","mod":"Terraform AWS Compliance","title":"Redshift clusters should not be using EC2 classic mode","description":"Ensure EC2-Classic mode is not used for the deployment of redshift clusters","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}}],"controlTitle":"Redshift clusters should not be using EC2 classic mode","controlDescription":"Ensure EC2-Classic mode is not used for the deployment of redshift clusters","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}},"redshift_cluster_no_default_database_name":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_no_default_database_name","org":"turbot","name":"redshift_cluster_no_default_database_name","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'database_name') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'database_name') is not null then ' database name defined'\n else ' no database name defined'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":208,"endLineNumber":227,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_no_default_database_name","org":"turbot","name":"redshift_cluster_no_default_database_name","mod":"Terraform AWS Compliance","title":"Redshift clusters should not use the default database name","description":"This control checks whether a Redshift cluster has changed the database name from its default value. The control will fail if the database name for a Redshift cluster is set to dev.","tags":{"category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/Redshift"}}],"controlTitle":"Redshift clusters should not use the default database name","controlDescription":"This control checks whether a Redshift cluster has changed the database name from its default value. The control will fail if the database name for a Redshift cluster is set to dev.","controlTags":{"category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/Redshift"}},"redshift_cluster_automatic_snapshots_min_7_days":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_automatic_snapshots_min_7_days","org":"turbot","name":"redshift_cluster_automatic_snapshots_min_7_days","sql":"select\n address as resource,\n case\n when (attributes_std -> 'automated_snapshot_retention_period') is null then 'ok'\n when (attributes_std -> 'automated_snapshot_retention_period')::integer > 7 then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'automated_snapshot_retention_period') is null then ' ''automated_snapshot_retention_period'' set to 1 day by default'\n when (attributes_std -> 'automated_snapshot_retention_period')::integer > 7 then ' ''automated_snapshot_retention_period'' set to ' || (attributes_std ->> 'automated_snapshot_retention_period')::integer || ' day(s)'\n else ' ''automated_snapshot_retention_period'' set to 0 days'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_automatic_snapshots_min_7_days","org":"turbot","name":"redshift_cluster_automatic_snapshots_min_7_days","mod":"Terraform AWS Compliance","title":"Amazon Redshift clusters should have automatic snapshots enabled","description":"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven.","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Redshift","soc_2":"true"}}],"controlTitle":"Amazon Redshift clusters should have automatic snapshots enabled","controlDescription":"This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven.","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Redshift","soc_2":"true"}},"redshift_snapshot_copy_grant_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_snapshot_copy_grant_encrypted_with_kms_cmk","org":"turbot","name":"redshift_snapshot_copy_grant_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_snapshot_copy_grant';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":273,"endLineNumber":292,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_snapshot_copy_grant_encrypted_with_kms_cmk","org":"turbot","name":"redshift_snapshot_copy_grant_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Redshift snapshot copy grant should be encrypted with KMS CMK","description":"Ensure that Redshift snapshot copy grant is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}}],"controlTitle":"Redshift snapshot copy grant should be encrypted with KMS CMK","controlDescription":"Ensure that Redshift snapshot copy grant is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}},"redshift_cluster_maintenance_settings_check":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_maintenance_settings_check","org":"turbot","name":"redshift_cluster_maintenance_settings_check","sql":"$83","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":160,"endLineNumber":183,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_maintenance_settings_check","org":"turbot","name":"redshift_cluster_maintenance_settings_check","mod":"Terraform AWS Compliance","title":"Amazon Redshift should have required maintenance settings","description":"Ensure whether Amazon Redshift clusters have the specified maintenance settings. Redshift clusters 'allowVersionUpgrade' should be set to 'true' and 'automatedSnapshotRetentionPeriod' should be greater than 7.","tags":{"category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Redshift"}}],"controlTitle":"Amazon Redshift should have required maintenance settings","controlDescription":"Ensure whether Amazon Redshift clusters have the specified maintenance settings. Redshift clusters 'allowVersionUpgrade' should be set to 'true' and 'automatedSnapshotRetentionPeriod' should be greater than 7.","controlTags":{"category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Redshift"}},"redshift_cluster_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_logging_enabled","org":"turbot","name":"redshift_cluster_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging') is null then 'alarm'\n when (attributes_std -> 'logging' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging') is null then ' audit logging disabled'\n when (attributes_std -> 'logging' ->> 'enabled')::boolean then ' audit logging enabled'\n else ' audit logging disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":137,"endLineNumber":158,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_logging_enabled","org":"turbot","name":"redshift_cluster_logging_enabled","mod":"Terraform AWS Compliance","title":"Amazon Redshift clusters should have logging enabled","description":"Ensure that Amazon Redshift clusters have logging enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}}],"controlTitle":"Amazon Redshift clusters should have logging enabled","controlDescription":"Ensure that Amazon Redshift clusters have logging enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}},"redshift_cluster_enhanced_vpc_routing_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_enhanced_vpc_routing_enabled","org":"turbot","name":"redshift_cluster_enhanced_vpc_routing_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enhanced_vpc_routing') is null then 'alarm'\n when (attributes_std -> 'enhanced_vpc_routing')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enhanced_vpc_routing') is null then ' ''enhanced_vpc_routing'' set to false by default'\n when (attributes_std -> 'enhanced_vpc_routing')::bool then ' ''enhanced_vpc_routing'' set to true'\n else ' ''allow_version_upgrade'' set to false'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":93,"endLineNumber":114,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_enhanced_vpc_routing_enabled","org":"turbot","name":"redshift_cluster_enhanced_vpc_routing_enabled","mod":"Terraform AWS Compliance","title":"Amazon Redshift clusters should use enhanced VPC routing","description":"This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}}],"controlTitle":"Amazon Redshift clusters should use enhanced VPC routing","controlDescription":"This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Redshift"}},"redshift_cluster_prohibit_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/redshift_cluster_prohibit_public_access","org":"turbot","name":"redshift_cluster_prohibit_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'publicly_accessible') is null then 'alarm'\n when (attributes_std -> 'publicly_accessible')::bool then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'publicly_accessible') is null then ' publicly accessible'\n when (attributes_std -> 'publicly_accessible')::bool then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_redshift_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/redshift.pp","startLineNumber":185,"endLineNumber":206,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.redshift_cluster_prohibit_public_access","org":"turbot","name":"redshift_cluster_prohibit_public_access","mod":"Terraform AWS Compliance","title":"Redshift clusters should prohibit public access","description":"Manage access to resources in the AWS Cloud by ensuring that Amazon Redshift clusters are not public.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Redshift"}}],"controlTitle":"Redshift clusters should prohibit public access","controlDescription":"Manage access to resources in the AWS Cloud by ensuring that Amazon Redshift clusters are not public.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Redshift"}}},"sqs":{"sqs_queue_encrypted_at_rest":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sqs_queue_encrypted_at_rest","org":"turbot","name":"sqs_queue_encrypted_at_rest","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_master_key_id') is null then 'alarm'\n when coalesce(trim(attributes_std ->> 'kms_master_key_id'), '') = '' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_master_key_id') is null then ' ''kms_master_key_id'' is not defined'\n when coalesce(trim(attributes_std ->> 'kms_master_key_id'), '') <> '' then ' encryption at rest enabled'\n else ' encryption at rest disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sqs_queue';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sqs.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sqs_queue_encrypted_at_rest","org":"turbot","name":"sqs_queue_encrypted_at_rest","mod":"Terraform AWS Compliance","title":"Amazon SQS queues should be encrypted at rest","description":"This control checks whether Amazon SQS queues are encrypted at rest.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/SQS"}}],"controlTitle":"Amazon SQS queues should be encrypted at rest","controlDescription":"This control checks whether Amazon SQS queues are encrypted at rest.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/SQS"}},"sqs_queue_policy_no_principal_star":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sqs_queue_policy_no_principal_star","org":"turbot","name":"sqs_queue_policy_no_principal_star","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'policy')::jsonb ) -> 'Statement' @> '[{\"Principal\": \"*\"}]' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'policy')::jsonb ) -> 'Statement' @> '[{\"Principal\": \"*\"}]' then ' policy allow all principal'\n else ' policy is ok'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sqs_queue_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sqs.pp","startLineNumber":69,"endLineNumber":88,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sqs_queue_policy_no_principal_star","org":"turbot","name":"sqs_queue_policy_no_principal_star","mod":"Terraform AWS Compliance","title":"SQS queue policies should not allow ALL (*) principal","description":"Ensure that the SQS queue policy restricts access to specific services or principals, ensuring that it is not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SQS"}}],"controlTitle":"SQS queue policies should not allow ALL (*) principal","controlDescription":"Ensure that the SQS queue policy restricts access to specific services or principals, ensuring that it is not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SQS"}},"sqs_queue_policy_no_action_star":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sqs_queue_policy_no_action_star","org":"turbot","name":"sqs_queue_policy_no_action_star","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'policy')::jsonb ) -> 'Statement' @> '[{\"Action\": \"*\"}]' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'policy')::jsonb ) -> 'Statement' @> '[{\"Action\": \"*\"}]' then ' policy allow wildcard action'\n else ' policy is ok'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sqs_queue_policy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sqs.pp","startLineNumber":48,"endLineNumber":67,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sqs_queue_policy_no_action_star","org":"turbot","name":"sqs_queue_policy_no_action_star","mod":"Terraform AWS Compliance","title":"SQS queue policies should not allow ALL (*) actions","description":"SQS CloudWatch Logs destination policy should avoid wildcard in 'actions'.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SQS"}}],"controlTitle":"SQS queue policies should not allow ALL (*) actions","controlDescription":"SQS CloudWatch Logs destination policy should avoid wildcard in 'actions'.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SQS"}},"sqs_vpc_endpoint_without_dns_resolution":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sqs_vpc_endpoint_without_dns_resolution","org":"turbot","name":"sqs_vpc_endpoint_without_dns_resolution","sql":"$84","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sqs.pp","startLineNumber":24,"endLineNumber":46,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sqs_vpc_endpoint_without_dns_resolution","org":"turbot","name":"sqs_vpc_endpoint_without_dns_resolution","mod":"Terraform AWS Compliance","title":"VPC Endpoint for SQS should be enabled in all Availability Zones in use a VPC","description":"Using VPC endpoints helps secure traffic by ensuring the data does not traverse the Internet or access public networks. It also helps keep private subnets private. Setting up VPC endpoints can be complicated.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SQS"}}],"controlTitle":"VPC Endpoint for SQS should be enabled in all Availability Zones in use a VPC","controlDescription":"Using VPC endpoints helps secure traffic by ensuring the data does not traverse the Internet or access public networks. It also helps keep private subnets private. Setting up VPC endpoints can be complicated.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SQS"}}},"timestream":{"timestream_database_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/timestream_database_encrypted_with_kms_cmk","org":"turbot","name":"timestream_database_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is not null then ' encrypted with KMS'\n else ' not encrypted with KMS'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_timestreamwrite_database';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/timestream.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.timestream_database_encrypted_with_kms_cmk","org":"turbot","name":"timestream_database_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Timestream databases should be encrypted using KMS CMK","description":"To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your Timestream database.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Timestream"}}],"controlTitle":"Timestream databases should be encrypted using KMS CMK","controlDescription":"To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your Timestream database.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Timestream"}}},"s_3":{"s3_bucket_cross_region_replication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_cross_region_replication_enabled","org":"turbot","name":"s3_bucket_cross_region_replication_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cors_rule')::jsonb ?& array['allowed_methods', 'allowed_origins'] then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cors_rule') is null then ' ''cors_rule'' is not defined'\n when (attributes_std -> 'cors_rule')::jsonb ?& array['allowed_methods', 'allowed_origins'] then ' enabled with cross-region replication'\n else ' not enabled with cross-region replication'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":1,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_cross_region_replication_enabled","org":"turbot","name":"s3_bucket_cross_region_replication_enabled","mod":"Terraform AWS Compliance","title":"S3 bucket cross-region replication should enabled","description":"Amazon Simple Storage Service (Amazon S3) Cross-Region Replication (CRR) supports maintaining adequate capacity and availability.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3","soc_2":"true"}}],"controlTitle":"S3 bucket cross-region replication should enabled","controlDescription":"Amazon Simple Storage Service (Amazon S3) Cross-Region Replication (CRR) supports maintaining adequate capacity and availability.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3","soc_2":"true"}},"s3_bucket_ignore_public_acls_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_ignore_public_acls_enabled","org":"turbot","name":"s3_bucket_ignore_public_acls_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'ignore_public_acls')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'ignore_public_acls') is null then ' ignore_public_acls not defined'\n when (attributes_std ->> 'ignore_public_acls')::boolean then ' ignore_public_acls enabled'\n else ' ignore_public_acls disabled'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket_public_access_block';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":293,"endLineNumber":312,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_ignore_public_acls_enabled","org":"turbot","name":"s3_bucket_ignore_public_acls_enabled","mod":"Terraform AWS Compliance","title":"S3 bucket should ignore public ACLs","description":"Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets should ignore public ACLs.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}}],"controlTitle":"S3 bucket should ignore public ACLs","controlDescription":"Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets should ignore public ACLs.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}},"s3_bucket_default_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_default_encryption_enabled","org":"turbot","name":"s3_bucket_default_encryption_enabled","sql":"$85","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":46,"endLineNumber":67,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_default_encryption_enabled","org":"turbot","name":"s3_bucket_default_encryption_enabled","mod":"Terraform AWS Compliance","title":"S3 bucket default encryption should be enabled","description":"To help protect data at rest, ensure default encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets.","tags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3"}}],"controlTitle":"S3 bucket default encryption should be enabled","controlDescription":"To help protect data at rest, ensure default encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets.","controlTags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3"}},"s3_bucket_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_logging_enabled","org":"turbot","name":"s3_bucket_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging' -> 'target_bucket') is null then 'alarm'\n when coalesce(trim(attributes_std -> 'logging' ->> 'target_bucket'), '') = '' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging' -> 'target_bucket') is null then ' ''target_bucket'' is not defined'\n when coalesce(trim(attributes_std -> 'logging' ->> 'target_bucket'), '') = '' then ' logging disabled'\n else ' logging enabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":69,"endLineNumber":90,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_logging_enabled","org":"turbot","name":"s3_bucket_logging_enabled","mod":"Terraform AWS Compliance","title":"S3 bucket logging should be enabled","description":"Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3","soc_2":"true"}}],"controlTitle":"S3 bucket logging should be enabled","controlDescription":"Amazon Simple Storage Service (Amazon S3) server access logging provides a method to monitor the network for potential cybersecurity events.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3","soc_2":"true"}},"s3_public_access_block_account":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_public_access_block_account","org":"turbot","name":"s3_public_access_block_account","sql":"$86","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":205,"endLineNumber":250,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_public_access_block_account","org":"turbot","name":"s3_public_access_block_account","mod":"Terraform AWS Compliance","title":"S3 public access should be blocked at account level","description":"Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/S3"}}],"controlTitle":"S3 public access should be blocked at account level","controlDescription":"Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/S3"}},"s3_bucket_mfa_delete_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_mfa_delete_enabled","org":"turbot","name":"s3_bucket_mfa_delete_enabled","sql":"select\n address as resource,\n case\n when coalesce(trim(lower(attributes_std -> 'versioning' ->> 'mfa_delete')), '') in ('true', 'false') and (attributes_std -> 'versioning' ->> 'mfa_delete')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'versioning' ->> 'mfa_delete')::bool then ' MFA delete enabled'\n else ' MFA delete disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":92,"endLineNumber":111,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_mfa_delete_enabled","org":"turbot","name":"s3_bucket_mfa_delete_enabled","mod":"Terraform AWS Compliance","title":"Ensure MFA Delete is enabled on S3 buckets","description":"Once MFA delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.","tags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"AWS/S3"}}],"controlTitle":"Ensure MFA Delete is enabled on S3 buckets","controlDescription":"Once MFA delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.","controlTags":{"category":"Compliance","cis":"true","plugin":"terraform","service":"AWS/S3"}},"s3_bucket_object_lock_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_object_lock_enabled","org":"turbot","name":"s3_bucket_object_lock_enabled","sql":"select\n address as resource,\n case\n when coalesce(trim(attributes_std -> 'object_lock_configuration' ->> 'object_lock_enabled'), '') = 'Enabled' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'object_lock_configuration' -> 'object_lock_enabled') is null then ' ''object_lock_enabled'' is not defined'\n when (attributes_std -> 'object_lock_configuration' ->> 'object_lock_enabled') = 'Enabled' then ' object lock enabled'\n else ' object lock not enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":113,"endLineNumber":133,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_object_lock_enabled","org":"turbot","name":"s3_bucket_object_lock_enabled","mod":"Terraform AWS Compliance","title":"S3 bucket object lock should be enabled","description":"Ensure that your Amazon Simple Storage Service (Amazon S3) bucket has lock enabled, by default.","tags":{"category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/S3","soc_2":"true"}}],"controlTitle":"S3 bucket object lock should be enabled","controlDescription":"Ensure that your Amazon Simple Storage Service (Amazon S3) bucket has lock enabled, by default.","controlTags":{"category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/S3","soc_2":"true"}},"s3_bucket_default_encryption_enabled_kms":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_default_encryption_enabled_kms","org":"turbot","name":"s3_bucket_default_encryption_enabled_kms","sql":"select\n address as resource,\n case\n when coalesce(trim(attributes_std -> 'server_side_encryption_configuration' -> 'rule' -> 'apply_server_side_encryption_by_default' ->> 'sse_algorithm'), '') <> 'aws:kms'\n then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce(trim(attributes_std -> 'server_side_encryption_configuration' -> 'rule' -> 'apply_server_side_encryption_by_default' ->> 'sse_algorithm'), '') = '' then ' ''sse_algorithm'' is not defined'\n when trim(attributes_std -> 'server_side_encryption_configuration' -> 'rule' -> 'apply_server_side_encryption_by_default' ->> 'sse_algorithm') = 'aws:kms' then ' default encryption with KMS enabled'\n else ' default encryption with KMS disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":23,"endLineNumber":44,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_default_encryption_enabled_kms","org":"turbot","name":"s3_bucket_default_encryption_enabled_kms","mod":"Terraform AWS Compliance","title":"S3 bucket default encryption should be enabled with KMS","description":"To help protect data at rest, ensure encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets using KMS.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3"}}],"controlTitle":"S3 bucket default encryption should be enabled with KMS","controlDescription":"To help protect data at rest, ensure encryption is enabled for your Amazon Simple Storage Service (Amazon S3) buckets using KMS.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3"}},"s3_bucket_block_public_policy_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_block_public_policy_enabled","org":"turbot","name":"s3_bucket_block_public_policy_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'block_public_policy')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'block_public_policy') is null then ' block_public_acls not defined'\n when (attributes_std ->> 'block_public_policy')::boolean then ' block_public_policy enabled'\n else ' block_public_policy disabled'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket_public_access_block';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":252,"endLineNumber":271,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_block_public_policy_enabled","org":"turbot","name":"s3_bucket_block_public_policy_enabled","mod":"Terraform AWS Compliance","title":"S3 bucket should have block public policy enabled","description":"Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}}],"controlTitle":"S3 bucket should have block public policy enabled","controlDescription":"Manage access to resources in the AWS Cloud by ensuring that Amazon Simple Storage Service (Amazon S3) buckets cannot be publicly accessed.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}},"s3_bucket_object_copy_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_object_copy_encrypted_with_kms_cmk","org":"turbot","name":"s3_bucket_object_copy_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when attributes_std -> 'kms_key_id' is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when attributes_std -> 'kms_key_id' is not null then ' encrypted with KMS'\n else ' not encrypted with KMS'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_object_copy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":314,"endLineNumber":332,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_object_copy_encrypted_with_kms_cmk","org":"turbot","name":"s3_bucket_object_copy_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"S3 bucket object copy should be encrypted with KMS CMK","description":"Make sure that the object in the S3 bucket is encrypted using a customer managed Key (CMK) from KMS.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}}],"controlTitle":"S3 bucket object copy should be encrypted with KMS CMK","controlDescription":"Make sure that the object in the S3 bucket is encrypted using a customer managed Key (CMK) from KMS.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}},"s3_bucket_versioning_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_versioning_enabled","org":"turbot","name":"s3_bucket_versioning_enabled","sql":"select\n address as resource,\n case\n when coalesce(trim(lower(attributes_std -> 'versioning' ->> 'enabled')), '') in ('true', 'false') and (attributes_std -> 'versioning' -> 'enabled')::bool\n then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when coalesce(trim(lower(attributes_std -> 'versioning' ->> 'enabled')), '') not in ('true', 'false') then ' versioning disabled'\n when (attributes_std -> 'versioning' ->> 'enabled')::bool then ' versioning enabled'\n else ' versioning disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":182,"endLineNumber":203,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_versioning_enabled","org":"turbot","name":"s3_bucket_versioning_enabled","mod":"Terraform AWS Compliance","title":"S3 bucket versioning should be enabled","description":"Amazon Simple Storage Service (Amazon S3) bucket versioning helps keep multiple variants of an object in the same Amazon S3 bucket.","tags":{"category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3","soc_2":"true"}}],"controlTitle":"S3 bucket versioning should be enabled","controlDescription":"Amazon Simple Storage Service (Amazon S3) bucket versioning helps keep multiple variants of an object in the same Amazon S3 bucket.","controlTags":{"category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/S3","soc_2":"true"}},"s3_bucket_object_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_object_encrypted_with_kms_cmk","org":"turbot","name":"s3_bucket_object_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when attributes_std -> 'kms_key_id' is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when attributes_std -> 'kms_key_id' is not null then ' encrypted with KMS'\n else ' not encrypted with KMS'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_s3_bucket_object';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":273,"endLineNumber":291,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_object_encrypted_with_kms_cmk","org":"turbot","name":"s3_bucket_object_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"S3 bucket object should be encrypted with KMS CMK","description":"Make sure that the object in the S3 bucket is encrypted using a customer managed Key (CMK) from KMS.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}}],"controlTitle":"S3 bucket object should be encrypted with KMS CMK","controlDescription":"Make sure that the object in the S3 bucket is encrypted using a customer managed Key (CMK) from KMS.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}},"s3_bucket_public_access_blocked":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_public_access_blocked","org":"turbot","name":"s3_bucket_public_access_blocked","sql":"$87","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":135,"endLineNumber":180,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_public_access_blocked","org":"turbot","name":"s3_bucket_public_access_blocked","mod":"Terraform AWS Compliance","title":"S3 Block Public Access setting should be enabled at the bucket level","description":"This control checks whether S3 buckets have bucket-level public access blocks applied.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/S3"}}],"controlTitle":"S3 Block Public Access setting should be enabled at the bucket level","controlDescription":"This control checks whether S3 buckets have bucket-level public access blocks applied.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/S3"}},"s3_bucket_abort_incomplete_multipart_upload_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/s3_bucket_abort_incomplete_multipart_upload_enabled","org":"turbot","name":"s3_bucket_abort_incomplete_multipart_upload_enabled","sql":"with lifecycle_configuration_with_abort_incomplete_multipart_upload as (\n select\n concat(address) as name\n from\n terraform_resource,\n jsonb_array_elements(attributes_std -> 'rule') as r\n where\n r ->> 'id' = 'AbortIncompleteMultipartUploadRule'\n and r ->> 'status' = 'Enabled'\n and type = 'aws_s3_bucket_lifecycle_configuration'\n)\nselect\n r.address as resource,\n case\n when u.name is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(r.address, '.', 2) || case\n when u.name is not null then ' has abort incomplete multipart upload enabled'\n else ' has abort incomplete multipart upload disabled'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource as r\n left join lifecycle_configuration_with_abort_incomplete_multipart_upload as u on u.name = r.address\nwhere\n r.type = 'aws_s3_bucket_lifecycle_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/s3.pp","startLineNumber":334,"endLineNumber":364,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.s3_bucket_abort_incomplete_multipart_upload_enabled","org":"turbot","name":"s3_bucket_abort_incomplete_multipart_upload_enabled","mod":"Terraform AWS Compliance","title":"S3 bucket lifecycle configuration should abort incomplete multipart uploads","description":"Ensure that the S3 lifecycle configuration includes a rule to set a specific period for automatically aborting failed uploads.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}}],"controlTitle":"S3 bucket lifecycle configuration should abort incomplete multipart uploads","controlDescription":"Ensure that the S3 lifecycle configuration includes a rule to set a specific period for automatically aborting failed uploads.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/S3"}}},"kinesis":{"kinesis_firehose_delivery_stream_server_side_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/kinesis_firehose_delivery_stream_server_side_encryption_enabled","org":"turbot","name":"kinesis_firehose_delivery_stream_server_side_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'server_side_encryption' ->> 'enabled') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'server_side_encryption' ->> 'enabled') = 'true' then ' server side encryption enabled'\n else ' server side encryption disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_kinesis_firehose_delivery_stream';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kinesis.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.kinesis_firehose_delivery_stream_server_side_encryption_enabled","org":"turbot","name":"kinesis_firehose_delivery_stream_server_side_encryption_enabled","mod":"Terraform AWS Compliance","title":"Kinesis firehose delivery streams should have server side encryption enabled","description":"Enable server-side-encryption (SSE) of your AWS Kinesis Server data at rest, in order to protect your data and metadata from breaches or unauthorized access, and fulfill compliance requirements for data-at-rest encryption within your organization.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}}],"controlTitle":"Kinesis firehose delivery streams should have server side encryption enabled","controlDescription":"Enable server-side-encryption (SSE) of your AWS Kinesis Server data at rest, in order to protect your data and metadata from breaches or unauthorized access, and fulfill compliance requirements for data-at-rest encryption within your organization.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}},"kinesis_firehose_delivery_stream_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/kinesis_firehose_delivery_stream_encrypted_with_kms_cmk","org":"turbot","name":"kinesis_firehose_delivery_stream_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'server_side_encryption' ->> 'key_type') = 'CUSTOMER_MANAGED_CMK' and (attributes_std -> 'server_side_encryption' ->> 'key_arn') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'server_side_encryption' ->> 'key_type') = 'CUSTOMER_MANAGED_CMK' and (attributes_std -> 'server_side_encryption' ->> 'key_arn') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_kinesis_firehose_delivery_stream';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kinesis.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.kinesis_firehose_delivery_stream_encrypted_with_kms_cmk","org":"turbot","name":"kinesis_firehose_delivery_stream_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Kinesis firehose delivery streams should be encrypted with KMS CMK","description":"This control checks whether Kinesis Firehose Delivery Streams are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}}],"controlTitle":"Kinesis firehose delivery streams should be encrypted with KMS CMK","controlDescription":"This control checks whether Kinesis Firehose Delivery Streams are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}},"kinesis_stream_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/kinesis_stream_encryption_at_rest_enabled","org":"turbot","name":"kinesis_stream_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'encryption_type') = 'KMS' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'encryption_type') = 'KMS' then ' encrypted aty rest'\n else ' not encrypted at rest'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_kinesis_stream';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kinesis.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.kinesis_stream_encryption_at_rest_enabled","org":"turbot","name":"kinesis_stream_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"Kinesis stream encryption at rest should be enabled","description":"Ensure Kinesis streams are set to be encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}}],"controlTitle":"Kinesis stream encryption at rest should be enabled","controlDescription":"Ensure Kinesis streams are set to be encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}},"kinesis_stream_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/kinesis_stream_encrypted_with_kms_cmk","org":"turbot","name":"kinesis_stream_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_kinesis_stream';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kinesis.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.kinesis_stream_encrypted_with_kms_cmk","org":"turbot","name":"kinesis_stream_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Kinesis streams should be encrypted with KMS CMK","description":"This control checks whether Kinesis Streams are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}}],"controlTitle":"Kinesis streams should be encrypted with KMS CMK","controlDescription":"This control checks whether Kinesis Streams are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}},"kinesis_video_stream_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/kinesis_video_stream_encrypted_with_kms_cmk","org":"turbot","name":"kinesis_video_stream_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_kinesis_video_stream';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kinesis.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.kinesis_video_stream_encrypted_with_kms_cmk","org":"turbot","name":"kinesis_video_stream_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Kinesis vidoe streams should be encrypted with KMS CMK","description":"This control checks whether Kinesis Video Streams are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}}],"controlTitle":"Kinesis vidoe streams should be encrypted with KMS CMK","controlDescription":"This control checks whether Kinesis Video Streams are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kinesis"}}},"rds":{"rds_db_cluster_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_encrypted_with_kms_cmk","org":"turbot","name":"rds_db_cluster_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is null then ' is not encrypted with KMS CMK'\n else ' is encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":346,"endLineNumber":365,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_encrypted_with_kms_cmk","org":"turbot","name":"rds_db_cluster_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"RDS DB clusters should be encrypted using KMS CMK","description":"This control checks whether RDS DB clusters are encrypted using KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB clusters should be encrypted using KMS CMK","controlDescription":"This control checks whether RDS DB clusters are encrypted using KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_global_cluster_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_global_cluster_encryption_enabled","org":"turbot","name":"rds_global_cluster_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'storage_encrypted')::boolean then 'ok'\n when (attributes_std ->> 'source_db_cluster_identifier') is null then 'info'\n when (attributes_std ->> 'storage_encrypted')::boolean and (attributes_std ->> 'source_db_cluster_identifier') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'storage_encrypted')::boolean then ' enccryption enabled'\n when (attributes_std ->> 'source_db_cluster_identifier') is null then ' DB cluster identifier is not provided of the primary global cluster creation'\n when (attributes_std ->> 'storage_encrypted')::boolean and (attributes_std ->> 'source_db_cluster_identifier') is not null then ' enccryption enabled'\n else ' enccryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_global_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":887,"endLineNumber":910,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_global_cluster_encryption_enabled","org":"turbot","name":"rds_global_cluster_encryption_enabled","mod":"Terraform AWS Compliance","title":"RDS Global Cluster (MySQl & PostgreSQL) should have encryption enabled","description":"This control checks whether RDS Global Cluster (MySQl & PostgreSQL) encryption is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS Global Cluster (MySQl & PostgreSQL) should have encryption enabled","controlDescription":"This control checks whether RDS Global Cluster (MySQl & PostgreSQL) encryption is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_backup_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_backup_enabled","org":"turbot","name":"rds_db_instance_backup_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'backup_retention_period') is null then 'alarm'\n when (attributes_std -> 'backup_retention_period')::integer < 1 then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'backup_retention_period') is null then ' backup disabled'\n when (attributes_std -> 'backup_retention_period')::integer < 1 then ' backup disabled'\n else ' backup enabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":390,"endLineNumber":411,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_backup_enabled","org":"turbot","name":"rds_db_instance_backup_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instance backup should be enabled","description":"The backup feature of Amazon RDS creates backups of your databases and transaction logs.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS","soc_2":"true"}}],"controlTitle":"RDS DB instance backup should be enabled","controlDescription":"The backup feature of Amazon RDS creates backups of your databases and transaction logs.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS","soc_2":"true"}},"rds_mysql_db_cluster_audit_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_mysql_db_cluster_audit_logging_enabled","org":"turbot","name":"rds_mysql_db_cluster_audit_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'engine')::text not like '%mysql' then 'skip'\n when (attributes_std ->> 'engine')::text like '%mysql' and (attributes_std -> 'enabled_cloudwatch_logs_exports') @> '[\"audit\"]' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'engine')::text not like '%mysql' then ' not a MySQL cluster'\n when (attributes_std ->> 'engine')::text like '%mysql' and (attributes_std -> 'enabled_cloudwatch_logs_exports') @> '[\"audit\"]' then ' audit logging enabled'\n else ' audit logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":864,"endLineNumber":885,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_mysql_db_cluster_audit_logging_enabled","org":"turbot","name":"rds_mysql_db_cluster_audit_logging_enabled","mod":"Terraform AWS Compliance","title":"RDS MySQL DB clusters should have audit logging enabled","description":"This control checks whether Relational Database Service MySQL DB clusters have audit logging enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS MySQL DB clusters should have audit logging enabled","controlDescription":"This control checks whether Relational Database Service MySQL DB clusters have audit logging enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_performance_insights_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_performance_insights_encrypted_with_kms_cmk","org":"turbot","name":"rds_db_instance_performance_insights_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'performance_insights_kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'performance_insights_kms_key_id') is null then ' performance insights not encrypted with kms key'\n else ' performance insights encrypted with kms key'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":183,"endLineNumber":202,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_performance_insights_encrypted_with_kms_cmk","org":"turbot","name":"rds_db_instance_performance_insights_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"RDS DB instances should have performance insights encrypted with KMS CMK","description":"This control checks whether Relational Database instances have performance insights encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB instances should have performance insights encrypted with KMS CMK","controlDescription":"This control checks whether Relational Database instances have performance insights encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_multiple_az_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_multiple_az_enabled","org":"turbot","name":"rds_db_cluster_multiple_az_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'multi_az') is null then 'alarm'\n when (attributes_std -> 'multi_az')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'multi_az') is null then ' ''multi_az'' disabled'\n when (attributes_std -> 'multi_az')::boolean then ' ''multi_az'' enabled'\n else ' ''multi_az'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":116,"endLineNumber":137,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_multiple_az_enabled","org":"turbot","name":"rds_db_cluster_multiple_az_enabled","mod":"Terraform AWS Compliance","title":"RDS DB clusters should be configured for multiple Availability Zones","description":"This control checks whether high availability is enabled for your RDS DB clusters. RDS DB clusters should be configured for multiple Availability Zones to ensure availability of the data that is stored.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB clusters should be configured for multiple Availability Zones","controlDescription":"This control checks whether high availability is enabled for your RDS DB clusters. RDS DB clusters should be configured for multiple Availability Zones to ensure availability of the data that is stored.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_iam_authentication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_iam_authentication_enabled","org":"turbot","name":"rds_db_instance_iam_authentication_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'iam_database_authentication_enabled') is null then 'alarm'\n when (attributes_std -> 'iam_database_authentication_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'iam_database_authentication_enabled') is null then ' ''iam_database_authentication_enabled'' disabled'\n when (attributes_std -> 'iam_database_authentication_enabled')::bool then ' ''iam_database_authentication_enabled'' enabled'\n else ' ''iam_database_authentication_enabled'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":505,"endLineNumber":526,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_iam_authentication_enabled","org":"turbot","name":"rds_db_instance_iam_authentication_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instances should have iam authentication enabled","description":"Checks if an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS","soc_2":"true"}}],"controlTitle":"RDS DB instances should have iam authentication enabled","controlDescription":"Checks if an Amazon Relational Database Service (Amazon RDS) instance has AWS Identity and Access Management (IAM) authentication enabled.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS","soc_2":"true"}},"rds_db_security_group_events_subscription":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_security_group_events_subscription","org":"turbot","name":"rds_db_security_group_events_subscription","sql":"$88","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":664,"endLineNumber":692,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_security_group_events_subscription","org":"turbot","name":"rds_db_security_group_events_subscription","mod":"Terraform AWS Compliance","title":"An RDS event notifications subscription should be configured for critical database security group events","description":"This control checks whether RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"An RDS event notifications subscription should be configured for critical database security group events","controlDescription":"This control checks whether RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_events_subscription":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_events_subscription","org":"turbot","name":"rds_db_instance_events_subscription","sql":"$89","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":482,"endLineNumber":503,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_events_subscription","org":"turbot","name":"rds_db_instance_events_subscription","mod":"Terraform AWS Compliance","title":"An RDS event notifications subscription should be configured for critical database instance events","description":"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"An RDS event notifications subscription should be configured for critical database instance events","controlDescription":"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_iam_authentication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_iam_authentication_enabled","org":"turbot","name":"rds_db_cluster_iam_authentication_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'iam_database_authentication_enabled') is null then 'alarm'\n when (attributes_std -> 'iam_database_authentication_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'iam_database_authentication_enabled') is null then ' ''iam_database_authentication_enabled'' disabled'\n when (attributes_std -> 'iam_database_authentication_enabled')::bool then ' ''iam_database_authentication_enabled'' enabled'\n else ' ''iam_database_authentication_enabled'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":93,"endLineNumber":114,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_iam_authentication_enabled","org":"turbot","name":"rds_db_cluster_iam_authentication_enabled","mod":"Terraform AWS Compliance","title":"IAM authentication should be configured for RDS clusters","description":"This control checks whether an RDS DB cluster has IAM database authentication enabled. IAM database authentication allows for password-free authentication to database instances. The authentication uses an authentication token. Network traffic to and from the database is encrypted using SSL.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"IAM authentication should be configured for RDS clusters","controlDescription":"This control checks whether an RDS DB cluster has IAM database authentication enabled. IAM database authentication allows for password-free authentication to database instances. The authentication uses an authentication token. Network traffic to and from the database is encrypted using SSL.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_snapshot_copy_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_snapshot_copy_encrypted_with_kms_cmk","org":"turbot","name":"rds_db_snapshot_copy_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_snapshot_copy';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":801,"endLineNumber":820,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_snapshot_copy_encrypted_with_kms_cmk","org":"turbot","name":"rds_db_snapshot_copy_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"RDS DB snapshots should be encrypted with KMS CMK","description":"This control checks whether Relational Database Service snapshots are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB snapshots should be encrypted with KMS CMK","controlDescription":"This control checks whether Relational Database Service snapshots are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_deletion_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_deletion_protection_enabled","org":"turbot","name":"rds_db_instance_deletion_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'deletion_protection') is null then 'alarm'\n when (attributes_std -> 'deletion_protection')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'deletion_protection') is null then ' ''deletion_protection'' disabled'\n when (attributes_std -> 'deletion_protection')::bool then ' ''deletion_protection'' enabled'\n else ' ''deletion_protection'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":436,"endLineNumber":457,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_deletion_protection_enabled","org":"turbot","name":"rds_db_instance_deletion_protection_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instances should have deletion protection enabled","description":"Ensure Relational Database Service (RDS) instances have deletion protection enabled.","tags":{"aws_foundational_security":"true","category":"Compliance","nist_800_53_rev_4":"true","plugin":"terraform","service":"AWS/RDS","soc_2":"true"}}],"controlTitle":"RDS DB instances should have deletion protection enabled","controlDescription":"Ensure Relational Database Service (RDS) instances have deletion protection enabled.","controlTags":{"aws_foundational_security":"true","category":"Compliance","nist_800_53_rev_4":"true","plugin":"terraform","service":"AWS/RDS","soc_2":"true"}},"rds_db_instance_prohibit_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_prohibit_public_access","org":"turbot","name":"rds_db_instance_prohibit_public_access","sql":"select\n address as resource,\n case\n when (attributes_std -> 'publicly_accessible') is null then 'ok'\n when (attributes_std -> 'publicly_accessible')::boolean then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'publicly_accessible') is null then ' not publicly accessible'\n when (attributes_std -> 'publicly_accessible')::boolean then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":618,"endLineNumber":639,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_prohibit_public_access","org":"turbot","name":"rds_db_instance_prohibit_public_access","mod":"Terraform AWS Compliance","title":"RDS DB instances should prohibit public access","description":"Manage access to resources in the AWS Cloud by ensuring that Relational Database Service (RDS) instances are not public.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS","soc_2":"true"}}],"controlTitle":"RDS DB instances should prohibit public access","controlDescription":"Manage access to resources in the AWS Cloud by ensuring that Relational Database Service (RDS) instances are not public.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS","soc_2":"true"}},"rds_db_instance_performance_insights_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_performance_insights_enabled","org":"turbot","name":"rds_db_instance_performance_insights_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'performance_insights_enabled') is null then 'alarm'\n when (attributes_std ->> 'performance_insights_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'performance_insights_enabled') is null then ' performance insights disabled'\n when (attributes_std ->> 'performance_insights_enabled')::boolean then ' performance insights enabled'\n else ' performance insights disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":204,"endLineNumber":225,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_performance_insights_enabled","org":"turbot","name":"rds_db_instance_performance_insights_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instances should have performance insights enabled","description":"This control checks whether Relational Database Service (RDS) instances have performance insights enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB instances should have performance insights enabled","controlDescription":"This control checks whether Relational Database Service (RDS) instances have performance insights enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_snapshot_not_publicly_accesible":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_snapshot_not_publicly_accesible","org":"turbot","name":"rds_db_snapshot_not_publicly_accesible","sql":"select\n address as resource,\n case\n when (attributes_std -> 'shared_accounts') @> '[\"all\"]' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'shared_accounts') @> '[\"all\"]' then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_snapshot';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":780,"endLineNumber":799,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_snapshot_not_publicly_accesible","org":"turbot","name":"rds_db_snapshot_not_publicly_accesible","mod":"Terraform AWS Compliance","title":"RDS DB snapshots should not be publicly accessible","description":"This control checks whether Relational Database Service snapshots are not publicly accessible.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS","soc_2":"true"}}],"controlTitle":"RDS DB snapshots should not be publicly accessible","controlDescription":"This control checks whether Relational Database Service snapshots are not publicly accessible.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS","soc_2":"true"}},"rds_db_instance_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_encryption_at_rest_enabled","org":"turbot","name":"rds_db_instance_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'storage_encrypted') is null then 'alarm'\n when (attributes_std -> 'storage_encrypted')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'storage_encrypted') is null then ' not encrypted'\n when (attributes_std -> 'storage_encrypted')::bool then ' encrypted'\n else ' not encrypted'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":459,"endLineNumber":480,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_encryption_at_rest_enabled","org":"turbot","name":"rds_db_instance_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instance encryption at rest should be enabled","description":"To help protect data at rest, ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) instances.","tags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS"}}],"controlTitle":"RDS DB instance encryption at rest should be enabled","controlDescription":"To help protect data at rest, ensure that encryption is enabled for your Amazon Relational Database Service (Amazon RDS) instances.","controlTags":{"aws_foundational_security":"true","category":"Compliance","cis":"true","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS"}},"rds_db_parameter_group_events_subscription":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_parameter_group_events_subscription","org":"turbot","name":"rds_db_parameter_group_events_subscription","sql":"$8a","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":641,"endLineNumber":662,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_parameter_group_events_subscription","org":"turbot","name":"rds_db_parameter_group_events_subscription","mod":"Terraform AWS Compliance","title":"An RDS event notifications subscription should be configured for critical database parameter group events","description":"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"An RDS event notifications subscription should be configured for critical database parameter group events","controlDescription":"This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_copy_tags_to_snapshot_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_copy_tags_to_snapshot_enabled","org":"turbot","name":"rds_db_instance_copy_tags_to_snapshot_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'copy_tags_to_snapshot') is null then 'alarm'\n when (attributes_std -> 'copy_tags_to_snapshot')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'copy_tags_to_snapshot') is null then ' ''copy_tags_to_snapshot'' disabled'\n when (attributes_std -> 'copy_tags_to_snapshot')::bool then ' ''copy_tags_to_snapshot'' enabled'\n else ' ''copy_tags_to_snapshot'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":413,"endLineNumber":434,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_copy_tags_to_snapshot_enabled","org":"turbot","name":"rds_db_instance_copy_tags_to_snapshot_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instances should be configured to copy tags to snapshots","description":"This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB instances should be configured to copy tags to snapshots","controlDescription":"This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_and_cluster_no_default_port":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_and_cluster_no_default_port","org":"turbot","name":"rds_db_instance_and_cluster_no_default_port","sql":"$8b","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":290,"endLineNumber":344,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_and_cluster_no_default_port","org":"turbot","name":"rds_db_instance_and_cluster_no_default_port","mod":"Terraform AWS Compliance","title":"RDS databases and clusters should not use a database engine default port","description":"This control checks whether the RDS cluster or instance uses a port other than the default port of the database engine.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS databases and clusters should not use a database engine default port","controlDescription":"This control checks whether the RDS cluster or instance uses a port other than the default port of the database engine.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_uses_recent_ca_certificate":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_uses_recent_ca_certificate","org":"turbot","name":"rds_db_instance_uses_recent_ca_certificate","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'ca_cert_identifier') in ('rds-ca-rsa2048-g1', 'rds-ca-rsa4096-g1', 'rds-ca-ecc384-g1') then 'ok'\n when (attributes_std ->> 'ca_cert_identifier') is null then 'skip'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'ca_cert_identifier') in ('rds-ca-rsa2048-g1', 'rds-ca-rsa4096-g1', 'rds-ca-ecc384-g1') then ' uses recent CA certificate'\n when (attributes_std ->> 'ca_cert_identifier') is null then ' CA certificate not defined'\n else ' uses an old CA certificate'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":694,"endLineNumber":715,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_uses_recent_ca_certificate","org":"turbot","name":"rds_db_instance_uses_recent_ca_certificate","mod":"Terraform AWS Compliance","title":"RDS DB instances should use recent CA certificates","description":"This control checks whether Relational Database Service (RDS) instances use recent CA certificate(s).","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB instances should use recent CA certificates","controlDescription":"This control checks whether Relational Database Service (RDS) instances use recent CA certificate(s).","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_aurora_backtracking_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_aurora_backtracking_enabled","org":"turbot","name":"rds_db_cluster_aurora_backtracking_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'engine') not like any (array ['%aurora%', '%aurora-mysql%']) then 'skip'\n when (attributes_std -> 'backtrack_window') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'engine') not like any (array ['%aurora%', '%aurora-mysql%']) then ' not Aurora MySQL-compatible edition'\n when (attributes_std -> 'backtrack_window') is not null then ' backtracking enabled'\n else ' backtracking disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_aurora_backtracking_enabled","org":"turbot","name":"rds_db_cluster_aurora_backtracking_enabled","mod":"Terraform AWS Compliance","title":"Amazon Aurora clusters should have backtracking enabled","description":"This control checks whether Amazon Aurora clusters have backtracking enabled. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It does not require a database restore to do so.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"Amazon Aurora clusters should have backtracking enabled","controlDescription":"This control checks whether Amazon Aurora clusters have backtracking enabled. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It does not require a database restore to do so.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_cluster_activity_stream_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_cluster_activity_stream_encrypted_with_kms_cmk","org":"turbot","name":"rds_cluster_activity_stream_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster_activity_stream';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":269,"endLineNumber":288,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_cluster_activity_stream_encrypted_with_kms_cmk","org":"turbot","name":"rds_cluster_activity_stream_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"RDS DB cluster activity stream should be encrypted with KMS CMK","description":"This control checks whether Relational Database Service cluster activity stream is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB cluster activity stream should be encrypted with KMS CMK","controlDescription":"This control checks whether Relational Database Service cluster activity stream is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_automatic_minor_version_upgrade_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_automatic_minor_version_upgrade_enabled","org":"turbot","name":"rds_db_instance_automatic_minor_version_upgrade_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'auto_minor_version_upgrade') is null then 'ok'\n when (attributes_std -> 'auto_minor_version_upgrade')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'auto_minor_version_upgrade') is null then ' ''auto_minor_version_upgrade'' enabled'\n when (attributes_std -> 'deletion_protection')::boolean then ' ''auto_minor_version_upgrade'' enabled'\n else ' ''auto_minor_version_upgrade'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":367,"endLineNumber":388,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_automatic_minor_version_upgrade_enabled","org":"turbot","name":"rds_db_instance_automatic_minor_version_upgrade_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instance automatic minor version upgrade should be enabled","description":"Ensure if Amazon Relational Database Service (RDS) database instances are configured for automatic minor version upgrades. The rule is NON_COMPLIANT if the value of 'autoMinorVersionUpgrade' is false.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS"}}],"controlTitle":"RDS DB instance automatic minor version upgrade should be enabled","controlDescription":"Ensure if Amazon Relational Database Service (RDS) database instances are configured for automatic minor version upgrades. The rule is NON_COMPLIANT if the value of 'autoMinorVersionUpgrade' is false.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS"}},"rds_db_instance_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_logging_enabled","org":"turbot","name":"rds_db_instance_logging_enabled","sql":"$8c","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":528,"endLineNumber":593,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_logging_enabled","org":"turbot","name":"rds_db_instance_logging_enabled","mod":"Terraform AWS Compliance","title":"Database logging should be enabled","description":"To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled.","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS","soc_2":"true"}}],"controlTitle":"Database logging should be enabled","controlDescription":"To help with logging and monitoring within your environment, ensure Amazon Relational Database Service (Amazon RDS) logging is enabled.","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/RDS","soc_2":"true"}},"rds_db_cluster_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_encryption_enabled","org":"turbot","name":"rds_db_cluster_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'storage_encrypted') = 'true' or (attributes_std ->> 'engine_mode') = 'serverless' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'storage_encrypted') = 'true' or (attributes_std ->> 'engine_mode') = 'serverless' then ' encryption enabled'\n else ' encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":843,"endLineNumber":862,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_encryption_enabled","org":"turbot","name":"rds_db_cluster_encryption_enabled","mod":"Terraform AWS Compliance","title":"RDS DB clusters should have encryption at rest enabled","description":"This control checks whether Relational Database Service clusters have encryption at rest enabled.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB clusters should have encryption at rest enabled","controlDescription":"This control checks whether Relational Database Service clusters have encryption at rest enabled.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_and_cluster_enhanced_monitoring_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_and_cluster_enhanced_monitoring_enabled","org":"turbot","name":"rds_db_instance_and_cluster_enhanced_monitoring_enabled","sql":"$8d","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":227,"endLineNumber":267,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_and_cluster_enhanced_monitoring_enabled","org":"turbot","name":"rds_db_instance_and_cluster_enhanced_monitoring_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instance and cluster enhanced monitoring should be enabled","description":"Enable Amazon Relational Database Service (Amazon RDS) to help monitor Amazon RDS availability. This provides detailed visibility into the health of your Amazon RDS database instances.","tags":{"aws_foundational_security":"true","category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB instance and cluster enhanced monitoring should be enabled","controlDescription":"Enable Amazon Relational Database Service (Amazon RDS) to help monitor Amazon RDS availability. This provides detailed visibility into the health of your Amazon RDS database instances.","controlTags":{"aws_foundational_security":"true","category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/RDS"}},"memorydb_cluster_transit_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/memorydb_cluster_transit_encryption_enabled","org":"turbot","name":"memorydb_cluster_transit_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'tls_enabled') = 'false' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'tls_enabled') = 'false' then ' encryption at transit disabled'\n else ' encryption at transit enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_memorydb_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":759,"endLineNumber":778,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.memorydb_cluster_transit_encryption_enabled","org":"turbot","name":"memorydb_cluster_transit_encryption_enabled","mod":"Terraform AWS Compliance","title":"MemoryDB clusters should have encryption in transit enabled","description":"This control checks whether MemoryDB clusters have encryption in transit enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"MemoryDB clusters should have encryption in transit enabled","controlDescription":"This control checks whether MemoryDB clusters have encryption in transit enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"memorydb_snapshot_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/memorydb_snapshot_encrypted_with_kms_cmk","org":"turbot","name":"memorydb_snapshot_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_arn') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_arn') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_memorydb_snapshot';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":717,"endLineNumber":736,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.memorydb_snapshot_encrypted_with_kms_cmk","org":"turbot","name":"memorydb_snapshot_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"MemoryDB snapshots should be encrypted with KMS CMK","description":"This control checks whether MemoryDB snapshots are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"MemoryDB snapshots should be encrypted with KMS CMK","controlDescription":"This control checks whether MemoryDB snapshots are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_instance_multiple_az_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_instance_multiple_az_enabled","org":"turbot","name":"rds_db_instance_multiple_az_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'multi_az') is null then 'alarm'\n when (attributes_std -> 'multi_az')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'multi_az') is null then ' ''multi_az'' disabled'\n when (attributes_std -> 'multi_az')::boolean then ' ''multi_az'' enabled'\n else ' ''multi_az'' disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_db_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":595,"endLineNumber":616,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_instance_multiple_az_enabled","org":"turbot","name":"rds_db_instance_multiple_az_enabled","mod":"Terraform AWS Compliance","title":"RDS DB instance multiple az should be enabled","description":"Multi-AZ support in Amazon Relational Database Service (Amazon RDS) provides enhanced availability and durability for database instances.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB instance multiple az should be enabled","controlDescription":"Multi-AZ support in Amazon Relational Database Service (Amazon RDS) provides enhanced availability and durability for database instances.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_instance_performance_insights_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_instance_performance_insights_encrypted_with_kms_cmk","org":"turbot","name":"rds_db_cluster_instance_performance_insights_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'performance_insights_kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'performance_insights_kms_key_id') is null then ' performance insights not encrypted with KMS CMK'\n else ' performance insights encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":162,"endLineNumber":181,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_instance_performance_insights_encrypted_with_kms_cmk","org":"turbot","name":"rds_db_cluster_instance_performance_insights_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"RDS DB cluster instances should have performance insights encrypted with KMS CMK","description":"This control checks whether Relational Database cluster instances have performance insights encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB cluster instances should have performance insights encrypted with KMS CMK","controlDescription":"This control checks whether Relational Database cluster instances have performance insights encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"memorydb_cluster_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/memorydb_cluster_encrypted_with_kms_cmk","org":"turbot","name":"memorydb_cluster_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_arn') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_arn') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_memorydb_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":738,"endLineNumber":757,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.memorydb_cluster_encrypted_with_kms_cmk","org":"turbot","name":"memorydb_cluster_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"MemoryDB clusters should be encrypted with KMS CMK","description":"This control checks whether MemoryDB clusters are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"MemoryDB clusters should be encrypted with KMS CMK","controlDescription":"This control checks whether MemoryDB clusters are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_deletion_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_deletion_protection_enabled","org":"turbot","name":"rds_db_cluster_deletion_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'deletion_protection') is null then 'alarm'\n when (attributes_std -> 'deletion_protection')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'deletion_protection') is null then ' ''deletion_protection'' disabled'\n when (attributes_std -> 'deletion_protection')::boolean then ' ''deletion_protection'' enabled'\n else ' ''deletion_protection'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":47,"endLineNumber":68,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_deletion_protection_enabled","org":"turbot","name":"rds_db_cluster_deletion_protection_enabled","mod":"Terraform AWS Compliance","title":"RDS clusters should have deletion protection enabled","description":"This control checks whether RDS clusters have deletion protection enabled. This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful,then you can suppress them.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS clusters should have deletion protection enabled","controlDescription":"This control checks whether RDS clusters have deletion protection enabled. This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful,then you can suppress them.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_instance_performance_insights_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_instance_performance_insights_enabled","org":"turbot","name":"rds_db_cluster_instance_performance_insights_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'performance_insights_enabled') is null then 'alarm'\n when (attributes_std -> 'performance_insights_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'performance_insights_enabled') is null then ' performance insights disabled'\n when (attributes_std -> 'performance_insights_enabled')::boolean then ' performance insights enabled'\n else ' performance insights disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":139,"endLineNumber":160,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_instance_performance_insights_enabled","org":"turbot","name":"rds_db_cluster_instance_performance_insights_enabled","mod":"Terraform AWS Compliance","title":"RDS DB cluster instances should have performance insights enabled","description":"This control checks whether Relational Database cluster instances have performance insights enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB cluster instances should have performance insights enabled","controlDescription":"This control checks whether Relational Database cluster instances have performance insights enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_copy_tags_to_snapshot_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_copy_tags_to_snapshot_enabled","org":"turbot","name":"rds_db_cluster_copy_tags_to_snapshot_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'copy_tags_to_snapshot') is null then 'alarm'\n when (attributes_std -> 'copy_tags_to_snapshot')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'copy_tags_to_snapshot') is null then ' ''copy_tags_to_snapshot'' disabled'\n when (attributes_std -> 'copy_tags_to_snapshot')::bool then ' ''copy_tags_to_snapshot'' enabled'\n else ' ''copy_tags_to_snapshot'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":24,"endLineNumber":45,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_copy_tags_to_snapshot_enabled","org":"turbot","name":"rds_db_cluster_copy_tags_to_snapshot_enabled","mod":"Terraform AWS Compliance","title":"RDS DB clusters should be configured to copy tags to snapshots","description":"This control checks whether RDS DB clusters are configured to copy all tags to snapshots when the snapshots are created.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB clusters should be configured to copy tags to snapshots","controlDescription":"This control checks whether RDS DB clusters are configured to copy all tags to snapshots when the snapshots are created.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_instance_automatic_minor_version_upgrade_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_instance_automatic_minor_version_upgrade_enabled","org":"turbot","name":"rds_db_cluster_instance_automatic_minor_version_upgrade_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'auto_minor_version_upgrade') = 'false' then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'auto_minor_version_upgrade') = 'false' then ' auto minor version upgrade disabled'\n else ' auto minor version upgrade enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_rds_cluster_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":822,"endLineNumber":841,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_instance_automatic_minor_version_upgrade_enabled","org":"turbot","name":"rds_db_cluster_instance_automatic_minor_version_upgrade_enabled","mod":"Terraform AWS Compliance","title":"RDS DB cluster instances should have auto minor version upgrade enabled","description":"This control checks whether Relational Database Service cluster instances have auto minor version upgrade is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"RDS DB cluster instances should have auto minor version upgrade enabled","controlDescription":"This control checks whether Relational Database Service cluster instances have auto minor version upgrade is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/RDS"}},"rds_db_cluster_events_subscription":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/rds_db_cluster_events_subscription","org":"turbot","name":"rds_db_cluster_events_subscription","sql":"$8e","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/rds.pp","startLineNumber":70,"endLineNumber":91,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.rds_db_cluster_events_subscription","org":"turbot","name":"rds_db_cluster_events_subscription","mod":"Terraform AWS Compliance","title":"An RDS event notifications subscription should be configured for critical cluster events","description":"This control checks whether an Amazon RDS event subscription exists that has notifications enabled for the following source type, event category key-value pairs.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}],"controlTitle":"An RDS event notifications subscription should be configured for critical cluster events","controlDescription":"This control checks whether an Amazon RDS event subscription exists that has notifications enabled for the following source type, event category key-value pairs.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/RDS"}}},"sns":{"sns_topic_encrypted_at_rest":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sns_topic_encrypted_at_rest","org":"turbot","name":"sns_topic_encrypted_at_rest","sql":"select\n address as resource,\n case\n when coalesce(trim(attributes_std ->> 'kms_master_key_id'), '') = '' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_master_key_id') is null then ' ''kms_master_key_id'' is not defined'\n when coalesce(trim(attributes_std ->> 'kms_master_key_id'), '') <> '' then ' encryption at rest enabled'\n else ' encryption at rest disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sns_topic';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sns.pp","startLineNumber":1,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sns_topic_encrypted_at_rest","org":"turbot","name":"sns_topic_encrypted_at_rest","mod":"Terraform AWS Compliance","title":"SNS topics should be encrypted at rest","description":"To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS).","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/SNS"}}],"controlTitle":"SNS topics should be encrypted at rest","controlDescription":"To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS).","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/SNS"}},"sns_topic_policy_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sns_topic_policy_restrict_public_access","org":"turbot","name":"sns_topic_policy_restrict_public_access","sql":"$8f","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sns.pp","startLineNumber":23,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sns_topic_policy_restrict_public_access","org":"turbot","name":"sns_topic_policy_restrict_public_access","mod":"Terraform AWS Compliance","title":"SNS topic policies should prohibit public access","description":"Manage access to resources in the AWS Cloud by ensuring AWS SNS topics cannot be publicly accessed.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SNS"}}],"controlTitle":"SNS topic policies should prohibit public access","controlDescription":"Manage access to resources in the AWS Cloud by ensuring AWS SNS topics cannot be publicly accessed.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SNS"}}},"f_sx":{"fsx_lustre_file_system_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/fsx_lustre_file_system_encrypted_with_kms_cmk","org":"turbot","name":"fsx_lustre_file_system_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is null then ' is not encrypted with KMS CMK'\n else ' is encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_fsx_lustre_file_system';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/fsx.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.fsx_lustre_file_system_encrypted_with_kms_cmk","org":"turbot","name":"fsx_lustre_file_system_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"FSx Lustre File System should be encrypted with KMS CMK","description":"This control checks whether FSx lustre file system is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/FSx"}}],"controlTitle":"FSx Lustre File System should be encrypted with KMS CMK","controlDescription":"This control checks whether FSx lustre file system is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/FSx"}},"fsx_ontap_file_system_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/fsx_ontap_file_system_encrypted_with_kms_cmk","org":"turbot","name":"fsx_ontap_file_system_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is null then ' is not encrypted with KMS CMK'\n else ' is encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_fsx_ontap_file_system';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/fsx.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.fsx_ontap_file_system_encrypted_with_kms_cmk","org":"turbot","name":"fsx_ontap_file_system_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"FSx ONTAP File System should be encrypted with KMS CMK","description":"This control checks whether FSx ontap file system is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/FSx"}}],"controlTitle":"FSx ONTAP File System should be encrypted with KMS CMK","controlDescription":"This control checks whether FSx ontap file system is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/FSx"}},"fsx_openzfs_file_system_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/fsx_openzfs_file_system_encrypted_with_kms_cmk","org":"turbot","name":"fsx_openzfs_file_system_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is null then ' is not encrypted with KMS CMK'\n else ' is encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_fsx_openzfs_file_system';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/fsx.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.fsx_openzfs_file_system_encrypted_with_kms_cmk","org":"turbot","name":"fsx_openzfs_file_system_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"FSx OpenZFS File System should be encrypted with KMS CMK","description":"This control checks whether FSx openzfs file system is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/FSx"}}],"controlTitle":"FSx OpenZFS File System should be encrypted with KMS CMK","controlDescription":"This control checks whether FSx openzfs file system is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/FSx"}},"fsx_windows_file_system_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/fsx_windows_file_system_encrypted_with_kms_cmk","org":"turbot","name":"fsx_windows_file_system_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is null then ' is not encrypted with KMS CMK'\n else ' is encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_fsx_windows_file_system';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/fsx.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.fsx_windows_file_system_encrypted_with_kms_cmk","org":"turbot","name":"fsx_windows_file_system_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"FSx Windows File System should be encrypted with KMS CMK","description":"This control checks whether FSx windows file system is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/FSx"}}],"controlTitle":"FSx Windows File System should be encrypted with KMS CMK","controlDescription":"This control checks whether FSx windows file system is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/FSx"}}},"step_functions":{"sfn_state_machine_xray_tracing_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sfn_state_machine_xray_tracing_enabled","org":"turbot","name":"sfn_state_machine_xray_tracing_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'tracing_configuration' ->> 'enabled') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'tracing_configuration' ->> 'enabled') = 'true' then ' has tracing enabled'\n else ' has tracing disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sfn_state_machine';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sfn.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sfn_state_machine_xray_tracing_enabled","org":"turbot","name":"sfn_state_machine_xray_tracing_enabled","mod":"Terraform AWS Compliance","title":"Step Functions state machine should have X-Ray tracing enabled","description":"Ensure State Machine has X-Ray tracing enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/StepFunctions"}}],"controlTitle":"Step Functions state machine should have X-Ray tracing enabled","controlDescription":"Ensure State Machine has X-Ray tracing enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/StepFunctions"}},"sfn_state_machine_execution_history_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sfn_state_machine_execution_history_logging_enabled","org":"turbot","name":"sfn_state_machine_execution_history_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging_configuration' ->> 'include_execution_data') = 'true' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging_configuration' ->> 'include_execution_data') = 'true' then ' execution history logging enabled'\n else ' execution history logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sfn_state_machine';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sfn.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sfn_state_machine_execution_history_logging_enabled","org":"turbot","name":"sfn_state_machine_execution_history_logging_enabled","mod":"Terraform AWS Compliance","title":"Step Functions state machine should have execution history logging enabled","description":"Ensure State Machine have execution history logging enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/StepFunctions"}}],"controlTitle":"Step Functions state machine should have execution history logging enabled","controlDescription":"Ensure State Machine have execution history logging enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/StepFunctions"}}},"mwaa":{"mwaa_environment_webserver_logs_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mwaa_environment_webserver_logs_enabled","org":"turbot","name":"mwaa_environment_webserver_logs_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging_configuration' -> 'webserver_logs' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging_configuration' -> 'webserver_logs' ->> 'enabled')::boolean then ' webserver logs enabled'\n else ' webserver logs disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_mwaa_environment';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mwaa.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mwaa_environment_webserver_logs_enabled","org":"turbot","name":"mwaa_environment_webserver_logs_enabled","mod":"Terraform AWS Compliance","title":"MWAA environment should have webserver logs enabled","description":"This control checks whether MWAA environment has webserver logs enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MWAA"}}],"controlTitle":"MWAA environment should have webserver logs enabled","controlDescription":"This control checks whether MWAA environment has webserver logs enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MWAA"}},"mwaa_environment_scheduler_logs_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mwaa_environment_scheduler_logs_enabled","org":"turbot","name":"mwaa_environment_scheduler_logs_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging_configuration' -> 'scheduler_logs' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging_configuration' -> 'scheduler_logs' ->> 'enabled')::boolean then ' scheduler logs enabled'\n else ' scheduler logs disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_mwaa_environment';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mwaa.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mwaa_environment_scheduler_logs_enabled","org":"turbot","name":"mwaa_environment_scheduler_logs_enabled","mod":"Terraform AWS Compliance","title":"MWAA environment should have scheduler logs enabled","description":"This control checks whether MWAA environment has scheduler logs enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MWAA"}}],"controlTitle":"MWAA environment should have scheduler logs enabled","controlDescription":"This control checks whether MWAA environment has scheduler logs enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MWAA"}},"mwaa_environment_worker_logs_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mwaa_environment_worker_logs_enabled","org":"turbot","name":"mwaa_environment_worker_logs_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logging_configuration' -> 'worker_logs' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logging_configuration' -> 'worker_logs' ->> 'enabled')::boolean then ' worker logs enabled'\n else ' worker logs disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_mwaa_environment';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mwaa.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mwaa_environment_worker_logs_enabled","org":"turbot","name":"mwaa_environment_worker_logs_enabled","mod":"Terraform AWS Compliance","title":"MWAA environment should have worker logs enabled","description":"This control checks whether MWAA environment has worker logs enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MWAA"}}],"controlTitle":"MWAA environment should have worker logs enabled","controlDescription":"This control checks whether MWAA environment has worker logs enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MWAA"}}},"secrets_manager":{"secretsmanager_secret_automatic_rotation_lambda_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/secretsmanager_secret_automatic_rotation_lambda_enabled","org":"turbot","name":"secretsmanager_secret_automatic_rotation_lambda_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'rotation_rules') is not null and (attributes_std -> 'rotation_lambda_arn') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'rotation_rules') is not null and (attributes_std -> 'rotation_lambda_arn') is not null then ' scheduled for rotation using Lambda function'\n else ' automatic rotation using Lambda function disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_secretsmanager_secret';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/secretsmanager.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.secretsmanager_secret_automatic_rotation_lambda_enabled","org":"turbot","name":"secretsmanager_secret_automatic_rotation_lambda_enabled","mod":"Terraform AWS Compliance","title":"Secrets Manager secrets should be rotated within a specified number of days","description":"This control checks whether your secrets have been rotated at least once within 90 days. Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/SecretsManager"}}],"controlTitle":"Secrets Manager secrets should be rotated within a specified number of days","controlDescription":"This control checks whether your secrets have been rotated at least once within 90 days. Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/SecretsManager"}},"secretsmanager_secret_automatic_rotation_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/secretsmanager_secret_automatic_rotation_enabled","org":"turbot","name":"secretsmanager_secret_automatic_rotation_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'rotation_rules') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'rotation_rules') is null then ' automatic rotation disabled'\n else ' automatic rotation enabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_secretsmanager_secret';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/secretsmanager.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.secretsmanager_secret_automatic_rotation_enabled","org":"turbot","name":"secretsmanager_secret_automatic_rotation_enabled","mod":"Terraform AWS Compliance","title":"Secrets Manager secrets should have automatic rotation enabled","description":"This rule ensures AWS Secrets Manager secrets have rotation enabled. Rotating secrets on a regular schedule can shorten the period a secret is active, and potentially reduce the business impact if the secret is compromised.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/SecretsManager"}}],"controlTitle":"Secrets Manager secrets should have automatic rotation enabled","controlDescription":"This rule ensures AWS Secrets Manager secrets have rotation enabled. Rotating secrets on a regular schedule can shorten the period a secret is active, and potentially reduce the business impact if the secret is compromised.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/SecretsManager"}},"secretsmanager_secret_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/secretsmanager_secret_encrypted_with_kms_cmk","org":"turbot","name":"secretsmanager_secret_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when coalesce(trim((attributes_std ->> 'kms_key_id')), '') = '' or\n (attributes_std ->> 'kms_key_id') = 'aws/secretsmanager'\n then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when coalesce(trim((attributes_std ->> 'kms_key_id')), '') = '' or\n (attributes_std ->> 'kms_key_id') = 'aws/secretsmanager'\n then ' is encrypted at rest default KMS key'\n else ' is encrypted at rest using KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_secretsmanager_secret';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/secretsmanager.pp","startLineNumber":44,"endLineNumber":67,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.secretsmanager_secret_encrypted_with_kms_cmk","org":"turbot","name":"secretsmanager_secret_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Secrets Manager secrets should be encrypted with KMS CMK","description":"Ensure Secrets Manager secrets are encrypted at rest with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SecretsManager"}}],"controlTitle":"Secrets Manager secrets should be encrypted with KMS CMK","controlDescription":"Ensure Secrets Manager secrets are encrypted at rest with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SecretsManager"}}},"sage_maker":{"sagemaker_notebook_instance_direct_internet_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sagemaker_notebook_instance_direct_internet_access_disabled","org":"turbot","name":"sagemaker_notebook_instance_direct_internet_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'direct_internet_access') is null or (attributes_std ->> 'direct_internet_access') = 'Disabled' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when trim(attributes_std ->> 'direct_internet_access') = '' then ' ''direct_internet_access'' is not defined'\n when (attributes_std -> 'direct_internet_access') is null or (attributes_std ->> 'direct_internet_access') = 'Disabled' then ' direct internet access disabled'\n else ' direct internet access enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sagemaker_notebook_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sagemaker.pp","startLineNumber":22,"endLineNumber":42,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sagemaker_notebook_instance_direct_internet_access_disabled","org":"turbot","name":"sagemaker_notebook_instance_direct_internet_access_disabled","mod":"Terraform AWS Compliance","title":"SageMaker notebook instances should not have direct internet access","description":"Manage access to resources in the AWS Cloud by ensuring that Amazon SageMaker notebooks do not allow direct internet access.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/SageMaker"}}],"controlTitle":"SageMaker notebook instances should not have direct internet access","controlDescription":"Manage access to resources in the AWS Cloud by ensuring that Amazon SageMaker notebooks do not allow direct internet access.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/SageMaker"}},"sagemaker_notebook_instance_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sagemaker_notebook_instance_encryption_at_rest_enabled","org":"turbot","name":"sagemaker_notebook_instance_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is null then ' encryption at rest disabled'\n else ' encryption at rest enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sagemaker_notebook_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sagemaker.pp","startLineNumber":44,"endLineNumber":63,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sagemaker_notebook_instance_encryption_at_rest_enabled","org":"turbot","name":"sagemaker_notebook_instance_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"SageMaker notebook instance encryption should be enabled","description":"To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker notebook.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/SageMaker"}}],"controlTitle":"SageMaker notebook instance encryption should be enabled","controlDescription":"To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker notebook.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/SageMaker"}},"sagemaker_notebook_instance_root_access_disabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sagemaker_notebook_instance_root_access_disabled","org":"turbot","name":"sagemaker_notebook_instance_root_access_disabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'root_access') = 'Disabled' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'root_access') = 'Disabled' then ' root access disabled'\n else ' root access enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sagemaker_notebook_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sagemaker.pp","startLineNumber":86,"endLineNumber":105,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sagemaker_notebook_instance_root_access_disabled","org":"turbot","name":"sagemaker_notebook_instance_root_access_disabled","mod":"Terraform AWS Compliance","title":"SageMaker notebook instances root access should be disabled","description":"Users with root access have administrator privileges and users can access and edit all files on a notebook instance. It is recommeneded to disable root access to restrict users from accessing and editing all the files.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SageMaker"}}],"controlTitle":"SageMaker notebook instances root access should be disabled","controlDescription":"Users with root access have administrator privileges and users can access and edit all files on a notebook instance. It is recommeneded to disable root access to restrict users from accessing and editing all the files.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SageMaker"}},"sagemaker_notebook_instance_in_vpc":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sagemaker_notebook_instance_in_vpc","org":"turbot","name":"sagemaker_notebook_instance_in_vpc","sql":"select\n address as resource,\n case\n when (attributes_std -> 'subnet_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'subnet_id') is not null then ' in VPC'\n else ' not in VPC'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sagemaker_notebook_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sagemaker.pp","startLineNumber":65,"endLineNumber":84,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sagemaker_notebook_instance_in_vpc","org":"turbot","name":"sagemaker_notebook_instance_in_vpc","mod":"Terraform AWS Compliance","title":"SageMaker notebook instances should be in a VPC","description":"Manage access to the AWS Cloud by ensuring SageMaker notebook instances are within an Amazon Virtual Private Cloud (Amazon VPC).","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SageMaker"}}],"controlTitle":"SageMaker notebook instances should be in a VPC","controlDescription":"Manage access to the AWS Cloud by ensuring SageMaker notebook instances are within an Amazon Virtual Private Cloud (Amazon VPC).","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SageMaker"}},"sagemaker_domain_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sagemaker_domain_encrypted_with_kms_cmk","org":"turbot","name":"sagemaker_domain_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when attributes_std -> 'kms_key_id' is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when attributes_std -> 'kms_key_id' is not null then ' encrypted with KMS'\n else ' not encrypted with KMS'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sagemaker_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sagemaker.pp","startLineNumber":107,"endLineNumber":126,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sagemaker_domain_encrypted_with_kms_cmk","org":"turbot","name":"sagemaker_domain_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"SageMaker domain should be encypted using KMS CMK","description":"To help protect data at rest, ensure encryption is enabled for your SageMaker domain using KMS CMKs.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SageMaker"}}],"controlTitle":"SageMaker domain should be encypted using KMS CMK","controlDescription":"To help protect data at rest, ensure encryption is enabled for your SageMaker domain using KMS CMKs.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SageMaker"}},"sagemaker_endpoint_configuration_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/sagemaker_endpoint_configuration_encryption_at_rest_enabled","org":"turbot","name":"sagemaker_endpoint_configuration_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_arn') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_arn') is null then ' encryption at rest not enabled'\n else ' encryption at rest enabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_sagemaker_endpoint_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/sagemaker.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.sagemaker_endpoint_configuration_encryption_at_rest_enabled","org":"turbot","name":"sagemaker_endpoint_configuration_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"SageMaker endpoint configuration encryption should be enabled","description":"To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker endpoint.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/SageMaker"}}],"controlTitle":"SageMaker endpoint configuration encryption should be enabled","controlDescription":"To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker endpoint.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/SageMaker"}}},"elasticsearch":{"es_domain_data_nodes_min_3":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_data_nodes_min_3","org":"turbot","name":"es_domain_data_nodes_min_3","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cluster_config' -> 'zone_awareness_enabled')::bool = false then 'alarm'\n when (attributes_std -> 'cluster_config' -> 'zone_awareness_enabled')::bool and (attributes_std -> 'cluster_config' ->> 'instance_count')::int >= 3 then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cluster_config' -> 'zone_awareness_enabled')::bool = false then ' zone awareness disabled'\n else ' has ' || (attributes_std -> 'cluster_config' ->> 'instance_count') || ' data node(s)'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":27,"endLineNumber":47,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_data_nodes_min_3","org":"turbot","name":"es_domain_data_nodes_min_3","mod":"Terraform AWS Compliance","title":"Elasticsearch domains should have at least three data nodes","description":"This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is set to true.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"Elasticsearch domains should have at least three data nodes","controlDescription":"This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is set to true.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"opensearch_domain_enforce_https":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/opensearch_domain_enforce_https","org":"turbot","name":"opensearch_domain_enforce_https","sql":"select\n address as resource,\n case\n when (attributes_std -> 'domain_endpoint_options' ->> 'enforce_https')::boolean is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'domain_endpoint_options' ->> 'enforce_https')::boolean then ' enforces HTTPS'\n else ' does not enforce HTTPS'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_opensearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/opensearch.pp","startLineNumber":23,"endLineNumber":42,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.opensearch_domain_enforce_https","org":"turbot","name":"opensearch_domain_enforce_https","mod":"Terraform AWS Compliance","title":"OpenSearch domain should enforces HTTPS","description":"This control checks whether OpenSearch domains are configured to enforces HTTPS. This control fails if the OpenSearch domain does not enforces HTTPS.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"OpenSearch domain should enforces HTTPS","controlDescription":"This control checks whether OpenSearch domains are configured to enforces HTTPS. This control fails if the OpenSearch domain does not enforces HTTPS.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"es_domain_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_encryption_at_rest_enabled","org":"turbot","name":"es_domain_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encrypt_at_rest' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encrypt_at_rest' ->> 'enabled')::boolean then ' encryption at rest enabled'\n else ' encryption at rest disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":92,"endLineNumber":111,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_encryption_at_rest_enabled","org":"turbot","name":"es_domain_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"ES domain encryption at rest should be enabled","description":"Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elasticsearch Service (Amazon ES) domains.","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Elasticsearch"}}],"controlTitle":"ES domain encryption at rest should be enabled","controlDescription":"Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your Amazon Elasticsearch Service (Amazon ES) domains.","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Elasticsearch"}},"es_domain_encrypted_using_tls_1_2":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_encrypted_using_tls_1_2","org":"turbot","name":"es_domain_encrypted_using_tls_1_2","sql":"select\n address as resource,\n case\n when (attributes_std -> 'domain_endpoint_options' ->> 'tls_security_policy') = 'Policy-Min-TLS-1-2-2019-07' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'domain_endpoint_options' ->> 'tls_security_policy') = 'Policy-Min-TLS-1-2-2019-07' then ' encrypted using TLS 1.2'\n else ' not encrypted using TLS 1.2'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":71,"endLineNumber":90,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_encrypted_using_tls_1_2","org":"turbot","name":"es_domain_encrypted_using_tls_1_2","mod":"Terraform AWS Compliance","title":"Connections to Elasticsearch domains should be encrypted using TLS 1.2","description":"This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"Connections to Elasticsearch domains should be encrypted using TLS 1.2","controlDescription":"This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"es_domain_audit_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_audit_logging_enabled","org":"turbot","name":"es_domain_audit_logging_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'log_publishing_options' ->> 'cloudwatch_log_group_arn') is not null\n and (attributes_std -> 'log_publishing_options' ->> 'log_type')::text = 'AUDIT_LOGS')\n or\n ((attributes_std -> 'log_publishing_options') @> '[{\"log_type\": \"AUDIT_LOGS\"}]') then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'log_publishing_options' ->> 'cloudwatch_log_group_arn') is not null and (attributes_std -> 'log_publishing_options' ->> 'log_type')::text = 'AUDIT_LOGS')\n or\n ((attributes_std -> 'log_publishing_options') @> '[{\"log_type\": \"AUDIT_LOGS\"}]') then ' audit logging enabled'\n else ' audit logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":1,"endLineNumber":25,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_audit_logging_enabled","org":"turbot","name":"es_domain_audit_logging_enabled","mod":"Terraform AWS Compliance","title":"Elasticsearch domains should have audit logging enabled","description":"This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"Elasticsearch domains should have audit logging enabled","controlDescription":"This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"es_domain_error_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_error_logging_enabled","org":"turbot","name":"es_domain_error_logging_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'log_publishing_options' ->> 'cloudwatch_log_group_arn') is not null\n and (attributes_std -> 'log_publishing_options' ->> 'log_type')::text = 'ES_APPLICATION_LOGS') or\n (attributes_std -> 'log_publishing_options') @> '[{\"log_type\": \"ES_APPLICATION_LOGS\"}]' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'log_publishing_options' ->> 'cloudwatch_log_group_arn') is not null\n and (attributes_std -> 'log_publishing_options' ->> 'log_type')::text = 'ES_APPLICATION_LOGS') or (attributes_std -> 'log_publishing_options') @> '[{\"log_type\": \"ES_APPLICATION_LOGS\"}]' then ' error logging enabled'\n else ' error logging disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":113,"endLineNumber":135,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_error_logging_enabled","org":"turbot","name":"es_domain_error_logging_enabled","mod":"Terraform AWS Compliance","title":"Elasticsearch domain error logging to CloudWatch Logs should be enabled","description":"This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"Elasticsearch domain error logging to CloudWatch Logs should be enabled","controlDescription":"This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"opensearch_domain_encrpted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/opensearch_domain_encrpted_with_kms_cmk","org":"turbot","name":"opensearch_domain_encrpted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encrypt_at_rest' ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encrypt_at_rest' ->> 'kms_key_id') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_opensearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/opensearch.pp","startLineNumber":44,"endLineNumber":63,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.opensearch_domain_encrpted_with_kms_cmk","org":"turbot","name":"opensearch_domain_encrpted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"OpenSearch domain should be encrypted with KMS CMK","description":"This control checks whether OpenSearch domains are configured to use KMS CMK for encryption at rest. This control fails if the OpenSearch domain does not use KMS CMK for encryption at rest.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"OpenSearch domain should be encrypted with KMS CMK","controlDescription":"This control checks whether OpenSearch domains are configured to use KMS CMK for encryption at rest. This control fails if the OpenSearch domain does not use KMS CMK for encryption at rest.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"es_domain_logs_to_cloudwatch":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_logs_to_cloudwatch","org":"turbot","name":"es_domain_logs_to_cloudwatch","sql":"select\n address as resource,\n case\n when (attributes_std -> 'log_publishing_options') @> '[{\"log_type\": \"ES_APPLICATION_LOGS\"}]' and\n (attributes_std -> 'log_publishing_options') @> '[{\"log_type\": \"ES_APPLICATION_LOGS\"}]' and\n (attributes_std -> 'log_publishing_options') @> '[{\"log_type\": \"ES_APPLICATION_LOGS\"}]' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'log_publishing_options') @> '[{\"log_type\": \"ES_APPLICATION_LOGS\"}]' and\n (attributes_std -> 'log_publishing_options') @> '[{\"log_type\": \"ES_APPLICATION_LOGS\"}]' and\n (attributes_std -> 'log_publishing_options') @> '[{\"log_type\": \"ES_APPLICATION_LOGS\"}]' then ' logging enabled for search , index and error'\n else ' logging not enabled for all search, index and error'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":158,"endLineNumber":182,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_logs_to_cloudwatch","org":"turbot","name":"es_domain_logs_to_cloudwatch","mod":"Terraform AWS Compliance","title":"Elasticsearch domain should send logs to cloudWatch","description":"Ensure if Amazon OpenSearch Service (OpenSearch Service) domains are configured to send logs to Amazon CloudWatch Logs. The rule is complaint if a log is enabled for an OpenSearch Service domain. This rule is non complain if logging is not configured.","tags":{"category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Elasticsearch"}}],"controlTitle":"Elasticsearch domain should send logs to cloudWatch","controlDescription":"Ensure if Amazon OpenSearch Service (OpenSearch Service) domains are configured to send logs to Amazon CloudWatch Logs. The rule is complaint if a log is enabled for an OpenSearch Service domain. This rule is non complain if logging is not configured.","controlTags":{"category":"Compliance","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Elasticsearch"}},"es_domain_node_to_node_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_node_to_node_encryption_enabled","org":"turbot","name":"es_domain_node_to_node_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'node_to_node_encryption' ->> 'enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'node_to_node_encryption' ->> 'enabled')::boolean then ' node-to-node encryption enabled'\n else ' node-to-node encryption disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":184,"endLineNumber":203,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_node_to_node_encryption_enabled","org":"turbot","name":"es_domain_node_to_node_encryption_enabled","mod":"Terraform AWS Compliance","title":"Elasticsearch domain node-to-node encryption should be enabled","description":"Ensure node-to-node encryption for Amazon Elasticsearch Service is enabled. Node-to-node encryption enables TLS 1.2 encryption for all communications within the Amazon Virtual Private Cloud (Amazon VPC).","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Elasticsearch"}}],"controlTitle":"Elasticsearch domain node-to-node encryption should be enabled","controlDescription":"Ensure node-to-node encryption for Amazon Elasticsearch Service is enabled. Node-to-node encryption enables TLS 1.2 encryption for all communications within the Amazon Virtual Private Cloud (Amazon VPC).","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Elasticsearch"}},"es_domain_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_encrypted_with_kms_cmk","org":"turbot","name":"es_domain_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encrypt_at_rest' -> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encrypt_at_rest' -> 'kms_key_id') is not null then ' encrypted with KMS CMK'\n else ' not encrypted with KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":247,"endLineNumber":266,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_encrypted_with_kms_cmk","org":"turbot","name":"es_domain_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Elasticsearch domain should be encrypted with KMS CMK","description":"This control checks whether Elasticsearch domains are configured to use KMS CMK for encryption at rest. This control fails if the Elasticsearch domain does not use KMS CMK for encryption at rest.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"Elasticsearch domain should be encrypted with KMS CMK","controlDescription":"This control checks whether Elasticsearch domains are configured to use KMS CMK for encryption at rest. This control fails if the Elasticsearch domain does not use KMS CMK for encryption at rest.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"es_domain_in_vpc":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_in_vpc","org":"turbot","name":"es_domain_in_vpc","sql":"select\n address as resource,\n case\n when (attributes_std -> 'vpc_options' -> 'subnet_ids') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'vpc_options' -> 'subnet_ids') is not null then ' in VPC'\n else ' not in VPC'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":137,"endLineNumber":156,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_in_vpc","org":"turbot","name":"es_domain_in_vpc","mod":"Terraform AWS Compliance","title":"Amazon Elasticsearch Service domains should be in a VPC","description":"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access. You should ensure that Amazon Elasticsearch domains are not attached to public subnets.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Elasticsearch"}}],"controlTitle":"Amazon Elasticsearch Service domains should be in a VPC","controlDescription":"This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access. You should ensure that Amazon Elasticsearch domains are not attached to public subnets.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Elasticsearch"}},"es_domain_dedicated_master_nodes_min_3":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_dedicated_master_nodes_min_3","org":"turbot","name":"es_domain_dedicated_master_nodes_min_3","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cluster_config' -> 'dedicated_master_enabled')::bool = false then 'alarm'\n when (attributes_std -> 'cluster_config' -> 'dedicated_master_enabled')::bool and (attributes_std -> 'cluster_config' ->> 'instance_count')::int >= 3 then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cluster_config' -> 'dedicated_master_enabled')::bool = false then ' dedicated master nodes disabled'\n else ' has ' || (attributes_std -> 'cluster_config' ->> 'instance_count') || ' data node(s)'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":49,"endLineNumber":69,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_dedicated_master_nodes_min_3","org":"turbot","name":"es_domain_dedicated_master_nodes_min_3","mod":"Terraform AWS Compliance","title":"Elasticsearch domains should be configured with at least three dedicated master nodes","description":"This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in additional cost.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"Elasticsearch domains should be configured with at least three dedicated master nodes","controlDescription":"This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in additional cost.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"es_domain_use_default_security_group":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_use_default_security_group","org":"turbot","name":"es_domain_use_default_security_group","sql":"select\n address as resource,\n case\n when (attributes_std -> 'vpc_options' ->> 'security_group_ids') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'vpc_options' ->> 'security_group_ids') is not null then ' default security group not set'\n else ' default security group set'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":205,"endLineNumber":224,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_use_default_security_group","org":"turbot","name":"es_domain_use_default_security_group","mod":"Terraform AWS Compliance","title":"Elasticsearch domain should not use the default security group","description":"This control checks whether Elasticsearch domains are configured to use the default security group. This control fails if the Elasticsearch domain uses the default security group.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"Elasticsearch domain should not use the default security group","controlDescription":"This control checks whether Elasticsearch domains are configured to use the default security group. This control fails if the Elasticsearch domain uses the default security group.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}},"es_domain_enforce_https":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/es_domain_enforce_https","org":"turbot","name":"es_domain_enforce_https","sql":"select\n address as resource,\n case\n when (attributes_std -> 'domain_endpoint_options' ->> 'enforce_https')::boolean or (attributes_std -> 'domain_endpoint_options') is null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'domain_endpoint_options' ->> 'enforce_https')::boolean or (attributes_std -> 'domain_endpoint_options') is null then ' enforces HTTPS'\n else ' does not enforces HTTPS'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticsearch_domain';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/es.pp","startLineNumber":226,"endLineNumber":245,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.es_domain_enforce_https","org":"turbot","name":"es_domain_enforce_https","mod":"Terraform AWS Compliance","title":"Elasticsearch domain should enforces HTTPS","description":"This control checks whether Elasticsearch domains are configured to enforces HTTPS. This control fails if the Elasticsearch domain does not enforces HTTPS.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}],"controlTitle":"Elasticsearch domain should enforces HTTPS","controlDescription":"This control checks whether Elasticsearch domains are configured to enforces HTTPS. This control fails if the Elasticsearch domain does not enforces HTTPS.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Elasticsearch"}}},"msk":{"msk_cluster_nodes_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/msk_cluster_nodes_publicly_accessible","org":"turbot","name":"msk_cluster_nodes_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std -> 'broker_node_group_info' -> 'connectivity_info' -> 'public_access' ->> 'type') = 'SERVICE_PROVIDED_EIPS' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'broker_node_group_info' -> 'connectivity_info' -> 'public_access' ->> 'type') = 'SERVICE_PROVIDED_EIPS' then ' cluster nodes are public'\n else ' cluster nodes are private'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_msk_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/msk.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.msk_cluster_nodes_publicly_accessible","org":"turbot","name":"msk_cluster_nodes_publicly_accessible","mod":"Terraform AWS Compliance","title":"MSK Cluster Nodes should not be publicly accessible","description":"This control checks whether MSK Cluster Nodes are private. This control fails if MSK Cluster Nodes are publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MSK"}}],"controlTitle":"MSK Cluster Nodes should not be publicly accessible","controlDescription":"This control checks whether MSK Cluster Nodes are private. This control fails if MSK Cluster Nodes are publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MSK"}},"msk_cluster_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/msk_cluster_encrypted_with_kms_cmk","org":"turbot","name":"msk_cluster_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_at_rest_kms_key_arn') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_at_rest_kms_key_arn') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_msk_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/msk.pp","startLineNumber":66,"endLineNumber":85,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.msk_cluster_encrypted_with_kms_cmk","org":"turbot","name":"msk_cluster_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"MSK Cluster Nodes should have be encrypted with KMS CMK","description":"This control checks whether the MSK Cluster is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MSK"}}],"controlTitle":"MSK Cluster Nodes should have be encrypted with KMS CMK","controlDescription":"This control checks whether the MSK Cluster is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MSK"}},"msk_cluster_encryption_in_transit_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/msk_cluster_encryption_in_transit_enabled","org":"turbot","name":"msk_cluster_encryption_in_transit_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_info') is null then 'alarm'\n when ((attributes_std -> 'encryption_info' ->> 'client_broker') = 'TLS' and (attributes_std -> 'encryption_info' ->> 'in_cluster')::bool) then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_info') is null then ' not encrypted'\n when ((attributes_std -> 'encryption_info' ->> 'client_broker') = 'TLS' and (attributes_std -> 'encryption_info' ->> 'in_cluster')::bool) then ' encryption in transit enabled'\n else ' encryption in transit disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_msk_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/msk.pp","startLineNumber":43,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.msk_cluster_encryption_in_transit_enabled","org":"turbot","name":"msk_cluster_encryption_in_transit_enabled","mod":"Terraform AWS Compliance","title":"MSK Cluster Nodes should have encryption in transt enabled","description":"This control checks whether the MSK Cluster has encryption in transit enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MSK"}}],"controlTitle":"MSK Cluster Nodes should have encryption in transt enabled","controlDescription":"This control checks whether the MSK Cluster has encryption in transit enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MSK"}},"msk_cluster_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/msk_cluster_logging_enabled","org":"turbot","name":"msk_cluster_logging_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'logging_info' -> 'broker_logs' -> 'cloudwatch_logs' ->> 'enabled')::bool or (attributes_std -> 'logging_info' -> 'broker_logs' -> 'firehose' ->> 'enabled')::bool or (attributes_std -> 'logging_info' -> 'broker_logs' -> 's3' ->> 'enabled')::bool) then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'logging_info' -> 'broker_logs' -> 'cloudwatch_logs' ->> 'enabled')::bool or (attributes_std -> 'logging_info' -> 'broker_logs' -> 'firehose' ->> 'enabled')::bool or (attributes_std -> 'logging_info' -> 'broker_logs' -> 's3' ->> 'enabled')::bool) then ' logging enabled'\n else ' logging disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_msk_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/msk.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.msk_cluster_logging_enabled","org":"turbot","name":"msk_cluster_logging_enabled","mod":"Terraform AWS Compliance","title":"MSK Cluster Nodes should have logging enabled","description":"This control checks whether logging is enabled for the MSK Cluster.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MSK"}}],"controlTitle":"MSK Cluster Nodes should have logging enabled","controlDescription":"This control checks whether logging is enabled for the MSK Cluster.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MSK"}}},"lambda":{"lambda_function_dead_letter_queue_configured":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_dead_letter_queue_configured","org":"turbot","name":"lambda_function_dead_letter_queue_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'dead_letter_config') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'dead_letter_config') is null then ' not configured with dead-letter queue'\n else ' configured with dead-letter queue'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lambda_function';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":24,"endLineNumber":43,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_dead_letter_queue_configured","org":"turbot","name":"lambda_function_dead_letter_queue_configured","mod":"Terraform AWS Compliance","title":"Lambda functions should be configured with a dead-letter queue","description":"Enable this rule to help notify the appropriate personnel through Amazon Simple Queue Service (Amazon SQS) or Amazon Simple Notification Service (Amazon SNS) when a function has failed.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/Lambda","soc_2":"true"}}],"controlTitle":"Lambda functions should be configured with a dead-letter queue","controlDescription":"Enable this rule to help notify the appropriate personnel through Amazon Simple Queue Service (Amazon SQS) or Amazon Simple Notification Service (Amazon SNS) when a function has failed.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/Lambda","soc_2":"true"}},"lambda_function_environment_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_environment_encryption_enabled","org":"turbot","name":"lambda_function_environment_encryption_enabled","sql":"$90","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":191,"endLineNumber":214,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_environment_encryption_enabled","org":"turbot","name":"lambda_function_environment_encryption_enabled","mod":"Terraform AWS Compliance","title":"Lambda functions variable encryption should be enabled","description":"Ensure that functions environment variables encryption is enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}}],"controlTitle":"Lambda functions variable encryption should be enabled","controlDescription":"Ensure that functions environment variables encryption is enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}},"lambda_function_in_vpc":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_in_vpc","org":"turbot","name":"lambda_function_in_vpc","sql":"select\n address as resource,\n case\n when (attributes_std -> 'vpc_config') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'vpc_config') is null then ' is not in VPC'\n else ' is in VPC'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lambda_function';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":45,"endLineNumber":64,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_in_vpc","org":"turbot","name":"lambda_function_in_vpc","mod":"Terraform AWS Compliance","title":"Lambda functions should be in a VPC","description":"Deploy AWS Lambda functions within an Amazon Virtual Private Cloud (Amazon VPC) for a secure communication between a function and other services within the Amazon VPC.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Lambda"}}],"controlTitle":"Lambda functions should be in a VPC","controlDescription":"Deploy AWS Lambda functions within an Amazon Virtual Private Cloud (Amazon VPC) for a secure communication between a function and other services within the Amazon VPC.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","pci":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/Lambda"}},"lambda_function_concurrent_execution_limit_configured":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_concurrent_execution_limit_configured","org":"turbot","name":"lambda_function_concurrent_execution_limit_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'reserved_concurrent_executions') is null then 'alarm'\n when (attributes_std -> 'reserved_concurrent_executions')::integer = -1 then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'reserved_concurrent_executions') is null then ' function-level concurrent execution limit not configured'\n when (attributes_std -> 'reserved_concurrent_executions')::integer = -1 then ' function-level concurrent execution limit not configured'\n else ' function-level concurrent execution limit configured'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lambda_function';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_concurrent_execution_limit_configured","org":"turbot","name":"lambda_function_concurrent_execution_limit_configured","mod":"Terraform AWS Compliance","title":"Lambda functions concurrent execution limit configured","description":"Checks whether the AWS Lambda function is configured with function-level concurrent execution limit. The control is non complaint if the Lambda function is not configured with function-level concurrent execution limit.","tags":{"category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/Lambda","soc_2":"true"}}],"controlTitle":"Lambda functions concurrent execution limit configured","controlDescription":"Checks whether the AWS Lambda function is configured with function-level concurrent execution limit. The control is non complaint if the Lambda function is not configured with function-level concurrent execution limit.","controlTags":{"category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/Lambda","soc_2":"true"}},"lambda_function_variables_no_sensitive_data":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_variables_no_sensitive_data","org":"turbot","name":"lambda_function_variables_no_sensitive_data","sql":"$91","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":154,"endLineNumber":189,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_variables_no_sensitive_data","org":"turbot","name":"lambda_function_variables_no_sensitive_data","mod":"Terraform AWS Compliance","title":"Lambda functions variable should not have any sensitive data","description":"Ensure functions environment variables is not having any sensitive data. Leveraging Secrets Manager enables secure provisioning of database credentials to Lambda functions while also ensuring the security of databases. This approach eliminates the need to hardcode secrets in code or pass them through environmental variables. Additionally, Secrets Manager facilitates the secure retrieval of credentials for establishing connections to databases and performing queries, enhancing overall security measures.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}}],"controlTitle":"Lambda functions variable should not have any sensitive data","controlDescription":"Ensure functions environment variables is not having any sensitive data. Leveraging Secrets Manager enables secure provisioning of database credentials to Lambda functions while also ensuring the security of databases. This approach eliminates the need to hardcode secrets in code or pass them through environmental variables. Additionally, Secrets Manager facilitates the secure retrieval of credentials for establishing connections to databases and performing queries, enhancing overall security measures.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}},"lambda_function_code_signing_configured":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_code_signing_configured","org":"turbot","name":"lambda_function_code_signing_configured","sql":"select\n address as resource,\n case\n when (attributes_std -> 'code_signing_config_arn') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'code_signing_config_arn') is null then ' code signing not configured'\n else ' code signing is configured'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lambda_function';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":133,"endLineNumber":152,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_code_signing_configured","org":"turbot","name":"lambda_function_code_signing_configured","mod":"Terraform AWS Compliance","title":"Lambda functions should have code signing configured","description":"This control checks whether code signing is configured for lambda function.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}}],"controlTitle":"Lambda functions should have code signing configured","controlDescription":"This control checks whether code signing is configured for lambda function.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}},"lambda_function_xray_tracing_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_xray_tracing_enabled","org":"turbot","name":"lambda_function_xray_tracing_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'tracing_config') is null then 'alarm'\n when (attributes_std -> 'tracing_config' ->> 'mode') = 'Active' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'tracing_config') is null then ' has X-Ray tracing disabled'\n when (attributes_std -> 'tracing_config' ->> 'mode') = 'Active' then ' has X-Ray tracing enabled'\n else ' has X-Ray tracing disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lambda_function';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":89,"endLineNumber":110,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_xray_tracing_enabled","org":"turbot","name":"lambda_function_xray_tracing_enabled","mod":"Terraform AWS Compliance","title":"Lambda functions xray tracing should be enabled","description":"X-Ray tracing in lambda functions allows you to visualize and troubleshoot errors and performance bottlenecks, and investigate requests that resulted in an error.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}}],"controlTitle":"Lambda functions xray tracing should be enabled","controlDescription":"X-Ray tracing in lambda functions allows you to visualize and troubleshoot errors and performance bottlenecks, and investigate requests that resulted in an error.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}},"lambda_function_use_latest_runtime":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_use_latest_runtime","org":"turbot","name":"lambda_function_use_latest_runtime","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'runtime') is null then 'skip'\n when (attributes_std ->> 'runtime') in ('nodejs14.x', 'nodejs12.x', 'nodejs10.x', 'python3.8', 'python3.7', 'python3.6', 'ruby2.5', 'ruby2.7', 'java11', 'java8', 'go1.x', 'dotnetcore2.1', 'dotnetcore3.1') then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'runtime') is null then ' runtime not set'\n when (attributes_std ->> 'runtime') in ('nodejs14.x', 'nodejs12.x', 'nodejs10.x', 'python3.8', 'python3.7', 'python3.6', 'ruby2.5', 'ruby2.7', 'java11', 'java8', 'go1.x', 'dotnetcore2.1', 'dotnetcore3.1') then ' uses latest runtime - ' || (attributes_std ->> 'runtime') || '.'\n else ' uses ' || (attributes_std ->> 'runtime')|| ' which is not the latest version.'\n end as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\ntype = 'aws_lambda_function';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":66,"endLineNumber":87,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_use_latest_runtime","org":"turbot","name":"lambda_function_use_latest_runtime","mod":"Terraform AWS Compliance","title":"Lambda functions should use latest runtimes","description":"This control checks that the Lambda function settings for runtimes match the expected values set for the latest runtimes for each supported language. This control checks for the following runtimes: nodejs14.x, nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.7, ruby2.5,java11, java8, go1.x, dotnetcore3.1, dotnetcore2.1.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}}],"controlTitle":"Lambda functions should use latest runtimes","controlDescription":"This control checks that the Lambda function settings for runtimes match the expected values set for the latest runtimes for each supported language. This control checks for the following runtimes: nodejs14.x, nodejs12.x, nodejs10.x, python3.8, python3.7, python3.6, ruby2.7, ruby2.5,java11, java8, go1.x, dotnetcore3.1, dotnetcore2.1.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}},"lambda_permission_restricted_service_permission":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_permission_restricted_service_permission","org":"turbot","name":"lambda_permission_restricted_service_permission","sql":"$92","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":216,"endLineNumber":243,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_permission_restricted_service_permission","org":"turbot","name":"lambda_permission_restricted_service_permission","mod":"Terraform AWS Compliance","title":"Lambda permissions should restrict service permission by source account or source arn","description":"Ensure that Lambda permissions restricts service permission by source account or source arn.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}}],"controlTitle":"Lambda permissions should restrict service permission by source account or source arn","controlDescription":"Ensure that Lambda permissions restricts service permission by source account or source arn.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}},"lambda_function_url_auth_type_configured":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/lambda_function_url_auth_type_configured","org":"turbot","name":"lambda_function_url_auth_type_configured","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'authorization_type') = 'NONE' then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'authorization_type') = 'NONE' then ' URLs AuthType is not configured'\n else ' URLs AuthType is configured'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lambda_function_url';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/lambda.pp","startLineNumber":112,"endLineNumber":131,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.lambda_function_url_auth_type_configured","org":"turbot","name":"lambda_function_url_auth_type_configured","mod":"Terraform AWS Compliance","title":"Lambda functions should not have URLs AuthType as 'None'","description":"This control checks whether lambda function have URL AuthType set to 'None'.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}}],"controlTitle":"Lambda functions should not have URLs AuthType as 'None'","controlDescription":"This control checks whether lambda function have URL AuthType set to 'None'.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Lambda"}}},"mq":{"mq_broker_audit_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mq_broker_audit_logging_enabled","org":"turbot","name":"mq_broker_audit_logging_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'engine_type') = 'RabbitMQ') and (attributes_std -> 'logs' ->> 'audit')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'engine_type') = 'RabbitMQ') and (attributes_std -> 'logs' ->> 'audit')::bool is null then ' audit logging enabled'\n else ' audit logging disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_mq_broker';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mqbroker.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mq_broker_audit_logging_enabled","org":"turbot","name":"mq_broker_audit_logging_enabled","mod":"Terraform AWS Compliance","title":"MQ Broker should have audit logging enabled","description":"This control checks whether audit logging is enabled for the MQ Broker.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}}],"controlTitle":"MQ Broker should have audit logging enabled","controlDescription":"This control checks whether audit logging is enabled for the MQ Broker.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}},"mq_broker_automatic_minor_upgrade_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mq_broker_automatic_minor_upgrade_enabled","org":"turbot","name":"mq_broker_automatic_minor_upgrade_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'auto_minor_version_upgrade')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'auto_minor_version_upgrade')::bool then ' automatic minor version upgrade enabled'\n else ' automatic minor version upgrade disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_mq_broker';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mqbroker.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mq_broker_automatic_minor_upgrade_enabled","org":"turbot","name":"mq_broker_automatic_minor_upgrade_enabled","mod":"Terraform AWS Compliance","title":"MQ Broker should have automatic minor version upgrade enabled","description":"This control checks whether automatic minor version upgrade is enabled for the MQ Broker.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}}],"controlTitle":"MQ Broker should have automatic minor version upgrade enabled","controlDescription":"This control checks whether automatic minor version upgrade is enabled for the MQ Broker.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}},"mq_broker_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mq_broker_publicly_accessible","org":"turbot","name":"mq_broker_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'publicly_accessible')::bool then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'publicly_accessible')::bool then ' is publicly accessible'\n else ' is not publicly accessible'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_mq_broker';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mqbroker.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mq_broker_publicly_accessible","org":"turbot","name":"mq_broker_publicly_accessible","mod":"Terraform AWS Compliance","title":"MQ Broker should not be publicly accessible","description":"This control checks whether the MQ Broker is publicly accessible. This control is non-compliant if the MQ Broker is publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}}],"controlTitle":"MQ Broker should not be publicly accessible","controlDescription":"This control checks whether the MQ Broker is publicly accessible. This control is non-compliant if the MQ Broker is publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}},"mq_broker_general_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mq_broker_general_logging_enabled","org":"turbot","name":"mq_broker_general_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'logs' ->> 'general')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'logs' ->> 'general')::bool is null then ' general logging enabled'\n else ' general logging disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_mq_broker';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mqbroker.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mq_broker_general_logging_enabled","org":"turbot","name":"mq_broker_general_logging_enabled","mod":"Terraform AWS Compliance","title":"MQ Broker should have general logging enabled","description":"This control checks whether general logging is enabled for the MQ Broker.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}}],"controlTitle":"MQ Broker should have general logging enabled","controlDescription":"This control checks whether general logging is enabled for the MQ Broker.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}},"mq_broker_currect_broker_version":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mq_broker_currect_broker_version","org":"turbot","name":"mq_broker_currect_broker_version","sql":"$93","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mqbroker.pp","startLineNumber":106,"endLineNumber":127,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mq_broker_currect_broker_version","org":"turbot","name":"mq_broker_currect_broker_version","mod":"Terraform AWS Compliance","title":"MQ Broker should use correct engine version for their engine type","description":"This control checks whether the MQ Broker uses the correct engine version for their engine type.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}}],"controlTitle":"MQ Broker should use correct engine version for their engine type","controlDescription":"This control checks whether the MQ Broker uses the correct engine version for their engine type.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}},"mq_broker_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/mq_broker_encrypted_with_kms_cmk","org":"turbot","name":"mq_broker_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when ((attributes_std -> 'encryption_option' ->> 'use_aws_owned_key')::bool and (attributes_std -> 'encryption_option' ->> 'kms_key_id') is null) then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std -> 'encryption_option' ->> 'use_aws_owned_key')::bool and (attributes_std -> 'encryption_option' ->> 'kms_key_id') is null) then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_mq_broker';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/mqbroker.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.mq_broker_encrypted_with_kms_cmk","org":"turbot","name":"mq_broker_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"MQ Broker should be encrypted with KMS CMK","description":"This control checks whether the MQ Broker is encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}}],"controlTitle":"MQ Broker should be encrypted with KMS CMK","controlDescription":"This control checks whether the MQ Broker is encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/MQ"}}},"ses":{"ses_configuration_set_tls_enforced":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ses_configuration_set_tls_enforced","org":"turbot","name":"ses_configuration_set_tls_enforced","sql":"select\n address as resource,\n case\n when (attributes_std -> 'delivery_options' ->> 'tls_policy') = 'Require' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'delivery_options' ->> 'tls_policy')= 'Require' then ' TLS enforced'\n else ' TLS not enforced'\n end || '.' as reason\n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ses_configuration_set';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ses.pp","startLineNumber":1,"endLineNumber":19,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ses_configuration_set_tls_enforced","org":"turbot","name":"ses_configuration_set_tls_enforced","mod":"Terraform AWS Compliance","title":"SES configuration set should enforce TLS usage","description":"This control ensures that TLS is enforced for SES configuration set. Enforcing TLS usage in SES configuration set is essential in securing email communications, ensuring data privacy, and maintaining compliance with various data protection standards.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/SES"}}],"controlTitle":"SES configuration set should enforce TLS usage","controlDescription":"This control ensures that TLS is enforced for SES configuration set. Enforcing TLS usage in SES configuration set is essential in securing email communications, ensuring data privacy, and maintaining compliance with various data protection standards.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/SES"}}},"kendra":{"kendra_index_server_side_encryption_uses_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/kendra_index_server_side_encryption_uses_kms_cmk","org":"turbot","name":"kendra_index_server_side_encryption_uses_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'server_side_encryption_configuration' ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'server_side_encryption_configuration' ->> 'kms_key_id') is not null then ' uses KMS CMK'\n else ' does not use KMS CMK'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_kendra_index';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/kendra.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.kendra_index_server_side_encryption_uses_kms_cmk","org":"turbot","name":"kendra_index_server_side_encryption_uses_kms_cmk","mod":"Terraform AWS Compliance","title":"Kendra indexes should use KMS CMKs for server-side encryption","description":"This control checks whether Kendra indexes are using KMS CMKs for server-side encryption.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kendra"}}],"controlTitle":"Kendra indexes should use KMS CMKs for server-side encryption","controlDescription":"This control checks whether Kendra indexes are using KMS CMKs for server-side encryption.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Kendra"}}},"elb":{"elb_classic_lb_use_tls_https_listeners":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_classic_lb_use_tls_https_listeners","org":"turbot","name":"elb_classic_lb_use_tls_https_listeners","sql":"select\n address as resource,\n case\n when (attributes_std -> 'listener' ->> 'lb_protocol') like any (array ['HTTPS', 'TLS']) then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'listener' ->> 'lb_protocol') like any (array ['HTTPS', 'TLS']) then ' configured with ' || (attributes_std -> 'listener' ->> 'lb_protocol') || ' protocol'\n else ' not configured with HTTPS or TLS protocol'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elb';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":168,"endLineNumber":187,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_classic_lb_use_tls_https_listeners","org":"turbot","name":"elb_classic_lb_use_tls_https_listeners","mod":"Terraform AWS Compliance","title":"ELB classic load balancers should only use SSL or HTTPS listeners","description":"Ensure that your Elastic Load Balancers (ELBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data.","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB"}}],"controlTitle":"ELB classic load balancers should only use SSL or HTTPS listeners","controlDescription":"Ensure that your Elastic Load Balancers (ELBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data.","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB"}},"elb_application_lb_drop_invalid_header_fields":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_application_lb_drop_invalid_header_fields","org":"turbot","name":"elb_application_lb_drop_invalid_header_fields","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'load_balancer_type') like any (array ['gateway', 'network']) then 'skip'\n when (attributes_std ->> 'drop_invalid_header_fields')::boolean and ((attributes_std ->> 'load_balancer_type') is null or (attributes_std ->> 'load_balancer_type') = 'application')\n then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'load_balancer_type') like any (array ['gateway', 'network']) then ' load balancer is of ' || (attributes_std ->> 'load_balancer_type') || ' type'\n when (attributes_std ->> 'drop_invalid_header_fields')::boolean\n and ((attributes_std ->> 'load_balancer_type') is null or (attributes_std ->> 'load_balancer_type') = 'application')\n then ' configured to drop invalid http header field(s)'\n else ' not configured to drop invalid http header field(s)'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('aws_lb', 'aws_alb');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":233,"endLineNumber":257,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_application_lb_drop_invalid_header_fields","org":"turbot","name":"elb_application_lb_drop_invalid_header_fields","mod":"Terraform AWS Compliance","title":"ELB application load balancers should have drop invalid header fields configured","description":"Ensure that your application load balancers are configured to drop invalid header fields.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"ELB application load balancers should have drop invalid header fields configured","controlDescription":"Ensure that your application load balancers are configured to drop invalid header fields.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}},"elb_application_lb_drop_http_headers":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_application_lb_drop_http_headers","org":"turbot","name":"elb_application_lb_drop_http_headers","sql":"select\n address as resource,\n case\n when (attributes_std -> 'drop_invalid_header_fields') is null then 'alarm'\n when (attributes_std -> 'drop_invalid_header_fields')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'drop_invalid_header_fields') is null then ' ''drop_invalid_header_fields'' disabled'\n when (attributes_std -> 'drop_invalid_header_fields')::boolean then ' ''drop_invalid_header_fields'' enabled'\n else ' ''drop_invalid_header_fields'' disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lb';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":74,"endLineNumber":95,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_application_lb_drop_http_headers","org":"turbot","name":"elb_application_lb_drop_http_headers","mod":"Terraform AWS Compliance","title":"ELB application load balancers should be drop HTTP headers","description":"Ensure that your Elastic Load Balancers are configured to drop HTTP headers.","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB"}}],"controlTitle":"ELB application load balancers should be drop HTTP headers","controlDescription":"Ensure that your Elastic Load Balancers are configured to drop HTTP headers.","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB"}},"elb_classic_lb_use_ssl_certificate":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_classic_lb_use_ssl_certificate","org":"turbot","name":"elb_classic_lb_use_ssl_certificate","sql":"$94","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":143,"endLineNumber":166,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_classic_lb_use_ssl_certificate","org":"turbot","name":"elb_classic_lb_use_ssl_certificate","mod":"Terraform AWS Compliance","title":"ELB classic load balancers should use SSL certificates","description":"Because sensitive data can exist and to help protect data at transit, ensure encryption is enabled for your Elastic Load Balancing.","tags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB"}}],"controlTitle":"ELB classic load balancers should use SSL certificates","controlDescription":"Because sensitive data can exist and to help protect data at transit, ensure encryption is enabled for your Elastic Load Balancing.","controlTags":{"category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB"}},"elb_application_lb_deletion_protection_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_application_lb_deletion_protection_enabled","org":"turbot","name":"elb_application_lb_deletion_protection_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enable_deletion_protection') is null then 'alarm'\n when (attributes_std -> 'enable_deletion_protection')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enable_deletion_protection') is null then ' ''enable_deletion_protection'' not defined'\n when (attributes_std -> 'enable_deletion_protection')::boolean then ' deletion protection enabled'\n else ' deletion protection disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lb';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":51,"endLineNumber":72,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_application_lb_deletion_protection_enabled","org":"turbot","name":"elb_application_lb_deletion_protection_enabled","mod":"Terraform AWS Compliance","title":"ELB application load balancer deletion protection should be enabled","description":"This rule ensures that Elastic Load Balancing has deletion protection enabled.","tags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"ELB application load balancer deletion protection should be enabled","controlDescription":"This rule ensures that Elastic Load Balancing has deletion protection enabled.","controlTags":{"aws_foundational_security":"true","category":"Compliance","hipaa":"true","nist_csf":"true","plugin":"terraform","service":"AWS/ELB"}},"elb_classic_lb_use_desync_mitigation_mode":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_classic_lb_use_desync_mitigation_mode","org":"turbot","name":"elb_classic_lb_use_desync_mitigation_mode","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'desync_mitigation_mode') like any (array ['defensive', 'strictest']) then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'desync_mitigation_mode') like any (array ['defensive', 'strictest']) then ' configured with ' || (attributes_std ->> 'desync_mitigation_mode') || ' mitigation mode'\n else ' not configured with defensive or strictest desync mitigation mode'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elb';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":210,"endLineNumber":229,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_classic_lb_use_desync_mitigation_mode","org":"turbot","name":"elb_classic_lb_use_desync_mitigation_mode","mod":"Terraform AWS Compliance","title":"ELB classic load balancers should have defensive or strictest desync mitigation mode configured","description":"Ensure that your classic load balancers (ELBs) are configured with defensive or strictest desync mitigation mode.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"ELB classic load balancers should have defensive or strictest desync mitigation mode configured","controlDescription":"Ensure that your classic load balancers (ELBs) are configured with defensive or strictest desync mitigation mode.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}},"elb_lb_use_secure_protocol_listener":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_lb_use_secure_protocol_listener","org":"turbot","name":"elb_lb_use_secure_protocol_listener","sql":"$95","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":259,"endLineNumber":280,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_lb_use_secure_protocol_listener","org":"turbot","name":"elb_lb_use_secure_protocol_listener","mod":"Terraform AWS Compliance","title":"ELB load balancer listeners should use a secure protocol","description":"Ensure that your load balancer listeners are configured with a secure protocol including redirections.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"ELB load balancer listeners should use a secure protocol","controlDescription":"Ensure that your load balancer listeners are configured with a secure protocol including redirections.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}},"elb_application_lb_waf_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_application_lb_waf_enabled","org":"turbot","name":"elb_application_lb_waf_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enable_waf_fail_open') is null then 'alarm'\n when (attributes_std -> 'enable_waf_fail_open')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enable_waf_fail_open') is null then ' WAF disabled'\n when (attributes_std -> 'enable_waf_fail_open')::boolean then ' WAF enabled'\n else ' WAF disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_lb';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":97,"endLineNumber":118,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_application_lb_waf_enabled","org":"turbot","name":"elb_application_lb_waf_enabled","mod":"Terraform AWS Compliance","title":"ELB application load balancers should have Web Application Firewall (WAF) enabled","description":"Ensure AWS WAF is enabled on Elastic Load Balancers (ELB) to help protect web applications.","tags":{"category":"Compliance","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB"}}],"controlTitle":"ELB application load balancers should have Web Application Firewall (WAF) enabled","controlDescription":"Ensure AWS WAF is enabled on Elastic Load Balancers (ELB) to help protect web applications.","controlTags":{"category":"Compliance","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB"}},"elb_application_network_gateway_lb_use_desync_mitigation_mode":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_application_network_gateway_lb_use_desync_mitigation_mode","org":"turbot","name":"elb_application_network_gateway_lb_use_desync_mitigation_mode","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'desync_mitigation_mode') like any (array ['defensive', 'strictest']) then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'desync_mitigation_mode') like any (array ['defensive', 'strictest']) then ' configured with ' || (attributes_std ->> 'desync_mitigation_mode') || ' mitigation mode'\n else ' not configured with defensive or strictest desync mitigation mode'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('aws_lb', 'aws_alb');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":189,"endLineNumber":208,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_application_network_gateway_lb_use_desync_mitigation_mode","org":"turbot","name":"elb_application_network_gateway_lb_use_desync_mitigation_mode","mod":"Terraform AWS Compliance","title":"ELB application, network and gateway load balancers should have defensive or strictest desync mitigation mode configured","description":"Ensure that your Elastic Load Balancers (ELBs) are configured with defensive or strictest desync mitigation mode.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"ELB application, network and gateway load balancers should have defensive or strictest desync mitigation mode configured","controlDescription":"Ensure that your Elastic Load Balancers (ELBs) are configured with defensive or strictest desync mitigation mode.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}},"elb_application_classic_network_lb_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_application_classic_network_lb_logging_enabled","org":"turbot","name":"elb_application_classic_network_lb_logging_enabled","sql":"$96","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":1,"endLineNumber":49,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_application_classic_network_lb_logging_enabled","org":"turbot","name":"elb_application_classic_network_lb_logging_enabled","mod":"Terraform AWS Compliance","title":"ELB application and classic load balancer logging should be enabled","description":"Elastic Load Balancing activity is a central point of communication within an environment. Ensure that logging is enabled to track the activities of the load balancer.","tags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB","soc_2":"true"}}],"controlTitle":"ELB application and classic load balancer logging should be enabled","controlDescription":"Elastic Load Balancing activity is a central point of communication within an environment. Ensure that logging is enabled to track the activities of the load balancer.","controlTags":{"aws_foundational_security":"true","category":"Compliance","gdpr":"true","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ELB","soc_2":"true"}},"elb_classic_lb_cross_zone_load_balancing_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_classic_lb_cross_zone_load_balancing_enabled","org":"turbot","name":"elb_classic_lb_cross_zone_load_balancing_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'cross_zone_load_balancing') is null then 'ok'\n when (attributes_std -> 'cross_zone_load_balancing')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'cross_zone_load_balancing') is null then ' cross-zone load balancing enabled'\n when (attributes_std -> 'cross_zone_load_balancing')::boolean then ' cross-zone load balancing enabled'\n else ' cross-zone load balancing disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elb'\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":120,"endLineNumber":141,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_classic_lb_cross_zone_load_balancing_enabled","org":"turbot","name":"elb_classic_lb_cross_zone_load_balancing_enabled","mod":"Terraform AWS Compliance","title":"ELB classic load balancers should have cross-zone load balancing enabled","description":"Enable cross-zone load balancing for your Elastic Load Balancers (ELBs) to help maintain adequate capacity and availability. The cross-zone load balancing reduces the need to maintain equivalent number of instances in each enabled availability zone.","tags":{"category":"Compliance","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"ELB classic load balancers should have cross-zone load balancing enabled","controlDescription":"Enable cross-zone load balancing for your Elastic Load Balancers (ELBs) to help maintain adequate capacity and availability. The cross-zone load balancing reduces the need to maintain equivalent number of instances in each enabled availability zone.","controlTags":{"category":"Compliance","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/ELB"}},"elb_application_network_gateway_lb_cross_zone_load_balancing_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_application_network_gateway_lb_cross_zone_load_balancing_enabled","org":"turbot","name":"elb_application_network_gateway_lb_cross_zone_load_balancing_enabled","sql":"$97","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":282,"endLineNumber":303,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_application_network_gateway_lb_cross_zone_load_balancing_enabled","org":"turbot","name":"elb_application_network_gateway_lb_cross_zone_load_balancing_enabled","mod":"Terraform AWS Compliance","title":"ELB application, network and gateway load balancer should have cross-zone load balancing enabled","description":"Ensure that your application, network and gateway load balancer are configured with cross-zone load balancing.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"ELB application, network and gateway load balancer should have cross-zone load balancing enabled","controlDescription":"Ensure that your application, network and gateway load balancer are configured with cross-zone load balancing.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}},"elb_lb_target_group_use_health_check":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elb_lb_target_group_use_health_check","org":"turbot","name":"elb_lb_target_group_use_health_check","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'protocol') like any (array ['HTTPS', 'HTTP']) and (attributes_std ->> 'health_check') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'protocol') like any (array ['HTTPS', 'HTTP']) and (attributes_std ->> 'health_check') is not null then ' target group configured with health check'\n else ' target group not configured with health check'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type in ('aws_lb_target_group', 'aws_alb_target_group');\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elb.pp","startLineNumber":305,"endLineNumber":324,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elb_lb_target_group_use_health_check","org":"turbot","name":"elb_lb_target_group_use_health_check","mod":"Terraform AWS Compliance","title":"ELB HTTP HTTPS target group should be configured with Healthcheck","description":"Ensure HTTP HTTPS target group is defined with Healthcheck.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"ELB HTTP HTTPS target group should be configured with Healthcheck","controlDescription":"Ensure HTTP HTTPS target group is defined with Healthcheck.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ELB"}},"ec2_classic_lb_connection_draining_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ec2_classic_lb_connection_draining_enabled","org":"turbot","name":"ec2_classic_lb_connection_draining_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'connection_draining') is null then 'alarm'\n when (attributes_std -> 'connection_draining')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'connection_draining') is null then ' ''connection_draining'' disabled'\n when (attributes_std -> 'connection_draining')::bool then ' ''connection_draining'' enabled'\n else ' ''connection_draining'' disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elb';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ec2.pp","startLineNumber":1,"endLineNumber":22,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ec2_classic_lb_connection_draining_enabled","org":"turbot","name":"ec2_classic_lb_connection_draining_enabled","mod":"Terraform AWS Compliance","title":"Classic Load Balancers should have connection draining enabled","description":"This control checks whether Classic Load Balancers have connection draining enabled.","tags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/ELB"}}],"controlTitle":"Classic Load Balancers should have connection draining enabled","controlDescription":"This control checks whether Classic Load Balancers have connection draining enabled.","controlTags":{"aws_foundational_security":"true","category":"Compliance","plugin":"terraform","service":"AWS/ELB"}}},"emr":{"emr_cluster_security_configuration_encryption_uses_sse_kms":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/emr_cluster_security_configuration_encryption_uses_sse_kms","org":"turbot","name":"emr_cluster_security_configuration_encryption_uses_sse_kms","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' ->> 'EnableAtRestEncryption')::bool and ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' -> 'AtRestEncryptionConfiguration' -> 'S3EncryptionConfiguration' ->> 'EncryptionMode') = 'SSE-KMS' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' ->> 'EnableAtRestEncryption')::bool and ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' -> 'AtRestEncryptionConfiguration' -> 'S3EncryptionConfiguration' ->> 'EncryptionMode') = 'SSE-KMS' then ' encryption uses SSE-KMS'\n else ' encryption does not use SSE-KMS'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_emr_security_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/emr.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.emr_cluster_security_configuration_encryption_uses_sse_kms","org":"turbot","name":"emr_cluster_security_configuration_encryption_uses_sse_kms","mod":"Terraform AWS Compliance","title":"EMR cluster security configurations should use SSE-KMS","description":"This control checks whether EMR cluster security configurations use SSE-KMS.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EMR"}}],"controlTitle":"EMR cluster security configurations should use SSE-KMS","controlDescription":"This control checks whether EMR cluster security configurations use SSE-KMS.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EMR"}},"emr_cluster_kerberos_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/emr_cluster_kerberos_enabled","org":"turbot","name":"emr_cluster_kerberos_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kerberos_attributes') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kerberos_attributes') is null then ' kerberos disabled'\n else ' kerberos enabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_emr_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/emr.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.emr_cluster_kerberos_enabled","org":"turbot","name":"emr_cluster_kerberos_enabled","mod":"Terraform AWS Compliance","title":"EMR cluster Kerberos should be enabled","description":"The access permissions and authorizations can be managed and incorporated with the principles of least privilege and separation of duties, by enabling Kerberos for Amazon EMR clusters.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/EMR"}}],"controlTitle":"EMR cluster Kerberos should be enabled","controlDescription":"The access permissions and authorizations can be managed and incorporated with the principles of least privilege and separation of duties, by enabling Kerberos for Amazon EMR clusters.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","service":"AWS/EMR"}},"emr_cluster_security_configuration_encryption_in_transit_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/emr_cluster_security_configuration_encryption_in_transit_enabled","org":"turbot","name":"emr_cluster_security_configuration_encryption_in_transit_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' ->> 'EnableInTransitEncryption')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' ->> 'EnableInTransitEncryption')::bool then ' encryption in transit enabled'\n else ' encryption in transit disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_emr_security_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/emr.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.emr_cluster_security_configuration_encryption_in_transit_enabled","org":"turbot","name":"emr_cluster_security_configuration_encryption_in_transit_enabled","mod":"Terraform AWS Compliance","title":"EMR cluster security configurations should have encryption in transit enabled","description":"This control checks whether EMR cluster security configurations are encrypted in transit.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EMR"}}],"controlTitle":"EMR cluster security configurations should have encryption in transit enabled","controlDescription":"This control checks whether EMR cluster security configurations are encrypted in transit.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EMR"}},"emr_cluster_security_configuration_ebs_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/emr_cluster_security_configuration_ebs_encryption_enabled","org":"turbot","name":"emr_cluster_security_configuration_ebs_encryption_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' ->> 'EnableAtRestEncryption')::bool and ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration' ->> 'EnableEbsEncryption')::bool then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' ->> 'EnableAtRestEncryption')::bool and ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration' ->> 'EnableEbsEncryption')::bool then ' EBS encryption enabled'\n else ' EBS encryption disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_emr_security_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/emr.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.emr_cluster_security_configuration_ebs_encryption_enabled","org":"turbot","name":"emr_cluster_security_configuration_ebs_encryption_enabled","mod":"Terraform AWS Compliance","title":"EMR cluster security configurations should have EBS encryption enabled","description":"This control checks whether EMR cluster security configurations have EBS encryption enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EMR"}}],"controlTitle":"EMR cluster security configurations should have EBS encryption enabled","controlDescription":"This control checks whether EMR cluster security configurations have EBS encryption enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EMR"}},"emr_cluster_security_configuration_local_disk_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/emr_cluster_security_configuration_local_disk_encryption_enabled","org":"turbot","name":"emr_cluster_security_configuration_local_disk_encryption_enabled","sql":"select\n address as resource,\n case\n when ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' ->> 'EnableAtRestEncryption')::bool and ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' -> 'AtRestEncryptionConfiguration' ->> 'LocalDiskEncryptionConfiguration') is not null then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' ->> 'EnableAtRestEncryption')::bool and ((attributes_std ->> 'configuration')::jsonb -> 'EncryptionConfiguration' -> 'AtRestEncryptionConfiguration' ->> 'LocalDiskEncryptionConfiguration') is not null then ' local disk encryption enabled'\n else ' local disk encryption disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_emr_security_configuration';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/emr.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.emr_cluster_security_configuration_local_disk_encryption_enabled","org":"turbot","name":"emr_cluster_security_configuration_local_disk_encryption_enabled","mod":"Terraform AWS Compliance","title":"EMR cluster security configurations should have local disk encryption enabled","description":"This control checks whether EMR cluster security configurations have local disk encryption enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EMR"}}],"controlTitle":"EMR cluster security configurations should have local disk encryption enabled","controlDescription":"This control checks whether EMR cluster security configurations have local disk encryption enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EMR"}}},"neptune":{"neptune_cluster_backup_retention_period_7":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_cluster_backup_retention_period_7","org":"turbot","name":"neptune_cluster_backup_retention_period_7","sql":"select\n address as resource,\n case\n when (attributes_std -> 'backup_retention_period') is null then 'alarm'\n when ((attributes_std ->> 'backup_retention_period'))::int >= 7 then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'backup_retention_period') is null then ' backup retention not set'\n else ' backup retention set to ' || (attributes_std ->> 'backup_retention_period')\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":127,"endLineNumber":147,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_cluster_backup_retention_period_7","org":"turbot","name":"neptune_cluster_backup_retention_period_7","mod":"Terraform AWS Compliance","title":"Neptune cluster backup retention period should be at least 7 days","description":"This control checks whether Neptune cluster backup retention is set to 7 or greater than 7.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune cluster backup retention period should be at least 7 days","controlDescription":"This control checks whether Neptune cluster backup retention is set to 7 or greater than 7.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}},"neptune_cluster_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_cluster_encrypted_with_kms_cmk","org":"turbot","name":"neptune_cluster_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_arn') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_arn') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_cluster_encrypted_with_kms_cmk","org":"turbot","name":"neptune_cluster_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Neptune cluster should be encrypted with KMS CMK","description":"This control checks whether Neptune clusters are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune cluster should be encrypted with KMS CMK","controlDescription":"This control checks whether Neptune clusters are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}},"neptune_snapshot_storage_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_snapshot_storage_encryption_enabled","org":"turbot","name":"neptune_snapshot_storage_encryption_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'storage_encrypted')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'storage_encrypted')::boolean then ' encrypted at rest'\n else ' not encrypted at rest'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster_snapshot';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":85,"endLineNumber":104,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_snapshot_storage_encryption_enabled","org":"turbot","name":"neptune_snapshot_storage_encryption_enabled","mod":"Terraform AWS Compliance","title":"Neptune snapshot storage encryption should be enabled","description":"This control checks whether Neptune snapshot storage encryption is enabled. These snapshots contain sensitive data and should be encrypted at rest.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune snapshot storage encryption should be enabled","controlDescription":"This control checks whether Neptune snapshot storage encryption is enabled. These snapshots contain sensitive data and should be encrypted at rest.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}},"neptune_cluster_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_cluster_logging_enabled","org":"turbot","name":"neptune_cluster_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enable_cloudwatch_logs_exports') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enable_cloudwatch_logs_exports') is null then ' logging not enabled'\n else ' logging enabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_cluster_logging_enabled","org":"turbot","name":"neptune_cluster_logging_enabled","mod":"Terraform AWS Compliance","title":"Neptune logging should be enabled","description":"Ensure Neptune logging is enabled. These access logs can be used to analyze traffic patterns and troubleshoot security and operational issues.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune logging should be enabled","controlDescription":"Ensure Neptune logging is enabled. These access logs can be used to analyze traffic patterns and troubleshoot security and operational issues.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}},"neptune_cluster_iam_authentication_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_cluster_iam_authentication_enabled","org":"turbot","name":"neptune_cluster_iam_authentication_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'iam_database_authentication_enabled') is null then 'alarm'\n when (attributes_std -> 'iam_database_authentication_enabled')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'iam_database_authentication_enabled') is null then ' IAM database authentication disabled'\n when (attributes_std -> 'iam_database_authentication_enabled')::bool then ' IAM database authentication enabled'\n else ' ''iam_database_authentication_enabled'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":172,"endLineNumber":193,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_cluster_iam_authentication_enabled","org":"turbot","name":"neptune_cluster_iam_authentication_enabled","mod":"Terraform AWS Compliance","title":"Neptune clusters should have IAM authentication enabled","description":"Checks if an Neptune cluster has AWS Identity and Access Management (IAM) authentication enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune clusters should have IAM authentication enabled","controlDescription":"Checks if an Neptune cluster has AWS Identity and Access Management (IAM) authentication enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}},"neptune_cluster_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_cluster_encryption_at_rest_enabled","org":"turbot","name":"neptune_cluster_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'storage_encrypted')::boolean then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'storage_encrypted')::boolean then ' encrypted at rest'\n else ' not encrypted at rest'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_cluster_encryption_at_rest_enabled","org":"turbot","name":"neptune_cluster_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"Neptune cluster encryption at rest should be enabled","description":"Ensure Neptune clusters being created are set to be encrypted at rest to protect sensitive data.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune cluster encryption at rest should be enabled","controlDescription":"Ensure Neptune clusters being created are set to be encrypted at rest to protect sensitive data.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}},"neptune_cluster_copy_tags_to_snapshot_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_cluster_copy_tags_to_snapshot_enabled","org":"turbot","name":"neptune_cluster_copy_tags_to_snapshot_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'copy_tags_to_snapshot') is null then 'alarm'\n when (attributes_std -> 'copy_tags_to_snapshot')::bool then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'copy_tags_to_snapshot') is null then ' ''copy_tags_to_snapshot'' not set'\n when (attributes_std -> 'copy_tags_to_snapshot')::bool then ' ''copy_tags_to_snapshot'' enabled'\n else ' ''copy_tags_to_snapshot'' disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":149,"endLineNumber":170,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_cluster_copy_tags_to_snapshot_enabled","org":"turbot","name":"neptune_cluster_copy_tags_to_snapshot_enabled","mod":"Terraform AWS Compliance","title":"Neptune clusters should be configured to copy tags to snapshots","description":"This control checks whether Neptune clusters are configured to copy all tags to snapshots when the snapshots are created.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune clusters should be configured to copy tags to snapshots","controlDescription":"This control checks whether Neptune clusters are configured to copy all tags to snapshots when the snapshots are created.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}},"neptune_snapshot_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_snapshot_encrypted_with_kms_cmk","org":"turbot","name":"neptune_snapshot_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std -> 'kms_key_id') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'kms_key_id') is null then ' not encrypted with KMS CMK'\n else ' encrypted with KMS CMK'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster_snapshot';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":106,"endLineNumber":125,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_snapshot_encrypted_with_kms_cmk","org":"turbot","name":"neptune_snapshot_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"Neptune snapshot should be encrypted with KMS CMK","description":"This control checks whether Neptune snapshots are encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune snapshot should be encrypted with KMS CMK","controlDescription":"This control checks whether Neptune snapshots are encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}},"neptune_cluster_instance_publicly_accessible":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/neptune_cluster_instance_publicly_accessible","org":"turbot","name":"neptune_cluster_instance_publicly_accessible","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'publicly_accessible')::boolean then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'publicly_accessible')::boolean then ' publicly accessible'\n else ' not publicly accessible'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_neptune_cluster_instance';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/neptune.pp","startLineNumber":64,"endLineNumber":83,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.neptune_cluster_instance_publicly_accessible","org":"turbot","name":"neptune_cluster_instance_publicly_accessible","mod":"Terraform AWS Compliance","title":"Neptune cluster instance should not be publicly accessible","description":"This control checks whether Neptune cluster instances are not publicly accessible.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}],"controlTitle":"Neptune cluster instance should not be publicly accessible","controlDescription":"This control checks whether Neptune cluster instances are not publicly accessible.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Neptune"}}},"eks":{"eks_cluster_control_plane_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/eks_cluster_control_plane_logging_enabled","org":"turbot","name":"eks_cluster_control_plane_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enabled_cluster_log_types') is null then 'alarm'\n when (attributes_std ->> 'enabled_cluster_log_types') like '%[\"api\", \"authenticator\", \"audit\", \"scheduler\", \"controllerManager\"]%' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enabled_cluster_log_types') is null then ' control plane logging not set'\n when (attributes_std ->> 'enabled_cluster_log_types') like '%[\"api\", \"authenticator\", \"audit\", \"scheduler\", \"controllerManager\"]%' then ' control plane logging enabled'\n else ' control plane logging disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_eks_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eks.pp","startLineNumber":96,"endLineNumber":117,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.eks_cluster_control_plane_logging_enabled","org":"turbot","name":"eks_cluster_control_plane_logging_enabled","mod":"Terraform AWS Compliance","title":"EKS cluster control plane logging should be enabled for all log types","description":"Ensure control plane logging is enabled for all log types in Amazon EKS cluster.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EKS"}}],"controlTitle":"EKS cluster control plane logging should be enabled for all log types","controlDescription":"Ensure control plane logging is enabled for all log types in Amazon EKS cluster.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EKS"}},"eks_cluster_log_types_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/eks_cluster_log_types_enabled","org":"turbot","name":"eks_cluster_log_types_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'enabled_cluster_log_types') is null then 'alarm'\n else 'ok'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'enabled_cluster_log_types') is null then ' logging disabled'\n else ' logging enabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_eks_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eks.pp","startLineNumber":29,"endLineNumber":48,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.eks_cluster_log_types_enabled","org":"turbot","name":"eks_cluster_log_types_enabled","mod":"Terraform AWS Compliance","title":"EKS cluster log types should be enabled","description":"Ensure Amazon EKS cluster logging is enabled for all log types","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EKS"}}],"controlTitle":"EKS cluster log types should be enabled","controlDescription":"Ensure Amazon EKS cluster logging is enabled for all log types","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EKS"}},"eks_cluster_node_group_ssh_access_from_internet":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/eks_cluster_node_group_ssh_access_from_internet","org":"turbot","name":"eks_cluster_node_group_ssh_access_from_internet","sql":"$98","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eks.pp","startLineNumber":119,"endLineNumber":142,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.eks_cluster_node_group_ssh_access_from_internet","org":"turbot","name":"eks_cluster_node_group_ssh_access_from_internet","mod":"Terraform AWS Compliance","title":"EKS cluster node group should be configured to restrict SSH access from 0.0.0.0/0","description":"EKS cluster node group SSH access should be restricted from internet. If you specify ec2_ssh_key, but do not specify source_security_group_ids configuration when you create an EKS Node Group, port 22 on the worker nodes is opened to the Internet (0.0.0.0/0).","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EKS"}}],"controlTitle":"EKS cluster node group should be configured to restrict SSH access from 0.0.0.0/0","controlDescription":"EKS cluster node group SSH access should be restricted from internet. If you specify ec2_ssh_key, but do not specify source_security_group_ids configuration when you create an EKS Node Group, port 22 on the worker nodes is opened to the Internet (0.0.0.0/0).","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EKS"}},"eks_cluster_run_on_supported_kubernetes_version":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/eks_cluster_run_on_supported_kubernetes_version","org":"turbot","name":"eks_cluster_run_on_supported_kubernetes_version","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'version') is null then 'skip'\n when (attributes_std ->> 'version') like any (array ['1.22', '1.23', '1.24', '1.25', '1.26']) then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'version') is null then ' Kubernetes version not set'\n when (attributes_std ->> 'version') like any (array ['1.22', '1.23', '1.24', '1.25', '1.26']) then ' run on supported Kubernetes version'\n else ' do not run on supported Kubernetes version'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_eks_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eks.pp","startLineNumber":73,"endLineNumber":94,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.eks_cluster_run_on_supported_kubernetes_version","org":"turbot","name":"eks_cluster_run_on_supported_kubernetes_version","mod":"Terraform AWS Compliance","title":"EKS cluster should run on supported Kubernetes version","description":"Ensure Amazon EKS cluster is running on supported Kubernetes version.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/EKS"}}],"controlTitle":"EKS cluster should run on supported Kubernetes version","controlDescription":"Ensure Amazon EKS cluster is running on supported Kubernetes version.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/EKS"}},"eks_cluster_endpoint_restrict_public_access":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/eks_cluster_endpoint_restrict_public_access","org":"turbot","name":"eks_cluster_endpoint_restrict_public_access","sql":"$99","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eks.pp","startLineNumber":1,"endLineNumber":27,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.eks_cluster_endpoint_restrict_public_access","org":"turbot","name":"eks_cluster_endpoint_restrict_public_access","mod":"Terraform AWS Compliance","title":"EKS clusters endpoint should restrict public access","description":"Ensure whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. The rule is complaint if the endpoint is publicly accessible.","tags":{"category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/EKS"}}],"controlTitle":"EKS clusters endpoint should restrict public access","controlDescription":"Ensure whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible. The rule is complaint if the endpoint is publicly accessible.","controlTags":{"category":"Compliance","nist_csf":"true","plugin":"terraform","service":"AWS/EKS"}},"eks_cluster_secrets_encrypted":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/eks_cluster_secrets_encrypted","org":"turbot","name":"eks_cluster_secrets_encrypted","sql":"select\n address as resource,\n case\n when (attributes_std -> 'encryption_config') is null then 'alarm'\n when (attributes_std -> 'encryption_config' -> 'resources') @> '[\"secrets\"]' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'encryption_config') is null then ' encryption disabled'\n when (attributes_std -> 'encryption_config' -> 'resources') @> '[\"secrets\"]' then ' encrypted with EKS secrets'\n else ' not encrypted with EKS secrets'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_eks_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/eks.pp","startLineNumber":50,"endLineNumber":71,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.eks_cluster_secrets_encrypted","org":"turbot","name":"eks_cluster_secrets_encrypted","mod":"Terraform AWS Compliance","title":"EKS clusters should be configured to have kubernetes secrets encrypted using KMS","description":"Ensure if Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.","tags":{"category":"Compliance","hipaa":"true","plugin":"terraform","service":"AWS/EKS"}}],"controlTitle":"EKS clusters should be configured to have kubernetes secrets encrypted using KMS","controlDescription":"Ensure if Amazon Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys.","controlTags":{"category":"Compliance","hipaa":"true","plugin":"terraform","service":"AWS/EKS"}}},"elasti_cache":{"elasticache_replication_group_encryption_in_transit_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elasticache_replication_group_encryption_in_transit_enabled","org":"turbot","name":"elasticache_replication_group_encryption_in_transit_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'transit_encryption_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'transit_encryption_enabled')::boolean then ' encrypted in transit'\n else ' not encrypted in transit'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticache_replication_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elasticache.pp","startLineNumber":23,"endLineNumber":42,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elasticache_replication_group_encryption_in_transit_enabled","org":"turbot","name":"elasticache_replication_group_encryption_in_transit_enabled","mod":"Terraform AWS Compliance","title":"ElastiCache replication group should be encrypted at transit","description":"Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}}],"controlTitle":"ElastiCache replication group should be encrypted at transit","controlDescription":"Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}},"elasticache_redis_cluster_automatic_backup_retention_15_days":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elasticache_redis_cluster_automatic_backup_retention_15_days","org":"turbot","name":"elasticache_redis_cluster_automatic_backup_retention_15_days","sql":"select\n address as resource,\n case\n when (attributes_std -> 'snapshot_retention_limit')::int < 15 then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'snapshot_retention_limit')::int is null then ' automatic backups disabled'\n when (attributes_std -> 'snapshot_retention_limit')::int < 15 then ' automatic backup retention period is less than 15 days'\n else ' automatic backup retention period is more than 15 days'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticache_replication_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elasticache.pp","startLineNumber":1,"endLineNumber":21,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elasticache_redis_cluster_automatic_backup_retention_15_days","org":"turbot","name":"elasticache_redis_cluster_automatic_backup_retention_15_days","mod":"Terraform AWS Compliance","title":"ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater","description":"When automatic backups are enabled, Amazon ElastiCache creates a backup of the cluster on a daily basis. The backup can be retained for a number of days as specified by your organization. Automatic backups can help guard against data loss.","tags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ElastiCache","soc_2":"true"}}],"controlTitle":"ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater","controlDescription":"When automatic backups are enabled, Amazon ElastiCache creates a backup of the cluster on a daily basis. The backup can be retained for a number of days as specified by your organization. Automatic backups can help guard against data loss.","controlTags":{"category":"Compliance","hipaa":"true","nist_800_53_rev_4":"true","nist_csf":"true","plugin":"terraform","rbi_cyber_security":"true","service":"AWS/ElastiCache","soc_2":"true"}},"elasticache_cluster_has_subnet_group":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elasticache_cluster_has_subnet_group","org":"turbot","name":"elasticache_cluster_has_subnet_group","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'subnet_group_name') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'subnet_group_name') is not null then ' subnet group name set'\n else ' subnet group name not set'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticache_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elasticache.pp","startLineNumber":130,"endLineNumber":149,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elasticache_cluster_has_subnet_group","org":"turbot","name":"elasticache_cluster_has_subnet_group","mod":"Terraform AWS Compliance","title":"ElastiCache cluster should have subnet group","description":"This control checks whether the ElastiCache cluster has subnet group.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}}],"controlTitle":"ElastiCache cluster should have subnet group","controlDescription":"This control checks whether the ElastiCache cluster has subnet group.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}},"elasticache_replication_group_encryption_in_transit_enabled_auth_token":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elasticache_replication_group_encryption_in_transit_enabled_auth_token","org":"turbot","name":"elasticache_replication_group_encryption_in_transit_enabled_auth_token","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'transit_encryption_enabled')::boolean and (attributes_std ->> 'auth_token') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'transit_encryption_enabled')::boolean and (attributes_std ->> 'auth_token') is not null then ' encrypted in transit and auth token set'\n when (attributes_std ->> 'transit_encryption_enabled')::boolean and (attributes_std ->> 'auth_token') is null then ' encrypted in transit but auth token not set'\n when (attributes_std ->> 'auth_token') is not null then 'not encrypted in transit but auth token set'\n else ' not encrypted in transit and auth token not set'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticache_replication_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elasticache.pp","startLineNumber":44,"endLineNumber":65,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elasticache_replication_group_encryption_in_transit_enabled_auth_token","org":"turbot","name":"elasticache_replication_group_encryption_in_transit_enabled_auth_token","mod":"Terraform AWS Compliance","title":"ElastiCache replication group should be encrypted at transit","description":"This control checks whether all data stored in the Elasticache Replication Group is securely encrypted at transit.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}}],"controlTitle":"ElastiCache replication group should be encrypted at transit","controlDescription":"This control checks whether all data stored in the Elasticache Replication Group is securely encrypted at transit.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}},"elasticache_replication_group_encrypted_with_kms_cmk":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elasticache_replication_group_encrypted_with_kms_cmk","org":"turbot","name":"elasticache_replication_group_encrypted_with_kms_cmk","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'kms_key_id') is not null then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'kms_key_id') is not null then ' encrypted with kms cmk'\n else ' not encrypted with kms cmk'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticache_replication_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elasticache.pp","startLineNumber":88,"endLineNumber":107,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elasticache_replication_group_encrypted_with_kms_cmk","org":"turbot","name":"elasticache_replication_group_encrypted_with_kms_cmk","mod":"Terraform AWS Compliance","title":"ElastiCache replication group should be encrypted with KMS CMK","description":"This control checks whether all data stored in the Elasticache Replication Group is securely encrypted with KMS CMK.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}}],"controlTitle":"ElastiCache replication group should be encrypted with KMS CMK","controlDescription":"This control checks whether all data stored in the Elasticache Replication Group is securely encrypted with KMS CMK.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}},"elasticache_replication_group_encryption_at_rest_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elasticache_replication_group_encryption_at_rest_enabled","org":"turbot","name":"elasticache_replication_group_encryption_at_rest_enabled","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'at_rest_encryption_enabled')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'at_rest_encryption_enabled')::boolean then ' encrypted at rest'\n else ' not encrypted at rest'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticache_replication_group';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elasticache.pp","startLineNumber":67,"endLineNumber":86,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elasticache_replication_group_encryption_at_rest_enabled","org":"turbot","name":"elasticache_replication_group_encryption_at_rest_enabled","mod":"Terraform AWS Compliance","title":"ElastiCache replication group should be encrypted at rest","description":"This control checks whether all data stored in the Elasticache Replication Group is securely encrypted at rest.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}}],"controlTitle":"ElastiCache replication group should be encrypted at rest","controlDescription":"This control checks whether all data stored in the Elasticache Replication Group is securely encrypted at rest.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}},"elasticache_redis_cluster_auto_minor_version_upgrade":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/elasticache_redis_cluster_auto_minor_version_upgrade","org":"turbot","name":"elasticache_redis_cluster_auto_minor_version_upgrade","sql":"select\n address as resource,\n case\n when (attributes_std ->> 'auto_minor_version_upgrade')::boolean then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std ->> 'auto_minor_version_upgrade')::boolean then ' auto minor version upgrade enabled'\n else ' auto minor version upgrade disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_elasticache_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/elasticache.pp","startLineNumber":109,"endLineNumber":128,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.elasticache_redis_cluster_auto_minor_version_upgrade","org":"turbot","name":"elasticache_redis_cluster_auto_minor_version_upgrade","mod":"Terraform AWS Compliance","title":"ElastiCache Redis cluster should have auto minor version upgrade enabled","description":"This control checks whether the ElastiCache Redis cluster has auto minor version upgrade enabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}}],"controlTitle":"ElastiCache Redis cluster should have auto minor version upgrade enabled","controlDescription":"This control checks whether the ElastiCache Redis cluster has auto minor version upgrade enabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ElastiCache"}}},"glue":{"glue_dev_endpoint_security_configuration_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/glue_dev_endpoint_security_configuration_enabled","org":"turbot","name":"glue_dev_endpoint_security_configuration_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'security_configuration') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'security_configuration') is null then ' security configuration disabled'\n else ' security configuration enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_glue_dev_endpoint';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/glue.pp","startLineNumber":22,"endLineNumber":41,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.glue_dev_endpoint_security_configuration_enabled","org":"turbot","name":"glue_dev_endpoint_security_configuration_enabled","mod":"Terraform AWS Compliance","title":"Glue dev endpoint security configuration should be enabled","description":"This control checks whether the security configuration is enabled for the Glue dev endpoint.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}}],"controlTitle":"Glue dev endpoint security configuration should be enabled","controlDescription":"This control checks whether the security configuration is enabled for the Glue dev endpoint.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}},"glue_job_security_configuration_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/glue_job_security_configuration_enabled","org":"turbot","name":"glue_job_security_configuration_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'security_configuration') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'security_configuration') is null then ' security configuration disabled'\n else ' security configuration enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_glue_job';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/glue.pp","startLineNumber":43,"endLineNumber":62,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.glue_job_security_configuration_enabled","org":"turbot","name":"glue_job_security_configuration_enabled","mod":"Terraform AWS Compliance","title":"Glue job security configuration should be enabled","description":"This control checks whether the security configuration is enabled for the Glue job.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}}],"controlTitle":"Glue job security configuration should be enabled","controlDescription":"This control checks whether the security configuration is enabled for the Glue job.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}},"glue_security_configuration_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/glue_security_configuration_encryption_enabled","org":"turbot","name":"glue_security_configuration_encryption_enabled","sql":"$9a","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/glue.pp","startLineNumber":90,"endLineNumber":118,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.glue_security_configuration_encryption_enabled","org":"turbot","name":"glue_security_configuration_encryption_enabled","mod":"Terraform AWS Compliance","title":"Glue security configuration encryption should be enabled","description":"This control checks whether Glue security configuration encryption is enabled. This control is non-complaint if Glue security configuration encryption is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}}],"controlTitle":"Glue security configuration encryption should be enabled","controlDescription":"This control checks whether Glue security configuration encryption is enabled. This control is non-complaint if Glue security configuration encryption is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}},"glue_crawler_security_configuration_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/glue_crawler_security_configuration_enabled","org":"turbot","name":"glue_crawler_security_configuration_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'security_configuration') is null then 'alarm'\n else 'ok'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'security_configuration') is null then ' security configuration disabled'\n else ' security configuration enabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_glue_crawler';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/glue.pp","startLineNumber":1,"endLineNumber":20,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.glue_crawler_security_configuration_enabled","org":"turbot","name":"glue_crawler_security_configuration_enabled","mod":"Terraform AWS Compliance","title":"Glue crawler security configuration should be enabled","description":"This control checks whether the security configuration is enabled for the Glue crawler.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}}],"controlTitle":"Glue crawler security configuration should be enabled","controlDescription":"This control checks whether the security configuration is enabled for the Glue crawler.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}},"glue_data_catalog_encryption_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/glue_data_catalog_encryption_enabled","org":"turbot","name":"glue_data_catalog_encryption_enabled","sql":"$9b","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/glue.pp","startLineNumber":64,"endLineNumber":88,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.glue_data_catalog_encryption_enabled","org":"turbot","name":"glue_data_catalog_encryption_enabled","mod":"Terraform AWS Compliance","title":"Glue data catalog encryption should be enabled","description":"This control checks whether Glue data catalog encryption is enabled. This control is non-complaint if data catalog encryption is disabled.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}}],"controlTitle":"Glue data catalog encryption should be enabled","controlDescription":"This control checks whether Glue data catalog encryption is enabled. This control is non-complaint if data catalog encryption is disabled.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/Glue"}}},"ecs":{"ecs_cluster_logging_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ecs_cluster_logging_enabled","org":"turbot","name":"ecs_cluster_logging_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'configuration' -> 'execute_command_configuration' ->> 'logging') in ('DEFAULT','OVERRIDE') then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'configuration' -> 'execute_command_configuration' ->> 'logging') in ('DEFAULT','OVERRIDE') then ' logging enabled'\n else ' logging disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ecs_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ecs.pp","startLineNumber":47,"endLineNumber":66,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ecs_cluster_logging_enabled","org":"turbot","name":"ecs_cluster_logging_enabled","mod":"Terraform AWS Compliance","title":"ECS cluster logging should be enabled","description":"This control checks whether logging is enabled for the ECS cluster.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}}],"controlTitle":"ECS cluster logging should be enabled","controlDescription":"This control checks whether logging is enabled for the ECS cluster.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}},"ecs_cluster_container_insights_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ecs_cluster_container_insights_enabled","org":"turbot","name":"ecs_cluster_container_insights_enabled","sql":"select\n address as resource,\n case\n when\n (attributes_std -> 'setting' ->> 'name')::text = 'containerInsights'\n and (attributes_std -> 'setting' ->> 'value')::text = 'enabled' then 'ok'\n else 'alarm'\n end as status,\n split_part(address, '.', 2) || case\n when\n (attributes_std -> 'setting' ->> 'name')::text = 'containerInsights'\n and (attributes_std -> 'setting' ->> 'value')::text = 'enabled' then ' container insights enabled'\n else ' container insights disabled'\n end || '.' as reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ecs_cluster';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ecs.pp","startLineNumber":1,"endLineNumber":24,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ecs_cluster_container_insights_enabled","org":"turbot","name":"ecs_cluster_container_insights_enabled","mod":"Terraform AWS Compliance","title":"ECS cluster container insights should be enabled","description":"One of the best practices when using AWS ECS is to enable cluster container insights for better visibility.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}}],"controlTitle":"ECS cluster container insights should be enabled","controlDescription":"One of the best practices when using AWS ECS is to enable cluster container insights for better visibility.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}},"ecs_task_definition_encryption_in_transit_enabled":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ecs_task_definition_encryption_in_transit_enabled","org":"turbot","name":"ecs_task_definition_encryption_in_transit_enabled","sql":"select\n address as resource,\n case\n when (attributes_std -> 'volume' -> 'efs_volume_configuration' ->> 'transit_encryption')::text = 'ENABLED' then 'ok'\n else 'alarm'\n end status,\n split_part(address, '.', 2) || case\n when (attributes_std -> 'volume' -> 'efs_volume_configuration' ->> 'transit_encryption')::text = 'ENABLED' then ' encryption in transit enabled'\n else ' encryption in transit disabled'\n end || '.' reason\n \n , path || ':' || start_line\nfrom\n terraform_resource\nwhere\n type = 'aws_ecs_task_definition';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ecs.pp","startLineNumber":26,"endLineNumber":45,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ecs_task_definition_encryption_in_transit_enabled","org":"turbot","name":"ecs_task_definition_encryption_in_transit_enabled","mod":"Terraform AWS Compliance","title":"ECS task definition encryption in transit should be enabled","description":"Ensure encryption in transit is enabled for EFS volumes in ECS Task definitions.","tags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}}],"controlTitle":"ECS task definition encryption in transit should be enabled","controlDescription":"Ensure encryption in transit is enabled for EFS volumes in ECS Task definitions.","controlTags":{"category":"Compliance","plugin":"terraform","service":"AWS/ECS"}},"ecs_task_definition_container_readonly_root_filesystem":{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/queries/ecs_task_definition_container_readonly_root_filesystem","org":"turbot","name":"ecs_task_definition_container_readonly_root_filesystem","sql":"with task_with_readonly_root_filesystem as (\n select\n distinct (address ) as name\n from\n terraform_resource,\n jsonb_array_elements(\n case when ((attributes_std ->> 'container_definitions') = '')\n then null\n else (attributes_std ->> 'container_definitions')::jsonb end\n ) as s where (s ->> 'ReadonlyRootFilesystem')::boolean and type = 'aws_ecs_task_definition'\n )\n select\n r.address as resource,\n case\n when p.name is not null then 'ok'\n else 'alarm'\n end status,\n split_part(r.address, '.', 2) || case\n when p.name is not null then ' containers limited to read-only access to root filesystems'\n else ' containers not limited to read-only access to root filesystems'\n end || '.' reason\n \n , path || ':' || start_line\n from\n terraform_resource as r\n left join task_with_readonly_root_filesystem as p on p.name = r.address\n where\n type = 'aws_ecs_task_definition';\n","tags":{},"tables":["terraform.terraform_resource"],"plugins":["turbot/terraform"],"sourceDefinitionRepoPath":"query/ecs.pp","startLineNumber":203,"endLineNumber":234,"modSourceName":"steampipe-mod-terraform-aws-compliance","dashboards":[],"isControlQuery":true,"controls":[{"path":"/mods/turbot/steampipe-mod-terraform-aws-compliance/benchmarks/control.ecs_task_definition_container_readonly_root_filesystem","org":"turbot","name":"ecs_task_definition_container_readonly_root_filesystem","mod":"Terraform AWS Compliance","title":"ECS containers should be limited to read-only access to root filesystems","description":"This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter

Query: Ensure IAM password policy requires minimum length of 14 or greate

Description

Query

SQL