/steampipe-mod-azure-compliance

Run individual configuration, compliance and security controls or full compliance benchmarks for CIS, HIPAA HITRUST, NIST, and more across all of your Azure subscriptions using Steampipe.

Primary LanguageHCLApache License 2.0Apache-2.0

Azure Compliance Mod for Steampipe

200+ checks covering industry defined security best practices for Azure. Includes full support for CIS v1.3,CIS v1.4,CIS v1.5,CIS v2.0,HIPAA HITRUST 9.2,NIST SP 800-53 and PCI DSS v3.2.1 compliance benchmarks across all your Azure subscriptions.

Includes full support for the CIS v1.3 Azure Benchmarks.

Run checks in a dashboard: image

Or in a terminal: image

Includes support for:

Getting started

Installation

Download and install Steampipe (https://steampipe.io/downloads). Or use Brew:

brew tap turbot/tap
brew install steampipe

Install the Azure and the Azure Active Directory plugins with Steampipe:

steampipe plugin install azure
steampipe plugin install azuread

Configure your Azure CLI credentials

az login

Clone:

git clone https://github.com/turbot/steampipe-mod-azure-compliance.git
cd steampipe-mod-azure-compliance

Usage

Start your dashboard server to get started:

steampipe dashboard

By default, the dashboard interface will then be launched in a new browser window at http://localhost:9194. From here, you can run benchmarks by selecting one or searching for a specific one.

Instead of running benchmarks in a dashboard, you can also run them within your terminal with the steampipe check command:

Run all benchmarks:

steampipe check all

Run a single benchmark:

steampipe check benchmark.cis_v130_6

Run a specific control:

steampipe check control.cis_v130_4_3_5

Different output formats are also available, for more information please see Output Formats.

Credentials

This mod uses the credentials configured in the Steampipe Azure plugin.

Configuration

No extra configuration is required.

Common and Tag Dimensions

The benchmark queries use common properties (like connection_name, resource_group, region, subscription and subscription_id) and tags that are defined in the form of a default list of strings in the mod.sp file. These properties can be overwritten in several ways:

  • Copy and rename the steampipe.spvars.example file to steampipe.spvars, and then modify the variable values inside that file

  • Pass in a value on the command line:

    steampipe check benchmark.cis_v140 --var 'common_dimensions=["resource_group", "region", "subscription", "subscription_id"]'
    steampipe check benchmark.cis_v140 --var 'tag_dimensions=["Department", "Environment"]'

  • Set an environment variable:

    SP_VAR_common_dimensions='["resource_group", "region", "subscription", "subscription_id"]' steampipe check control.storage_account_use_virtual_service_endpoint
    SP_VAR_tag_dimensions='["Department", "Environment"]' steampipe check control.storage_account_use_virtual_service_endpoint

Contributing

If you have an idea for additional compliance controls, or just want to help maintain and extend this mod (or others) we would love you to join the community and start contributing. (Even if you just want to help with the docs.)

Please see the contribution guidelines and our code of conduct. All contributions are subject to the Apache 2.0 open source license.

Want to help but not sure where to start? Pick up one of the help wanted issues: