turbot / steampipe-mod-terraform-azure-compliance

Run compliance and security controls to detect Terraform Azure resources deviating from security best practices prior to deployment using Powerpipe and Steampipe.
https://hub.powerpipe.io/mods/turbot/terraform_azure_compliance
Apache License 2.0

Add additional services specific controls. Closes #27 #32

Closed Priyanka-Chatterjee-2000 closed 1 year ago

Priyanka-Chatterjee-2000 commented 1 year ago

New controls and queries added:

  1. [x] container_registry_admin_user_disabled
  2. [x] container_registry_anonymous_pull_disabled
  3. [x] container_registry_image_scan_enabled
  4. [x] container_registry_quarantine_policy_enabled
  5. [x] container_registry_retention_policy_enabled
  6. [x] container_registry_geo_replication_enabled
  7. [x] container_registry_public_network_access_disabled
  8. [x] container_registry_trust_policy_enabled
  9. [x] kubernetes_cluster_restrict_public_access
  10. [x] kubernetes_cluster_sku_standard
  11. [x] kubernetes_cluster_local_admin_disabled
  12. [x] kubernetes_cluster_logging_enabled
  13. [x] kubernetes_cluster_max_pod_50
  14. [x] kubernetes_cluster_network_policy_enabled
  15. [x] kubernetes_cluster_node_restrict_public_access
  16. [x] kubernetes_cluster_node_pool_type_scale_set
  17. [x] kubernetes_cluster_key_vault_secret_rotation_enabled
  18. [x] kubernetes_cluster_upgrade_channel
  19. [x] kubernetes_cluster_addon_azure_policy_enabled
  20. [x] apimanagement_backend_uses_https
  21. [x] apimanagement_service_client_certificate_enabled
  22. [x] apimanagement_service_uses_latest_tls_version
  23. [x] apimanagement_service_restrict_public_access
  24. [x] app_configuration_encryption_enabled
  25. [x] app_configuration_local_auth_disabled
  26. [x] app_configuration_restrict_public_access
  27. [x] app_configuration_purge_protection_enabled
  28. [x] app_configuration_sku_standard
  29. [x] application_gateway_uses_https_listener
  30. [x] appservice_web_app_always_on
  31. [x] appservice_web_app_detailed_error_messages_enabled
  32. [x] appservice_web_app_latest_dotnet_framework_version
  33. [x] appservice_web_app_failed_request_tracing_enabled
  34. [x] appservice_web_app_http_logs_enabled
  35. [x] appservice_web_app_worker_more_than_one
  36. [x] appservice_web_app_health_check_enabled
  37. [x] appservice_plan_minimum_sku
  38. [x] appservice_web_app_slot_remote_debugging_disabled
  39. [x] appservice_web_app_slot_use_https
  40. [x] appservice_web_app_slot_latest_tls_version
  41. [x] appservice_web_app_uses_azure_file
  42. [x] container_instance_container_group_in_virtual_network
  43. [x] firewal_has_firewall_policy_set
  44. [x] firewal_threat_intel_mode_set_to_deny
  45. [x] firewall_policy_intrusion_detection_mode_set_to_deny
  46. [x] compute_vm_allow_extension_operations_disabled
  47. [x] compute_vm_disable_password_authentication
  48. [x] compute_linux_vm_disable_password_authentication
  49. [x] compute_managed_disk_set_encryption_enabled
  50. [x] compute_vm_scale_set_disable_password_authentication_linux
  51. [x] search_service_uses_managed_identity
  52. [x] search_service_replica_count_3
  53. [x] service_bus_namespace_infrastructure_encryption_enabled
  54. [x] service_bus_namespace_encrypted_with_cmk
  55. [x] service_bus_namespace_uses_managed_identity
  56. [x] service_bus_namespace_local_auth_disabled
  57. [x] service_bus_namespace_latest_tls_version
  58. [x] service_bus_namespace_restrict_public_access
  59. [x] cdn_endpoint_http_disabled
  60. [x] cdn_endpoint_https_enabled
  61. [x] cdn_endpoint_custom_domain_uses_latest_tls_version
  62. [x] cosmodb_account_with_restricted_access
  63. [x] cosmodb_account_access_key_metadata_writes_disabled
  64. [x] cosmodb_account_public_network_access_disabled
  65. [x] cosmodb_account_local_authentication_disabled
  66. [x] iam_no_custom_subscription_owner_roles_created
  67. [x] kusto_cluster_sku_with_sla
  68. [x] kusto_cluster_uses_managed_identity
  69. [x] data_factory_public_network_access_disabled
  70. [x] data_factory_uses_git_repository
  71. [x] databricks_workspace_restrict_public_access
  72. [x] eventgrid_domain_uses_managed_identity
  73. [x] eventgrid_domain_local_auth_disabled
  74. [x] eventgrid_domain_restrict_public_access
  75. [x] eventgrid_topic_uses_managed_identity
  76. [x] eventgrid_topic_local_auth_disabled
  77. [x] eventgrid_topic_restrict_public_access
  78. [x] appservice_function_app_builtin_logging_enabled
  79. [x] iot_hub_restrict_public_access
  80. [x] compute_vm_and_scale_set_ssh_key_enabled_linux
  81. [x] machine_learning_compute_cluster_local_auth_disabled
  82. [x] machine_learning_compute_cluster_minimum_node_zero
  83. [x] machine_learning_workspace_restrict_public_access
  84. [x] sql_server_audting_log_monitoring_enabled
  85. [x] sql_server_uses_latest_tls_version
  86. [x] mariadb_server_ssl_enabled
  87. [x] monitor_log_profile_retention_365_days
  88. [x] mysql_server_min_tls_1_2
  89. [x] mysql_server_threat_detection_enabled
  90. [x] network_security_rule_http_access_restricted
  91. [x] network_security_group_http_access_restricted
  92. [x] network_security_rule_rdp_access_restricted
  93. [x] network_security_group_rdp_access_restricted
  94. [x] network_security_rule_ssh_access_restricted
  95. [x] network_security_group_ssh_access_restricted
  96. [x] network_security_rule_udp_access_restricted
  97. [x] network_security_group_udp_access_restricted
  98. [x] network_watcher_flow_log_retention_period_90_days
  99. [x] postgres_db_flexible_server_geo_redundant_backup_enabled
  100. [x] postgres_db_server_threat_detection_policy_enabled
  101. [x] web_pubsub_sku_with_sla
  102. [x] web_pubsub_uses_managed_identity
  103. [x] redis_cache_min_tls_1_2
  104. [x] redis_cache_restrict_public_access
  105. [x] sql_server_email_security_alert_enabled
  106. [x] sql_server_admins_email_security_alert_enabled
  107. [x] sql_server_all_security_alerts_enabled
  108. [x] keyvault_secret_content_type
  109. [x] securitycenter_contact_number_configured
  110. [x] securitycenter_uses_standard_pricing_tier
  111. [x] signalr_services_uses_paid_sku
  112. [x] spring_cloud_api_https_only_enabled
  113. [x] spring_cloud_api_restrict_public_access
  114. [x] storage_account_uses_latest_minimum_tls_version
  115. [x] storage_account_replication_type_set
  116. [x] storage_container_restrict_public_access
  117. [x] synapse_workspace_data_exfiltration_protection_enabled
  118. [x] compute_vm_scale_set_automatic_os_upgrade_enabled
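As an added illustration of what these pre-deployment controls check, the script below re-implements a handful of the listed controls in Python against `terraform show -json` plan output. It is not the mod's code: the mod expresses each control as a Steampipe SQL query over the `terraform_resource` table, and the pass/fail predicates here are my reading of each control's name, not the PR's queries. The attribute names (`admin_enabled`, `anonymous_pull_enabled`, `public_network_access_enabled`, `local_account_disabled`, `sku_tier`, `network_profile[].network_policy`, `min_tls_version`, `https_only`) follow the azurerm provider schema, the provider defaults assumed for omitted attributes are my assumption, and the plan document is constructed.

```python
"""Re-implementation (not the mod's code) of a few listed controls, evaluated over
`terraform show -json` plan output. Attribute names follow the azurerm provider;
defaults for omitted attributes are assumptions mirroring the provider defaults."""
import json
from typing import Callable, Iterator

# Constructed sample of `terraform show -json tfplan` output (not real infrastructure):
# one weak and one hardened registry, a storage account pinned to TLS 1.0, and an
# AKS cluster plus a web-app slot inside a child module.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "azurerm_container_registry.weak",
             "type": "azurerm_container_registry", "name": "weak",
             "values": {"sku": "Premium", "admin_enabled": True,
                        "anonymous_pull_enabled": True,
                        "public_network_access_enabled": True}},
            {"address": "azurerm_container_registry.hardened",
             "type": "azurerm_container_registry", "name": "hardened",
             "values": {"sku": "Premium", "admin_enabled": False,
                        "anonymous_pull_enabled": False,
                        "public_network_access_enabled": False}},
            {"address": "azurerm_storage_account.logs",
             "type": "azurerm_storage_account", "name": "logs",
             "values": {"min_tls_version": "TLS1_0"}},
        ],
        "child_modules": [{
            "address": "module.aks",
            "resources": [
                {"address": "module.aks.azurerm_kubernetes_cluster.main",
                 "type": "azurerm_kubernetes_cluster", "name": "main",
                 "values": {"sku_tier": "Standard", "local_account_disabled": False,
                            "network_profile": [{"network_plugin": "azure",
                                                 "network_policy": "calico"}]}},
                {"address": "module.aks.azurerm_linux_web_app_slot.staging",
                 "type": "azurerm_linux_web_app_slot", "name": "staging",
                 "values": {"https_only": True}},
            ],
        }],
    }},
})


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a plan module, descending into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def _network_policy_set(values: dict) -> bool:
    # network_profile is rendered as a list of blocks in plan JSON; AKS accepts
    # "azure" or "calico" as a network policy engine.
    return any(p.get("network_policy") in ("azure", "calico")
               for p in values.get("network_profile") or [])


# control name -> (azurerm resource type, passes(values) -> bool).
# The default passed to .get() mirrors the provider default (assumption), so an
# attribute the author left out is judged the way Azure would actually deploy it.
CONTROLS: dict[str, tuple[str, Callable[[dict], bool]]] = {
    "container_registry_admin_user_disabled":
        ("azurerm_container_registry", lambda v: not v.get("admin_enabled", False)),
    "container_registry_anonymous_pull_disabled":
        ("azurerm_container_registry", lambda v: not v.get("anonymous_pull_enabled", False)),
    "container_registry_public_network_access_disabled":
        ("azurerm_container_registry", lambda v: not v.get("public_network_access_enabled", True)),
    "kubernetes_cluster_local_admin_disabled":
        ("azurerm_kubernetes_cluster", lambda v: bool(v.get("local_account_disabled", False))),
    # Free tier carries no uptime SLA; anything above it passes.
    "kubernetes_cluster_sku_standard":
        ("azurerm_kubernetes_cluster", lambda v: v.get("sku_tier", "Free") != "Free"),
    "kubernetes_cluster_network_policy_enabled":
        ("azurerm_kubernetes_cluster", _network_policy_set),
    "storage_account_uses_latest_minimum_tls_version":
        ("azurerm_storage_account", lambda v: v.get("min_tls_version", "TLS1_2") == "TLS1_2"),
    "appservice_web_app_slot_use_https":
        ("azurerm_linux_web_app_slot", lambda v: bool(v.get("https_only", False))),
}


def run_controls(plan_json: str) -> list[dict]:
    """Evaluate every control against every matching resource in the plan."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        for control, (rtype, passes) in CONTROLS.items():
            if res.get("type") != rtype:
                continue
            findings.append({"control": control, "resource": res["address"],
                             "status": "ok" if passes(res.get("values", {})) else "alarm"})
    return findings


def alarms(plan_json: str) -> set[tuple[str, str]]:
    """(control, resource address) pairs that would block the deployment."""
    return {(f["control"], f["resource"])
            for f in run_controls(plan_json) if f["status"] == "alarm"}


if __name__ == "__main__":
    for control, address in sorted(alarms(SAMPLE_PLAN)):
        print(f"ALARM {control}: {address}")
```

One caveat when checking a plan rather than `.tf` source: attributes that are only known after apply are omitted from `planned_values` and listed under `resource_changes[].change.after_unknown`, so a production gate should treat those as "skip" rather than silently falling back to the provider default as this example does.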

madhushreeray30 commented 1 year ago

@Priyanka-Chatterjee-2000 please take a look at the comments, thanks!