====== Azure Steampipe/Powerpipe ======
  * [[https://hub.powerpipe.io/mods/turbot/steampipe-mod-azure-compliance/benchmarks|Azure Compliance Mod]] (CIS, NIST and other benchmarks)
  * This page includes a list of the raw queries that can be run using the Steampipe ''steampipe query --output line'' command.
* Details on installing are here, [[https://github.com/turbot/steampipe-mod-azure-compliance]]
====== Installation ======
- Install Powerpipe
- Install Steampipe
- Install Steampipe Azure Compliance Mod
sudo /bin/sh -c "$(curl -fsSL https://powerpipe.io/install/powerpipe.sh)"
sudo /bin/sh -c "$(curl -fsSL https://steampipe.io/install/steampipe.sh)"
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
az login --tenant cfc.avertium.com --use-device-code
====== Azure ======
For the Azure mods I authenticate with the Azure CLI; the Steampipe Azure plugin picks up the CLI's credentials. Below is an example of logging into a tenant (replace the placeholder with the tenant ID or domain).
az login --tenant <tenant-id-or-domain> --use-device-code
Run CIS Benchmark checks and output the results to HTML.
powerpipe benchmark run azure_compliance.benchmark.cis_v300 --export html
====== Installation Alt ======
To install and run **Powerpipe** and **Steampipe** for Azure CIS benchmarks, you will follow a four-stage process: installing the binaries, configuring Azure authentication, setting up the plugins, and finally running the compliance mod. [1](https://avertium-my.sharepoint.com/personal/michael_gupton_avertium_com/Documents/Microsoft%20Copilot%20Chat%20Files/powerpipe_azure_assessment.md)
=== 1. Install Steampipe and Powerpipe ===
Run these commands in your bash terminal to install the latest versions using the official install scripts.
# Install Steampipe
sudo /bin/sh -c "$(curl -fsSL https://steampipe.io/install/steampipe.sh)"
# Install Powerpipe
sudo /bin/sh -c "$(curl -fsSL https://powerpipe.io/install/powerpipe.sh)"
----
=== 2. Authenticate with Azure ===
Steampipe uses your existing Azure CLI credentials by default. Ensure you are logged in and have the correct subscription active.
# Log in to Azure
az login
# (Optional) Set the specific subscription you want to scan
az account set --subscription "Your-Subscription-ID"
----
=== 3. Install Plugins and Compliance Mod ===
Steampipe needs the **Azure** and **Azure AD** plugins to fetch data, while Powerpipe needs the **Azure Compliance** mod to run the CIS checks.
# Install required Steampipe plugins
steampipe plugin install azure
steampipe plugin install azuread
# Create a directory for your compliance checks and initialize a mod
mkdir azure-compliance
cd azure-compliance
powerpipe mod init
# Install the Azure Compliance mod
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
----
=== 4. Run the CIS Benchmark ===
You must start the Steampipe service so Powerpipe can query it, then run the benchmark command.
# Start the Steampipe service in the background
steampipe service start
# Run the CIS v3.0.0 benchmark (or choose your preferred version)
powerpipe benchmark run azure_compliance.benchmark.cis_v300 --export cis_300.html --export cis_300.csv
**Prefer a visual dashboard?** Instead of ''run'', use ''powerpipe server'' and navigate to ''http://localhost:9033'' in your browser to view the results in a rich, interactive UI.
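Once the benchmark has been exported to CSV, the next question is which resources are actually failing and under which control. The script below is an added example, not part of the original page or the Powerpipe project: it loads a Powerpipe CSV export and groups rows by control and status. The sample CSV is constructed inline, and the column names (''control_id'', ''status'', ''resource'', ''reason'' plus the dimension columns) are assumed to follow the Steampipe/Powerpipe check export layout; the loader raises if the columns it needs are missing, so a changed export format fails loudly rather than silently producing an empty report.

```python
import csv
import io
import sys
from collections import defaultdict

# Constructed sample of a Powerpipe CSV export. The header layout is an
# assumption about the check export format; the values are invented.
SAMPLE_CSV = """group_id,title,description,control_id,control_title,control_description,reason,resource,status,resource_group,subscription_id
azure_compliance.benchmark.cis_v300_8,8 Key Vault,,azure_compliance.control.keyvault_soft_delete_enabled,Ensure soft delete is enabled,,kv-prod soft delete enabled.,/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod,ok,rg-prod,0000
azure_compliance.benchmark.cis_v300_8,8 Key Vault,,azure_compliance.control.keyvault_purge_protection_enabled,Ensure purge protection is enabled,,kv-prod purge protection disabled.,/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod,alarm,rg-prod,0000
azure_compliance.benchmark.cis_v300_8,8 Key Vault,,azure_compliance.control.keyvault_purge_protection_enabled,Ensure purge protection is enabled,,kv-dev purge protection disabled.,/subscriptions/0000/resourceGroups/rg-dev/providers/Microsoft.KeyVault/vaults/kv-dev,alarm,rg-dev,0000
azure_compliance.benchmark.cis_v300_8,8 Key Vault,,azure_compliance.control.keyvault_logging_enabled,Ensure logging is enabled,,kv-dev logging not enabled.,/subscriptions/0000/resourceGroups/rg-dev/providers/Microsoft.KeyVault/vaults/kv-dev,alarm,rg-dev,0000
azure_compliance.benchmark.cis_v300_8,8 Key Vault,,azure_compliance.control.keyvault_logging_enabled,Ensure logging is enabled,,Error: rate limited,/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod,error,rg-prod,0000
"""

# Control statuses Steampipe/Powerpipe checks emit.
STATUSES = ("ok", "alarm", "error", "skip", "info")
REQUIRED_COLUMNS = ("control_id", "status", "resource", "reason")


def load_results(csv_text):
    """Parse export text into a list of row dicts, validating the columns we rely on."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if not rows:
        raise ValueError("export contains no result rows")
    missing = [c for c in REQUIRED_COLUMNS if c not in rows[0]]
    if missing:
        raise ValueError(f"export is missing expected columns: {missing}")
    return rows


def summarize(rows):
    """Return {control_id: {status: count}} over every row of the export."""
    summary = defaultdict(lambda: defaultdict(int))
    for row in rows:
        summary[row["control_id"]][row["status"]] += 1
    return {control: dict(counts) for control, counts in summary.items()}


def failing_resources(rows, statuses=("alarm", "error")):
    """Return {control_id: [(resource, status, reason), ...]} for rows in a failing status.

    'error' is included by default: a control that could not be evaluated
    (for example, API throttling) must not be read as a pass.
    """
    failing = defaultdict(list)
    for row in rows:
        if row["status"] in statuses:
            failing[row["control_id"]].append((row["resource"], row["status"], row["reason"]))
    return {control: sorted(items) for control, items in sorted(failing.items())}


def report(rows):
    """Render the per-control counts and the failing resources as plain text."""
    lines = []
    for control, counts in sorted(summarize(rows).items()):
        tally = " ".join(f"{s}={counts.get(s, 0)}" for s in STATUSES if counts.get(s))
        lines.append(f"{control}: {tally}")
    for control, items in failing_resources(rows).items():
        lines.append(f"\n{control}")
        for resource, status, reason in items:
            lines.append(f"  [{status}] {resource}\n      {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python summarize_export.py cis_300.csv   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSV
    print(report(load_results(text)))
```

Running it against the ''cis_300.csv'' produced by the step above gives a per-control tally and the list of resources behind each alarm, which is the part of the dashboard most useful when handing findings to the team that owns the resource group.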
----
=== Summary of Common Benchmarks ===
^ Framework ^ Command ^
| **CIS v3.0.0** | ''powerpipe benchmark run azure_compliance.benchmark.cis_v300'' |
| **CIS v2.1.0** | ''powerpipe benchmark run azure_compliance.benchmark.cis_v210'' |
| **NIST SP 800-53** | ''powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_53_rev_5'' |
====== Azure Compliance Mod Controls ======
=== List controls ===
powerpipe control list | grep keyvault
azure_compliance azure_compliance.control.keyvault_certificate_validity_12_months
azure_compliance azure_compliance.control.keyvault_certificate_validity_period_less_equal_12_months
azure_compliance azure_compliance.control.keyvault_firewall_enabled
azure_compliance azure_compliance.control.keyvault_key_automatic_rotation_enabled
azure_compliance azure_compliance.control.keyvault_key_expiration_set
azure_compliance azure_compliance.control.keyvault_logging_enabled
azure_compliance azure_compliance.control.keyvault_managed_hms_logging_enabled
azure_compliance azure_compliance.control.keyvault_managed_hms_purge_protection_enabled
azure_compliance azure_compliance.control.keyvault_purge_protection_enabled
azure_compliance azure_compliance.control.keyvault_rbac_enabled
azure_compliance azure_compliance.control.keyvault_secret_expiration_set
azure_compliance azure_compliance.control.keyvault_soft_delete_enabled
azure_compliance azure_compliance.control.keyvault_vault_private_link_used
azure_compliance azure_compliance.control.keyvault_vault_public_network_access_disabled
azure_compliance azure_compliance.control.keyvault_vault_recoverable
azure_compliance azure_compliance.control.keyvault_vault_use_virtual_service_endpoint
azure_compliance azure_compliance.control.keyvault_with_non_rbac_key_expiration_set
azure_compliance azure_compliance.control.keyvault_with_non_rbac_secret_expiration_set
azure_compliance azure_compliance.control.keyvault_with_rbac_key_expiration_set
azure_compliance azure_compliance.control.keyvault_with_rbac_secret_expiration_set
azure_compliance azure_compliance.control.securitycenter_azure_defender_on_for_keyvault
====== Manually Running Controls (Checks) from the Azure Compliance Mod ======
  * Search the [[https://github.com/turbot/steampipe-mod-azure-compliance|source code]] for the control by id, find the query it references, and run that query with ''steampipe query''.
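Doing that lookup by hand means opening the control definition, noting the ''query.<name>'' it references, then finding that query's SQL in a second file. The script below automates the two-step lookup; it is an added example, not code from the page or from the Turbot mod. It assumes the mod's layout as found in Turbot mods: HCL ''control "..." { query = query.<name> }'' blocks, and ''query "..." { sql = <<-EOQ ... EOQ }'' blocks, stored in ''*.pp'' or ''*.sp'' files under the mod directory. The two HCL snippets embedded below are constructed stand-ins for those files, so the example runs offline; the SQL in them is illustrative.

```python
import re
import sys
import textwrap
from pathlib import Path

# Constructed stand-in for a controls file (layout assumed from Turbot mods).
SAMPLE_CONTROLS = '''
control "keyvault_soft_delete_enabled" {
  title       = "Ensure soft delete is enabled for Key Vault"
  description = "Soft delete keeps deleted vault objects recoverable."
  query       = query.keyvault_soft_delete_enabled

  tags = merge(local.cis_v300_8_common_tags, {
    cis_item_id = "8.5"
  })
}

control "keyvault_purge_protection_enabled" {
  title = "Ensure purge protection is enabled"
  query = query.keyvault_purge_protection_enabled
}
'''

# Constructed stand-in for a queries file; the SQL is illustrative only.
SAMPLE_QUERIES = '''
query "keyvault_soft_delete_enabled" {
  sql = <<-EOQ
    select
      v.id as resource,
      case when soft_delete_enabled then 'ok' else 'alarm' end as status
    from
      azure_key_vault as v;
  EOQ
}

query "keyvault_purge_protection_enabled" {
  sql = <<-EOQ
    select
      v.id as resource,
      case when purge_protection_enabled then 'ok' else 'alarm' end as status
    from
      azure_key_vault as v;
  EOQ
}
'''

QUERY_REF_RE = re.compile(r'\bquery\s*=\s*query\.(\w+)')
# sql = <<-MARKER ... MARKER  (marker name is whatever the file uses)
HEREDOC_RE = re.compile(r'sql\s*=\s*<<-?(\w+)\n(.*?)\n\s*\1\b', re.S)


def block_body(text, kind, name):
    """Return the body of the HCL block `<kind> "<name>" { ... }` via brace counting.

    Brace counting (rather than a non-greedy regex) copes with nested braces
    such as the merge({...}) inside a control's tags attribute.
    """
    m = re.search(rf'{kind}\s+"{re.escape(name)}"\s*\{{', text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def query_name_for_control(hcl_text, control_id):
    """Map a control id (short or fully qualified) to the query name it references."""
    short = control_id.rsplit(".", 1)[-1]
    body = block_body(hcl_text, "control", short)
    if body is None:
        return None
    m = QUERY_REF_RE.search(body)
    return m.group(1) if m else None


def sql_for_query(hcl_text, query_name):
    """Return the dedented SQL heredoc of `query "<query_name>"`, or None."""
    m = re.search(rf'query\s+"{re.escape(query_name)}"\s*\{{', hcl_text)
    if not m:
        return None
    h = HEREDOC_RE.search(hcl_text, m.end())
    return textwrap.dedent(h.group(2)).strip() if h else None


def find_control_sql(control_id, sources):
    """Resolve control id -> query name -> SQL across a list of HCL texts."""
    sources = list(sources)
    qname = next((q for q in (query_name_for_control(s, control_id) for s in sources) if q), None)
    if qname is None:
        return None
    return next((sql for sql in (sql_for_query(s, qname) for s in sources) if sql), None)


def load_mod_sources(mod_dir):
    """Read every *.pp and *.sp file under the mod checkout (file extensions assumed)."""
    root = Path(mod_dir)
    return [p.read_text() for ext in ("pp", "sp") for p in root.rglob(f"*.{ext}")]


if __name__ == "__main__":
    # Usage: python find_control_sql.py <mod_dir> <control_id>
    # The printed SQL can be fed to: steampipe query --output line
    if len(sys.argv) == 3:
        sql = find_control_sql(sys.argv[2], load_mod_sources(sys.argv[1]))
    else:
        sql = find_control_sql("keyvault_soft_delete_enabled", [SAMPLE_CONTROLS, SAMPLE_QUERIES])
    print(sql if sql else "control or query not found", file=sys.stdout if sql else sys.stderr)
```

Pointed at the ''.powerpipe/mods/.../steampipe-mod-azure-compliance'' checkout that ''powerpipe mod install'' creates, the script prints the raw SQL for a control such as ''azure_compliance.control.keyvault_soft_delete_enabled'', which can then be run or adapted with ''steampipe query --output line'' as described at the top of this page.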