Azure Steampipe/Powerpipe

  • Azure Compliance Mod, CIS, NIST, etc.
    • This page lists the mod's controls and how to find the raw queries behind them, which can be run directly with the steampipe query --output line command.

Installation

  1. Install Powerpipe
  2. Install Steampipe
  3. Install the Steampipe Azure Compliance Mod (the azure and azuread Steampipe plugins the mod queries are installed in the Installation Alt section below)
sudo /bin/sh -c "$(curl -fsSL https://powerpipe.io/install/powerpipe.sh)"

sudo /bin/sh -c "$(curl -fsSL https://steampipe.io/install/steampipe.sh)"


mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance
az login --tenant cfc.avertium.com --use-device-code

Azure

For the Azure plugin, authentication is provided by the Azure CLI. Below is an example of logging into a tenant with the device-code flow.

 az login --tenant <tenant id> --use-device-code

Run the CIS v3.0.0 benchmark checks and export the results to HTML.

powerpipe benchmark run azure_compliance.benchmark.cis_v300 --export html

Installation Alt

To install and run Powerpipe and Steampipe for Azure CIS benchmarks, you will follow a four-stage process: installing the binaries, configuring Azure authentication, setting up the plugins, and finally running the compliance mod. [1](https://avertium-my.sharepoint.com/personal/michael_gupton_avertium_com/Documents/Microsoft%20Copilot%20Chat%20Files/powerpipe_azure_assessment.md)

1. Install Steampipe and Powerpipe

Run these commands in your bash terminal to install the latest versions using the official install scripts.

# Install Steampipe
sudo /bin/sh -c "$(curl -fsSL https://steampipe.io/install/steampipe.sh)"
# Install Powerpipe
sudo /bin/sh -c "$(curl -fsSL https://powerpipe.io/install/powerpipe.sh)"

2. Authenticate with Azure

Steampipe's azure plugin uses your existing Azure CLI credentials by default and scans the CLI's default subscription, so make sure you are logged in and have the correct subscription active before running the benchmark.

# Log in to Azure
az login
# (Optional) Set the specific subscription you want to scan
az account set --subscription "Your-Subscription-ID"

3. Install Plugins and Compliance Mod

Steampipe needs the Azure and Azure AD plugins to fetch data, while Powerpipe needs the Azure Compliance mod to run the CIS checks.

# Install required Steampipe plugins
steampipe plugin install azure
steampipe plugin install azuread
# Create a directory for your compliance checks and initialize a mod
mkdir azure-compliance
cd azure-compliance
powerpipe mod init
# Install the Azure Compliance mod
powerpipe mod install github.com/turbot/steampipe-mod-azure-compliance

4. Run the CIS Benchmark

You must start the Steampipe service so Powerpipe can query it, then run the benchmark command.

# Start the Steampipe service in the background
steampipe service start
# Run the CIS v3.0.0 benchmark (or choose your preferred version)
powerpipe benchmark run azure_compliance.benchmark.cis_v300 --export cis_300.html --export cis_300.csv

<WRAP tip> Prefer a visual dashboard? Instead of ``run``, use ``powerpipe server`` and navigate to ``http://localhost:9033`` in your browser to view the results in a rich, interactive UI. </WRAP>


Summary of Common Benchmarks

  Framework        Command
  CIS v3.0.0       ``powerpipe benchmark run azure_compliance.benchmark.cis_v300``
  CIS v2.1.0       ``powerpipe benchmark run azure_compliance.benchmark.cis_v210``
  NIST SP 800-53   ``powerpipe benchmark run azure_compliance.benchmark.nist_sp_800_53_rev_5``

Azure Compliance Mod Controls

List controls

powerpipe control list | grep keyvault
azure_compliance    azure_compliance.control.keyvault_certificate_validity_12_months
azure_compliance    azure_compliance.control.keyvault_certificate_validity_period_less_equal_12_months
azure_compliance    azure_compliance.control.keyvault_firewall_enabled
azure_compliance    azure_compliance.control.keyvault_key_automatic_rotation_enabled
azure_compliance    azure_compliance.control.keyvault_key_expiration_set
azure_compliance    azure_compliance.control.keyvault_logging_enabled
azure_compliance    azure_compliance.control.keyvault_managed_hms_logging_enabled
azure_compliance    azure_compliance.control.keyvault_managed_hms_purge_protection_enabled
azure_compliance    azure_compliance.control.keyvault_purge_protection_enabled
azure_compliance    azure_compliance.control.keyvault_rbac_enabled
azure_compliance    azure_compliance.control.keyvault_secret_expiration_set
azure_compliance    azure_compliance.control.keyvault_soft_delete_enabled
azure_compliance    azure_compliance.control.keyvault_vault_private_link_used
azure_compliance    azure_compliance.control.keyvault_vault_public_network_access_disabled
azure_compliance    azure_compliance.control.keyvault_vault_recoverable
azure_compliance    azure_compliance.control.keyvault_vault_use_virtual_service_endpoint
azure_compliance    azure_compliance.control.keyvault_with_non_rbac_key_expiration_set
azure_compliance    azure_compliance.control.keyvault_with_non_rbac_secret_expiration_set
azure_compliance    azure_compliance.control.keyvault_with_rbac_key_expiration_set
azure_compliance    azure_compliance.control.keyvault_with_rbac_secret_expiration_set
azure_compliance    azure_compliance.control.securitycenter_azure_defender_on_for_keyvault

Manually Running Controls (Checks) from the Azure Compliance Mod

  • Search the mod source (installed under the workspace by powerpipe mod install) for the control by its id, find the query it references, and run that query's SQL with steampipe query --output line.
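The lookup described above, as an added shell example that is not part of the Azure Compliance mod or of Powerpipe. It assumes the mod was installed by powerpipe mod install under .powerpipe/mods in the mod workspace, and that controls and queries are HCL blocks in the shape turbot mods use (control "NAME" { ... query = query.NAME ... } and query "NAME" { sql = <<-EOQ ... EOQ }). The two-file sample mod it writes is constructed for offline testing; its SQL is an illustration, not the mod's real query text.

```shell
#!/usr/bin/env bash
# Added example (not part of the Azure Compliance mod or Powerpipe): resolve a
# control name to the SQL of the query it runs, by reading the installed mod
# source, so the query can be run by hand with `steampipe query --output line`.
#
# Assumptions (not taken from the page): the mod lives under .powerpipe/mods in
# the mod workspace, and controls/queries are HCL blocks of the shape
#   control "NAME" { ... query = query.NAME ... }
#   query "NAME"   { sql = <<-EOQ ... EOQ }
set -eu

MOD_DIR="${MOD_DIR:-.powerpipe/mods}"   # where `powerpipe mod install` put the mod (assumed)

# Path of the .pp/.sp file that defines <kind> "<name>" (kind = control | query).
find_definition() {
  find "$MOD_DIR" -type f \( -name '*.pp' -o -name '*.sp' \) \
    -exec grep -l "^$1 \"$2\" {" {} + | head -n 1
}

# Query name referenced by a control block: its `query = query.NAME` attribute.
# Brace depth is tracked so a nested tags = merge(..., {...}) block does not
# end the scan early.
control_query_name() {
  awk -v name="$1" '
    !inblock && $1 == "control" && $2 == "\"" name "\"" { inblock = 1 }
    inblock {
      if ($1 == "query" && $2 == "=") { sub(/^query\./, "", $3); print $3; exit }
      depth += gsub(/\{/, "{") - gsub(/\}/, "}")
      if (depth <= 0) exit
    }' "$2"
}

# SQL body of query "<name>": the lines between `sql = <<-EOQ` and `EOQ`.
extract_query_sql() {
  awk -v name="$1" '
    !inblock && $1 == "query" && $2 == "\"" name "\"" { inblock = 1; next }
    inblock && !insql && $1 == "sql" && $3 ~ /^<<-?EOQ$/ { insql = 1; next }
    insql && $1 == "EOQ" { exit }
    insql { print }' "$2"
}

# control -> query name -> SQL text (printed, not executed).
resolve_control_sql() {
  local control="$1" cfile qname qfile
  cfile="$(find_definition control "$control")"
  [ -n "$cfile" ] || { echo "control not found under $MOD_DIR: $control" >&2; return 1; }
  qname="$(control_query_name "$control" "$cfile")"
  [ -n "$qname" ] || { echo "no query attribute in control $control" >&2; return 1; }
  qfile="$(find_definition query "$qname")"
  [ -n "$qfile" ] || { echo "query not found: $qname" >&2; return 1; }
  extract_query_sql "$qname" "$qfile"
}

# Run the resolved query against the running Steampipe service.
# Caveat: queries that declare `param` blocks need their parameters supplied;
# this helper only handles parameter-free queries.
run_control_query() {
  steampipe query --output line "$(resolve_control_sql "$1")"
}

# Constructed two-file mini mod in the shape assumed above, for offline testing.
# The SQL is an illustration, not the mod's real query text.
write_sample_mod() {
  mkdir -p "$1/controls" "$1/query"
  cat > "$1/controls/keyvault.pp" <<'EOF'
control "keyvault_purge_protection_enabled" {
  title       = "Key vaults should have purge protection enabled"
  query       = query.keyvault_purge_protection_enabled

  tags = merge(local.keyvault_common_tags, {
    cis = "true"
  })
}
EOF
  cat > "$1/query/keyvault.pp" <<'EOF'
query "keyvault_purge_protection_enabled" {
  sql = <<-EOQ
    select
      v.id as resource,
      case when v.purge_protection_enabled then 'ok' else 'alarm' end as status
    from
      azure_key_vault as v;
  EOQ
}
EOF
}

# Usage, from the mod workspace after `steampipe service start`:
#   bash run_control.sh keyvault_purge_protection_enabled
if [ "$#" -gt 0 ]; then
  run_control_query "$1"
fi
```

Running resolve_control_sql alone (without the steampipe call) is useful when you want to paste the SQL into the Steampipe query shell and edit it, for example to add a where clause on resource_group before re-running a single noisy control.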
azure/azure_powerpipe.txt · Last modified: 2026/02/12 21:25 by mmuze