Steampipe is an open source CLI to instantly query cloud APIs using SQL.

Steampipe Mods are collections of named queries, codified controls that can be used to test current configuration of your cloud resources against a desired configuration, and dashboards that organize and display key pieces of information.

CIS Azure Benchmarks provide a predefined set of compliance and security best-practice checks for Microsoft Azure usage.

In this blog post, I am gonna show you how to use Steampipe Azure Compliance Mod to run individual configuration, compliance and security controls or full CISHIPAA HITRUSTNIST and PCI DSS compliance benchmarks across all your Azure subscriptions.


We support running Steampipe on Windows 10 via Windows Subsystem for Linux (WSL 2.0), and have tested things using Ubuntu 20.04.1 LTS.
Install Prerequisites: WSL and Ubuntu

Install WSL 2.0 by following Microsoft’s installation instructions.

After WSL is running and you have rebooted then install Ubuntu from the Microsoft Store.

Open a new Ubuntu terminal session on your PC and follow the Steampipe installation instructions below.

STEP 1: Copy and paste into your WSL shell
sudo /bin/sh -c "$(curl -fsSL"
STEP 2: Version check
~$ steampipe -v
steampipe version 0.21.1
STEP 3: Install your first plugin
~$ steampipe plugin install steampipe
Installed plugin: steampipe
RESULT! Run your first query…
~$ steampipe query "select name from steampipe_registry_plugin;"
| name |
| turbot/aws |
| turbot/steampipe |
| turbot/azure |
| ... |

Whoa!? What just happened?

Steampipe’s one step installer downloaded the steampipe binary, installed it into /usr/local/bin, and then created a .steampipe directory in your home directory with all the supporting libraries and configuration needed to get started (including PostgreSQL). Now, get to work!

How do you update Steampipe?

Just re-run the curl script in STEP 1 above to install the latest released version of Steampipe.

john@WinEntLTSC:~$ sudo /bin/sh -c “$(curl -fsSL”
[sudo] password for john:
Created temporary directory at /tmp/tmp.uf0NjGUGAW. Changing to /tmp/tmp.uf0NjGUGAW
Downloading from
–2023-11-05 03:31:47–
Resolving (…
Connecting to (||:443… connected.
HTTP request sent, awaiting response… 302 Found
Location: [following]
–2023-11-05 03:32:00–
Reusing existing connection to
HTTP request sent, awaiting response… 302 Found
Location: [following]
–2023-11-05 03:32:00–
Resolving (…,,, …
Connecting to (||:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 17804949 (17M) [application/octet-stream]
Saving to: ‘/tmp/tmp.uf0NjGUGAW/steampipe.tar.gz’
/tmp/tmp.uf0NjGUGAW/steampipe 100%[=================================================>]  16.98M   464KB/s    in 22s
2023-11-05 03:32:22 (807 KB/s) – ‘/tmp/tmp.uf0NjGUGAW/steampipe.tar.gz’ saved [17804949/17804949]
Deflating downloaded archive
Applying necessary permissions
Removing downloaded archive
Steampipe was installed successfully to /usr/local/bin/steampipe

Note: Default WSL login user name is root. 
If you would like to change to some other users, you can add a new user , “adduser test1”
Then user following command to change default user to test1
  • ubuntu2204 config --default-user <username>

Start Steampipe & Launch Dashboard

Get started with the Azure Compliance mod
  1. Download and install Steampipe.
  2. Update or install the required plugins:
    steampipe plugin update azure azuread

  3. For install:   steampipe plugin install azure azuread

  4. Clone the repo:
    git clone
    cd steampipe-mod-azure-compliance
  5. Start the dashboard server:
    steampipe dashboard

    or run this benchmark in your terminal:

    steampipe check benchmark.cis_v200_1

john@WinEntLTSC:~$ steampipe plugin update azure

turbot/azure                   [====================================================================] Latest already installed

john@WinEntLTSC:~$ steampipe plugin update azuread

turbot/azuread                 [====================================================================] Latest already installed


Other things you will need to do:

1. Install azure-cli so you can launch command ‘az login’

 sudo apt install azure-cli –fix-missing

2.  Configuration

Installing the latest azure plugin will create a config file (~/.steampipe/config/azure.spc) with a single connection named azure:

connection "azure" {
plugin = "azure"
# The Azure cloud environment to use, defaults to AZUREPUBLICCLOUD
# If using Azure CLI for authentication, make sure to also set the default environment:
# environment = "AZUREPUBLICCLOUD"
# You can connect to Azure using one of options below:
# Use client secret authentication (
# tenant_id = "00000000-0000-0000-0000-000000000000"
# subscription_id = "00000000-0000-0000-0000-000000000000"
# client_id = "00000000-0000-0000-0000-000000000000"
# client_secret = "~dummy@3password"
# Use client certificate authentication (
# tenant_id = "00000000-0000-0000-0000-000000000000"
# subscription_id = "00000000-0000-0000-0000-000000000000"
# client_id = "00000000-0000-0000-0000-000000000000"
# certificate_path = "~/home/azure_cert.pem"
# certificate_password = "notreal~pwd"
# Use resource owner password authentication (
# tenant_id = "00000000-0000-0000-0000-000000000000"
# subscription_id = "00000000-0000-0000-0000-000000000000"
# client_id = "00000000-0000-0000-0000-000000000000"
# username = "my-username"
# password = "plaintext password"
# Use a managed identity (
# This method is useful with Azure virtual machines
# tenant_id = "00000000-0000-0000-0000-000000000000"
# subscription_id = "00000000-0000-0000-0000-000000000000"
# client_id = "00000000-0000-0000-0000-000000000000"
# If no credentials are specified, the plugin will use Azure CLI authentication
# List of additional azure error codes to ignore for all queries.
# By default, common not found error codes are ignored and will still be ignored even if this argument is not set.
#ignore_error_codes = ["NoAuthenticationInformation", "InvalidAuthenticationInfo", "AccountIsDisabled", "UnauthorizedOperation", "UnrecognizedClientException", "AuthorizationError", "AuthenticationFailed", "InsufficientAccountPermissions"]

3. You also can use ‘az login’ from command line to login into Azure using a browser. Steampipe dashboard will use Azure Cli authentication to scan you Azure environment.

Evaluate your environment with Azure CIS v2.0

The Steampipe Azure Compliance mod, packed with hundreds of controls that check your Azure accounts for compliance with benchmarks like CIS, NIST, and PCI DSS, now includes new controls for Azure CIS v2.0.

If you’re new to Steampipe, you can download the CLI and then run the following commands to install the Azure and AzureAD plugins, and then configure the Azure Compliance mod:

steampipe plugin install azure azuread
git clone
cd steampipe-mod-azure-compliance
steampipe dashboard

Then open http://localhost:9194 in your browser and view the dashboard.


john@WinEntLTSC:~$ git clone
Cloning into 'steampipe-mod-azure-compliance'...
remote: Enumerating objects: 4899, done.
remote: Counting objects: 100% (2470/2470), done.
remote: Compressing objects: 100% (870/870), done.
remote: Total 4899 (delta 1832), reused 1888 (delta 1600), pack-reused 2429
Receiving objects: 100% (4899/4899), 2.95 MiB | 936.00 KiB/s, done.
Resolving deltas: 100% (3588/3588), done.
john@WinEntLTSC:~$ cd steampipe-mod-azure-compliance
john@WinEntLTSC:~/steampipe-mod-azure-compliance$ steampipe dashboard
[ Wait    ] Loading Workspace
[ Wait    ] Starting Dashboard Server
[ Message ] Workspace loaded
[ Message ] Initialization complete
[ Ready   ] Dashboard server started on 9194 and listening on local
[ Message ] Visit http://localhost:9194
[ Message ] Press Ctrl+C to exit
[ Message ] Could not start web browser.

Download Report


You can download data into a csv file:


By Jon

Leave a Reply