Steampipe is an open source CLI to instantly query cloud APIs using SQL.

Steampipe Mods are collections of named queries, codified controls that can be used to test current configuration of your cloud resources against a desired configuration, and dashboards that organize and display key pieces of information.

CIS Azure Benchmarks provide a predefined set of compliance and security best-practice checks for Microsoft Azure usage.

In this blog post, I am going to show you how to use the Steampipe Azure Compliance mod to run individual configuration, compliance and security controls, or the full CIS, HIPAA HITRUST, NIST and PCI DSS compliance benchmarks, across all your Azure subscriptions.

We support running Steampipe on Windows 10 via Windows Subsystem for Linux (WSL 2.0), and have tested things using Ubuntu 20.04.1 LTS.

Install Prerequisites: WSL and Ubuntu

Install WSL 2.0 by following Microsoft’s installation instructions.

After WSL is running and you have rebooted, install Ubuntu from the Microsoft Store.

Open a new Ubuntu terminal session on your PC and follow the Steampipe installation instructions below.

STEP 1: Copy and paste into your WSL shell

sudo /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/turbot/steampipe/main/install.sh)"

STEP 2: Version check

~$ steampipe -v
steampipe version 0.21.1

STEP 3: Install your first plugin

~$ steampipe plugin install steampipe
Installed plugin: steampipe

RESULT! Run your first query…

~$ steampipe query "select name from steampipe_registry_plugin;"
+------------------+
| name             |
+------------------+
| turbot/aws       |
| turbot/steampipe |
| turbot/azure     |
| ...              |
+------------------+

Whoa!? What just happened?

Steampipe’s one-step installer downloaded the steampipe binary, installed it into /usr/local/bin, and then created a .steampipe directory in your home directory with all the supporting libraries and configuration needed to get started (including PostgreSQL). Now, get to work!

How do you update Steampipe?

Just re-run the curl script in STEP 1 above to install the latest released version of Steampipe.


john@WinEntLTSC:~$ sudo /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/turbot/steampipe/main/install.sh)"
[sudo] password for john:
Created temporary directory at /tmp/tmp.uf0NjGUGAW. Changing to /tmp/tmp.uf0NjGUGAW
Downloading from https://github.com/turbot/steampipe/releases/latest/download/steampipe_linux_amd64.tar.gz
--2023-11-05 03:31:47--  https://github.com/turbot/steampipe/releases/latest/download/steampipe_linux_amd64.tar.gz
Resolving github.com (github.com)… 140.82.114.4
Connecting to github.com (github.com)|140.82.114.4|:443… connected.
HTTP request sent, awaiting response… 302 Found
Location: https://github.com/turbot/steampipe/releases/download/v0.21.1/steampipe_linux_amd64.tar.gz [following]
--2023-11-05 03:32:00--  https://github.com/turbot/steampipe/releases/download/v0.21.1/steampipe_linux_amd64.tar.gz
Reusing existing connection to github.com:443.
HTTP request sent, awaiting response… 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/330405184/413600a7-8a9f-4c6b-9143-393dcdf58e3e?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231105%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231105T113159Z&X-Amz-Expires=300&X-Amz-Signature=b39b029e285b9c51064522be0d76e6068fd227bfe37376de0b7718c98e7d2c09&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=330405184&response-content-disposition=attachment%3B%20filename%3Dsteampipe_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream [following]
--2023-11-05 03:32:00--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/330405184/413600a7-8a9f-4c6b-9143-393dcdf58e3e?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231105%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231105T113159Z&X-Amz-Expires=300&X-Amz-Signature=b39b029e285b9c51064522be0d76e6068fd227bfe37376de0b7718c98e7d2c09&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=330405184&response-content-disposition=attachment%3B%20filename%3Dsteampipe_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)… 185.199.108.133, 185.199.109.133, 185.199.111.133, …
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 17804949 (17M) [application/octet-stream]
Saving to: ‘/tmp/tmp.uf0NjGUGAW/steampipe.tar.gz’
/tmp/tmp.uf0NjGUGAW/steampipe 100%[=================================================>]  16.98M   464KB/s    in 22s
2023-11-05 03:32:22 (807 KB/s) - ‘/tmp/tmp.uf0NjGUGAW/steampipe.tar.gz’ saved [17804949/17804949]
Deflating downloaded archive
Installing
Applying necessary permissions
Removing downloaded archive
Steampipe was installed successfully to /usr/local/bin/steampipe

Note: The default WSL login user name is root.
If you would like to change to another user, add a new user with “adduser test1”,
then use the following command to make test1 the default user:
  • ubuntu2204 config --default-user <username>

Start Steampipe & Launch Dashboard

Get started with the Azure Compliance mod
  1. Download and install Steampipe.
  2. Update the required plugins if they are already installed:
    steampipe plugin update azure azuread

  3. Otherwise, install them:
    steampipe plugin install azure azuread

  4. Clone the repo:
    git clone https://github.com/turbot/steampipe-mod-azure-compliance
    cd steampipe-mod-azure-compliance
  5. Start the dashboard server:
    steampipe dashboard

    or run this benchmark in your terminal:

    steampipe check benchmark.cis_v200_1

john@WinEntLTSC:~$ steampipe plugin update azure

turbot/azure                   [====================================================================] Latest already installed

john@WinEntLTSC:~$ steampipe plugin update azuread

turbot/azuread                 [====================================================================] Latest already installed

john@WinEntLTSC:~$ 

Other things you will need to do:

1. Install the Azure CLI so you can run ‘az login’:

 sudo apt install azure-cli --fix-missing

2.  Configuration

Installing the latest azure plugin will create a config file (~/.steampipe/config/azure.spc) with a single connection named azure:

connection "azure" {
plugin = "azure"
# The Azure cloud environment to use, defaults to AZUREPUBLICCLOUD
# Valid environments are AZUREPUBLICCLOUD, AZURECHINACLOUD, AZUREGERMANCLOUD, AZUREUSGOVERNMENTCLOUD
# If using Azure CLI for authentication, make sure to also set the default environment: https://docs.microsoft.com/en-us/cli/azure/manage-clouds-azure-cli
# environment = "AZUREPUBLICCLOUD"
# You can connect to Azure using one of options below:
# Use client secret authentication (https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret)
# tenant_id = "00000000-0000-0000-0000-000000000000"
# subscription_id = "00000000-0000-0000-0000-000000000000"
# client_id = "00000000-0000-0000-0000-000000000000"
# client_secret = "~dummy@3password"
# Use client certificate authentication (https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-1-upload-a-certificate)
# tenant_id = "00000000-0000-0000-0000-000000000000"
# subscription_id = "00000000-0000-0000-0000-000000000000"
# client_id = "00000000-0000-0000-0000-000000000000"
# certificate_path = "~/home/azure_cert.pem"
# certificate_password = "notreal~pwd"
# Use resource owner password authentication (https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc)
# tenant_id = "00000000-0000-0000-0000-000000000000"
# subscription_id = "00000000-0000-0000-0000-000000000000"
# client_id = "00000000-0000-0000-0000-000000000000"
# username = "my-username"
# password = "plaintext password"
# Use a managed identity (https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
# This method is useful with Azure virtual machines
# tenant_id = "00000000-0000-0000-0000-000000000000"
# subscription_id = "00000000-0000-0000-0000-000000000000"
# client_id = "00000000-0000-0000-0000-000000000000"
# If no credentials are specified, the plugin will use Azure CLI authentication
# List of additional azure error codes to ignore for all queries.
# By default, common not found error codes are ignored and will still be ignored even if this argument is not set.
#ignore_error_codes = ["NoAuthenticationInformation", "InvalidAuthenticationInfo", "AccountIsDisabled", "UnauthorizedOperation", "UnrecognizedClientException", "AuthorizationError", "AuthenticationFailed", "InsufficientAccountPermissions"]
}

3. You can also use ‘az login’ from the command line to log in to Azure through a browser. The Steampipe dashboard will then use Azure CLI authentication to scan your Azure environment.

Evaluate your environment with Azure CIS v2.0

The Steampipe Azure Compliance mod, packed with hundreds of controls that check your Azure accounts for compliance with benchmarks like CIS, NIST, and PCI DSS, now includes new controls for Azure CIS v2.0.

If you’re new to Steampipe, you can download the CLI and then run the following commands to install the Azure and AzureAD plugins, and then configure the Azure Compliance mod:

steampipe plugin install azure azuread
git clone https://github.com/turbot/steampipe-mod-azure-compliance.git
cd steampipe-mod-azure-compliance
steampipe dashboard

Then open http://localhost:9194 in your browser and view the dashboard.

Note: https://steampipe.io/blog/cis-v20-azure-benchmark

john@WinEntLTSC:~$ git clone https://github.com/turbot/steampipe-mod-azure-compliance.git
Cloning into 'steampipe-mod-azure-compliance'...
remote: Enumerating objects: 4899, done.
remote: Counting objects: 100% (2470/2470), done.
remote: Compressing objects: 100% (870/870), done.
remote: Total 4899 (delta 1832), reused 1888 (delta 1600), pack-reused 2429
Receiving objects: 100% (4899/4899), 2.95 MiB | 936.00 KiB/s, done.
Resolving deltas: 100% (3588/3588), done.
john@WinEntLTSC:~$ cd steampipe-mod-azure-compliance
john@WinEntLTSC:~/steampipe-mod-azure-compliance$ steampipe dashboard
[ Wait    ] Loading Workspace
[ Wait    ] Starting Dashboard Server
[ Message ] Workspace loaded
[ Message ] Initialization complete
[ Ready   ] Dashboard server started on 9194 and listening on local
[ Message ] Visit http://localhost:9194
[ Message ] Press Ctrl+C to exit
[ Message ] Could not start web browser.

Download Report


You can download data into a csv file:
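The five setup steps and the CSV download above can be driven from a single non-interactive script. The following is an added example, not code from this post or from the Steampipe project: it runs benchmark.cis_v200_1 from a checkout of the mod, exports the results with `steampipe check --export`, and counts controls per status so a CI job can fail when anything is in alarm. The export file name, the CSV column layout and the sample rows are assumptions (constructed); run with no arguments it only exercises the constructed sample, and with `--run <mod_dir> <out.csv>` it performs the real benchmark.

```shell
#!/bin/sh
# Added example, not from the post or the Steampipe project: run the CIS v2.0
# benchmark, export results to CSV and summarise them so CI can fail on alarms.
# Assumes `steampipe check --export <file>.csv` infers the format from the
# extension and that the CSV has a header row with a "status" column.
set -eu
run_cis_benchmark() {  # usage: run_cis_benchmark <mod_dir> <out.csv>
  ( cd "$1" && steampipe check benchmark.cis_v200_1 --export "$2" )
}
# Count result rows per status. The awk parser honours double-quoted fields
# (Steampipe "reason" text often contains commas) but not embedded newlines.
summarize_status() {  # usage: summarize_status <results.csv>
  awk '
    function csvsplit(line, out,   n, i, c, inq, f) {
      n = 0; f = ""; inq = 0
      for (i = 1; i <= length(line); i++) {
        c = substr(line, i, 1)
        if (c == "\"") {
          if (inq && substr(line, i + 1, 1) == "\"") { f = f "\""; i++ }
          else inq = !inq
        } else if (c == "," && !inq) { out[++n] = f; f = "" }
        else f = f c
      }
      out[++n] = f; return n
    }
    NR == 1 { split("", h); n = csvsplit($0, h)
              for (i = 1; i <= n; i++) if (h[i] == "status") col = i; next }
    col     { split("", r); csvsplit($0, r); cnt[r[col]]++ }
    END     { printf "ok=%d alarm=%d skip=%d info=%d error=%d\n",
                     cnt["ok"], cnt["alarm"], cnt["skip"], cnt["info"], cnt["error"] }
  ' "$1"
}
fail_on_alarm() {  # returns 1 when any control is in alarm (CI gate)
  n=$(summarize_status "$1" | sed 's/.*alarm=\([0-9]*\).*/\1/')
  echo "controls in alarm: $n"; [ "$n" -eq 0 ]
}
# Constructed sample rows shaped like a Steampipe CSV export (columns assumed).
write_sample_csv() {
  cat > "$1" <<'EOF'
group_id,title,control_id,control_title,reason,resource,status,severity
benchmark.cis_v200_1,1 Identity,control.cis_v200_1_1,Ensure MFA,"MFA enabled, all users",/subs/a,ok,high
benchmark.cis_v200_3,3 Storage,control.cis_v200_3_1,Secure transfer,"Secure transfer ""disabled"", fix",/subs/a/stor1,alarm,high
benchmark.cis_v200_3,3 Storage,control.cis_v200_3_1,Secure transfer,"Secure transfer enabled",/subs/a/stor2,ok,high
benchmark.cis_v200_4,4 Database,control.cis_v200_4_1_1,SQL auditing,"Auditing disabled",/subs/a/sql1,alarm,medium
benchmark.cis_v200_5,5 Logging,control.cis_v200_5_1_1,Diagnostic settings,"Manual control, not evaluated",/subs/a,skip,low
EOF
}
if [ "${1:-}" = "--run" ]; then run_cis_benchmark "${2:?mod dir}" "${3:?out csv}"; fail_on_alarm "$3"
else t=$(mktemp); write_sample_csv "$t"; fail_on_alarm "$t" || true; rm -f "$t"; fi
```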

References

By Jon
