
Azure Policies

With Azure Policies, you can use CloudQuery to automatically check compliance and security of Azure-based cloud resources.

$ cloudquery policy run azure
Category
compliance
Version
v0.2.0
License
MPL-2.0

queries_account_locations_without_network_watchers.sql

queries_authorization_custom_roles.sql

queries_authorization_subscriptions_with_less_than_2_owners.sql

queries_authorization_subscriptions_with_more_than_3_owners.sql

queries_batch_resource_logs_in_batch_accounts_should_be_enabled.sql

queries_compute_asc_missingsystemupdates_audit.sql

queries_compute_audit_virtual_machines_without_disaster_recovery_configured.sql

queries_compute_endpoint_protection_solution_should_be_installed_on_virtual_machine_scale_sets.sql

queries_compute_guestconfiguration_windowsloganalyticsagentconnection_aine.sql

queries_compute_internet-facing_virtual_machines_should_be_protected_with_network_security_groups.sql

queries_compute_linux_machines_without_data_collection_agent.sql

queries_compute_machines_without_log_analytics_agent.sql

queries_compute_machines_without_vulnerability_assessment_extension.sql

queries_compute_os_and_data_disks_encrypted_with_cmk.sql

queries_compute_scale_sets_without_log_analytics_agent.sql

queries_compute_unattached_disks_are_encrypted_with_cmk.sql

queries_compute_vhds_not_encrypted.sql

queries_compute_virtual_machine_scale_sets_without_logs.sql

queries_compute_virtual_machines_without_jit_network_access_policy.sql

queries_compute_virtualmachines_antimalwareautoupdate_auditifnotexists.sql

queries_compute_vmantimalwareextension_deploy.sql

queries_compute_vms_no_resource_manager.sql

queries_compute_vms_utilizing_managed_disks.sql

queries_compute_vms_without_approved_networks.sql

queries_compute_windows_machines_without_data_collection_agent.sql

queries_container_aks_rbac_disabled.sql

queries_container_containers_without_virtual_service_endpoint.sql

queries_cosmosdb_cosmos_db_should_use_a_virtual_network_service_endpoint.sql

queries_datalake_datalake_storage_accounts_with_disabled_logging.sql

queries_datalake_not_encrypted_storage_accounts.sql

queries_eventhub_event_hub_should_use_a_virtual_network_service_endpoint.sql

queries_eventhub_namespaces_without_logging.sql

queries_iam_custom_subscription_owner_roles.sql

queries_keyvault_azure_key_vault_managed_hsm_should_have_purge_protection_enabled.sql

queries_keyvault_hsms_without_logging.sql

queries_keyvault_keys_without_expiration_date.sql

queries_keyvault_not_recoverable.sql

queries_keyvault_secrets_without_expiration_date.sql

queries_keyvault_vaults_with_no_service_endpoint.sql

queries_keyvault_vaults_without_logging.sql

queries_logic_app_workflow_logging_enabled.sql

queries_manual.sql

queries_monitor_activitylog_administrativeoperations_audit.sql

queries_monitor_azure_monitor_log_profile_should_collect_logs_for_categories_write_delete_and_action.sql

queries_monitor_azure_monitor_should_collect_activity_logs_from_all_regions.sql

queries_mysql_enforce_ssl_connection_should_be_enabled_for_mysql_database_servers.sql

queries_network_asc_unprotectedendpoints_audit.sql

queries_network_gateway_subnets_should_not_be_configured_with_a_network_security_group.sql

queries_network_networkwatcher_deploy.sql

queries_network_rdp_access_permitted.sql

queries_network_security_groups_with_open_management_ports.sql

queries_network_securtiy_group_flow_log_retention_less_than_90_days.sql

queries_network_sql_database_allow_ingress.sql

queries_network_ssh_access_permitted.sql

queries_network_subnets_without_nsg_associated.sql

queries_network_udp_services_permitted.sql

queries_network_virtualnetworkserviceendpoint_appservice_auditifnotexists.sql

queries_postgresql_enforce_ssl_connection_should_be_enabled_for_postgresql_database_servers.sql

queries_redis_only_secure_connections_to_your_azure_cache_for_redis_should_be_enabled.sql

queries_search_resource_logs_in_search_services_should_be_enabled.sql

queries_security_asc_automatic_provisioning_log_analytics_monitoring_agent.sql

queries_security_auto_provisioning_monitoring_agent_enabled.sql

queries_security_default_policy_disabled.sql

queries_security_defender_on_for_app_service.sql

queries_security_defender_on_for_container_registeries.sql

queries_security_defender_on_for_k8s.sql

queries_security_defender_on_for_key_vault.sql

queries_security_defender_on_for_servers.sql

queries_security_defender_on_for_sql_servers.sql

queries_security_defender_on_for_sql_servers_on_machines.sql

queries_security_defender_on_for_storage.sql

queries_security_deprecated_accounts_with_owner_permissions_should_be_removed_from_your_subscription.sql

queries_security_external_accounts_with_owner_permissions_should_be_removed_from_your_subscription.sql

queries_security_mcas_integration_with_security_center_enabled.sql

queries_security_mfa_should_be_enabled_accounts_with_write_permissions_on_your_subscription.sql

queries_security_mfa_should_be_enabled_on_accounts_with_owner_permissions_on_your_subscription.sql

queries_security_mfa_should_be_enabled_on_accounts_with_read_permissions_on_your_subscription.sql

queries_security_notify_high_severity_alerts.sql

queries_security_security_email_configured.sql

queries_security_wdatp_integration_with_security_center_enabled.sql

queries_servicebus_resource_logs_in_service_bus_should_be_enabled.sql

queries_sql_ad_admin_configured.sql

queries_sql_atp_on_sql_server_disabled.sql

queries_sql_auditing_off.sql

queries_sql_auditing_retention_less_than_90_days.sql

queries_sql_data_encryption_off.sql

queries_sql_long-term_geo-redundant_backup_should_be_enabled_for_azure_sql_databases.sql

queries_sql_managed_instances_without_cmk_at_rest.sql

queries_sql_managed_instances_without_vulnerability_assessments.sql

queries_sql_mariadb_servers_without_geo_redundant_backups.sql

queries_sql_mysql_servers_without_geo_redundant_backups.sql

queries_sql_mysql_ssl_enforcment_disabled.sql

queries_sql_postgresql_allow_access_to_azure_services_enabled.sql

queries_sql_postgresql_connection_throttling_disabled.sql

queries_sql_postgresql_log_checkpoints_disabled.sql

queries_sql_postgresql_log_connections_disabled.sql

queries_sql_postgresql_log_disconnections_disabled.sql

queries_sql_postgresql_log_retention_days_less_than_3_days.sql

queries_sql_postgresql_servers_without_geo_redundant_backups.sql

queries_sql_postgresql_ssl_enforcment_disabled.sql

queries_sql_servers_without_vulnerability_assessments.sql

queries_sql_sql_databases_with_unresolved_vulnerability_findings.sql

queries_sql_sql_servers_with_no_service_endpoint.sql

queries_sql_sqlserver_tde_not_encrypted_with_cmek.sql

queries_sql_sqlserverauditing_audit.sql

queries_sql_va_is_enabled_on_sql_server_by_storage_account.sql

queries_sql_va_periodic_scans_enabled_on_sql_server.sql

queries_sql_va_send_email_to_admins_and_owners_enabled.sql

queries_sql_va_send_scan_report_enabled_on_sql_server.sql

queries_storage_accounts_with_no_service_endpoint_associated.sql

queries_storage_accounts_with_not_restricted_asscess.sql

queries_storage_secure_transfer_to_storage_accounts_should_be_enabled.sql

queries_streamanalytics_resource_logs_in_azure_stream_analytics_should_be_enabled.sql

queries_web_api_app_should_only_be_accessible_over_https.sql

queries_web_app_allow_http.sql

queries_web_app_auth_unset.sql

queries_web_app_client_cert_disabled.sql

queries_web_app_ftp_deployment_enabled.sql

queries_web_app_register_with_ad_disabled.sql

queries_web_app_using_old_tls.sql

queries_web_apps_with_logging_disabled.sql

queries_web_cors_should_not_allow_every_resource_to_access_your_api_app.sql

queries_web_cors_should_not_allow_every_resource_to_access_your_function_apps.sql

queries_web_cors_should_not_allow_every_resource_to_access_your_web_applications.sql

queries_web_function_app_should_only_be_accessible_over_https.sql

queries_web_latest_tls_version_should_be_used_in_your_api_app.sql

queries_web_latest_tls_version_should_be_used_in_your_function_app.sql

queries_web_latest_tls_version_should_be_used_in_your_web_app.sql

queries_web_remote_debugging_should_be_turned_off_for_api_apps.sql

queries_web_remote_debugging_should_be_turned_off_for_function_apps.sql

queries_web_remote_debugging_should_be_turned_off_for_web_applications.sql

queries_web_web_application_should_only_be_accessible_over_https.sql

Query

-- Account locations with no Azure Network Watcher deployed.
-- Anti-join: a location is reported when no row in azure_network_watchers
-- carries the same location name (detected via the watcher's cq_id being NULL
-- on the outer join).
-- NOTE(review): the match is on location name only, not on subscription, so a
-- watcher in a different subscription for the same region satisfies the join;
-- confirm that is the intended scope before relying on this check.
SELECT
    loc.subscription_id,
    loc.id
FROM azure_account_locations AS loc
LEFT JOIN azure_network_watchers AS watcher
    ON watcher.location = loc.name
WHERE watcher.cq_id IS NULL;