Comments (7)
Thanks @fgomesz for raising this issue and providing good context on how the control should work.
We will pick this up shortly and hopefully fix and release it 👍 .
from steampipe-mod-azure-compliance.
'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.'
from steampipe-mod-azure-compliance.
'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.'
from steampipe-mod-azure-compliance.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.
from steampipe-mod-azure-compliance.
@bigdatasourav Is this something we can fix in the plugin, so the azure_kubernetes_cluster
table can return the correct disk encryption information even if Steampipe is not whitelisted?
Else, are we able to detect if we're getting a response as if we're not whitelisted, so we can return the correct result in the query?
from steampipe-mod-azure-compliance.
@cbruno10 @fgomesz In our tests, we get the disk encryption information even if Steampipe is not whitelisted.
Below are the steps we have followed to reproduce the above issue with the latest plugin and compliance version-
- Created a cluster name test-cmk1 with disk-encryption-set and without enforcing the IP whitelist -
> select name, disk_encryption_set_id from azure_kubernetes_cluster where name = 'test-cmk1'
+-----------+--------------------------------------------------------------------------------------------------------------------------------------+
| name | disk_encryption_set_id |
+-----------+--------------------------------------------------------------------------------------------------------------------------------------+
| test-cmk1 | /subscriptions/d46d7416-f95f-4771-454354354/resourceGroups/demo/providers/Microsoft.Compute/diskEncryptionSets/test-cmk-disk |
+-----------+--------------------------------------------------------------------------------------------------------------------------------------+
Control output - (expected)
➜ steampipe-mod-azure-compliance git:(main) steampipe query azure_compliance.query.kubernetes_cluster_os_and_data_disks_encrypted_with_cmk
+---------------------------------------------------------------------------------------------------------------------------------------------+--------+------------------------------------------------------+----------------+-----------------+
| resource | status | reason | resource_group | subscription |
+---------------------------------------------------------------------------------------------------------------------------------------------+--------+------------------------------------------------------+----------------+-----------------+
| /subscriptions/d46d7416-f95f-4771-454354354/resourcegroups/demo/providers/Microsoft.ContainerService/managedClusters/test-cmk1 | ok | test-cmk1 os and data diska encrypted with CMK. | demo | new AAA |
- Created a cluster name test-whitelist with disk-encryption-set and enforced the IP whitelist - (Steampipe is not whitelisted)
> select name, disk_encryption_set_id from azure_kubernetes_cluster where name = 'test-whitelist'
+----------------+--------------------------------------------------------------------------------------------------------------------------------------+
| name | disk_encryption_set_id |
+----------------+--------------------------------------------------------------------------------------------------------------------------------------+
| test-whitelist | /subscriptions/d46d7416-f95f-471-bbb5-529d4c769c/resourceGroups/demo/providers/Microsoft.Compute/diskEncryptionSets/test-cmk-disk |
+----------------+--------------------------------------------------------------------------------------------------------------------------------------+
Control output - (expected)
➜ steampipe-mod-azure-compliance git:(main) steampipe query azure_compliance.query.kubernetes_cluster_os_and_data_disks_encrypted_with_cmk
+---------------------------------------------------------------------------------------------------------------------------------------------+--------+------------------------------------------------------+----------------+-----------------+
| resource | status | reason | resource_group | subscription |
+---------------------------------------------------------------------------------------------------------------------------------------------+--------+------------------------------------------------------+----------------+-----------------+
| /subscriptions/d46d7416-f95f-4771-bbb5-529d4c76659c/resourcegroups/demo/providers/Microsoft.ContainerService/managedClusters/test-whitelist | ok | test-whitelist os and data diska encrypted with CMK. | demo | newwarriors AAA |
+---------------------------------------------------------------------------------------------------------------------------------------------+--------+-----------------------------------
Please let us know if we miss anything.
from steampipe-mod-azure-compliance.
Hey @fgomesz, We are closing this issue because we have not heard from you. Please feel free to reopen the issue if you want to share or discuss anything.
from steampipe-mod-azure-compliance.
Related Issues (20)
- Support for new CIS Microsoft Azure Foundations Benchmark v1.5.0 HOT 1
- Azure Compliance Mod NSG Evaluation HOT 4
- Add Azure PCI DSS 3.2.1 (Built-in Regulatory Compliance )
- Add CIS Microsoft Azure Foundations Benchmark v2.0.0 HOT 3
- Add common and tag dimensions across compliance queries HOT 1
- Missing implementation of CIS 3.14 HOT 1
- Missing implementation of CIS 4.3.7 HOT 2
- Keep consistency in indicating vulnerable resources (3.10)
- Update Benchmark: HIPAA HITRUST 9.2
- Fix query sql_database_allow_internet_access for setting specified endIpAddress
- Ensure that 'Data encryption' is set to 'On' on a SQL query should ignore master database
- control.cis_v200_5_1_3 is returning false negatives HOT 2
- control.cis_v200_5_1_4 is returning false negatives HOT 2
- Update Benchmark: NIST SP 800-53 Revision 5
- Add additional controls to 'Other Compliance Checks'
- Use single query for checking for appservice azure defender enable check
- Fix CIS v2.0.0 5.2.X by replacing alert.location = 'global' & removing additional alert.condition for 'resourceType' HOT 5
- Add/Update monthly controls [Oct 23]
- Handle error null in iam_user_not_allowed_to_create_security_group & iam_user_not_allowed_to_register_application HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from steampipe-mod-azure-compliance.