Resource Type: Azure > Subscription

Controls

The primary controls for Azure > Subscription are:

• CMDB
• Discovery
• Intelligent Assessment
• ServiceNow
• Stack
• Stack [Native]
• Tags

It is also targeted by these controls:

• Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.1 Ensure that a Log Profile exists (Scored)
• Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment (Scored)
• Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.2 Ensure that Activity Log Alert exists for Create or Update Network Security Group (Scored)
• Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.3 Ensure that Activity Log Alert exists for Delete Network Security Group (Scored)
• Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.4 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule (Scored)
• Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.5 Ensure that activity log alert exists for the Delete Network Security Group Rule (Scored)
• Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.6 Ensure that Activity Log Alert exists for Create or Update Security Solution (Scored)
• Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.7 Ensure that Activity Log Alert exists for Delete Security Solution (Scored)
• Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.8 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule (Scored)
• Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.9 Ensure that Activity Log Alert exists for Update Security Policy (Scored)
• Azure > CIS v1 > 6 Networking > 6.05 Ensure that Network Watcher is 'Enabled' (Scored)
• Azure > CIS v1 > 8 Other Security Considerations > 8.03 Ensure that Resource Locks are set for mission critical Azure resources (Not Scored)
• Azure > CIS v1.2 > 8 - Other Security Considerations > 8.03 - Ensure that Resource Locks are set for mission critical Azure resources (Not Scored)
• Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'
• Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights > 5.03.01 - Ensure Application Insights are Configured
• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
• Azure > IAM > Primary Object ID
• Azure > IAM > Role Assignment > Discovery
• Azure > IAM > Role Definition > Discovery
• Azure > Monitor > Log Profile > Discovery
• Azure > Provider > API Management > Discovery
• Azure > Provider > Automation > Discovery
• Azure > Provider > Billing > Discovery
• Azure > Provider > Compute > Discovery
• Azure > Provider > Container Registry > Discovery
• Azure > Provider > Container Service > Discovery
• Azure > Provider > Cost Management > Discovery
• Azure > Provider > Data Factory > Discovery
• Azure > Provider > Data Lake Analytics > Discovery
• Azure > Provider > Databricks > Discovery
• Azure > Provider > DB for MySQL > Discovery
• Azure > Provider > DB for PostgreSQL > Discovery
• Azure > Provider > Document DB > Discovery
• Azure > Provider > Domain Registration > Discovery
• Azure > Provider > Elastic > Discovery
• Azure > Provider > HDInsight > Discovery
• Azure > Provider > Insights > Discovery
• Azure > Provider > Key Vault > Discovery
• Azure > Provider > Managed Identity > Discovery
• Azure > Provider > Network > Discovery
• Azure > Provider > Operational Insights > Discovery
• Azure > Provider > Recovery Services > Discovery
• Azure > Provider > Relay > Discovery
• Azure > Provider > Resources > Discovery
• Azure > Provider > Search > Discovery
• Azure > Provider > Security > Discovery
• Azure > Provider > Service Bus > Discovery
• Azure > Provider > SignalR Service > Discovery
• Azure > Provider > SQL > Discovery
• Azure > Provider > SQL Virtual Machine > Discovery
• Azure > Provider > Storage > Discovery
• Azure > Provider > Synapse > Discovery
• Azure > Provider > Web > Discovery
• Azure > Resource Group > Discovery
• Azure > Security Center > Security Center > Discovery
• Azure > Turbot > Event Handlers
• Azure > Turbot > Event Poller
• Azure > Turbot > IAM
• Azure > Turbot > Resource Group
• ServiceNow > Turbot > Watches > Azure

Quick Actions

• Event Handler
• Event Poller
• Router
• Set Tags

Category

• Cloud > Account

In Your Workspace

• Controls by Resource Type report
• Policy Settings by Resource Type report
• Resources by Resource Type report

Developers

Resource Type URI

tmod:@turbot/azure#/resource/types/subscription

Category URI

tmod:@turbot/turbot#/resource/categories/cloudAccount

GraphQL

query resource(id: "tmod:@turbot/azure#/resource/types/subscription") { … }

query resourceActivities(filter: "resourceId:'tmod:@turbot/azure#/resource/types/subscription'") { … }

mutation createResource(input: { … })

mutation updateResource(input: { … })

CLI

Get Resource

turbot graphql resource --id "tmod:@turbot/azure#/resource/types/subscription"

Steampipe Query

Get Resource

select * from guardrails_resource where resource_type_uri = 'tmod:@turbot/azure#/resource/types/subscription';

Get Policy Settings (By Resource ID)

select * from guardrails_policy_setting where filter = 'resourceTypeId:"tmod:@turbot/azure#/resource/types/subscription"';

Get Resource Notification

select * from guardrails_notification where resource_type_uri = 'tmod:@turbot/azure#/resource/types/subscription' and notification_type in ('resource_updated', 'resource_created');