Resource Type: Azure > Subscription
The Subscription resource type represents a logical container that groups Azure resources, such as virtual machines, databases, and applications, enabling users to manage access, billing, and compliance across all resources within the subscription.
Controls
The primary controls for Azure > Subscription are:
It is also targeted by these controls:
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.1 Ensure that a Log Profile exists (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.2 Ensure that Activity Log Alert exists for Create or Update Network Security Group (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.3 Ensure that Activity Log Alert exists for Delete Network Security Group (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.4 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.5 Ensure that activity log alert exists for the Delete Network Security Group Rule (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.6 Ensure that Activity Log Alert exists for Create or Update Security Solution (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.7 Ensure that Activity Log Alert exists for Delete Security Solution (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.8 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.9 Ensure that Activity Log Alert exists for Update Security Policy (Scored)
- Azure > CIS v1 > 6 Networking > 6.05 Ensure that Network Watcher is 'Enabled' (Scored)
- Azure > CIS v1 > 8 Other Security Considerations > 8.03 Ensure that Resource Locks are set for mission critical Azure resources (Not Scored)
- Azure > CIS v1.2 > 8 - Other Security Considerations > 8.03 - Ensure that Resource Locks are set for mission critical Azure resources (Not Scored)
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'
- Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights > 5.03.01 - Ensure Application Insights are Configured
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- Azure > IAM > Primary Object ID
- Azure > IAM > Role Assignment > Discovery
- Azure > IAM > Role Definition > Discovery
- Azure > Monitor > Log Profile > Discovery
- Azure > Provider > API Management > Discovery
- Azure > Provider > Automation > Discovery
- Azure > Provider > Billing > Discovery
- Azure > Provider > Compute > Discovery
- Azure > Provider > Container Registry > Discovery
- Azure > Provider > Container Service > Discovery
- Azure > Provider > Cost Management > Discovery
- Azure > Provider > Data Factory > Discovery
- Azure > Provider > Data Lake Analytics > Discovery
- Azure > Provider > Databricks > Discovery
- Azure > Provider > DB for MySQL > Discovery
- Azure > Provider > DB for PostgreSQL > Discovery
- Azure > Provider > Document DB > Discovery
- Azure > Provider > Domain Registration > Discovery
- Azure > Provider > Elastic > Discovery
- Azure > Provider > HDInsight > Discovery
- Azure > Provider > Insights > Discovery
- Azure > Provider > Key Vault > Discovery
- Azure > Provider > Managed Identity > Discovery
- Azure > Provider > Network > Discovery
- Azure > Provider > Operational Insights > Discovery
- Azure > Provider > Recovery Services > Discovery
- Azure > Provider > Relay > Discovery
- Azure > Provider > Resources > Discovery
- Azure > Provider > Search > Discovery
- Azure > Provider > Security > Discovery
- Azure > Provider > Service Bus > Discovery
- Azure > Provider > SignalR Service > Discovery
- Azure > Provider > SQL > Discovery
- Azure > Provider > SQL Virtual Machine > Discovery
- Azure > Provider > Storage > Discovery
- Azure > Provider > Synapse > Discovery
- Azure > Provider > Web > Discovery
- Azure > Resource Group > Discovery
- Azure > Security Center > Security Center > Discovery
- Azure > Turbot > Event Handlers
- Azure > Turbot > Event Poller
- Azure > Turbot > IAM
- Azure > Turbot > Resource Group
- ServiceNow > Turbot > Watches > Azure
In Your Workspace
- Controls by Resource Type report
- Policy Settings by Resource Type report
- Resources by Resource Type report
Developers
- Resource Type URI: tmod:@turbot/azure#/resource/types/subscription
- Category URI: tmod:@turbot/turbot#/resource/categories/cloudAccount
- CLI: turbot graphql resource --id "tmod:@turbot/azure#/resource/types/subscription"
- Steampipe Query, Get Resource: select * from guardrails_resource where resource_type_uri = 'tmod:@turbot/azure#/resource/types/subscription';
- Steampipe Query, Get Policy Settings (By Resource ID): select * from guardrails_policy_setting where filter = 'resourceTypeId:"tmod:@turbot/azure#/resource/types/subscription"';
- Steampipe Query, Get Resource Notification: select * from guardrails_notification where resource_type_uri = 'tmod:@turbot/azure#/resource/types/subscription' and notification_type in ('resource_updated', 'resource_created');