Resource Type: Azure > Subscription
The Subscription resource type represents a logical container that groups Azure resources, such as virtual machines, databases, and applications, enabling users to manage access, billing, and compliance across all resources within the subscription.
Controls
The primary controls for Azure > Subscription are:
It is also targeted by these controls:
- Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.1 Ensure that a Log Profile exists (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.2 Ensure that Activity Log Alert exists for Create or Update Network Security Group (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.3 Ensure that Activity Log Alert exists for Delete Network Security Group (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.4 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.5 Ensure that activity log alert exists for the Delete Network Security Group Rule (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.6 Ensure that Activity Log Alert exists for Create or Update Security Solution (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.7 Ensure that Activity Log Alert exists for Delete Security Solution (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.8 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule (Scored)
- Azure > CIS v1 > 5 Logging and Monitoring > 5.2 Monitoring using Activity Log alerts > 5.2.9 Ensure that Activity Log Alert exists for Update Security Policy (Scored)
- Azure > CIS v1 > 6 Networking > 6.05 Ensure that Network Watcher is 'Enabled' (Scored)
- Azure > CIS v1 > 8 Other Security Considerations > 8.03 Ensure that Resource Locks are set for mission critical Azure resources (Not Scored)
- Azure > CIS v1.2 > 8 - Other Security Considerations > 8.03 - Ensure that Resource Locks are set for mission critical Azure resources (Not Scored)
- Azure > CIS v2.0 > 01 - Identity and Access Management > 1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'
- Azure > CIS v2.0 > 04 - Database Services > 4.05 - Cosmos DB > 4.05.03 - Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.01 - Ensure that a 'Diagnostic Setting' exists
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.02 - Ensure Diagnostic Setting captures appropriate categories
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.02 - Monitoring using Activity Log Alerts > 5.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.03 - Configuring Application Insights > 5.03.01 - Ensure Application Insights are Configured
- Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- Azure > CIS v2.0 > 07 - Virtual Machines > 7.01 - Ensure an Azure Bastion Host Exists
- Azure > CIS v3.0 > 02 - Identity > 02.25 - Ensure That 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' Is Set To 'Permit no one'
- Azure > CIS v3.0 > 05 - Database Services > 05.04 - Azure Cosmos DB > 05.04.03 - Use Entra ID Client Authentication and Azure RBAC where possible
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.02 - Ensure Diagnostic Setting captures appropriate categories
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.02 - Monitoring using Activity Log Alerts > 06.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.03 - Configuring Application Insights > 06.03.01 - Ensure Application Insights are Configured
- Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- Azure > CIS v3.0 > 08 - Virtual Machines > 08.01 - Ensure an Azure Bastion Host Exists
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.01 - Microsoft Managed Keys (MMK) > 02.01.01.01.01 - Ensure Critical Data is Encrypted with Microsoft Managed Keys (MMK)
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.01 - Secrets and Keys > 02.01.01 - Encryption Key Management > 02.01.01.02 - Customer Managed Keys (CMK) > 02.01.01.02.01 - Ensure Critical Data is Encrypted with Customer Managed Keys (CMK)
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.01 - Ensure public network access is Disabled
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.01 - Virtual Networks (VNets) > 02.02.01.02 - Ensure Network Access Rules are set to Deny-by-default
- Azure > CIS v4.0 > 02 - Common Reference Recommendations > 02.02 - Networking > 02.02.02 - Private Endpoints > 02.02.02.01 - Ensure Private Endpoints are used to access {service}
- Azure > CIS v4.0 > 04 - Compute Services > 04.01 - Virtual Machines > 04.01.01 - Ensure only MFA enabled identities can access privileged Virtual Machine
- Azure > CIS v4.0 > 06 - Identity Services > 06.25 - Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one'
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.02 - Ensure Diagnostic Setting captures appropriate categories
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.07 - Ensure that virtual network flow logs are captured and sent to Log Analytics
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.08 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Graph activity logs to an appropriate destination
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.09 - Ensure that a Microsoft Entra diagnostic setting exists to send Microsoft Entra activity logs to an appropriate destination
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.10 - Ensure that Intune logs are captured and sent to Log Analytics
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.02 - Monitoring using Activity Log Alerts > 07.01.02.11 - Ensure that Activity Log Alert exists for Service Health
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.03 - Configuring Application Insights > 07.01.03.01 - Ensure Application Insights are Configured
- Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- Azure > CIS v4.0 > 09 - Security Services > 09.04 - Azure Bastion > 09.04.01 - Ensure an Azure Bastion Host Exists
- Azure > CIS v5.0 > 3 - Compute Services > 3.01 - Virtual Machines > 3.01.01 - Ensure only MFA enabled identities can access privileged Virtual Machine
- Azure > CIS v5.0 > 5 - Identity Services > 5.25 - Ensure that 'Subscription leaving Microsoft Entra tenant' and 'Subscription entering Microsoft Entra tenant' is set to 'Permit no one'
- Azure > CIS v5.0 > 5 - Identity Services > 5.27 - Ensure there are between 2 and 3 subscription owners
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.01 - Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.02 - Ensure Diagnostic Setting captures appropriate categories
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.07 - Ensure that virtual network flow logs are captured and sent to Log Analytics
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.10 - Ensure that Intune logs are captured and sent to Log Analytics
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.01 - Ensure that Activity Log Alert exists for Create Policy Assignment
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.02 - Ensure that Activity Log Alert exists for Delete Policy Assignment
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.03 - Ensure that Activity Log Alert exists for Create or Update Network Security Group
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.04 - Ensure that Activity Log Alert exists for Delete Network Security Group
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.05 - Ensure that Activity Log Alert exists for Create or Update Security Solution
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.06 - Ensure that Activity Log Alert exists for Delete Security Solution
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.07 - Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.08 - Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.09 - Ensure that Activity Log Alert exists for Create or Update Public IP Address rule
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.10 - Ensure that Activity Log Alert exists for Delete Public IP Address rule
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.02 - Monitoring using Activity Log Alerts > 6.01.02.11 - Ensure that an Activity Log Alert exists for Service Health
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.03 - Configuring Application Insights > 6.01.03.01 - Ensure Application Insights are Configured
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.04 - Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it
- Azure > CIS v5.0 > 6 - Management and Governance Services > 6.02 - Ensure that Resource Locks are set for Mission-Critical Azure Resources
- Azure > CIS v5.0 > 7 - Networking Services > 7.16 - Ensure Azure Network Security Perimeter is used to secure Azure platform-as-a-service resources
- Azure > CIS v5.0 > 8 - Security Services > 8.04 - Azure Bastion > 8.04.01 - Ensure an Azure Bastion Host Exists
- Azure > IAM > Primary Object ID
- Azure > IAM > Role Assignment > Discovery
- Azure > IAM > Role Definition > Discovery
- Azure > Monitor > Log Profile > Discovery
- Azure > Policy Assignment > Discovery
- Azure > Policy Definition > Discovery
- Azure > Policy Set Definition > Discovery
- Azure > Provider > Alerts Management > Discovery
- Azure > Provider > API Management > Discovery
- Azure > Provider > Automation > Discovery
- Azure > Provider > Billing > Discovery
- Azure > Provider > Bot Service > Discovery
- Azure > Provider > Cognitive Services > Discovery
- Azure > Provider > Compute > Discovery
- Azure > Provider > Container Registry > Discovery
- Azure > Provider > Container Service > Discovery
- Azure > Provider > Cost Management > Discovery
- Azure > Provider > Data Box > Discovery
- Azure > Provider > Data Factory > Discovery
- Azure > Provider > Data Lake Analytics > Discovery
- Azure > Provider > Databricks > Discovery
- Azure > Provider > DB for MySQL > Discovery
- Azure > Provider > DB for PostgreSQL > Discovery
- Azure > Provider > Document DB > Discovery
- Azure > Provider > Domain Registration > Discovery
- Azure > Provider > Elastic > Discovery
- Azure > Provider > HDInsight > Discovery
- Azure > Provider > Insights > Discovery
- Azure > Provider > Key Vault > Discovery
- Azure > Provider > Managed Identity > Discovery
- Azure > Provider > Network > Discovery
- Azure > Provider > Operational Insights > Discovery
- Azure > Provider > Recovery Services > Discovery
- Azure > Provider > Redis > Discovery
- Azure > Provider > Relay > Discovery
- Azure > Provider > Resources > Discovery
- Azure > Provider > Search > Discovery
- Azure > Provider > Security > Discovery
- Azure > Provider > Service Bus > Discovery
- Azure > Provider > SignalR Service > Discovery
- Azure > Provider > SQL > Discovery
- Azure > Provider > SQL Virtual Machine > Discovery
- Azure > Provider > Storage > Discovery
- Azure > Provider > Synapse > Discovery
- Azure > Provider > Virtual Desktop > Discovery
- Azure > Provider > Web > Discovery
- Azure > Resource Group > Discovery
- Azure > Security Center > Security Center > Discovery
- Azure > Turbot > Event Handlers
- Azure > Turbot > Event Handlers [Event Grid]
- Azure > Turbot > Event Poller
- Azure > Turbot > IAM
- Azure > Turbot > Resource Group
- ServiceNow > Turbot > Watches > Azure
Quick Actions
In Your Workspace
- Controls by Resource Type report
- Policy Settings by Resource Type report
- Resources by Resource Type report
Developers
- Resource Type URI: tmod:@turbot/azure#/resource/types/subscription
- Category URI: tmod:@turbot/turbot#/resource/categories/cloudAccount
- CLI: turbot graphql resource --id "tmod:@turbot/azure#/resource/types/subscription"
- Steampipe Query (Get Resource): select * from guardrails_resource where resource_type_uri = 'tmod:@turbot/azure#/resource/types/subscription';
- Steampipe Query (Get Policy Settings by Resource ID): select * from guardrails_policy_setting where filter = 'resourceTypeId:"tmod:@turbot/azure#/resource/types/subscription"';
- Steampipe Query (Get Resource Notification): select * from guardrails_notification where resource_type_uri = 'tmod:@turbot/azure#/resource/types/subscription' and notification_type in ('resource_updated', 'resource_created');