Assess an Azure Subscription

Assess the security and compliance of an Azure subscription with cnspec.

Scan your Azure subscription to find security risks before they become incidents. cnspec evaluates subscription-level settings like storage account encryption, SQL Database auditing policies, network security group rules, Key Vault access controls, and AKS cluster configurations. All you need is your existing Azure CLI credentials.

Prerequisites

To test your Azure environment with cnspec, you must have:

Verify with a quick Azure check

To quickly confirm that cnspec can access your Azure environment, run this check from your terminal:

cnspec run azure -c 'azure.subscription.name != empty'

If cnspec can connect, it returns the subscription name and confirms the check passed:

[ok] value: "my-subscription"

If the command fails, verify that you are logged in with az login.

Scan Azure

To scan your Azure environment:

cnspec scan azure

This scans all subscriptions available under your logged-in account. To scan a specific subscription:

cnspec scan azure --subscription YOUR-SUBSCRIPTION-ID

To examine scan results in detail, add the -o full flag:

cnspec scan azure -o full

Scan using a registered app

You can also scan through an Azure registered app to control which resources cnspec has permission to access. To learn how to register and configure the app, read Continuously Scan with an Azure Integration.

After you register the app, authenticate with a certificate:

cnspec scan azure --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID --certificate-path certificate.combo.pem

Or authenticate with a client secret:

cnspec scan azure --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID --client-secret YOUR-CLIENT-SECRET

Example checks

You can interactively explore and test checks using the cnspec shell. To open a shell connected to your Azure environment:

cnspec shell azure

Below are some example checks you can run from the shell.

Ensure SQL Database auditing is enabled

cnspec> azure.subscription.sql.servers { auditingPolicy['state'] == "Enabled" }
azure.subscription.sql.servers: [
  0: {
    auditingPolicy.state == "Enabled": true
  }
]

Ensure no storage accounts allow public access

cnspec> azure.subscription.storage.accounts { containers { properties['publicAccess'] == "None" } }
azure.subscription.storage.accounts: [
  0: {
    containers: [
      0: {
        properties.publicAccess == "None": true
      }
    ]
  }
]

Ensure network security groups don't allow inbound SSH from the internet

cnspec> azure.subscription.network.securityGroups.all(securityRules.none(destinationPortRange == "22" && access == "Allow" && direction == "Inbound" && sourceAddressPrefix == "*"))
[ok] value: true
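The three shell checks above express their conditions in MQL. As an added example that is not part of the cnspec documentation or the cnspec code base, the same three conditions are written out below in Python over constructed sample resources (shaped loosely like Azure REST responses, not real subscription data), so the logic can be read and tested without a live subscription. It deliberately goes slightly beyond the literal MQL: a rule whose destinationPortRange is a range such as "20-25" or "*" also covers port 22, and the source prefixes "Internet", "0.0.0.0/0" and "::/0" mean the same thing as "*" in an NSG rule, so the example treats all of those as internet-exposed. The resource names and rule names are invented for the sample.

```python
"""Added example (not cnspec code): the three MQL checks above re-expressed
in Python over constructed Azure resource data."""

from typing import Iterable

# Constructed sample resources, shaped loosely like Azure REST/az CLI
# responses. None of these are real subscription data.
SQL_SERVERS = [
    {"name": "sql-prod", "auditingPolicy": {"state": "Enabled"}},
    {"name": "sql-dev", "auditingPolicy": {"state": "Disabled"}},
]

STORAGE_ACCOUNTS = [
    {"name": "stprodlogs", "containers": [
        {"name": "logs", "properties": {"publicAccess": "None"}},
    ]},
    {"name": "stpublicweb", "containers": [
        {"name": "assets", "properties": {"publicAccess": "Blob"}},
        {"name": "private", "properties": {"publicAccess": "None"}},
    ]},
]

NSGS = [
    {"name": "nsg-web", "securityRules": [
        {"name": "allow-https", "access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "*", "destinationPortRange": "443"},
        {"name": "allow-ssh-vpn", "access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "22"},
    ]},
    {"name": "nsg-bastion", "securityRules": [
        # A port range containing 22 from the Internet service tag. The literal
        # destinationPortRange == "22" comparison in the MQL above would not
        # flag this rule; the range-aware check below does.
        {"name": "allow-mgmt", "access": "Allow", "direction": "Inbound",
         "sourceAddressPrefix": "Internet", "destinationPortRange": "20-25"},
    ]},
]

# Source prefixes that mean "any address on the internet" in an NSG rule.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0", "::/0"}


def port_range_contains(port_range: str, port: int) -> bool:
    """True if an NSG port spec ("22", "20-25", "*") covers the given port.

    An empty spec (e.g. a rule that uses destinationPortRanges instead)
    is treated as not matching rather than raising.
    """
    if not port_range:
        return False
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = (int(p) for p in port_range.split("-", 1))
        return low <= port <= high
    return int(port_range) == port


def sql_auditing_disabled(servers: Iterable[dict]) -> list[str]:
    """Names of SQL servers whose auditingPolicy.state is not 'Enabled'."""
    return [s["name"] for s in servers
            if s.get("auditingPolicy", {}).get("state") != "Enabled"]


def public_containers(accounts: Iterable[dict]) -> list[str]:
    """'account/container' for each container whose publicAccess is not 'None'."""
    return [f"{a['name']}/{c['name']}"
            for a in accounts for c in a.get("containers", [])
            if c.get("properties", {}).get("publicAccess") != "None"]


def internet_ssh_rules(nsgs: Iterable[dict], port: int = 22) -> list[str]:
    """'nsg/rule' for each inbound Allow rule exposing the port to the internet."""
    hits = []
    for nsg in nsgs:
        for rule in nsg.get("securityRules", []):
            if (rule.get("access") == "Allow"
                    and rule.get("direction") == "Inbound"
                    and rule.get("sourceAddressPrefix") in INTERNET_SOURCES
                    and port_range_contains(rule.get("destinationPortRange", ""), port)):
                hits.append(f"{nsg['name']}/{rule['name']}")
    return hits


if __name__ == "__main__":
    print("SQL servers without auditing:", sql_auditing_disabled(SQL_SERVERS))
    print("Public containers:", public_containers(STORAGE_ACCOUNTS))
    print("Internet-exposed SSH rules:", internet_ssh_rules(NSGS))
```

Running it reports sql-dev, stpublicweb/assets and nsg-bastion/allow-mgmt. The last finding is the one worth noting when adapting the MQL from the shell session: the check above compares destinationPortRange and sourceAddressPrefix against the literal strings "22" and "*", so a rule written as a port range, with "*" for the port, or with the Internet service tag would pass it. If you turn that shell check into a policy, widen the comparison the same way this example does, and remember that rules using the plural destinationPortRanges and sourceAddressPrefixes fields need to be inspected as well.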
