
Assess an Azure Subscription

Assess the security and compliance of an Azure subscription with cnspec.

Scan your Azure subscription to find security risks before they become incidents. cnspec evaluates subscription-level settings like storage account encryption, SQL Database auditing policies, network security group rules, Key Vault access controls, and AKS cluster configurations. All you need is your existing Azure CLI credentials.

Prerequisites

To test your Azure environment with cnspec, you must have:

Verify with a quick Azure check

To quickly confirm that cnspec can access your Azure environment, run this check from your terminal:

cnspec run azure -c 'azure.subscription.name != empty'

If cnspec can connect, it returns the subscription name and confirms the check passed:

[ok] value: "my-subscription"

If the command fails, verify that you are logged in (run az login) and that the active subscription is the one you expect (run az account show).

Scan Azure

To scan your Azure environment:

cnspec scan azure

This scans all subscriptions available under your logged-in account. To scan a specific subscription:

cnspec scan azure --subscription YOUR-SUBSCRIPTION-ID

To examine scan results in detail, add the -o full flag:

cnspec scan azure -o full

Scan using a registered app

You can also scan through an Azure registered app to control which resources cnspec has permission to access. To learn how to register and configure the app, read Continuously Scan with an Azure Integration.

After you register the app, authenticate with a certificate:

cnspec scan azure --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID --certificate-path certificate.combo.pem

Or authenticate with a client secret. A secret passed on the command line is recorded in your shell history and is visible in process listings while the scan runs, so prefer the certificate option where you can:

cnspec scan azure --tenant-id YOUR-TENANT-ID --client-id YOUR-CLIENT-ID --client-secret YOUR-CLIENT-SECRET

Explore and test checks interactively

Open a cnspec shell to discover resources and test checks:

cnspec shell azure

List storage accounts

cnspec> azure.subscription.storage.accounts { id type properties }

Filter storage accounts by kind

cnspec> azure.subscription.storage.accounts.where(kind == "BlobStorage") { id name type }

Get full details for any resource

cnspec> azure.subscription.storage.accounts { * }

Example security checks

Ensure SQL Database auditing is enabled

cnspec> azure.subscription.sql.servers { auditingPolicy['state'] == "Enabled" }
azure.subscription.sql.servers: [
  0: {
    auditingPolicy.state == "Enabled": true
  }
]

Ensure no storage accounts allow public access

cnspec> azure.subscription.storage.accounts { containers { properties['publicAccess'] == "None" } }
azure.subscription.storage.accounts: [
  0: {
    containers: [
      0: {
        properties.publicAccess == "None": true
      }
    ]
  }
]

Ensure network security groups don't allow inbound SSH from the internet

cnspec> azure.subscription.network.securityGroups.all(securityRules.none(destinationPortRange == "22" && access == "Allow" && direction == "Inbound" && sourceAddressPrefix == "*"))
[ok] value: true

This check only matches rules whose source is "*". Azure also expresses an any-source rule as "0.0.0.0/0" or the Internet service tag, and a wildcard ("*") or multi-port destination range exposes port 22 just as well, so extend the conditions to cover those forms before relying on the result.
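The shell one-liners above are handy for exploration, but the first two project the condition into each resource and print a per-resource true/false rather than a single verdict. To run the same checks repeatedly, wrap each condition in .all() (and .none() where a rule must be absent) and put them in a policy bundle that cnspec scan azure -f can load. The bundle below is an added example and is not part of the cnspec documentation or Mondoo's published policies; the policy and check uids, names, impact scores and the asset.platform == "azure" group filter are assumptions, and the SSH check is broadened beyond the page's one-liner to also match "0.0.0.0/0" and "Internet" sources and a wildcard destination port range.

```yaml
# azure-baseline.mql.yaml
# Added example policy bundle (not from the cnspec docs or the Mondoo project).
# It rewrites the three interactive checks from this page with .all()/.none()
# so each yields a single pass/fail result, then runs them as a policy:
#   cnspec scan azure -f azure-baseline.mql.yaml
# The uids, names, impact scores and the group filter are illustrative assumptions.
policies:
  - uid: example-azure-baseline
    name: Example Azure subscription baseline
    version: "1.0.0"
    groups:
      - title: Subscription-level checks
        # Assumed filter: only evaluate this group against Azure assets.
        filters: asset.platform == "azure"
        checks:
          - uid: example-azure-sql-auditing-enabled
            title: Ensure SQL Database auditing is enabled
            impact: 80
            mql: |
              azure.subscription.sql.servers.all(
                auditingPolicy['state'] == "Enabled"
              )
          - uid: example-azure-storage-no-public-containers
            title: Ensure no storage containers allow public access
            impact: 90
            mql: |
              azure.subscription.storage.accounts.all(
                containers.all(properties['publicAccess'] == "None")
              )
          - uid: example-azure-nsg-no-inbound-ssh-from-internet
            title: Ensure network security groups don't allow inbound SSH from the internet
            impact: 90
            # Broader than the shell one-liner: Azure expresses "any source" as
            # "*", "0.0.0.0/0" or the Internet service tag, and a wildcard
            # destination port range also exposes port 22.
            mql: |
              azure.subscription.network.securityGroups.all(
                securityRules.none(
                  access == "Allow" &&
                  direction == "Inbound" &&
                  (destinationPortRange == "22" || destinationPortRange == "*") &&
                  (sourceAddressPrefix == "*" || sourceAddressPrefix == "0.0.0.0/0" || sourceAddressPrefix == "Internet")
                )
              )
```

Run it with cnspec scan azure -f azure-baseline.mql.yaml, adding --subscription or the registered-app flags from above as needed; each check then reports pass or fail per subscription in the scan output, and a failing storage or NSG check points at the specific resource so you can fix it rather than scroll a per-resource table.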
