Table: azure_key_vault
Azure Key Vault is a cloud service used to manage keys, secrets, and certificates.
Examples
List of key vaults where soft deletion is not enabled
```sql
select
  name,
  id,
  soft_delete_enabled,
  soft_delete_retention_in_days
from
  azure_key_vault
where
  not soft_delete_enabled;
```
List of key vaults where soft deletion retention period is less than 30 days
```sql
select
  name,
  id,
  soft_delete_enabled,
  soft_delete_retention_in_days
from
  azure_key_vault
where
  soft_delete_retention_in_days < 30;
```
Key vaults access information
```sql
select
  name,
  id,
  enabled_for_deployment,
  enabled_for_disk_encryption,
  enabled_for_template_deployment
from
  azure_key_vault;
```
List of premium category key vaults
```sql
select
  name,
  id,
  sku_name,
  sku_family
from
  azure_key_vault
where
  sku_name = 'Premium';
```
Key vaults access policies details for certificates, keys and secrets
```sql
select
  name,
  policy -> 'permissionsCertificates' as certificates_permissions,
  policy -> 'permissionsKeys' as keys_permissions,
  policy -> 'permissionsSecrets' as secrets_permissions
from
  azure_key_vault,
  jsonb_array_elements(access_policies) as policy;
```
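Listing the raw permission arrays is a starting point; what a reviewer usually needs is the set of principals that hold destructive or catch-all data-plane rights through legacy access policies on vaults that still rely on them. The query below is an added example, not part of the Steampipe documentation or plugin. It assumes each `access_policies` entry carries `objectId`, `tenantId`, `applicationId` and the `permissionsKeys` / `permissionsSecrets` / `permissionsCertificates` arrays used in the example above, and it lowercases permission values because the ARM API returns them as they were stored (`Get` and `get` both occur in practice). Vaults with `enable_rbac_authorization` set are excluded, since Azure ignores access policies once RBAC authorization is on.

```sql
-- Added example (not from the Steampipe docs): principals granted
-- destructive or catch-all rights via legacy access policies.
-- Assumed JSON keys: objectId, applicationId, permissionsKeys,
-- permissionsSecrets, permissionsCertificates.
with grants as (
  select
    v.name as vault_name,
    v.subscription_id,
    coalesce(v.enable_rbac_authorization, false) as rbac_enabled,
    policy ->> 'objectId' as principal_object_id,
    policy ->> 'applicationId' as application_id,
    p.scope,
    lower(perm) as permission
  from
    azure_key_vault as v,
    jsonb_array_elements(v.access_policies) as policy,
    -- one row per permission scope so keys/secrets/certificates share one code path
    lateral (values
      ('keys', policy -> 'permissionsKeys'),
      ('secrets', policy -> 'permissionsSecrets'),
      ('certificates', policy -> 'permissionsCertificates')
    ) as p(scope, perms),
    -- a scope with no grant is omitted from the JSON, hence the coalesce
    jsonb_array_elements_text(coalesce(p.perms, '[]'::jsonb)) as perm
)
select
  vault_name,
  subscription_id,
  principal_object_id,
  application_id,
  scope,
  array_agg(permission order by permission) as risky_permissions
from
  grants
where
  not rbac_enabled  -- access policies are ignored once RBAC authorization is on
  and permission in ('all', 'purge', 'delete', 'backup', 'restore', 'recover')
group by
  vault_name, subscription_id, principal_object_id, application_id, scope
order by
  vault_name, principal_object_id, scope;
```

`all` is flagged because it silently includes every operation added to the API later; `backup` and `restore` are included because a backup blob can be restored into another vault in the same subscription and geography, which is an exfiltration path that does not show up as a `get`.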
List vaults with AuditEvent logging enabled and archived to a storage account (logs sent only to a Log Analytics workspace or event hub are not matched by this query)
```sql
select
  name,
  setting -> 'properties' ->> 'storageAccountId' storage_account_id,
  log ->> 'category' category,
  log -> 'retentionPolicy' ->> 'days' log_retention_days
from
  azure_key_vault,
  jsonb_array_elements(diagnostic_settings) setting,
  jsonb_array_elements(setting -> 'properties' -> 'logs') log
where
  diagnostic_settings is not null
  and setting -> 'properties' ->> 'storageAccountId' <> ''
  and (log ->> 'enabled') :: boolean
  and log ->> 'category' = 'AuditEvent'
  and (log -> 'retentionPolicy' ->> 'days') :: integer > 0;
```
Query examples
- azure_key_vault_private_link_enabled_count
- compute_disk_encryption_details
- compute_disk_encryption_set_details
- key_vault_access_policies
- key_vault_by_region
- key_vault_by_sku
- key_vault_by_subscription
- key_vault_count
- key_vault_keys_for_key_vault
- key_vault_keys_for_storage_account
- key_vault_network_acls
- key_vault_public_network_access_enabled
- key_vault_public_network_access_enabled_count
- key_vault_purge_protection_enabled_count
- key_vault_sku
- key_vault_soft_delete_enabled_count
- key_vault_soft_delete_retention_in_days
- key_vault_tags
- key_vault_usage
- key_vault_vaults_for_compute_disk
- key_vault_vaults_for_compute_snapshot
- key_vault_vaults_for_key_vault_key
- key_vault_vaults_for_sql_server
- key_vault_vaults_for_storage_account
- network_subnets_for_key_vault
- network_virtual_networks_for_key_vault
Control examples
- key_vault_expected_tag_values
- key_vault_mandatory
- key_vault_prohibited
- key_vault_tag_limit
- key_vault_untagged
- eventhub_namespaces_for_key_vault_key
- key_vault_by_public_network_access_status
- key_vault_by_purge_protection_status
- key_vault_by_resource_group
- key_vault_by_soft_delete_status
- key_vault_input
- key_vault_key_age_table
- key_vault_overview
- key_vault_purge_protection_status
- key_vault_soft_delete_status
- servicebus_namespaces_for_key_vault_key
- keyvault_logging_enabled
- keyvault_purge_protection_enabled
- keyvault_rbac_enabled
- keyvault_soft_delete_enabled
- keyvault_vault_private_link_used
- keyvault_vault_public_network_access_disabled
- keyvault_vault_recoverable
- keyvault_vault_use_virtual_service_endpoint
- keyvault_with_non_rbac_key_expiration_set
- keyvault_with_non_rbac_secret_expiration_set
- keyvault_with_rbac_key_expiration_set
- keyvault_with_rbac_secret_expiration_set
.inspect azure_key_vault
Azure Key Vault
Name | Type | Description |
---|---|---|
_ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. |
access_policies | jsonb | A list of 0 to 1024 identities that have access to the key vault through vault access policies. Ignored when enable_rbac_authorization is true. |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. |
cloud_environment | text | The Azure Cloud Environment. |
create_mode | text | The vault's create mode to indicate whether the vault need to be recovered or not. Possible values include: 'default', 'recover'. |
diagnostic_settings | jsonb | A list of active diagnostic settings for the vault. |
enable_rbac_authorization | boolean | Controls how data-plane actions are authorized. When true, Azure RBAC role assignments govern access to keys, secrets and certificates and the access_policies list is ignored; when false, the vault access policies apply. |
enabled_for_deployment | boolean | Indicates whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. |
enabled_for_disk_encryption | boolean | Indicates whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. |
enabled_for_template_deployment | boolean | Indicates whether Azure Resource Manager is permitted to retrieve secrets from the key vault. |
id | text | Contains ID to identify a vault uniquely. |
name | text | The friendly name that identifies the vault. |
network_acls | jsonb | Rules governing the accessibility of the key vault from specific network locations. |
private_endpoint_connections | jsonb | List of private endpoint connections associated with the key vault. |
purge_protection_enabled | boolean | Indicates whether purge protection is enabled for this vault. When true, a soft-deleted vault or object cannot be purged until the retention period has elapsed, and the setting cannot be turned off again. |
region | text | The Azure region/location in which the resource is located. |
resource_group | text | The resource group which holds this resource. |
sku_family | text | Contains SKU family name. |
sku_name | text | SKU name to specify whether the key vault is a standard vault or a premium vault. |
soft_delete_enabled | boolean | Indicates whether the 'soft delete' functionality is enabled for this key vault. |
soft_delete_retention_in_days | bigint | Number of days a soft-deleted vault or object is retained before permanent deletion (7 to 90). |
subscription_id | text | The Azure Subscription ID in which the resource is located. |
tags | jsonb | A map of tags for the resource. |
tenant_id | text | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. |
title | text | Title of the resource. |
type | text | Type of the resource. |
vault_uri | text | Contains URI of the vault for performing operations on keys and secrets. |