turbot/azure

steampipe plugin install azure

Table: azure_key_vault

Azure Key Vault is a cloud service used to manage keys, secrets, and certificates.

Examples

List of key vaults where soft deletion is not enabled

select
name,
id,
soft_delete_enabled,
soft_delete_retention_in_days
from
azure_key_vault
where
not soft_delete_enabled;

List of key vaults where the soft deletion retention period is less than 30 days

select
name,
id,
soft_delete_enabled,
soft_delete_retention_in_days
from
azure_key_vault
where
soft_delete_retention_in_days < 30;

Key vault access information

select
name,
id,
enabled_for_deployment,
enabled_for_disk_encryption,
enabled_for_template_deployment
from
azure_key_vault;

List of premium category key vaults

select
name,
id,
sku_name,
sku_family
from
azure_key_vault
where
sku_name = 'Premium';

Key vault access policy details for certificates, keys and secrets

select
name,
policy -> 'permissionsCertificates' as certificates_permissions,
policy -> 'permissionsKeys' as keys_permissions,
policy -> 'permissionsSecrets' as secrets_permissions
from
azure_key_vault,
jsonb_array_elements(access_policies) as policy;

List vaults with logging enabled

select
name,
setting -> 'properties' ->> 'storageAccountId' storage_account_id,
log ->> 'category' category,
log -> 'retentionPolicy' ->> 'days' log_retention_days
from
azure_key_vault,
jsonb_array_elements(diagnostic_settings) setting,
jsonb_array_elements(setting -> 'properties' -> 'logs') log
where
diagnostic_settings is not null
and setting -> 'properties' ->> 'storageAccountId' <> ''
and (log ->> 'enabled')::boolean
and log ->> 'category' = 'AuditEvent'
and (log -> 'retentionPolicy' ->> 'days')::integer > 0;
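The queries above each check one setting at a time. The following added example (not part of the Steampipe documentation) reports the main hardening settings of every vault side by side, so a reviewer can read posture across a subscription in one result set. It uses only the columns documented below; it assumes that network_acls exposes Azure's defaultAction key (Allow or Deny) as returned by the Azure API.

```sql
-- Added example: one-row-per-vault posture report built from the
-- azure_key_vault columns. Values are 'ok', 'alarm' or 'info' so the
-- output can be filtered like a Steampipe control.
-- Assumption: network_acls carries Azure's 'defaultAction' key.
select
  name,
  subscription_id,
  resource_group,
  region,
  -- Soft delete and purge protection guard against destructive deletion
  case when soft_delete_enabled then 'ok' else 'alarm' end as soft_delete,
  case when purge_protection_enabled then 'ok' else 'alarm' end as purge_protection,
  -- RBAC data-plane authorization instead of vault access policies
  case when enable_rbac_authorization then 'ok' else 'info' end as rbac_authorization,
  -- Network ACLs should deny by default; null means no firewall at all
  case
    when network_acls ->> 'defaultAction' = 'Deny' then 'ok'
    else 'alarm'
  end as network_default_deny,
  -- At least one private endpoint attached to the vault
  case
    when jsonb_array_length(coalesce(private_endpoint_connections, '[]'::jsonb)) > 0
      then 'ok'
    else 'info'
  end as private_endpoint,
  -- AuditEvent logging enabled in any diagnostic setting (same JSON
  -- shape the logging example above walks through)
  exists (
    select 1
    from
      jsonb_array_elements(coalesce(diagnostic_settings, '[]'::jsonb)) setting,
      jsonb_array_elements(setting -> 'properties' -> 'logs') log
    where
      log ->> 'category' = 'AuditEvent'
      and (log ->> 'enabled')::boolean
  ) as audit_logging_enabled
from
  azure_key_vault
order by
  subscription_id,
  resource_group,
  name;
```

To list only vaults that fail a check, wrap the query as a subselect and filter on the columns whose value is 'alarm' or where audit_logging_enabled is false.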


.inspect azure_key_vault

Azure Key Vault

Name | Type | Description
--- | --- | ---
_ctx | jsonb | Steampipe context in JSON form, e.g. connection_name.
access_policies | jsonb | A list of 0 to 1024 identities that have access to the key vault.
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource.
cloud_environment | text | The Azure Cloud Environment.
create_mode | text | The vault's create mode, indicating whether the vault needs to be recovered or not. Possible values include: 'default', 'recover'.
diagnostic_settings | jsonb | A list of active diagnostic settings for the vault.
enable_rbac_authorization | boolean | Property that controls how data actions are authorized.
enabled_for_deployment | boolean | Indicates whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
enabled_for_disk_encryption | boolean | Indicates whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
enabled_for_template_deployment | boolean | Indicates whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
id | text | The ID that uniquely identifies the vault.
name | text | The friendly name that identifies the vault.
network_acls | jsonb | Rules governing the accessibility of the key vault from specific network locations.
private_endpoint_connections | jsonb | List of private endpoint connections associated with the key vault.
purge_protection_enabled | boolean | Indicates whether protection against purge is enabled for this vault.
region | text | The Azure region/location in which the resource is located.
resource_group | text | The resource group which holds this resource.
sku_family | text | The SKU family name.
sku_name | text | SKU name specifying whether the key vault is a standard vault or a premium vault.
soft_delete_enabled | boolean | Indicates whether the 'soft delete' functionality is enabled for this key vault.
soft_delete_retention_in_days | bigint | The soft-delete data retention period in days.
subscription_id | text | The Azure Subscription ID in which the resource is located.
tags | jsonb | A map of tags for the resource.
tenant_id | text | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
title | text | Title of the resource.
type | text | Type of the resource.
vault_uri | text | The URI of the vault for performing operations on keys and secrets.