Table: azure_key_vault - Query Azure Key Vaults using SQL
Azure Key Vault is a service within Microsoft Azure that safeguards cryptographic keys and other secrets used by cloud apps and services. It allows you to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets. Azure Key Vault simplifies the process of meeting the compliance needs for managing, protecting, and controlling access to sensitive business information.
Table Usage Guide
The azure_key_vault table provides insights into the keys, secrets, and certificates stored within Azure Key Vaults. As a security administrator, explore vault-specific details through this table, including enabled status, recovery level, and associated metadata. Utilize it to uncover information about vaults, such as the access policies, tenant details, and the verification of enabled network rules.
Examples
List of key vaults where soft deletion is not enabled
Identify key vaults in Azure that are potentially vulnerable because the soft deletion feature is not enabled. A deleted vault without soft delete cannot be recovered, so this query pinpoints where data protection can be improved.

PostgreSQL:

```sql
select
  name,
  id,
  soft_delete_enabled,
  soft_delete_retention_in_days
from
  azure_key_vault
where
  not soft_delete_enabled;
```

SQLite:

```sql
select
  name,
  id,
  soft_delete_enabled,
  soft_delete_retention_in_days
from
  azure_key_vault
where
  soft_delete_enabled = 0;
```
List of key vaults where soft deletion retention period is less than 30 days
Find key vaults whose soft deletion retention period is shorter than 30 days. Use this query to identify vaults where the data retention policy may need to be strengthened.

PostgreSQL and SQLite:

```sql
select
  name,
  id,
  soft_delete_enabled,
  soft_delete_retention_in_days
from
  azure_key_vault
where
  soft_delete_retention_in_days < 30;
```
Key vaults access information
Assess how your Azure Key Vaults are used by checking whether each is enabled for virtual machine deployment, disk encryption, or Resource Manager template deployment. Each of these flags lets an Azure service read secrets from the vault, so the result gives a comprehensive view of which platform integrations can reach each vault.

PostgreSQL and SQLite:

```sql
select
  name,
  id,
  enabled_for_deployment,
  enabled_for_disk_encryption,
  enabled_for_template_deployment
from
  azure_key_vault;
```
List of premium category key vaults
List the premium SKU key vaults in your Azure environment. Premium vaults back keys with hardware security modules, so this is useful for keeping track of high-security vaults and ensuring they are used appropriately.

PostgreSQL and SQLite:

```sql
select
  name,
  id,
  sku_name,
  sku_family
from
  azure_key_vault
where
  sku_name = 'Premium';
```
Key vaults access policies details for certificates, keys and secrets
Expand the access policies of each Azure Key Vault into the permissions granted on certificates, keys, and secrets. This query shows the permission structure within your Key Vaults, which helps identify over-privileged identities.

PostgreSQL:

```sql
select
  name,
  policy -> 'permissionsCertificates' as certificates_permissions,
  policy -> 'permissionsKeys' as keys_permissions,
  policy -> 'permissionsSecrets' as secrets_permissions
from
  azure_key_vault,
  jsonb_array_elements(access_policies) as policy;
```

SQLite:

```sql
select
  name,
  json_extract(policy.value, '$.permissionsCertificates') as certificates_permissions,
  json_extract(policy.value, '$.permissionsKeys') as keys_permissions,
  json_extract(policy.value, '$.permissionsSecrets') as secrets_permissions
from
  azure_key_vault,
  json_each(access_policies) as policy;
```
List vaults with logging enabled
List the Azure Key Vaults that have AuditEvent logging enabled and shipped to a storage account with a retention period. This helps verify compliance with security policies and regulations by identifying vaults that are actively recording and retaining audit events.

PostgreSQL:

```sql
select
  name,
  setting -> 'properties' ->> 'storageAccountId' storage_account_id,
  log ->> 'category' category,
  log -> 'retentionPolicy' ->> 'days' log_retention_days
from
  azure_key_vault,
  jsonb_array_elements(diagnostic_settings) setting,
  jsonb_array_elements(setting -> 'properties' -> 'logs') log
where
  diagnostic_settings is not null
  and setting -> 'properties' ->> 'storageAccountId' <> ''
  and (log ->> 'enabled') :: boolean
  and log ->> 'category' = 'AuditEvent'
  and (log -> 'retentionPolicy' ->> 'days') :: integer > 0;
```

SQLite:

```sql
select
  name,
  json_extract(setting.value, '$.properties.storageAccountId') storage_account_id,
  json_extract(log.value, '$.category') category,
  json_extract(log.value, '$.retentionPolicy.days') log_retention_days
from
  azure_key_vault,
  json_each(diagnostic_settings) as setting,
  json_each(json_extract(setting.value, '$.properties.logs')) as log
where
  diagnostic_settings is not null
  and json_extract(setting.value, '$.properties.storageAccountId') <> ''
  and json_extract(log.value, '$.enabled') = 1
  and json_extract(log.value, '$.category') = 'AuditEvent'
  and json_extract(log.value, '$.retentionPolicy.days') > 0;
```
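As an added example that is not from the Steampipe docs or the Azure plugin, the following PostgreSQL query rolls the checks above and several of the controls listed below (soft delete, purge protection, RBAC, public network access, audit logging) into one per-vault posture report. It assumes network_acls holds the Azure NetworkRuleSet shape, so network_acls ->> 'defaultAction' is 'Allow' or 'Deny', and treats a missing ruleset as 'Allow', Azure's default:

```sql
-- Added example: one posture query over azure_key_vault that lists, per vault,
-- every hardening check it fails. PostgreSQL syntax only.
-- Assumption: network_acls ->> 'defaultAction' is 'Allow' or 'Deny'
-- (Azure NetworkRuleSet); a vault with no ruleset is reachable publicly.
with audit_logging as (
  -- vaults with at least one enabled AuditEvent log in any diagnostic setting;
  -- jsonb_array_elements(null) yields no rows, so vaults without settings drop out
  select distinct v.id
  from azure_key_vault v,
       jsonb_array_elements(v.diagnostic_settings) setting,
       jsonb_array_elements(setting -> 'properties' -> 'logs') log
  where (log ->> 'enabled') :: boolean
    and log ->> 'category' = 'AuditEvent'
),
findings as (
  select
    v.name,
    v.resource_group,
    v.subscription_id,
    -- each case yields a finding label or null; nulls are stripped afterwards
    array_remove(array[
      case when not v.soft_delete_enabled
           then 'soft delete disabled' end,
      case when not v.purge_protection_enabled
           then 'purge protection disabled' end,
      case when v.soft_delete_retention_in_days < 30
           then 'soft delete retention below 30 days' end,
      case when not v.enable_rbac_authorization
           then 'access policies used instead of RBAC' end,
      case when coalesce(v.network_acls ->> 'defaultAction', 'Allow') <> 'Deny'
           then 'public network access allowed' end,
      case when a.id is null
           then 'AuditEvent logging not enabled' end
    ], null) as failed_checks
  from azure_key_vault v
  left join audit_logging a on a.id = v.id
)
select name, resource_group, subscription_id, failed_checks
from findings
where cardinality(failed_checks) > 0
order by cardinality(failed_checks) desc, name;
```

Vaults that pass every check are omitted; the ones with the most findings sort first, which makes the result a direct remediation worklist.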
Query examples
- azure_key_vault_private_link_enabled_count
- compute_disk_encryption_details
- compute_disk_encryption_set_details
- key_vault_access_policies
- key_vault_by_region
- key_vault_by_sku
- key_vault_by_subscription
- key_vault_count
- key_vault_keys_for_key_vault
- key_vault_keys_for_storage_account
- key_vault_network_acls
- key_vault_public_network_access_enabled
- key_vault_public_network_access_enabled_count
- key_vault_purge_protection_enabled_count
- key_vault_sku
- key_vault_soft_delete_enabled_count
- key_vault_soft_delete_retention_in_days
- key_vault_tags
- key_vault_usage
- key_vault_vaults_for_compute_disk
- key_vault_vaults_for_compute_snapshot
- key_vault_vaults_for_key_vault_key
- key_vault_vaults_for_sql_server
- key_vault_vaults_for_storage_account
- network_subnets_for_key_vault
- network_virtual_networks_for_key_vault
Control examples
- All Controls > Key Vault > Azure Key Vault should disable public network access
- All Controls > Key Vault > Enable Role Based Access Control for Azure Key Vault
- All Controls > Key Vault > Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- All Controls > Key Vault > Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- All Controls > Key Vault > Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- All Controls > Key Vault > Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- All Controls > Key Vault > Ensure the key vault is recoverable
- Azure Key Vault should have firewall enabled
- Azure Key Vaults should use private link
- CIS v1.3.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'
- CIS v1.3.0 > 8 Other Security Considerations > 8.4 Ensure the key vault is recoverable
- CIS v1.3.0 > 8 Other Security Considerations > 8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services
- CIS v1.4.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'
- CIS v1.4.0 > 8 Other Security Considerations > 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- CIS v1.4.0 > 8 Other Security Considerations > 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- CIS v1.4.0 > 8 Other Security Considerations > 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- CIS v1.4.0 > 8 Other Security Considerations > 8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- CIS v1.4.0 > 8 Other Security Considerations > 8.6 Ensure the key vault is recoverable
- CIS v1.4.0 > 8 Other Security Considerations > 8.7 Enable role-based access control (RBAC) within Azure Kubernetes Services
- CIS v1.5.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'
- CIS v1.5.0 > 8 Other Security Considerations > 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- CIS v1.5.0 > 8 Other Security Considerations > 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- CIS v1.5.0 > 8 Other Security Considerations > 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- CIS v1.5.0 > 8 Other Security Considerations > 8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- CIS v1.5.0 > 8 Other Security Considerations > 8.5 Ensure the key vault is recoverable
- CIS v1.5.0 > 8 Other Security Considerations > 8.6 Enable Role Based Access Control for Azure Key Vault
- CIS v1.5.0 > 8 Other Security Considerations > 8.7 Ensure that Private Endpoints are Used for Azure Key Vault
- CIS v2.0.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.5 Ensure that logging for Azure Key Vault is 'Enabled'
- CIS v2.0.0 > 8 Key Vault > 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- CIS v2.0.0 > 8 Key Vault > 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- CIS v2.0.0 > 8 Key Vault > 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- CIS v2.0.0 > 8 Key Vault > 8.4 Ensure that the Expiration Date is set for all Secrets in Non- RBAC Key Vaults
- CIS v2.0.0 > 8 Key Vault > 8.5 Ensure the Key Vault is Recoverable
- CIS v2.0.0 > 8 Key Vault > 8.6 Enable Role Based Access Control for Azure Key Vault
- CIS v2.0.0 > 8 Key Vault > 8.7 Ensure that Private Endpoints are Used for Azure Key Vault
- CIS v2.1.0 > 5 Logging and Monitoring > 5.1 Configuring Diagnostic Settings > 5.1.4 Ensure that logging for Azure Key Vault is 'Enabled'
- CIS v2.1.0 > 8 Key Vault > 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- CIS v2.1.0 > 8 Key Vault > 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- CIS v2.1.0 > 8 Key Vault > 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- CIS v2.1.0 > 8 Key Vault > 8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- CIS v2.1.0 > 8 Key Vault > 8.5 Ensure the Key Vault is Recoverable
- CIS v2.1.0 > 8 Key Vault > 8.6 Enable Role Based Access Control for Azure Key Vault
- CIS v2.1.0 > 8 Key Vault > 8.7 Ensure that Private Endpoints are Used for Azure Key Vault
- CIS v3.0.0 > 3 Security > 3.3 Key Vault > 3.3.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- CIS v3.0.0 > 3 Security > 3.3 Key Vault > 3.3.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- CIS v3.0.0 > 3 Security > 3.3 Key Vault > 3.3.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- CIS v3.0.0 > 3 Security > 3.3 Key Vault > 3.3.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- CIS v3.0.0 > 3 Security > 3.3 Key Vault > 3.3.5 Ensure the Key Vault is Recoverable
- CIS v3.0.0 > 3 Security > 3.3 Key Vault > 3.3.6 Enable Role Based Access Control for Azure Key Vault
- CIS v3.0.0 > 3 Security > 3.3 Key Vault > 3.3.7 Ensure that Private Endpoints are Used for Azure Key Vault
- CIS v3.0.0 > 6 Logging and Monitoring > 6.1 Configuring Diagnostic Settings > 6.1.4 Ensure that logging for Azure Key Vault is 'Enabled'
- Key Vault should use a virtual network service endpoint
- Key vaults should have deletion protection enabled
- Key vaults should have soft delete enabled
- Resource logs in Key Vault should be enabled
Schema for azure_key_vault
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
access_policies | jsonb | | A list of 0 to 1024 identities that have access to the key vault. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
cloud_environment | text | | The Azure Cloud Environment. |
create_mode | text | | The vault's create mode, indicating whether the vault needs to be recovered or not. Possible values include: 'default', 'recover'. |
diagnostic_settings | jsonb | | A list of active diagnostic settings for the vault. |
enable_rbac_authorization | boolean | | Property that controls how data actions are authorized. |
enabled_for_deployment | boolean | | Indicates whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. |
enabled_for_disk_encryption | boolean | | Indicates whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. |
enabled_for_template_deployment | boolean | | Indicates whether Azure Resource Manager is permitted to retrieve secrets from the key vault. |
id | text | | Contains the ID that uniquely identifies the vault. |
name | text | = | The friendly name that identifies the vault. |
network_acls | jsonb | | Rules governing the accessibility of the key vault from specific network locations. |
private_endpoint_connections | jsonb | | List of private endpoint connections associated with the key vault. |
purge_protection_enabled | boolean | | Indicates whether protection against purge is enabled for this vault. |
region | text | | The Azure region/location in which the resource is located. |
resource_group | text | = | The resource group which holds this resource. |
sku_family | text | | Contains the SKU family name. |
sku_name | text | | SKU name specifying whether the key vault is a standard vault or a premium vault. |
soft_delete_enabled | boolean | | Indicates whether the 'soft delete' functionality is enabled for this key vault. |
soft_delete_retention_in_days | bigint | | Contains the soft delete data retention period in days. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
tags | jsonb | | A map of tags for the resource. |
tenant_id | text | | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. |
title | text | | Title of the resource. |
type | text | | Type of the resource. |
vault_uri | text | | Contains the URI of the vault for performing operations on keys and secrets. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_azure --config '<your_config>' azure_key_vault
```