Table: azure_key_vault_key - Query Azure Key Vault Keys using SQL
Azure Key Vault is a service within Microsoft Azure that provides a secure store for secrets, keys, and certificates. It provides a centralized way to manage cryptographic keys and secrets in cloud applications, without having to maintain an in-house key management infrastructure. Azure Key Vault helps users safeguard cryptographic keys and secrets used by cloud apps and services.
Table Usage Guide
The azure_key_vault_key table provides insights into keys within Azure Key Vault. As a security engineer, explore key-specific details through this table, including key type, key state, and key attributes. Use it to find keys with specific attributes, check the state of each key, and verify key properties such as size, expiration, and recovery level.
Examples
Basic info
Explore the status and details of your Azure Key Vault keys to understand their configurations and keep track of their activity. This is useful for maintaining security and ensuring that keys are up-to-date and correctly enabled.
```sql
select
  name,
  vault_name,
  enabled,
  created_at,
  updated_at,
  key_type,
  location
from
  azure_key_vault_key;
```
List disabled keys
Identify instances where Azure Key Vault keys are disabled to ensure proper security measures are in place and access control is effectively managed.
```sql
select
  name,
  vault_name,
  enabled
from
  azure_key_vault_key
where
  not enabled;
```
List keys with no expiration time set
Identify instances where certain keys within Azure's Key Vault service have not been assigned an expiration time. This could be useful in managing security practices, as keys without set expiration times could potentially pose a risk.
```sql
select
  name,
  enabled,
  expires_at
from
  azure_key_vault_key
where
  expires_at is null;
```
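Keys with no expiration date are only part of the picture: a key whose date is set but has already passed, or is about to pass, will break the clients that depend on it unless a new version is rolled out first. The following query is an added example (not from the Steampipe documentation) in the PostgreSQL dialect Steampipe uses by default; the 30-day window is an assumed rotation lead time and should be adjusted to local policy.

```sql
-- Added example: keys that are already expired or will expire within the
-- next 30 days (assumed lead time), with the remaining days so that rotation
-- can be scheduled before dependent services start failing.
select
  vault_name,
  name,
  enabled,
  expires_at,
  case
    when expires_at < now() then 'expired'
    else 'expires within 30 days'
  end as status,
  -- negative for keys that are already past their expiration date
  extract(day from (expires_at - now()))::int as days_remaining
from
  azure_key_vault_key
where
  expires_at is not null
  and expires_at < now() + interval '30 days'
order by
  expires_at;
```

Combined with the "no expiration" query above, this gives a complete expiration view: keys that never expire, keys that have expired while still enabled, and keys whose rotation is due.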
List keys which have never been updated
Discover the keys in your Azure Key Vault that have remained unmodified since their creation. This can be useful to identify any keys that may have been overlooked or forgotten, ensuring all keys are up-to-date and secure.
PostgreSQL:

```sql
select
  name,
  enabled,
  created_at,
  updated_at
from
  azure_key_vault_key
where
  enabled
  and age(updated_at, created_at) = '00:00:00';
```

SQLite:

```sql
select
  name,
  enabled,
  created_at,
  updated_at
from
  azure_key_vault_key
where
  enabled
  and (strftime('%s', updated_at) - strftime('%s', created_at)) = 0;
```
Count the number of keys by key vault
Determine the distribution of keys across various vaults to understand your security setup better. This can help identify any potential vaults that may be overloaded or underutilized.
```sql
select
  vault_name,
  count(vault_name) as count
from
  azure_key_vault_key
group by
  vault_name;
```
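The examples above each test one property. When reviewing a whole estate it is more useful to collect several checks into one result so each key carries the list of findings against it. The query below is an added example, not part of the Steampipe documentation, written for PostgreSQL. It uses only columns from the schema on this page; the finding labels and the 2048-bit RSA threshold are assumptions, and the `not_hsm_backed` check only applies where policy requires HSM-protected keys.

```sql
-- Added example: per-key findings assembled from the schema columns.
-- Every check is a "case" expression that yields a label or null; nulls are
-- stripped so "findings" contains only the checks that fired.
select
  vault_name,
  name,
  key_type,
  key_size,
  curve_name,
  recovery_level,
  findings
from (
  select
    vault_name,
    name,
    key_type,
    key_size,
    curve_name,
    recovery_level,
    array_remove(array[
      -- RSA keys below 2048 bits (assumed minimum) are considered weak
      case when key_type in ('RSA', 'RSAHSM') and key_size < 2048
           then 'rsa_key_below_2048_bits' end,
      -- 'EC' and 'RSA' are software-protected; 'ECHSM' and 'RSAHSM' are HSM-backed
      case when key_type in ('RSA', 'EC')
           then 'not_hsm_backed' end,
      -- a 'Purgeable' recovery level lets a privileged user delete the key permanently
      case when recovery_level like '%Purgeable%'
           then 'purge_allowed' end,
      -- no expiration date set (the CIS Key Vault expiration controls)
      case when expires_at is null
           then 'no_expiration_set' end
    ], null) as findings
  from
    azure_key_vault_key
) k
where
  cardinality(findings) > 0
order by
  cardinality(findings) desc,
  vault_name,
  name;
```

Keys with the most findings sort first; a key that is software-protected, purgeable and never expires is the one to review before a key with a single observation.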
Query examples
- container_registries_for_key_vault_key
- cosmosdb_account_encryption_details
- key_vault_key_1_year_count
- key_vault_key_24_hours_count
- key_vault_key_30_90_days_count
- key_vault_key_30_days_count
- key_vault_key_90_365_days_count
- key_vault_key_age
- key_vault_key_by_creation_month
- key_vault_key_by_recovery_level
- key_vault_key_by_region
- key_vault_key_by_size
- key_vault_key_by_subscription
- key_vault_key_by_type
- key_vault_key_count
- key_vault_key_enabled_count
- key_vault_key_expiration_set_count
- key_vault_key_size
- key_vault_key_tags
- key_vault_key_type
- key_vault_keys_for_compute_disk
- key_vault_keys_for_compute_snapshot
- key_vault_keys_for_cosmosdb_account
- key_vault_keys_for_key_vault
- key_vault_keys_for_sql_server
- key_vault_keys_for_storage_account
- key_vault_vaults_for_cosmosdb_account
- key_vault_vaults_for_key_vault_key
Control examples
- All Controls > Key Vault > Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- All Controls > Key Vault > Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- CIS v1.3.0 > 8 Other Security Considerations > 8.1 Ensure that the expiration date is set on all keys
- CIS v1.4.0 > 8 Other Security Considerations > 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- CIS v1.4.0 > 8 Other Security Considerations > 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- CIS v1.5.0 > 8 Other Security Considerations > 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- CIS v1.5.0 > 8 Other Security Considerations > 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- CIS v2.0.0 > 8 Key Vault > 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- CIS v2.0.0 > 8 Key Vault > 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- CIS v2.1.0 > 8 Key Vault > 8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
- CIS v2.1.0 > 8 Key Vault > 8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
- Key Vault keys should have an expiration date
Schema for azure_key_vault_key
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
cloud_environment | text | | The Azure Cloud Environment. |
created_at | timestamp with time zone | | Specifies the time when the key was created. |
curve_name | text | | The elliptic curve name. Possible values are: 'P256', 'P384', 'P521', 'P256K'. |
enabled | boolean | | Indicates whether the key is enabled, or not. |
expires_at | timestamp with time zone | | Specifies the time when the key will expire. |
id | text | | Contains ID to identify a key uniquely. |
key_ops | jsonb | | A list of key operations. |
key_size | bigint | | The key size in bits. |
key_type | text | | The type of the key. Possible values are: 'EC', 'ECHSM', 'RSA', 'RSAHSM'. |
key_uri | text | | The URI to retrieve the current version of the key. |
key_uri_with_version | text | | The URI to retrieve the specific version of the key. |
location | text | | Azure location of the key vault resource. |
name | text | = | The friendly name that identifies the key. |
not_before | timestamp with time zone | | Specifies the time before which the key is not usable. |
recovery_level | text | | The deletion recovery level currently in effect for the object. If it contains 'Purgeable', then the object can be permanently deleted by a privileged user; otherwise, only the system can purge the object at the end of the retention interval. |
region | text | | The Azure region/location in which the resource is located. |
resource_group | text | = | The resource group which holds this resource. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
tags | jsonb | | A map of tags for the resource. |
title | text | | Title of the resource. |
type | text | | Type of the resource. |
updated_at | timestamp with time zone | | Specifies the time when the key was last updated. |
vault_name | text | = | The friendly name that identifies the vault. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure
```
You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_azure --config '<your_config>' azure_key_vault_key
```