steampipe plugin install azure

Table: azure_key_vault_key - Query Azure Key Vault Keys using SQL

Azure Key Vault is a service within Microsoft Azure that provides a secure store for secrets, keys, and certificates. It provides a centralized way to manage cryptographic keys and secrets in cloud applications, without having to maintain an in-house key management infrastructure. Azure Key Vault helps users safeguard cryptographic keys and secrets used by cloud apps and services.

Table Usage Guide

The azure_key_vault_key table provides insights into keys within Azure Key Vault. As a security engineer, explore key-specific details through this table, including key type, key state, and key attributes. Use it to find keys with particular attributes (for example, keys without an expiration time), to check whether keys are enabled or disabled, and to verify key properties such as type, size, and curve.

Examples

Basic info

Explore the status and details of your Azure Key Vault keys to understand their configurations and keep track of their activity. This is useful for maintaining security and ensuring that keys are up-to-date and correctly enabled.

PostgreSQL:

select
  name,
  vault_name,
  enabled,
  created_at,
  updated_at,
  key_type,
  location
from
  azure_key_vault_key;

SQLite:

select
  name,
  vault_name,
  enabled,
  created_at,
  updated_at,
  key_type,
  location
from
  azure_key_vault_key;

List disabled keys

Identify instances where Azure Key Vault keys are disabled to ensure proper security measures are in place and access control is effectively managed.

PostgreSQL:

select
  name,
  vault_name,
  enabled
from
  azure_key_vault_key
where
  not enabled;

SQLite:

select
  name,
  vault_name,
  enabled
from
  azure_key_vault_key
where
  not enabled;

List keys with no expiration time set

Identify keys within Azure Key Vault that have not been assigned an expiration time. This is useful for managing key-rotation practice: a key with no expiration time never ages out on its own, so it can remain valid indefinitely and is easy to overlook when reviewing which keys should be retired.

PostgreSQL:

select
  name,
  enabled,
  expires_at
from
  azure_key_vault_key
where
  expires_at is null;

SQLite:

select
  name,
  enabled,
  expires_at
from
  azure_key_vault_key
where
  expires_at is null;
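The complementary check, as an added example that is not part of the Steampipe hub page: enabled keys that have already expired or will expire within the next 30 days. The 30-day window is an assumed threshold chosen for illustration; adjust it to your rotation policy. The SQLite variant uses strftime for the date arithmetic in the same way the page's own "never been updated" query does, which avoids comparing ISO timestamp strings against the format datetime('now') produces.

```sql
-- Added example (not from the Steampipe hub page).
-- The 30-day window is an assumed threshold.

-- PostgreSQL
select
  name,
  vault_name,
  key_type,
  expires_at,
  case
    when expires_at < now() then 'expired'
    else 'expiring soon'
  end as status,
  expires_at - now() as time_remaining
from
  azure_key_vault_key
where
  enabled
  and expires_at is not null
  and expires_at < now() + interval '30 days'
order by
  expires_at;

-- SQLite
select
  name,
  vault_name,
  key_type,
  expires_at,
  case
    when strftime('%s', expires_at) < strftime('%s', 'now') then 'expired'
    else 'expiring soon'
  end as status
from
  azure_key_vault_key
where
  enabled
  and expires_at is not null
  and strftime('%s', expires_at) < strftime('%s', 'now', '+30 days')
order by
  expires_at;
```

Run together with the query above, the two lists give the full picture for rotation planning: keys that will never expire and keys that are about to.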

List keys which have never been updated

Discover the keys in your Azure Key Vault that have remained unmodified since their creation. This can be useful to identify any keys that may have been overlooked or forgotten, ensuring all keys are up-to-date and secure.

PostgreSQL:

select
  name,
  enabled,
  created_at,
  updated_at
from
  azure_key_vault_key
where
  enabled
  and age(updated_at, created_at) = '00:00:00';

SQLite:

select
  name,
  enabled,
  created_at,
  updated_at
from
  azure_key_vault_key
where
  enabled
  and (
    strftime('%s', updated_at) - strftime('%s', created_at)
  ) = 0;

Count the number of keys by key vault

Determine the distribution of keys across various vaults to understand your security setup better. This can help identify any potential vaults that may be overloaded or underutilized.

PostgreSQL:

select
  vault_name,
  count(vault_name) as count
from
  azure_key_vault_key
group by
  vault_name;

SQLite:

select
  vault_name,
  count(vault_name) as count
from
  azure_key_vault_key
group by
  vault_name;
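A per-vault hygiene summary, as an added example that is not part of the Steampipe hub page. It extends the count above with conditional counts for the conditions the earlier examples check one at a time (disabled keys, keys without an expiration time) plus two drawn from the schema: RSA keys below an assumed 2048-bit minimum, and keys whose recovery_level contains 'Purgeable' (the schema notes such objects can be permanently deleted by a privileged user). The 2048-bit threshold is an assumption for illustration. It uses sum(case ...) rather than count(...) filter (...) so the same statement runs unchanged on both PostgreSQL and SQLite.

```sql
-- Added example (not from the Steampipe hub page); portable across
-- PostgreSQL and SQLite. The 2048-bit RSA minimum is an assumed policy value.
select
  vault_name,
  count(*) as total_keys,
  sum(case when not enabled then 1 else 0 end) as disabled_keys,
  sum(case when expires_at is null then 1 else 0 end) as keys_without_expiry,
  sum(case when not_before is null then 1 else 0 end) as keys_without_not_before,
  -- key_size is null for EC keys, so the comparison is null and they are not counted
  sum(case when key_type in ('RSA', 'RSAHSM') and key_size < 2048 then 1 else 0 end) as rsa_under_2048_bits,
  sum(case when recovery_level like '%Purgeable%' then 1 else 0 end) as purgeable_keys
from
  azure_key_vault_key
group by
  vault_name
order by
  keys_without_expiry desc,
  total_keys desc;
```

Vaults at the top of the result carry the most keys that never expire; a vault with a non-zero purgeable_keys count is one where soft-delete and purge protection are worth reviewing.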

Schema for azure_key_vault_key

| Name | Type | Operators | Description |
| --- | --- | --- | --- |
| _ctx | jsonb | | Steampipe context in JSON form. |
| akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
| cloud_environment | text | | The Azure Cloud Environment. |
| created_at | timestamp with time zone | | Specifies the time when the key was created. |
| curve_name | text | | The elliptic curve name. Possible values are: 'P256', 'P384', 'P521', 'P256K'. |
| enabled | boolean | | Indicates whether the key is enabled, or not. |
| expires_at | timestamp with time zone | | Specifies the time when the key will expire. |
| id | text | | Contains ID to identify a key uniquely. |
| key_ops | jsonb | | A list of key operations. |
| key_size | bigint | | The key size in bits. |
| key_type | text | | The type of the key. Possible values are: 'EC', 'ECHSM', 'RSA', 'RSAHSM'. |
| key_uri | text | | The URI to retrieve the current version of the key. |
| key_uri_with_version | text | | The URI to retrieve the specific version of the key. |
| location | text | | Azure location of the key vault resource. |
| name | text | = | The friendly name that identifies the key. |
| not_before | timestamp with time zone | | Specifies the time before which the key is not usable. |
| recovery_level | text | | The deletion recovery level currently in effect for the object. If it contains 'Purgeable', then the object can be permanently deleted by a privileged user; otherwise, only the system can purge the object at the end of the retention interval. |
| region | text | | The Azure region/location in which the resource is located. |
| resource_group | text | = | The resource group which holds this resource. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
| tags | jsonb | | A map of tags for the resource. |
| title | text | | Title of the resource. |
| type | text | | Type of the resource. |
| updated_at | timestamp with time zone | | Specifies the time when the key was last updated. |
| vault_name | text | = | The friendly name that identifies the vault. |
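Querying the jsonb columns, as an added example that is not part of the Steampipe hub page. key_ops is a JSON array of operation names and tags is a JSON object, so filtering on them needs the JSON operators of each engine rather than plain equality. The query lists keys that permit the 'decrypt' operation but carry no 'owner' tag; the tag key 'owner' is an assumed naming convention, and 'decrypt' is one of the Azure Key Vault key operation names.

```sql
-- Added example (not from the Steampipe hub page).
-- The 'owner' tag key is an assumed convention.

-- PostgreSQL: ? tests whether a jsonb array contains the string,
-- ->> extracts an object member as text.
select
  name,
  vault_name,
  key_ops,
  tags ->> 'owner' as owner
from
  azure_key_vault_key
where
  key_ops ? 'decrypt'
  and (tags ->> 'owner') is null;

-- SQLite: json_each expands the array into rows, json_extract reads a member.
select
  name,
  vault_name,
  key_ops,
  json_extract(tags, '$.owner') as owner
from
  azure_key_vault_key
where
  exists (
    select 1 from json_each(key_ops) where value = 'decrypt'
  )
  and json_extract(tags, '$.owner') is null;
```

The same pattern applies to any of the jsonb columns in the schema (akas, tags, key_ops): use ? and ->> on PostgreSQL, json_each and json_extract on SQLite.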

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure

You can pass the configuration to the command with the --config argument:

steampipe_export_azure --config '<your_config>' azure_key_vault_key