steampipe plugin install azure

Table: azure_key_vault_key_version - Query Azure Key Vault Key Versions using SQL

Azure Key Vault is a service that provides a secure storage for secrets, keys, and certificates. It enables users to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets. Azure Key Vault simplifies the process of meeting industry compliance and regulatory standards.

Table Usage Guide

The azure_key_vault_key_version table provides insights into each version of a key stored in Azure Key Vault. As a security analyst, you can explore key-specific details through this table, including the key type, key state, and associated metadata. Use it to track the lifecycle of keys, verify the key state, and ensure compliance with security policies.

Examples

Basic info

Explore the status and details of various versions of keys in your Azure Key Vault. This will help you understand the lifecycle of your keys, their types, and their geographical locations, which can be crucial for managing security and compliance.

select
name,
vault_name,
enabled,
created_at,
updated_at,
key_type,
location
from
azure_key_vault_key_version;
select
name,
vault_name,
enabled,
created_at,
updated_at,
key_type,
location
from
azure_key_vault_key_version;

List disabled key versions

Identify instances where key versions are disabled in Azure Key Vault, allowing you to review and manage your keys' security settings effectively.

select
name,
key_name,
vault_name,
enabled
from
azure_key_vault_key_version
where
not enabled;
select
name,
key_name,
vault_name,
enabled
from
azure_key_vault_key_version
where
enabled = 0;

List keys versions with no expiration time set

Explore which versions of keys in Azure Key Vault have not been assigned an expiration time. This is useful for identifying potential security risks and ensuring key management best practices are being followed.

select
name,
enabled,
expires_at
from
azure_key_vault_key_version
where
expires_at is null;
select
name,
enabled,
expires_at
from
azure_key_vault_key_version
where
expires_at is null;

Count the number of versions by key

Assess the elements within your Azure Key Vault by determining the quantity of versions for each key. This can be beneficial in managing key rotations and understanding the lifecycle of each key.

select
key_name,
count(name) as key_version_count
from
azure_key_vault_key_version
group by
key_name;
select
key_name,
count(name) as key_version_count
from
azure_key_vault_key_version
group by
key_name;

Schema for azure_key_vault_key_version

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
cloud_environmenttextThe Azure Cloud Environment.
created_attimestamp with time zoneSpecifies the time when the key version is created.
curve_nametextThe elliptic curve name. Possible values are: 'P256', 'P384', 'P521', 'P256K'.
enabledbooleanIndicates whether the key version is enabled, or not.
expires_attimestamp with time zoneSpecifies the time when the key version wil expire.
idtextContains ID to identify a key version uniquely.
key_idtextContains ID to identify a key uniquely.
key_nametext=The friendly name that identifies the key.
key_opsjsonbA list of key operations.
key_sizebigintThe key size in bits.
key_typetextThe type of the key. Possible values are: 'EC', 'ECHSM', 'RSA', 'RSAHSM'.
key_uritextThe URI to retrieve the current version of the key.
key_uri_with_versiontextThe URI to retrieve the specific version of the key.
locationtextAzure location of the key vault resource.
nametextThe friendly name that identifies the key version.
not_beforetimestamp with time zoneSpecifies the time before which the key version is not usable.
recovery_leveltextThe deletion recovery level currently in effect for the object. If it contains 'Purgeable', then the object can be permanently deleted by a privileged user; otherwise, only the system can purge the object at the end of the retention interval.
regiontextThe Azure region/location in which the resource is located.
resource_grouptextThe resource group which holds this resource.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
subscription_idtext=, !=, ~~, ~~*, !~~, !~~*The Azure Subscription ID in which the resource is located.
tagsjsonbA map of tags for the resource.
titletextTitle of the resource.
typetextType of the resource
updated_attimestamp with time zoneSpecifies the time when the key was last updated.
vault_nametextThe friendly name that identifies the vault.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure

You can pass the configuration to the command with the --config argument:

steampipe_export_azure --config '<your_config>' azure_key_vault_key_version