azure_ad_groupazure_ad_service_principalazure_ad_userazure_alert_managementazure_api_managementazure_api_management_backendazure_app_configurationazure_app_service_environmentazure_app_service_function_appazure_app_service_planazure_app_service_web_appazure_app_service_web_app_slotazure_application_gatewayazure_application_insightazure_application_security_groupazure_automation_accountazure_automation_variableazure_bastion_hostazure_batch_accountazure_cognitive_accountazure_compute_availability_setazure_compute_diskazure_compute_disk_accessazure_compute_disk_encryption_setazure_compute_disk_metric_read_opsazure_compute_disk_metric_read_ops_dailyazure_compute_disk_metric_read_ops_hourlyazure_compute_disk_metric_write_opsazure_compute_disk_metric_write_ops_dailyazure_compute_disk_metric_write_ops_hourlyazure_compute_imageazure_compute_resource_skuazure_compute_snapshotazure_compute_ssh_keyazure_compute_virtual_machineazure_compute_virtual_machine_metric_available_memoryazure_compute_virtual_machine_metric_available_memory_dailyazure_compute_virtual_machine_metric_available_memory_hourlyazure_compute_virtual_machine_metric_cpu_utilizationazure_compute_virtual_machine_metric_cpu_utilization_dailyazure_compute_virtual_machine_metric_cpu_utilization_hourlyazure_compute_virtual_machine_scale_setazure_compute_virtual_machine_scale_set_network_interfaceazure_compute_virtual_machine_scale_set_vmazure_consumption_usageazure_container_groupazure_container_registryazure_cosmosdb_accountazure_cosmosdb_mongo_collectionazure_cosmosdb_mongo_databaseazure_cosmosdb_restorable_database_accountazure_cosmosdb_sql_databaseazure_data_factoryazure_data_factory_datasetazure_data_factory_pipelineazure_data_lake_analytics_accountazure_data_lake_storeazure_databox_edge_deviceazure_databricks_workspaceazure_diagnostic_settingazure_dns_zoneazure_eventgrid_domainazure_eventgrid_topicazure_eventhub_namespaceazure_express_route_circuitazure_firewallazure_firewall_policyazure_frontdoorazure_hdinsight_clusterazure_healthcare_serviceazure_hpc_cacheazure_hybrid_compute_machineazure_hybrid_kubernetes_connected_clusterazure_iothubazure_iothub_dpsazure_key_vaultazure_key_vault_deleted_vaultazure_key_vault_keyazure_key_vault_key_versionazure_key_vault_managed_hardware_security_moduleazure_key_vault_secretazure_kubernetes_clusterazure_kubernetes_service_versionazure_kusto_clusterazure_lbazure_lb_backend_address_poolazure_lb_nat_ruleazure_lb_outbound_ruleazure_lb_probeazure_lb_ruleazure_locationazure_log_alertazure_log_profileazure_logic_app_workflowazure_machine_learning_workspaceazure_maintenance_configurationazure_management_groupazure_management_lockazure_mariadb_serverazure_monitor_activity_log_eventazure_monitor_log_profileazure_mssql_elasticpoolazure_mssql_managed_instanceazure_mssql_virtual_machineazure_mysql_flexible_serverazure_mysql_serverazure_nat_gatewayazure_network_interfaceazure_network_security_groupazure_network_watcherazure_network_watcher_flow_logazure_policy_assignmentazure_policy_definitionazure_postgresql_flexible_serverazure_postgresql_serverazure_private_dns_zoneazure_providerazure_public_ipazure_recovery_services_backup_jobazure_recovery_services_vaultazure_redis_cacheazure_resource_groupazure_resource_linkazure_role_assignmentazure_role_definitionazure_route_tableazure_search_serviceazure_security_center_auto_provisioningazure_security_center_automationazure_security_center_contactazure_security_center_jit_network_access_policyazure_security_center_settingazure_security_center_sub_assessmentazure_security_center_subscription_pricingazure_service_fabric_clusterazure_servicebus_namespaceazure_signalr_serviceazure_spring_cloud_serviceazure_sql_databaseazure_sql_serverazure_storage_accountazure_storage_blobazure_storage_blob_serviceazure_storage_containerazure_storage_queueazure_storage_share_fileazure_storage_syncazure_storage_tableazure_storage_table_serviceazure_stream_analytics_jobazure_subnetazure_subscriptionazure_synapse_workspaceazure_tenantazure_virtual_networkazure_virtual_network_gateway
Table: azure_key_vault_managed_hardware_security_module - Query Azure Key Vaults using SQL
Azure Key Vault is a service within Microsoft Azure that provides secure key management and cryptographic protection services. It offers solutions for securely storing and accessing secrets, keys, and certificates, while also providing logging for all key usage. A managed hardware security module (HSM) in Azure Key Vault provides cryptographic key storage in FIPS 140-2 Level 3 validated HSMs.
Table Usage Guide
The azure_key_vault_managed_hardware_security_module table provides insights into Azure Key Vaults managed by hardware security modules. As a security engineer, explore vault-specific details through this table, including keys, secrets, and certificates, and their associated metadata. Utilize it to uncover information about key usage, key permissions, and the verification of cryptographic protection services.
Examples
Basic info
Explore the configuration of Azure's Key Vault Managed Hardware Security Module to understand its current settings and location. This is useful for auditing security measures and ensuring data is stored in the correct geographical region.
select name, id, hsm_uri, type, enable_soft_delete, regionfrom azure_key_vault_managed_hardware_security_module;select name, id, hsm_uri, type, enable_soft_delete, regionfrom azure_key_vault_managed_hardware_security_module;List soft delete disabled hsm managed key vaults
Identify instances where the soft delete feature is disabled in Azure Key Vault Managed Hardware Security Modules. This is useful for enhancing data security by ensuring that deleted data can be recovered.
select name, id, enable_soft_deletefrom azure_key_vault_managed_hardware_security_modulewhere not enable_soft_delete;select name, id, enable_soft_deletefrom azure_key_vault_managed_hardware_security_modulewhere enable_soft_delete = 0;Control examples
Schema for azure_key_vault_managed_hardware_security_module
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. | |
| akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
| cloud_environment | text | The Azure Cloud Environment. | |
| create_mode | text | The create mode to indicate whether the resource is being created or is being recovered from a deleted resource. Possible values include: 'CreateModeRecover', 'CreateModeDefault'. | |
| diagnostic_settings | jsonb | A list of active diagnostic settings for the managed HSM. | |
| enable_purge_protection | boolean | Property specifying whether protection against purge is enabled for this managed HSM pool. Setting this property to true activates protection against purge for this managed HSM pool and its content - only the Managed HSM service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible. | |
| enable_soft_delete | boolean | Property to specify whether the 'soft delete' functionality is enabled for this managed HSM pool. If it's not set to any value(true or false) when creating new managed HSM pool, it will be set to true by default. Once set to true, it cannot be reverted to false. | |
| hsm_uri | text | The URI of the managed hsm pool for performing operations on keys. | |
| id | text | The Azure Resource Manager resource ID for the managed HSM Pool. | |
| name | text | = | The name of the managed HSM Pool. |
| provisioning_state | text | Provisioning state. Possible values include: 'ProvisioningStateSucceeded', 'ProvisioningStateProvisioning', 'ProvisioningStateFailed', 'ProvisioningStateUpdating', 'ProvisioningStateDeleting', 'ProvisioningStateActivated', 'ProvisioningStateSecurityDomainRestore', 'ProvisioningStateRestoring'. | |
| region | text | The Azure region/location in which the resource is located. | |
| resource_group | text | = | The resource group which holds this resource. |
| sku_family | text | Contains SKU family name. | |
| sku_name | text | SKU name to specify whether the key vault is a standard vault or a premium vault. | |
| soft_delete_retention_in_days | bigint | Indicates softDelete data retention days. It accepts >=7 and <=90. | |
| status_message | text | Resource Status Message. | |
| subscription_id | text | The Azure Subscription ID in which the resource is located. | |
| tags | jsonb | A map of tags for the resource. | |
| tenant_id | text | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | |
| title | text | Title of the resource. | |
| type | text | The resource type of the managed HSM Pool. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azureYou can pass the configuration to the command with the --config argument:
steampipe_export_azure --config '<your_config>' azure_key_vault_managed_hardware_security_module