steampipe plugin install azure

Table: azure_key_vault_managed_hardware_security_module - Query Azure Key Vault Managed HSM pools using SQL

Azure Key Vault is a service within Microsoft Azure that provides secure key management and cryptographic protection services. It offers solutions for securely storing and accessing secrets, keys, and certificates, while also providing logging for all key usage. A managed hardware security module (HSM) in Azure Key Vault provides cryptographic key storage in FIPS 140-2 Level 3 validated HSMs.

Table Usage Guide

The azure_key_vault_managed_hardware_security_module table lists the Managed HSM pools in your Azure subscriptions together with their configuration: soft delete and purge protection settings, retention period, provisioning state, SKU, diagnostic settings, region and tags. As a security engineer, use it to audit the deletion safeguards and logging posture of each pool and to confirm that pools live in the expected subscriptions and regions. Note that the table describes the pool itself; it does not enumerate the keys held inside the HSM, and a Managed HSM stores keys only (not secrets or certificates).

Examples

Basic info

Explore the configuration of Azure's Key Vault Managed Hardware Security Module to understand its current settings and location. This is useful for auditing security measures and ensuring data is stored in the correct geographical region.

select
  name,
  id,
  hsm_uri,
  type,
  enable_soft_delete,
  region
from
  azure_key_vault_managed_hardware_security_module;

List managed HSM pools with soft delete disabled

Identify Managed HSM pools where soft delete is disabled. Without soft delete, a deleted pool and the keys it holds cannot be recovered, so any row returned here deserves attention. Soft delete is enabled by default on new pools and cannot be turned off once enabled, so this query is expected to return nothing in a well-managed environment. The first form is PostgreSQL syntax, the second is the SQLite equivalent.

PostgreSQL:

select
  name,
  id,
  enable_soft_delete
from
  azure_key_vault_managed_hardware_security_module
where
  not enable_soft_delete;

SQLite:

select
  name,
  id,
  enable_soft_delete
from
  azure_key_vault_managed_hardware_security_module
where
  enable_soft_delete = 0;
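Soft delete alone does not stop an attacker or a mistaken operator from hard-deleting a pool: purge protection must also be on, the retention window should be as long as policy allows, and diagnostic settings are needed for key-usage audit logs to go anywhere. The following query, an added example rather than one from the Steampipe documentation, combines those checks into a single baseline report using only columns from this table's schema. It is PostgreSQL syntax, and it assumes that diagnostic_settings is stored as a JSON array (the schema describes it as "a list of active diagnostic settings"); the jsonb_typeof guard keeps the query from erroring if the column is null or not an array.

```sql
-- Added example (not from the Steampipe docs): report Managed HSM pools whose
-- deletion safeguards or logging fall short of a hardened baseline.
-- Assumptions: PostgreSQL syntax; diagnostic_settings is a jsonb array.
with hsm as (
  select
    name,
    resource_group,
    subscription_id,
    region,
    enable_soft_delete,
    enable_purge_protection,
    soft_delete_retention_in_days,
    -- Count diagnostic settings defensively: null or non-array -> 0.
    case
      when jsonb_typeof(diagnostic_settings) = 'array'
        then jsonb_array_length(diagnostic_settings)
      else 0
    end as diagnostic_setting_count
  from
    azure_key_vault_managed_hardware_security_module
)
select
  name,
  resource_group,
  subscription_id,
  region,
  enable_soft_delete,
  enable_purge_protection,
  soft_delete_retention_in_days,
  diagnostic_setting_count,
  -- concat_ws skips NULL arguments, so only the failing checks are listed.
  concat_ws(', ',
    case when enable_soft_delete is not true then 'soft delete off' end,
    case when enable_purge_protection is not true then 'purge protection off' end,
    case when soft_delete_retention_in_days < 90 then 'retention below 90 days' end,
    case when diagnostic_setting_count = 0 then 'no diagnostic settings' end
  ) as findings
from
  hsm
where
  enable_soft_delete is not true
  or enable_purge_protection is not true
  or soft_delete_retention_in_days < 90
  or diagnostic_setting_count = 0
order by
  subscription_id,
  name;
```

The checks use "is not true" rather than "= false" so that a null value (a pool the API reported without the property) is treated as a finding instead of silently passing. Enabling purge protection is irreversible, as the schema notes, so review the findings column with the pool owner before remediating rather than bulk-applying it.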

Schema for azure_key_vault_managed_hardware_security_module

Columns marked with operators (for example "=") are key columns: a where clause on them is pushed down to the Azure API, so filtering on name, resource_group or subscription_id is cheaper than filtering on other columns after a full listing.

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
cloud_environment | text | | The Azure Cloud Environment.
create_mode | text | | The create mode to indicate whether the resource is being created or is being recovered from a deleted resource. Possible values include: 'CreateModeRecover', 'CreateModeDefault'.
diagnostic_settings | jsonb | | A list of active diagnostic settings for the managed HSM.
enable_purge_protection | boolean | | Property specifying whether protection against purge is enabled for this managed HSM pool. Setting this property to true activates protection against purge for this managed HSM pool and its content; only the Managed HSM service may initiate a hard, irrecoverable deletion. The setting is effective only if soft delete is also enabled. Enabling this functionality is irreversible.
enable_soft_delete | boolean | | Property to specify whether the 'soft delete' functionality is enabled for this managed HSM pool. If it is not set to any value (true or false) when creating a new managed HSM pool, it will be set to true by default. Once set to true, it cannot be reverted to false.
hsm_uri | text | | The URI of the managed HSM pool for performing operations on keys.
id | text | | The Azure Resource Manager resource ID for the managed HSM pool.
name | text | = | The name of the managed HSM pool.
provisioning_state | text | | Provisioning state. Possible values include: 'ProvisioningStateSucceeded', 'ProvisioningStateProvisioning', 'ProvisioningStateFailed', 'ProvisioningStateUpdating', 'ProvisioningStateDeleting', 'ProvisioningStateActivated', 'ProvisioningStateSecurityDomainRestore', 'ProvisioningStateRestoring'.
region | text | | The Azure region/location in which the resource is located.
resource_group | text | = | The resource group which holds this resource.
sku_family | text | | Contains SKU family name.
sku_name | text | | SKU name of the managed HSM pool (Managed HSM has its own SKUs, distinct from the Key Vault standard and premium tiers).
soft_delete_retention_in_days | bigint | | Indicates softDelete data retention days. It accepts >=7 and <=90.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
status_message | text | | Resource status message.
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located.
tags | jsonb | | A map of tags for the resource.
tenant_id | text | | The Azure Active Directory tenant ID that should be used for authenticating requests to the managed HSM.
title | text | | Title of the resource.
type | text | | The resource type of the managed HSM pool.

Export

This table is also available through a standalone exporter CLI. Steampipe exporters are stand-alone binaries that extract data using Steampipe plugins without a running database, which is convenient for one-off audits or CI jobs.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure

You can pass the configuration to the command with the --config argument:

steampipe_export_azure --config '<your_config>' azure_key_vault_managed_hardware_security_module