Table: azure_key_vault_secret - Query Azure Key Vault Secrets using SQL
Azure Key Vault Secret is a resource within Microsoft Azure that allows you to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets. It provides a centralized way to manage application secrets and control their distribution. Azure Key Vault Secret helps maintain application secrets with a high level of security.
Table Usage Guide
The azure_key_vault_secret
table provides insights into the secrets stored in Azure Key Vaults. As a security engineer, explore secret-specific details through this table, including secret attributes, versions, and associated metadata. Utilize it to uncover information about secrets, such as their recovery level, enabled status, and expiration dates.
Examples
Basic info
Explore the status and details of your Azure Key Vault secrets. This query is useful to keep track of the secrets' status, enabling you to manage and monitor them effectively.
select name, id, vault_name, enabled, created_at, updated_at, valuefrom azure_key_vault_secret;
select name, id, vault_name, enabled, created_at, updated_at, valuefrom azure_key_vault_secret;
List disabled secrets
Explore which secrets within the Azure Key Vault are currently disabled. This can help in managing access and maintaining the security of your vault.
select name, vault_name, enabledfrom azure_key_vault_secretwhere not enabled;
select name, vault_name, enabledfrom azure_key_vault_secretwhere not enabled;
List secrets that do not expire
Discover the segments that consist of non-expiring secrets within Azure's key vault. This can be useful in managing and identifying potential security risks associated with indefinite secret keys.
select name, enabled, expires_atfrom azure_key_vault_secretwhere expires_at is null;
select name, enabled, expires_atfrom azure_key_vault_secretwhere expires_at is null;
List enabled secrets that have never been updated
Identify the enabled secrets within your Azure Key Vault that have remained unchanged since their creation. This is useful for security purposes and ensuring that secret keys are being regularly updated and managed properly.
select name, enabled, created_at, updated_atfrom azure_key_vault_secretwhere enabled and age(updated_at, created_at) = '00:00:00';
select name, enabled, created_at, updated_atfrom azure_key_vault_secretwhere enabled and (julianday(updated_at) - julianday(created_at)) * 24 * 60 * 60 = 0;
Count the number of secrets by vault
Assess the elements within your Azure Key Vault by counting the number of secrets each vault holds. This allows you to understand the distribution of secrets across your vaults, helping to manage and balance storage.
select vault_name, count(vault_name) as countfrom azure_key_vault_secretgroup by vault_name;
select vault_name, count(vault_name) as countfrom azure_key_vault_secretgroup by vault_name;
Control examples
- All Controls > Key Vault > Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- All Controls > Key Vault > Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- CIS v1.3.0 > 8 Other Security Considerations > 8.2 Ensure that the expiration date is set on all Secrets
- CIS v1.4.0 > 8 Other Security Considerations > 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- CIS v1.4.0 > 8 Other Security Considerations > 8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- CIS v1.5.0 > 8 Other Security Considerations > 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- CIS v1.5.0 > 8 Other Security Considerations > 8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- CIS v2.0.0 > 8 Key Vault > 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- CIS v2.0.0 > 8 Key Vault > 8.4 Ensure that the Expiration Date is set for all Secrets in Non- RBAC Key Vaults
- CIS v2.1.0 > 8 Key Vault > 8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- CIS v2.1.0 > 8 Key Vault > 8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- CIS v3.0.0 > 3 Security > 3.3 Key Vault > 3.3.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
- CIS v3.0.0 > 3 Security > 3.3 Key Vault > 3.3.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
- Key Vault secrets should have an expiration date
Schema for azure_key_vault_secret
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
cloud_environment | text | The Azure Cloud Environment. | |
content_type | text | Specifies the type of the secret value such as a password. | |
created_at | timestamp with time zone | Specifies the time when the secret is created. | |
enabled | boolean | Indicates whether the secret is enabled, or not. | |
expires_at | timestamp with time zone | Specifies the time when the secret will expire. | |
id | text | Contains ID to identify a secret uniquely. | |
kid | text | If this is a secret backing a KV certificate, then this field specifies the corresponding key backing the KV certificate. | |
managed | boolean | Indicates whether the secret's lifetime is managed by key vault, or not. | |
name | text | = | The friendly name that identifies the secret. |
not_before | timestamp with time zone | Specifies the time before which the secret is not usable. | |
recoverable_days | bigint | Specifies the soft delete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. | |
recovery_level | text | The deletion recovery level currently in effect for the object. If it contains 'Purgeable', then the object can be permanently deleted by a privileged user; otherwise, only the system can purge the object at the end of the retention interval. | |
region | text | The Azure region/location in which the resource is located. | |
resource_group | text | The resource group which holds this resource. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
tags | jsonb | A map of tags for the resource. | |
title | text | Title of the resource. | |
updated_at | timestamp with time zone | Specifies the time when the secret was last updated. | |
value | text | Specifies the secret value. | |
vault_name | text | = | The friendly name that identifies the vault. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure
You can pass the configuration to the command with the --config
argument:
steampipe_export_azure --config '<your_config>' azure_key_vault_secret