azure.mgmt.keyvault resources¶
azure.keyvault¶
Key Vault Resource
- example
This policy will find all KeyVaults with 10 or less API Hits over the last 72 hours
policies:
- name: inactive-keyvaults
resource: azure.keyvault
filters:
- type: metric
metric: ServiceApiHit
op: ge
aggregation: total
threshold: 10
timeframe: 72
- example
This policy will find all KeyVaults with an access of Service Principals not in the white list that exceed read-only access
policies:
- name: policy
description:
Ensure only authorized people have an access
resource: azure.keyvault
filters:
- not:
- type: whitelist
key: principalName
users:
- account1@sample.com
- account2@sample.com
permissions:
keys:
- get
secrets:
- get
certificates:
- get
- example
This policy will find all KeyVaults and add get and list permissions for keys.
policies:
- name: policy
description:
Add get and list permissions to keys access policy
resource: azure.keyvault
actions:
- type: update-access-policy
operation: add
access-policies:
- tenant-id: 00000000-0000-0000-0000-000000000000
object-id: 11111111-1111-1111-1111-111111111111
permissions:
keys:
- get
- list
Filters¶
whitelist¶
properties:
key:
type: string
permissions:
certificates:
type: array
keys:
type: array
secrets:
type: array
type:
enum:
- whitelist
users:
type: array
required:
- key
- type
Actions¶
update-access-policy¶
Adds Get and List key access policy to all keyvaults
policies: - name: azure-keyvault-update-access-policies resource: azure.keyvault description: | Add key get and list to all keyvault access policies actions: - type: update-access-policy operation: add access-policies: - tenant-id: 00000000-0000-0000-0000-000000000000 object-id: 11111111-1111-1111-1111-111111111111 permissions: keys: - Get - List
properties:
access-policies:
items:
object-id:
type: string
permissions:
certificates:
items:
type: string
type: array
keys:
items:
type: string
type: array
secrets:
items:
type: string
type: array
type: object
tenant-id:
type: string
type: object
type: array
operation:
enum:
- add
- replace
type: string
type:
enum:
- update-access-policy
required:
- operation
- access-policies
- type