azure.keyvault-key

Key Vault Key Resource

example:

This policy will find all Keys in keyvault_test and keyvault_prod KeyVaults

policies:
  - name: keyvault-keys
    description:
      List all keys from 'keyvault_test' and 'keyvault_prod' vaults
    resource: azure.keyvault-key
    filters:
      - type: keyvault
        vaults:
          - keyvault_test
          - keyvault_prod

example:

This policy will find all Keys in all KeyVaults that are older than 30 days

policies:
  - name: keyvault-keys
    description:
      List all keys that are older than 30 days
    resource: azure.keyvault-key
    filters:
      - type: value
        key: attributes.created
        value_type: age
        op: gt
        value: 30

example:

If your company wants to enforce usage of HSM-backed keys in the KeyVaults, you can use this policy to find all Keys in all KeyVaults not backed by an HSM module.

policies:
  - name: keyvault-keys
    description:
      List all non-HSM keys
    resource: azure.keyvault-key
    filters:
      - not:
         - type: key-type
           key-types:
             - RSA-HSM, EC-HSM

Filters

• advisor-recommendation

• event

• key-type

• keyvault

• list-item

• parent

• reduce

• rotation-policy

• value

advisor-recommendation

Filter resources by Azure Advisor Recommendations

Select all categories with ‘all’

example:

policies:
  - name: disks-with-cost-recommendations
    resource: azure.disk
    filters:
      - type: advisor-recommendation
        category: Cost
        key: '[].properties.recommendationTypeId'
        op: contains
        value: '48eda464-1485-4dcf-a674-d0905df5054a'

properties:
  category:
    type: string
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - advisor-recommendation
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- category
- type

key-type

Parent base class for filters and actions.

properties:
  key-types:
    items:
      enum:
      - EC
      - EC-HSM
      - RSA
      - RSA-HSM
    type: array
  type:
    enum:
    - key-type
required:
- type

keyvault

Parent base class for filters and actions.

properties:
  type:
    enum:
    - keyvault
  vaults:
    items:
      type: string
    type: array
required:
- vaults
- type

rotation-policy

Filters keyvault keys for rotation policy

example:

Find all keyvault key that don’t have rotation policy enabled

policies:
   - name: key-vault-keys-rotation-is-disabled
     resource: azure.keyvault-keys
     filters:
        - type: rotation-policy
          state: Disabled

properties:
  state:
    enum:
    - Enabled
    - Disabled
    type: string
  type:
    enum:
    - rotation-policy
required:
- state
- type

Actions

• logic-app

• notify

• webhook