azure.keyvault-key

Key Vault Key Resource

example

This policy will find all Keys in keyvault_test and keyvault_prod KeyVaults

policies:
  - name: keyvault-keys
    description:
      List all keys from 'keyvault_test' and 'keyvault_prod' vaults
    resource: azure.keyvault-key
    filters:
      - type: keyvault
        vaults:
          - keyvault_test
          - keyvault_prod
example

This policy will find all Keys in all KeyVaults that are older than 30 days

policies:
  - name: keyvault-keys
    description:
      List all keys that are older than 30 days
    resource: azure.keyvault-key
    filters:
      - type: value
        key: attributes.created
        value_type: age
        op: gt
        value: 30
example

If your company wants to enforce usage of HSM-backed keys in the KeyVaults, you can use this policy to find all Keys in all KeyVaults not backed by an HSM module.

policies:
  - name: keyvault-keys
    description:
      List all non-HSM keys
    resource: azure.keyvault-key
    filters:
      - not:
         - type: key-type
           key-types:
             - RSA-HSM, EC-HSM

Filters

key-type

properties:
  key-types:
    items:
      enum:
      - EC
      - EC-HSM
      - RSA
      - RSA-HSM
    type: array
  type:
    enum:
    - key-type
required:
- type

keyvault

properties:
  type:
    enum:
    - keyvault
  vaults:
    items:
      type: string
    type: array
required:
- vaults
- type