azure.keyvault

Key Vault Resource

example

This policy will find all KeyVaults with 10 or fewer API hits in total over the last 72 hours. The comparison is op: le, so the filter keeps vaults whose ServiceApiHit total is at or below the threshold (with ge it would select the busiest vaults instead):

policies:
  - name: inactive-keyvaults
    resource: azure.keyvault
    filters:
      - type: metric
        metric: ServiceApiHit
        op: le
        aggregation: total
        threshold: 10
        timeframe: 72

example

This policy will find all KeyVaults that grant access to a principal outside the listed users, or that grant a listed user permissions on keys, secrets or certificates beyond read-only (get). The whitelist filter matches only when every access policy stays within the allow-list, so it is wrapped in not to report the vaults that exceed it.

policies:
    - name: policy
      description:
        Ensure only authorized people have an access
      resource: azure.keyvault
      filters:
        - not:
          - type: whitelist
            key: principalName
            users:
              - account1@sample.com
              - account2@sample.com
            permissions:
              keys:
                - get
              secrets:
                - get
              certificates:
                - get

example

This policy will add the get and list key permissions to the access policy of every KeyVault for the principal identified by tenant-id and object-id (the all-zero and all-one IDs below are placeholders to be replaced with real values):

policies:
    - name: policy
      description:
        Add get and list permissions to keys access policy
      resource: azure.keyvault
      actions:
        - type: update-access-policy
          operation: add
          access-policies:
            - tenant-id: 00000000-0000-0000-0000-000000000000
              object-id: 11111111-1111-1111-1111-111111111111
              permissions:
                keys:
                  - get
                  - list

Filters

firewall-bypass

Filters Key Vaults by their firewall bypass rules, that is, which categories of Azure traffic are allowed to bypass the vault's network rules. mode selects how list is compared with the bypass rules configured on the vault; AzureServices is the only bypass value the schema accepts.

example

This policy will find all KeyVaults with enabled Azure Services bypass rules

policies:
  - name: keyvault-bypass
    resource: azure.keyvault
    filters:
      - type: firewall-bypass
        mode: equal
        list:
            - AzureServices

properties:
  list:
    items:
      enum:
      - AzureServices
    type: array
  mode:
    enum:
    - include
    - equal
    - any
    - only
  type:
    enum:
    - firewall-bypass
required:
- mode
- list
- type

whitelist

Matches a Key Vault only when every one of its access policies is granted to one of the listed users (compared on the access-policy attribute named by key, principalName in the example above) and, when permissions is given, grants no key, secret or certificate permission beyond those listed. Wrap it in not to find vaults whose access policies exceed the allow-list.

properties:
  key:
    type: string
  permissions:
    certificates:
      type: array
    keys:
      type: array
    secrets:
      type: array
  type:
    enum:
    - whitelist
  users:
    type: array
required:
- key
- type
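As an added example (not code from this page or from Cloud Custodian itself), the following Python mirrors the allow-list check that the whitelist filter and the not: whitelist policy in the Key Vault Resource section rely on, run over constructed access policies. The sample data, the case-insensitive comparison of principal names and permission names, and the rule that a permission kind missing from permissions allows nothing are assumptions of this example, not behaviour documented on this page.

```python
"""Added illustration of the allow-list check behind the `whitelist` filter and the
`not: [whitelist]` policy above. This is example code written for this page, not
Cloud Custodian's own implementation. Assumed (not stated on the page): the
access-policy attribute named by `key` and the permission names are compared
case-insensitively, and a permission kind missing from `permissions` allows nothing."""

from typing import Dict, List, Optional, Tuple

KINDS = ("keys", "secrets", "certificates")

# Constructed sample access policies, shaped like the `key`/permissions data the
# filter compares. Only the third principal is outside the whitelist; the second
# has one permission beyond read-only.
SAMPLE_ACCESS_POLICIES: List[Dict] = [
    {"principalName": "account1@sample.com",
     "permissions": {"keys": ["Get"], "secrets": ["Get"], "certificates": ["Get"]}},
    {"principalName": "account2@sample.com",
     "permissions": {"keys": ["Get", "List"], "secrets": ["Get"], "certificates": []}},
    {"principalName": "contractor@other.com",
     "permissions": {"keys": ["Get"], "secrets": ["Get"], "certificates": ["Get"]}},
]

# The whitelist filter settings from the policy on this page.
WHITELIST: Dict = {
    "key": "principalName",
    "users": ["account1@sample.com", "account2@sample.com"],
    "permissions": {"keys": ["get"], "secrets": ["get"], "certificates": ["get"]},
}


def _norm(perms: Optional[List[str]]) -> set:
    """Lower-case a permission list so 'Get' and 'get' compare equal (assumption)."""
    return {p.lower() for p in (perms or [])}


def excess_permissions(granted: Dict, allowed: Dict) -> List[str]:
    """Return the granted permissions not covered by `allowed`, as 'kind:permission'.

    A kind absent from `allowed` permits nothing, so every grant on it is excess.
    """
    extra: List[str] = []
    for kind in KINDS:
        over = _norm(granted.get(kind)) - _norm(allowed.get(kind))
        extra.extend(f"{kind}:{p}" for p in sorted(over))
    return extra


def violations(access_policies: List[Dict], spec: Dict) -> List[Tuple[str, str]]:
    """Every access policy that breaks the allow-list, with the reason.

    `spec` has the shape of the filter block: key, users, permissions. When
    `permissions` is omitted only the user list is enforced.
    """
    key = spec["key"]
    users = {u.lower() for u in spec.get("users", [])}
    allowed = spec.get("permissions")
    found: List[Tuple[str, str]] = []
    for ap in access_policies:
        principal = str(ap.get(key, ""))
        if principal.lower() not in users:
            found.append((principal, "principal not in whitelist"))
            continue
        if allowed is not None:
            extra = excess_permissions(ap.get("permissions", {}), allowed)
            if extra:
                found.append((principal, "excess permissions: " + ", ".join(extra)))
    return found


def whitelist_matches(access_policies: List[Dict], spec: Dict) -> bool:
    """What `type: whitelist` reports for one vault: True only if no access
    policy violates the allow-list. The page's policy wraps this in `not`, so a
    vault is selected exactly when this returns False."""
    return not violations(access_policies, spec)


if __name__ == "__main__":
    # Flag the sample vault the way the `not: [whitelist]` policy would.
    if not whitelist_matches(SAMPLE_ACCESS_POLICIES, WHITELIST):
        for principal, reason in violations(SAMPLE_ACCESS_POLICIES, WHITELIST):
            print(f"{principal}: {reason}")
```

Run stand-alone, the script reports account2@sample.com for the extra list permission on keys and contractor@other.com for not being in the user list; a vault whose only access policy is account1@sample.com passes the allow-list and would not be selected by the not: whitelist policy.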

Actions

update-access-policy

Updates the access policies of the matched Key Vaults. Each entry in access-policies names a principal by tenant-id and object-id together with the key, secret and certificate permissions to grant it; operation is add to merge these entries into the vault's existing access policies, or replace to substitute them for the existing ones. The example below adds the Get and List key permissions to all keyvaults:

policies:
  - name: azure-keyvault-update-access-policies
    resource: azure.keyvault
    description: |
      Add key get and list to all keyvault access policies
    actions:
     - type: update-access-policy
       operation: add
       access-policies:
        - tenant-id: 00000000-0000-0000-0000-000000000000
          object-id: 11111111-1111-1111-1111-111111111111
          permissions:
            keys:
              - Get
              - List

properties:
  access-policies:
    items:
      object-id:
        type: string
      permissions:
        certificates:
          items:
            type: string
          type: array
        keys:
          items:
            type: string
          type: array
        secrets:
          items:
            type: string
          type: array
        type: object
      tenant-id:
        type: string
      type: object
    type: array
  operation:
    enum:
    - add
    - replace
    type: string
  type:
    enum:
    - update-access-policy
required:
- operation
- access-policies
- type