azure.keyvault¶
Key Vault Resource
- example:
  This policy will find all KeyVaults with 10 or fewer API hits over the last 72 hours

  policies:
    - name: inactive-keyvaults
      resource: azure.keyvault
      filters:
        - type: metric
          metric: ServiceApiHit
          op: le   # "10 or fewer": the total over the timeframe must be <= threshold
          aggregation: total
          threshold: 10
          timeframe: 72
- example:
  This policy will find all KeyVaults where Service Principals have access permissions that exceed read-only.

  policies:
    - name: policy
      description:
        Ensure only authorized people have an access
      resource: azure.keyvault
      filters:
        - not:
          - type: whitelist
            key: principalName
            users:
              - account1@sample.com
              - account2@sample.com
            permissions:
              keys:
                - get
              secrets:
                - get
              certificates:
                - get
- example:
  This policy will find all KeyVaults and add get and list permissions for keys.

  policies:
    - name: policy
      description:
        Add get and list permissions to keys access policy
      resource: azure.keyvault
      actions:
        - type: update-access-policy
          operation: add
          access-policies:
            - tenant-id: 00000000-0000-0000-0000-000000000000
              object-id: 11111111-1111-1111-1111-111111111111
              permissions:
                keys:
                  - get
                  - list
Filters¶
advisor-recommendation¶
Filter resources by Azure Advisor recommendations. Use the category 'all' to select recommendations from every category.
- example:

  policies:
    - name: disks-with-cost-recommendations
      resource: azure.disk
      filters:
        - type: advisor-recommendation
          category: Cost
          key: '[].properties.recommendationTypeId'
          op: contains
          value: '48eda464-1485-4dcf-a674-d0905df5054a'

properties:
  category:
    type: string
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - advisor-recommendation
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - category
  - type
firewall-bypass¶
Filters resources by their firewall bypass rules.
- example:
  This policy will find all KeyVaults with the AzureServices firewall bypass rule enabled

  policies:
    - name: keyvault-bypass
      resource: azure.keyvault
      filters:
        - type: firewall-bypass
          mode: equal
          list:
            - AzureServices

properties:
  list:
    items:
      enum:
        - AzureServices
    type: array
  mode:
    enum:
      - include
      - equal
      - any
      - only
  type:
    enum:
      - firewall-bypass
required:
  - mode
  - list
  - type
whitelist¶
Parent base class for filters and actions.

properties:
  key:
    type: string
  permissions:
    certificates:
      type: array
    keys:
      type: array
    secrets:
      type: array
  type:
    enum:
      - whitelist
  users:
    type: array
required:
  - key
  - type
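The following is an added example, not Cloud Custodian's own code, that re-implements the check the `whitelist` filter expresses (as used in the `not:` example near the top of the page) against constructed access-policy records. The semantics are my reading of the filter's schema and are an assumption: an access policy is compliant when the principal found under `key` is in `users` and each of its `keys`/`secrets`/`certificates` permission lists is a subset of the allowed `permissions`; a vault matches the filter only when every access policy is compliant, so wrapping it in `not:` selects vaults with an unknown or over-privileged principal.

```python
# Added illustration of the `whitelist` filter logic (not c7n_azure's implementation).
# Semantics assumed: principal must be in `users`, and every permission kind
# granted must be a subset of the allowed permissions for that kind.
from typing import Dict, List

PERMISSION_KINDS = ("keys", "secrets", "certificates")

# Filter configuration, copied from the page's `not: - type: whitelist` example.
WHITELIST_CONFIG = {
    "key": "principalName",
    "users": ["account1@sample.com", "account2@sample.com"],
    "permissions": {"keys": ["get"], "secrets": ["get"], "certificates": ["get"]},
}

# Constructed sample data: access policies of three vaults, with the object ids
# already resolved to principal names (the filter's `key` is principalName).
SAMPLE_VAULTS = {
    "kv-prod": [
        {"principalName": "account1@sample.com",
         "permissions": {"keys": ["get"], "secrets": ["get"], "certificates": []}},
        {"principalName": "account2@sample.com",
         "permissions": {"keys": ["get", "list"], "secrets": ["get"], "certificates": ["get"]}},
    ],
    "kv-dev": [
        {"principalName": "account1@sample.com",
         "permissions": {"keys": ["get"], "secrets": ["get"], "certificates": ["get"]}},
    ],
    "kv-shared": [
        {"principalName": "contractor@other.com",
         "permissions": {"keys": ["get"], "secrets": [], "certificates": []}},
    ],
}


def policy_violations(access_policy: dict, config: dict) -> List[str]:
    """Reasons a single access policy fails the whitelist; empty list when compliant."""
    reasons = []
    principal = access_policy.get(config["key"])
    if principal not in config["users"]:
        reasons.append(f"principal {principal!r} not in whitelist")
    allowed = config.get("permissions", {})
    for kind in PERMISSION_KINDS:
        # Permission names are compared case-insensitively (Get == get).
        granted = {p.lower() for p in access_policy.get("permissions", {}).get(kind, [])}
        extra = granted - {p.lower() for p in allowed.get(kind, [])}
        if extra:
            reasons.append(f"{principal}: {kind} permissions exceed allowed: {sorted(extra)}")
    return reasons


def vault_is_whitelisted(access_policies: List[dict], config: dict) -> bool:
    """True when every access policy on the vault is compliant (the filter matches)."""
    return all(not policy_violations(ap, config) for ap in access_policies)


def find_non_compliant_vaults(vaults: Dict[str, List[dict]], config: dict) -> Dict[str, List[str]]:
    """Equivalent of wrapping the filter in `not:`: vaults with at least one violation."""
    result = {}
    for name, policies in vaults.items():
        reasons = [r for ap in policies for r in policy_violations(ap, config)]
        if reasons:
            result[name] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in find_non_compliant_vaults(SAMPLE_VAULTS, WHITELIST_CONFIG).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run as a script it reports kv-prod (account2 holds `list` on keys, beyond the read-only allowance) and kv-shared (a principal that is not in `users`), while kv-dev is left alone. The same structure is useful for reviewing exported access policies offline before deciding whether a `replace` operation is needed.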
Actions¶
update-access-policy¶
Adds Get and List key access policy to all keyvaults
policies:
  - name: azure-keyvault-update-access-policies
    resource: azure.keyvault
    description: |
      Add key get and list to all keyvault access policies
    actions:
      - type: update-access-policy
        operation: add
        access-policies:
          - tenant-id: 00000000-0000-0000-0000-000000000000
            object-id: 11111111-1111-1111-1111-111111111111
            permissions:
              keys:
                - Get
                - List

properties:
  access-policies:
    items:
      object-id:
        type: string
      permissions:
        certificates:
          items:
            type: string
          type: array
        keys:
          items:
            type: string
          type: array
        secrets:
          items:
            type: string
          type: array
        type: object
      tenant-id:
        type: string
      type: object
    type: array
  operation:
    enum:
      - add
      - replace
    type: string
  type:
    enum:
      - update-access-policy
required:
  - operation
  - access-policies
  - type
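The next block is an added example, not Cloud Custodian's code, that models what the two `operation` values of `update-access-policy` do to a vault's access-policy list. The merge semantics are an assumption based on how the Azure access-policy update operation kinds are generally understood: `add` merges the requested permissions into the existing entry for the same tenant-id/object-id (or appends a new entry), while `replace` overwrites that entry's permissions with exactly what was requested. The starting vault state is constructed; the action configuration is the page's own example, including its placeholder tenant and object ids.

```python
# Added illustration of `update-access-policy` add/replace semantics (not c7n_azure's code).
# Assumed: `add` = union of permissions per kind for a matching entry, `replace` = overwrite.
from copy import deepcopy
from typing import Dict, List

PERMISSION_KINDS = ("keys", "secrets", "certificates")

# Placeholder ids copied from the page's example policy.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
TARGET_OBJECT_ID = "11111111-1111-1111-1111-111111111111"

# The page's example action, as the action block of a policy would carry it.
ACTION_CONFIG = {
    "operation": "add",
    "access-policies": [
        {"tenant-id": TENANT_ID, "object-id": TARGET_OBJECT_ID,
         "permissions": {"keys": ["Get", "List"]}},
    ],
}

# Constructed sample: the vault already grants the target principal `decrypt` on keys
# and `get` on secrets, and has one unrelated principal that must stay untouched.
SAMPLE_VAULT_POLICIES = [
    {"tenant-id": TENANT_ID, "object-id": TARGET_OBJECT_ID,
     "permissions": {"keys": ["decrypt"], "secrets": ["get"]}},
    {"tenant-id": TENANT_ID, "object-id": "22222222-2222-2222-2222-222222222222",
     "permissions": {"secrets": ["get", "list"]}},
]


def _normalize(perms: dict) -> Dict[str, List[str]]:
    """Lower-case, de-duplicate and sort every permission kind so comparisons are stable."""
    return {k: sorted({p.lower() for p in perms.get(k, [])}) for k in PERMISSION_KINDS}


def update_access_policies(existing: List[dict], operation: str,
                           access_policies: List[dict]) -> List[dict]:
    """Return a new access-policy list after applying `operation` to `existing`.

    The input list is not modified; a deep copy is updated and returned.
    """
    if operation not in ("add", "replace"):
        raise ValueError(f"unsupported operation {operation!r}")
    result = deepcopy(existing)
    index = {(ap["tenant-id"], ap["object-id"]): ap for ap in result}
    for requested in access_policies:
        ident = (requested["tenant-id"], requested["object-id"])
        wanted = _normalize(requested.get("permissions", {}))
        current = index.get(ident)
        if current is None:
            # No entry for this principal yet: both operations create one.
            entry = {"tenant-id": ident[0], "object-id": ident[1], "permissions": wanted}
            result.append(entry)
            index[ident] = entry
        elif operation == "add":
            merged = _normalize(current.get("permissions", {}))
            for kind in PERMISSION_KINDS:
                merged[kind] = sorted(set(merged[kind]) | set(wanted[kind]))
            current["permissions"] = merged
        else:
            # replace: whatever the entry had before is dropped in favour of the request.
            current["permissions"] = wanted
    return result


def permissions_for(policies: List[dict], object_id: str) -> Dict[str, List[str]]:
    """Normalized permissions of the entry for `object_id` (empty kinds if absent)."""
    for ap in policies:
        if ap["object-id"] == object_id:
            return _normalize(ap.get("permissions", {}))
    return _normalize({})


if __name__ == "__main__":
    for op in ("add", "replace"):
        updated = update_access_policies(SAMPLE_VAULT_POLICIES, op, ACTION_CONFIG["access-policies"])
        print(op, "->", permissions_for(updated, TARGET_OBJECT_ID))
```

The contrast is the practical point of the `operation` field: `add` leaves the principal's pre-existing `decrypt` key permission and `get` secret permission in place and only grows the grant, whereas `replace` leaves the principal with exactly `get` and `list` on keys and nothing else. Review the current grants first (the whitelist check above the Actions section is one way) before choosing `replace`, since it silently removes permissions the request did not mention.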