azure.keyvault

Key Vault Resource

example:

This policy will find all KeyVaults with 10 or less API Hits over the last 72 hours

policies:
  - name: inactive-keyvaults
    resource: azure.keyvault
    filters:
      - type: metric
        metric: ServiceApiHit
        op: ge
        aggregation: total
        threshold: 10
        timeframe: 72
example:

This policy will find all KeyVaults where Service Principals that have access permissions that exceed read-only.

policies:
    - name: policy
      description:
        Ensure only authorized people have an access
      resource: azure.keyvault
      filters:
        - not:
          - type: whitelist
            key: principalName
            users:
              - account1@sample.com
              - account2@sample.com
            permissions:
              keys:
                - get
              secrets:
                - get
              certificates:
                - get
example:

This policy will find all KeyVaults and add get and list permissions for keys.

policies:
    - name: policy
      description:
        Add get and list permissions to keys access policy
      resource: azure.keyvault
      actions:
        - type: update-access-policy
          operation: add
          access-policies:
            - tenant-id: 00000000-0000-0000-0000-000000000000
              object-id: 11111111-1111-1111-1111-111111111111
              permissions:
                keys:
                  - get
                  - list

Filters

advisor-recommendation

Filter resources by Azure Advisor Recommendations

Select all categories with ‘all’

example:

policies:
  - name: disks-with-cost-recommendations
    resource: azure.disk
    filters:
      - type: advisor-recommendation
        category: Cost
        key: '[].properties.recommendationTypeId'
        op: contains
        value: '48eda464-1485-4dcf-a674-d0905df5054a'
properties:
  category:
    type: string
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - advisor-recommendation
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- category
- type

firewall-bypass

Filters resources by the firewall bypass rules.

example:

This policy will find all KeyVaults with enabled Azure Services bypass rules

policies:
  - name: keyvault-bypass
    resource: azure.keyvault
    filters:
      - type: firewall-bypass
        mode: equal
        list:
            - AzureServices
properties:
  list:
    items:
      enum:
      - AzureServices
    type: array
  mode:
    enum:
    - include
    - equal
    - any
    - only
  type:
    enum:
    - firewall-bypass
required:
- mode
- list
- type

whitelist

Parent base class for filters and actions.

properties:
  key:
    type: string
  permissions:
    certificates:
      type: array
    keys:
      type: array
    secrets:
      type: array
  type:
    enum:
    - whitelist
  users:
    type: array
required:
- key
- type

Actions

update-access-policy

Adds Get and List key access policy to all keyvaults

policies:
  - name: azure-keyvault-update-access-policies
    resource: azure.keyvault
    description: |
      Add key get and list to all keyvault access policies
    actions:
     - type: update-access-policy
       operation: add
       access-policies:
        - tenant-id: 00000000-0000-0000-0000-000000000000
          object-id: 11111111-1111-1111-1111-111111111111
          permissions:
            keys:
              - Get
              - List
properties:
  access-policies:
    items:
      object-id:
        type: string
      permissions:
        certificates:
          items:
            type: string
          type: array
        keys:
          items:
            type: string
          type: array
        secrets:
          items:
            type: string
          type: array
        type: object
      tenant-id:
        type: string
      type: object
    type: array
  operation:
    enum:
    - add
    - replace
    type: string
  type:
    enum:
    - update-access-policy
required:
- operation
- access-policies
- type