Turbot Guardrails Hub 

Resource Type: Azure > Key Vault > Vault

The Vault resource type is a secure storage service that allows you to protect and manage cryptographic keys and secrets, which can be used to secure cloud applications and services.

Resource Context

Vault is a part of the Key Vault service.

Each Vault lives under a Resource Group.

Controls

The primary controls for Azure > Key Vault > Vault are:

  • Active
  • Allowed
  • Approved
  • CMDB
  • Discovery
  • Purge Protection
  • ServiceNow
  • Stack [Native]
  • Tags

It is also targeted by these controls:

  • Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.7 Ensure that logging for Azure KeyVault is 'Enabled' (Scored)
  • Azure > CIS v1 > 8 Other Security Considerations > 8.01 Ensure that the expiration date is set on all keys (Scored)
  • Azure > CIS v1 > 8 Other Security Considerations > 8.02 Ensure that the expiration date is set on all secrets (Scored)
  • Azure > CIS v1 > 8 Other Security Considerations > 8.04 Ensure the key vault is recoverable (Scored)
  • Azure > CIS v1.2 > 8 - Other Security Considerations > 8.01 - Ensure that the expiration date is set on all keys (Scored)
  • Azure > CIS v1.2 > 8 - Other Security Considerations > 8.02 - Ensure that the expiration date is set on all secrets (Scored)
  • Azure > CIS v1.2 > 8 - Other Security Considerations > 8.04 - Ensure the key vault is recoverable (Scored)
  • Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.05 - Ensure that logging for Azure Key Vault is 'Enabled'
  • Azure > CIS v2.0 > 08 - Key Vault > 8.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
  • Azure > CIS v2.0 > 08 - Key Vault > 8.05 - Ensure the key vault is recoverable
  • Azure > CIS v2.0 > 08 - Key Vault > 8.06 - Ensure Role Based Access Control for Azure Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.07 - Ensure that Private Endpoints are Used for Azure Key Vault
  • Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
  • Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.05 - Ensure the Key Vault is Recoverable
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.06 - Enable Role Based Access Control for Azure Key Vault
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.07 - Ensure that Private Endpoints are Used for Azure Key Vault
  • Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
  • Azure > CIS v3.0 > 06 - Logging & Monitoring > 06.01 - Configuring Diagnostic Settings > 06.01.04 - Ensure that logging for Azure Key Vault is 'Enabled'
  • Azure > CIS v3.0 > 09 - Application Services > 09.11 - Ensure Azure Key Vaults are Used to Store Secrets
  • Azure > CIS v4.0 > 07 - Management and Governance > 07.01 - Logging and Monitoring > 07.01.01 - Configuring Diagnostic Settings > 07.01.01.04 - Ensure that logging for Azure Key Vault is 'Enabled'
  • Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
  • Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
  • Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
  • Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
  • Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.05 - Ensure the Key Vault is Recoverable
  • Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.06 - Ensure that Role Based Access Control for Azure Key Vault is enabled
  • Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.07 - Ensure that Public Network Access when using Private Endpoint is disabled
  • Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.08 - Ensure that Private Endpoints are Used for Azure Key Vault
  • Azure > CIS v4.0 > 09 - Security Services > 09.03 - Key Vault > 09.03.10 - Ensure that Azure Key Vault Managed HSM is used when required
  • Azure > CIS v5.0 > 6 - Management and Governance Services > 6.01 - Logging and Monitoring > 6.01.01 - Configuring Diagnostic Settings > 6.01.01.04 - Ensure that logging for Azure Key Vault is 'Enabled'
  • Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
  • Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
  • Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
  • Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
  • Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.05 - Ensure 'Purge protection' is set to 'Enabled'
  • Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.06 - Ensure that Role Based Access Control for Azure Key Vault is enabled
  • Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.07 - Ensure Public Network Access is Disabled
  • Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.08 - Ensure Private Endpoints are used to access Azure Key Vault
  • Azure > CIS v5.0 > 8 - Security Services > 8.03 - Key Vault > 8.03.10 - Ensure that Azure Key Vault Managed HSM is used when required
  • Azure > Key Vault > Certificate > Discovery
  • Azure > Key Vault > Key > Discovery
  • Azure > Key Vault > Secret > Discovery

Quick Actions

  • Delete
  • Router
  • Set Tags
  • Update Purge Protection

Category

  • Security

In Your Workspace

  • Controls by Resource Type report
  • Policy Settings by Resource Type report
  • Resources by Resource Type report

Developers

  • Resource Type URI
    • tmod:@turbot/azure-keyvault#/resource/types/vault
  • Category URI
    • tmod:@turbot/turbot#/resource/categories/security
  • GraphQL
    • query resource(id: "tmod:@turbot/azure-keyvault#/resource/types/vault") { … }
    • query resourceActivities(filter: "resourceId:'tmod:@turbot/azure-keyvault#/resource/types/vault'") { … }
    • mutation createResource(input: { … })
    • mutation updateResource(input: { … })
  • CLI
    • Get Resource
    • turbot graphql resource --id "tmod:@turbot/azure-keyvault#/resource/types/vault"
  • Steampipe Query
    • Get Resource
    • select * from guardrails_resource where resource_type_uri = 'tmod:@turbot/azure-keyvault#/resource/types/vault';
    • Get Policy Settings (By Resource ID)
    • select * from guardrails_policy_setting where filter = 'resourceTypeId:"tmod:@turbot/azure-keyvault#/resource/types/vault"';
    • Get Resource Notification
    • select * from guardrails_notification where resource_type_uri = 'tmod:@turbot/azure-keyvault#/resource/types/vault' and notification_type in ('resource_updated', 'resource_created');