Resource Type: Azure > Key Vault > Vault

Resource Context

Vault is a part of the Key Vault service.

Each Vault lives under a Resource Group.

Controls

The primary controls for Azure > Key Vault > Vault are:

• Active
• Approved
• CMDB
• Discovery
• Purge Protection
• ServiceNow
• Tags

It is also targeted by these controls:

• Azure > CIS v1 > 5 Logging and Monitoring > 5.1 Configuring Log Profile > 5.1.7 Ensure that logging for Azure KeyVault is 'Enabled' (Scored)
• Azure > CIS v1 > 8 Other Security Considerations > 8.01 Ensure that the expiration date is set on all keys (Scored)
• Azure > CIS v1 > 8 Other Security Considerations > 8.02 Ensure that the expiration date is set on all secrets (Scored)
• Azure > CIS v1 > 8 Other Security Considerations > 8.04 Ensure the key vault is recoverable (Scored)
• Azure > CIS v1.2 > 8 - Other Security Considerations > 8.01 - Ensure that the expiration date is set on all keys (Scored)
• Azure > CIS v1.2 > 8 - Other Security Considerations > 8.02 - Ensure that the expiration date is set on all secrets (Scored)
• Azure > CIS v1.2 > 8 - Other Security Considerations > 8.04 - Ensure the key vault is recoverable (Scored)
• Azure > CIS v2.0 > 05 - Logging and Monitoring > 5.01 - Configuring Diagnostic Settings > 5.01.05 - Ensure that logging for Azure Key Vault is 'Enabled'
• Azure > CIS v2.0 > 08 - Key Vault > 8.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults
• Azure > CIS v2.0 > 08 - Key Vault > 8.02 - Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults
• Azure > CIS v2.0 > 08 - Key Vault > 8.03 - Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults
• Azure > CIS v2.0 > 08 - Key Vault > 8.04 - Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults
• Azure > CIS v2.0 > 08 - Key Vault > 8.05 - Ensure the key vault is recoverable
• Azure > CIS v2.0 > 08 - Key Vault > 8.06 - Ensure Role Based Access Control for Azure Key Vault
• Azure > CIS v2.0 > 08 - Key Vault > 8.07 - Ensure that Private Endpoints are Used for Azure Key Vault
• Azure > CIS v2.0 > 08 - Key Vault > 8.08 - Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
• Azure > CIS v2.0 > 09 - Application Services > 9.11 - Ensure Azure Key Vaults are Used to Store Secrets
• Azure > Key Vault > Key > Discovery
• Azure > Key Vault > Secret > Discovery

Category

• Security

In Your Workspace

• Controls by Resource Type report
• Policy Settings by Resource Type report
• Resources by Resource Type report

Developers

Resource Type URI

tmod:@turbot/azure-keyvault#/resource/types/vault

Category URI

tmod:@turbot/turbot#/resource/categories/security

GraphQL

query resource(id: "tmod:@turbot/azure-keyvault#/resource/types/vault") { … }

query resourceActivities(filter: "resourceId:'tmod:@turbot/azure-keyvault#/resource/types/vault'") { … }

mutation createResource(input: { … })

mutation updateResource(input: { … })

CLI

Get Resource

turbot graphql resource --id "tmod:@turbot/azure-keyvault#/resource/types/vault"

Steampipe Query

Get Resource

select * from guardrails_resource where resource_type_uri = 'tmod:@turbot/azure-keyvault#/resource/types/vault';

Get Policy Settings (By Resource ID)

select * from guardrails_policy_setting where filter = 'resourceTypeId:"tmod:@turbot/azure-keyvault#/resource/types/vault"';

Get Resource Notification

select * from guardrails_notification where resource_type_uri = 'tmod:@turbot/azure-keyvault#/resource/types/vault' and notification_type in ('resource_updated', 'resource_created');