azure.keyvault

Key Vault Resource

example:

This policy will find all KeyVaults with 10 or less API Hits over the last 72 hours

policies:
  - name: inactive-keyvaults
    resource: azure.keyvault
    filters:
      - type: metric
        metric: ServiceApiHit
        op: ge
        aggregation: total
        threshold: 10
        timeframe: 72

example:

This policy will find all KeyVaults where Service Principals that have access permissions that exceed read-only.

policies:
    - name: policy
      description:
        Ensure only authorized people have an access
      resource: azure.keyvault
      filters:
        - not:
          - type: whitelist
            key: principalName
            users:
              - account1@sample.com
              - account2@sample.com
            permissions:
              keys:
                - get
              secrets:
                - get
              certificates:
                - get

example:

This policy will find all KeyVaults and add get and list permissions for keys.

policies:
    - name: policy
      description:
        Add get and list permissions to keys access policy
      resource: azure.keyvault
      actions:
        - type: update-access-policy
          operation: add
          access-policies:
            - tenant-id: 00000000-0000-0000-0000-000000000000
              object-id: 11111111-1111-1111-1111-111111111111
              permissions:
                keys:
                  - get
                  - list

Filters

advisor-recommendation

cost

diagnostic-settings

event

firewall-bypass

firewall-rules

list-item

marked-for-op

metric

offhour

onhour

policy-compliant

reduce

resource-lock

value

whitelist

advisor-recommendation

Filter resources by Azure Advisor Recommendations

Select all categories with ‘all’

example:

policies:
  - name: disks-with-cost-recommendations
    resource: azure.disk
    filters:
      - type: advisor-recommendation
        category: Cost
        key: '[].properties.recommendationTypeId'
        op: contains
        value: '48eda464-1485-4dcf-a674-d0905df5054a'

firewall-bypass

Filters resources by the firewall bypass rules.

example:

This policy will find all KeyVaults with enabled Azure Services bypass rules

policies:
  - name: keyvault-bypass
    resource: azure.keyvault
    filters:
      - type: firewall-bypass
        mode: equal
        list:
            - AzureServices

whitelist

Parent base class for filters and actions.

Actions

auto-tag-date

auto-tag-user

delete

lock

logic-app

mark-for-op

notify

tag

tag-trim

untag

update-access-policy

webhook

update-access-policy

Adds Get and List key access policy to all keyvaults

policies:
  - name: azure-keyvault-update-access-policies
    resource: azure.keyvault
    description: |
      Add key get and list to all keyvault access policies
    actions:
     - type: update-access-policy
       operation: add
       access-policies:
        - tenant-id: 00000000-0000-0000-0000-000000000000
          object-id: 11111111-1111-1111-1111-111111111111
          permissions:
            keys:
              - Get
              - List