🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
13Dashboards
1311Benchmarks
430Queries
2Variables
GitHub

Control: Ensure the key vault is recoverable

Description

The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.keyvault_vault_recoverable

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.keyvault_vault_recoverable --share

SQL

This control uses a named query:

select
  kv.id as resource,
  case
    when soft_delete_enabled and purge_protection_enabled then 'ok'
    else 'alarm'
  end as status,
  case
    when not soft_delete_enabled and not purge_protection_enabled then name || ' "soft delete" and "do not purge" not enabled.'
    when not soft_delete_enabled then name || ' "soft delete" not enabled.'
    when not purge_protection_enabled then name || ' "do not purge" not enabled.'
    else name || ' "soft delete" and "do not purge" enabled.'
  end as reason
  
  , kv.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_key_vault kv,
  azure_subscription sub
where
  sub.subscription_id = kv.subscription_id;

Tags

service = Azure/KeyVault