Control: Ensure automatic key rotation is enabled within Azure Key Vault
Description
Automated cryptographic key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.keyvault_key_automatic_rotation_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.keyvault_key_automatic_rotation_enabled --share
SQL
This control uses a named query:
with key_rotation_policy as (
  select
    id
  from
    azure_key_vault_key,
    jsonb_array_elements(rotation_policy -> 'lifetimeActions') as lifetimeActions
  where
    lifetimeActions -> 'action' ->> 'type' = 'Rotate'
    and lifetimeActions -> 'trigger' -> 'timeAfterCreate' is not null
)
select
  kvk.id as resource,
  case
    when p.id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.id is not null then vault_name || ' key ' || kvk.name || ' automatic rotation enabled.'
    else vault_name || ' key ' || kvk.name || ' automatic rotation disabled.'
  end as reason,
  kvk.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_key_vault_key kvk
  left join key_rotation_policy as p on p.id = kvk.id
  left join azure_subscription sub on sub.subscription_id = kvk.subscription_id;
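As an added example that is not part of the mod, the Python below applies the same predicate the named query uses (a lifetimeActions entry whose action.type is 'Rotate' and whose trigger carries a timeAfterCreate member) to constructed sample rows, so you can see exactly which policies the control reports as ok; a Rotate action triggered only by timeBeforeExpiry is reported as alarm by this logic. The sample rows, SAMPLE_KEYS, and the two function names are assumptions, not part of the query.

```python
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample rows mirroring the azure_key_vault_key columns the query reads
# (id, vault_name, name, rotation_policy). Hypothetical values, not real resources.
SAMPLE_KEYS: List[Dict[str, Any]] = [
    {"id": "key-1", "vault_name": "vault-a", "name": "signing-key",
     "rotation_policy": {"lifetimeActions": [
         {"action": {"type": "Rotate"}, "trigger": {"timeAfterCreate": "P90D"}}]}},
    {"id": "key-2", "vault_name": "vault-a", "name": "notify-only",
     "rotation_policy": {"lifetimeActions": [
         {"action": {"type": "Notify"}, "trigger": {"timeBeforeExpiry": "P30D"}}]}},
    {"id": "key-3", "vault_name": "vault-b", "name": "expiry-rotate",
     "rotation_policy": {"lifetimeActions": [
         {"action": {"type": "Rotate"}, "trigger": {"timeBeforeExpiry": "P30D"}}]}},
    {"id": "key-4", "vault_name": "vault-b", "name": "no-policy", "rotation_policy": None},
]


def has_rotate_after_create(rotation_policy: Optional[Dict[str, Any]]) -> bool:
    """Same test as the key_rotation_policy CTE: some lifetimeActions entry has
    action.type = 'Rotate' and a trigger.timeAfterCreate member."""
    if not rotation_policy:
        return False
    for entry in rotation_policy.get("lifetimeActions") or []:
        if (entry.get("action") or {}).get("type") != "Rotate":
            continue
        # jsonb '->' yields a JSON null (not SQL NULL) for a key that is present
        # with value null, so the query tests presence of the member, not its value.
        if "timeAfterCreate" in (entry.get("trigger") or {}):
            return True
    return False


def evaluate_control(keys: List[Dict[str, Any]]) -> List[Tuple[str, str, str]]:
    """Return (resource, status, reason) per key, as the control's select does."""
    results = []
    for key in keys:
        enabled = has_rotate_after_create(key.get("rotation_policy"))
        status = "ok" if enabled else "alarm"
        reason = "{} key {} automatic rotation {}.".format(
            key["vault_name"], key["name"], "enabled" if enabled else "disabled")
        results.append((key["id"], status, reason))
    return results


if __name__ == "__main__":
    for resource, status, reason in evaluate_control(SAMPLE_KEYS):
        print(f"{status:5} {resource}: {reason}")
```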