Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
15Dashboards
1471Benchmarks
461Queries
8Variables
GitHub

Query: keyvault_key_automatic_rotation_enabled

Usage

powerpipe query azure_compliance.query.keyvault_key_automatic_rotation_enabled

Steampipe Tables

azure_key_vault_key
azure_subscription
Azure plugin

SQL

with key_rotation_policy as (
  select
    id
  from
    azure_key_vault_key,
    jsonb_array_elements(rotation_policy -> 'lifetimeActions') as lifetimeActions
  where
    lifetimeActions -> 'action' ->> 'type' = 'Rotate'
    and lifetimeActions -> 'trigger' -> 'timeAfterCreate' is not null
)
select
  kvk.id as resource,
  case
    when p.id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.id is not null then vault_name || ' key ' || kvk.name || ' automatic rotation enabled.'
    else vault_name || ' key ' || kvk.name || ' automatic rotation disabled.'
  end as reason
  
  , kvk.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_key_vault_key kvk
  left join key_rotation_policy as p on p.id = kvk.id
  left join  azure_subscription sub on sub.subscription_id = kvk.subscription_id;

Controls

The query is being used by the following controls: