Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
15Dashboards
1471Benchmarks
461Queries
8Variables
GitHub

Query: keyvault_logging_enabled

Usage

powerpipe query azure_compliance.query.keyvault_logging_enabled

Steampipe Tables

azure_key_vault
azure_subscription
Azure plugin

SQL

with audit_logging_details as (
  select
    id
  from
    azure_key_vault,
    jsonb_array_elements(diagnostic_settings) setting,
    jsonb_array_elements(setting -> 'properties' -> 'logs') log
  where
    diagnostic_settings is not null
    and log -> 'categoryGroup' = '"audit"'
    and (log -> 'enabled')::bool = true
),
alllogs_logging_details as (
  select
    id
  from
    azure_key_vault,
    jsonb_array_elements(diagnostic_settings) setting,
    jsonb_array_elements(setting -> 'properties' -> 'logs') log
  where
    diagnostic_settings is not null
    and log -> 'categoryGroup' = '"allLogs"'
    and (log -> 'enabled')::bool = true
)
select
  v.id as resource,
  case
    when v.diagnostic_settings is null then 'alarm'
    when audit.id is not null  and alllogs.id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when v.diagnostic_settings is null then v.name || ' logging not enabled.'
    when audit.id is not null  and alllogs.id is not null then v.name || ' logging enabled.'
    when audit.id is null then v.name || ' logging not enabled for audit category group.'
    when alllogs.id is null then v.name || ' logging not enabled for allLogs category group.'
    else v.name || ' logging not enabled.'
  end as reason
  
  , v.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_key_vault v
  left join audit_logging_details as audit on audit.id = v.id
  left join alllogs_logging_details as alllogs on alllogs.id = v.id,
  azure_subscription sub

Controls

The query is being used by the following controls: