turbot/steampipe-mod-azure-compliance

Query: keyvault_logging_enabled

Usage

powerpipe query azure_compliance.query.keyvault_logging_enabled

SQL

with audit_logging_details as (
select
id
from
azure_key_vault,
jsonb_array_elements(diagnostic_settings) setting,
jsonb_array_elements(setting -> 'properties' -> 'logs') log
where
diagnostic_settings is not null
and log -> 'categoryGroup' = '"audit"'
and (log -> 'enabled')::bool = true
),
alllogs_logging_details as (
select
id
from
azure_key_vault,
jsonb_array_elements(diagnostic_settings) setting,
jsonb_array_elements(setting -> 'properties' -> 'logs') log
where
diagnostic_settings is not null
and log -> 'categoryGroup' = '"allLogs"'
and (log -> 'enabled')::bool = true
)
select
v.id as resource,
case
when v.diagnostic_settings is null then 'alarm'
when audit.id is not null and alllogs.id is not null then 'ok'
else 'alarm'
end as status,
case
when v.diagnostic_settings is null then v.name || ' logging not enabled.'
when audit.id is not null and alllogs.id is not null then v.name || ' logging enabled.'
when audit.id is null then v.name || ' logging not enabled for audit category group.'
when alllogs.id is null then v.name || ' logging not enabled for allLogs category group.'
else v.name || ' logging not enabled.'
end as reason
, v.resource_group as resource_group
, sub.display_name as subscription
from
azure_key_vault v
left join audit_logging_details as audit on audit.id = v.id
left join alllogs_logging_details as alllogs on alllogs.id = v.id,
azure_subscription sub

Controls

The query is being used by the following controls: