Azure Resource Graph sample queries for Azure Key Vault

This page is a collection of Azure Resource Graph sample queries for Azure Key Vault.

Sample queries

Count Key Vault resources

This query uses count instead of summarize to count the number of records returned. Only key vaults are included in the count.

Resources
| where type =~ 'microsoft.keyvault/vaults'
| count

az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | count"

Key vaults without soft delete enabled

This query identifies key vaults that do not have soft delete enabled, a critical security feature that allows recovery of deleted key vault objects.

Resources
| where type =~ 'microsoft.keyvault/vaults'
| where properties.enableSoftDelete == false or isnull(properties.enableSoftDelete)
| project name, resourceGroup, subscriptionId, location, properties.enableSoftDelete

az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | where properties.enableSoftDelete == false or isnull(properties.enableSoftDelete) | project name, resourceGroup, subscriptionId, location, properties.enableSoftDelete"

Key vaults without purge protection enabled

This query finds key vaults that do not have purge protection enabled. Purge protection is recommended for production environments to prevent permanent deletion of key vault objects during the retention period.

Resources
| where type =~ 'microsoft.keyvault/vaults'
| where properties.enablePurgeProtection != true
| project name, resourceGroup, subscriptionId, location, softDeleteEnabled = properties.enableSoftDelete, purgeProtectionEnabled = properties.enablePurgeProtection

az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | where properties.enablePurgeProtection != true | project name, resourceGroup, subscriptionId, location, softDeleteEnabled = properties.enableSoftDelete, purgeProtectionEnabled = properties.enablePurgeProtection"

Key vaults using RBAC authorization

This query lists key vaults that use Azure RBAC for authorization rather than access policies. RBAC authorization is recommended for managing access to the key vault data plane.

Resources
| where type =~ 'microsoft.keyvault/vaults'
| extend rbacEnabled = properties.enableRbacAuthorization
| project name, resourceGroup, subscriptionId, location, rbacEnabled
| where rbacEnabled == true

az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | extend rbacEnabled = properties.enableRbacAuthorization | project name, resourceGroup, subscriptionId, location, rbacEnabled | where rbacEnabled == true"

Key vaults with public network access enabled

This query identifies key vaults that allow public network access. For enhanced security, consider restricting access to specific networks or using private endpoints.

Resources
| where type =~ 'microsoft.keyvault/vaults'
| extend networkDefaultAction = tostring(properties.networkAcls.defaultAction)
| where networkDefaultAction =~ 'Allow' or isnull(networkDefaultAction)
| project name, resourceGroup, subscriptionId, location, networkDefaultAction

az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | extend networkDefaultAction = tostring(properties.networkAcls.defaultAction) | where networkDefaultAction =~ 'Allow' or isnull(networkDefaultAction) | project name, resourceGroup, subscriptionId, location, networkDefaultAction"

Key vault security configuration summary

This query provides a comprehensive security posture summary for all key vaults, including soft delete status, purge protection, RBAC authorization, and network settings.

Resources
| where type =~ 'microsoft.keyvault/vaults'
| extend
    softDeleteEnabled = tobool(properties.enableSoftDelete),
    purgeProtectionEnabled = tobool(properties.enablePurgeProtection),
    rbacEnabled = tobool(properties.enableRbacAuthorization),
    networkDefaultAction = tostring(properties.networkAcls.defaultAction),
    sku = tostring(properties.sku.name)
| project name, resourceGroup, subscriptionId, location, sku, softDeleteEnabled, purgeProtectionEnabled, rbacEnabled, networkDefaultAction
| order by name asc

az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | extend softDeleteEnabled = tobool(properties.enableSoftDelete), purgeProtectionEnabled = tobool(properties.enablePurgeProtection), rbacEnabled = tobool(properties.enableRbacAuthorization), networkDefaultAction = tostring(properties.networkAcls.defaultAction), sku = tostring(properties.sku.name) | project name, resourceGroup, subscriptionId, location, sku, softDeleteEnabled, purgeProtectionEnabled, rbacEnabled, networkDefaultAction | order by name asc"
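The summary query returns one row per vault, but it leaves the verdict to the reader. The following Python script, added here as an example and not part of this page or of the Azure CLI, takes the JSON that `az graph query -o json` prints for the summary query (assumed shape: projected rows under a "data" key, alongside "count", "total_records" and "skip_token") and applies the four predicates used by the soft delete, purge protection, RBAC and public network access queries above, null handling included. The vault rows are constructed sample data, not real resources.

```python
"""Evaluate `az graph query` output against the Key Vault hardening checks above."""
import json

# Constructed sample (not real vaults): the shape mirrors the JSON that
# `az graph query -q "<summary query>" -o json` returns, with the projected
# rows under the "data" key. The query's tobool()/tostring() yield null for
# properties a vault never set, which is why None appears below.
SAMPLE_RESULT = json.dumps({
    "count": 3,
    "data": [
        {"name": "kv-prod-eastus", "resourceGroup": "rg-prod",
         "subscriptionId": "00000000-0000-0000-0000-000000000001",
         "location": "eastus", "sku": "premium",
         "softDeleteEnabled": True, "purgeProtectionEnabled": True,
         "rbacEnabled": True, "networkDefaultAction": "Deny"},
        {"name": "kv-dev-legacy", "resourceGroup": "rg-dev",
         "subscriptionId": "00000000-0000-0000-0000-000000000002",
         "location": "westus", "sku": "standard",
         "softDeleteEnabled": None, "purgeProtectionEnabled": None,
         "rbacEnabled": False, "networkDefaultAction": None},
        {"name": "kv-test-westeu", "resourceGroup": "rg-test",
         "subscriptionId": "00000000-0000-0000-0000-000000000002",
         "location": "westeurope", "sku": "standard",
         "softDeleteEnabled": True, "purgeProtectionEnabled": False,
         "rbacEnabled": True, "networkDefaultAction": "Allow"},
    ],
    "skip_token": None,
    "total_records": 3,
})


def check_vault(row):
    """Return the list of findings for one projected row.

    Each test reproduces the predicate of the corresponding query on this page,
    including how that query treats an unset (null) property.
    """
    findings = []
    # `enableSoftDelete == false or isnull(enableSoftDelete)`
    if row.get("softDeleteEnabled") is not True:
        findings.append("soft-delete-disabled")
    # `enablePurgeProtection != true` (a null value also fails this test)
    if row.get("purgeProtectionEnabled") is not True:
        findings.append("purge-protection-disabled")
    # inverse of `rbacEnabled == true`: the vault still relies on access policies
    if row.get("rbacEnabled") is not True:
        findings.append("access-policy-authorization")
    # `networkDefaultAction =~ 'Allow' or isnull(networkDefaultAction)`;
    # =~ is a case-insensitive comparison in KQL, hence the lower()
    action = row.get("networkDefaultAction")
    if action is None or action.lower() == "allow":
        findings.append("public-network-access")
    return findings


def evaluate(result_json):
    """Map each vault name to its findings; an empty list means every check passed."""
    result = json.loads(result_json)
    return {row["name"]: check_vault(row) for row in result["data"]}


def summarize(report):
    """Count vaults per finding, the way `summarize count() by <finding>` would."""
    counts = {}
    for findings in report.values():
        for finding in findings:
            counts[finding] = counts.get(finding, 0) + 1
    return counts


if __name__ == "__main__":
    report = evaluate(SAMPLE_RESULT)
    for name, findings in sorted(report.items()):
        print(f"{name}: {', '.join(findings) if findings else 'OK'}")
    print(summarize(report))
```

Two points about running this against real output. Resource Graph pages its results, so a large tenant needs `az graph query --first` and `--skip-token` to fetch every row before evaluating; the script only reads the single page it is given. And a vault with no networkAcls block at all lands in the public-network-access finding, which is exactly what the `isnull(networkDefaultAction)` clause of the page's query intends: a missing rule set means the default action is allow.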

Key vaults by location

This query counts key vaults grouped by Azure region, which is useful for understanding the geographic distribution of key management resources.

Resources
| where type =~ 'microsoft.keyvault/vaults'
| summarize count() by location
| order by count_ desc

az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | summarize count() by location | order by count_ desc"

Key vaults by SKU type

This query groups key vaults by their SKU tier (standard or premium). HSM-protected keys require the premium SKU.

Resources
| where type =~ 'microsoft.keyvault/vaults'
| extend skuName = tostring(properties.sku.name)
| summarize count() by skuName

az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | extend skuName = tostring(properties.sku.name) | summarize count() by skuName"

Key vaults with subscription name

The following query demonstrates a more involved use of join (with kind set to leftouter). The query limits the joined table to subscription resources and uses project to include only the original subscriptionId field and the name field renamed to SubName. Renaming the field prevents join from adding it as name1, since a name field already exists in Resources. The original table is filtered with where, and the following project includes columns from both tables. The query result is every key vault, showing the key vault's type, its name, and the name of the subscription it belongs to.

Resources
| join kind=leftouter (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId
| where type == 'microsoft.keyvault/vaults'
| project type, name, SubName

az graph query -q "Resources | join kind=leftouter (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type == 'microsoft.keyvault/vaults' | project type, name, SubName"

Next steps