feat(azure): Checks related to Azure Keyvault (#3430)

poetry.lock

@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.6.1 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.7.1 and should not be changed by hand.
 
 [[package]]
 name = "about-time"
@@ -326,6 +326,24 @@ cryptography = ">=2.5"
 msal = ">=1.24.0,<2.0.0"
 msal-extensions = ">=0.3.0,<2.0.0"
 
+[[package]]
+name = "azure-keyvault-keys"
+version = "4.8.0"
+description = "Microsoft Azure Key Vault Keys Client Library for Python"
+optional = false
+python-versions = ">=3.7"
+files = [
+    {file = "azure-keyvault-keys-4.8.0.zip", hash = "sha256:6c0bb2f783202a34a3e5ec74866e6212e591ac7124f03b9669d1b09b68224bc4"},
+    {file = "azure_keyvault_keys-4.8.0-py3-none-any.whl", hash = "sha256:d1080fa1ffcb3bc16fc3a6b7acce63c8f0e81ad0b498673b2871b162396674f0"},
+]
+
+[package.dependencies]
+azure-common = ">=1.1,<2.0"
+azure-core = ">=1.24.0,<2.0.0"
+cryptography = ">=2.1.4"
+isodate = ">=0.6.1"
+typing-extensions = ">=4.0.1"
+
 [[package]]
 name = "azure-mgmt-applicationinsights"
 version = "4.0.0"
@@ -405,14 +423,30 @@ azure-mgmt-core = ">=1.3.2,<2.0.0"
 isodate = ">=0.6.1,<1.0.0"
 
 [[package]]
-name = "azure-mgmt-network"
-version = "25.2.0"
-description = "Microsoft Azure Network Management Client Library for Python"
+name = "azure-mgmt-keyvault"
+version = "10.3.0"
+description = "Microsoft Azure Key Vault Management Client Library for Python"
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "azure-mgmt-network-25.2.0.tar.gz", hash = "sha256:114c4292d223b1d1e247b41af65b8d5a3793567e6adbfa230772055223f4182a"},
-    {file = "azure_mgmt_network-25.2.0-py3-none-any.whl", hash = "sha256:c76181e79d689df40b8160c4ffa8dd2bbf6ba064ed4d164fdefd8fb53b781641"},
+    {file = "azure-mgmt-keyvault-10.3.0.tar.gz", hash = "sha256:183b4164cf1868b8ea7efeaa98edad7d2a4e14a9bd977c2818b12b75150cd2a2"},
+    {file = "azure_mgmt_keyvault-10.3.0-py3-none-any.whl", hash = "sha256:3410cf6c703e9570ed3c8e9716e483c02b1804adde6ab437ddc8feac4545acd6"},
+]
+
+[package.dependencies]
+azure-common = ">=1.1,<2.0"
+azure-mgmt-core = ">=1.3.2,<2.0.0"
+isodate = ">=0.6.1,<1.0.0"
+
+[[package]]
+name = "azure-mgmt-network"
+version = "25.3.0"
+description = "Microsoft Azure Network Management Client Library for Python"
+optional = false
+python-versions = ">=3.8"
+files = [
+    {file = "azure-mgmt-network-25.3.0.tar.gz", hash = "sha256:dce2cafb1ae0e563e0b5efc537dc98a7c0ad824d4261e64bed75f788196dd5c6"},
+    {file = "azure_mgmt_network-25.3.0-py3-none-any.whl", hash = "sha256:87b5338d14c957bd3a28a5ec85fb74043749d1a16a48cd5978ef51c4a1036af3"},
 ]
 
 [package.dependencies]
@@ -3210,6 +3244,7 @@ files = [
     {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:69b023b2b4daa7548bcfbd4aa3da05b3a74b772db9e23b982788168117739938"},
     {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:81e0b275a9ecc9c0c0c07b4b90ba548307583c125f54d5b6946cfee6360c733d"},
     {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ba336e390cd8e4d1739f42dfe9bb83a3cc2e80f567d8805e11b46f4a943f5515"},
+    {file = "PyYAML-6.0.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:326c013efe8048858a6d312ddd31d56e468118ad4cdeda36c719bf5bb6192290"},
     {file = "PyYAML-6.0.1-cp310-cp310-win32.whl", hash = "sha256:bd4af7373a854424dabd882decdc5579653d7868b8fb26dc7d0e99f823aa5924"},
     {file = "PyYAML-6.0.1-cp310-cp310-win_amd64.whl", hash = "sha256:fd1592b3fdf65fff2ad0004b5e363300ef59ced41c2e6b3a99d4089fa8c5435d"},
     {file = "PyYAML-6.0.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:6965a7bc3cf88e5a1c3bd2e0b5c22f8d677dc88a455344035f03399034eb3007"},
@@ -3217,8 +3252,16 @@ files = [
     {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:42f8152b8dbc4fe7d96729ec2b99c7097d656dc1213a3229ca5383f973a5ed6d"},
     {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:062582fca9fabdd2c8b54a3ef1c978d786e0f6b3a1510e0ac93ef59e0ddae2bc"},
     {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673"},
+    {file = "PyYAML-6.0.1-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:e7d73685e87afe9f3b36c799222440d6cf362062f78be1013661b00c5c6f678b"},
     {file = "PyYAML-6.0.1-cp311-cp311-win32.whl", hash = "sha256:1635fd110e8d85d55237ab316b5b011de701ea0f29d07611174a1b42f1444741"},
     {file = "PyYAML-6.0.1-cp311-cp311-win_amd64.whl", hash = "sha256:bf07ee2fef7014951eeb99f56f39c9bb4af143d8aa3c21b1677805985307da34"},
+    {file = "PyYAML-6.0.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28"},
+    {file = "PyYAML-6.0.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9"},
+    {file = "PyYAML-6.0.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a08c6f0fe150303c1c6b71ebcd7213c2858041a7e01975da3a99aed1e7a378ef"},
+    {file = "PyYAML-6.0.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0"},
+    {file = "PyYAML-6.0.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4"},
+    {file = "PyYAML-6.0.1-cp312-cp312-win32.whl", hash = "sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54"},
+    {file = "PyYAML-6.0.1-cp312-cp312-win_amd64.whl", hash = "sha256:0d3304d8c0adc42be59c5f8a4d9e3d7379e6955ad754aa9d6ab7a398b59dd1df"},
     {file = "PyYAML-6.0.1-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:50550eb667afee136e9a77d6dc71ae76a44df8b3e51e41b77f6de2932bfe0f47"},
     {file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1fe35611261b29bd1de0070f0b2f47cb6ff71fa6595c077e42bd0c419fa27b98"},
     {file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:704219a11b772aea0d8ecd7058d0082713c3562b4e271b849ad7dc4a5c90c13c"},
@@ -3235,6 +3278,7 @@ files = [
     {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a0cd17c15d3bb3fa06978b4e8958dcdc6e0174ccea823003a106c7d4d7899ac5"},
     {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:28c119d996beec18c05208a8bd78cbe4007878c6dd15091efb73a30e90539696"},
     {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7e07cbde391ba96ab58e532ff4803f79c4129397514e1413a7dc761ccd755735"},
+    {file = "PyYAML-6.0.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:49a183be227561de579b4a36efbb21b3eab9651dd81b1858589f796549873dd6"},
     {file = "PyYAML-6.0.1-cp38-cp38-win32.whl", hash = "sha256:184c5108a2aca3c5b3d3bf9395d50893a7ab82a38004c8f61c258d4428e80206"},
     {file = "PyYAML-6.0.1-cp38-cp38-win_amd64.whl", hash = "sha256:1e2722cc9fbb45d9b87631ac70924c11d3a401b2d7f410cc0e3bbf249f2dca62"},
     {file = "PyYAML-6.0.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:9eb6caa9a297fc2c2fb8862bc5370d0303ddba53ba97e71f08023b6cd73d16a8"},
@@ -3242,6 +3286,7 @@ files = [
     {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5773183b6446b2c99bb77e77595dd486303b4faab2b086e7b17bc6bef28865f6"},
     {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b786eecbdf8499b9ca1d697215862083bd6d2a99965554781d0d8d1ad31e13a0"},
     {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bc1bf2925a1ecd43da378f4db9e4f799775d6367bdb94671027b73b393a7c42c"},
+    {file = "PyYAML-6.0.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:04ac92ad1925b2cff1db0cfebffb6ffc43457495c9b3c39d3fcae417d7125dc5"},
     {file = "PyYAML-6.0.1-cp39-cp39-win32.whl", hash = "sha256:faca3bdcf85b2fc05d06ff3fbc1f83e1391b3e724afa3feba7d13eeab355484c"},
     {file = "PyYAML-6.0.1-cp39-cp39-win_amd64.whl", hash = "sha256:510c9deebc5c0225e8c96813043e62b680ba2f9c50a08d3724c7f28a747d1486"},
     {file = "PyYAML-6.0.1.tar.gz", hash = "sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43"},
@@ -3631,24 +3676,24 @@ python-versions = ">=3.6"
 files = [
     {file = "ruamel.yaml.clib-0.2.8-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:b42169467c42b692c19cf539c38d4602069d8c1505e97b86387fcf7afb766e1d"},
     {file = "ruamel.yaml.clib-0.2.8-cp310-cp310-macosx_13_0_arm64.whl", hash = "sha256:07238db9cbdf8fc1e9de2489a4f68474e70dffcb32232db7c08fa61ca0c7c462"},
-    {file = "ruamel.yaml.clib-0.2.8-cp310-cp310-manylinux2014_aarch64.whl", hash = "sha256:d92f81886165cb14d7b067ef37e142256f1c6a90a65cd156b063a43da1708cfd"},
     {file = "ruamel.yaml.clib-0.2.8-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.manylinux_2_24_x86_64.whl", hash = "sha256:fff3573c2db359f091e1589c3d7c5fc2f86f5bdb6f24252c2d8e539d4e45f412"},
+    {file = "ruamel.yaml.clib-0.2.8-cp310-cp310-manylinux_2_24_aarch64.whl", hash = "sha256:aa2267c6a303eb483de8d02db2871afb5c5fc15618d894300b88958f729ad74f"},
     {file = "ruamel.yaml.clib-0.2.8-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:840f0c7f194986a63d2c2465ca63af8ccbbc90ab1c6001b1978f05119b5e7334"},
     {file = "ruamel.yaml.clib-0.2.8-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:024cfe1fc7c7f4e1aff4a81e718109e13409767e4f871443cbff3dba3578203d"},
     {file = "ruamel.yaml.clib-0.2.8-cp310-cp310-win32.whl", hash = "sha256:c69212f63169ec1cfc9bb44723bf2917cbbd8f6191a00ef3410f5a7fe300722d"},
     {file = "ruamel.yaml.clib-0.2.8-cp310-cp310-win_amd64.whl", hash = "sha256:cabddb8d8ead485e255fe80429f833172b4cadf99274db39abc080e068cbcc31"},
     {file = "ruamel.yaml.clib-0.2.8-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:bef08cd86169d9eafb3ccb0a39edb11d8e25f3dae2b28f5c52fd997521133069"},
     {file = "ruamel.yaml.clib-0.2.8-cp311-cp311-macosx_13_0_arm64.whl", hash = "sha256:b16420e621d26fdfa949a8b4b47ade8810c56002f5389970db4ddda51dbff248"},
-    {file = "ruamel.yaml.clib-0.2.8-cp311-cp311-manylinux2014_aarch64.whl", hash = "sha256:b5edda50e5e9e15e54a6a8a0070302b00c518a9d32accc2346ad6c984aacd279"},
     {file = "ruamel.yaml.clib-0.2.8-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.manylinux_2_24_x86_64.whl", hash = "sha256:25c515e350e5b739842fc3228d662413ef28f295791af5e5110b543cf0b57d9b"},
+    {file = "ruamel.yaml.clib-0.2.8-cp311-cp311-manylinux_2_24_aarch64.whl", hash = "sha256:1707814f0d9791df063f8c19bb51b0d1278b8e9a2353abbb676c2f685dee6afe"},
     {file = "ruamel.yaml.clib-0.2.8-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:46d378daaac94f454b3a0e3d8d78cafd78a026b1d71443f4966c696b48a6d899"},
     {file = "ruamel.yaml.clib-0.2.8-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:09b055c05697b38ecacb7ac50bdab2240bfca1a0c4872b0fd309bb07dc9aa3a9"},
     {file = "ruamel.yaml.clib-0.2.8-cp311-cp311-win32.whl", hash = "sha256:53a300ed9cea38cf5a2a9b069058137c2ca1ce658a874b79baceb8f892f915a7"},
     {file = "ruamel.yaml.clib-0.2.8-cp311-cp311-win_amd64.whl", hash = "sha256:c2a72e9109ea74e511e29032f3b670835f8a59bbdc9ce692c5b4ed91ccf1eedb"},
     {file = "ruamel.yaml.clib-0.2.8-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:ebc06178e8821efc9692ea7544aa5644217358490145629914d8020042c24aa1"},
     {file = "ruamel.yaml.clib-0.2.8-cp312-cp312-macosx_13_0_arm64.whl", hash = "sha256:edaef1c1200c4b4cb914583150dcaa3bc30e592e907c01117c08b13a07255ec2"},
-    {file = "ruamel.yaml.clib-0.2.8-cp312-cp312-manylinux2014_aarch64.whl", hash = "sha256:7048c338b6c86627afb27faecf418768acb6331fc24cfa56c93e8c9780f815fa"},
     {file = "ruamel.yaml.clib-0.2.8-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:d176b57452ab5b7028ac47e7b3cf644bcfdc8cacfecf7e71759f7f51a59e5c92"},
+    {file = "ruamel.yaml.clib-0.2.8-cp312-cp312-manylinux_2_24_aarch64.whl", hash = "sha256:1dc67314e7e1086c9fdf2680b7b6c2be1c0d8e3a8279f2e993ca2a7545fecf62"},
     {file = "ruamel.yaml.clib-0.2.8-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:3213ece08ea033eb159ac52ae052a4899b56ecc124bb80020d9bbceeb50258e9"},
     {file = "ruamel.yaml.clib-0.2.8-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:aab7fd643f71d7946f2ee58cc88c9b7bfc97debd71dcc93e03e2d174628e7e2d"},
     {file = "ruamel.yaml.clib-0.2.8-cp312-cp312-win32.whl", hash = "sha256:5c365d91c88390c8d0a8545df0b5857172824b1c604e867161e6b3d59a827eaa"},
@@ -3656,7 +3701,7 @@ files = [
     {file = "ruamel.yaml.clib-0.2.8-cp36-cp36m-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:a5aa27bad2bb83670b71683aae140a1f52b0857a2deff56ad3f6c13a017a26ed"},
     {file = "ruamel.yaml.clib-0.2.8-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:c58ecd827313af6864893e7af0a3bb85fd529f862b6adbefe14643947cfe2942"},
     {file = "ruamel.yaml.clib-0.2.8-cp37-cp37m-macosx_12_0_arm64.whl", hash = "sha256:f481f16baec5290e45aebdc2a5168ebc6d35189ae6fea7a58787613a25f6e875"},
-    {file = "ruamel.yaml.clib-0.2.8-cp37-cp37m-manylinux2014_aarch64.whl", hash = "sha256:3fcc54cb0c8b811ff66082de1680b4b14cf8a81dce0d4fbf665c2265a81e07a1"},
+    {file = "ruamel.yaml.clib-0.2.8-cp37-cp37m-manylinux_2_24_aarch64.whl", hash = "sha256:77159f5d5b5c14f7c34073862a6b7d34944075d9f93e681638f6d753606c6ce6"},
     {file = "ruamel.yaml.clib-0.2.8-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:7f67a1ee819dc4562d444bbafb135832b0b909f81cc90f7aa00260968c9ca1b3"},
     {file = "ruamel.yaml.clib-0.2.8-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:4ecbf9c3e19f9562c7fdd462e8d18dd902a47ca046a2e64dba80699f0b6c09b7"},
     {file = "ruamel.yaml.clib-0.2.8-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:87ea5ff66d8064301a154b3933ae406b0863402a799b16e4a1d24d9fbbcbe0d3"},
@@ -3664,7 +3709,7 @@ files = [
     {file = "ruamel.yaml.clib-0.2.8-cp37-cp37m-win_amd64.whl", hash = "sha256:3f215c5daf6a9d7bbed4a0a4f760f3113b10e82ff4c5c44bec20a68c8014f675"},
     {file = "ruamel.yaml.clib-0.2.8-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:1b617618914cb00bf5c34d4357c37aa15183fa229b24767259657746c9077615"},
     {file = "ruamel.yaml.clib-0.2.8-cp38-cp38-macosx_12_0_arm64.whl", hash = "sha256:a6a9ffd280b71ad062eae53ac1659ad86a17f59a0fdc7699fd9be40525153337"},
-    {file = "ruamel.yaml.clib-0.2.8-cp38-cp38-manylinux2014_aarch64.whl", hash = "sha256:665f58bfd29b167039f714c6998178d27ccd83984084c286110ef26b230f259f"},
+    {file = "ruamel.yaml.clib-0.2.8-cp38-cp38-manylinux_2_24_aarch64.whl", hash = "sha256:305889baa4043a09e5b76f8e2a51d4ffba44259f6b4c72dec8ca56207d9c6fe1"},
     {file = "ruamel.yaml.clib-0.2.8-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:700e4ebb569e59e16a976857c8798aee258dceac7c7d6b50cab63e080058df91"},
     {file = "ruamel.yaml.clib-0.2.8-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:e2b4c44b60eadec492926a7270abb100ef9f72798e18743939bdbf037aab8c28"},
     {file = "ruamel.yaml.clib-0.2.8-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:e79e5db08739731b0ce4850bed599235d601701d5694c36570a99a0c5ca41a9d"},
@@ -3672,7 +3717,7 @@ files = [
     {file = "ruamel.yaml.clib-0.2.8-cp38-cp38-win_amd64.whl", hash = "sha256:56f4252222c067b4ce51ae12cbac231bce32aee1d33fbfc9d17e5b8d6966c312"},
     {file = "ruamel.yaml.clib-0.2.8-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:03d1162b6d1df1caa3a4bd27aa51ce17c9afc2046c31b0ad60a0a96ec22f8001"},
     {file = "ruamel.yaml.clib-0.2.8-cp39-cp39-macosx_12_0_arm64.whl", hash = "sha256:bba64af9fa9cebe325a62fa398760f5c7206b215201b0ec825005f1b18b9bccf"},
-    {file = "ruamel.yaml.clib-0.2.8-cp39-cp39-manylinux2014_aarch64.whl", hash = "sha256:9eb5dee2772b0f704ca2e45b1713e4e5198c18f515b52743576d196348f374d3"},
+    {file = "ruamel.yaml.clib-0.2.8-cp39-cp39-manylinux_2_24_aarch64.whl", hash = "sha256:a1a45e0bb052edf6a1d3a93baef85319733a888363938e1fc9924cb00c8df24c"},
     {file = "ruamel.yaml.clib-0.2.8-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:da09ad1c359a728e112d60116f626cc9f29730ff3e0e7db72b9a2dbc2e4beed5"},
     {file = "ruamel.yaml.clib-0.2.8-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:184565012b60405d93838167f425713180b949e9d8dd0bbc7b49f074407c5a8b"},
     {file = "ruamel.yaml.clib-0.2.8-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:a75879bacf2c987c003368cf14bed0ffe99e8e85acfa6c0bfffc21a090f16880"},
@@ -4318,4 +4363,4 @@ testing = ["big-O", "jaraco.functools", "jaraco.itertools", "more-itertools", "p
 [metadata]
 lock-version = "2.0"
 python-versions = ">=3.9,<3.13"
-content-hash = "413c7498fb6495b69f8a06f45420b3763dff0894cea1ea8fa7ec718ad120fc1b"
+content-hash = "d565dc4ad16675872bd95eb204de0cecd164e3480d46db3ca7042182dd812c37"

prowler/providers/azure/services/keyvault/keyvault_client.py

@@ -0,0 +1,4 @@
+from prowler.providers.azure.lib.audit_info.audit_info import azure_audit_info
+from prowler.providers.azure.services.keyvault.keyvault_service import KeyVault
+
+keyvault_client = KeyVault(azure_audit_info)

prowler/providers/azure/services/keyvault/keyvault_key_expiration_set_in_non_rbac/keyvault_key_expiration_set_in_non_rbac.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "keyvault_key_expiration_set_in_non_rbac",
+  "CheckTitle": "Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults.",
+  "CheckType": [],
+  "ServiceName": "keyvault",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "KeyVault",
+  "Description": "Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.",
+  "Risk": "Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for a cryptographic operation. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.",
+  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis",
+  "Remediation": {
+    "Code": {
+      "CLI": "az keyvault key set-attributes --name <keyName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z'",
+      "NativeIaC": "",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/KeyVault/key-expiration-check.html#",
+      "Terraform": "https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-keys#terraform"
+    },
+    "Recommendation": {
+      "Text": "From Azure Portal: 1. Go to Key vaults. 2. For each Key vault, click on Keys. 3. In the main pane, ensure that an appropriate Expiration date is set for any keys that are Enabled. From Azure CLI: Update the Expiration date for the key using the below command: az keyvault key set-attributes --name <keyName> --vault-name <vaultName> -- expires Y-m-d'T'H:M:S'Z' Note: To view the expiration date on all keys in a Key Vault using Microsoft API, the 'List' Key permission is required. To update the expiration date for the keys: 1. Go to the Key vault, click on Access Control (IAM). 2. Click on Add role assignment and assign the role of Key Vault Crypto Officer to the appropriate user. From PowerShell: Set-AzKeyVaultKeyAttribute -VaultName <VaultName> -Name <KeyName> -Expires <DateTime>",
+      "Url": "https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Keys cannot be used beyond their assigned expiration dates respectively. Keys need to be rotated periodically wherever they are used."
+}

prowler/providers/azure/services/keyvault/keyvault_key_expiration_set_in_non_rbac/keyvault_key_expiration_set_in_non_rbac.py

@@ -0,0 +1,30 @@
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.keyvault.keyvault_client import keyvault_client
+
+
+class keyvault_key_expiration_set_in_non_rbac(Check):
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+        for subscription, key_vaults in keyvault_client.key_vaults.items():
+            for keyvault in key_vaults:
+                if not keyvault.properties.enable_rbac_authorization and keyvault.keys:
+                    report = Check_Report_Azure(self.metadata())
+                    report.subscription = subscription
+                    report.resource_name = keyvault.name
+                    report.resource_id = keyvault.id
+                    report.status = "PASS"
+                    report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has all the keys with expiration date set."
+                    has_key_without_expiration = False
+                    for key in keyvault.keys:
+                        if (
+                            key.attributes
+                            and not key.attributes.expires
+                            and key.enabled
+                        ):
+                            report.status = "FAIL"
+                            report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has the key {key.name} without expiration date set."
+                            has_key_without_expiration = True
+                            findings.append(report)
+                    if not has_key_without_expiration:
+                        findings.append(report)
+        return findings

prowler/providers/azure/services/keyvault/keyvault_key_rotation_enabled/keyvault_key_rotation_enabled.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "keyvault_key_rotation_enabled",
+  "CheckTitle": "Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services",
+  "CheckType": [],
+  "ServiceName": "keyvault",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "KeyVault",
+  "Description": "Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will incrementally increased.",
+  "Risk": "Once set up, Automatic Private Key Rotation removes the need for manual administration when keys expire at intervals determined by your organization's policy. The recommended key lifetime is 2 years. Your organization should determine its own key expiration policy.",
+  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Note: Azure CLI and Powershell use ISO8601 flags to input timespans. Every timespan input will be in the format P<timespanInISO8601Format>(Y,M,D). The leading P is required with it denoting period. The (Y,M,D) are for the duration of Year, Month,and Day respectively. A time frame of 2 years, 2 months, 2 days would be (P2Y2M2D). From Azure Portal 1. From Azure Portal select the Portal Menu in the top left. 2. Select Key Vaults. 3. Select a Key Vault to audit. 4. Under Objects select Keys. 5. Select a key to audit. 6. In the top row select Rotation policy. 7. Select an Expiry time. 8. Set Enable auto rotation to Enabled. 9. Set an appropriate Rotation option and Rotation time. 10. Optionally set the Notification time. 11. Select Save. 12. Repeat steps 3-11 for each Key Vault and Key. From PowerShell Run the following command for each key to update its policy: Set-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -PolicyPath rotation_policy.json",
+      "Url": "https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview#update-the-key-version"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "There are an additional costs per operation in running the needed applications."
+}

prowler/providers/azure/services/keyvault/keyvault_key_rotation_enabled/keyvault_key_rotation_enabled.py

@@ -0,0 +1,29 @@
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.keyvault.keyvault_client import keyvault_client
+
+
+class keyvault_key_rotation_enabled(Check):
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+        for subscription, key_vaults in keyvault_client.key_vaults.items():
+            for keyvault in key_vaults:
+                if keyvault.keys:
+                    report = Check_Report_Azure(self.metadata())
+                    report.subscription = subscription
+                    report.resource_name = keyvault.name
+                    report.resource_id = keyvault.id
+                    for key in keyvault.keys:
+                        if (
+                            key.rotation_policy
+                            and key.rotation_policy.lifetime_actions
+                            and key.rotation_policy.lifetime_actions[0].action
+                            == "Rotate"
+                        ):
+                            report.status = "PASS"
+                            report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has the key {key.name} with rotation policy set."
+                        else:
+                            report.status = "FAIL"
+                            report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has the key {key.name} without rotation policy set."
+
+                        findings.append(report)
+        return findings

prowler/providers/azure/services/keyvault/keyvault_non_rbac_secret_expiration_set/keyvault_non_rbac_secret_expiration_set.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "keyvault_non_rbac_secret_expiration_set",
+  "CheckTitle": "Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults",
+  "CheckType": [],
+  "ServiceName": "keyvault",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "KeyVault",
+  "Description": "Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.",
+  "Risk": "The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.",
+  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis",
+  "Remediation": {
+    "Code": {
+      "CLI": "az keyvault secret set-attributes --name <secretName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z'",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": "https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-secrets#terraform"
+    },
+    "Recommendation": {
+      "Text": "From Azure Portal: 1. Go to Key vaults. 2. For each Key vault, click on Secrets. 3. In the main pane, ensure that the status of the secret is Enabled. 4. Set an appropriate Expiration date on all secrets. From Azure CLI: Update the Expiration date for the secret using the below command: az keyvault secret set-attributes --name <secretName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z' Note: To view the expiration date on all secrets in a Key Vault using Microsoft API, the List Key permission is required. To update the expiration date for the secrets: 1. Go to Key vault, click on Access policies. 2. Click on Create and add an access policy with the Update permission (in the Secret Permissions - Secret Management Operations section). From PowerShell: For each Key vault with the EnableRbacAuthorization setting set to False or empty, run the following command. Set-AzKeyVaultSecret -VaultName <Vault Name> -Name <Secret Name> -Expires <DateTime>",
+      "Url": "https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Secrets cannot be used beyond their assigned expiry date respectively. Secrets need to be rotated periodically wherever they are used."
+}

prowler/providers/azure/services/keyvault/keyvault_non_rbac_secret_expiration_set/keyvault_non_rbac_secret_expiration_set.py

@@ -0,0 +1,33 @@
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.keyvault.keyvault_client import keyvault_client
+
+
+class keyvault_non_rbac_secret_expiration_set(Check):
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+        for subscription, key_vaults in keyvault_client.key_vaults.items():
+            for keyvault in key_vaults:
+                if (
+                    not keyvault.properties.enable_rbac_authorization
+                    and keyvault.secrets
+                ):
+                    report = Check_Report_Azure(self.metadata())
+                    report.subscription = subscription
+                    report.resource_name = keyvault.name
+                    report.resource_id = keyvault.id
+                    report.status = "PASS"
+                    report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has all the secrets with expiration date set."
+                    has_secret_without_expiration = False
+                    for secret in keyvault.secrets:
+                        if (
+                            secret.attributes
+                            and not secret.attributes.expires
+                            and secret.enabled
+                        ):
+                            report.status = "FAIL"
+                            report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has the secret {secret.name} without expiration date set."
+                            has_secret_without_expiration = True
+                            findings.append(report)
+                    if not has_secret_without_expiration:
+                        findings.append(report)
+        return findings

prowler/providers/azure/services/keyvault/keyvault_private_endpoints/keyvault_private_endpoints.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "keyvault_private_endpoints",
+  "CheckTitle": "Ensure that Private Endpoints are Used for Azure Key Vault",
+  "CheckType": [],
+  "ServiceName": "keyvault",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "KeyVault",
+  "Description": "Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.",
+  "Risk": "Private endpoints will keep network requests to Azure Key Vault limited to the endpoints attached to the resources that are whitelisted to communicate with each other. Assigning the Key Vault to a network without an endpoint will allow other resources on that network to view all traffic from the Key Vault to its destination. In spite of the complexity in configuration, this is recommended for high security secrets.",
+  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Please see the additional information about the requirements needed before starting this remediation procedure. From Azure Portal 1. From Azure Home open the Portal Menu in the top left. 2. Select Key Vaults. 3. Select a Key Vault to audit. 4. Select Networking in the left column. 5. Select Private endpoint connections from the top row. 6. Select + Create. 7. Select the subscription the Key Vault is within, and other desired configuration. 8. Select Next. 9. For resource type select Microsoft.KeyVault/vaults. 10. Select the Key Vault to associate the Private Endpoint with. 11. Select Next. 12. In the Virtual Networking field, select the network to assign the Endpoint. 13. Select other configuration options as desired, including an existing or new application security group. 14. Select Next. 15. Select the private DNS the Private Endpoints will use. 16. Select Next. 17. Optionally add Tags. 18. Select Next : Review + Create. 19. Review the information and select Create. Follow the Audit Procedure to determine if it has successfully applied. 20. Repeat steps 3-19 for each Key Vault. From Azure CLI 1. To create an endpoint, run the following command: az network private-endpoint create --resource-group <resourceGroup --vnet- name <vnetName> --subnet <subnetName> --name <PrivateEndpointName> -- private-connection-resource-id '/subscriptions/<AZURE SUBSCRIPTION ID>/resourceGroups/<resourceGroup>/providers/Microsoft.KeyVault/vaults/<keyVa ultName>' --group-ids vault --connection-name <privateLinkConnectionName> -- location <azureRegion> --manual-request 2. To manually approve the endpoint request, run the following command: az keyvault private-endpoint-connection approve --resource-group <resourceGroup> --vault-name <keyVaultName> –name <privateLinkName> 4. Determine the Private Endpoint's IP address to connect the Key Vault to the Private DNS you have previously created: 5. Look for the property networkInterfaces then id; the value must be placed in the variable <privateEndpointNIC> within step 7. az network private-endpoint show -g <resourceGroupName> -n <privateEndpointName> 6. Look for the property networkInterfaces then id; the value must be placed on <privateEndpointNIC> in step 7. az network nic show --ids <privateEndpointName> 7. Create a Private DNS record within the DNS Zone you created for the Private Endpoint: az network private-dns record-set a add-record -g <resourcecGroupName> -z 'privatelink.vaultcore.azure.net' -n <keyVaultName> -a <privateEndpointNIC> 8. nslookup the private endpoint to determine if the DNS record is correct: nslookup <keyVaultName>.vault.azure.net nslookup <keyVaultName>.privatelink.vaultcore.azure.n",
+      "Url": "https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Incorrect or poorly-timed changing of network configuration could result in service interruption. There are also additional costs tiers for running a private endpoint perpetabyte or more of networking traffic."
+}

prowler/providers/azure/services/keyvault/keyvault_private_endpoints/keyvault_private_endpoints.py

@@ -0,0 +1,23 @@
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.keyvault.keyvault_client import keyvault_client
+
+
+class keyvault_private_endpoints(Check):
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+        for subscription, key_vaults in keyvault_client.key_vaults.items():
+            for keyvault in key_vaults:
+                report = Check_Report_Azure(self.metadata())
+                report.subscription = subscription
+                report.resource_name = keyvault.name
+                report.resource_id = keyvault.id
+                report.status = "FAIL"
+                report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} is not using private endpoints."
+                if (
+                    keyvault.properties
+                    and keyvault.properties.private_endpoint_connections
+                ):
+                    report.status = "PASS"
+                    report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} is using private endpoints."
+                findings.append(report)
+        return findings

prowler/providers/azure/services/keyvault/keyvault_rbac_enabled/keyvault_rbac_enabled.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "keyvault_rbac_enabled",
+  "CheckTitle": "Enable Role Based Access Control for Azure Key Vault",
+  "CheckType": [],
+  "ServiceName": "keyvault",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "KeyVault",
+  "Description": "WARNING: Role assignments disappear when a Key Vault has been deleted (soft-delete) and recovered. Afterwards it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services.",
+  "Risk": "The new RBAC permissions model for Key Vaults enables a much finer grained access control for key vault secrets, keys, certificates, etc., than the vault access policy. This in turn will permit the use of privileged identity management over these roles, thus securing the key vaults with JIT Access management.",
+  "RelatedUrl": "https://docs.microsoft.com/en-gb/azure/key-vault/general/rbac-migration#vault-access-policy-to-azure-rbac-migration-steps",
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "From Azure Portal Key Vaults can be configured to use Azure role-based access control on creation. For existing Key Vaults: 1. From Azure Home open the Portal Menu in the top left corner 2. Select Key Vaults 3. Select a Key Vault to audit 4. Select Access configuration 5. Set the Permission model radio button to Azure role-based access control, taking note of the warning message 6. Click Save 7. Select Access Control (IAM) 8. Select the Role Assignments tab 9. Reapply permissions as needed to groups or users",
+      "Url": "https://docs.microsoft.com/en-gb/azure/role-based-access-control/role-assignments-portal?tabs=current"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Implementation needs to be properly designed from the ground up, as this is a fundamental change to the way key vaults are accessed/managed. Changing permissions to key vaults will result in loss of service as permissions are re-applied. For the least amount of downtime, map your current groups and users to their corresponding permission needs."
+}

prowler/providers/azure/services/keyvault/keyvault_rbac_enabled/keyvault_rbac_enabled.py

@@ -0,0 +1,23 @@
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.keyvault.keyvault_client import keyvault_client
+
+
+class keyvault_rbac_enabled(Check):
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+        for subscription, key_vaults in keyvault_client.key_vaults.items():
+            for keyvault in key_vaults:
+                report = Check_Report_Azure(self.metadata())
+                report.subscription = subscription
+                report.resource_name = keyvault.name
+                report.resource_id = keyvault.id
+                report.status = "FAIL"
+                report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} is not using RBAC for access control."
+                if (
+                    keyvault.properties
+                    and keyvault.properties.enable_rbac_authorization
+                ):
+                    report.status = "PASS"
+                    report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} is using RBAC for access control."
+                findings.append(report)
+        return findings

prowler/providers/azure/services/keyvault/keyvault_rbac_key_expiration_set/keyvault_rbac_key_expiration_set.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "keyvault_rbac_key_expiration_set",
+  "CheckTitle": "Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults",
+  "CheckType": [],
+  "ServiceName": "keyvault",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "KeyVault",
+  "Description": "Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set",
+  "Risk": "Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for encryption of new data, wrapping of new keys, and signing. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys to help enforce the key rotation. This ensures that the keys cannot be used beyond their assigned lifetimes.",
+  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis",
+  "Remediation": {
+    "Code": {
+      "CLI": "az keyvault key set-attributes --name <keyName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z'",
+      "NativeIaC": "",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/KeyVault/key-expiration-check.html#",
+      "Terraform": "https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-keys#terraform"
+    },
+    "Recommendation": {
+      "Text": "From Azure Portal: 1. Go to Key vaults. 2. For each Key vault, click on Keys. 3. In the main pane, ensure that an appropriate Expiration date is set for any keys that are Enabled. From Azure CLI: Update the Expiration date for the key using the below command: az keyvault key set-attributes --name <keyName> --vault-name <vaultName> -- expires Y-m-d'T'H:M:S'Z' Note: To view the expiration date on all keys in a Key Vault using Microsoft API, the 'List' Key permission is required. To update the expiration date for the keys: 1. Go to the Key vault, click on Access Control (IAM). 2. Click on Add role assignment and assign the role of Key Vault Crypto Officer to the appropriate user. From PowerShell: Set-AzKeyVaultKeyAttribute -VaultName <VaultName> -Name <KeyName> -Expires <DateTime>",
+      "Url": "https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Keys cannot be used beyond their assigned expiration dates respectively. Keys need to be rotated periodically wherever they are used."
+}

prowler/providers/azure/services/keyvault/keyvault_rbac_key_expiration_set/keyvault_rbac_key_expiration_set.py

@@ -0,0 +1,30 @@
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.keyvault.keyvault_client import keyvault_client
+
+
+class keyvault_rbac_key_expiration_set(Check):
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+        for subscription, key_vaults in keyvault_client.key_vaults.items():
+            for keyvault in key_vaults:
+                if keyvault.properties.enable_rbac_authorization and keyvault.keys:
+                    report = Check_Report_Azure(self.metadata())
+                    report.subscription = subscription
+                    report.resource_name = keyvault.name
+                    report.resource_id = keyvault.id
+                    report.status = "PASS"
+                    report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has all the keys with expiration date set."
+                    has_key_without_expiration = False
+                    for key in keyvault.keys:
+                        if (
+                            key.attributes
+                            and not key.attributes.expires
+                            and key.enabled
+                        ):
+                            report.status = "FAIL"
+                            report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has the key {key.name} without expiration date set."
+                            has_key_without_expiration = True
+                            findings.append(report)
+                    if not has_key_without_expiration:
+                        findings.append(report)
+        return findings

prowler/providers/azure/services/keyvault/keyvault_rbac_secret_expiration_set/keyvault_rbac_secret_expiration_set.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "keyvault_rbac_secret_expiration_set",
+  "CheckTitle": "Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults",
+  "CheckType": [],
+  "ServiceName": "keyvault",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "KeyVault",
+  "Description": "Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.",
+  "Risk": "The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.",
+  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis",
+  "Remediation": {
+    "Code": {
+      "CLI": "az keyvault secret set-attributes --name <secretName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z'",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": "https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-secrets#terraform"
+    },
+    "Recommendation": {
+      "Text": "From Azure Portal: 1. Go to Key vaults. 2. For each Key vault, click on Secrets. 3. In the main pane, ensure that the status of the secret is Enabled. 4. For each enabled secret, ensure that an appropriate Expiration date is set. From Azure CLI: Update the Expiration date for the secret using the below command: az keyvault secret set-attributes --name <secretName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z' Note: To view the expiration date on all secrets in a Key Vault using Microsoft API, the List Key permission is required. To update the expiration date for the secrets: 1. Go to the Key vault, click on Access Control (IAM). 2. Click on Add role assignment and assign the role of Key Vault Secrets Officer to the appropriate user. From PowerShell: Set-AzKeyVaultSecretAttribute -VaultName <Vault Name> -Name <Secret Name> - Expires <DateTime>",
+      "Url": "https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Secrets cannot be used beyond their assigned expiry date respectively. Secrets need to be rotated periodically wherever they are used."
+}

prowler/providers/azure/services/keyvault/keyvault_rbac_secret_expiration_set/keyvault_rbac_secret_expiration_set.py

@@ -0,0 +1,30 @@
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.keyvault.keyvault_client import keyvault_client
+
+
+class keyvault_rbac_secret_expiration_set(Check):
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+        for subscription, key_vaults in keyvault_client.key_vaults.items():
+            for keyvault in key_vaults:
+                if keyvault.properties.enable_rbac_authorization and keyvault.secrets:
+                    report = Check_Report_Azure(self.metadata())
+                    report.subscription = subscription
+                    report.resource_name = keyvault.name
+                    report.resource_id = keyvault.id
+                    report.status = "PASS"
+                    report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has all the secrets with expiration date set."
+                    has_secret_without_expiration = False
+                    for secret in keyvault.secrets:
+                        if (
+                            secret.attributes
+                            and not secret.attributes.expires
+                            and secret.enabled
+                        ):
+                            report.status = "FAIL"
+                            report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} has the secret {secret.name} without expiration date set."
+                            has_secret_without_expiration = True
+                            findings.append(report)
+                    if not has_secret_without_expiration:
+                        findings.append(report)
+        return findings

prowler/providers/azure/services/keyvault/keyvault_recoverable/keyvault_recoverable.metadata.json

@@ -0,0 +1,30 @@
+{
+  "Provider": "azure",
+  "CheckID": "keyvault_recoverable",
+  "CheckTitle": "Ensure the Key Vault is Recoverable",
+  "CheckType": [],
+  "ServiceName": "keyvault",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "KeyVault",
+  "Description": "The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects. It is recommended the Key Vault be made recoverable by enabling the 'Do Not Purge' and 'Soft Delete' functions. This is in order to prevent loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (Keys, Secrets, Certificates) etc. This may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. WARNING: A current limitation of the soft-delete feature across all Azure services is role assignments disappearing when Key Vault is deleted. All role assignments will need to be recreated after recovery.",
+  "Risk": "There could be scenarios where users accidentally run delete/purge commands on Key Vault or an attacker/malicious user deliberately does so in order to cause disruption. Deleting or purging a Key Vault leads to immediate data loss, as keys encrypting data and secrets/certificates allowing access/services will become non-accessible. There are 2 Key Vault properties that play a role in permanent unavailability of a Key Vault: 1. enableSoftDelete: Setting this parameter to 'true' for a Key Vault ensures that even if Key Vault is deleted, Key Vault itself or its objects remain recoverable for the next 90 days. Key Vault/objects can either be recovered or purged (permanent deletion) during those 90 days. If no action is taken, key vault and its objects will subsequently be purged. 2. enablePurgeProtection: enableSoftDelete only ensures that Key Vault is not deleted permanently and will be recoverable for 90 days from date of deletion. However, there are scenarios in which the Key Vault and/or its objects are accidentally purged and hence will not be recoverable. Setting enablePurgeProtection to 'true' ensures that the Key Vault and its objects cannot be purged. Enabling both the parameters on Key Vaults ensures that Key Vaults and their objects cannot be deleted/purged permanently.",
+  "RelatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli",
+  "Remediation": {
+    "Code": {
+      "CLI": "az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<keyVaultName> --set properties.enablePurgeProtection=trueproperties.enableSoftDelete=true",
+      "NativeIaC": "",
+      "Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/KeyVault/enable-key-vault-recoverability.html#",
+      "Terraform": "https://docs.bridgecrew.io/docs/ensure-the-key-vault-is-recoverable#terraform"
+    },
+    "Recommendation": {
+      "Text": "To enable 'Do Not Purge' and 'Soft Delete' for a Key Vault: From Azure Portal 1. Go to Key Vaults 2. For each Key Vault 3. Click Properties 4. Ensure the status of soft-delete reads Soft delete has been enabled on this key vault. 5. At the bottom of the page, click 'Enable Purge Protection' Note, once enabled you cannot disable it. From Azure CLI az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx- xxxxxxxxxxxx/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault /vaults/<keyVaultName> --set properties.enablePurgeProtection=true properties.enableSoftDelete=true From PowerShell Update-AzKeyVault -VaultName <vaultName -ResourceGroupName <resourceGroupName -EnablePurgeProtection",
+      "Url": "https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "Once purge-protection and soft-delete are enabled for a Key Vault, the action is irreversible."
+}

prowler/providers/azure/services/keyvault/keyvault_recoverable/keyvault_recoverable.py

@@ -0,0 +1,23 @@
+from prowler.lib.check.models import Check, Check_Report_Azure
+from prowler.providers.azure.services.keyvault.keyvault_client import keyvault_client
+
+
+class keyvault_recoverable(Check):
+    def execute(self) -> Check_Report_Azure:
+        findings = []
+        for subscription, key_vaults in keyvault_client.key_vaults.items():
+            for keyvault in key_vaults:
+                report = Check_Report_Azure(self.metadata())
+                report.subscription = subscription
+                report.resource_name = keyvault.name
+                report.resource_id = keyvault.id
+                report.status = "FAIL"
+                report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} is not recoverable."
+                if (
+                    keyvault.properties.enable_soft_delete
+                    and keyvault.properties.enable_purge_protection
+                ):
+                    report.status = "PASS"
+                    report.status_extended = f"Keyvault {keyvault.name} from subscription {subscription} is recoverable."
+                findings.append(report)
+        return findings

prowler/providers/azure/services/keyvault/keyvault_service.py

@@ -0,0 +1,147 @@
+from dataclasses import dataclass
+
+from azure.core.exceptions import HttpResponseError
+from azure.keyvault.keys import KeyClient
+from azure.mgmt.keyvault import KeyVaultManagementClient
+from azure.mgmt.keyvault.v2023_07_01.models import (
+    KeyAttributes,
+    SecretAttributes,
+    VaultProperties,
+)
+
+from prowler.lib.logger import logger
+from prowler.providers.azure.lib.service.service import AzureService
+
+
+########################## Storage
+class KeyVault(AzureService):
+    def __init__(self, audit_info):
+        super().__init__(KeyVaultManagementClient, audit_info)
+        self.key_vaults = self.__get_key_vaults__(audit_info)
+
+    def __get_key_vaults__(self, audit_info):
+        logger.info("KeyVault - Getting key_vaults...")
+        key_vaults = {}
+        for subscription, client in self.clients.items():
+            try:
+                key_vaults.update({subscription: []})
+                key_vaults_list = client.vaults.list()
+                for keyvault in key_vaults_list:
+                    resource_group = keyvault.id.split("/")[4]
+                    keyvault_name = keyvault.name
+                    keyvault_properties = client.vaults.get(
+                        resource_group, keyvault_name
+                    ).properties
+                    keys = self.__get_keys__(
+                        subscription, resource_group, keyvault_name, audit_info
+                    )
+                    secrets = self.__get_secrets__(
+                        subscription, resource_group, keyvault_name
+                    )
+                    key_vaults[subscription].append(
+                        KeyVaultInfo(
+                            id=getattr(keyvault, "id", ""),
+                            name=getattr(keyvault, "name", ""),
+                            location=getattr(keyvault, "location", ""),
+                            resource_group=resource_group,
+                            properties=keyvault_properties,
+                            keys=keys,
+                            secrets=secrets,
+                        )
+                    )
+            except Exception as error:
+                logger.error(
+                    f"Subscription name: {subscription} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                )
+        return key_vaults
+
+    def __get_keys__(self, subscription, resource_group, keyvault_name, audit_info):
+        logger.info(f"KeyVault - Getting keys for {keyvault_name}...")
+        keys = []
+        try:
+            client = self.clients[subscription]
+            keys_list = client.keys.list(resource_group, keyvault_name)
+            for key in keys_list:
+                keys.append(
+                    Key(
+                        id=getattr(key, "id", ""),
+                        name=getattr(key, "name", ""),
+                        enabled=getattr(key.attributes, "enabled", False),
+                        location=getattr(key, "location", ""),
+                        attributes=getattr(key, "attributes", None),
+                    )
+                )
+        except Exception as error:
+            logger.error(
+                f"Subscription name: {subscription} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+
+        try:
+            key_client = KeyClient(
+                vault_url=f"https://{keyvault_name}.vault.azure.net/",
+                credential=audit_info.credentials,
+            )
+            properties = key_client.list_properties_of_keys()
+            for prop in properties:
+                policy = key_client.get_key_rotation_policy(prop.name)
+                for key in keys:
+                    if key.name == prop.name:
+                        key.rotation_policy = policy
+
+        except HttpResponseError:
+            logger.error(
+                f"Subscription name: {subscription} -- has no access policy configured for keyvault {keyvault_name}"
+            )
+        return keys
+
+    def __get_secrets__(self, subscription, resource_group, keyvault_name):
+        logger.info(f"KeyVault - Getting secrets for {keyvault_name}...")
+        secrets = []
+        try:
+            client = self.clients[subscription]
+            secrets_list = client.secrets.list(resource_group, keyvault_name)
+            for secret in secrets_list:
+                secrets.append(
+                    Secret(
+                        id=getattr(secret, "id", ""),
+                        name=getattr(secret, "name", ""),
+                        enabled=getattr(secret.properties.attributes, "enabled", False),
+                        location=getattr(secret, "location", ""),
+                        attributes=getattr(secret.properties, "attributes", None),
+                    )
+                )
+        except Exception as error:
+            logger.error(
+                f"Subscription name: {subscription} -- {error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+        return secrets
+
+
+@dataclass
+class Key:
+    id: str
+    name: str
+    enabled: bool
+    location: str
+    attributes: KeyAttributes
+    rotation_policy: str = None
+
+
+@dataclass
+class Secret:
+    id: str
+    name: str
+    enabled: bool
+    location: str
+    attributes: SecretAttributes
+
+
+@dataclass
+class KeyVaultInfo:
+    id: str
+    name: str
+    location: str
+    resource_group: str
+    properties: VaultProperties
+    keys: list[Key] = None
+    secrets: list[Secret] = None

pyproject.toml

@@ -28,11 +28,13 @@ version = "3.14.0"
 alive-progress = "3.1.5"
 awsipranges = "0.3.3"
 azure-identity = "1.15.0"
+azure-keyvault-keys = "4.8.0"
 azure-mgmt-applicationinsights = "4.0.0"
 azure-mgmt-authorization = "4.0.0"
 azure-mgmt-compute = "30.5.0"
 azure-mgmt-cosmosdb = "9.4.0"
-azure-mgmt-network = "25.2.0"
+azure-mgmt-keyvault = "10.3.0"
+azure-mgmt-network = "25.3.0"
 azure-mgmt-rdbms = "10.1.0"
 azure-mgmt-security = "6.0.0"
 azure-mgmt-sql = "3.0.1"

tests/providers/azure/services/keyvault/keyvault_key_expiration_set_in_non_rbac/keyvault_key_expiration_set_in_non_rbac_test.py

@@ -0,0 +1,151 @@
+from unittest import mock
+from uuid import uuid4
+
+from azure.mgmt.keyvault.v2023_07_01.models import KeyAttributes, VaultProperties
+
+from prowler.providers.azure.services.keyvault.keyvault_service import Key, KeyVaultInfo
+
+AZURE_SUBSCRIPTION = str(uuid4())
+
+
+class Test_keyvault_key_expiration_set_in_non_rbac:
+    def test_no_key_vaults(self):
+        keyvault_client = mock.MagicMock
+        keyvault_client.key_vaults = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_key_expiration_set_in_non_rbac.keyvault_key_expiration_set_in_non_rbac.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_key_expiration_set_in_non_rbac.keyvault_key_expiration_set_in_non_rbac import (
+                keyvault_key_expiration_set_in_non_rbac,
+            )
+
+            check = keyvault_key_expiration_set_in_non_rbac()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_no_keys(self):
+        keyvault_client = mock.MagicMock
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id="id",
+                    name="name",
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
+                    ),
+                    keys=[],
+                    secrets=[],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_key_expiration_set_in_non_rbac.keyvault_key_expiration_set_in_non_rbac.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_key_expiration_set_in_non_rbac.keyvault_key_expiration_set_in_non_rbac import (
+                keyvault_key_expiration_set_in_non_rbac,
+            )
+
+            check = keyvault_key_expiration_set_in_non_rbac()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_key_vaults_invalid_keys(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "Keyvault Name"
+        keyvault_id = str(uuid4())
+        key_name = "Key Name"
+        key = Key(
+            id="id",
+            name=key_name,
+            enabled=True,
+            location="location",
+            attributes=KeyAttributes(expires=None, enabled=True),
+        )
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id=keyvault_id,
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
+                    ),
+                    keys=[key],
+                    secrets=[],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_key_expiration_set_in_non_rbac.keyvault_key_expiration_set_in_non_rbac.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_key_expiration_set_in_non_rbac.keyvault_key_expiration_set_in_non_rbac import (
+                keyvault_key_expiration_set_in_non_rbac,
+            )
+
+            check = keyvault_key_expiration_set_in_non_rbac()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has the key {key_name} without expiration date set."
+            )
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == keyvault_id
+
+    def test_key_vaults_valid_keys(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "Keyvault Name"
+        keyvault_id = str(uuid4())
+        key = Key(
+            id="id",
+            name="name",
+            enabled=True,
+            location="location",
+            attributes=KeyAttributes(expires=49394, enabled=True),
+        )
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id=keyvault_id,
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
+                    ),
+                    keys=[key],
+                    secrets=[],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_key_expiration_set_in_non_rbac.keyvault_key_expiration_set_in_non_rbac.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_key_expiration_set_in_non_rbac.keyvault_key_expiration_set_in_non_rbac import (
+                keyvault_key_expiration_set_in_non_rbac,
+            )
+
+            check = keyvault_key_expiration_set_in_non_rbac()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has all the keys with expiration date set."
+            )
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == keyvault_id

tests/providers/azure/services/keyvault/keyvault_key_rotation_enabled/keyvault_key_rotation_enabled_test.py

@@ -0,0 +1,163 @@
+from unittest import mock
+from uuid import uuid4
+
+from azure.keyvault.keys import KeyRotationLifetimeAction, KeyRotationPolicy
+from azure.mgmt.keyvault.v2023_07_01.models import KeyAttributes, VaultProperties
+
+from prowler.providers.azure.services.keyvault.keyvault_service import Key, KeyVaultInfo
+
+AZURE_SUBSCRIPTION = str(uuid4())
+
+
+class Test_keyvault_key_rotation_enabled:
+    def test_no_key_vaults(self):
+        keyvault_client = mock.MagicMock
+        keyvault_client.key_vaults = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_key_rotation_enabled.keyvault_key_rotation_enabled.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_key_rotation_enabled.keyvault_key_rotation_enabled import (
+                keyvault_key_rotation_enabled,
+            )
+
+            check = keyvault_key_rotation_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_no_keys(self):
+        keyvault_client = mock.MagicMock
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id="id",
+                    name="name",
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
+                    ),
+                    keys=[],
+                    secrets=[],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_key_rotation_enabled.keyvault_key_rotation_enabled.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_key_rotation_enabled.keyvault_key_rotation_enabled import (
+                keyvault_key_rotation_enabled,
+            )
+
+            check = keyvault_key_rotation_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_key_without_rotation_policy(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "keyvault_name"
+        key_name = "key_name"
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id="id",
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
+                    ),
+                    keys=[
+                        Key(
+                            id="id",
+                            name=key_name,
+                            enabled=True,
+                            location="location",
+                            attributes=KeyAttributes(expires=None, enabled=True),
+                            rotation_policy=None,
+                        )
+                    ],
+                    secrets=[],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_key_rotation_enabled.keyvault_key_rotation_enabled.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_key_rotation_enabled.keyvault_key_rotation_enabled import (
+                keyvault_key_rotation_enabled,
+            )
+
+            check = keyvault_key_rotation_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has the key {key_name} without rotation policy set."
+            )
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == "id"
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+
+    def test_key_with_rotation_policy(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "keyvault_name"
+        key_name = "key_name"
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id="id",
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
+                    ),
+                    keys=[
+                        Key(
+                            id="id",
+                            name=key_name,
+                            enabled=True,
+                            location="location",
+                            attributes=KeyAttributes(expires=None, enabled=True),
+                            rotation_policy=KeyRotationPolicy(
+                                lifetime_actions=[
+                                    KeyRotationLifetimeAction(
+                                        action="Rotate",
+                                        lifetime_action_type="Rotate",
+                                        lifetime_percentage=80,
+                                    )
+                                ]
+                            ),
+                        )
+                    ],
+                    secrets=[],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_key_rotation_enabled.keyvault_key_rotation_enabled.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_key_rotation_enabled.keyvault_key_rotation_enabled import (
+                keyvault_key_rotation_enabled,
+            )
+
+            check = keyvault_key_rotation_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has the key {key_name} with rotation policy set."
+            )
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == "id"
+            assert result[0].subscription == AZURE_SUBSCRIPTION

tests/providers/azure/services/keyvault/keyvault_non_rbac_secret_expiration_set/keyvault_non_rbac_secret_expiration_set_test.py

@@ -0,0 +1,210 @@
+from unittest import mock
+from uuid import uuid4
+
+from azure.mgmt.keyvault.v2023_07_01.models import SecretAttributes, VaultProperties
+
+from prowler.providers.azure.services.keyvault.keyvault_service import (
+    KeyVaultInfo,
+    Secret,
+)
+
+AZURE_SUBSCRIPTION = str(uuid4())
+
+
+class Test_keyvault_non_rbac_secret_expiration_set:
+    def test_no_key_vaults(self):
+        keyvault_client = mock.MagicMock
+        keyvault_client.key_vaults = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set import (
+                keyvault_non_rbac_secret_expiration_set,
+            )
+
+            check = keyvault_non_rbac_secret_expiration_set()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_no_secrets(self):
+        keyvault_client = mock.MagicMock
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id="id",
+                    name="name",
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
+                    ),
+                    keys=[],
+                    secrets=[],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set import (
+                keyvault_non_rbac_secret_expiration_set,
+            )
+
+            check = keyvault_non_rbac_secret_expiration_set()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_key_vaults_invalid_secrets(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "Keyvault Name"
+        keyvault_id = str(uuid4())
+        secret_name = "Secret"
+        secret = Secret(
+            id="id",
+            name=secret_name,
+            enabled=True,
+            location="location",
+            attributes=SecretAttributes(expires=None, enabled=True),
+        )
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id=keyvault_id,
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
+                    ),
+                    keys=[],
+                    secrets=[secret],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set import (
+                keyvault_non_rbac_secret_expiration_set,
+            )
+
+            check = keyvault_non_rbac_secret_expiration_set()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has the secret {secret_name} without expiration date set."
+            )
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == keyvault_id
+
+    def test_key_vaults_invalid_multiple_secrets(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "Keyvault Name"
+        keyvault_id = str(uuid4())
+        secret1_name = "Secret1"
+        secret2_name = "Secret2"
+        secret1 = Secret(
+            id="id",
+            name=secret1_name,
+            enabled=True,
+            location="location",
+            attributes=SecretAttributes(expires=None),
+        )
+        secret2 = Secret(
+            id="id",
+            name=secret2_name,
+            enabled=True,
+            location="location",
+            attributes=SecretAttributes(expires=84934),
+        )
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id=keyvault_id,
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
+                    ),
+                    keys=[],
+                    secrets=[secret1, secret2],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set import (
+                keyvault_non_rbac_secret_expiration_set,
+            )
+
+            check = keyvault_non_rbac_secret_expiration_set()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has the secret {secret1_name} without expiration date set."
+            )
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == keyvault_id
+
+    def test_key_vaults_valid_keys(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "Keyvault Name"
+        keyvault_id = str(uuid4())
+        secret = Secret(
+            id="id",
+            name="name",
+            enabled=False,
+            location="location",
+            attributes=SecretAttributes(expires=None),
+        )
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id=keyvault_id,
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid", sku="sku", enable_rbac_authorization=False
+                    ),
+                    keys=[],
+                    secrets=[secret],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_non_rbac_secret_expiration_set.keyvault_non_rbac_secret_expiration_set import (
+                keyvault_non_rbac_secret_expiration_set,
+            )
+
+            check = keyvault_non_rbac_secret_expiration_set()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has all the secrets with expiration date set."
+            )
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == keyvault_id

tests/providers/azure/services/keyvault/keyvault_private_endpoints/keyvault_private_endpoints_test.py

@@ -0,0 +1,121 @@
+from unittest import mock
+from uuid import uuid4
+
+from azure.mgmt.keyvault.v2023_07_01.models import (
+    PrivateEndpointConnectionItem,
+    VaultProperties,
+)
+
+from prowler.providers.azure.services.keyvault.keyvault_service import KeyVaultInfo
+
+AZURE_SUBSCRIPTION = str(uuid4())
+
+
+class Test_keyvault_private_endpoints:
+    def test_no_key_vaults(self):
+        keyvault_client = mock.MagicMock
+        keyvault_client.key_vaults = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_private_endpoints.keyvault_private_endpoints.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_private_endpoints.keyvault_private_endpoints import (
+                keyvault_private_endpoints,
+            )
+
+            check = keyvault_private_endpoints()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_key_vaults_no_private_endpoints(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "Keyvault Name"
+        keyvault_id = str(uuid4())
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id=keyvault_id,
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid",
+                        sku="sku",
+                        enable_rbac_authorization=False,
+                        private_endpoint_connections=None,
+                    ),
+                    keys=[],
+                    secrets=[],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_private_endpoints.keyvault_private_endpoints.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_private_endpoints.keyvault_private_endpoints import (
+                keyvault_private_endpoints,
+            )
+
+            check = keyvault_private_endpoints()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} is not using private endpoints."
+            )
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == keyvault_id
+
+    def test_key_vaults_using_private_endpoints(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "Keyvault Name"
+        keyvault_id = str(uuid4())
+        private_endpoint = PrivateEndpointConnectionItem(
+            id="id",
+        )
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id=keyvault_id,
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid",
+                        sku="sku",
+                        enable_rbac_authorization=True,
+                    ),
+                    keys=[],
+                    secrets=[],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_private_endpoints.keyvault_private_endpoints.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_private_endpoints.keyvault_private_endpoints import (
+                keyvault_private_endpoints,
+            )
+
+            keyvault_client.key_vaults[AZURE_SUBSCRIPTION][
+                0
+            ].properties.private_endpoint_connections = [private_endpoint]
+
+            check = keyvault_private_endpoints()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} is using private endpoints."
+            )
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == keyvault_id

tests/providers/azure/services/keyvault/keyvault_rbac_enabled/keyvault_rbac_enabled_test.py

@@ -0,0 +1,110 @@
+from unittest import mock
+from uuid import uuid4
+
+from azure.mgmt.keyvault.v2023_07_01.models import VaultProperties
+
+from prowler.providers.azure.services.keyvault.keyvault_service import KeyVaultInfo
+
+AZURE_SUBSCRIPTION = str(uuid4())
+
+
+class Test_keyvault_rbac_enabled:
+    def test_no_key_vaults(self):
+        keyvault_client = mock.MagicMock
+        keyvault_client.key_vaults = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_rbac_enabled.keyvault_rbac_enabled.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_rbac_enabled.keyvault_rbac_enabled import (
+                keyvault_rbac_enabled,
+            )
+
+            check = keyvault_rbac_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_key_vaults_no_rbac(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "Keyvault Name"
+        keyvault_id = str(uuid4())
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id=keyvault_id,
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid",
+                        sku="sku",
+                        enable_rbac_authorization=False,
+                    ),
+                    keys=[],
+                    secrets=[],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_rbac_enabled.keyvault_rbac_enabled.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_rbac_enabled.keyvault_rbac_enabled import (
+                keyvault_rbac_enabled,
+            )
+
+            check = keyvault_rbac_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} is not using RBAC for access control."
+            )
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == keyvault_id
+
+    def test_key_vaults_rbac(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "Keyvault Name"
+        keyvault_id = str(uuid4())
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id=keyvault_id,
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid",
+                        sku="sku",
+                        enable_rbac_authorization=True,
+                    ),
+                    keys=[],
+                    secrets=[],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_rbac_enabled.keyvault_rbac_enabled.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_rbac_enabled.keyvault_rbac_enabled import (
+                keyvault_rbac_enabled,
+            )
+
+            check = keyvault_rbac_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} is using RBAC for access control."
+            )
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == keyvault_id

tests/providers/azure/services/keyvault/keyvault_rbac_key_expiration_set/keyvault_rbac_key_expiration_set_test.py

@@ -0,0 +1,151 @@
+from unittest import mock
+from uuid import uuid4
+
+from azure.mgmt.keyvault.v2023_07_01.models import KeyAttributes, VaultProperties
+
+from prowler.providers.azure.services.keyvault.keyvault_service import Key, KeyVaultInfo
+
+AZURE_SUBSCRIPTION = str(uuid4())
+
+
+class Test_keyvault_rbac_key_expiration_set:
+    def test_no_key_vaults(self):
+        keyvault_client = mock.MagicMock
+        keyvault_client.key_vaults = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_rbac_key_expiration_set.keyvault_rbac_key_expiration_set.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_rbac_key_expiration_set.keyvault_rbac_key_expiration_set import (
+                keyvault_rbac_key_expiration_set,
+            )
+
+            check = keyvault_rbac_key_expiration_set()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_no_keys(self):
+        keyvault_client = mock.MagicMock
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id="id",
+                    name="name",
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid", sku="sku", enable_rbac_authorization=True
+                    ),
+                    keys=[],
+                    secrets=[],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_rbac_key_expiration_set.keyvault_rbac_key_expiration_set.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_rbac_key_expiration_set.keyvault_rbac_key_expiration_set import (
+                keyvault_rbac_key_expiration_set,
+            )
+
+            check = keyvault_rbac_key_expiration_set()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_key_vaults_invalid_keys(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "Keyvault Name"
+        keyvault_id = str(uuid4())
+        key_name = "Key Name"
+        key = Key(
+            id="id",
+            name=key_name,
+            enabled=True,
+            location="location",
+            attributes=KeyAttributes(expires=None, enabled=True),
+        )
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id=keyvault_id,
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid", sku="sku", enable_rbac_authorization=True
+                    ),
+                    keys=[key],
+                    secrets=[],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_rbac_key_expiration_set.keyvault_rbac_key_expiration_set.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_rbac_key_expiration_set.keyvault_rbac_key_expiration_set import (
+                keyvault_rbac_key_expiration_set,
+            )
+
+            check = keyvault_rbac_key_expiration_set()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has the key {key_name} without expiration date set."
+            )
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == keyvault_id
+
+    def test_key_vaults_valid_keys(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "Keyvault Name"
+        keyvault_id = str(uuid4())
+        key = Key(
+            id="id",
+            name="name",
+            enabled=True,
+            location="location",
+            attributes=KeyAttributes(expires=49394, enabled=True),
+        )
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id=keyvault_id,
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid", sku="sku", enable_rbac_authorization=True
+                    ),
+                    keys=[key],
+                    secrets=[],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_rbac_key_expiration_set.keyvault_rbac_key_expiration_set.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_rbac_key_expiration_set.keyvault_rbac_key_expiration_set import (
+                keyvault_rbac_key_expiration_set,
+            )
+
+            check = keyvault_rbac_key_expiration_set()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has all the keys with expiration date set."
+            )
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == keyvault_id

tests/providers/azure/services/keyvault/keyvault_rbac_secret_expiration_set/keyvault_rbac_secret_expiration_set_test.py

@@ -0,0 +1,210 @@
+from unittest import mock
+from uuid import uuid4
+
+from azure.mgmt.keyvault.v2023_07_01.models import SecretAttributes, VaultProperties
+
+from prowler.providers.azure.services.keyvault.keyvault_service import (
+    KeyVaultInfo,
+    Secret,
+)
+
+AZURE_SUBSCRIPTION = str(uuid4())
+
+
+class Test_keyvault_rbac_secret_expiration_set:
+    def test_no_key_vaults(self):
+        keyvault_client = mock.MagicMock
+        keyvault_client.key_vaults = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set import (
+                keyvault_rbac_secret_expiration_set,
+            )
+
+            check = keyvault_rbac_secret_expiration_set()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_no_secrets(self):
+        keyvault_client = mock.MagicMock
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id="id",
+                    name="name",
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid", sku="sku", enable_rbac_authorization=True
+                    ),
+                    keys=[],
+                    secrets=[],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set import (
+                keyvault_rbac_secret_expiration_set,
+            )
+
+            check = keyvault_rbac_secret_expiration_set()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_key_vaults_invalid_secrets(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "Keyvault Name"
+        keyvault_id = str(uuid4())
+        secret_name = "Secret"
+        secret = Secret(
+            id="id",
+            name=secret_name,
+            enabled=True,
+            location="location",
+            attributes=SecretAttributes(expires=None),
+        )
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id=keyvault_id,
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid", sku="sku", enable_rbac_authorization=True
+                    ),
+                    keys=[],
+                    secrets=[secret],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set import (
+                keyvault_rbac_secret_expiration_set,
+            )
+
+            check = keyvault_rbac_secret_expiration_set()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has the secret {secret_name} without expiration date set."
+            )
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == keyvault_id
+
+    def test_key_vaults_invalid_multiple_secrets(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "Keyvault Name"
+        keyvault_id = str(uuid4())
+        secret1_name = "Secret1"
+        secret2_name = "Secret2"
+        secret1 = Secret(
+            id="id",
+            name=secret1_name,
+            enabled=True,
+            location="location",
+            attributes=SecretAttributes(expires=None),
+        )
+        secret2 = Secret(
+            id="id",
+            name=secret2_name,
+            enabled=True,
+            location="location",
+            attributes=SecretAttributes(expires=84934),
+        )
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id=keyvault_id,
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid", sku="sku", enable_rbac_authorization=True
+                    ),
+                    keys=[],
+                    secrets=[secret1, secret2],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set import (
+                keyvault_rbac_secret_expiration_set,
+            )
+
+            check = keyvault_rbac_secret_expiration_set()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has the secret {secret1_name} without expiration date set."
+            )
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == keyvault_id
+
+    def test_key_vaults_valid_keys(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "Keyvault Name"
+        keyvault_id = str(uuid4())
+        secret = Secret(
+            id="id",
+            name="name",
+            enabled=False,
+            location="location",
+            attributes=SecretAttributes(expires=None),
+        )
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id=keyvault_id,
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid", sku="sku", enable_rbac_authorization=True
+                    ),
+                    keys=[],
+                    secrets=[secret],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_rbac_secret_expiration_set.keyvault_rbac_secret_expiration_set import (
+                keyvault_rbac_secret_expiration_set,
+            )
+
+            check = keyvault_rbac_secret_expiration_set()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} has all the secrets with expiration date set."
+            )
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == keyvault_id

tests/providers/azure/services/keyvault/keyvault_recoverable/keyvault_recoverable_test.py

@@ -0,0 +1,182 @@
+from unittest import mock
+from uuid import uuid4
+
+from azure.mgmt.keyvault.v2023_07_01.models import SecretAttributes, VaultProperties
+
+from prowler.providers.azure.services.keyvault.keyvault_service import (
+    KeyVaultInfo,
+    Secret,
+)
+
+AZURE_SUBSCRIPTION = str(uuid4())
+
+
+class Test_keyvault_recoverable:
+    def test_no_key_vaults(self):
+        keyvault_client = mock.MagicMock
+        keyvault_client.key_vaults = {}
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_recoverable.keyvault_recoverable.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_recoverable.keyvault_recoverable import (
+                keyvault_recoverable,
+            )
+
+            check = keyvault_recoverable()
+            result = check.execute()
+            assert len(result) == 0
+
+    def test_key_vaults_no_purge(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "Keyvault Name"
+        keyvault_id = str(uuid4())
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id=keyvault_id,
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid",
+                        sku="sku",
+                        enable_rbac_authorization=True,
+                        enable_soft_delete=True,
+                        enable_purge_protection=False,
+                    ),
+                    keys=[],
+                    secrets=[],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_recoverable.keyvault_recoverable.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_recoverable.keyvault_recoverable import (
+                keyvault_recoverable,
+            )
+
+            check = keyvault_recoverable()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} is not recoverable."
+            )
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == keyvault_id
+
+    def test_key_vaults_no_soft_delete(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "Keyvault Name"
+        keyvault_id = str(uuid4())
+        secret1 = Secret(
+            id="id",
+            name="name",
+            enabled=True,
+            location="location",
+            attributes=SecretAttributes(expires=None, enabled=True),
+        )
+        secret2 = Secret(
+            id="id",
+            name="name",
+            enabled=True,
+            location="location",
+            attributes=SecretAttributes(expires=84934, enabled=True),
+        )
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id=keyvault_id,
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid",
+                        sku="sku",
+                        enable_rbac_authorization=True,
+                        enable_soft_delete=True,
+                        enable_purge_protection=False,
+                    ),
+                    keys=[],
+                    secrets=[secret1, secret2],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_recoverable.keyvault_recoverable.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_recoverable.keyvault_recoverable import (
+                keyvault_recoverable,
+            )
+
+            check = keyvault_recoverable()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} is not recoverable."
+            )
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == keyvault_id
+
+    def test_key_vaults_valid_configuration(self):
+        keyvault_client = mock.MagicMock
+        keyvault_name = "Keyvault Name"
+        keyvault_id = str(uuid4())
+        secret = Secret(
+            id="id",
+            name="name",
+            enabled=True,
+            location="location",
+            attributes=SecretAttributes(expires=None, enabled=False),
+        )
+        keyvault_client.key_vaults = {
+            AZURE_SUBSCRIPTION: [
+                KeyVaultInfo(
+                    id=keyvault_id,
+                    name=keyvault_name,
+                    location="location",
+                    resource_group="resource_group",
+                    properties=VaultProperties(
+                        tenant_id="tenantid",
+                        sku="sku",
+                        enable_rbac_authorization=True,
+                        enable_soft_delete=True,
+                        enable_purge_protection=True,
+                    ),
+                    keys=[],
+                    secrets=[secret],
+                )
+            ]
+        }
+
+        with mock.patch(
+            "prowler.providers.azure.services.keyvault.keyvault_recoverable.keyvault_recoverable.keyvault_client",
+            new=keyvault_client,
+        ):
+            from prowler.providers.azure.services.keyvault.keyvault_recoverable.keyvault_recoverable import (
+                keyvault_recoverable,
+            )
+
+            check = keyvault_recoverable()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Keyvault {keyvault_name} from subscription {AZURE_SUBSCRIPTION} is recoverable."
+            )
+            assert result[0].subscription == AZURE_SUBSCRIPTION
+            assert result[0].resource_name == keyvault_name
+            assert result[0].resource_id == keyvault_id

tests/providers/azure/services/keyvault/keyvault_service_test.py

@@ -0,0 +1,99 @@
+from unittest.mock import patch
+
+from prowler.providers.azure.services.keyvault.keyvault_service import (
+    Key,
+    KeyVault,
+    KeyVaultInfo,
+    Secret,
+)
+from tests.providers.azure.azure_fixtures import (
+    AZURE_SUBSCRIPTION,
+    set_mocked_azure_audit_info,
+)
+
+
+def mock_keyvault_get_key_vaults(_, __):
+    keyvault_info = KeyVaultInfo(
+        id="id",
+        name="name",
+        location="location",
+        resource_group="resource_group",
+        properties=None,
+        keys=[
+            Key(
+                id="id",
+                name="name",
+                enabled=True,
+                location="location",
+                attributes=None,
+                rotation_policy=None,
+            )
+        ],
+        secrets=[
+            Secret(
+                id="id",
+                name="name",
+                enabled=True,
+                location="location",
+                attributes=None,
+            )
+        ],
+    )
+    return {AZURE_SUBSCRIPTION: [keyvault_info]}
+
+
+@patch(
+    "prowler.providers.azure.services.keyvault.keyvault_service.KeyVault.__get_key_vaults__",
+    new=mock_keyvault_get_key_vaults,
+)
+class Test_keyvault_service:
+    def test__get_client__(self):
+        keyvault = KeyVault(set_mocked_azure_audit_info())
+        assert (
+            keyvault.clients[AZURE_SUBSCRIPTION].__class__.__name__
+            == "KeyVaultManagementClient"
+        )
+
+    def test__get_key_vaults__(self):
+        keyvault = KeyVault(set_mocked_azure_audit_info())
+        assert (
+            keyvault.key_vaults[AZURE_SUBSCRIPTION][0].__class__.__name__
+            == "KeyVaultInfo"
+        )
+        assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].id == "id"
+        assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].name == "name"
+        assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].location == "location"
+        assert (
+            keyvault.key_vaults[AZURE_SUBSCRIPTION][0].resource_group
+            == "resource_group"
+        )
+        assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].properties is None
+
+    def test__get_keys__(self):
+        keyvault = KeyVault(set_mocked_azure_audit_info())
+        assert (
+            keyvault.key_vaults[AZURE_SUBSCRIPTION][0].keys[0].__class__.__name__
+            == "Key"
+        )
+        assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].keys[0].id == "id"
+        assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].keys[0].name == "name"
+        assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].keys[0].enabled is True
+        assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].keys[0].location == "location"
+        assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].keys[0].attributes is None
+        assert (
+            keyvault.key_vaults[AZURE_SUBSCRIPTION][0].keys[0].rotation_policy is None
+        )
+
+    def test__get_secrets__(self):
+        keyvault = KeyVault(set_mocked_azure_audit_info())
+        assert (
+            keyvault.key_vaults[AZURE_SUBSCRIPTION][0].secrets[0].__class__.__name__
+            == "Secret"
+        )
+        assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].secrets[0].id == "id"
+        assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].secrets[0].name == "name"
+        assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].secrets[0].enabled is True
+        assert (
+            keyvault.key_vaults[AZURE_SUBSCRIPTION][0].secrets[0].location == "location"
+        )
+        assert keyvault.key_vaults[AZURE_SUBSCRIPTION][0].secrets[0].attributes is None