Get Scan Keys report.

Get
/api/v1/discovery/scans/{id}/key_usage_report/azure

Security
OAuth

OAuth 2.0 client credential flow, see https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.

Flow: Client Credentials
Token URL: https://api.armor.fortanix.com/api/v1/iam/session/oauth2/token
Path parameters
id
string (uuid) Required
Query parameters
DiscoveryAzureKeyUsageParams
object
filter
string
limit
integer
previous_id
string
previous_sort_value
string
sort_by
string
Responses
2XX

Success result

object
items
Array of object (DiscoveryAzureKeyUsageDetails)
object
key
object
details
OneOf
object
$type
string
Valid values[ "database" ]
OneOf
object
object
$db_variant
string
Valid values[ "sql_single_server" ]
properties
object
deployment_name
string
encryption_details
object
analysis
object
encrypted_with_expired_key
boolean | null
encrypted_with_exportable_key
boolean | null
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean | null
encrypted_with_overly_permissive_usage_key
boolean | null
encrypted_with_quantum_vulnerable_key
boolean | null
encrypted_with_shared_key
boolean | null
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
key_source

Specifier for optional CMK Keys.

OneOf
object
object
$type
string
Valid values[ "deployment_level_customer_managed_key" ]
key_id
string
object
object
$type
string
Valid values[ "deployment_level_microsoft_managed_key" ]
object
object
$type
string
Valid values[ "database_level_customer_managed_key" ]
key_id
string
inner_databases_properties
Array of object (DiscoveryAzureDatabaseProperties)
object
database_name
string
is_tde_enabled
boolean

If true, encryption is in place with either a CMK (customer-managed key) or an MMK (Microsoft-managed key).

tier
string

The service tiers for SQL Single Server.

Valid values[ "server", "serverless" ]
object
object
$db_variant
string
Valid values[ "sql_managed_instance" ]
properties
object
deployment_name
string
encryption_details
object
analysis
object
encrypted_with_expired_key
boolean | null
encrypted_with_exportable_key
boolean | null
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean | null
encrypted_with_overly_permissive_usage_key
boolean | null
encrypted_with_quantum_vulnerable_key
boolean | null
encrypted_with_shared_key
boolean | null
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
key_source

Specifier for optional CMK Keys.

OneOf
object
object
$type
string
Valid values[ "deployment_level_customer_managed_key" ]
key_id
string
object
object
$type
string
Valid values[ "deployment_level_microsoft_managed_key" ]
object
object
$type
string
Valid values[ "database_level_customer_managed_key" ]
key_id
string
inner_databases_properties
Array of object (DiscoveryAzureDatabaseProperties)
object
database_name
string
is_tde_enabled
boolean

If true, encryption is in place with either a CMK (customer-managed key) or an MMK (Microsoft-managed key).

object
object
$db_variant
string
Valid values[ "sql_managed_instance_pool" ]
properties
object
deployment_name
string
encryption_details
object
analysis
object
encrypted_with_expired_key
boolean | null
encrypted_with_exportable_key
boolean | null
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean | null
encrypted_with_overly_permissive_usage_key
boolean | null
encrypted_with_quantum_vulnerable_key
boolean | null
encrypted_with_shared_key
boolean | null
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
key_source

Specifier for optional CMK Keys.

OneOf
object
object
$type
string
Valid values[ "deployment_level_customer_managed_key" ]
key_id
string
object
object
$type
string
Valid values[ "deployment_level_microsoft_managed_key" ]
object
object
$type
string
Valid values[ "database_level_customer_managed_key" ]
key_id
string
inner_databases_properties
Array of object (DiscoveryAzureDatabaseProperties)
object
database_name
string
is_tde_enabled
boolean

If true, encryption is in place with either a CMK (customer-managed key) or an MMK (Microsoft-managed key).

object
object
$db_variant
string
Valid values[ "cosmos_db" ]
api
string

The API a Cosmos database exposes to applications. Some possible values currently available in Azure are "Sql", "MongoDB", "Cassandra", ... This may be directly exposed in the frontend.

properties
object
deployment_name
string
encryption_details
object
analysis
object
encrypted_with_expired_key
boolean | null
encrypted_with_exportable_key
boolean | null
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean | null
encrypted_with_overly_permissive_usage_key
boolean | null
encrypted_with_quantum_vulnerable_key
boolean | null
encrypted_with_shared_key
boolean | null
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
key_source

Specifier for optional CMK Keys.

OneOf
object
object
$type
string
Valid values[ "deployment_level_customer_managed_key" ]
key_id
string
object
object
$type
string
Valid values[ "deployment_level_microsoft_managed_key" ]
object
object
$type
string
Valid values[ "database_level_customer_managed_key" ]
key_id
string
inner_databases_properties
Array of object (DiscoveryAzureDatabaseProperties)
object
database_name
string
is_tde_enabled
boolean

If true, encryption is in place with either a CMK (customer-managed key) or an MMK (Microsoft-managed key).

object
object
$type
string
Valid values[ "kv_key_version" ]
analysis
object
crypto_policy_compliance
object
is_compliant
boolean

Represents whether the key is compliant with the crypto policy.

violation_reason
string | null

Represents the violation reason if the key is non-compliant with the crypto policy, otherwise None.

is_shared
boolean

Defaults to false. Will be true only if underlying key is used to encrypt multiple services.

overly_permissive_key_violations
object
management_violations
Array of object (DiscoveryAzureKvKeyPolicyInfo)
object
principal_id
string
role_assignment_id
string
role_definition_id
string
usage_violations
Array of object (DiscoveryAzureKvKeyPolicyInfo)
object
principal_id
string
role_assignment_id
string
role_definition_id
string
usage_details
object
encrypt
object
service_count
integer
usages
Array of string (DiscoveryKeyUsage) | null
string
Valid values[ "encrypt", "unused" ]
is_current_version
boolean

True if this is the latest key version, False otherwise.

is_key_managed
boolean

True if the key version's lifetime is managed by key vault, False otherwise.

key_attributes
object
activation_date
string

The timestamp when the key will be activated. None, if the activation date is not set for the key.

Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
created_at
string

The timestamp of creation of the key.

Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
expiry_date
string

The timestamp when the key will expire. None, if the expiry date is not scheduled for the key.

Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
is_enabled
boolean

Represents true if the key is enabled, false otherwise.

is_exportable
boolean

Represents true if the key is exportable, false otherwise.

key_availability
OneOf
object
object
$type
string
Valid values[ "available" ]
object
object
$type
string
Valid values[ "soft_deleted" ]
deleted_on
string
Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
scheduled_purge_on
string
Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
recoverable_days
integer

Soft Delete data retention days. Value should be >=7 and <=90 when soft delete is enabled, otherwise 0.

Minimum: 0
Maximum: 4294967295
recovery_level
string
Valid values[ "customized_recoverable", "customized_recoverable_and_protected_subscription", "customized_recoverable_and_purgeable", "purgeable", "recoverable", "recoverable_and_protected_subscription", "recoverable_and_purgeable", "unknown" ]
updated_at
string

The timestamp when the key was last updated. By default, it will always have the key creation timestamp as the last updated time.

Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
key_name
string

The name associated with the key version.

key_ops
Array of string (DiscoveryAzureKvKeyOperation)

Allowed key operations on the key version.

string
Valid values[ "encrypt", "decrypt", "sign", "verify", "wrap_key", "unwrap_key", "import" ]
key_rotation_date
string

Returns the date when the key will be rotated. None, when the auto key rotation is not enabled for the key.

Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
key_source
string
Valid values[ "kv", "fortanix", "other" ]
key_type
string
Valid values[ "rsa2048", "rsa3072", "rsa4096", "rsa_hsm2048", "rsa_hsm3072", "rsa_hsm4096", "ecc_nist_p256", "ecc_nist_p384", "ecc_nist_p521", "ecc_secg_p256k1", "ecc_nist_hsm_p256", "ecc_nist_hsm_p384", "ecc_nist_hsm_p521", "ecc_secg_hsm_p256k1", "oct", "oct_hsm", "unknown" ]
key_vault_access_tier
string
Valid values[ "standard", "premium" ]
key_vault_name
string

Represents the Azure Key Vault Name.

key_vault_uri
string

Represents the Azure key vault URI.

key_version
string

The key version of the scanned key.

source_scan_inventory_object
object
id
string (uuid)
scan_id
string (uuid)
tags
object

The tags associated with the key version.

property*
string additionalProperties
object
object
$type
string
Valid values[ "storage_account" ]
analysis
object
encrypted_with_expired_key
boolean | null
encrypted_with_exportable_key
boolean | null
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean | null
encrypted_with_overly_permissive_usage_key
boolean | null
encrypted_with_quantum_vulnerable_key
boolean | null
encrypted_with_shared_key
boolean | null
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
blob_anonymous_access_enabled
boolean
encryption_settings
object
key_source

The encryption key source (provider).

OneOf
object
object
$type
string
Valid values[ "key_vault" ]
key_id
string
object
object
$type
string
Valid values[ "storage" ]
kind
string
Valid values[ "blob_storage", "block_blob_storage", "file_storage", "storage", "storage_v2", "unknown" ]
name
string
object
object
$type
string
Valid values[ "container_group" ]
analysis
object
encrypted_with_expired_key
boolean | null
encrypted_with_exportable_key
boolean | null
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean
encrypted_with_overly_permissive_usage_key
boolean
encrypted_with_quantum_vulnerable_key
boolean | null
encrypted_with_shared_key
boolean
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
encryption_source
OneOf
object
object
$type
string
Valid values[ "microsoft_managed_key" ]
object
object
$type
string
Valid values[ "customer_managed_key" ]
key_id
string
name
string
object
object
$type
string
Valid values[ "managed_disk" ]
analysis
object
encrypted_with_expired_key
boolean | null
encrypted_with_exportable_key
boolean | null
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean | null
encrypted_with_overly_permissive_usage_key
boolean | null
encrypted_with_quantum_vulnerable_key
boolean | null
encrypted_with_shared_key
boolean | null
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
disk_size_gb
integer (int32)
disk_state
string

Used to represent the state of [AzureManagedDisk]. For reference: Documentation

Valid values[ "active_sas", "active_sas_frozen", "active_upload", "attached", "frozen", "ready_to_upload", "reserved", "unattached", "other" ]
disk_type
string

Used to represent SKU of [AzureManagedDisk]. For reference: Documentation

Valid values[ "premium_v2_lrs", "premium_lrs", "premium_zrs", "standard_ssd_lrs", "standard_ssd_zrs", "standard_lrs", "ultra_ssd_lrs" ]
encryption_settings

Used to describe Server-side encryption configuration of [AzureManagedDisks]

OneOf
object
object
$type
string
Valid values[ "encryption_at_rest_with_azure_managed_key" ]
object
object
$type
string
Valid values[ "confidential_vm_encrypted_with_azure_managed_key" ]
object
object
$type
string
Valid values[ "confidential_vm_encrypted_with_customer_key" ]
key_id
string
key_rotation_enabled
boolean
object
object
$type
string
Valid values[ "encryption_at_rest_with_customer_key" ]
key_id
string
key_rotation_enabled
boolean
object
object
$type
string
Valid values[ "encryption_at_rest_with_azure_and_customer_keys" ]
key_id
string
key_rotation_enabled
boolean
name
string
object
object
$type
string
Valid values[ "managed_cluster" ]
analysis
object
encrypted_with_expired_key
boolean | null
encrypted_with_exportable_key
boolean | null
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean
encrypted_with_overly_permissive_usage_key
boolean
encrypted_with_quantum_vulnerable_key
boolean | null
encrypted_with_shared_key
boolean
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
disk_encryption_details
OneOf
object
object
$type
string
Valid values[ "encryption_at_rest_with_customer_key" ]
key_id
string
key_rotation_enabled
boolean
object
object
$type
string
Valid values[ "encryption_at_rest_with_platform_key" ]
name
string
object
object
$type
string
Valid values[ "storage_account_blob" ]
analysis
object
encrypted_with_expired_key
boolean
encrypted_with_exportable_key
boolean
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean
encrypted_with_overly_permissive_usage_key
boolean
encrypted_with_quantum_vulnerable_key
boolean
encrypted_with_shared_key
boolean
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
container_name
string
encryption_settings
object
key_source

The encryption key source (provider).

OneOf
object
object
$type
string
Valid values[ "key_vault" ]
key_id
string
object
object
$type
string
Valid values[ "storage" ]
name
string
storage_account_name
string
region
string
Valid values[ "asia", "asia_pacific", "australia", "australia_central", "australia_central2", "australia_east", "australia_south_east", "brazil", "brazil_south", "brazil_south_east", "brazil_us", "canada", "canada_central", "canada_east", "central_india", "central_us", "central_us_euap", "central_us_stage", "east_asia", "east_asia_stage", "east_us", "east_us_stage", "east_us_stg", "east_us2", "east_us2_stage", "east_us2_euap", "europe", "france", "france_central", "france_south", "germany", "germany_north", "germany_west_central", "global", "india", "israel", "israel_central", "italy", "italy_north", "japan", "japan_east", "japan_west", "jio_india_central", "jio_india_west", "korea", "korea_central", "korea_south", "new_zealand", "north_central_us", "north_central_us_stage", "north_europe", "norway", "norway_east", "norway_west", "poland", "poland_central", "qatar", "qatar_central", "singapore", "south_africa", "south_africa_north", "south_africa_west", "south_central_us", "south_central_us_stage", "south_east_asia", "south_east_asia_stage", "south_india", "sweden", "sweden_central", "switzerland", "switzerland_north", "switzerland_west", "uae", "uae_central", "uae_north", "uk", "uk_south", "uk_west", "united_states", "united_states_euap", "west_central_us", "west_europe", "west_india", "west_us", "west_us_stage", "west_us2", "west_us2_stage", "west_us3", "other" ]
resource_group
object
name
string
resource_id
string
subscription
object
id
string (uuid)
name
string
tenant_id
string (uuid)
key_id
string
protected_services
Array of object (DiscoveryAzureObject)
object
details
OneOf
object
$type
string
Valid values[ "database" ]
OneOf
object
object
$db_variant
string
Valid values[ "sql_single_server" ]
properties
object
deployment_name
string
encryption_details
object
analysis
object
encrypted_with_expired_key
boolean | null
encrypted_with_exportable_key
boolean | null
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean | null
encrypted_with_overly_permissive_usage_key
boolean | null
encrypted_with_quantum_vulnerable_key
boolean | null
encrypted_with_shared_key
boolean | null
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
key_source

Specifier for optional CMK Keys.

OneOf
object
object
$type
string
Valid values[ "deployment_level_customer_managed_key" ]
key_id
string
object
object
$type
string
Valid values[ "deployment_level_microsoft_managed_key" ]
object
object
$type
string
Valid values[ "database_level_customer_managed_key" ]
key_id
string
inner_databases_properties
Array of object (DiscoveryAzureDatabaseProperties)
object
database_name
string
is_tde_enabled
boolean

If true, encryption is in place with either a CMK (customer-managed key) or an MMK (Microsoft-managed key).

tier
string

The service tiers for SQL Single Server.

Valid values[ "server", "serverless" ]
object
object
$db_variant
string
Valid values[ "sql_managed_instance" ]
properties
object
deployment_name
string
encryption_details
object
analysis
object
encrypted_with_expired_key
boolean | null
encrypted_with_exportable_key
boolean | null
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean | null
encrypted_with_overly_permissive_usage_key
boolean | null
encrypted_with_quantum_vulnerable_key
boolean | null
encrypted_with_shared_key
boolean | null
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
key_source

Specifier for optional CMK Keys.

OneOf
object
object
$type
string
Valid values[ "deployment_level_customer_managed_key" ]
key_id
string
object
object
$type
string
Valid values[ "deployment_level_microsoft_managed_key" ]
object
object
$type
string
Valid values[ "database_level_customer_managed_key" ]
key_id
string
inner_databases_properties
Array of object (DiscoveryAzureDatabaseProperties)
object
database_name
string
is_tde_enabled
boolean

If true, encryption is in place with either a CMK (customer-managed key) or an MMK (Microsoft-managed key).

object
object
$db_variant
string
Valid values[ "sql_managed_instance_pool" ]
properties
object
deployment_name
string
encryption_details
object
analysis
object
encrypted_with_expired_key
boolean | null
encrypted_with_exportable_key
boolean | null
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean | null
encrypted_with_overly_permissive_usage_key
boolean | null
encrypted_with_quantum_vulnerable_key
boolean | null
encrypted_with_shared_key
boolean | null
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
key_source

Specifier for optional CMK Keys.

OneOf
object
object
$type
string
Valid values[ "deployment_level_customer_managed_key" ]
key_id
string
object
object
$type
string
Valid values[ "deployment_level_microsoft_managed_key" ]
object
object
$type
string
Valid values[ "database_level_customer_managed_key" ]
key_id
string
inner_databases_properties
Array of object (DiscoveryAzureDatabaseProperties)
object
database_name
string
is_tde_enabled
boolean

If true, encryption is in place with either a CMK (customer-managed key) or an MMK (Microsoft-managed key).

object
object
$db_variant
string
Valid values[ "cosmos_db" ]
api
string

The API a Cosmos database exposes to applications. Some possible values currently available in Azure are "Sql", "MongoDB", "Cassandra", ... This may be directly exposed in the frontend.

properties
object
deployment_name
string
encryption_details
object
analysis
object
encrypted_with_expired_key
boolean | null
encrypted_with_exportable_key
boolean | null
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean | null
encrypted_with_overly_permissive_usage_key
boolean | null
encrypted_with_quantum_vulnerable_key
boolean | null
encrypted_with_shared_key
boolean | null
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
key_source

Specifier for optional CMK Keys.

OneOf
object
object
$type
string
Valid values[ "deployment_level_customer_managed_key" ]
key_id
string
object
object
$type
string
Valid values[ "deployment_level_microsoft_managed_key" ]
object
object
$type
string
Valid values[ "database_level_customer_managed_key" ]
key_id
string
inner_databases_properties
Array of object (DiscoveryAzureDatabaseProperties)
object
database_name
string
is_tde_enabled
boolean

If true, encryption is in place with either a CMK (customer-managed key) or an MMK (Microsoft-managed key).

object
object
$type
string
Valid values[ "kv_key_version" ]
analysis
object
crypto_policy_compliance
object
is_compliant
boolean

Represents whether the key is compliant with the crypto policy.

violation_reason
string | null

Represents the violation reason if the key is non-compliant with the crypto policy, otherwise None.

is_shared
boolean

Defaults to false. Will be true only if underlying key is used to encrypt multiple services.

overly_permissive_key_violations
object
management_violations
Array of object (DiscoveryAzureKvKeyPolicyInfo)
object
principal_id
string
role_assignment_id
string
role_definition_id
string
usage_violations
Array of object (DiscoveryAzureKvKeyPolicyInfo)
object
principal_id
string
role_assignment_id
string
role_definition_id
string
usage_details
object
encrypt
object
service_count
integer
usages
Array of string (DiscoveryKeyUsage) | null
string
Valid values[ "encrypt", "unused" ]
is_current_version
boolean

True if this is the latest key version, False otherwise.

is_key_managed
boolean

True if the key version's lifetime is managed by key vault, False otherwise.

key_attributes
object
activation_date
string

The timestamp when the key will be activated. None, if the activation date is not set for the key.

Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
created_at
string

The timestamp of creation of the key.

Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
expiry_date
string

The timestamp when the key will expire. None, if the expiry date is not scheduled for the key.

Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
is_enabled
boolean

Represents true if the key is enabled, false otherwise.

is_exportable
boolean

Represents true if the key is exportable, false otherwise.

key_availability
OneOf
object
object
$type
string
Valid values[ "available" ]
object
object
$type
string
Valid values[ "soft_deleted" ]
deleted_on
string
Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
scheduled_purge_on
string
Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
recoverable_days
integer

Soft Delete data retention days. Value should be >=7 and <=90 when soft delete is enabled, otherwise 0.

Minimum: 0
Maximum: 4294967295
recovery_level
string
Valid values[ "customized_recoverable", "customized_recoverable_and_protected_subscription", "customized_recoverable_and_purgeable", "purgeable", "recoverable", "recoverable_and_protected_subscription", "recoverable_and_purgeable", "unknown" ]
updated_at
string

The timestamp when the key was last updated. By default, it will always have the key creation timestamp as the last updated time.

Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
key_name
string

The name associated with the key version.

key_ops
Array of string (DiscoveryAzureKvKeyOperation)

Allowed key operations on the key version.

string
Valid values[ "encrypt", "decrypt", "sign", "verify", "wrap_key", "unwrap_key", "import" ]
key_rotation_date
string

Returns the date when the key will be rotated. None, when the auto key rotation is not enabled for the key.

Pattern: ^\d{4}\d{2}\d{2}T\d{2}\d{2}\d{2}Z$
Example: 20170509T070912Z
key_source
string
Valid values[ "kv", "fortanix", "other" ]
key_type
string
Valid values[ "rsa2048", "rsa3072", "rsa4096", "rsa_hsm2048", "rsa_hsm3072", "rsa_hsm4096", "ecc_nist_p256", "ecc_nist_p384", "ecc_nist_p521", "ecc_secg_p256k1", "ecc_nist_hsm_p256", "ecc_nist_hsm_p384", "ecc_nist_hsm_p521", "ecc_secg_hsm_p256k1", "oct", "oct_hsm", "unknown" ]
key_vault_access_tier
string
Valid values[ "standard", "premium" ]
key_vault_name
string

Represents the Azure Key Vault Name.

key_vault_uri
string

Represents the Azure key vault URI.

key_version
string

The key version of the scanned key.

source_scan_inventory_object
object
id
string (uuid)
scan_id
string (uuid)
tags
object

The tags associated with the key version.

property*
string additionalProperties
object
object
$type
string
Valid values[ "storage_account" ]
analysis
object
encrypted_with_expired_key
boolean | null
encrypted_with_exportable_key
boolean | null
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean | null
encrypted_with_overly_permissive_usage_key
boolean | null
encrypted_with_quantum_vulnerable_key
boolean | null
encrypted_with_shared_key
boolean | null
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
blob_anonymous_access_enabled
boolean
encryption_settings
object
key_source

The encryption key source (provider).

OneOf
object
object
$type
string
Valid values[ "key_vault" ]
key_id
string
object
object
$type
string
Valid values[ "storage" ]
kind
string
Valid values[ "blob_storage", "block_blob_storage", "file_storage", "storage", "storage_v2", "unknown" ]
name
string
object
object
$type
string
Valid values[ "container_group" ]
analysis
object
encrypted_with_expired_key
boolean | null
encrypted_with_exportable_key
boolean | null
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean
encrypted_with_overly_permissive_usage_key
boolean
encrypted_with_quantum_vulnerable_key
boolean | null
encrypted_with_shared_key
boolean
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
encryption_source
OneOf
object
object
$type
string
Valid values[ "microsoft_managed_key" ]
object
object
$type
string
Valid values[ "customer_managed_key" ]
key_id
string
name
string
object
object
$type
string
Valid values[ "managed_disk" ]
analysis
object
encrypted_with_expired_key
boolean | null
encrypted_with_exportable_key
boolean | null
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean | null
encrypted_with_overly_permissive_usage_key
boolean | null
encrypted_with_quantum_vulnerable_key
boolean | null
encrypted_with_shared_key
boolean | null
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
disk_size_gb
integer (int32)
disk_state
string

Used to represent the state of [AzureManagedDisk]. For reference: Documentation

Valid values[ "active_sas", "active_sas_frozen", "active_upload", "attached", "frozen", "ready_to_upload", "reserved", "unattached", "other" ]
disk_type
string

Used to represent SKU of [AzureManagedDisk]. For reference: Documentation

Valid values[ "premium_v2_lrs", "premium_lrs", "premium_zrs", "standard_ssd_lrs", "standard_ssd_zrs", "standard_lrs", "ultra_ssd_lrs" ]
encryption_settings

Used to describe Server-side encryption configuration of [AzureManagedDisks]

OneOf
object
object
$type
string
Valid values[ "encryption_at_rest_with_azure_managed_key" ]
object
object
$type
string
Valid values[ "confidential_vm_encrypted_with_azure_managed_key" ]
object
object
$type
string
Valid values[ "confidential_vm_encrypted_with_customer_key" ]
key_id
string
key_rotation_enabled
boolean
object
object
$type
string
Valid values[ "encryption_at_rest_with_customer_key" ]
key_id
string
key_rotation_enabled
boolean
object
object
$type
string
Valid values[ "encryption_at_rest_with_azure_and_customer_keys" ]
key_id
string
key_rotation_enabled
boolean
name
string
object
object
$type
string
Valid values[ "managed_cluster" ]
analysis
object
encrypted_with_expired_key
boolean | null
encrypted_with_exportable_key
boolean | null
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean
encrypted_with_overly_permissive_usage_key
boolean
encrypted_with_quantum_vulnerable_key
boolean | null
encrypted_with_shared_key
boolean
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
disk_encryption_details
OneOf
object
object
$type
string
Valid values[ "encryption_at_rest_with_customer_key" ]
key_id
string
key_rotation_enabled
boolean
object
object
$type
string
Valid values[ "encryption_at_rest_with_platform_key" ]
name
string
object
object
$type
string
Valid values[ "storage_account_blob" ]
analysis
object
encrypted_with_expired_key
boolean
encrypted_with_exportable_key
boolean
encrypted_with_noncompliant_key
boolean
encrypted_with_overly_permissive_management_key
boolean
encrypted_with_overly_permissive_usage_key
boolean
encrypted_with_quantum_vulnerable_key
boolean
encrypted_with_shared_key
boolean
key_availability
string

This enum will be used for denoting key availability for all services in all cloud providers. Each variant corresponds to a different state of the key used to encrypt the service. If a service is not encrypted, the key will be marked as Unknown.

Valid values[ "available", "soft_deleted", "purged", "cross_account", "unknown" ]
container_name
string
encryption_settings
object
key_source

The encryption key source (provider).

OneOf
object
object
$type
string
Valid values[ "key_vault" ]
key_id
string
object
object
$type
string
Valid values[ "storage" ]
name
string
storage_account_name
string
region
string
Valid values[ "asia", "asia_pacific", "australia", "australia_central", "australia_central2", "australia_east", "australia_south_east", "brazil", "brazil_south", "brazil_south_east", "brazil_us", "canada", "canada_central", "canada_east", "central_india", "central_us", "central_us_euap", "central_us_stage", "east_asia", "east_asia_stage", "east_us", "east_us_stage", "east_us_stg", "east_us2", "east_us2_stage", "east_us2_euap", "europe", "france", "france_central", "france_south", "germany", "germany_north", "germany_west_central", "global", "india", "israel", "israel_central", "italy", "italy_north", "japan", "japan_east", "japan_west", "jio_india_central", "jio_india_west", "korea", "korea_central", "korea_south", "new_zealand", "north_central_us", "north_central_us_stage", "north_europe", "norway", "norway_east", "norway_west", "poland", "poland_central", "qatar", "qatar_central", "singapore", "south_africa", "south_africa_north", "south_africa_west", "south_central_us", "south_central_us_stage", "south_east_asia", "south_east_asia_stage", "south_india", "sweden", "sweden_central", "switzerland", "switzerland_north", "switzerland_west", "uae", "uae_central", "uae_north", "uk", "uk_south", "uk_west", "united_states", "united_states_euap", "west_central_us", "west_europe", "west_india", "west_us", "west_us_stage", "west_us2", "west_us2_stage", "west_us3", "other" ]
resource_group
object
name
string
resource_id
string
subscription
object
id
string (uuid)
name
string
tenant_id
string (uuid)