Key Vault - oWretch/policy GitHub Wiki
| Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
|---|---|---|---|---|---|---|---|---|---|---|
| Key Vault |
[Preview]: Azure Key Vault Managed HSM keys should have an expiration date To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Key Vault |
[Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Key Vault |
[Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Key Vault |
[Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Key Vault |
[Preview]: Azure Key Vault Managed HSM should disable public network access Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. |
Deny Disabled Audit |
||||||||
| Key Vault |
[Preview]: Configure Azure Key Vault Managed HSM to disable public network access Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm. |
Modify Disabled |
Modify Disabled |
|||||||
| Key Vault |
Azure Key Vault Managed HSM should have purge protection enabled Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Key Vault |
Azure Key Vault should disable public network access Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink. |
Deny Disabled Audit |
||||||||
| Key Vault |
Azure Key Vault should have firewall enabled or public network access disabled Enable the key vault firewall so that the key vault is not accessible by default to any public IPs or disable public network access for your key vault so that it's not accessible over the public internet. Optionally, you can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security and https://aka.ms/akvprivatelink |
Audit Deny Disabled |
Audit Deny Disabled |
Audit Deny Disabled |
||||||
| Key Vault |
Azure Key Vault should use RBAC permission model Enable RBAC permission model across Key Vaults. Learn more at: https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-migration |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
| Key Vault |
Azure Key Vaults should use private link Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/akvprivatelink. |
Audit Disabled |
||||||||
| Key Vault |
Certificates should be issued by the specified integrated certificate authority Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. |
Deny deny disabled audit |
Deny deny disabled audit |
|||||||
| Key Vault |
Certificates should be issued by the specified non-integrated certificate authority Manage your organizational compliance requirements by specifying one custom or internal certificate authorities that can issue certificates in your key vault. |
Disabled deny disabled audit |
Disabled deny disabled audit |
|||||||
| Key Vault |
Certificates should have the specified lifetime action triggers Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. |
Audit deny disabled audit |
Audit deny disabled audit |
|||||||
| Key Vault |
Certificates should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |
Disabled deny disabled audit |
Disabled deny disabled audit |
disabled deny audit |
||||||
| Key Vault |
Certificates should not expire within the specified number of days Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. |
Deny deny disabled audit |
Deny deny disabled audit |
|||||||
| Key Vault |
Certificates should use allowed key types Manage your organizational compliance requirements by restricting the key types allowed for certificates. |
Deny deny disabled audit |
Deny deny disabled audit |
|||||||
| Key Vault |
Certificates using elliptic curve cryptography should have allowed curve names Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy. |
Deny deny disabled audit |
Deny deny disabled audit |
|||||||
| Key Vault |
Certificates using RSA cryptography should have the specified minimum key size Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. |
Deny deny disabled audit |
Deny deny disabled audit |
|||||||
| Key Vault |
Configure Azure Key Vaults to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. |
DeployIfNotExists Disabled |
||||||||
| Key Vault |
Configure key vaults to enable firewall Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. You can then configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security |
Modify Disabled |
Modify Disabled |
|||||||
| Key Vault |
Deploy Activity Log Key Vault Delete Alert Policy to Deploy Activity Log Key Vault Delete Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
deployIfNotExists disabled |
||||||
| Key Vault |
Deploy Activity Log Managed HSMs Delete Alert Policy to Deploy Activity Log Managed HSMs Delete Alert |
deployIfNotExists disabled |
deployIfNotExists disabled |
deployIfNotExists disabled |
||||||
| Key Vault |
Deploy Key Vault Availability Alert Policy to audit/deploy KeyVault Availability Alert |
disabled deployIfNotExists |
disabled deployIfNotExists |
disabled deployIfNotExists |
||||||
| Key Vault |
Deploy Key Vault Capacity Alert Policy to audit/deploy KeyVault Capacity Alert |
disabled deployIfNotExists |
disabled deployIfNotExists |
disabled deployIfNotExists |
||||||
| Key Vault |
Deploy Key Vault Latency Alert Policy to audit/deploy KeyVault Latency Alert |
disabled deployIfNotExists |
disabled deployIfNotExists |
disabled deployIfNotExists |
||||||
| Key Vault |
Deploy Key Vault Requests Alert Policy to audit/deploy KeyVault Requests Alert |
disabled deployIfNotExists |
disabled deployIfNotExists |
disabled deployIfNotExists |
||||||
| Key Vault |
Deploy Managed HSMs Availability Alert Policy to audit/deploy Managed HSMs Availability Alert |
disabled deployIfNotExists |
disabled deployIfNotExists |
disabled deployIfNotExists |
||||||
| Key Vault |
Deploy Managed HSMs Latency Alert Policy to audit/deploy Managed HSMs Latency Alert |
disabled deployIfNotExists |
disabled deployIfNotExists |
disabled deployIfNotExists |
||||||
| Key Vault |
Key Vault keys should have an expiration date Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys. |
Audit Deny Disabled |
Audit Deny Disabled |
Disabled Deny Audit |
||||||
| Key Vault |
Key Vault secrets should have an expiration date Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets. |
Audit Deny Disabled |
Audit Deny Disabled |
Disabled Deny Audit |
||||||
| Key Vault |
Key vaults should have deletion protection enabled Malicious deletion of a key vault can lead to permanent data loss. You can prevent permanent data loss by enabling purge protection and soft delete. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. Keep in mind that key vaults created after September 1st 2019 have soft-delete enabled by default. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
| Key Vault |
Key vaults should have soft delete enabled Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period. |
Deny Disabled Audit |
Deny Disabled Audit |
Audit Deny Disabled |
||||||
| Key Vault |
Keys should be the specified cryptographic type RSA or EC Some applications require the use of keys backed by a specific cryptographic type. Enforce a particular cryptographic key type, RSA or EC, in your environment. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Key Vault |
Keys should have more than the specified number of days before expiration If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. |
Audit Deny Disabled |
Audit Deny Disabled |
|||||||
| Key Vault |
Keys should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault. |
Disabled Deny Audit |
Disabled Deny Audit |
|||||||
| Key Vault |
Keys should not be active for longer than the specified number of days Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years. |
Disabled Deny Audit |
Disabled Deny Audit |
|||||||
| Key Vault |
Keys using elliptic curve cryptography should have the specified curve names Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Key Vault |
Keys using RSA cryptography should have a specified minimum key size Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Key Vault |
Resource logs in Key Vault should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised |
AuditIfNotExists Disabled |
||||||||
| Key Vault |
Secrets should have content type set A content type tag helps identify whether a secret is a password, connection string, etc. Different secrets have different rotation requirements. Content type tag should be set on secrets. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Key Vault |
Secrets should have more than the specified number of days before expiration If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. |
Audit Deny Disabled |
Audit Deny Disabled |
|||||||
| Key Vault |
Secrets should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault. |
Deny Disabled Audit |
Deny Disabled Audit |
|||||||
| Key Vault |
Secrets should not be active for longer than the specified number of days If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. |
Disabled Deny Audit |
Disabled Deny Audit |
| Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
|---|---|---|---|---|---|---|---|---|---|---|
| Key Vault |
[Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. |
keyVaultHsmMinimumDaysBeforeExpirationV... = 90
|
keyVaultHsmMinimumDaysBeforeExpirationV... = 90
|
|||||||
| Key Vault |
[Preview]: Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment. |
keyVaultHmsCurveNamesValue = ["P-256", "P-256K", "P-384", "P-521"]
|
keyVaultHmsCurveNamesValue = ["P-256", "P-256K", "P-384", "P-521"]
|
|||||||
| Key Vault |
[Preview]: Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size To use this policy in preview, you must first follow these instructions at https://aka.ms/mhsmgovernance. Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. |
keyVaultManagedHsmMinimumRSAKeySizeValue = 2048
|
keyVaultManagedHsmMinimumRSAKeySizeValue = 2048
|
|||||||
| Key Vault |
Certificates should be issued by the specified integrated certificate authority Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign. |
keyVaultIntegratedCaValue = ["DigiCert", "GlobalSign"]
|
keyVaultIntegratedCaValue = ["DigiCert", "GlobalSign"]
|
|||||||
| Key Vault |
Certificates should be issued by the specified non-integrated certificate authority Manage your organizational compliance requirements by specifying one custom or internal certificate authorities that can issue certificates in your key vault. |
keyVaultNonIntegratedCaValue = `` | keyVaultNonIntegratedCaValue = `` | |||||||
| Key Vault |
Certificates should have the specified lifetime action triggers Manage your organizational compliance requirements by specifying whether a certificate lifetime action is triggered at a specific percentage of its lifetime or at a certain number of days prior to its expiration. |
maximumCertLifePercentageLife = 80minimumCertLifeDaysBeforeExpiry = 90
|
maximumCertLifePercentageLife = 80minimumCertLifeDaysBeforeExpiry = 90
|
|||||||
| Key Vault |
Certificates should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault. |
keyVaultCertValidPeriod = 12
|
keyVaultCertValidPeriod = 12
|
certificatesValidityPeriodInMonths = 12
|
||||||
| Key Vault |
Certificates should not expire within the specified number of days Manage certificates that will expire within a specified number of days to ensure your organization has sufficient time to rotate the certificate prior to expiration. |
keyVaultCertificateNotExpireWithinSpeci... = 90
|
keyVaultCertificateNotExpireWithinSpeci... = 90
|
|||||||
| Key Vault |
Certificates using RSA cryptography should have the specified minimum key size Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. |
keyVaultMinimumRSACertificateSizeValue = 2048
|
keyVaultMinimumRSACertificateSizeValue = 2048
|
|||||||
| Key Vault |
Configure Azure Key Vaults to use private DNS zones Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink. |
azureKeyVaultPrivateDnsZoneId = --DNSZonePrefix--privatelink.vaultcore....
|
||||||||
| Key Vault |
Deploy Activity Log Key Vault Delete Alert Policy to Deploy Activity Log Key Vault Delete Alert |
activityKVDeleteAlertState = true
|
ALZMonitorResourceGroupLocation = eastusALZMonitorResourceGroupName = rg-amba-monitoring-001ALZMonitorResourceGroupTags = {"Project":"amba-monitoring"}activityKVDeleteAlertState = true
|
ALZMonitorResourceGroupLocation = eastusALZMonitorResourceGroupName = rg-amba-monitoring-001ALZMonitorResourceGroupTags = {"Project":"amba-monitoring"}activityKVDeleteAlertState = true
|
||||||
| Key Vault |
Deploy Activity Log Managed HSMs Delete Alert Policy to Deploy Activity Log Managed HSMs Delete Alert |
activityHSMsDeleteAlertState = true
|
activityHSMsDeleteAlertState = true
|
activityHSMsDeleteAlertState = true
|
||||||
| Key Vault |
Deploy Key Vault Availability Alert Policy to audit/deploy KeyVault Availability Alert |
KvAvailabilityAlertState = trueKvAvailabilityWindowSize = PT1MKVAvailabilityThreshold = 20KvAvailabilityEvaluationFrequency = PT1MKvAvailabilityAlertSeverity = 1
|
KvAvailabilityAlertState = trueKvAvailabilityWindowSize = PT1MKVAvailabilityThreshold = 20KvAvailabilityEvaluationFrequency = PT1MKvAvailabilityAlertSeverity = 1
|
KvAvailabilityAlertState = trueKvAvailabilityWindowSize = PT1MKVAvailabilityThreshold = 20KvAvailabilityEvaluationFrequency = PT1MKvAvailabilityAlertSeverity = 1
|
||||||
| Key Vault |
Deploy Key Vault Capacity Alert Policy to audit/deploy KeyVault Capacity Alert |
KVCapacityWindowSize = PT5MKVCapacityThreshold = 75KVCapacityAlertState = trueKVCapacityAlertSeverity = 1KVCapacityEvaluationFrequency = PT1M
|
KVCapacityWindowSize = PT5MKVCapacityThreshold = 75KVCapacityAlertState = trueKVCapacityAlertSeverity = 1KVCapacityEvaluationFrequency = PT1M
|
KVCapacityWindowSize = PT5MKVCapacityThreshold = 75KVCapacityAlertState = trueKVCapacityAlertSeverity = 1KVCapacityEvaluationFrequency = PT1M
|
||||||
| Key Vault |
Deploy Key Vault Latency Alert Policy to audit/deploy KeyVault Latency Alert |
KvLatencyAvailabilityEvaluationFrequency = PT5MKvLatencyAvailabilityWindowSize = PT5MKvLatencyAvailabilityAlertSeverity = 3KvLatencyAvailabilityAlertState = trueKvLatencyAvailabilityThreshold = 1000
|
KvLatencyAvailabilityEvaluationFrequency = PT5MKvLatencyAvailabilityWindowSize = PT5MKvLatencyAvailabilityAlertSeverity = 3KvLatencyAvailabilityAlertState = trueKvLatencyAvailabilityThreshold = 1000
|
KvLatencyAvailabilityEvaluationFrequency = PT5MKvLatencyAvailabilityWindowSize = PT5MKvLatencyAvailabilityAlertSeverity = 3KvLatencyAvailabilityAlertState = trueKvLatencyAvailabilityThreshold = 1000
|
||||||
| Key Vault |
Deploy Key Vault Requests Alert Policy to audit/deploy KeyVault Requests Alert |
KVRequestWindowSize = PT5MKVRequestEvaluationFrequency = PT5MKVRequestAlertState = trueKVRequestAlertSeverity = 2
|
KVRequestWindowSize = PT5MKVRequestEvaluationFrequency = PT5MKVRequestAlertState = trueKVRequestAlertSeverity = 2
|
KVRequestEvaluationFrequency = PT5MKVRequestWindowSize = PT5MALZMonitorDisableTagValues = ["true", "Test", "Dev", "Sandbox"]KVRequestAlertSeverity = 2KVRequestAlertState = trueALZMonitorDisableTagName = MonitorDisable
|
||||||
| Key Vault |
Deploy Managed HSMs Availability Alert Policy to audit/deploy Managed HSMs Availability Alert |
HSMsAvailabilityWindowSize = PT1MHSMsAvailabilityAlertState = trueHSMsAvailabilityAlertSeverity = 1HSMsAvailabilityEvaluationFrequency = PT1MHSMsAvailabilityThreshold = 20
|
HSMsAvailabilityWindowSize = PT1MHSMsAvailabilityAlertState = trueHSMsAvailabilityAlertSeverity = 1HSMsAvailabilityEvaluationFrequency = PT1MHSMsAvailabilityThreshold = 20
|
HSMsAvailabilityWindowSize = PT1MHSMsAvailabilityAlertState = trueHSMsAvailabilityAlertSeverity = 1HSMsAvailabilityEvaluationFrequency = PT1MHSMsAvailabilityThreshold = 20
|
||||||
| Key Vault |
Deploy Managed HSMs Latency Alert Policy to audit/deploy Managed HSMs Latency Alert |
HSMsLatencyAvailabilityAlertState = trueHSMsLatencyAvailabilityThreshold = 1000HSMsLatencyAvailabilityWindowSize = PT5MHSMsLatencyAvailabilityEvaluationFrequency = PT5MHSMsLatencyAvailabilityAlertSeverity = 3
|
HSMsLatencyAvailabilityAlertState = trueHSMsLatencyAvailabilityThreshold = 1000HSMsLatencyAvailabilityWindowSize = PT5MHSMsLatencyAvailabilityEvaluationFrequency = PT5MHSMsLatencyAvailabilityAlertSeverity = 3
|
HSMsLatencyAvailabilityAlertState = trueHSMsLatencyAvailabilityThreshold = 1000HSMsLatencyAvailabilityWindowSize = PT5MHSMsLatencyAvailabilityEvaluationFrequency = PT5MHSMsLatencyAvailabilityAlertSeverity = 3
|
||||||
| Key Vault |
Keys should have more than the specified number of days before expiration If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. |
minimumKeysLifeDaysBeforeExpiry = 90
|
minimumKeysLifeDaysBeforeExpiry = 90
|
|||||||
| Key Vault |
Keys should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time in days that a key can be valid within your key vault. |
keysValidityInDays = 90
|
keysValidityInDays = 90
|
|||||||
| Key Vault |
Keys should not be active for longer than the specified number of days Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years. |
keysActiveInDays = 90
|
keysActiveInDays = 90
|
|||||||
| Key Vault |
Keys using RSA cryptography should have a specified minimum key size Set the minimum allowed key size for use with your key vaults. Use of RSA keys with small key sizes is not a secure practice and doesn't meet many industry certification requirements. |
keyVaultMinimumRSAKeySizeValue = 2048
|
keyVaultMinimumRSAKeySizeValue = 2048
|
|||||||
| Key Vault |
Resource logs in Key Vault should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised |
diagnosticsLogsInKeyVaultRetentionDays = 1
|
||||||||
| Key Vault |
Secrets should have more than the specified number of days before expiration If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure. |
minimumSecretsLifeDaysBeforeExpiry = 90
|
minimumSecretsLifeDaysBeforeExpiry = 90
|
|||||||
| Key Vault |
Secrets should have the specified maximum validity period Manage your organizational compliance requirements by specifying the maximum amount of time in days that a secret can be valid within your key vault. |
secretsValidityInDays = 90
|
secretsValidityInDays = 90
|
|||||||
| Key Vault |
Secrets should not be active for longer than the specified number of days If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. |
secretsActiveInDays = 90
|
secretsActiveInDays = 90
|