GmezGonzlezMara-4121 asked:

Policy to deny the creation of secrets without expiration date set in Key Vault

Hi, I'm trying to create a policy in order to deny the creation of secrets without expiration date set in Key Vault.

What I have is the following, but it's not working. It lets me create secrets no matter what. I don't know why it is not applying. Could you help me please?


 {
   "mode": "All",
   "policyRule": {
     "if": {
       "allOf": [
         {
           "field": "type",
           "equals": "Microsoft.KeyVault/vaults/secrets"
         },
         {
           "field": "Microsoft.KeyVault/vaults/secrets/attributes.exp",
           "exists": false
         }
       ]
     },
     "then": {
       "effect": "[parameters('effect')]"
     }
   },
   "parameters": {
     "effect": {
       "type": "String",
       "metadata": {
         "displayName": "Effect",
         "description": "Deny creation of secrets without expiration date."
       },
       "allowedValues": [
         "Audit",
         "Deny",
         "Disabled"
       ],
       "defaultValue": "Deny"
     }
   }
 }



Thanks so much in advance,
María



Tags: azure-key-vault, azure-policy

1 Answer

JamesTran-MSFT answered:

@GmezGonzlezMara-4121
Thank you for your post!

When it comes to creating a policy where Secrets should have a defined expiration date and not be permanent, you should be able to do this via the Azure Policy built-in definitions for Key Vault.

Key Vault secrets should have an expiration date:

   "properties": {
     "displayName": "Key Vault secrets should have an expiration date",
     "policyType": "BuiltIn",
     "mode": "Microsoft.KeyVault.Data",
     "description": "Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.",
     "metadata": {
       "version": "1.0.2",
       "category": "Key Vault"
     },
     "parameters": {
       "effect": {
         "type": "String",
         "metadata": {
           "displayName": "Effect",
           "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
         },
         "allowedValues": [
           "Audit",
           "Deny",
           "Disabled"
         ],
         "defaultValue": "Audit"
       }
     },
     "policyRule": {
       "if": {
         "allOf": [
           {
             "field": "type",
             "equals": "Microsoft.KeyVault.Data/vaults/secrets"
           },
           {
             "field": "Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn",
             "exists": false
           }
         ]
       },
       "then": {
         "effect": "[parameters('effect')]"
       }
     }
   }
 }

For your specific policy, it looks like you might have to change attributes.exp to /attributes.expiresOn:

         "allOf": [
           {
             "field": "type",
             "equals": "Microsoft.KeyVault.Data/vaults/secrets"
           },
           {
             "field": "Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn",
             "exists": false

Additional Built-in Policies: (screenshot attached in the original answer, not reproduced here)


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
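The built-in definition quoted above evaluates Key Vault's data plane (mode Microsoft.KeyVault.Data) and tests the attributes.expiresOn alias. The following is an added example, not from this post or from Azure Policy, that applies the allOf / equals / exists rule shape to constructed secret records, so you can see that a secret presenting the data-plane type is denied by the built-in rule but never matches the question's type condition. Both rule bodies, the sample secrets and the simplified alias resolution are assumptions made for the example.

```python
# Added example (not from the post or from Azure Policy): a minimal evaluator for
# the allOf / equals / exists rule shape shown above. Rules and secrets are constructed.
QUESTION_RULE = {"if": {"allOf": [   # the question's rule: ARM type, attributes.exp
    {"field": "type", "equals": "Microsoft.KeyVault/vaults/secrets"},
    {"field": "Microsoft.KeyVault/vaults/secrets/attributes.exp", "exists": False}]},
    "then": {"effect": "Deny"}}
BUILTIN_RULE = {"if": {"allOf": [    # the built-in's rule: data-plane type, expiresOn
    {"field": "type", "equals": "Microsoft.KeyVault.Data/vaults/secrets"},
    {"field": "Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn",
     "exists": False}]},
    "then": {"effect": "Deny"}}
# Constructed sample secrets as the Key Vault data-plane evaluation would see them.
SECRET_NO_EXPIRY = {"type": "Microsoft.KeyVault.Data/vaults/secrets",
                    "name": "db-password", "attributes": {"enabled": True}}
SECRET_WITH_EXPIRY = {"type": "Microsoft.KeyVault.Data/vaults/secrets",
                      "name": "api-token",
                      "attributes": {"enabled": True, "expiresOn": "2025-01-01T00:00:00Z"}}

def get_field(resource, field):
    """Resolve 'type' directly; resolve an alias '<type>/<a.b>' only when its
    type prefix matches the resource's own type, then walk the dotted path."""
    if field == "type":
        return resource.get("type")
    prefix = resource.get("type", "") + "/"
    if not field.startswith(prefix):
        return None  # alias belongs to a different resource type
    value = resource
    for part in field[len(prefix):].split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value

def condition_holds(cond, resource):
    """Support the two condition operators used in the page's rules."""
    value = get_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "exists" in cond:
        want = str(cond["exists"]).lower() == "true"  # accepts bool or "false"
        return (value is not None) == want
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(rule, resource):
    """Return the rule's effect when every allOf condition holds, else None."""
    if all(condition_holds(c, resource) for c in rule["if"]["allOf"]):
        return rule["then"]["effect"]
    return None
```

Running `evaluate(QUESTION_RULE, SECRET_NO_EXPIRY)` returns None because the type condition fails, which is the silent non-match the question describes; the built-in rule returns "Deny" for the same secret.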



JamesTran-MSFT commented:

@GmezGonzlezMara-4121
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

GmezGonzlezMara-4121 commented:

Hi, sorry for not replying sooner, I was working and wasn't able to answer.

The thing is I don't have permissions to change built-in policies; that's why I want to create a 'custom' one. But the thing is I can't use '/attributes.expiresOn' because that's only accessible from 'built-in' policies. Is there any other way to do this? Or do I have to use a 'built-in' policy no matter what?

Thanks so much for your quick answer.

JamesTran-MSFT commented:

@GmezGonzlezMara-4121
Thank you for following up on this!

For the custom policy that you built - how long after applying the policy, did you wait to create a Secret with no expiration date?

I'm asking because, based on our Integrate Azure Key Vault with Azure Policy documentation and some internal support cases, there's a feature limitation where assigning a policy with a "deny" effect may take up to 30 mins (average case) and 1 hour (worst case) to start denying the creation of non-compliant resources. For more info.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

GmezGonzlezMara-4121 commented:

Hi again,

I just tried creating a secret without an expiration date now and it let me do it without a problem, so the policy is not working.

Thanks again for your answer.