last sync: 2021-Aug-04 14:59:26 UTC

Azure Policy definition

Storage account keys should not be expired

Name: Storage account keys should not be expired
Id: 044985bb-afe1-42cd-8a36-9d5d42424537
Version: 3.0.0
Category: Storage
Description: Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired.
Mode: Indexed
Type: BuiltIn
Preview: FALSE
Deprecated: FALSE
Effect: Default: Audit. Allowed: Audit, Deny, Disabled
Used RBAC Role: none
History

Date/Time (UTC)       Change type   Change detail
2021-07-30 15:17:20   change        Major (2.0.0 > 3.0.0)
2021-07-07 15:26:31   change        Major (1.0.0 > 2.0.0)
2021-05-11 14:06:18   add           044985bb-afe1-42cd-8a36-9d5d42424537

Used in Initiatives

Initiative DisplayName                  Initiative Id                          Initiative Category     State
[Preview]: New Zealand ISM Restricted   d1a462af-7e6d-4901-98ac-61570b4ed22a   Regulatory Compliance   Preview

JSON
{
  "properties": {
    "displayName": "Storage account keys should not be expired",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired.",
    "metadata": {
      "version": "3.0.0",
      "category": "Storage"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit allows a non-compliant resource to be created, but flags it as non-compliant. Deny blocks the resource creation and update. Disable turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "value": "[utcNow()]",
                "greater": "[if(and(not(empty(coalesce(field('Microsoft.Storage/storageAccounts/keyCreationTime.key1'), ''))), not(empty(string(coalesce(field('Microsoft.Storage/storageAccounts/keyPolicy.keyExpirationPeriodInDays'), ''))))), addDays(field('Microsoft.Storage/storageAccounts/keyCreationTime.key1'), field('Microsoft.Storage/storageAccounts/keyPolicy.keyExpirationPeriodInDays')), utcNow())]"
              },
              {
                "value": "[utcNow()]",
                "greater": "[if(and(not(empty(coalesce(field('Microsoft.Storage/storageAccounts/keyCreationTime.key2'), ''))), not(empty(string(coalesce(field('Microsoft.Storage/storageAccounts/keyPolicy.keyExpirationPeriodInDays'), ''))))), addDays(field('Microsoft.Storage/storageAccounts/keyCreationTime.key2'), field('Microsoft.Storage/storageAccounts/keyPolicy.keyExpirationPeriodInDays')), utcNow())]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "044985bb-afe1-42cd-8a36-9d5d42424537"
}