AzPolicyAdvertizer

last sync: 2021-Sep-24 16:09:49 UTC

Azure Policy definition

Certificates should use allowed key types

Name Certificates should use allowed key types
Azure Portal
Id 1151cede-290b-4ba0-8b38-0ad145ac888f
Version 2.0.1
details on versioning
Category Key Vault
Microsoft docs
Description Manage your organizational compliance requirements by restricting the key types allowed for certificates.
Mode Microsoft.KeyVault.Data
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: audit
Allowed: (audit, deny, disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-08-30 14:27:30 change Patch, old suffix: preview (2.0.0-preview > 2.0.1)
2020-09-02 14:03:46 change Previous DisplayName: [Preview]: Manage allowed certificate key types
2019-11-19 11:26:09 change Previous DisplayName: [Preview]: Certificates should have the specified key types
Used in Initiatives none
JSON Changes

JSON 
{
  "displayName": "Certificates should use allowed key types",
  "policyType": "BuiltIn",
  "mode": "Microsoft.KeyVault.Data",
  "description": "Manage your organizational compliance requirements by restricting the key types allowed for certificates.",
  "metadata": {
    "version": "2.0.1",
    "category": "Key Vault"
  },
  "parameters": {
    "allowedKeyTypes": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed key types",
        "description": "The list of allowed certificate key types."
      },
      "allowedValues": [
        "RSA",
        "RSA-HSM",
        "EC",
        "EC-HSM"
      ],
      "defaultValue": [
        "RSA",
        "RSA-HSM"
      ]
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.KeyVault.Data/vaults/certificates"
        },
        {
          "field": "Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType",
          "notIn": "[parameters('allowedKeyTypes')]"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}