
Azure Policy definition

Bring your own key data protection should be enabled for PostgreSQL servers

Name Bring your own key data protection should be enabled for PostgreSQL servers
Id 18adea5e-f416-4d0f-8aa8-d24321e3e274
Version 1.0.1
Category SQL
Description Using customer-managed keys (CMK) for encrypting data at rest in your Azure Database for PostgreSQL servers enables a separation of duties between the people who manage the keys and the people who manage the data. When you configure a customer-managed key held in Azure Key Vault, that key acts as a key-encryption key: it protects, and therefore controls access to, the data-encryption key that actually encrypts your data. You have full control of, and full responsibility for, the key lifecycle, including rotation, access control and revocation; because the data-encryption key depends on it, a Key Vault key that is disabled, deleted or unreachable is expected to make the data inaccessible, so the vault must be protected as part of the database's availability boundary. The use of customer-managed keys is sometimes required for compliance purposes. Note that this definition only checks that a server key of type AzureKeyVault with a non-empty key URI is configured on the server (see the existenceCondition in the JSON below); it does not verify the key's state, the vault's protection settings, or that the encryption actually took effect, and it evaluates only resources of type Microsoft.DBforPostgreSQL/servers — PostgreSQL offerings exposed under a different resource type are out of scope.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: AuditIfNotExists
Allowed: (AuditIfNotExists, Disabled)
Note: neither Deny nor DeployIfNotExists is offered, so this definition is a detective control only — a PostgreSQL server without a customer-managed key is reported as non-compliant, but its creation or reconfiguration is not blocked and no key is deployed. If CMK is mandatory in your environment, pair this audit with a preventive control.
Used RBAC Role none
History
Date/Time (UTC, year-month-day) Change type Change detail
2020-04-28 14:50:57 add 18adea5e-f416-4d0f-8aa8-d24321e3e274
Used in Initiatives none
Json
{
  "properties": {
    "displayName": "Bring your own key data protection should be enabled for PostgreSQL servers",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Using customer-managed keys for encrypting data at rest in your Azure Database for PostgreSQL database servers enables implementing a separation of duties in the management of keys and data. When you configure a customer-managed key, the key is used to protect and control access to the key that encrypts your data. You have full control and responsibility for the key lifecycle, including rotation and management.  The use of customer-managed keys is sometimes required for compliance purposes.",
    "metadata": {
      "version": "1.0.1",
      "category": "SQL"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DBforPostgreSQL/servers"
      },
      "then": {
      "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.DBforPostgreSQL/servers/keys",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.DBforPostgreSQL/servers/keys/serverKeyType",
                "equals": "AzureKeyVault"
              },
              {
                "field": "Microsoft.DBforPostgreSQL/servers/keys/uri",
                "notEquals": ""
              },
              {
                "field": "Microsoft.DBforPostgreSQL/servers/keys/uri",
                "exists": "true"
              }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "18adea5e-f416-4d0f-8aa8-d24321e3e274"
}