last sync: 2021-Sep-22 19:36:51 UTC

Azure Policy definition

Keys should have more than the specified number of days before expiration

Name Keys should have more than the specified number of days before expiration
Azure Portal
Id 5ff38825-c5d8-47c5-b70e-069a21955146
Version 1.0.1
details on versioning
Category Key Vault
Microsoft docs
Description If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.
Mode Microsoft.KeyVault.Data
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: Audit
Allowed: (Audit, Deny, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-08-30 14:27:30 change Patch, old suffix: preview (1.0.0-preview > 1.0.1)
2020-10-16 12:27:50 add 5ff38825-c5d8-47c5-b70e-069a21955146
Used in Initiatives none
JSON Changes

JSON
{
  "displayName": "Keys should have more than the specified number of days before expiration",
  "policyType": "BuiltIn",
  "mode": "Microsoft.KeyVault.Data",
  "description": "If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.",
  "metadata": {
    "version": "1.0.1",
    "category": "Key Vault"
  },
  "parameters": {
    "minimumDaysBeforeExpiration": {
      "type": "Integer",
      "metadata": {
        "displayName": "The minimum days before expiration",
        "description": "Specify the minimum number of days that a key should remain usable prior to expiration."
      }
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.KeyVault.Data/vaults/keys"
        },
        {
          "field": "Microsoft.KeyVault.Data/vaults/keys/attributes.expiresOn",
          "exists": true
        },
        {
          "field": "Microsoft.KeyVault.Data/vaults/keys/attributes.expiresOn",
          "less": "[addDays(utcNow(), parameters('minimumDaysBeforeExpiration'))]"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}