AzPolicyAdvertizer

last sync: 2025-Jul-25 17:39:48 UTC

[Preview]: Configure Azure Key Vault Managed HSM to disable public network access

Azure BuiltIn Policy definition

Source

Azure Portal

Display name

[Preview]: Configure Azure Key Vault Managed HSM to disable public network access

84d327c3-164a-4685-b453-900478614456

Version

2.0.0-preview
Details on versioning

Versioning

Versions supported for Versioning: 1
2.0.0-preview
Built-in Versioning [Preview]

Category

Key Vault
Microsoft Learn

Description

Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm.

Cloud environments

AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown

Available in AzUSGov

Unknown, no evidence if Policy definition is/not available in AzureUSGovernment

Mode

Indexed

Type

BuiltIn

Preview

True

Deprecated

False

Effect

Default
Modify
Allowed
Modify, Disabled

RBAC role(s)

Role Name	Role Id
Managed HSM contributor	18500a29-7fe2-46b2-a342-b16a415e101d

Rule aliases

IF (1)

Alias	Namespace	ResourceType	Path	PathIsDefault	DefaultPath	Modifiable
Microsoft.KeyVault/managedHSMs/networkAcls.defaultAction	Microsoft.KeyVault	managedHSMs	properties.networkAcls.defaultAction	True		True

THEN-Operations (1)

Alias	Namespace	ResourceType	Path	PathIsDefault	DefaultPath	Modifiable
Microsoft.KeyVault/managedHSMs/networkAcls.defaultAction	Microsoft.KeyVault	managedHSMs	properties.networkAcls.defaultAction	True		True

Rule resource types

IF (1)

Microsoft.KeyVault/managedHSMs

Compliance

Not a Compliance control

Initiatives usage

Rows: 1-1 / 1
Records:
Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, **[empty]**, **[nonempty]**, **rgx:**
Learn more
TableFilter v0.7.3
https://www.tablefilter.com/
©2015-2025 Max Guglielmi
Close
?
Page of 1
Initiative DisplayName	Initiative Id	Initiative Category	State	Type	polSet in AzUSGov

Enforce additional recommended guardrails for Key Vault	Enforce-Guardrails-KeyVault-Sup	Key Vault	GA	ALZ

History

Date/Time (UTC ymd) (i)	Change type	Change detail
2021-09-27 15:52:17	change	Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
2021-09-13 16:35:32	add	84d327c3-164a-4685-b453-900478614456

JSON compare

compare mode: version left: version right:

1.0.0-preview → 2.0.0-preview RENAMED Viewed

@@ -3,9 +3,9 @@
     "policyType": "BuiltIn",
     "mode": "Indexed",
     "description": "Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm.",
     "metadata": {
-        "version": "1.0.0-preview",
         "category": "Key Vault",
         "preview": true
     },
     "parameters": {
@@ -39,9 +39,9 @@
             "effect": "[parameters('effect')]",
             "details": {
                 "conflictEffect": "audit",
                 "roleDefinitionIds": [
-                    "/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778"
                 ],
                 "operations": [
                     {
                         "operation": "addOrReplace",

     "policyType": "BuiltIn",
     "mode": "Indexed",
     "description": "Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm.",
     "metadata": {
+        "version": "2.0.0-preview",
         "category": "Key Vault",
         "preview": true
     },
     "parameters": {
             "effect": "[parameters('effect')]",
             "details": {
                 "conflictEffect": "audit",
                 "roleDefinitionIds": [
+                    "/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d"
                 ],
                 "operations": [
                     {
                         "operation": "addOrReplace",

JSON

api-version=2021-06-01
EPAC

{7 itemsdisplayName: "[Preview]: Configure Azure Key Vault Managed HSM to disable public network access",
policyType: "BuiltIn",
mode: "Indexed",
description: "Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm.",
metadata: {3 itemsversion: "2.0.0-preview",
category: "Key Vault",
preview: true
},
parameters: {1 itemeffect: {4 itemstype: "String",
metadata: {2 itemsdisplayName: "Effect",
description: "Enable or disable the execution of the policy"
},
allowedValues: [2 items"Modify",
"Disabled"
],
defaultValue: "Modify"
}
},
policyRule: {2 itemsif: {1 itemallOf: [2 items{2 itemsfield: "type",
equals: "Microsoft.KeyVault/managedHSMs"
},
{2 itemsfield: "Microsoft.KeyVault/managedHSMs/networkAcls.defaultAction",
notEquals: "Deny"
}
]
},
then: {2 itemseffect: "[parameters('effect')]",
details: {3 itemsconflictEffect: "audit",
roleDefinitionIds: [1 item"/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d" Managed HSM contributor 
],
operations: [1 item{3 itemsoperation: "addOrReplace",
field: "Microsoft.KeyVault/managedHSMs/networkAcls.defaultAction",
value: "Deny"
}
]
}
}
}
}

[Preview]: Configure Azure Key Vault Managed HSM to disable public network access

Azure BuiltIn Policy definition

TableFilter v0.7.3