last sync: 2021-Nov-26 17:15:01 UTC

Azure Policy definition

[Preview]: Configure Azure Key Vault Managed HSM to disable public network access

Name [Preview]: Configure Azure Key Vault Managed HSM to disable public network access
Azure Portal
Id 84d327c3-164a-4685-b453-900478614456
Version 2.0.0-preview
details on versioning
Category Key Vault
Microsoft docs
Description Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm.
Mode Indexed
Type BuiltIn
Preview True
Deprecated FALSE
Effect Default: Modify
Allowed: (Modify, Disabled)
Used RBAC Role
Role Name Role Id
Managed HSM contributor 18500a29-7fe2-46b2-a342-b16a415e101d
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-09-27 15:52:17 change Major, suffix remains equal (1.0.0-preview > 2.0.0-preview)
2021-09-13 16:35:32 add 84d327c3-164a-4685-b453-900478614456
Used in Initiatives none
JSON Changes

JSON
{
  "displayName": "[Preview]: Configure Azure Key Vault Managed HSM to disable public network access",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Disable public network access for your Azure Key Vault Managed HSM so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/key-vault/managed-hsm/private-link#allow-trusted-services-to-access-managed-hsm.",
  "metadata": {
    "version": "2.0.0-preview",
    "category": "Key Vault",
    "preview": true
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "Modify",
        "Disabled"
      ],
      "defaultValue": "Modify"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.KeyVault/managedHSMs"
        },
        {
          "field": "Microsoft.KeyVault/managedHSMs/networkAcls.defaultAction",
          "notEquals": "Deny"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "conflictEffect": "audit",
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d"
        ],
        "operations": [
          {
            "operation": "addOrReplace",
            "field": "Microsoft.KeyVault/managedHSMs/networkAcls.defaultAction",
            "value": "Deny"
          }
        ]
      }
    }
  }
}