last sync: 2021-Sep-22 19:36:51 UTC

Azure Policy definition

Secrets should have more than the specified number of days before expiration

Name Secrets should have more than the specified number of days before expiration
Azure Portal
Id b0eb591a-5e70-4534-a8bf-04b9c489584a
Version 1.0.1
details on versioning
Category Key Vault
Microsoft docs
Description If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.
Mode Microsoft.KeyVault.Data
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: Audit
Allowed: (Audit, Deny, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-08-30 14:27:30 change Patch, old suffix: preview (1.0.0-preview > 1.0.1)
2020-10-16 12:27:50 add b0eb591a-5e70-4534-a8bf-04b9c489584a
Used in Initiatives none
JSON Changes

JSON
{
  "displayName": "Secrets should have more than the specified number of days before expiration",
  "policyType": "BuiltIn",
  "mode": "Microsoft.KeyVault.Data",
  "description": "If a secret is too close to expiration, an organizational delay to rotate the secret may result in an outage. Secrets should be rotated at a specified number of days prior to expiration to provide sufficient time to react to a failure.",
  "metadata": {
    "version": "1.0.1",
    "category": "Key Vault"
  },
  "parameters": {
    "minimumDaysBeforeExpiration": {
      "type": "Integer",
      "metadata": {
        "displayName": "The minimum days before expiration",
        "description": "Specify the minimum number of days that a secret should remain usable prior to expiration."
      }
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Audit"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.KeyVault.Data/vaults/secrets"
        },
        {
          "field": "Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn",
          "exists": true
        },
        {
          "field": "Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn",
          "less": "[addDays(utcNow(), parameters('minimumDaysBeforeExpiration'))]"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}