
Azure Policy definition

Certificates using elliptic curve cryptography should have allowed curve names

Name Certificates using elliptic curve cryptography should have allowed curve names
Id bd78111f-4953-4367-9fd5-7e08808b54bf
Version 2.0.1
Category Key Vault
Description Manage the allowed elliptic curve names for ECC certificates stored in Key Vault. Note that the parameter's default value allows every curve the policy recognizes (P-256, P-256K, P-384, P-521), so the definition reports nothing until the list is narrowed; organizations restricted to NIST-approved curves typically remove P-256K (secp256k1). The rule only matches certificate objects (`Microsoft.KeyVault.Data/vaults/certificates`), so standalone EC keys in the vault are not evaluated by this definition. More information can be found at https://aka.ms/akvpolicy.
Mode Microsoft.KeyVault.Data
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: audit (non-compliant certificates are only flagged; set the effect to deny to block creation of certificates on curves outside the allowed list)
Allowed: (audit, deny, disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) Change type Change detail
2021-08-30 14:27:30 change Patch, old suffix: preview (2.0.0-preview > 2.0.1)
2020-09-02 14:03:46 change Previous DisplayName: [Preview]: Manage allowed curve names for elliptic curve cryptography certificates
2019-11-02 10:12:34 add bd78111f-4953-4367-9fd5-7e08808b54bf
Used in Initiatives none

JSON
{
  "displayName": "Certificates using elliptic curve cryptography should have allowed curve names",
  "policyType": "BuiltIn",
  "mode": "Microsoft.KeyVault.Data",
  "description": "Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy.",
  "metadata": {
    "version": "2.0.1",
    "category": "Key Vault"
  },
  "parameters": {
    "allowedECNames": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed elliptic curve names",
        "description": "The list of allowed curve names for elliptic curve cryptography certificates. The default includes every supported curve, so narrow this list (for example, remove P-256K where only NIST-approved curves are permitted) for the policy to have any effect."
      },
      "allowedValues": [
        "P-256",
        "P-256K",
        "P-384",
        "P-521"
      ],
      "defaultValue": [
        "P-256",
        "P-256K",
        "P-384",
        "P-521"
      ]
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the creation of a non-compliant resource. 'Disabled' turns off the policy."
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.KeyVault.Data/vaults/certificates"
        },
        {
          "field": "Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType",
          "in": [
            "EC",
            "EC-HSM"
          ]
        },
        {
          "field": "Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName",
          "notIn": "[parameters('allowedECNames')]"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}