last sync: 2020-Dec-02 15:37:49 UTC

Azure Policy definition

[Preview]: Certificates using elliptic curve cryptography should have allowed curve names

Name [Preview]: Certificates using elliptic curve cryptography should have allowed curve names
Id bd78111f-4953-4367-9fd5-7e08808b54bf
Version 2.0.0-preview
Category Key Vault
Description Manage the allowed elliptic curve names for ECC certificates stored in Key Vault. The rule matches certificates (Microsoft.KeyVault.Data/vaults/certificates) whose key type is EC or EC-HSM and whose curve (keyProperties.ellipticCurveName) is not in the allowedECNames parameter; RSA and RSA-HSM certificates are not evaluated by this policy. The default allow-list contains all four selectable curves (P-256, P-256K, P-384, P-521), so the policy restricts nothing until the parameter is narrowed — in particular P-256K (secp256k1, a Koblitz curve outside the NIST P-curve set) is permitted by default and should be removed from the list if your baseline requires NIST P-curves only. More information can be found at https://aka.ms/akvpolicy.
Mode Microsoft.KeyVault.Data
Type BuiltIn
Preview True
Deprecated FALSE
Effect Default: audit — a certificate on a curve outside the allow-list is still created and only reported as non-compliant; assign the policy with deny to block its creation. This is a data-plane policy (mode Microsoft.KeyVault.Data), so it is evaluated against Key Vault certificate objects rather than ARM resources.
Allowed: (audit, deny, disabled)
Used RBAC Role none (no remediation identity is required: the only effects are audit, deny and disabled, none of which deploys or modifies resources)
History
Date/Time (UTC ymd) Change type Change detail
2020-09-02 14:03:46 change Previous DisplayName: [Preview]: Manage allowed curve names for elliptic curve cryptography certificates
2019-11-02 10:12:34 add bd78111f-4953-4367-9fd5-7e08808b54bf
Used in Initiatives none
Json
{
  "properties": {
  "displayName": "[Preview]: Certificates using elliptic curve cryptography should have allowed curve names",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "Manage the allowed elliptic curve names for ECC Certificates stored in key vault. More information can be found at https://aka.ms/akvpolicy.",
    "metadata": {
      "version": "2.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "allowedECNames": {
        "type": "Array",
        "metadata": {
        "displayName": "[Preview]: Allowed elliptic curve names",
          "description": "The list of allowed curve names for elliptic curve cryptography certificates."
        },
        "allowedValues": [
          "P-256",
          "P-256K",
          "P-384",
          "P-521"
        ],
        "defaultValue": [
          "P-256",
          "P-256K",
          "P-384",
          "P-521"
        ]
      },
      "effect": {
        "type": "String",
        "metadata": {
        "displayName": "[Preview]: Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "audit",
          "deny",
          "disabled"
        ],
        "defaultValue": "audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/certificates"
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType",
            "in": [
              "EC",
              "EC-HSM"
            ]
          },
          {
            "field": "Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName",
          "notIn": "[parameters('allowedECNames')]"
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "bd78111f-4953-4367-9fd5-7e08808b54bf"
}