AzPolicyAdvertizer

last sync: 2025-Aug-20 17:22:59 UTC

Keys should not be active for longer than the specified number of days

Azure BuiltIn Policy definition

Source Azure Portal
Display name Keys should not be active for longer than the specified number of days
Id c26e4b24-cf98-4c67-b48b-5a25c4c69eb9
Version 1.0.1
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.1
Built-in Versioning [Preview]
Category Key Vault
Microsoft Learn
Description Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.0.1'
Repository: Azure-Policy c26e4b24-cf98-4c67-b48b-5a25c4c69eb9
Mode Microsoft.KeyVault.Data
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types none
Compliance Not a Compliance control
Initiatives usage
Rows: 1-1 / 1
Records:
Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

TableFilter v0.7.3

https://www.tablefilter.com/
©2015-2025 Max Guglielmi
?
Page of 1
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
Enforce recommended guardrails for Azure Key Vault Enforce-Guardrails-KeyVault Key Vault GA ALZ
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-08-30 14:27:30 change Patch, old suffix: preview (1.0.0-preview > 1.0.1)
2020-10-16 12:27:50 add c26e4b24-cf98-4c67-b48b-5a25c4c69eb9
JSON compare
compare mode: version left: version right:
1.0.0-preview → 1.0.1 RENAMED
@@ -1,13 +1,12 @@
1
  {
2
- "displayName": "[Preview]: Keys should not be active for longer than the specified number of days",
3
  "policyType": "BuiltIn",
4
  "mode": "Microsoft.KeyVault.Data",
5
  "description": "Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years.",
6
  "metadata": {
7
- "version": "1.0.0-preview",
8
- "category": "Key Vault",
9
- "preview": true
10
  },
11
  "parameters": {
12
  "maximumValidityInDays": {
13
  "type": "Integer",
 
1
  {
2
+ "displayName": "Keys should not be active for longer than the specified number of days",
3
  "policyType": "BuiltIn",
4
  "mode": "Microsoft.KeyVault.Data",
5
  "description": "Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years.",
6
  "metadata": {
7
+ "version": "1.0.1",
8
+ "category": "Key Vault"
 
9
  },
10
  "parameters": {
11
  "maximumValidityInDays": {
12
  "type": "Integer",
JSON
api-version=2021-06-01
EPAC 
{7 items
  • displayName: "Keys should not be active for longer than the specified number of days",
  • policyType: "BuiltIn",
  • mode: "Microsoft.KeyVault.Data",
  • description: "Specify the number of days that a key should be active. Keys that are used for an extended period of time increase the probability that an attacker could compromise the key. As a good security practice, make sure that your keys have not been active longer than two years.",
  • metadata: {2 items
    • version: "1.0.1",
    • category: "Key Vault"
    },
  • parameters: {2 items},
  • policyRule: {2 items
    • if: {1 item
      • allOf: [2 items
        • {2 items
          • field: "type",
          • equals: "Microsoft.KeyVault.Data/vaults/keys"
          },
        • {2 items
          • value: "[utcNow()]",
          • greater: 🔍"[
    addDays(
        if(
            empty(
                field('Microsoft.KeyVault.Data/vaults/keys/attributes.notBefore')
            ),
            field('Microsoft.KeyVault.Data/vaults/keys/attributes.createdOn'),
            field('Microsoft.KeyVault.Data/vaults/keys/attributes.notBefore')
        ),
        parameters('maximumValidityInDays')
    )
]"
          }
        ]
      },
    • then: {1 item
      • effect: "[parameters('effect')]"
      }
    }
}