last sync: 2021-Sep-24 16:09:49 UTC

Azure Policy definition

Certificates using RSA cryptography should have the specified minimum key size

Name: Certificates using RSA cryptography should have the specified minimum key size
Id: cee51871-e572-4576-855c-047c820360f0
Version: 2.0.1
Category: Key Vault
Description: Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault.
Mode: Microsoft.KeyVault.Data
Type: BuiltIn
Preview: FALSE
Deprecated: FALSE
Effect: Default: audit; Allowed: audit, deny, disabled
Used RBAC Role: none
History
Date/Time (UTC) | Change type | Change detail
2021-08-30 14:27:30 | change | Patch, old suffix: preview (2.0.0-preview > 2.0.1)
2020-09-02 14:03:46 | change | Previous DisplayName: [Preview]: Manage minimum key size for RSA certificates
2019-11-19 11:26:09 | change | Previous DisplayName: [Preview]: Certificate key sizes should be sufficiently large
Used in Initiatives
Initiative DisplayName | Initiative Id | Initiative Category | State
[Preview]: CMMC Level 3 | b5629c75-5c77-4422-87b9-2509e680f8de | Regulatory Compliance | Preview

JSON
{
  "displayName": "Certificates using RSA cryptography should have the specified minimum key size",
  "policyType": "BuiltIn",
  "mode": "Microsoft.KeyVault.Data",
  "description": "Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault.",
  "metadata": {
    "version": "2.0.1",
    "category": "Key Vault"
  },
  "parameters": {
    "minimumRSAKeySize": {
      "type": "Integer",
      "metadata": {
        "displayName": "Minimum RSA key size",
        "description": "The minimum key size for RSA certificates."
      },
      "allowedValues": [
        2048,
        3072,
        4096
      ]
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.KeyVault.Data/vaults/certificates"
        },
        {
          "field": "Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType",
          "in": [
            "RSA",
            "RSA-HSM"
          ]
        },
        {
          "field": "Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize",
          "less": "[parameters('minimumRSAKeySize')]"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}