

[Preview]: Secrets should not be active for longer than the specified number of days

Name [Preview]: Secrets should not be active for longer than the specified number of days
Id e8d99835-8a06-45ae-a8e0-87a91941ccfe
Version 1.0.0-preview
Category Key Vault
Description If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. When no activation date (notBefore) is set, the rule measures the active period from the secret's creation date instead.
Mode Microsoft.KeyVault.Data
Type BuiltIn
Preview True
Deprecated FALSE
Effect Default: Audit
Allowed: (Audit,Deny,Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2020-10-16 12:27:50 add e8d99835-8a06-45ae-a8e0-87a91941ccfe
Used in Initiatives none
Json
{
  "properties": {
  "displayName": "[Preview]: Secrets should not be active for longer than the specified number of days",
    "policyType": "BuiltIn",
    "mode": "Microsoft.KeyVault.Data",
    "description": "If your secrets were created with an activation date set in the future, you must ensure that your secrets have not been active for longer than the specified duration. When no activation date (notBefore) is set, the rule measures the active period from the secret's creation date instead.",
    "metadata": {
      "version": "1.0.0-preview",
      "category": "Key Vault",
      "preview": true
    },
    "parameters": {
      "maximumValidityInDays": {
        "type": "Integer",
        "metadata": {
          "displayName": "The maximum validity period in days",
          "description": "Specify the maximum number of days a secret can be valid for after activation."
        }
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disabled' turns off the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault.Data/vaults/secrets"
          },
          {
          "value": "[utcNow()]",
          "greater": "[addDays(if(empty(field('Microsoft.KeyVault.Data/vaults/secrets/attributes.notBefore')), field('Microsoft.KeyVault.Data/vaults/secrets/attributes.createdOn'), field('Microsoft.KeyVault.Data/vaults/secrets/attributes.notBefore')), parameters('maximumValidityInDays'))]"
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "e8d99835-8a06-45ae-a8e0-87a91941ccfe"
}