During discussions about Azure security, Azure Key Vault comes up regularly. More and more organizations are aware that sensitive data such as secrets and keys can be stored there and consumed by other resources. The next question that often follows is: “How do we get a better grip on the requirements that we, as an organization, place on the content of this data?” At that point I point out what Azure Policy has to offer, but most still find this cumbersome.

This has now been made a lot easier for these organizations: Microsoft has defined a set of standard (built-in) policy definitions that let you control the requirements placed on secrets, keys, and certificates. Think of the maximum validity period of a certificate, the cryptographic type of a key, whether a key must be backed by a hardware security module (HSM), or whether secrets must have an expiration date set.

For all of these policy definitions you can either only audit which components are not compliant (this causes no breaking changes in your environment), or enforce them. Enforcement applies to newly created resources only; existing non-compliant resources within a key vault are not affected.

Below is the full list of new policy definitions that apply to Azure Key Vault:

| Name | Policy definition |
| --- | --- |
| Certificates should have the specified maximum validity period (preview) | /providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560 |
| Certificates should use allowed key types (preview) | /providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f |
| Certificates should have the specified lifetime action triggers (preview) | /providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417 |
| Certificates should be issued by the specified integrated certificate authority (preview) | /providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82 |
| Certificates should be issued by the specified non-integrated certificate authority (preview) | /providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341 |
| Certificates using elliptic curve cryptography should have allowed curve names (preview) | /providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf |
| Certificates using RSA cryptography should have the specified minimum key size (preview) | /providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0 |
| Manage certificates that are within a specified number of days of expiration (preview) | /providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427 |
| Keys should not be active for longer than the specified number of days (preview) | /providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9 |
| Keys should be the specified cryptographic type RSA or EC (preview) | /providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb |
| Keys using elliptic curve cryptography should have the specified curve names (preview) | /providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255 |
| Keys should have expiration dates set (preview) | /providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0 |
| Keys should have more than the specified number of days before expiration (preview) | /providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146 |
| Keys should be backed by a hardware security module (preview) | /providers/Microsoft.Authorization/policyDefinitions/587c79fe-dd04-4a5e-9d0b-f89598c7261b |
| Keys using RSA cryptography should have a specified minimum key size (preview) | /providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9 |
| Keys should have the specified maximum validity period (preview) | /providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9 |
| Secrets should not be active for longer than the specified number of days (preview) | /providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe |
| Secrets should have content type set (preview) | /providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3 |
| Secrets should have expiration date set (preview) | /providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37 |
| Secrets should have more than the specified number of days before expiration (preview) | /providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a |
| Secrets should have the specified maximum validity period (preview) | /providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f |
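Before switching an assignment from audit to enforcement it helps to know what the rules would flag in an existing vault. The script below is an added example, not part of the original post and not Microsoft's policy engine: it applies the secret and key rules from the list above to a constructed inventory. The inventory is shaped loosely after `az keyvault secret list` / `az keyvault key list` output; the `key_size` field, the rule thresholds in `RULES`, and the allowed curve set are assumptions made for illustration, and the certificate rules are left out.

```python
"""Offline pre-check of a Key Vault inventory against the secret and key rules
listed above. Added example: not Microsoft's policy engine and not the built-in
definitions themselves. The inventory is constructed and shaped loosely after
`az keyvault secret list` / `az keyvault key list` output; the key_size field
and the rule thresholds are assumptions for illustration."""
from datetime import datetime, timedelta, timezone

# Assumed thresholds; the built-ins take their equivalents as assignment parameters.
RULES = {
    "max_validity_days": 365,      # "... should have the specified maximum validity period"
    "min_days_before_expiry": 30,  # "... more than the specified number of days before expiration"
    "allowed_key_types": {"RSA", "RSA-HSM", "EC", "EC-HSM"},
    "require_hsm": True,           # "Keys should be backed by a hardware security module"
    "min_rsa_bits": 2048,          # "Keys using RSA cryptography should have a specified minimum key size"
    "allowed_curves": {"P-256", "P-384", "P-521"},
}


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _check_lifetime(kind, attrs, now, rules):
    """Expiration rules shared by secrets and keys; kind is 'Secrets' or 'Keys'."""
    expires = attrs.get("expires")
    if expires is None:
        return [f"{kind} should have expiration date set"]
    findings = []
    exp, created = _ts(expires), _ts(attrs["created"])
    if exp - created > timedelta(days=rules["max_validity_days"]):
        findings.append(f"{kind} should have the specified maximum validity period")
    if exp - now <= timedelta(days=rules["min_days_before_expiry"]):
        findings.append(f"{kind} should have more than the specified number of days before expiration")
    return findings


def check_secret(secret, now, rules=RULES):
    findings = []
    if not secret.get("contentType"):
        findings.append("Secrets should have content type set")
    return findings + _check_lifetime("Secrets", secret["attributes"], now, rules)


def check_key(key, now, rules=RULES):
    findings = []
    kty = key["key"]["kty"]
    if kty not in rules["allowed_key_types"]:
        findings.append("Keys should be the specified cryptographic type RSA or EC")
    if rules["require_hsm"] and not kty.endswith("-HSM"):
        findings.append("Keys should be backed by a hardware security module")
    if kty.startswith("RSA") and key["key"].get("key_size", 0) < rules["min_rsa_bits"]:
        findings.append("Keys using RSA cryptography should have a specified minimum key size")
    if kty.startswith("EC") and key["key"].get("crv") not in rules["allowed_curves"]:
        findings.append("Keys using elliptic curve cryptography should have the specified curve names")
    return findings + _check_lifetime("Keys", key["attributes"], now, rules)


def evaluate(inventory, now, rules=RULES):
    """Return {name: [violated rule, ...]} for every non-compliant secret or key."""
    report = {}
    for secret in inventory["secrets"]:
        findings = check_secret(secret, now, rules)
        if findings:
            report[secret["name"]] = findings
    for key in inventory["keys"]:
        findings = check_key(key, now, rules)
        if findings:
            report[key["name"]] = findings
    return report


NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)  # constructed evaluation time

INVENTORY = {  # constructed sample data, not from a real vault
    "secrets": [
        {"name": "db-password", "contentType": "text/plain",
         "attributes": {"created": "2020-09-01T00:00:00Z", "expires": "2021-09-01T00:00:00Z"}},
        {"name": "legacy-api-key", "contentType": None,
         "attributes": {"created": "2018-05-01T00:00:00Z", "expires": None}},
        {"name": "smtp-password", "contentType": "text/plain",
         "attributes": {"created": "2019-01-01T00:00:00Z", "expires": "2021-03-15T00:00:00Z"}},
    ],
    "keys": [
        {"name": "sign-key", "key": {"kty": "RSA-HSM", "key_size": 3072},
         "attributes": {"created": "2020-06-01T00:00:00Z", "expires": "2021-06-01T00:00:00Z"}},
        {"name": "old-rsa", "key": {"kty": "RSA", "key_size": 1024},
         "attributes": {"created": "2020-01-01T00:00:00Z", "expires": None}},
        {"name": "ec-key", "key": {"kty": "EC-HSM", "crv": "P-256K"},
         "attributes": {"created": "2020-12-01T00:00:00Z", "expires": "2021-12-01T00:00:00Z"}},
    ],
}

if __name__ == "__main__":
    for name, findings in evaluate(INVENTORY, NOW).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running it lists every object that an audit assignment with the same thresholds would report as non-compliant, together with the rule it violates; compliant objects such as `db-password` and `sign-key` produce no output. With the constructed data, the `smtp-password` secret trips both the maximum validity and the days-before-expiration rule, which is the typical pattern for long-lived secrets that were never rotated.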

For more information about the integration of Key Vault with Azure Policy, see the following documentation:

https://docs.microsoft.com/en-us/azure/key-vault/general/azure-policy?tabs=certificates