Policy to deny the creation of secrets without expiration date set in Key Vault

Gómez González María 11

Hi, I'm trying to create a policy in order to deny the creation of secrets without expiration date set in Key Vault.

What I have is the following, but it's not working. It lets me create secrets no matter what. I don't know why is not applying. Could you help me please?

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.KeyVault/vaults/secrets"
        },
        {
          "field": "Microsoft.KeyVault/vaults/secrets/attributes.exp",
          "exists": false
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Deny creation of secrets withouth expiration date."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    }
  }
}

Thanks so much in advanced,
María

1 answer

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2022-05-03T23:38:53.47+00:00
@Gómez González María
Thank you for your post!

When it comes to creating a policy where Secrets should have a defined expiration date and not be permanent, you should be able to do this via the Azure Policy built-in definitions for Key Vault.

Key Vault secrets should have an expiration date:

"properties": { "displayName": "Key Vault secrets should have an expiration date", "policyType": "BuiltIn", "mode": "Microsoft.KeyVault.Data", "description": "Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.", "metadata": { "version": "1.0.2", "category": "Key Vault" }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy." }, "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.KeyVault.Data/vaults/secrets" }, { "field": "Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn", "exists": false } ] }, "then": { "effect": "[parameters('effect')]" }

For your specific policy, it looks like you might have to change attributes.exp to /attributes.expiresOn:

"allOf": [ { "field": "type", "equals": "Microsoft.KeyVault.Data/vaults/secrets" }, { "field": "Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn", "exists": false

Additional Built-in Policies:

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Please sign in to rate this answer.

1 person found this answer helpful.
JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2022-05-04T17:10:48.907+00:00

@Gómez González María
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

Gómez González María 11 Reputation points

2022-05-04T17:58:06.467+00:00

Hi, sorry for not replying sooner, I was working and wasn't able to answer.

The thing is I don't have permissions to change built-in policies that's why I want to create a 'custom' one. But the thing is I can't use'/attributes.expiresOn' because that's only accesible from 'built-in' policies. Is there anyother way to do this? Or I have to use a 'built-in' policy no matter what?

Thanks so much for you quick answer.

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2022-05-05T22:52:22.653+00:00

@Gómez González María
Thank you for following up on this!

For the custom policy that you built - how long after applying the policy, did you wait to create a Secret with no expiration date?

I'm asking because based off our Integrate Azure Key Vault with Azure Policy documentation and some internal support cases, there's a feature limitation where assigning a policy with a "deny" effect may take up to 30 mins (average case) and 1 hour (worst case) to start denying the creation of non-compliant resources. For more info.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Gómez González María 11 Reputation points

2022-05-06T06:24:07.727+00:00

Hi again,

I just try creating a secret without expiration day now and it let me do it without a problem, so the policy is not working.

Thanks againg for your answer.

Gómez González María 11 Reputation points

2022-05-06T07:07:20.057+00:00

The thing with the policy is that if I see its compliance it's not affecting any resource. It's like it's not evaluting the secrets of the key vault.

Thanks againg, I just want it to comment that.

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2022-05-06T21:19:42.4+00:00

@Gómez González María
Thank you for following up on this and for sharing that your policy still isn't applying even after waiting more than 1hr.

I've reached out to our Azure Key Vault engineering team to see if they can share any insights or workaround since you can't use/attributes.expiresOn, because that's only accessible from 'built-in' policies, and you'd like to use custom policies to do this.

If you have any other questions in the meantime, please let me know.
Thank you for your time and patience throughout this issue!

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2022-05-17T23:32:17.557+00:00

@Gómez González María
Thank you for your time and patience throughout this!

When it comes to the Policy assignment, can you confirm if you selected the "Deny" parameter?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Gómez González María 11 Reputation points

2022-05-18T09:27:16.957+00:00

Hi againg, yes I selected the 'Deny' parameter but it still doesn't work. If I see the compliance of the policy, as you can see in the image it doesn't apply to any resource when i created a key without expiration date set.

I don't know what could be the reason for it.

Thanks so much for answering me.

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2022-05-18T17:25:48.377+00:00

@Gómez González María
Thank you for the quick follow up on this!

I've passed this info along to our KV engineering team and will update as soon as possible. If you want our support engineers to take a closer look into this issue, please let me know and I can enable your subscription for a free one-time technical support request to get this issue resolved.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue!

María Gómez González 1 Reputation point

2022-06-02T09:44:15.21+00:00

Hi againg, are there any news about this issue? Did the KV engineering team tell you anything?

Thans so much, regards!
María Gómez

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2022-06-02T16:41:29.72+00:00

@Gómez González María
Thank you for following up!

I was able to get a point of contact within the KV PG team for this issue and they should be looking into this by the end of next week. I'll follow-up with them again Wednesday/Thursday to see if there are any updates that they could share.

I'll definitely keep you updated of anything that I receive from their end.
Thank you again for your time and patience throughout this issue!

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2022-06-08T20:14:05.597+00:00

@Gómez González María
Thank you for your time and patience on this!

I wanted to follow-up and let you know that our KV PG team is actively looking into this issue, and I'll update as soon as I receive anything from their end.

If you have any other questions, please let me know.
Thank you!

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2022-06-09T20:38:16.727+00:00

@Gómez González María
Thank you for your time and patience!

When it comes to your issue, can you share your specific use-case and why the existing built-in policy won't work?

I know previously you shared that you don't have permissions to change built-in policies, which is why you want to create a custom policy. However, our KV team wants to better understand your issue and see why the existing built-in policy to deny the creation of secrets without an expiration date won't work for your environment.

If you have any other questions, please let me know.
Thank you!

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2022-06-13T21:56:42.2+00:00

@Gómez González María
I just wanted to check in and see if you had any other questions or if you had a chance to review my previous post?

Gómez González María 11 Reputation points

2022-06-20T06:45:46.793+00:00

Sorry to replying so late, I was on vacation and unable to answer.

The thing is the built-in policy won't work for us because it only audits it doesn't deny because we can't change the parameter 'audit for 'deny'. That's why we need to create a custom policy in order to do that. And we tried to do it with the policy I showed you in the first comment but that one does't work.

Thansk so much for still following this issue, regards
María

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2022-06-23T19:55:45.757+00:00

@Gómez González María
Thank you for following up on this!

I've passed this info along to our KV team and will update if I receive anything from their end regarding your specific use-case.

I also wanted to add that I received an update on the expiresOn attribute within a custom policy, and it looks like expiresOn is only supported in Data Plane policies for Azure Governance, and we currently don't support custom policies for Data Plane.

Since this seems to be a feature limitation, I'd recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into implementing this. I've also created an internal feature request, so our engineering team is aware of this as well.

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

María Gómez González 1 Reputation point

2022-06-24T07:31:53.507+00:00

Okay, thank you so much I'll wait for anwser.

In the meantime, I have another doubt that I don't know if you could resolve it. Is it possible that a custom policy only affects new resources? I mean I created a 'Deny' policy and I want only to affect when I create a new resource . I say this because i created one and after passing the policy, the policy audits againg the resource and it gives a false positive.

Thanks so much.

JamesTran-MSFT 36,376 Reputation points Microsoft Employee

2022-06-24T16:16:51.78+00:00

@Gómez González María
Thank you for following up on this!

When you say - the built-in policy won't work for us because it only audits it doesn't deny because we can't change the parameter 'audit for 'deny'. You also mentioned earlier that you don't have permissions to change built-in policies that's why I want to create a 'custom' one.

When changing the audit parameter to deny, this should be possible when assigning the Policy, can you expand on this some more? Is this an RBAC permissions issue, policy, etc.?
After assigning the policy you should also be able to change the Effect by going to Edit assignment -> Parameters.

For your question regarding having a custom policy only affect new resource, I'd recommend posting a new Q&A question under the azure-policy tag so our Azure Policy team/community can take a closer look into this and hopefully point you in the right direction.

If you have any other questions, please let me know.
Thank you so much for your time and patience throughout this issue!

Gómez González María 11 Reputation points

2022-07-06T08:16:40.45+00:00

Hi again, I don't have the option to change 'Parameters' when I assing the policy, nor in the 'built-in' one nor in the custom one.

Is there any possibility that you could send me a custom policy with the characteristics I told you in order for me to try it in my enviroment?

Thanks so much,
María
Sign in to comment