Policy to deny the creation of secrets without expiration date set in Key Vault

Gómez González María 11 Reputation points
2022-05-03T10:20:49.103+00:00

Hi, I'm trying to create a policy in order to deny the creation of secrets without expiration date set in Key Vault.

What I have is the following, but it's not working. It lets me create secrets no matter what. I don't know why is not applying. Could you help me please?

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.KeyVault/vaults/secrets"
        },
        {
          "field": "Microsoft.KeyVault/vaults/secrets/attributes.exp",
          "exists": false
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Deny creation of secrets withouth expiration date."
      },
      "allowedValues": [
        "Audit",
        "Deny",
        "Disabled"
      ],
      "defaultValue": "Deny"
    }
  }
}

Thanks so much in advanced,
María

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,184 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. JamesTran-MSFT 36,541 Reputation points Microsoft Employee
    2022-05-03T23:38:53.47+00:00

    @Gómez González María
    Thank you for your post!

    When it comes to creating a policy where Secrets should have a defined expiration date and not be permanent, you should be able to do this via the Azure Policy built-in definitions for Key Vault.

    Key Vault secrets should have an expiration date:

      "properties": {  
        "displayName": "Key Vault secrets should have an expiration date",  
        "policyType": "BuiltIn",  
        "mode": "Microsoft.KeyVault.Data",  
        "description": "Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.",  
        "metadata": {  
          "version": "1.0.2",  
          "category": "Key Vault"  
        },  
        "parameters": {  
          "effect": {  
            "type": "String",  
            "metadata": {  
              "displayName": "Effect",  
              "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."  
            },  
            "allowedValues": [  
              "Audit",  
              "Deny",  
              "Disabled"  
            ],  
            "defaultValue": "Audit"  
          }  
        },  
        "policyRule": {  
          "if": {  
            "allOf": [  
              {  
                "field": "type",  
                "equals": "Microsoft.KeyVault.Data/vaults/secrets"  
              },  
              {  
                "field": "Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn",  
                "exists": false  
              }  
            ]  
          },  
          "then": {  
            "effect": "[parameters('effect')]"  
          }  
    

    For your specific policy, it looks like you might have to change attributes.exp to /attributes.expiresOn:

            "allOf": [  
              {  
                "field": "type",  
                "equals": "Microsoft.KeyVault.Data/vaults/secrets"  
              },  
              {  
                "field": "Microsoft.KeyVault.Data/vaults/secrets/attributes.expiresOn",  
                "exists": false  
    

    Additional Built-in Policies:
    198588-image.png

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.