articles/key-vault/managed-hsm/azure-policy.md
12 additions & 2 deletions
@@ -45,9 +45,17 @@ This policy audits all keys in your Managed HSMs and flags keys that do not have
If a key is too close to expiration, an organizational delay to rotate the key may result in an outage. Keys should be rotated at a specified number of days before expiration to provide sufficient time to react to a failure. This policy audits keys too close to their expiration date and allows you to set this threshold in days. You can also use this policy to prevent the creation of new keys too close to their expiration date.
+
### Keys should be the specified cryptographic type
+
+
You may be subject to audit and certification standards that mandate the use of a specific cryptographic algorithm or key type. This policy allows you to configure an allowed list of cryptographic key types for Managed HSM keys. You can audit keys that do not meet this requirement. This policy can also be used to restrict the cryptographic key types that can be created or imported into your Managed HSMs.
+
### Keys using RSA cryptography should have a specified minimum key size
-
Using RSA keys with smaller key sizes is not a secure design practice. You may be subject to audit and certification standards that mandate the use of a minimum key size. The following policy allows you to set a minimum key size requirement on your Managed HSM. You can audit keys that do not meet this minimum requirement. This policy can also be used to block the creation of new keys that do not meet the minimum key size requirement.
+
Using RSA keys with smaller key sizes is not a secure design practice. You may be subject to audit and certification standards that mandate the use of a minimum key size. The following policy allows you to set a minimum key size requirement on your Managed HSM. You can audit keys that do not meet this minimum requirement. This policy can also be used to block the creation or import of keys that do not meet the minimum key size requirement.
+
+
### Keys using AES cryptography should have a specified minimum key size
+
+
Using oct-HSM keys for AES algorithms with insufficient key sizes is not a secure design practice and may violate organizational or regulatory security requirements. This policy allows you to enforce a minimum key size for oct-HSM keys stored in your Managed HSM. You can audit keys that do not meet this minimum requirement. The policy can also be used to block the creation or import of keys that do not meet the minimum key size requirement.
## Enabling and managing a Managed HSM policy through the Azure CLI
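Review bot: the new "Keys should be the specified cryptographic type" section never says which key-type values the allowed list accepts, so a reader assigning the policy has nothing to enter for that parameter; the only concrete type name on this page is oct-HSM, which appears two sections later in the AES paragraph. Suggest naming the accepted key types in that paragraph, with the corresponding RSA and elliptic-curve type names next to oct-HSM, in the same place the paragraph says "configure an allowed list of cryptographic key types". Minor: the rewritten RSA paragraph still opens with "The following policy allows you to set a minimum key size" while every sibling section (cryptographic type, AES, expiration) says "This policy"; worth aligning while the line is being touched.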
@@ -80,8 +88,10 @@ az keyvault role assignment create --scope / --role "Managed HSM Crypto Auditor"
Policy assignments have concrete values defined for policy definitions' parameters. In the [Azure portal](https://portal.azure.com/?Microsoft_Azure_ManagedHSM_assettypeoptions=%7B%22ManagedHSM%22:%7B%22options%22:%22%22%7D%7D&Microsoft_Azure_ManagedHSM=true&feature.canmodifyextensions=true}), go to "Policy", filter on the "Key Vault" category, find these four preview key governance policy definitions. Select one, then select "Assign" button on top. Fill in each field. If the policy assignment is for request denials, use a clear name about the policy because, when a request is denied, the policy assignment's name appears in the error. Select Next, uncheck "Only show parameters that need input or review", and enter values for parameters of the policy definition. Skip the "Remediation", and create the assignment. The service needs up to 30 minutes to enforce "Deny" assignments.
- Azure Key Vault Managed HSM keys should have an expiration date
+
- Azure Key Vault Managed HSM keys should be the specified cryptographic type
- Azure Key Vault Managed HSM keys using RSA cryptography should have a specified minimum key size
-
- Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration
+
- Azure Key Vault Managed HSM keys using AES cryptography should have a specified minimum key size
+
- Azure Key Vault Managed HSM keys should have more than the specified number of days before expiration
- Azure Key Vault Managed HSM keys using elliptic curve cryptography should have the specified curve names
You can also do this operation using the Azure CLI. See [Create a policy assignment to identify noncompliant resources with Azure CLI](/azure/governance/policy/assign-policy-azurecli).
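Review bot: the unchanged paragraph at the top of this hunk still tells the reader to "find these four preview key governance policy definitions", but with the two bullets added here (specified cryptographic type, AES minimum key size) the list that follows now has six entries; change "four" to "six" or drop the count so the sentence does not go stale the next time a definition is added. The rename of "Managed HSM Keys should have more than" to "Managed HSM keys should have more than" is a good catch, since these bullets are the exact definition names a reader searches for in the portal and they should match the other five, which all use lowercase "keys".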