last sync: 2024-Sep-18 17:50:24 UTC

Storage account keys should not be expired

Azure BuiltIn Policy definition

Source Azure Portal
Display name Storage account keys should not be expired
Id 044985bb-afe1-42cd-8a36-9d5d42424537
Version 3.0.0
Versioning 1 version supported: 3.0.0 (Built-in Versioning [Preview])
Category Storage
Microsoft Learn
Description Ensure the user storage account keys are not expired when key expiration policy is set, for improving security of account keys by taking action when the keys are expired.
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default: Audit; Allowed: Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (3)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Storage/storageAccounts/keyCreationTime.key1 Microsoft.Storage storageAccounts properties.keyCreationTime.key1 True False
Microsoft.Storage/storageAccounts/keyCreationTime.key2 Microsoft.Storage storageAccounts properties.keyCreationTime.key2 True False
Microsoft.Storage/storageAccounts/keyPolicy.keyExpirationPeriodInDays Microsoft.Storage storageAccounts properties.keyPolicy.keyExpirationPeriodInDays True False
Rule resource types IF (1)
Microsoft.Storage/storageAccounts
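The three aliases above are all the rule reads: the account's key expiration period and the creation time of key1 and key2. The following is an added example, not Microsoft's policy rule or any code from the page, that applies the same test offline to exported storage-account JSON (raw ARM shape with `properties`, or the flattened shape that `az storage account show` prints). It treats a key as expired when its creation time plus `keyExpirationPeriodInDays` falls before the evaluation instant, which is my reading of the aliases; the sample accounts, their names and the fixed evaluation time are constructed.

```python
# Added example (not Microsoft's policy rule): offline evaluator that applies the
# test implied by the policy's three aliases to exported storage-account JSON.
from datetime import datetime, timedelta, timezone

KEYS = ("key1", "key2")


def parse_arm_timestamp(ts: str) -> datetime:
    """Parse an ARM UTC timestamp such as '2024-05-01T00:00:00.0000000Z'.

    ARM emits seven fractional digits and a trailing 'Z'; older Pythons'
    datetime.fromisoformat accepts neither, so normalise to six digits, no zone.
    """
    if ts.endswith("Z"):
        ts = ts[:-1]
    elif ts.endswith("+00:00"):
        ts = ts[:-6]
    else:
        raise ValueError(f"expected a UTC timestamp, got {ts!r}")
    if "." in ts:
        head, frac = ts.split(".", 1)
        ts = f"{head}.{(frac + '000000')[:6]}"
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def expired_keys(account: dict, now: datetime) -> list[str]:
    """Names of keys whose creation time plus the expiration period is before `now`.

    Mirrors the aliases keyPolicy.keyExpirationPeriodInDays and
    keyCreationTime.key1/key2. Returns [] when no expiration policy is set,
    because the built-in policy only audits accounts that have one.
    """
    # 'az storage account show' flattens 'properties' to the top level; raw ARM keeps it.
    props = account.get("properties", account)
    period = (props.get("keyPolicy") or {}).get("keyExpirationPeriodInDays")
    if period is None:
        return []
    creation = props.get("keyCreationTime") or {}
    expired = []
    for key in KEYS:
        created = creation.get(key)
        if created is None:
            continue  # no creation time recorded: nothing to compare against
        if parse_arm_timestamp(created) + timedelta(days=int(period)) < now:
            expired.append(key)
    return expired


def evaluate(account: dict, now: datetime) -> str:
    """'NonCompliant' if any key is past its expiration period, else 'Compliant'.

    Accounts without a key expiration policy also come back 'Compliant':
    Azure Policy reports only on resources that match the rule's condition.
    """
    return "NonCompliant" if expired_keys(account, now) else "Compliant"


# Constructed sample resources (not real accounts); `NOW` is fixed so results are stable.
NOW = datetime(2024, 9, 18, 17, 50, 24, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {   # raw ARM shape: key1 is 140 days old against a 90-day policy -> expired
        "name": "stexpired",
        "properties": {
            "keyPolicy": {"keyExpirationPeriodInDays": 90},
            "keyCreationTime": {"key1": "2024-05-01T00:00:00.0000000Z",
                                "key2": "2024-09-01T12:30:00.0000000Z"},
        },
    },
    {   # CLI (flattened) shape: 365-day policy, both keys rotated this year -> fine
        "name": "stfresh",
        "keyPolicy": {"keyExpirationPeriodInDays": 365},
        "keyCreationTime": {"key1": "2024-01-01T00:00:00Z", "key2": "2024-01-01T00:00:00Z"},
    },
    {   # no expiration policy at all: never flagged by this definition
        "name": "stnopolicy",
        "properties": {"keyPolicy": None,
                       "keyCreationTime": {"key1": "2019-01-01T00:00:00.0000000Z", "key2": None}},
    },
]


def scan(accounts: list[dict], now: datetime = NOW) -> dict[str, list[str]]:
    """Map each non-compliant account name to its expired keys."""
    result = {}
    for account in accounts:
        keys = expired_keys(account, now)
        if keys:
            result[account["name"]] = keys
    return result


if __name__ == "__main__":
    for name, keys in scan(SAMPLE_ACCOUNTS).items():
        print(f"{name}: expired {', '.join(keys)}")
```

Two points the check makes visible. First, an account with no expiration policy is never flagged, so this definition on its own cannot show that keys are rotated; it only catches keys that outlived a period someone already configured. Second, the effect is Audit by default: an expired key keeps working until it is regenerated, and flagging it is the "taking action" the description refers to. Feeding real data in (`az storage account list -o json`) and remediating (`az storage account update --key-exp-days`, `az storage account keys renew --key primary`) are Azure CLI commands assumed here, not something the page documents.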
Compliance
The following 3 compliance controls are associated with this Policy definition 'Storage account keys should not be expired' (044985bb-afe1-42cd-8a36-9d5d42424537)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
New_Zealand_ISM 17.1.58.C.01 New_Zealand_ISM_17.1.58.C.01 New_Zealand_ISM_17.1.58.C.01 17. Cryptography Cryptographic Fundamentals - Key Refresh and Retirement n/a All cryptographic keys have a limited useful life after which the key should be replaced or retired. Typically the useful life of the cryptographic key (cryptoperiod) is use 3
NZ_ISM_v3.5 GS-2 NZ_ISM_v3.5_GS-2 NZISM Security Benchmark GS-2 Gateway security 19.1.11 Using Gateways Customer n/a Physically locating all gateway components inside a secure server room will reduce the risk of unauthorised access to the device(s). The system owner of the higher security domain of connected security domains would be most familiar with the controls required to protect the more sensitive information and as such is best placed to manage any shared components of gateways. In some cases where multiple security domains from different agencies are connected to a gateway, it may be more appropriate to have a qualified third party manage the gateway on behalf of all connected agencies. Gateway components may also reside in a virtual environment – refer to Section 22.2 – Virtualisation and Section 22.3 – Virtual Local Area Networks link 10
NZISM_Security_Benchmark_v1.1 GS-2 NZISM_Security_Benchmark_v1.1_GS-2 NZISM Security Benchmark GS-2 Gateway security 19.1.11 Using Gateways Customer Agencies MUST ensure that: all agency networks are protected from networks in other security domains by one or more gateways; all gateways contain mechanisms to filter or limit data flow at the network and content level to only the information necessary for business purposes; and all gateway components, discrete and virtual, are physically located within an appropriately secured server room. Physically locating all gateway components inside a secure server room will reduce the risk of unauthorised access to the device(s). The system owner of the higher security domain of connected security domains would be most familiar with the controls required to protect the more sensitive information and as such is best placed to manage any shared components of gateways. In some cases where multiple security domains from different agencies are connected to a gateway, it may be more appropriate to have a qualified third party manage the gateway on behalf of all connected agencies. Gateway components may also reside in a virtual environment – refer to Section 22.2 – Virtualisation and Section 22.3 – Virtual Local Area Networks link 8
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Deprecated]: New Zealand ISM Restricted d1a462af-7e6d-4901-98ac-61570b4ed22a Regulatory Compliance Deprecated BuiltIn
[Deprecated]: New Zealand ISM Restricted v3.5 93d2179e-3068-c82f-2428-d614ae836a04 Regulatory Compliance Deprecated BuiltIn
Enforce recommended guardrails for Storage Account Enforce-Guardrails-Storage Storage GA ALZ
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) Change type Change detail
2021-07-30 15:17:20 change Major (2.0.0 > 3.0.0)
2021-07-07 15:26:31 change Major (1.0.0 > 2.0.0)
2021-05-11 14:06:18 add 044985bb-afe1-42cd-8a36-9d5d42424537
JSON
api-version=2021-06-01