module/ConfigurationProvider/ControlConfigurations/Services/KeyVault.json

{
    "FeatureName": "KeyVault",
    "Reference": "aka.ms/azsktcp/keyvault",
    "IsMaintenanceMode": false,
    "Controls": [
        {
            "ControlID": "Azure_KeyVault_AuthZ_Grant_Min_Access_policies",
            "Description": "All Key Vault access policies must be defined with minimum required permissions to keys and secrets",
            "Id": "KeyVault140",
            "ControlSeverity": "High",
            "Automated": "Yes",
            "MethodName": "CheckAccessPolicies",
            "DisplayName": "All Key Vault access policies must be defined with minimum required permissions to keys and secrets",
            "Category": "Least privilege access to subscription and resources",
            "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
            "Rationale": "Granting minimum access by defining Key Vault access policies ensures that applications/users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.",
            "Recommendation": "Use the command Set-AzKeyVaultAccessPolicy -VaultName '{VaultName}' -ResourceGroupName '{ResourceGroupName}' -PermissionsToKeys '{PermissionsToKeys}' -PermissionsToSecrets '{PermissionsToSecrets}' -PermissionsToCertificates '{PermissionsToCertificates}' -ObjectId '{ObjectId}' to grant each principal only the permissions it requires. Refer: https://docs.microsoft.com/en-us/powershell/module/az.keyvault/Set-AzKeyVaultAccessPolicy",
            "Tags": [
                "SDL",
                "TCP",
                "Automated",
                "AuthZ",
                "RBAC",
                "KeyVault"
            ],
            "ControlEvaluationDetails": {
                "RequiredProperties": []
            },
            "Enabled": false,
            "CustomTags": []
        },
        {
            "ControlID": "Azure_KeyVault_AuthZ_Configure_Advanced_Access_Policies",
            "Description": "Advanced access policies must be configured on a need basis",
            "Id": "KeyVault150",
            "ControlSeverity": "Medium",
            "Automated": "Yes",
            "MethodName": "CheckAdvancedAccessPolicies",
            "DisplayName": "Advanced access policies must be configured on a need basis",
            "Category": "Least privilege access to subscription and resources",
            "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
            "Rationale": "Advanced access policies allow Azure services (Azure Resource Manager, Virtual Machine, Disk Encryption, etc.) to access Key Vault directly. To avoid unintended access to Key Vault from Azure services, advanced access policies must be configured only where they are actually required.",
            "Recommendation": "Remove any advanced access policies that are not required, using the command: Remove-AzKeyVaultAccessPolicy -VaultName '{VaultName}' -ResourceGroupName '{ResourceGroupName}' -EnabledForDeployment -EnabledForTemplateDeployment -EnabledForDiskEncryption. Refer: https://docs.microsoft.com/en-us/powershell/module/az.keyvault/Remove-AzKeyVaultAccessPolicy",
            "Tags": [
                "SDL",
                "TCP",
                "Automated",
                "AuthZ",
                "KeyVault",
                "Baseline",
                "Weekly"
            ],
            "ControlEvaluationDetails": {
                "RequiredProperties": []
            },
            "Enabled": true,
            "CustomTags": []
        },
        {
            "ControlID": "Azure_KeyVault_SI_Enable_SoftDelete",
            "Description": "Soft delete must be enabled to allow recovery of deleted Key Vault and any objects (keys, secrets, etc.) contained in it.",
            "Id": "KeyVault230",
            "ControlSeverity": "Medium",
            "Automated": "Yes",
            "MethodName": "CheckKeyVaultSoftDelete",
            "DisplayName": "Soft delete must be enabled to allow recovery of deleted Key Vault and any objects (keys, secrets, etc.) contained in it",
            "Category": "Vulnerabilities must be remediated",
            "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
            "Rationale": "Enabling the soft delete feature on Key Vault acts as a safety measure, allowing recovery of an inadvertently or maliciously deleted Key Vault and any objects (keys, secrets, etc.) contained in it.",
            "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-powershell to enable soft delete feature on Key Vault.",
            "Tags": [
                "SDL",
                "TCP",
                "Automated",
                "KeyVault",
                "Baseline",
                "Weekly"
            ],
            "ControlEvaluationDetails": {
                "RequiredProperties": []
            },
            "Enabled": true,
            "CustomTags": []
        },
        {
            "ControlID": "Azure_KeyVault_Audit_Enable_Diagnostics_Log",
            "Description": "Diagnostics logs must be enabled for Key Vault",
            "Id": "KeyVault180",
            "ControlSeverity": "Medium",
            "Automated": "Yes",
            "MethodName": "CheckDiagnosticsSettings",
            "DisplayName": "Diagnostics logs must be enabled for Key Vault",
            "Category": "Monitoring must be correctly configured",
            "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
            "Rationale": "Diagnostic logs provide the audit trail of operations performed on a Key Vault. They should be retained for a long enough period so that the activity trail can be recreated when investigations are required in the event of an incident or a compromise. A retention period of 1 year is typical for several compliance requirements as well.",
            "Recommendation": "Change the diagnostic settings from the Azure Portal by following the steps at https://docs.microsoft.com/en-us/azure/azure-monitor/insights/azure-key-vault-deprecated",
            "Tags": [
                "SDL",
                "TCP",
                "Automated",
                "Audit",
                "Diagnostics",
                "KeyVault",
                "Baseline",
                "Weekly"
            ],
            "ControlEvaluationDetails": {
                "RequiredProperties": [
                    "DiagnosticSetting"
                ]
            },
            "Enabled": true,
            "ControlSettings": {
                "DiagnosticForeverRetentionValue": "0",
                "DiagnosticMinRetentionPeriod": "365",
                "DiagnosticLogs": [
                    "AuditEvent"
                ]
            },
            "CustomTags": []
        },
        {
            "ControlID": "Azure_KeyVault_SI_Check_Credentials_Expiration_Trial",
            "Description": "[Trial] Key Vault credentials (keys/secrets/certificates) must have an expiration date",
            "Id": "KeyVault250",
            "ControlSeverity": "Medium",
            "Automated": "Yes",
            "ControlScanSource": "MDCandReader",
            "MethodName": "CheckCredentialsExpirationTrial",
            "DisplayName": "[Trial] Key Vault credentials (keys/secrets/certificates) must have an expiration date",
            "Category": "Monitoring must be correctly configured",
            "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
            "Rationale": "Key Vault credentials (keys/secrets/certificates) should have a defined expiration date rather than being permanent. Credentials that never expire give a potential attacker more time to compromise them. Setting expiration dates on Key Vault credentials is a recommended security practice.",
            "Recommendation": "Azure Portal: Log in to the Azure Portal > Navigate to 'Microsoft Defender for Cloud' > Recommendations (under General) > Secure score recommendations > Search \"Key Vault keys should have an expiration date\" (optionally, modify filters as required) > Expand 'Implement security best practices' > Select this recommendation > Follow 'Remediation steps' to define an expiration time for every affected key in the key vaults listed under Affected resources > Unhealthy resources. Selecting the key vault will list the affected keys. Repeat these steps for two more recommendations: 1. Key Vault secrets should have an expiration date. 2. Validity period of certificates stored in Azure Key Vault should not exceed 12 months. If the policy is disabled from being evaluated, refer to https://docs.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-policy#enable-a-security-policy to enable the policy. Refer to https://docs.microsoft.com/en-us/azure/defender-for-cloud/exempt-resource#define-an-exemption for information on exempted recommendations.",
            "Tags": [
                "SDL",
                "TCP",
                "Automated",
                "SI",
                "KeyVault",
                "Baseline"
            ],
            "AssessmentProperties": {
                "AssessmentNames": [
                    "1aabfa0d-7585-f9f5-1d92-ecb40291d9f2",
                    "14257785-9437-97fa-11ae-898cfb24302b",
                    "fc84abc0-eee6-4758-8372-a7681965ca44"
                ]
            },
            "Enabled": true,
            "ControlSettings": {
                "AssessmentProperties": [
                    {
                        "AssessmentKey": "1aabfa0d-7585-f9f5-1d92-ecb40291d9f2",
                        "AssessmentDisplayName": "Key Vault keys should have an expiration date"
                    },
                    {
                        "AssessmentKey": "14257785-9437-97fa-11ae-898cfb24302b",
                        "AssessmentDisplayName": "Key Vault secrets should have an expiration date"
                    },
                    {
                        "AssessmentKey": "fc84abc0-eee6-4758-8372-a7681965ca44",
                        "AssessmentDisplayName": "Validity period of certificates stored in Azure Key Vault should not exceed 12 months"
                    }
                ]
            },
            "CustomTags": [
                "Daily",
                "Trial"
            ]
        },
        {
            "ControlID": "Azure_KeyVault_NetSec_Disable_Public_Network_Access_Trial",
            "Description": "[Trial] Key Vault must have public access disabled.",
            "Id": "KeyVault260",
            "ControlSeverity": "High",
            "Automated": "Yes",
            "MethodName": "CheckPublicNetworkAccess",
            "DisplayName": "[Trial] Key Vault must have public access disabled.",
            "Category": "Deploy controls to restrict network traffic",
            "ControlRequirements": "Restrict network traffic flows",
            "Rationale": "The Key Vault firewall should be enabled so that the vault is not accessible from any public IP address by default.",
            "Recommendation": "Go to Azure Portal --> your Key Vault resource --> Networking --> Firewalls and virtual networks, and choose between disabling public access or allowing public access only from specific virtual networks and IP addresses. You can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security",
            "Tags": [
                "SDL",
                "TCP",
                "Automated",
                "NetSec",
                "KeyVault",
                "Baseline",
                "Daily",
                "Trial"
            ],
            "Enabled": true,
            "CustomTags": []
        }
    ]
}