Framework/Configurations/SVT/Services/KeyVault.json
{
"FeatureName": "KeyVault", "Reference": "aka.ms/azsdkosstcp", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_KeyVault_AuthN_Use_Cert_Auth_for_Apps", "Description": "Azure Active Directory applications that have access to Key Vault must use a certificate (not a password/client secret) to authenticate to Key Vault", "Id": "KeyVault110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppAuthenticationCertificate", "Recommendation": "Add a certificate credential to the Azure AD application first, so that it does not lose access, and then remove its password credentials: a password credential is a shared secret that can be copied or leaked, whereas a certificate's private key stays with the application. Run command Remove-AzureADApplicationPasswordCredential -InformationAction '{ActionPreference}' -InformationVariable '{InformationVariable}' -KeyId '{KeyId}' -ObjectId '{ObjectId}' for each password credential. Refer Link - https://docs.microsoft.com/en-us/powershell/module/azuread/remove-azureadapplicationpasswordcredential?view=azureadps-2.0", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_AuthN_Dont_Share_KeyVault_Unless_Trust", "Description": "Applications must not share a Key Vault unless they trust each other and need access to the same secret values at runtime.", "Id": "KeyVault120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppsSharingKayVault", "Recommendation": "Review the Azure AD applications that have access to the Key Vault. Any application granted access to a vault can read every key/secret its access policy allows, so a compromise of one application exposes the secrets of the others. Only applications that trust each other and need the same secret values should share a Key Vault; move other applications to their own vaults.", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_AuthZ_Grant_Min_RBAC_Access", "Description": "All Users/Identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "KeyVault130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Recommendation": "Clean up any unauthorized access on the Key Vault. Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{roleDefinitionName}'. 
Run 'Get-Help Remove-AzureRmRoleAssignment -full' to get the complete details about this command. Assign the 'Key Vault Contributor' RBAC role only to the developers who manage the Key Vault configuration, and note that this role can change the vault's access policies (and so grant itself data-plane access to keys/secrets), so treat it as a privileged role. Refer Links - https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault, https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_AuthZ_Grant_Min_Access_policies", "Description": "All Key Vault access policies must be defined with the minimum required permissions to keys, secrets and certificates", "Id": "KeyVault140", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAccessPolicies", "Recommendation": "Use command Set-AzureRmKeyVaultAccessPolicy -VaultName '{VaultName}' -ResourceGroupName '{ResourceGroupName}' -PermissionsToKeys '{PermissionsToKeys}' -PermissionsToSecrets '{PermissionsToSecrets}' -PermissionsToCertificates '{PermissionsToCertificates}' -ObjectId '{ObjectId}', listing only the operations the principal actually performs (for example, an application that only reads a secret needs 'get', and 'list' only if it enumerates secrets). Do not provide 'All' permissions on keys, secrets or certificates. Refer Link - https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/set-azurermkeyvaultaccesspolicy?view=azurermps-3.8.0", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_AuthZ_Configure_Advanced_Access_Policies", "Description": "Advanced access policies must be enabled only when a workload requires them", "Id": "KeyVault150", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckAdvancedAccessPolicies", "Recommendation": "The advanced access policies let Azure platform services (virtual machine deployment, ARM template deployment and Azure Disk Encryption) retrieve secrets from the vault, so enable only the ones a workload actually uses. Use command Remove-AzureRmKeyVaultAccessPolicy -VaultName '{VaultName}' -ResourceGroupName '{ResourceGroupName}' -EnabledForDeployment -EnabledForTemplateDeployment -EnabledForDiskEncryption, passing only the switches for the policies that are not needed (removing a policy that a deployment or disk encryption depends on will break it). 
Refer Link - https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/remove-azurermkeyvaultaccesspolicy?view=azurermps-3.8.0 ", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_DP_Keys_Protect_By_HSM", "Description": "All Keys in Key Vault must be protected by HSM [Key Type = HSM Protected Key]", "Id": "KeyVault160", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckKeyHSMProtected", "Recommendation": "Remove the non-HSM keys and recreate them with the destination set to HSM (HSM-protected keys require a Premium-tier vault). Key material cannot be converted in place: before removal, decrypt or re-wrap everything protected by the software key, because Remove-AzureKeyVaultKey deletes all versions of the key and data still encrypted under it becomes unrecoverable (unless soft-delete is enabled on the vault). Run command Remove-AzureKeyVaultKey -VaultName '{KeyVaultName}' -Name '{KeyName}' to remove the non-HSM key, then use command Add-AzureKeyVaultKey -VaultName '{VaultName}' -Name '{KeyName}' -Expires '{ExpiryDate}' -Destination 'HSM' -KeyOps '{KeyOps}' to create the HSM-protected replacement and re-protect the data with it. Refer Links - https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/add-azurekeyvaultkey?view=azurermps-3.8.0, https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/remove-azurekeyvaultkey?view=azurermps-3.8.0 ", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_DP_Keys_Secrets_Set_Expiry_Date", "Description": "All Keys and Secrets in Key Vault must have expiration dates", "Id": "KeyVault170", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckKeyExpirationDate", "Recommendation": "Add an expiry date to keys: run command Set-AzureKeyVaultKeyAttribute -VaultName '{KeyVaultName}' -Name '{KeyName}' -Expires '{ExpiryDate}'. The expiry date should not be more than $($this.ControlSettings.KeyVault.KeyRotationDuration_Days) days away for a key. 
Add an expiry date to secrets: run command Set-AzureKeyVaultSecretAttribute -VaultName '{KeyVaultName}' -Name '{SecretName}' -Expires '{ExpiryDate}'. The expiry date should not be more than $($this.ControlSettings.KeyVault.SecretRotationDuration_Days) days away for a secret. The expiry date is only useful if a rotation process replaces the key/secret before it is reached.", "Tags": [ "SDL", "TCP", "Automated", "DP", "KeyRotation" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_Audit_Enable_Diagnostics_Log", "Description": "Diagnostics logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.", "Id": "KeyVault180", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Recommendation": "Run command Set-AzureRmDiagnosticSetting -ResourceId '{ResourceId}' -Enable $true -StorageAccountId '{StorageAccountId}' -RetentionInDays 365 -RetentionEnabled $true (the retention must be at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days). Refer Link - https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-azure-key-vault", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Diagnostics" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_AuthN_Key_Min_Operation", "Description": "Keys must be configured with only the minimum required key operations", "Id": "KeyVault190", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckKeyMinimumOperations", "Recommendation": "Restrict each key to only the key operations its consumers actually need (for example, a key used only for signing should allow sign/verify and not encrypt/decrypt or wrapKey/unwrapKey). Run command Set-AzureKeyVaultKeyAttribute -VaultName '{KeyVaultName}' -Name '{KeyName}' -KeyOps '{KeyOps}'. 
Refer Link - https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/set-azurekeyvaultkeyattribute?view=azurermps-3.8.0", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_DP_Identify_Roles", "Description": "Key Vault owner must identify roles (e.g.: Security team/Developer/Operator/Auditor) and provide minimum required access", "Id": "KeyVault200", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "The Key Vault owner must identify the distinct roles (for example security team, developer, operator, auditor) and grant each only the access it needs to the Key Vault and its keys/secrets; in particular, the people who manage the vault's configuration should not routinely need to read its secret values. Refer Link - https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_DP_Rotate_Key_Periodocally", "Description": "Keys/secrets must be rotated periodically", "Id": "KeyVault210", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Rotate the keys/secrets at regular intervals. Note that Set-AzureKeyVaultKeyAttribute and Set-AzureKeyVaultSecretAttribute only update the attributes of an existing version; they do not create a new one. To rotate, create a new version of the key (for example with Add-AzureKeyVaultKey using the same name) or of the secret, switch the consumers to the new version, and then retire the old version by setting an expiry on it: run command Set-AzureKeyVaultKeyAttribute -VaultName '{KeyVaultName}' -Name '{KeyName}' -Expires '{ExpiryDate}' -Version '{Version}' for the old key version, and Set-AzureKeyVaultSecretAttribute -VaultName '{KeyVaultName}' -Name '{SecretName}' -Expires '{ExpiryDate}' -Version '{Version}' for the old secret version.", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_Audit_Review_Logs", "Description": "Diagnostic logs for Key Vault must be reviewed periodically", "Id": "KeyVault220", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Review the diagnostic logs at regular intervals for the operations carried out on keys/secrets by each user and application, and investigate anything unexpected (for example failed or unauthorized requests, access from unfamiliar identities or IP addresses, or bulk listing of secrets). Refer Link - https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-azure-key-vault", "Tags": [ "SDL", "TCP", "Manual", "Audit" ], "Enabled": true } ] }