Framework/Configurations/SVT/Services/KeyVault.json
{
"FeatureName": "KeyVault", "Reference": "aka.ms/azsdkosstcp", "IsManintenanceMode": false, "Controls": [ { "ControlID": "Azure_KeyVault_AuthN_Use_Cert_Auth_for_Apps", "Description": "Azure Active Directory applications, which have access to Key Vault, must use a certificate to authenticate to Key Vault", "Id": "KeyVault110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppAuthenticationCertificate", "Recommendation": "Remove any password credentials from Azure AD applications and use certificate credentials instead. Run command Remove-AzureADApplicationPasswordCredential -InformationAction '{ActionPreference}' -InformationVariable '{InformationVariable}' -KeyId '{KeyId}' -ObjectId '{ObjectId}'. Refer: https://docs.microsoft.com/en-us/powershell/module/azuread/remove-azureadapplicationpasswordcredential?view=azureadps-2.0", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_AuthN_Dont_Share_KeyVault_Unless_Trust", "Description": "Applications must not share a Key Vault unless they trust each other and they need access to the same secrets at runtime", "Id": "KeyVault120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppsSharingKayVault", "Recommendation": "Ensure that there is a clear need for apps to share secrets if they are sharing a Key Vault. Otherwise, set up independent Key Vaults for each application.", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_AuthZ_Grant_Min_RBAC_Access", "Description": "All users/identities must be granted minimum required permissions using Role Based Access Control (RBAC)", "Id": "KeyVault130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckRBACAccess", "Recommendation": "Remove any excessive privileges granted on the Key Vault. Run command Remove-AzureRmRoleAssignment -SignInName '{signInName}' -Scope '{scope}' -RoleDefinitionName '{role definition name}'. 
Run 'Get-Help Remove-AzureRmRoleAssignment -full' for more help. Assign the 'Key Vault Contributor' RBAC role to developers who need to manage Key Vault configurations. Refer: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault, https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_AuthZ_Grant_Min_Access_policies", "Description": "All Key Vault access policies must be defined with minimum required permissions to keys and secrets", "Id": "KeyVault140", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAccessPolicies", "Recommendation": "Use command Set-AzureRmKeyVaultAccessPolicy -VaultName '{VaultName}' -ResourceGroupName '{ResourceGroupName}' -PermissionsToKeys '{PermissionsToKeys}' -PermissionsToSecrets '{PermissionsToSecrets}' -PermissionsToCertificates '{PermissionsToCertificates}' -ObjectId '{ObjectId}'. Do not provide 'All' permissions on Keys, Secrets and Certificates. Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/set-azurermkeyvaultaccesspolicy?view=azurermps-3.8.0", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_AuthZ_Configure_Advanced_Access_Policies", "Description": "Advanced access policies must be configured only on an as-needed basis", "Id": "KeyVault150", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckAdvancedAccessPolicies", "Recommendation": "Remove any advanced policies that are not required using the command: Remove-AzureRmKeyVaultAccessPolicy -VaultName '{VaultName}' -ResourceGroupName '{ResourceGroupName}' -EnabledForDeployment -EnabledForTemplateDeployment -EnabledForDiskEncryption. 
Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/remove-azurermkeyvaultaccesspolicy?view=azurermps-3.8.0 ", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_DP_Keys_Protect_By_HSM", "Description": "All Keys in Key Vault must be protected by HSM [Key Type = HSM Protected Key]", "Id": "KeyVault160", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckKeyHSMProtected", "Recommendation": "Remove the non-HSM keys and recreate them as HSM-protected keys in the destination Key Vault. Run command Remove-AzureKeyVaultKey -VaultName '{KeyVaultName}' -Name '{KeyName}' to remove a non-HSM key. Use command Add-AzureKeyVaultKey -VaultName '{VaultName}' -Name '{KeyName}' -Expires '{ExpiryDate}' -Destination 'HSM' -KeyOps '{KeyOps}'. Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/add-azurekeyvaultkey?view=azurermps-3.8.0, https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/remove-azurekeyvaultkey?view=azurermps-3.8.0 ", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_DP_Keys_Secrets_Set_Expiry_Date", "Description": "All Keys and Secrets in Key Vault must have expiration dates", "Id": "KeyVault170", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckKeyExpirationDate", "Recommendation": "To add an expiry date to keys, run command: Set-AzureKeyVaultKeyAttribute -VaultName '{KeyVaultName}' -Name '{KeyName}' -Expires '{ExpiryDate}'. The expiry date should not be more than $($this.ControlSettings.KeyVault.KeyRotationDuration_Days) days for keys. 
To add an expiry date to secrets, run command: Set-AzureKeyVaultSecretAttribute -VaultName '{KeyVaultName}' -Name '{SecretName}' -Expires '{ExpiryDate}'. The expiry date should not be more than $($this.ControlSettings.KeyVault.SecretRotationDuration_Days) days for secrets.", "Tags": [ "SDL", "TCP", "Automated", "DP", "KeyRotation" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_Audit_Enable_Diagnostics_Log", "Description": "Diagnostic logs must be enabled with a retention period of at least $($this.ControlSettings.Diagnostics_RetentionPeriod_Min) days.", "Id": "KeyVault180", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDiagnosticsSettings", "Recommendation": "Run command: Set-AzureRmDiagnosticSetting -ResourceId '{ResourceId}' -Enable $true -StorageAccountId '{StorageAccountId}' -RetentionInDays ($this.ControlSettings.Diagnostics_RetentionPeriod_Min) -RetentionEnabled $true. Refer: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-azure-key-vault", "Tags": [ "SDL", "TCP", "Automated", "Audit", "Diagnostics" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_AuthN_Key_Min_Operation", "Description": "Restrict the cryptographic operations permitted for each key to the ones actually required", "Id": "KeyVault190", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckKeyMinimumOperations", "Recommendation": "Run command Set-AzureKeyVaultKeyAttribute -VaultName '{KeyVaultName}' -Name '{KeyName}' -KeyOps '{KeyOps}'. 
Refer: https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/set-azurekeyvaultkeyattribute?view=azurermps-3.8.0", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_DP_Identify_Roles", "Description": "Key Vault owner must grant minimum required access to keys/secrets based on individual roles (Developer/Operator/Auditor/Security Team)", "Id": "KeyVault200", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Recommendation": "Key Vault owner must identify the different roles that need various levels of access to Key Vault keys/secrets and configure them using a least-privilege model. Refer: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_DP_Rotate_Key_Periodocally", "Description": "Keys/secrets must be rotated periodically", "Id": "KeyVault210", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Rotate the keys and secrets at regular intervals. Run command: Set-AzureKeyVaultKeyAttribute -VaultName '{KeyVaultName}' -Name '{KeyName}' -Expires '{ExpiryDate}' -Version '{Version}' to generate a new version of the key. Run command: Set-AzureKeyVaultSecretAttribute -VaultName '{KeyVaultName}' -Name '{KeyName}' -Expires '{ExpiryDate}' -Version '{Version}' to generate a new version of the secret.", "Tags": [ "SDL", "TCP", "Manual", "DP" ], "Enabled": true }, { "ControlID": "Azure_KeyVault_Audit_Review_Logs", "Description": "Diagnostic logs for Key Vault must be reviewed periodically", "Id": "KeyVault220", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Recommendation": "Review diagnostic logs at regular intervals for the different operations carried out on keys and secrets. Refer: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-azure-key-vault", "Tags": [ "SDL", "TCP", "Manual", "Audit" ], "Enabled": true } ] }