module/ConfigurationProvider/ControlConfigurations/Services/KeyVault.json

{
  "FeatureName": "KeyVault",
  "Reference": "aka.ms/azsktcp/keyvault",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_KeyVault_AuthZ_Configure_Advanced_Access_Policies",
      "Description": "Advanced access policies must be configured on a need basis",
      "Id": "KeyVault150",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckAdvancedAccessPolicies",
      "DisplayName": "Advanced access policies must be configured on a need basis",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "Advanced access policy allows Azure services (Azure Resource Manager, Virtual Machine, Disk Encryption etc.) to seamlessly access Key Vault. To avoid unintentional access to Key Vault from Azure services, advanced access policies must be configured only as required.",
      "Recommendation": "Remove any advanced policies that are not required using the command: Remove-AzKeyVaultAccessPolicy -VaultName '{VaultName}' -ResourceGroupName '{ResourceGroupName}' -EnabledForDeployment -EnabledForTemplateDeployment -EnabledForDiskEncryption. Refer: https://docs.microsoft.com/en-us/powershell/module/az.keyvault/Remove-AzKeyVaultAccessPolicy",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "AuthZ",
        "KeyVault",
        "Baseline",
        "Weekly"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": []
      },
      "Enabled": true,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KeyVault_SI_Enable_SoftDelete",
      "Description": "Soft delete must be enabled to allow recovery of deleted Key Vault and any objects (keys, secrets, etc.) contained in it.",
      "Id": "KeyVault230",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckKeyVaultSoftDelete",
      "DisplayName": "Soft delete must be enabled to allow recovery of deleted Key Vault and any objects (keys, secrets, etc.) contained in it",
      "Category": "Vulnerabilities must be remediated",
      "ControlRequirements": "Vulnerability scans must be performed and vulnerabilities remediated according to prescribed organizational guidance",
      "Rationale": "Enabling soft delete feature on Key Vault acts as a safety measure to recover inadvertently or maliciously deleted Key Vault and any objects (keys, secrets, etc.) contained in it.",
      "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-powershell to enable soft delete feature on Key Vault.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "KeyVault",
        "Baseline",
        "Weekly"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": []
      },
      "Enabled": true,
      "CustomTags": []
    },
    {
      "ControlID": "Azure_KeyVault_Audit_Enable_Diagnostic_Settings",
      "Description": "Diagnostics logs and metrics must be enabled for Key Vault",
      "Id": "KeyVault180",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckDiagnosticsSettings",
      "DisplayName": "Diagnostics logs and metrics must be enabled for Key Vault",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Logs should be retained for a long enough period so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. A period of 1 year is typical for several compliance requirements as well.",
      "Recommendation": "You can change the diagnostic settings from the Azure Portal by following the steps given here: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/azure-key-vault-deprecated.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "Audit",
        "Diagnostics",
        "KeyVault",
        "Baseline"
      ],
      "ControlEvaluationDetails": {
        "RequiredProperties": [
          "DiagnosticSettings"
        ]
      },
      "Enabled": true,
      "ControlSettings": {
        "DiagnosticForeverRetentionValue": "0",
        "DiagnosticMinRetentionPeriod": "90",
        "DiagnosticLogs": [
          "AuditEvent"
        ],
        "DiagnosticMetrics": [
          "AllMetrics"
        ]
      },
      "CustomTags": [
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_KeyVault_SI_Check_Credentials_Expiration_Trial",
      "Description": "[Trial] Key Vault credentials (keys/secrets/certificates) must have an expiration date",
      "Id": "KeyVault250",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "ControlScanSource": "MDCandReader",
      "MethodName": "CheckCredentialsExpirationTrial",
      "DisplayName": "[Trial] Key Vault credentials (keys/secrets/certificates) must have an expiration date",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Key vault credentials (keys/secrets/certificates) should have a defined expiration date and not be permanent. Credentials that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on key vault credentials.",
      "Recommendation": "Azure Portal: Log in to the Azure Portal > Navigate to 'Microsoft Defender for Cloud'. > Recommendations (under General) > Secure score recommendations > Search \"Key Vault keys should have an expiration date\" (optionally, modify filters as required) > Expand 'Implement security best practices' > Select this recommendation > Follow 'Remediation steps' to define expiration time for every affected key in the key vaults listed under Affected resources > Unhealthy resources. Selecting the key vault will list the affected keys. Repeat these steps for two more recommendations - 1. Key Vault secrets should have an expiration date. 2. Validity period of certificates stored in Azure Key Vault should not exceed 12 months. If the policy is disabled from getting evaluated, refer https://docs.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-policy#enable-a-security-policy to enable the policy. Refer https://docs.microsoft.com/en-us/azure/defender-for-cloud/exempt-resource#define-an-exemption for information on exempted recommendations.",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "SI",
        "KeyVault",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "1aabfa0d-7585-f9f5-1d92-ecb40291d9f2",
          "14257785-9437-97fa-11ae-898cfb24302b",
          "fc84abc0-eee6-4758-8372-a7681965ca44"
        ]
      },
      "Enabled": false,
      "ControlSettings": {
        "AssessmentProperties": [
          {
            "AssessmentKey": "1aabfa0d-7585-f9f5-1d92-ecb40291d9f2",
            "AssessmentDisplayName": "Key Vault keys should have an expiration date"
          },
          {
            "AssessmentKey": "14257785-9437-97fa-11ae-898cfb24302b",
            "AssessmentDisplayName": "Key Vault secrets should have an expiration date"
          },
          {
            "AssessmentKey": "fc84abc0-eee6-4758-8372-a7681965ca44",
            "AssessmentDisplayName": "Validity period of certificates stored in Azure Key Vault should not exceed 12 months"
          }
        ]
      },
      "CustomTags": [
        "Daily",
        "Trial"
      ]
    },
    {
      "ControlID": "Azure_KeyVault_NetSec_Disable_Public_Network_Access",
      "Description": "Key Vault must have public access disabled",
      "Id": "KeyVault260",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckPublicNetworkAccess",
      "DisplayName": "Key Vault must have public access disabled",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "Rationale": "Key Vault firewall should be enabled so that the key vault is not accessible by default to any public IPs.",
      "Recommendation": "Go to Azure Portal --> Your Key Vault resource --> Networking --> Firewalls and virtual networks and choose between disabling public access or allowing public access only from specific virtual networks and IP addresses. You can configure specific IP ranges to limit access to those networks. Learn more at: https://docs.microsoft.com/azure/key-vault/general/network-security",
      "Tags": [
        "SDL",
        "TCP",
        "Automated",
        "NetSec",
        "KeyVault",
        "Baseline",
        "Daily"
      ],
      "Enabled": true,
      "CustomTags": [ "Preview", "TenantBaseline","EDPreview","SMTPreview", "MSD", "TBv7", "CAIPreview", "SN:KeyVault_DisablePublicAccess" ]
    },
    {
      "ControlID": "Azure_KeyVault_SI_Enable_Purge_Protection_MCSB",
      "Description": "[MCSB] Key vaults should have purge protection enabled",
      "Id": "KeyVault270",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Key vaults should have purge protection enabled",
      "Category": "Data persistence should be ensured",
      "ControlRequirements": "Data should be backed up to ensure quicker and more efficient recovery",
      "Rationale": "Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.",
      "Recommendation": "To enable purge protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Properties' tab. 3. Select the radio button corresponding to Enable purge protection. 4. Select Save. Soft delete is a pre-requisite for purge protection, if you have not already enabled this option, please select the radio button corresponding to Enable soft delete first. Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "SI"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "4ed62ae4-5072-f9e7-8d94-51c76c48159a"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KeyVault_SI_Enable_Soft_Delete_MCSB",
      "Description": "[MCSB] Key vaults should have soft delete enabled",
      "Id": "KeyVault280",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Key vaults should have soft delete enabled",
      "Category": "Data persistence should be ensured",
      "ControlRequirements": "Data should be backed up to ensure quicker and more efficient recovery",
      "Rationale": "Enabling soft delete feature on Key Vault acts as a safety measure to recover inadvertently or maliciously deleted Key Vault and any objects (keys, secrets, etc.) contained in it.",
      "Recommendation": "To enable soft delete protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the properties tab. 3. Select the radio button corresponding to Enable soft delete. 4. Enter a retention period in days. Select Save. Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "SI"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "78211c00-15a9-336e-17c4-0b48613dadf4"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KeyVault_SI_Certificates_Max_Validity_MCSB",
      "Description": "[MCSB] Key Vault Certificates should have the specified maximum validity period",
      "Id": "KeyVault290",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Key Vault Certificates should have the specified maximum validity period",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "If a certificate gets compromised, the assets accessible to the user can be accessed/manipulated by unauthorized users. Minimizing the validity period of the certificate ensures that the window of time available to an attacker in the event of compromise is small.",
      "Recommendation": "To remediate you must create a new version of the certificate. Ensure that your application or service will be able to get a new version of the certificate before proceeding. Select a key vault from the list below. The list of certificates with a validity period that exceeds 12 months will appear. From the Azure Portal, open Azure Key Vault and select the vault with the certificate that needs to be replaced. Select the relevant certificate and the certificate details page opens. 1. On the certificate details page, select New Version. Then Create a Certificate pane opens. 2. Change the Validity period (in months) field to 12 or less. 3. Select Create. 4. Ensure that you have set up auto-renewal, or have a process to renew your certificate prior to expiration.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "SI"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "fc84abc0-eee6-4758-8372-a7681965ca44"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KeyVault_SI_Secrets_Expiration_Date_MCSB",
      "Description": "[MCSB] Key Vault secrets should have an expiration date",
      "Id": "KeyVault300",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Key Vault secrets should have an expiration date",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets.",
      "Recommendation": "To enable an expiration date on your secret: 1. Log in to the Azure portal and select your key vault. 2. Click on the Secrets tab. 3. Find all secrets in the table that do not have an expiration date. 4. Click on a secret. 5. Click the current version of the secret. 6. Check the box corresponding to Set expiration date. 7. Select Save.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "SI"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "14257785-9437-97fa-11ae-898cfb24302b"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KeyVault_SI_Keys_Expiration_Date_MCSB",
      "Description": "[MCSB] Key Vault keys should have an expiration date",
      "Id": "KeyVault310",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Key Vault keys should have an expiration date",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.",
      "Recommendation": "To enable an expiration date on your key: 1. Log in to the Azure portal and select your key vault. 2. Open the Keys tab. 3. Find all keys in the table that do not have an expiration date. 4. Select a key. 5. Select the current version of the key. 6. Select the box corresponding to Set expiration date. 7. Select Save.",
      "Tags": [
        "SDL",
        "Automated",
        "Baseline",
        "SI"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "1aabfa0d-7585-f9f5-1d92-ecb40291d9f2"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KeyVault_NetSec_Disable_Public_Network_Access_MCSB",
      "Description": "[MCSB] Azure Key Vault should disable public network access",
      "Id": "KeyVault320",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Azure Key Vault should disable public network access",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "ControlScanSource": "MDC",
      "Rationale": "Disabling public network access for your key vault provides an extra layer of security by making it inaccessible over the public internet. This can reduce data leakage risks.",
      "Recommendation": "To disable public network access, please refer: https://learn.microsoft.com/en-us/azure/key-vault/general/how-to-azure-key-vault-network-security?tabs=azure-portal",
      "Tags": [
        "Automated",
        "NetSec",
        "KeyVault",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "52f7826a-ace7-3107-dd0d-4875853c1576"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KeyVault_NetSec_Configure_Private_Endpoint_Connections_MCSB",
      "Description": "[MCSB] Private endpoint should be configured for Key Vault",
      "Id": "KeyVault330",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "DisplayName": "[MCSB] Private endpoint should be configured for Key Vault",
      "Category": "Deploy controls to restrict network traffic",
      "ControlRequirements": "Restrict network traffic flows",
      "ControlScanSource": "MDC",
      "Rationale": "Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration.",
      "Recommendation": "To configure a private endpoint, please refer: https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal#establish-a-private-link-connection-to-an-existing-key-vault",
      "Tags": [
        "Automated",
        "NetSec",
        "KeyVault",
        "Baseline"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "2e96bc2f-1972-e471-9e70-ae58d41e9d2a"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KeyVault_Audit_Enable_Resource_Logs_MCSB",
      "Description": "[MCSB] Resource logs in Key Vault should be enabled",
      "Id": "KeyVault340",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "ControlScanSource": "MDC",
      "DisplayName": "[MCSB] Resource logs in Key Vault should be enabled",
      "Category": "Monitoring must be correctly configured",
      "ControlRequirements": "Monitoring and auditing must be enabled and correctly configured according to prescribed organizational guidance",
      "Rationale": "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised.",
      "Recommendation": "To enable logs in Azure Key Vault, please refer: https://learn.microsoft.com/en-us/azure/key-vault/general/howto-logging?tabs=azure-portal#enable-logging",
      "Tags": [
        "Audit",
        "Automated",
        "Baseline",
        "KeyVault"
      ],
      "AssessmentProperties": {
        "AssessmentNames": [
          "88bbc99c-e5af-ddd7-6105-6150b2bfa519"
        ],
        "AssessmentStatusMappings": [
          {
            "AssessmentStatusCode": "NotApplicable",
            "EffectiveVerificationResult": "Failed",
            "AssessmentStatusCausePatterns": "(.)*OffByPolicy|Exempt(.)*",
            "AppendMessageToStatusReason": "Disabling or exempting the policy from getting evaluated is not recommended. The Control will be marked as Failed."
          }
        ]
      },
      "Enabled": false,
      "CustomTags": [
        "Daily",
        "MCSB"
      ]
    },
    {
      "ControlID": "Azure_KeyVault_AuthZ_Remove_Orphan_Applications",
      "Description": "Remove Orphan Applications from Key Vault Access policies",
      "Id": "KeyVault350",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckOrphanApplications",
      "DisplayName": "Remove Orphan Applications from Key Vault Access policies",
      "Category": "Least privilege access to subscription and resources",
      "ControlRequirements": "Access to data, networks, services, utilities, tools, and applications must be controlled by authentication and authorization mechanisms",
      "Rationale": "An application becomes an orphan if all its owners leave the organization. Despite no longer being present in AAD, ex-employees (previous app owners) can still access corporate resources to which the application has access, using application secrets/certificates that they have retained. To avoid unintentional access to Key Vault, remove orphan applications from its access policies.",
      "Recommendation": "To remove Orphan Applications from Key Vault: Go to Azure portal --> Key Vault services --> Your Key Vault --> 'Access policies' --> Select your Orphan Application --> 'Delete'.",
      "Tags": [
        "Automated",
        "AuthZ",
        "KeyVault",
        "Baseline"
      ],
      "Enabled": true,
      "CustomTags": [
        "Weekly"
      ]
    },
    {
      "ControlID": "Azure_KeyVault_BCDR_Enable_SoftDelete_and_PurgeProtection",
      "Description": "Key Vaults must have Soft Delete and Purge Protection enabled",
      "Id": "KeyVault360",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckSoftDeletePurgeProtectionEnabled",
      "DisplayName": "Key Vaults must have Soft Delete and Purge Protection enabled",
      "Category": "Business Continuity and Disaster Recovery",
      "ControlRequirements": "Data should be backed up to ensure quicker and more efficient recovery",
      "Rationale": "Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period.",
      "Recommendation": "To enable purge protection for your key vault: 1. Log in to the Azure portal and select your key vault. 2. Click on the 'Properties' tab. 3. Select the radio button corresponding to Enable purge protection. 4. Select Save. Soft delete is a pre-requisite for purge protection, if you have not already enabled this option, please select the radio button corresponding to Enable soft delete first. Please visit https://aka.ms/keyvaultsoftdelete for detailed configuration steps.",
      "Tags": [
        "Automated",
        "Baseline",
        "BCDR",
        "KeyVault"
      ],
      "Enabled": true,
      "CustomTags": [
        "Daily",
        "TenantBaseline",
        "EDPreview",
        "SMTPreview",
        "MSD",
        "TBv10",
        "SN:KeyVault_PurgeProtection"
      ]
    }
  ]
}