[Policy]: Enforce recommended guardrails for Azure Key Vault Managed HSM
Policy Definition or Initiative
Initiative
Built-in/Custom
Custom
Built-in policy definition or initiative ID
Custom policy definition or initiative description
For organizations that use Managed HSM. It should be similar to “Enforce recommended guardrails for Azure Key Vault” (Enforce-Guardrails-KeyVault), just with Managed HSM instead.
Scope
Intermediate Root
Default Assignment
- [ ] Yes
Comments/thoughts
It is best practice, and most secure, to use AKV Managed HSM.
Hi @vegazbabz, thanks for raising this. We're looking into how we can best accommodate managed HSM key management in ALZ, as part of this reference implementation.
| AKV policy | HSM equivalent |
|---|---|
| Key Vault keys should have an expiration date | [Preview]: Azure Key Vault Managed HSM keys should have an expiration date |
| Key vaults should have deletion protection enabled; Key vaults should have soft delete enabled | Azure Key Vault Managed HSM should have purge protection enabled |
| Keys should have more than the specified number of days before expiration | [Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration |
| Azure Key Vault should have firewall enabled | [Preview]: Azure Key Vault Managed HSM should disable public network access |
Consider adding more custom policies such as this one https://www.azadvertizer.net/azpolicyadvertizer/61cbe0c0-05d8-4853-8233-9b9e89c8456d.html
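The mapping table above lists the four built-in Managed HSM policies that would make up the requested initiative, but not how to turn them into an assignable initiative. The script below is an added example, not code from this issue or from the ALZ reference implementation. It resolves each built-in definition by its display name at run time (so no definition GUIDs need to be hard-coded or guessed), fails closed if a preview policy has been renamed, and then creates and assigns a custom initiative at a management group. The management group name `alz-platform`, the initiative name `Enforce-Guardrails-KeyVaultManagedHSM`, and the assignment name `Enforce-GR-MHSM` are assumptions chosen to mirror the existing Enforce-Guardrails-KeyVault naming; each built-in's parameters (effect, minimum days before expiration) are left at their defaults.

```powershell
# Added example, not part of the issue or the ALZ project: build and assign an
# initiative from the four built-in Managed HSM policies in the mapping table.
# Assumes the Az.Resources module is installed, Connect-AzAccount has been run,
# and the caller can write policy definitions at the target management group.

$ManagementGroup = 'alz-platform'                          # assumed target management group
$InitiativeName  = 'Enforce-Guardrails-KeyVaultManagedHSM'  # assumed, modelled on Enforce-Guardrails-KeyVault
$AssignmentName  = 'Enforce-GR-MHSM'                        # assumed; assignment names at MG scope are limited to 24 chars
$DisplayName     = 'Enforce recommended guardrails for Azure Key Vault Managed HSM'

# Display names exactly as they appear in the mapping table. Preview policies can be
# renamed or retired, so the script stops rather than silently creating a thinner initiative.
$HsmPolicyNames = @(
    '[Preview]: Azure Key Vault Managed HSM keys should have an expiration date',
    'Azure Key Vault Managed HSM should have purge protection enabled',
    '[Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration',
    '[Preview]: Azure Key Vault Managed HSM should disable public network access'
)

# Index every built-in definition by display name. Az.Resources 7.x exposes
# DisplayName/Id at the top level; older releases nest them under .Properties.
$builtIns = @{}
foreach ($def in Get-AzPolicyDefinition -Builtin) {
    $name = if ($def.PSObject.Properties['DisplayName']) { $def.DisplayName } else { $def.Properties.DisplayName }
    $id   = if ($def.PSObject.Properties['Id'])          { $def.Id }          else { $def.PolicyDefinitionId }
    if ($name) { $builtIns[$name] = $id }
}

$missing = $HsmPolicyNames | Where-Object { -not $builtIns.ContainsKey($_) }
if ($missing) {
    throw "Built-in definitions not found (renamed or retired?):`n$($missing -join "`n")"
}

# Initiative members. The reference ID is derived from the display name so that
# compliance results stay readable; parameters are left at the built-ins' defaults.
$members = foreach ($name in $HsmPolicyNames) {
    [ordered]@{
        policyDefinitionId          = $builtIns[$name]
        policyDefinitionReferenceId = ($name -replace '[^A-Za-z0-9]', '')
    }
}
$membersJson = ConvertTo-Json -InputObject @($members) -Depth 5

# Create the initiative (policySetDefinition) at the management group.
$initiative = New-AzPolicySetDefinition `
    -Name                $InitiativeName `
    -DisplayName         $DisplayName `
    -Description         'Managed HSM counterpart of Enforce-Guardrails-KeyVault.' `
    -ManagementGroupName $ManagementGroup `
    -PolicyDefinition    $membersJson

# Assign it at the same management group so every subscription beneath inherits it.
# Use -EnforcementMode DoNotEnforce first to audit existing HSMs before denying.
New-AzPolicyAssignment `
    -Name                $AssignmentName `
    -DisplayName         $DisplayName `
    -Scope               "/providers/Microsoft.Management/managementGroups/$ManagementGroup" `
    -PolicySetDefinition $initiative `
    -EnforcementMode     Default
```

Two points worth checking before running this against a real landing zone: Managed HSM has soft delete enabled by default and does not expose a separate soft-delete policy, which is why the table maps both AKV deletion-protection rows to the single purge-protection policy; and the two "[Preview]" key-expiry policies carry parameters (effect and minimum days) that an ALZ-style initiative would normally surface as initiative parameters rather than leaving at the defaults as this example does.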
@vegazbabz, please review the latest release with the additional Key Vault params and advise on any gaps. Closing as we have an HSM story, but if you find gaps please let us know.