Jan 27 2021 01:31 AM
Hi All,
Is there any custom Azure Policy which we can use to enforce the Azure Key Vault soft-delete retention period as per our requirement? By default it's 90 days, but we want to set it to 10 for all of our key vaults.
Jan 28 2021 06:52 AM
Based on the portal, I don't think you can change that retention period after Soft-Delete has been turned on, which now happens at creation time. This means a policy wouldn't be able to remediate an existing Vault with Soft Delete already active.
However, if you were looking for a policy that enforced this at time of creation that should be possible with a custom policy. Duplicating the policy "Key vaults should have soft delete enabled" would be a good starting point, and then alongside the existing test for "Microsoft.KeyVault/vaults/enableSoftDelete" add an entry to make sure "Microsoft.KeyVault/vaults/softDeleteRetentionInDays" is set to your chosen value of 10.
https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults has some details around the template settings you can check for. https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-custom-policy-definition has a guide on creating a custom policy if you haven't jumped into that before.
Jan 29 2021 12:51 AM
@nirmalmcse02 I've done a quick test and can confirm this works. The custom policy, when assigned and set to "Deny" will stop Vaults being created without the Soft Delete retention being set to 10 days.
Here's the "policyRule" section of my test custom policy, based on the "Key vaults should have soft delete enabled" policy.

"policyRule": {
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.KeyVault/vaults"
            },
            {
                "anyOf": [
                    {
                        "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                        "exists": "false"
                    },
                    {
                        "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                        "equals": "false"
                    },
                    {
                        "field": "Microsoft.KeyVault/vaults/softDeleteRetentionInDays",
                        "notEquals": 10
                    }
                ]
            }
        ]
    },
    "then": {
        "effect": "[parameters('effect')]"
    }
}
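The post above shows only the "policyRule" section, and the earlier answer describes the steps for building the custom policy by hand. The following is an added example (not code from the thread or from Microsoft) that wraps that same rule into a complete definition, supplies the "effect" parameter the rule references, parameterises the 10-day value, and assigns it with Deny from Azure PowerShell. It assumes the Az.Resources and Az.PolicyInsights modules are installed and Connect-AzAccount has been run; the subscription id, definition and assignment names are placeholders.

```powershell
# Added example: register and assign the thread's custom Key Vault policy with Deny.
# Assumptions: Az.Resources / Az.PolicyInsights installed, Connect-AzAccount done.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$retentionDays  = 10                                       # requirement from the thread

# Policy rule: same logic as the thread's policyRule, with the retention value
# taken from a parameter instead of being hard-coded as 10.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.KeyVault/vaults" },
      {
        "anyOf": [
          { "field": "Microsoft.KeyVault/vaults/enableSoftDelete", "exists": "false" },
          { "field": "Microsoft.KeyVault/vaults/enableSoftDelete", "equals": "false" },
          {
            "field": "Microsoft.KeyVault/vaults/softDeleteRetentionInDays",
            "notEquals": "[parameters('retentionInDays')]"
          }
        ]
      }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Parameters referenced by the rule: the effect (the thread's policyRule uses
# parameters('effect')) and the required retention period in days.
$policyParameters = @'
{
  "effect": {
    "type": "String",
    "metadata": { "displayName": "Effect", "description": "Audit or Deny" },
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Deny"
  },
  "retentionInDays": {
    "type": "Integer",
    "metadata": { "displayName": "Required soft-delete retention (days)" },
    "defaultValue": 10
  }
}
'@

# Create the definition at subscription scope (placeholder name).
$definition = New-AzPolicyDefinition -Name 'keyvault-softdelete-retention' `
    -DisplayName 'Key vaults must use the required soft-delete retention period' `
    -Description 'Denies Key Vault deployments without soft delete or with a different retention period.' `
    -Policy $policyRule -Parameter $policyParameters -Mode 'Indexed'

# Assign with Deny: new vault deployments that do not match are rejected.
# Existing vaults are only reported as non-compliant; as noted in the thread,
# the retention period is not changed on an already-created vault.
$assignment = New-AzPolicyAssignment -Name 'enforce-kv-retention' `
    -DisplayName 'Enforce Key Vault soft-delete retention' `
    -Scope "/subscriptions/$subscriptionId" `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ effect = 'Deny'; retentionInDays = $retentionDays }

# After the first evaluation cycle, list the existing vaults that fail the rule.
Get-AzPolicyState -PolicyAssignmentName $assignment.Name `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState
```

Start with the effect set to Audit on a test subscription to see which existing vaults would be flagged, then switch the assignment parameter to Deny once the inventory looks right; the rule itself does not change between the two.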
Jan 29 2021 03:49 AM
Solution
There is no built-in policy to do that, and I would suggest automating this in a declarative or imperative way (PowerShell, ARM or another Infrastructure as Code tool).
By doing that you will have config files with the right values and minimize the remediation tasks (which are not applicable every time) and the management overhead. Once you have done that, you will simply customize a built-in policy to ensure that every deployment which has a value different from 10 will be denied.
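The answer above recommends setting the value through Infrastructure as Code rather than relying on remediation. As an added example (not from the thread), this PowerShell snippet creates a vault with the 10-day retention at creation time, which is the only point at which it can be set, and then inventories existing vaults whose retention differs from the requirement, since those are the ones a Deny policy cannot fix. It assumes the Az.KeyVault module is installed and Connect-AzAccount has been run; resource group, vault name and region are placeholders.

```powershell
# Added example: create a compliant vault from code, then audit existing vaults for drift.
# Assumptions: Az.KeyVault installed, Connect-AzAccount done; names are placeholders.
$resourceGroup = 'rg-keyvault-example'   # placeholder
$vaultName     = 'kv-example-0001'       # placeholder, must be globally unique
$location      = 'westeurope'            # placeholder
$retentionDays = 10                      # thread requirement; Azure accepts 7 to 90

# Retention is set at creation, so it belongs in the deployment code, not a later patch.
New-AzKeyVault -Name $vaultName -ResourceGroupName $resourceGroup -Location $location `
    -SoftDeleteRetentionInDays $retentionDays | Out-Null

# Inventory: Get-AzKeyVault with no arguments returns summary items without the
# retention property, so each vault is fetched individually to read it.
$drift = Get-AzKeyVault |
    ForEach-Object { Get-AzKeyVault -VaultName $_.VaultName } |
    Where-Object { $_.SoftDeleteRetentionInDays -ne $retentionDays } |
    Select-Object VaultName, ResourceGroupName, EnableSoftDelete, SoftDeleteRetentionInDays

# Vaults listed here need to be recreated (or given a documented exception);
# the policy will only report them as non-compliant.
$drift | Format-Table -AutoSize
```

Keeping the vault parameters in the deployment script (or an ARM template with the same `softDeleteRetentionInDays` property) means the policy acts as a guardrail for deployments that bypass the script, rather than as the primary way the value gets set.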