Managing Azure key vault using Azure Policy
In this, we will discuss and learn about managing key vaults with Azure Policy. Starting with Azure Policy, it’s a governance solution that allows customers to audit and manage their Azure environment at a large scale. It also allows you to put guardrails on Azure resources to guarantee that they follow the set policy rules. Azure Policy enables users to audit, enforce, and remediate their Azure environment in real-time. Users will be able to identify which resources and components are compliant and which are not based on the outcomes of the policy’s audits, which will be shown in a compliance dashboard.
Allowing and managing a Key Vault policy with Azure portal
Selecting a Policy Definition
- Firstly, Log in to the Azure portal.
- Secondly, Search “Policy” in the Search Bar and then, Select Policy.
- After that, in the Policy window, select Definitions.
- Then, in the Category Filter, Unselect Select All and select Key Vault.
- There you should be able to see all the policies available for Public Preview, for Azure Key Vault.
- Lastly, make sure you have read and understood the policy guidance section and select a policy you want to assign to a scope.
Assigning a Policy to a Scope
- Firstly, select a policy you want to apply. For example, select the Manage Certificate Validity Period policy. Then, click the assign button in the top-left corner.
- After that, select the subscription where you want the policy to be applied. There you can choose to restrict the scope to only a single resource group within a subscription. And, if you want to apply the policy to the entire subscription and exclude some resource groups, you can also configure an exclusion list. Then, set the policy enforcement selector to Enabled if you want the effect of the policy to occur or Disabled to turn the effect off.
- Lastly, click on the parameters tab at the top of the screen for specifying the maximum validity period in months that you want. Then, select, audit or deny for the effect of the policy following the guidance. Then select the review + create button.
Process of Viewing Compliance Results
- Firstly, go back to the Policy blade and select the compliance tab. Then, click on the policy assignment you wish to view compliance results for.
- Using this page you can filter results by compliant or non-compliant vaults. There you can see a list of non-compliant key vaults within the scope of the policy assignment. However, a vault is considered non-compliant if any of the components in the vault are non-compliant.
- Thirdly, view the name of the components within a vault that are non-compliant.
- Lastly, if you need to check whether users are being denied the ability to create resources within a key vault, you can click on the Component Events tab. This will show the summary of denied certificate operations with the requestor and timestamps of requests.
Reference: Microsoft Documentation
Are you preparing for Microsoft Azure Architect Design AZ-304 exam?Take a Quiz