Best practice rules for KeyVault
Trend Micro Cloud One™ – Conformity monitors KeyVault with the following rules:
- App Tier Customer-Managed Key In Use
Ensure that a Customer-Managed Key is created for your Azure cloud application tier.
- Azure Key Vault Cross-Subscription Access
Ensure that Azure key vaults don't allow unknown cross-subscription access.
- Check for Allowed Certificate Key Types
Ensure that Azure Key Vault certificates are using the appropriate key type(s).
- Check for Azure Key Vault Keys Expiration Date
Ensure that your Azure Key Vault encryption keys are renewed prior to their expiration date.
- Check for Azure Key Vault Secrets Expiration Date
Ensure that your Azure Key Vault secrets are renewed prior to their expiration date.
- Check for Certificate Minimum Key Size
Ensure that Azure Key Vault RSA certificates are using the appropriate key size.
- Check for Key Vault Full Administrator Permissions
Ensure that no Azure user, group or application has full permissions to access and manage Key Vaults.
- Check for Sufficient Certificate Auto-Renewal Period
Ensure that a sufficient period is configured for the auto-renewal of SSL certificates.
- Database Tier Customer-Managed Key In Use
Ensure that a Customer-Managed Key is created for your Microsoft Azure cloud database tier.
- Enable AuditEvent Logging for Azure Key Vaults
Ensure that logging for Azure KeyVault is 'Enabled'.
- Enable Certificate Transparency
Ensure that certificate transparency is enabled for all your Azure Key Vault certificates.
- Enable Key Vault Recoverability
Ensure that your Microsoft Azure Key Vault instances are recoverable.
- Enable SSL Certificate Auto-Renewal
Ensure that the Auto-Renewal feature is enabled for your Azure Key Vault SSL certificates.
- Enable Trusted Microsoft Services for Key Vault Access
Allow trusted Microsoft services to access your Azure Key Vault resources (i.e. encryption keys, secrets and certificates).
- Restrict Default Network Access for Azure Key Vaults
Ensure that the default network access (i.e. public access) rule is set to "Deny" within your Azure Key Vaults configuration.
- Set Azure Secret Key Expiration
Ensure that an expiration date is set for all your Microsoft Azure secret keys.
- Set Encryption Key Expiration
Ensure that an expiration date is configured for all your Microsoft Azure encryption keys.
- Web Tier Customer-Managed Key In Use
Ensure that a Customer-Managed Key is created for your Microsoft Azure cloud web tier.