Azure Policy Regulatory Compliance controls for Azure Key Vault

Regulatory Compliance in Azure Policy provides Azure-created and Azure-managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure Key Vault. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.

Azure Security Benchmark v1

The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Azure Security Benchmark, see the Azure Security Benchmark mapping files.

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
| --- | --- | --- | --- | --- |
| Network Security | 1.1 | Protect resources using Network Security Groups or Azure Firewall on your Virtual Network | Key Vault should use a virtual network service endpoint | 1.0.0 |
| Logging and Monitoring | 2.3 | Enable audit logging for Azure resources | Resource logs in Key Vault should be enabled | 5.0.0 |
| Secure Configuration | 7.11 | Manage Azure secrets securely | Key vaults should have deletion protection enabled | 2.1.0 |
| Data Recovery | 9.4 | Ensure protection of backups and customer managed keys | Key vaults should have deletion protection enabled | 2.1.0 |

CIS Azure Foundations Benchmark 1.1.0

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
| --- | --- | --- | --- | --- |
| Logging and Monitoring | 5.1.7 | Ensure that logging for Azure KeyVault is 'Enabled' | Diagnostic logs in Key Vault should be enabled | 3.0.0 |
| Other Security Considerations | 8.4 | Ensure the key vault is recoverable | Key Vault objects should be recoverable | 1.0.0 |

HIPAA HITRUST 9.2

| Domain | Control ID | Control title | Policy (Azure portal) | Policy version (GitHub) |
| --- | --- | --- | --- | --- |
| Segregation in Networks | 0805.01m1Organizational.12 - 01.m | The organization's security gateways (e.g. firewalls) enforce security policies and are configured to filter traffic between domains, block unauthorized access, and are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet) including DMZs and enforce access control policies for each of the domains. | Key Vault should use a virtual network service endpoint | 1.0.0 |
| Segregation in Networks | 0806.01m2Organizational.12356 - 01.m | The organization's network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; and traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. | Key Vault should use a virtual network service endpoint | 1.0.0 |
| Segregation in Networks | 0894.01m2Organizational.7 - 01.m | Networks are segregated from production-level networks when migrating physical servers, applications or data to virtualized servers. | Key Vault should use a virtual network service endpoint | 1.0.0 |
| Audit Logging | 1211.09aa3System.4 - 09.aa | The organization verifies every ninety (90) days for each extract of covered information recorded that the data is erased or its use is still required. | Diagnostic logs in Key Vault should be enabled | 3.0.0 |
| Network Controls | 0865.09m2Organizational.13 - 09.m | The organization (i) authorizes connections from the information system to other information systems outside of the organization through the use of interconnection security agreements or other formal agreement; (ii) documents each connection, the interface characteristics, security requirements, and the nature of the information communicated; (iii) employs a deny all, permit by exception policy for allowing connections from the information system to other information systems outside of the organization; and (iv) applies a default-deny rule that drops all traffic via host-based firewalls or port filtering tools on its endpoints (workstations, servers, etc.), except those services and ports that are explicitly allowed. | Key Vault should use a virtual network service endpoint | 1.0.0 |
| Business Continuity and Risk Assessment | 1635.12b1Organizational.2 - 12.b | Information security aspects of business continuity are (i) based on identifying events (or sequence of events) that can cause interruptions to the organization's critical business processes (e.g., equipment failure, human errors, theft, fire, natural disasters, acts of terrorism); (ii) followed by a risk assessment to determine the probability and impact of such interruptions, in terms of time, damage scale and recovery period; (iii) based on the results of the risk assessment, a business continuity strategy is developed to identify the overall approach to business continuity; and (iv) once this strategy has been created, endorsement is provided by management, and a plan created and endorsed to implement this strategy. | Key Vault objects should be recoverable | 1.0.0 |
