articles/key-vault/general/azure-policy.md
Lines changed: 8 additions & 8 deletions
@@ -27,17 +27,17 @@ Example Usage Scenarios:
27
27
28
28
When enforcing a policy, you can determine its effect over the resulting evaluation. Each policy definition allows you to choose one of multiple effects. Therefore, policy enforcement may behave differently depending on the type of operation you are evaluating. In general, the effects for policies that integrate with Key Vault include:
29
29
30
-
-[**Audit**](https://learn.microsoft.com/azure/governance/policy/concepts/effects#audit): when the effect of a policy is set to `Audit`, the policy will not cause any breaking changes to your environment. It will only alert you to components such as certificates that do not comply with the policy definitions within a specified scope, by marking these components as non-compliant in the policy compliance dashboard. Audit is default if no policy effect is selected.
30
+
-[**Audit**](../../governance/policy/concepts/effects#audit): when the effect of a policy is set to `Audit`, the policy will not cause any breaking changes to your environment. It will only alert you to components such as certificates that do not comply with the policy definitions within a specified scope, by marking these components as non-compliant in the policy compliance dashboard. Audit is default if no policy effect is selected.
31
31
32
-
-[**Deny**](https://learn.microsoft.com/azure/governance/policy/concepts/effects#deny): when the effect of a policy is set to `Deny`, the policy will block the creation of new components such as certificates as well as block new versions of existing components that do not comply with the policy definition. Existing non-compliant resources within a Key Vault are not affected. The 'audit' capabilities will continue to operate.
32
+
-[**Deny**](../../governance/policy/concepts/effects#deny): when the effect of a policy is set to `Deny`, the policy will block the creation of new components such as certificates as well as block new versions of existing components that do not comply with the policy definition. Existing non-compliant resources within a Key Vault are not affected. The 'audit' capabilities will continue to operate.
33
33
34
-
-[**Disabled**](https://learn.microsoft.com/azure/governance/policy/concepts/effects#disabled): when the effect of a policy is set to `Disabled`, the policy will still be evaluated but enforcement will not take effect, thus being compliant for the condition with `Disabled` effect. This is useful to disable the policy for a specific condition as opposed to all conditions.
34
+
-[**Disabled**](../../governance/policy/concepts/effects#disabled): when the effect of a policy is set to `Disabled`, the policy will still be evaluated but enforcement will not take effect, thus being compliant for the condition with `Disabled` effect. This is useful to disable the policy for a specific condition as opposed to all conditions.
35
35
36
-
-[**Modify**](https://learn.microsoft.com/azure/governance/policy/concepts/effects#modify): when the effect of a policy is set to `Modify`, you can perform addition of resource tags, such as adding the `Deny` tag to a network. This is useful to disable access to a public network for Azure Key Vault managed HSM. It is necessary to [configure a manage identity](https://learn.microsoft.com/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal#configure-the-managed-identity) for the policy definition via the `roleDefinitionIds` parameter to utilize the `Modify` effect.
36
+
-[**Modify**](../../governance/policy/concepts/effects#modify): when the effect of a policy is set to `Modify`, you can perform addition of resource tags, such as adding the `Deny` tag to a network. This is useful to disable access to a public network for Azure Key Vault managed HSM. It is necessary to [configure a manage identity](../../governance/policy/how-to/remediate-resources?tabs=azure-portal#configure-the-managed-identity) for the policy definition via the `roleDefinitionIds` parameter to utilize the `Modify` effect.
37
37
38
-
-[**DeployIfNotExists**](https://learn.microsoft.com/azure/governance/policy/concepts/effects#deployifnotexists): when the effect of a policy is set to `DeployIfNotExists`, a deployment template is executed when the condition is met. This can be used to configure diagnostic settings for Key Vault to log analytics workspace. It is necessary to [configure a manage identity](https://learn.microsoft.com/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal#configure-the-managed-identity) for the policy definition via the `roleDefinitionIds` parameter to utilize the `DeployIfNotExists` effect.
38
+
-[**DeployIfNotExists**](../../governance/policy/concepts/effects#deployifnotexists): when the effect of a policy is set to `DeployIfNotExists`, a deployment template is executed when the condition is met. This can be used to configure diagnostic settings for Key Vault to log analytics workspace. It is necessary to [configure a manage identity](../../governance/policy/how-to/remediate-resources?tabs=azure-portal#configure-the-managed-identity) for the policy definition via the `roleDefinitionIds` parameter to utilize the `DeployIfNotExists` effect.
39
39
40
-
-[**AuditIfNotExists**](https://learn.microsoft.com/azure/governance/policy/concepts/effects#deployifnotexists): when the effect of a policy is set to `AuditIfNotExists`, you can identify resources that lack the properties specified in the details of the policy condition. This is useful to identify Key Vaults that have no resource logs enabled. It is necessary to [configure a manage identity](https://learn.microsoft.com/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal#configure-the-managed-identity) for the policy definition via the `roleDefinitionIds` parameter to utilize the `DeployIfNotExists` effect.
40
+
-[**AuditIfNotExists**](../../governance/policy/concepts/effects#deployifnotexists): when the effect of a policy is set to `AuditIfNotExists`, you can identify resources that lack the properties specified in the details of the policy condition. This is useful to identify Key Vaults that have no resource logs enabled. It is necessary to [configure a manage identity](../../governance/policy/how-to/remediate-resources?tabs=azure-portal#configure-the-managed-identity) for the policy definition via the `roleDefinitionIds` parameter to utilize the `DeployIfNotExists` effect.
41
41
42
42
43
43
## Available Built-In Policy Definitions
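Review bot: the `AuditIfNotExists` bullet (the `+` line for original line 40) still links to `#deployifnotexists` and still ends with "to utilize the `DeployIfNotExists` effect"; since the line is being rewritten in this commit anyway, point the anchor at `#auditifnotexists` and name the `AuditIfNotExists` effect in the closing sentence. In the same hunk, "configure a manage identity" should read "configure a managed identity" in all four bullets where it occurs. Also, the new relative targets such as `../../governance/policy/concepts/effects#audit` carry no file extension; confirm the docs build resolves them as written, otherwise use the `effects.md#audit` form.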
@@ -49,7 +49,7 @@ Predetermined policies, referred to as 'built-ins', facilitate governance over y
49
49
50
50
#### Network Access
51
51
52
-
Reduce the risk of data leakage by restricting public network access, enabling [Azure Private Link](https://azure.microsoft.com/products/private-link/) connections, creating private DNS zones to override DNS resolution for a private endpoint, and enabling [firewall protection](https://learn.microsoft.com/azure/key-vault/general/network-security) so that the Key Vault is not accessible by default to any public IP.
52
+
Reduce the risk of data leakage by restricting public network access, enabling [Azure Private Link](https://azure.microsoft.com/products/private-link/) connections, creating private DNS zones to override DNS resolution for a private endpoint, and enabling [firewall protection](../../key-vault/general/network-security) so that the Key Vault is not accessible by default to any public IP.
53
53
54
54
-[Azure Key Vault should disable public network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F405c5871-3e91-4644-8a63-58e19d68ff5b)
55
55
</br>Effects: Audit _(Default)_, Deny, Disabled
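Review bot: the new relative link `../../key-vault/general/network-security` climbs out of `articles/key-vault/general/` only to re-enter the same folder; because `azure-policy.md` already lives in that directory, a same-directory reference such as `network-security` (with whatever extension convention the rest of the commit settles on) is shorter and survives the folder being relocated. Nit on the unchanged context line `</br>Effects: Audit _(Default)_, Deny, Disabled`: `</br>` is a malformed break tag and `<br/>` is the well-formed spelling.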
@@ -81,7 +81,7 @@ Reduce the risk of data leakage by restricting public network access, enabling [
81
81
82
82
#### Deletion Protection
83
83
84
-
Prevent permanent data loss of your Key Vault and its objects by enabling [soft-delete and purge protection](https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview). While soft-delete allows you to recover an accidentally deleted Key Vault for a configurable retention period, purge protection protects you from insider attacks by enforcing a mandatory retention period for soft-deleted Key Vaults. Purge protection can only be enabled once soft-delete is enabled. No one inside your organization or Microsoft will be able to purge your Key Vaults during the soft delete retention period.
84
+
Prevent permanent data loss of your Key Vault and its objects by enabling [soft-delete and purge protection](../../key-vault/general/soft-delete-overview). While soft-delete allows you to recover an accidentally deleted Key Vault for a configurable retention period, purge protection protects you from insider attacks by enforcing a mandatory retention period for soft-deleted Key Vaults. Purge protection can only be enabled once soft-delete is enabled. No one inside your organization or Microsoft will be able to purge your Key Vaults during the soft delete retention period.
85
85
86
86
-[Key Vaults should have soft delete enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d)</br>Effects: Audit _(Default)_, Deny, Disabled
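Review bot: `../../key-vault/general/soft-delete-overview` has the same redundant `../../key-vault/general/` prefix as the network-access link; since the target sits beside `azure-policy.md`, `soft-delete-overview` alone suffices, and it should carry the same extension convention as the other relative links in this commit. Small prose nit on the line being touched: the final sentence says "soft delete retention period" while the rest of the paragraph hyphenates "soft-delete"; make them consistent.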