{
"properties": {
"displayName": "Keys using elliptic curve cryptography should have the specified curve names",
"policyType": "BuiltIn",
"mode": "Microsoft.KeyVault.Data",
"description": "Keys backed by elliptic curve cryptography can have different curve names. Some applications are only compatible with specific elliptic curve keys. Enforce the types of elliptic curve keys that are allowed to be created in your environment.",
"metadata": {
"version": "1.0.1",
"category": "Key Vault"
},
"version": "1.0.1",
"parameters": {
"allowedECNames": {
"type": "Array",
"metadata": {
"displayName": "Allowed elliptic curve names",
"description": "The list of allowed curve names for elliptic curve cryptography keys."
},
"allowedValues": [
"P-256",
"P-256K",
"P-384",
"P-521"
],
"defaultValue": [
"P-256",
"P-256K",
"P-384",
"P-521"
]
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disabled' turns off the policy."
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.KeyVault.Data/vaults/keys"
},
{
"field": "Microsoft.KeyVault.Data/vaults/keys/keyType",
"in": [
"EC",
"EC-HSM"
]
},
{
"field": "Microsoft.KeyVault.Data/vaults/keys/ellipticCurveName",
"notIn": "[parameters('allowedECNames')]"
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
},
"versions": [
"1.0.1"
]
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255",
"name": "ff25f3c8-b739-4538-9d07-3d6d25cfb255"
}