Ensure that only allowed key types are in use for Azure Key Vault Certificate

HIGH

Description

An Azure Key Vault certificate created with a key type that is not on the allowed list does not meet this policy and leaves the certificate's private key with weaker protection than intended.

Remediation

A certificate's key type cannot be changed after the certificate is created. To replace a non-compliant certificate with one that uses an allowed key type, follow the steps below.

In Azure Console -

  1. Open the Azure Portal and go to Key Vaults.
  2. Choose the Key vault you wish to edit.
  3. Under Objects, select Certificates.
  4. Generate or upload a new certificate with the appropriate key type.

In Terraform -

  1. In the azurerm_key_vault_certificate resource, create certificates whose key_properties.key_type (inside certificate_policy) is one of RSA, RSA-HSM, EC, or EC-HSM.
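
As an added example (not code from this policy page or from the azurerm provider's documentation), two azurerm_key_vault_certificate resources that satisfy this rule: one with an RSA key and one with an HSM-backed EC key. The resource names, the azurerm_key_vault.example reference and the certificate subjects are assumed placeholders.

```hcl
# Added example, not the policy's or the azurerm provider's own code.
# Assumed: an existing azurerm_key_vault.example resource; names and subjects are placeholders.

# Compliant certificate with a software-protected RSA key.
resource "azurerm_key_vault_certificate" "rsa_example" {
  name         = "example-rsa-cert"              # assumed name
  key_vault_id = azurerm_key_vault.example.id    # assumed existing vault

  certificate_policy {
    issuer_parameters {
      name = "Self"   # self-signed for the example; use a CA issuer in production
    }

    key_properties {
      exportable = false   # keep the private key inside the vault
      key_type   = "RSA"   # allowed values: RSA, RSA-HSM, EC, EC-HSM
      key_size   = 2048    # key_size applies to RSA and RSA-HSM keys
      reuse_key  = false   # generate a fresh key on renewal
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      subject            = "CN=rsa.example.internal"   # assumed subject
      validity_in_months = 12
      key_usage          = ["digitalSignature", "keyEncipherment"]
    }
  }
}

# Compliant certificate with an HSM-protected elliptic-curve key.
resource "azurerm_key_vault_certificate" "ec_hsm_example" {
  name         = "example-ec-hsm-cert"           # assumed name
  key_vault_id = azurerm_key_vault.example.id    # assumed existing vault

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = false
      key_type   = "EC-HSM"   # HSM-backed EC key, also an allowed value
      curve      = "P-256"    # EC and EC-HSM keys take curve instead of key_size
      reuse_key  = false
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      subject            = "CN=ec.example.internal"   # assumed subject
      validity_in_months = 12
      key_usage          = ["digitalSignature"]
    }
  }
}
```

Because the key type is fixed at creation, a non-compliant certificate is remediated by adding a new resource like one of the above and rotating consumers to it, not by editing key_type on the existing resource; Terraform will replace the certificate if key_type changes.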

References:
https://learn.microsoft.com/en-us/azure/key-vault/general/overview
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_certificate#key_properties

Policy Details

Rule Reference ID: AC_AZURE_0165
CSP: Azure
Remediation Available: Yes
Resource Category: Management
Resource Type: Key Vault

Frameworks