Ensure that only Azure integrated certificate authorities are in use for issuing certificates used in Azure Key Vault Certificate

MEDIUM

Description

The issuer configured for the Azure Key Vault certificate is not one of the Azure integrated certificate authorities. Certificates from a non-integrated issuer may lead to security issues such as spoofed identity and the inability to revoke the certificates.

Remediation

Certificate issuers cannot be altered once they are created. To create a new certificate with a valid issuer, follow the steps below.

In Azure Console -

  1. Open the Azure Portal and go to Key Vaults.
  2. Choose the Key vault you wish to edit.
  3. Under Objects, select Certificates.
  4. Generate or upload a new certificate with the appropriate key type.

In Terraform -

  1. In the azurerm_key_vault_certificate resource, set issuer_parameters.name (inside the certificate_policy block) to a valid integrated issuer such as DigiCert or GlobalSign when creating the certificate.
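An added Terraform example (not from this policy page) that registers an Azure integrated CA as a Key Vault certificate issuer and creates a certificate referencing it, with the non-compliant self-signed setting noted in the leading comment; the azurerm_key_vault.example reference, the issuer and certificate names, and the CA account values are placeholders to replace with your own.

```hcl
# Non-compliant: issuer_parameters { name = "Self" } makes the vault issue
# the certificate itself, which is the setting AC_AZURE_0219 flags.
# Compliant: register an integrated CA as an issuer and reference it.
resource "azurerm_key_vault_certificate_issuer" "digicert" {
  name          = "digicert-issuer"              # placeholder name
  key_vault_id  = azurerm_key_vault.example.id   # assumed existing vault
  provider_name = "DigiCert"                     # or "GlobalSign"
  org_id        = "ORG-ID-PLACEHOLDER"           # from your CA account
  account_id    = "ACCOUNT-ID-PLACEHOLDER"
  password      = var.digicert_api_key           # keep the secret out of code
}

resource "azurerm_key_vault_certificate" "app_tls" {
  name         = "app-tls-cert"
  key_vault_id = azurerm_key_vault.example.id

  certificate_policy {
    issuer_parameters {
      # Must match the issuer object registered above (not "Self").
      name = azurerm_key_vault_certificate_issuer.digicert.name
    }

    key_properties {
      exportable = false   # private key never leaves the vault
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = false
    }

    lifetime_action {
      action {
        action_type = "AutoRenew"   # integrated CAs can renew from the vault
      }
      trigger {
        days_before_expiry = 30
      }
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }

    x509_certificate_properties {
      subject            = "CN=app.example.com"
      validity_in_months = 12
      key_usage          = ["digitalSignature", "keyEncipherment"]
      extended_key_usage = ["1.3.6.1.5.5.7.3.1"]   # serverAuth
    }
  }
}
```

Because issuer_parameters.name forces replacement when changed, plan for a new certificate object rather than an in-place update when moving off a self-signed issuer.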

References:
https://learn.microsoft.com/en-us/azure/key-vault/general/overview
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_certificate#issuer_parameters

Policy Details

Rule Reference ID: AC_AZURE_0219
CSP: Azure
Remediation Available: Yes
Resource Category: Management
Resource Type: Key Vault

Frameworks