Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

[Policy]: Enforce recommended guardrails for Azure Key Vault Managed HSM #1571

Closed vegazbabz closed 5 months ago

vegazbabz commented 9 months ago

Policy Definition or Initiative

Initiative

Built-in/Custom

Custom

Built-in policy definition or initiative ID

Custom policy definition or initiative description

For the organizations that use Managed HSM. It should be similar to “Enforce recommended guardrails for Azure Key Vault” ([Enforce-Guardrails-KeyVault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html)) just with Managed HSM instead.

Scope

Intermediate Root

Default Assignment

- [ ] Yes

Comments/thoughts

This is best practice and most secure to use AKV Managed HSM.
Springstone commented 9 months ago

Hi @vegazbabz, thanks for raising this. We're looking into how we can best accommodate managed HSM key management in ALZ, as part of this reference implementation.

vegazbabz commented 9 months ago
| AKV policy | HSM equivalent |
| --- | --- |
| Key Vault keys should have an expiration date | [Preview]: Azure Key Vault Managed HSM keys should have an expiration date |
| Key vaults should have deletion protection enabled; Key vaults should have soft delete enabled | Azure Key Vault Managed HSM should have purge protection enabled |
| Keys should have more than the specified number of days before expiration | [Preview]: Azure Key Vault Managed HSM Keys should have more than the specified number of days before expiration |
| Azure Key Vault should have firewall enabled | [Preview]: Azure Key Vault Managed HSM should disable public network access |

Consider adding more custom policies such as this one https://www.azadvertizer.net/azpolicyadvertizer/61cbe0c0-05d8-4853-8233-9b9e89c8456d.html
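As an added illustration of what one of the custom Managed HSM guardrails mapped above could look like (this is example code, not a definition from the Enterprise-Scale repository or from the linked azadvertizer page): a single custom policy definition that denies a Managed HSM pool unless purge protection is on and public network access is disabled, together with a small evaluator for the subset of the Azure Policy rule language the definition uses (`allOf`, `anyOf`, `not`, `equals`, `notEquals`, `exists`). The resource type string and the two property aliases are assumptions taken from the Managed HSM ARM resource shape and have not been checked against the live alias list; the evaluator is a teaching model of how the `if`/`then` block is applied, not the Azure Policy engine (for example, it compares the `type` field case-sensitively, which the real engine does not).

```python
"""Added example: a custom Azure Policy definition for Managed HSM guardrails
plus a toy evaluator for the rule-language subset it uses."""
import json

# Assumed aliases for Microsoft.KeyVault/managedHSMs (not verified against Azure).
ALIAS_PURGE_PROTECTION = "Microsoft.KeyVault/managedHsms/enablePurgeProtection"
ALIAS_PUBLIC_NETWORK = "Microsoft.KeyVault/managedHsms/publicNetworkAccess"

# Deny a Managed HSM that lacks purge protection or still allows public access.
DENY_MHSM_WITHOUT_GUARDRAILS = {
    "mode": "Indexed",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.KeyVault/managedHSMs"},
                {"anyOf": [
                    {"field": ALIAS_PURGE_PROTECTION, "notEquals": True},
                    {"field": ALIAS_PUBLIC_NETWORK, "notEquals": "Disabled"},
                ]},
            ]
        },
        "then": {"effect": "deny"},
    },
}


def field_value(resource, field):
    """Resolve a policy field reference: 'type'/'name'/'location' are top-level,
    an alias is resolved by its last path segment under 'properties'."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    leaf = field.rsplit("/", 1)[-1]
    return resource.get("properties", {}).get(leaf)


def matches(cond, resource):
    """Evaluate one condition node. A missing field counts as 'notEquals'
    anything, so an HSM that never set enablePurgeProtection is still denied."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = field_value(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource):
    """Return the effect that fires (here 'deny'), or 'compliant' when the
    'if' block does not match the resource."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if matches(rule["if"], resource) else "compliant"


# Constructed sample resources (not real deployments).
HARDENED_HSM = {
    "type": "Microsoft.KeyVault/managedHSMs",
    "name": "hsm-prod-01",
    "properties": {"enablePurgeProtection": True, "enableSoftDelete": True,
                   "publicNetworkAccess": "Disabled"},
}
EXPOSED_HSM = {
    "type": "Microsoft.KeyVault/managedHSMs",
    "name": "hsm-dev-01",
    "properties": {"enablePurgeProtection": False, "publicNetworkAccess": "Enabled"},
}
PUBLIC_BUT_PROTECTED_HSM = {
    "type": "Microsoft.KeyVault/managedHSMs",
    "name": "hsm-dev-02",
    "properties": {"enablePurgeProtection": True, "publicNetworkAccess": "Enabled"},
}
UNRELATED_VAULT = {"type": "Microsoft.KeyVault/vaults", "name": "kv-01", "properties": {}}

if __name__ == "__main__":
    for res in (HARDENED_HSM, EXPOSED_HSM, PUBLIC_BUT_PROTECTED_HSM, UNRELATED_VAULT):
        print(f"{res['name']}: {evaluate(DENY_MHSM_WITHOUT_GUARDRAILS, res)}")
    # The definition itself is what would be submitted as a custom policy.
    print(json.dumps(DENY_MHSM_WITHOUT_GUARDRAILS, indent=2))
```

The `anyOf` inside `allOf` is the pattern that lets one definition cover both guardrails without a second policy; splitting them into two definitions, as the built-ins in the table do, gives clearer compliance reporting per control, so the choice depends on whether the goal is a single deny gate or per-control visibility.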

Springstone commented 5 months ago

@vegazbabz please review the latest release with the additional KeyVault params, and advise on any gaps. Closing as we have an HSM story but if you find gaps please let us know.