Policy waiver exemptions must expire
Security · Policy · Rule · 2021_06 · Awareness
Configure policy waiver exemptions to expire.
Description
Azure Policy exemptions in the Waiver category record a temporary, accepted non-compliance state for the exempted scope. A waiver should therefore carry an expiry date, so that the accepted risk is revisited instead of being left in place indefinitely.
Use the Mitigated category instead when the intent of the policy has been met through another method; that category describes a condition that is expected to persist rather than a temporarily accepted gap.
Recommendation
Consider configuring an expiry date for every Waiver exemption, and keep that date within the configured maximum threshold (366 days by default).
Examples
Azure templates
To deploy policy exemptions that pass this rule:
- Set the properties.expiresOn property to a valid date that is no more than the maximum number of days (AZURE_POLICY_WAIVER_MAX_EXPIRY, 366 by default) after the time the rule is evaluated.
For example:
Azure Template snippet

```json
{
  "comments": "An example exemption.",
  "name": "exemption-001",
  "type": "Microsoft.Authorization/policyExemptions",
  "apiVersion": "2020-07-01-preview",
  "properties": {
    "policyAssignmentId": "<assignment_id>",
    "policyDefinitionReferenceIds": [],
    "exemptionCategory": "Waiver",
    "expiresOn": "2021-04-27T14:00:00Z",
    "displayName": "Exemption 001",
    "description": "An example exemption.",
    "metadata": {
      "requestedBy": "Apps team",
      "approvedBy": "Security team",
      "createdBy": "DevOps pipeline"
    }
  }
}
```
Notes
This rule fails:
- When the exemption is configured not to expire (no properties.expiresOn is set).
- When the exemption expiry date is later than the maximum threshold.
Rule configuration
AZURE_POLICY_WAIVER_MAX_EXPIRY
Configure AZURE_POLICY_WAIVER_MAX_EXPIRY to set the maximum number of days, counted from the time of evaluation, that a waiver exemption may be set to expire. The default is 366 days.

```yaml
# YAML: The default AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option
configuration:
  AZURE_POLICY_WAIVER_MAX_EXPIRY: 366
```
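The following script shows the two failure conditions from the Notes and the threshold from the Rule configuration applied to exemption resources in an ARM template. It is an added example written for this page, not PSRule's own rule implementation; the sample template, the fixed evaluation time FIXED_NOW, and the assumption that only exemptions with exemptionCategory "Waiver" are evaluated (matching the rule's name) are all constructed for the demonstration.

```python
"""Check Azure Policy waiver exemptions in an ARM template for an expiry within
a maximum number of days. Added example; not PSRule's own rule code."""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Constructed sample template with one exemption per outcome (not from the page).
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {
            "name": "exemption-001",
            "type": "Microsoft.Authorization/policyExemptions",
            "apiVersion": "2020-07-01-preview",
            "properties": {
                "policyAssignmentId": "<assignment_id>",
                "exemptionCategory": "Waiver",
                "expiresOn": "2021-04-27T14:00:00Z",   # within 366 days of FIXED_NOW
            },
        },
        {
            "name": "exemption-002",
            "type": "Microsoft.Authorization/policyExemptions",
            "apiVersion": "2020-07-01-preview",
            "properties": {
                "policyAssignmentId": "<assignment_id>",
                "exemptionCategory": "Waiver",         # no expiresOn: never expires
            },
        },
        {
            "name": "exemption-003",
            "type": "Microsoft.Authorization/policyExemptions",
            "apiVersion": "2020-07-01-preview",
            "properties": {
                "policyAssignmentId": "<assignment_id>",
                "exemptionCategory": "Waiver",
                "expiresOn": "2023-01-01T00:00:00Z",   # more than 366 days past FIXED_NOW
            },
        },
        {
            "name": "exemption-004",
            "type": "Microsoft.Authorization/policyExemptions",
            "apiVersion": "2020-07-01-preview",
            "properties": {
                "policyAssignmentId": "<assignment_id>",
                "exemptionCategory": "Mitigated",      # not a waiver: skipped (assumption)
            },
        },
    ]
})

# Fixed evaluation time so the example is deterministic (assumption for the demo).
FIXED_NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)


def parse_expires_on(value: str) -> datetime:
    """Parse an ARM expiresOn timestamp; a trailing Z is read as UTC."""
    stamp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if stamp.tzinfo is None:            # treat naive timestamps as UTC
        stamp = stamp.replace(tzinfo=timezone.utc)
    return stamp


def check_waiver_expiry(template_json: str, max_days: int = 366,
                        now: datetime | None = None) -> dict[str, str]:
    """Return {exemption name: 'Pass' or 'Fail: <reason>'} for each Waiver exemption.

    max_days plays the role of AZURE_POLICY_WAIVER_MAX_EXPIRY. Only
    exemptionCategory == 'Waiver' is evaluated (assumption); Mitigated is skipped.
    """
    now = now or datetime.now(timezone.utc)
    latest_allowed = now + timedelta(days=max_days)
    results: dict[str, str] = {}
    for res in json.loads(template_json).get("resources", []):
        if res.get("type", "").lower() != "microsoft.authorization/policyexemptions":
            continue
        props = res.get("properties", {})
        if props.get("exemptionCategory") != "Waiver":
            continue
        expires_on = props.get("expiresOn")
        if not expires_on:
            # Failure condition 1: the exemption is configured not to expire.
            results[res["name"]] = "Fail: configured not to expire"
            continue
        expires_at = parse_expires_on(expires_on)
        if expires_at > latest_allowed:
            # Failure condition 2: expiry is later than the maximum threshold.
            results[res["name"]] = (f"Fail: expires {expires_at.date().isoformat()} "
                                    f"after limit {latest_allowed.date().isoformat()}")
        else:
            results[res["name"]] = "Pass"
    return results


if __name__ == "__main__":
    for name, outcome in check_waiver_expiry(SAMPLE_TEMPLATE, now=FIXED_NOW).items():
        print(f"{name}: {outcome}")
```

Lowering max_days to 30 makes exemption-001 fail as well, which is the same effect as tightening AZURE_POLICY_WAIVER_MAX_EXPIRY in the YAML options. In practice the check is run by PSRule itself (Invoke-PSRule with the PSRule.Rules.Azure module) rather than by a script like this one; the script only makes the pass/fail logic visible.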