
Policy waiver exemptions must expire

Security · Policy · Rule · 2021_06 · Awareness

Configure policy waiver exemptions to expire.

Description

Azure Policy waiver exemptions are intended to be a temporary acceptance of a non-compliant state. Use the Mitigated category instead when the intent of the policy has been met through another method.

Recommendation

Consider configuring an expiry for policy exemption waivers within the maximum threshold.

Examples

Azure templates

To deploy policy exemptions that pass this rule:

  • Set the properties.expiresOn property to a valid date that is no later than the maximum number of days from now.

For example:

Azure Template snippet
{
    "comments": "An example exemption.",
    "name": "exemption-001",
    "type": "Microsoft.Authorization/policyExemptions",
    "apiVersion": "2020-07-01-preview",
    "properties": {
        "policyAssignmentId": "<assignment_id>",
        "policyDefinitionReferenceIds": [],
        "exemptionCategory": "Waiver",
        "expiresOn": "2021-04-27T14:00:00Z",
        "displayName": "Exemption 001",
        "description": "An example exemption.",
        "metadata": {
            "requestedBy": "Apps team",
            "approvedBy": "Security team",
            "createdBy": "DevOps pipeline"
        }
    }
}

Notes

This rule fails:

  • When the exemption is configured not to expire.
  • When the exemption expiry date is later than the maximum threshold.

Rule configuration

AZURE_POLICY_WAIVER_MAX_EXPIRY

Configure AZURE_POLICY_WAIVER_MAX_EXPIRY to set the maximum expiry date threshold.

# YAML: The default AZURE_POLICY_WAIVER_MAX_EXPIRY configuration option
configuration:
  AZURE_POLICY_WAIVER_MAX_EXPIRY: 366
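As an added example (not PSRule's own implementation), the checks this rule describes, applied to the policyExemptions resources in a template: a Waiver exemption must carry an expiresOn, and that date must be no later than the configured number of days from the evaluation time. The template and the fixed clock below are constructed for the demonstration.

```python
import json
from datetime import datetime, timedelta, timezone

# Mirrors the documented default for AZURE_POLICY_WAIVER_MAX_EXPIRY.
DEFAULT_MAX_EXPIRY_DAYS = 366


def check_waiver_expiry(resource, now, max_days=DEFAULT_MAX_EXPIRY_DAYS):
    """Return (passed, reason) for one template resource.

    Only Waiver exemptions are evaluated; other resource types and the
    Mitigated category are out of scope for this rule and pass.
    """
    if resource.get("type") != "Microsoft.Authorization/policyExemptions":
        return True, "not a policy exemption"
    props = resource.get("properties", {})
    if props.get("exemptionCategory") != "Waiver":
        return True, "exemption category is not Waiver"
    expires_on = props.get("expiresOn")
    if not expires_on:
        return False, "waiver is configured not to expire"
    # expiresOn is ISO 8601; normalise a trailing 'Z' for older Pythons.
    expiry = datetime.fromisoformat(expires_on.replace("Z", "+00:00"))
    limit = now + timedelta(days=max_days)
    if expiry > limit:
        return False, f"expiresOn is later than {max_days} days from now"
    return True, "expires within the threshold"


def evaluate_template(template, now, max_days=DEFAULT_MAX_EXPIRY_DAYS):
    """Map each resource name to its (passed, reason) result."""
    return {r["name"]: check_waiver_expiry(r, now, max_days)
            for r in template.get("resources", [])}


# Constructed sample template (hypothetical names, not a real deployment).
SAMPLE_TEMPLATE = json.loads("""{
  "resources": [
    {"name": "waiver-ok", "type": "Microsoft.Authorization/policyExemptions",
     "properties": {"exemptionCategory": "Waiver", "expiresOn": "2021-04-27T14:00:00Z"}},
    {"name": "waiver-never", "type": "Microsoft.Authorization/policyExemptions",
     "properties": {"exemptionCategory": "Waiver"}},
    {"name": "waiver-too-long", "type": "Microsoft.Authorization/policyExemptions",
     "properties": {"exemptionCategory": "Waiver", "expiresOn": "2023-01-01T00:00:00Z"}},
    {"name": "mitigated", "type": "Microsoft.Authorization/policyExemptions",
     "properties": {"exemptionCategory": "Mitigated"}}
  ]
}""")

if __name__ == "__main__":
    now = datetime(2021, 1, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    for name, (passed, reason) in evaluate_template(SAMPLE_TEMPLATE, now).items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}: {reason}")
```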
