
Azure- Cloud Custodian Policies for CIS Microsoft Azure Foundations Benchmark (Part 3)


CIS Azure Foundations Benchmark v1.4.0 (11-26-2021)

8.1 Ensure that the expiration date is set on all keys in RBAC Key Vaults (Automated) Level 1

policies:
  - name: cis-keyvault-keys-older-than-90-days
    resource: azure.keyvault-key
    description: |
      Find all keys in the Key Vaults that are older than 90 days.
      This policy runs every Sunday at 8:55 AM UTC.
    filters:
      - type: value
        key: attributes.created
        op: gt
        value: 90
        value_type: age
    mode:
      type: azure-periodic
      schedule: 0 55 8 * * 0
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}

Note that this policy flags keys by creation age (attributes.created more than 90 days in the past), not by whether an expiration date is set, so it is a key-rotation hygiene check rather than a direct test of control 8.1. The schedule is a six-field Azure Functions NCRONTAB expression (second, minute, hour, day, month, day-of-week), so 0 55 8 * * 0 fires at 08:55 UTC every Sunday.
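Control 8.1 asks whether an expiration date is set at all, so the direct check is for a missing attributes.expires rather than for key age. The following policy is an added example, not the article's own policy: the attribute path attributes.expires is an assumption about how Cloud Custodian serializes key properties, and the identity id and output_dir are placeholders carried over from the policy above.

```yaml
policies:
  - name: cis-8-1-keyvault-keys-without-expiry
    resource: azure.keyvault-key
    description: |
      CIS 8.1: flag Key Vault keys that have no expiration date set.
      Added example, not the article's policy. The attribute path
      'attributes.expires' is an assumption; confirm it against the
      resources.json that `custodian run --dryrun` writes to the output
      directory before relying on the result.
    filters:
      # Cloud Custodian's value filter treats 'absent' as "the key is
      # not present in the resource document".
      - type: value
        key: attributes.expires
        value: absent
    mode:
      type: azure-periodic
      schedule: 0 55 8 * * 0
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options:
        output_dir: azure://example.blob.abcd.windows.net/{account_id}
```

Running it once with `custodian run --dryrun -s out policy.yml` (no Function App is provisioned in dry-run mode) lets you inspect the serialized key documents and verify the attribute path before scheduling it.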

8.5 Ensure that Resource Locks are set for Mission Critical Azure Resources — Manual — Level 2

policies:
  - name: cis-resourcegroup-lock-absent
    resource: azure.resourcegroup
    description: |
      Find all resource groups where no lock has been set.
      This policy runs every Sunday at 8:55 AM UTC.
    filters:
      - type: resource-lock
        lock-type: Absent
    mode:
      type: azure-periodic
      schedule: 0 55 8 * * 0
      provision-options:
        identity:
          type: UserAssigned
          id: exampleid
      execution-options…
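Control 8.5 is scoped to mission-critical resources, and a lock on a resource group does not tell you whether the individual resources inside it are locked. The variant below, an added example rather than the article's policy, applies the same resource-lock filter to virtual machines and narrows it to resources carrying a criticality tag; the tag name criticality and value mission-critical are assumptions chosen for illustration.

```yaml
policies:
  - name: cis-8-5-critical-vm-lock-absent
    resource: azure.vm
    description: |
      CIS 8.5: flag mission-critical VMs that carry no resource lock.
      Added example, not the article's policy. The tag name 'criticality'
      and value 'mission-critical' are assumptions for illustration.
    filters:
      # Scope to resources the organisation has tagged as mission-critical.
      - type: value
        key: tags.criticality
        value: mission-critical
      # Then keep only those with no lock (neither CanNotDelete nor ReadOnly).
      - type: resource-lock
        lock-type: Absent
```

The same azure-periodic mode block used by the resource-group policy can be added to schedule it; without a mode it runs once in pull mode from the CLI, which is convenient for validating the tag filter first.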

Written by Aakif Shaikh, CISSP, CEH, CHFI, CISA, GWAPT

Over 18 years of experience in a wide variety of technical domains within information security including information assurance, compliance, and risk management.