Control: 8.2 Ensure that the expiration date is set on all Secrets
Description
It is recommended that all Secrets in the Azure Key Vault have an expiration time set. The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration time) attribute identifies the expiration time on or after which the secret MUST NOT be used.
As default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration time for all secrets.
Remediation
From Console
- Login and go to
Key vaults
. - For each Key vault, go to
Settings
section and click onSecrets
. - Make sure
Status
isEnabled
. - Set an appropriate
Expiration Date
on all secrets.
From Command Line
Command to update the Expiration Date
for the secret
az keyvault secret set-attributes --name <secretName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z'
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v130_8_2
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v130_8_2 --share
SQL
This control uses a named query:
keyvault_secret_expiration_set