Control: 3.3.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services
Description
Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will incrementally increased.
Once set up, Automatic Private Key Rotation removes the need for manual administration when keys expire at intervals determined by your organization's policy. The recommended key lifetime is 2 years. Your organization should determine its own key expiration policy.
Remediation
Note: Azure CLI and Powershell use ISO8601 flags to input timespans. Every timespan input will be in the format P<timespanInISO8601Format>(Y,M,D). The leading P is required with it denoting period
. The (Y,M,D) are for the duration of Year, Month,and Day respectively. A time frame of 2 years, 2 months, 2 days would be (P2Y2M2D).
From Azure Portal
- From Azure Portal select the Portal Menu in the top left.
- Select Key Vaults.
- Select a Key Vault to audit.
- Under
Objects
selectKeys
. - Select a key to audit.
- In the top row select
Rotation policy
. - Select an
Expiry time
. - Set
Enable auto rotation
toEnabled
. - Set an appropriate
Rotation option
andRotation time
. - Optionally set the
Notification time
. - Select
Save
. - Repeat steps 3-11 for each Key Vault and Key.
From Azure CLI
Run the following command for each key to update its policy to be auto-rotated:
az keyvault key rotation-policy update -n <keyName> --vault-name <vaultName> --value <path/to/policy.json>
Note: It is easiest to supply the policy flags in a .json file. An example json file would be:
{ "lifetimeActions": [ { "trigger": { "timeAfterCreate": "<timespanInISO8601Format>", "timeBeforeExpiry" : null }, "action": { "type": "Rotate" } }, { "trigger": { "timeBeforeExpiry" : "<timespanInISO8601Format>" }, "action": { "type": "Notify" } } ], "attributes": { "expiryTime": "<timespanInISO8601Format>" }}
From PowerShell
Run the following command for each key to update its policy:
Set-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -PolicyPath rotation_policy.json
Note: It is easiest to supply the policy flags in a .json file. An example json file would be:
<#rotation_policy.json{ "lifetimeActions": [ { "trigger": { "timeAfterCreate": "P<timespanInISO8601Format>M", "timeBeforeExpiry": null }, "action": { "type": "Rotate" } }, { "trigger": { "timeBeforeExpiry": "P<timespanInISO8601Format>D" }, "action": { "type": "Notify" } } ], "attributes": { "expiryTime": "P<timespanInISO8601Format>Y" }}#>
Default Value
By default, Automatic Key Rotation is not enabled.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v300_3_3_8
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v300_3_3_8 --share
SQL
This control uses a named query:
manual_control