Control: 8.3.11 Ensure certificate 'Validity Period (in months)' is less than or equal to '12'
Description
Restrict the validity period of certificates stored in Azure Key Vault to 12 months or less.
Limiting certificate validity reduces the risk of misuse if compromised and helps ensure timely renewal, improving security and reliability.
Remediation
Remediate from Azure Portal
For existing certificates:
1. Go to Key vaults.
2. Click the name of a key vault.
3. Under Objects, click Certificates.
4. Click the name of a certificate.
5. Click Issuance Policy.
6. Set Validity Period (in months) to an integer between 1 and 12, inclusive.
7. Click Save.
8. Repeat steps 1-7 for each key vault and certificate requiring remediation.
Remediate from PowerShell
For each certificate requiring remediation, run the following command to set ValidityInMonths to an integer between 1 and 12, inclusive (replace <vault-name> and <certificate-name> with the vault and certificate names). The issuance policy governs the next issuance or renewal: a certificate version that has already been issued keeps its current expiry until it is renewed.
Set-AzKeyVaultCertificatePolicy -VaultName <vault-name> -Name <certificate-name> -ValidityInMonths <validity-in-months>
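The following PowerShell script is an added example, not part of the Powerpipe control or the CIS benchmark text. It walks every Key Vault visible in the current Az context, reads each certificate's issuance policy, reports the same ok/alarm status the control's query produces, and, only when -Fix is given, writes a 12-month validity back. It assumes the Az.KeyVault module is installed, Connect-AzAccount has been run, and the caller holds certificate Get and Set permissions on each vault; the $MaxValidityMonths and -Fix parameters are this script's own names.

```powershell
# Added example: audit and (optionally) remediate Key Vault certificate issuance policies
# against CIS Azure 8.3.11. Assumes Az.KeyVault is installed and Connect-AzAccount has
# been run with an identity that can read and set certificate policies.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$MaxValidityMonths = 12,   # CIS 8.3.11 threshold (assumed parameter name)
    [switch]$Fix                     # without this switch the script only reports
)

$findings = @()

# Get-AzKeyVault with no arguments lists the vaults in the current subscription context.
foreach ($vault in Get-AzKeyVault) {
    $vaultName = $vault.VaultName
    $certs = Get-AzKeyVaultCertificate -VaultName $vaultName -ErrorAction SilentlyContinue
    foreach ($cert in $certs) {
        $policy   = Get-AzKeyVaultCertificatePolicy -VaultName $vaultName -Name $cert.Name
        $validity = $policy.ValidityInMonths   # $null when the policy does not set it

        # Mirror the control's query: a missing value compares as NULL there and is an alarm,
        # so treat $null as non-compliant here as well.
        $compliant = ($null -ne $validity) -and ($validity -le $MaxValidityMonths)

        $findings += [pscustomobject]@{
            Vault            = $vaultName
            Certificate      = $cert.Name
            ValidityInMonths = $validity
            Status           = $(if ($compliant) { 'ok' } else { 'alarm' })
        }

        if (-not $compliant -and $Fix -and
            $PSCmdlet.ShouldProcess("$vaultName/$($cert.Name)", "Set ValidityInMonths to $MaxValidityMonths")) {
            # Modify the fetched policy object and write it back with -InputObject so the
            # issuer, subject, key type and other settings are preserved. This changes the
            # policy for the next issuance or renewal; the already issued X.509 certificate
            # keeps its current NotAfter until it is renewed.
            $policy.ValidityInMonths = $MaxValidityMonths
            Set-AzKeyVaultCertificatePolicy -VaultName $vaultName -Name $cert.Name -InputObject $policy
            Write-Verbose "Remediated $vaultName/$($cert.Name): validity set to $MaxValidityMonths months"
        }
    }
}

$findings | Sort-Object Status, Vault, Certificate | Format-Table -AutoSize
```

Run it once without -Fix to see the report, then with -Fix -WhatIf to preview which policies would change, and finally with -Fix to apply. Because the script re-submits the policy object it read rather than passing -ValidityInMonths alone, no other policy field is reset in the process.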
Default Value
Validity Period (in months) is set to 12 by default.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_8_3_11
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v500_8_3_11 --share
SQL
This control uses a named query. A certificate whose policy carries no validity_months value compares as NULL in the case expression and therefore falls through to 'alarm':
select
  c.id as resource,
  case
    when (x509_certificate_properties -> 'validity_months')::int <= 12 then 'ok'
    else 'alarm'
  end as status,
  c.title || ' validity period is ' || (x509_certificate_properties -> 'validity_months') || ' month(s).' as reason,
  sub.display_name as subscription
from
  azure_key_vault_certificate as c
  left join azure_subscription as sub on sub.subscription_id = c.subscription_id;