Control: 8.1 Ensure that the expiration date is set on all keys
Description
It is recommended that all keys in Azure Key Vault have an expiration time set. Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration time) attribute identifies the expiration time on or after which the key MUST NOT be used for a cryptographic operation.
As default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration time for all keys.
Remediation
From Console
- Login and go to
Key vaults. - For each Key vault, go to
Settingssection and click onKeys. - Make sure
StatusisEnabled. - Set an appropriate
Expiration Dateon all keys.
From Command Line
Command to update the Expiration Date for the key
az keyvault key set-attributes --name <keyName> --vault-name <vaultName> -- expires Y-m-d'T'H:M:S'Z'
Note
- In order to access expiration time on all keys in Azure Key Vault using Microsoft API requires List Key permission
- By default, keys do not expire
- To provide required access follow below steps
- Go to Key vaults
- For each Key vault, click on Access Policy
- Add access policy with Key permission as
List
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v130_8_1Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v130_8_1 --shareSQL
This control uses a named query:
select kvk.id as resource, case when enabled and expires_at is null then 'alarm' else 'ok' end as status, vault_name || ' key ' || name || case when enabled and expires_at is null then ' expiration date not set.' when not enabled then ' disabled.' else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.' end as reason , kvk.resource_group as resource_group , sub.display_name as subscriptionfrom azure_key_vault_key kvk left join azure_subscription as sub on sub.subscription_id = kvk.subscription_id;