Control: 8.2 Ensure that the expiration date is set on all Secrets
Description
It is recommended that all Secrets in the Azure Key Vault have an expiration time set. The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration time) attribute identifies the expiration time on or after which the secret MUST NOT be used.
By default, secrets never expire. It is therefore recommended to rotate secrets in the key vault and set an explicit expiration time for all secrets.
Remediation
From Console
- Login and go to Key vaults.
- For each Key vault, go to Settings section and click on Secrets.
- Make sure Status is Enabled.
- Set an appropriate Expiration Date on all secrets.
From Command Line
Command to update the Expiration Date for the secret
az keyvault secret set-attributes --name <secretName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z'
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v130_8_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v130_8_2 --share
SQL
This control uses a named query:
select
  kvs.id as resource,
  case
    when enabled and expires_at is null then 'alarm'
    else 'ok'
  end as status,
  vault_name || ' secret ' || name ||
  case
    when enabled and expires_at is null then ' expiration date not set.'
    when not enabled then ' disabled.'
    else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.'
  end as reason
  , kvs.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_key_vault_secret as kvs
  left join azure_subscription as sub on sub.subscription_id = kvs.subscription_id;
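The following Python is an added example, not part of the original page or the Powerpipe mod: it applies the query's alarm/ok rules to `az keyvault secret list` output and builds the set-attributes command from the Command Line section for each secret in alarm. The vault name, secret names, sample JSON, the helper names and the 90-day expiry window are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like `az keyvault secret list --vault-name <vaultName>` output.
SAMPLE = json.loads("""[
  {"id": "https://examplevault.vault.azure.net/secrets/db-password",
   "attributes": {"enabled": true, "expires": null}},
  {"id": "https://examplevault.vault.azure.net/secrets/api-token",
   "attributes": {"enabled": true, "expires": "2031-01-15T00:00:00+00:00"}},
  {"id": "https://examplevault.vault.azure.net/secrets/old-key",
   "attributes": {"enabled": false, "expires": null}}
]""")

def names(secret):
    """Split a secret id URL into (vault_name, secret_name)."""
    host, _, path = secret["id"].split("//", 1)[1].partition("/")
    return host.split(".")[0], path.split("/")[1]

def evaluate(secret):
    """Return (status, reason) using the control query's rules."""
    vault, name = names(secret)
    attrs = secret["attributes"]
    prefix = f"{vault} secret {name}"
    if attrs["enabled"] and attrs["expires"] is None:
        return "alarm", prefix + " expiration date not set."
    if not attrs["enabled"]:
        return "ok", prefix + " disabled."
    day = datetime.fromisoformat(attrs["expires"]).strftime("%d-%b-%Y")
    return "ok", f"{prefix} expiration date set to {day}."

def remediation(secret, now, days=90):
    """Build the set-attributes command for a secret in alarm, else None.
    The 90-day default is an assumption, not a value from the benchmark."""
    if evaluate(secret)[0] != "alarm":
        return None
    vault, name = names(secret)
    expires = (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"az keyvault secret set-attributes --name {name} "
            f"--vault-name {vault} --expires {expires}")

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for s in SAMPLE:
        status, reason = evaluate(s)
        print(status, reason)
        cmd = remediation(s, now)
        if cmd:
            print("  fix:", cmd)
```

To run it against a real vault, replace `SAMPLE` with the parsed JSON output of `az keyvault secret list --vault-name <vaultName>`.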