turbot/steampipe-mod-azure-compliance

Control: 8.3.9 Ensure automatic key rotation is enabled within Azure Key Vault

Description

Automated cryptographic key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency. A key rotation policy can be defined for each individual key.

Remediation

Note: Azure CLI and PowerShell express time spans in the ISO 8601 duration format. The format is P<timespanInISO8601Format>(Y,M,D): the leading P is required and stands for period, and Y, M and D give the number of years, months and days respectively. A time frame of 2 years, 2 months and 2 days is therefore P2Y2M2D. For Azure CLI and PowerShell, the easiest way to supply the policy is a .json file, for example:

{
  "lifetimeActions": [
    {
      "trigger": {
        "timeAfterCreate": "P<timespanInISO8601Format>(Y,M,D)",
        "timeBeforeExpiry": null
      },
      "action": {
        "type": "Rotate"
      }
    },
    {
      "trigger": {
        "timeBeforeExpiry": "P<timespanInISO8601Format>(Y,M,D)"
      },
      "action": {
        "type": "Notify"
      }
    }
  ],
  "attributes": {
    "expiryTime": "P<timespanInISO8601Format>(Y,M,D)"
  }
}

Remediate from Azure Portal

  1. Go to Key Vaults.
  2. Select a Key Vault.
  3. Under Objects, select Keys.
  4. Select a key.
  5. From the top row, select Rotation policy.
  6. Select an appropriate Expiry time.
  7. Set Enable auto rotation to Enabled.
  8. Set an appropriate Rotation option and Rotation time.
  9. Optionally, set a Notification time.
  10. Click Save.
  11. Repeat steps 1-10 for each Key Vault and Key.

Remediate from Azure CLI

Run the following command for each key to enable automatic rotation:

az keyvault key rotation-policy update --vault-name <vault-name> --name <keyname> --value <path/to/policy.json>

Remediate from PowerShell

Run the following command for each key to enable automatic rotation:

Set-AzKeyVaultKeyRotationPolicy -VaultName <vault-name> -Name <key-name> -PolicyPath <path/to/policy.json>

Default Value

By default, automatic key rotation is not enabled.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_8_3_9

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_8_3_9 --share

SQL

This control uses a named query:

-- Keys whose rotation policy contains a Rotate action triggered a fixed
-- period after creation (the setting the portal calls "Enable auto rotation").
with key_rotation_policy as (
  select
    id
  from
    azure_key_vault_key,
    jsonb_array_elements(rotation_policy -> 'lifetimeActions') as lifetimeActions
  where
    lifetimeActions -> 'action' ->> 'type' = 'Rotate'
    -- ->> yields SQL NULL for both a missing key and a JSON null, so a Rotate
    -- action whose timeAfterCreate is null does not count as enabled
    and lifetimeActions -> 'trigger' ->> 'timeAfterCreate' is not null
)
select
  kvk.id as resource,
  case
    when p.id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when p.id is not null then kvk.vault_name || ' key ' || kvk.name || ' automatic rotation enabled.'
    else kvk.vault_name || ' key ' || kvk.name || ' automatic rotation disabled.'
  end as reason
  , kvk.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_key_vault_key kvk
  left join key_rotation_policy as p on p.id = kvk.id
  left join azure_subscription sub on sub.subscription_id = kvk.subscription_id;
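The policy file described in the Remediation note and the rule applied by the query above can be exercised offline. The following Python is an added example, not code from the mod: `build_policy` produces a concrete policy.json from ISO 8601 periods (validating only the Y, M and D components the note describes, an assumption of this example), and `rotation_enabled` applies the control's rule to policy documents, treating a missing or JSON-null `timeAfterCreate` as unset. The function names and the sample policies are constructed for this example.

```python
import re

# Period format as described in the Remediation note: leading "P", then Y, M and/or D
# components, e.g. "P18M" or "P2Y2M2D". Assumption: the W and time-of-day (T)
# parts of ISO 8601 are deliberately not accepted here.
ISO8601_PERIOD = re.compile(r"^P(?=\d)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")

def valid_period(value):
    """True if value is a P(Y,M,D) period with at least one non-zero component."""
    m = ISO8601_PERIOD.match(value or "")
    return bool(m) and any(int(g) > 0 for g in m.groups() if g is not None)

def build_policy(rotate_after, notify_before, expires_after):
    """Build a policy.json document in the layout shown above with concrete periods."""
    for v in (rotate_after, notify_before, expires_after):
        if not valid_period(v):
            raise ValueError(f"not an ISO 8601 P(Y,M,D) period: {v!r}")
    return {
        "lifetimeActions": [
            {"trigger": {"timeAfterCreate": rotate_after, "timeBeforeExpiry": None},
             "action": {"type": "Rotate"}},
            {"trigger": {"timeBeforeExpiry": notify_before},
             "action": {"type": "Notify"}},
        ],
        "attributes": {"expiryTime": expires_after},
    }

def rotation_enabled(policy):
    """The control's rule: some lifetimeAction is a Rotate action whose trigger
    carries a timeAfterCreate; a missing or JSON-null value is treated as unset."""
    for item in (policy or {}).get("lifetimeActions") or []:
        if item.get("action", {}).get("type") != "Rotate":
            continue
        if item.get("trigger", {}).get("timeAfterCreate") is not None:
            return True
    return False

# Constructed sample documents (the shape `az keyvault key rotation-policy show -o json` prints).
SAMPLE_POLICIES = {
    "rotate-18m": build_policy("P18M", "P30D", "P2Y"),
    "notify-only": {"lifetimeActions": [{"trigger": {"timeBeforeExpiry": "P30D"},
                                         "action": {"type": "Notify"}}]},
    "null-trigger": {"lifetimeActions": [{"trigger": {"timeAfterCreate": None},
                                          "action": {"type": "Rotate"}}]},
}

def evaluate(policies):
    """Map key name -> 'ok' | 'alarm', the status values the control reports."""
    return {k: ("ok" if rotation_enabled(p) else "alarm") for k, p in policies.items()}
```

Serialising `build_policy("P18M", "P30D", "P2Y")` with `json.dump` gives a file usable as the `--value` / `-PolicyPath` argument above; `rotation_enabled` accepts the parsed output of `az keyvault key rotation-policy show -o json` for a key you want to check by hand.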

Tags