Control: Key Vault keys should have an expiration date
Description
Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys.
Usage
Run the control in your terminal:
powerpipe control run terraform_azure_compliance.control.keyvault_key_expiration_setSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run terraform_azure_compliance.control.keyvault_key_expiration_set --shareSQL
This control uses a named query:
select address as resource, case when (attributes_std ->> 'expiration_date') is null then 'alarm' else 'ok' end status, split_part(address, '.', 2) || case when (attributes_std ->> 'expiration_date') is null then ' expiration_date not set' else ' expiration_date is set' end || '.' reason , path || ':' || start_linefrom terraform_resourcewhere type = 'azurerm_key_vault_key';