Ensure all keys have an expiration date

ID

key_expiration_date

Severity

critical

Vendor

Azure

Resource

Azure Key Vault

Tags

reachable

Description

Not all keys have an expiration date.

Azure Key Vault (AKV) is a cloud service for securely storing and accessing keys within the Microsoft Azure environment.

Rotating keys on a regular basis helps meet industry standards and cryptographic best practices. Key rotation limits the amount of content protected by a single key, so a compromise of one key exposes less data and a key that has quietly leaked stops working on its own.

The exp (expiration time) attribute identifies the time on or after which the key must not be used for a cryptographic operation. Keys are not set to expire by default, so a key created without exp (attributes.exp in ARM, expiration_date in Terraform) stays usable indefinitely and nothing forces it to be rotated.

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/keys",
      "name": "bad",    (1)
      "apiVersion": "2019-09-01",
      "properties": {
        "kty": "RSA",
        "keySize": 2048,
        "attributes": {
          "enabled": true
        }
      }
    }
  ]
}
1 is a key resource whose attributes block sets no exp, so the key never expires.

Terraform

resource "azurerm_key_vault_key" "bad" {
  name         = "my-public-key"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
  // no expiration_date, so the key never expires
}

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/keys",
      "name": "good",    (1)
      "apiVersion": "2019-09-01",
      "properties": {
        "kty": "RSA",
        "keySize": 2048,
        "attributes": {
          "enabled": true,
          "exp": 1704067200
        }
      }
    }
  ]
}
1 is a key resource which sets the expiration time. exp is an integer of seconds since the Unix epoch (1704067200 is 2024-01-01T00:00:00Z); pick a value in the future that matches your rotation schedule, otherwise the key is unusable as soon as it is created.

Terraform

resource "azurerm_key_vault_key" "good" {
  name         = "my-public-key"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]

  expiration_date = "2024-01-01T00:00:00Z" (1)
}
1 Fixed, key expiration is explicit. expiration_date is an RFC 3339 UTC timestamp and, like exp in ARM, must lie in the future at deployment time.

Runtime

Azure Portal

To set an expiration date, log in to the Azure Portal and then:

  • Navigate to Key vaults, and for each vault:

    • Under Settings, click Keys and open each key, then open its current version.

    • Set Enabled? to Yes.

    • Set a proper expiration date (in the future, matching your rotation schedule) and save.

CLI Command

  • To set an expiration date on a key, use the following command (repeat it for every key in every vault; --expires takes a UTC timestamp in the form Y-m-d'T'H:M:S'Z'):

$ az keyvault key set-attributes --name <key name> --vault-name <vault name> --expires Y-m-d'T'H:M:S'Z'
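Running that command by hand for every key does not scale and does not tell you which keys are already expired rather than merely unbounded. The following script is an added example, not part of this policy page or of Azure's tooling: it takes the JSON that `az keyvault key list --vault-name <vault>` prints (the `attributes.expires` field is an ISO 8601 UTC timestamp, or null when no expiry is set), flags every key that has no expiry or whose expiry has already passed, and emits the CLI command that fixes each one. The vault name, the 365-day lifetime and the sample key list are constructed assumptions; the sample is not captured from a real vault.

```python
"""Audit Azure Key Vault keys for missing or past expiration dates.

Added example. Feed it `az keyvault key list --vault-name <vault> -o json`;
the constructed sample below stands in for that output so it runs offline.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `az keyvault key list --vault-name example-vault`,
# trimmed to the fields the audit reads. Not captured from a real vault.
SAMPLE_KEY_LIST = json.dumps([
    {"name": "no-expiry",
     "kid": "https://example-vault.vault.azure.net/keys/no-expiry",
     "attributes": {"enabled": True, "expires": None}},
    {"name": "expired",
     "kid": "https://example-vault.vault.azure.net/keys/expired",
     "attributes": {"enabled": True, "expires": "2020-07-10T13:58:25+00:00"}},
    {"name": "compliant",
     "kid": "https://example-vault.vault.azure.net/keys/compliant",
     "attributes": {"enabled": True, "expires": "2030-01-01T00:00:00+00:00"}},
])


def parse_expiry(value):
    """Return the expiry as an aware UTC datetime, or None when the key has none.

    The CLI prints a +00:00 offset; the portal and some SDKs print a trailing
    'Z', which datetime.fromisoformat() only accepts from Python 3.11, so the
    'Z' is normalised first.
    """
    if value is None:
        return None
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:  # defensive: treat a naive timestamp as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def remediation_command(vault_name, key_name, expires, new_version=False):
    """Build the az command that gives the key an expiry.

    A key that has never expired gets `set-attributes --expires`. A key that
    is already past its expiry should not simply be extended; `key create`
    with the same name issues a new version (with --expires set) instead.
    --expires takes the Y-m-d'T'H:M:S'Z' form the CLI documents.
    """
    stamp = expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    verb = "create" if new_version else "set-attributes"
    return (f"az keyvault key {verb} --vault-name {vault_name} "
            f"--name {key_name} --expires {stamp}")


def audit_keys(key_list_json, vault_name, now=None, lifetime_days=365):
    """Flag keys with no expiry or an expiry already in the past.

    Returns one finding per non-compliant key: its name, the reason, and the
    command that sets an expiry `lifetime_days` after `now`. 365 days is an
    assumed rotation period; use what your key-management standard requires.
    """
    now = now or datetime.now(timezone.utc)
    proposed = now + timedelta(days=lifetime_days)
    findings = []
    for key in json.loads(key_list_json):
        attributes = key.get("attributes") or {}
        expires = parse_expiry(attributes.get("expires"))
        if expires is None:
            reason, new_version = "no expiration set", False
        elif expires <= now:
            reason, new_version = f"expired on {expires.isoformat()}", True
        else:
            continue  # has an expiry in the future: compliant
        findings.append({
            "name": key["name"],
            "enabled": attributes.get("enabled"),
            "reason": reason,
            "command": remediation_command(vault_name, key["name"],
                                           proposed, new_version),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_keys(SAMPLE_KEY_LIST, "example-vault"):
        print(f"{finding['name']}: {finding['reason']}\n  {finding['command']}")
```

The script only prints the commands; review them before running, because `key create` on an expired key issues a new version and any consumer pinned to the old key ID will need to be re-pointed. To audit a live vault, replace SAMPLE_KEY_LIST with the output of `az keyvault key list --vault-name <vault> -o json`.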