Ensure all secrets have an expiration date

ID: secret_expiration_date
Severity: critical
Vendor: Azure
Resource: Azure Key Vault
Tags: reachable
Description

Not all secrets have an expiration date.

Azure Key Vault (AKV) is a cloud service for securely storing and accessing secrets within the Microsoft Azure environment. Rotating secrets on a regular basis helps meet industry standards and cryptographic best practices.

The exp (expiration time) attribute identifies the expiration time on or after which the secret must not be used for a cryptographic operation. Secrets are not set to expire by default, so a secret without exp stays usable indefinitely unless it is explicitly disabled or rotated.
Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "bad", (1)
      "apiVersion": "2018-02-14",
      "location": "[parameters('location')]",
      "properties": {
        "value": "[parameters('secretValue')]",
        "attributes": {
          "enabled": true
        }
      }
    }
  ]
}

(1) A secret resource without an expiration date: the attributes block has no exp.
Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "good", (1)
      "apiVersion": "2018-02-14",
      "location": "[parameters('location')]",
      "properties": {
        "value": "[parameters('secretValue')]",
        "attributes": {
          "enabled": true,
          "exp": 1594389505
        }
      }
    }
  ]
}

(1) A secret resource that sets the expiration time (exp, as seconds since the Unix epoch).
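The buildtime check above can be automated over a template before deployment. The following is an added example written for this page, not code from the policy's own scanner: it walks an ARM template (including child resources nested under a vault), finds every Key Vault secret resource and reports PASSED only when attributes.exp is a positive epoch value. The sample templates are constructed inline for the demonstration.

```python
"""Buildtime check for secret_expiration_date: flag Key Vault secret resources
in an ARM template whose attributes block has no usable ``exp`` value."""
import json
from typing import Dict, List

SECRET_TYPE = "microsoft.keyvault/vaults/secrets"
VAULT_TYPE = "microsoft.keyvault/vaults"


def _secret_resources(template: dict) -> List[dict]:
    """Collect secret resources, including children nested under a vault,
    where ARM permits the abbreviated child type "secrets"."""
    found: List[dict] = []

    def walk(resources, parent_type: str = "") -> None:
        for res in resources or []:
            rtype = str(res.get("type", "")).lower()
            if rtype == SECRET_TYPE or (rtype == "secrets" and parent_type == VAULT_TYPE):
                found.append(res)
            walk(res.get("resources"), rtype)

    walk(template.get("resources"))
    return found


def _valid_exp(exp) -> bool:
    """exp must be a positive integer epoch (seconds); a digit string is also
    accepted, since templates are sometimes written that way."""
    if isinstance(exp, bool):  # bool is an int subclass; reject it explicitly
        return False
    if isinstance(exp, int):
        return exp > 0
    return isinstance(exp, str) and exp.strip().isdigit() and int(exp) > 0


def check_secret_expiration(template: dict) -> Dict[str, str]:
    """Map each secret resource name to PASSED/FAILED for this policy."""
    results: Dict[str, str] = {}
    for res in _secret_resources(template):
        attrs = (res.get("properties") or {}).get("attributes") or {}
        results[res.get("name", "<unnamed>")] = "PASSED" if _valid_exp(attrs.get("exp")) else "FAILED"
    return results


def scan_template_json(text: str) -> Dict[str, str]:
    """Parse ARM template JSON text and run the check."""
    return check_secret_expiration(json.loads(text))


# Constructed sample templates (minimal, not from a real deployment).
BAD_TEMPLATE = """{"resources": [{"type": "Microsoft.KeyVault/vaults/secrets",
  "name": "bad", "properties": {"attributes": {"enabled": true}}}]}"""
GOOD_TEMPLATE = """{"resources": [{"type": "Microsoft.KeyVault/vaults", "name": "kv",
  "resources": [{"type": "secrets", "name": "good",
  "properties": {"attributes": {"enabled": true, "exp": 1594389505}}}]}]}"""
```

Running `scan_template_json` on the two constants yields `{'bad': 'FAILED'}` and `{'good': 'PASSED'}`.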
Runtime

Azure Portal

To change the policy, log in to the Azure Portal and then:

- Navigate to Key vaults, and for each of them:
  - Click Secrets and navigate to Settings.
  - Set Enabled? to Yes.
  - Set a proper expiration date.

CLI Command

- To set an expiration date on a secret, run the following command (repeat it for every secret in the vault):

$ az keyvault secret set-attributes --name <secret name> --vault-name <vault name> --expires Y-m-d'T'H:M:S'Z'

See Managing secrets.