Enable Automatic Key Rotation

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Automatic Key Rotation feature is enabled for your Azure Key Vault keys in order to meet security and compliance requirements. Once enabled, this security feature automatically generates a new cryptographic key version at a frequency that you specify.

Security, Operational excellence

To enhance security and reduce the chances of unauthorized access if your cryptographic keys get compromised, it's important to periodically rotate (regenerate) your Microsoft Azure Key Vault keys. Regularly updating these keys helps protect sensitive information and maintains the system's integrity. When you set up the key rotation policy, the Automatic Key Rotation feature takes care of renewing the keys for you, so you don't have to worry about manual updates when a key expires at the specified time.


Audit

To determine if Automatic Key Rotation is enabled for your Azure Key Vault keys, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Key vault, and choose Apply to list only the Key Vaults available in the selected Azure subscription.

05 Click on the name (link) of the Azure Key Vault that you want to examine.

06 In the resource navigation panel, under Objects, select Keys to access the list of cryptographic keys managed by the selected Key Vault.

07 Click on the name (link) of the cryptographic key that you want to examine, listed in the Name column.

08 Choose Rotation policy from the top menu and check the Enable auto rotation setting status to determine if Automatic Key Rotation is enabled for the selected key. If Enable auto rotation is set to Disabled, the Automatic Key Rotation feature is not enabled for the selected Azure Key Vault key.

09 Repeat steps no. 7 and 8 for each cryptographic key available within the selected Azure Key Vault.

10 Repeat steps no. 5 – 8 for each Key Vault provisioned in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run keyvault list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure Key Vault available in the selected Azure subscription:

az keyvault list
	--output table
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested Key Vault names:

Name                   ResourceGroup
---------------------  ------------------------------
cc-project5-key-vault  cloud-shell-storage-westeurope
cc-production-vault    cloud-shell-storage-westeurope

06 Run keyvault key list command (Windows/macOS/Linux) with custom output filters to list the name of each cryptographic key managed by the selected Azure Key Vault:

az keyvault key list
	--vault-name cc-project5-key-vault
	--output table
	--query '[*].{"KeyName":name}'

07 The command output should return the requested key identifiers (names):

KeyName
---------------
cc-project5-key
cc-app-auth-key

08 Run keyvault key rotation-policy show command (Windows/macOS/Linux) to determine if Automatic Key Rotation is enabled for the selected cryptographic key:

az keyvault key rotation-policy show
	--name cc-project5-key
	--vault-name cc-project5-key-vault
	--query 'lifetimeActions[].action'

09 The command output should return the action(s) configured for the rotation policy associated with the selected key:

[
	"Notify"
]

If the "Rotate" action is not included in the list of actions returned by the rotation-policy show command, the Automatic Key Rotation feature is not enabled for the selected Azure Key Vault key.

10 Repeat steps no. 8 and 9 for each cryptographic key available in the selected Azure Key Vault.

11 Repeat steps no. 6 – 10 for each Key Vault available within the selected Azure subscription.

12 Repeat steps no. 3 – 11 for each subscription created in your Microsoft Azure cloud account.
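The CLI audit above is repeated per subscription, vault and key. The following script automates that loop and isolates the compliance decision (does the rotation policy contain a "Rotate" lifetime action?) in a pure function that runs without the Azure CLI. It is an added example written for this page, not Conformity's or Microsoft's code; the `audit_*` functions assume `az` is installed and already signed in, and the sample policy documents are constructed to mirror the output shapes shown in steps 06 and 09.

```python
"""Audit Azure Key Vault keys for automatic rotation (added example)."""
import json
import subprocess
from typing import Any

# Constructed sample: what `az keyvault key rotation-policy show` returns for a
# key with only a Notify action (non-compliant).
SAMPLE_SHOW_NOTIFY_ONLY: dict[str, Any] = {
    "expiresIn": "P2Y",
    "lifetimeActions": [
        {"action": "Notify", "timeAfterCreate": None, "timeBeforeExpiry": "P7D"}
    ],
}

# Constructed sample: a policy document in the `update --value` shape, where the
# action is an object with a "type" (compliant).
SAMPLE_POLICY_DOCUMENT: dict[str, Any] = {
    "lifetimeActions": [
        {"trigger": {"timeAfterCreate": "P90D"}, "action": {"type": "Rotate"}},
        {"trigger": {"timeBeforeExpiry": "P7D"}, "action": {"type": "Notify"}},
    ],
    "attributes": {"expiryTime": "P2Y"},
}


def rotation_enabled(policy: dict[str, Any]) -> bool:
    """Return True when the policy contains a 'Rotate' lifetime action.

    Handles both shapes: the CLI `show` output (action is the string "Rotate")
    and the policy document (action is {"type": "Rotate"}). A Notify-only
    policy, an empty policy or a missing lifetimeActions list is 'disabled'.
    """
    for item in policy.get("lifetimeActions") or []:
        action = item.get("action")
        if isinstance(action, dict):
            action = action.get("type")
        if isinstance(action, str) and action.lower() == "rotate":
            return True
    return False


def az_json(*args: str) -> Any:
    """Run an Azure CLI command and parse its JSON output (requires `az`)."""
    proc = subprocess.run(
        ["az", *args, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def audit_vault(vault_name: str) -> dict[str, bool]:
    """Map each key in the vault to whether automatic rotation is enabled."""
    results: dict[str, bool] = {}
    for key in az_json("keyvault", "key", "list", "--vault-name", vault_name) or []:
        name = key["name"]
        policy = az_json("keyvault", "key", "rotation-policy", "show",
                         "--name", name, "--vault-name", vault_name)
        results[name] = rotation_enabled(policy or {})
    return results


def audit_subscription(subscription_id: str) -> dict[str, dict[str, bool]]:
    """Steps 03-11 for one subscription: vault name -> {key name: compliant}."""
    subprocess.run(["az", "account", "set", "--subscription", subscription_id],
                   check=True)
    return {v["name"]: audit_vault(v["name"]) for v in az_json("keyvault", "list") or []}


def noncompliant_keys(findings: dict[str, dict[str, bool]]) -> list[str]:
    """Flatten an audit result into 'vault/key' strings that need remediation."""
    return [f"{vault}/{key}" for vault, keys in findings.items()
            for key, ok in keys.items() if not ok]


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; replace with
    # audit_subscription("<subscription-id>") when `az` is available.
    print("notify-only policy compliant:", rotation_enabled(SAMPLE_SHOW_NOTIFY_ONLY))
    print("rotate policy compliant:", rotation_enabled(SAMPLE_POLICY_DOCUMENT))
```

The check deliberately ignores the `Notify` action: a policy that only notifies still leaves the key unrotated, which is exactly the condition step 09 flags as non-compliant.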

Remediation / Resolution

To enable the Automatic Key Rotation feature for your Azure Key Vault cryptographic keys, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, choose Equals, select Key vault, and choose Apply to list only the Key Vaults available in the selected Azure subscription.

05 Click on the name (link) of the Azure Key Vault that you want to configure.

06 In the resource navigation panel, under Objects, select Keys to access the list of cryptographic keys managed by the selected Key Vault.

07 Click on the name (link) of the cryptographic key that you want to configure, listed in the Name column.

08 Choose Rotation policy from the top menu and perform the following actions to enable and configure the Automatic Key Rotation feature for your cryptographic key:

  1. For Expiry time, configure an expiration date for the selected key.
  2. In the Rotation section, select Enabled for Enable auto rotation, choose the appropriate rotation method for Rotation option, and select a key rotation interval for Rotation time.
  3. (Optional) In the Notification section, choose a notification interval for Notification time to send Event Grid notifications. This setting requires Expiry time set on the rotation policy and Expiration date set on the key.
  4. Choose Save to apply the changes and enable Automatic Key Rotation for the selected key.

09 Repeat steps no. 7 and 8 for each cryptographic key available within the selected Azure Key Vault.

10 Repeat steps no. 5 – 9 for each Key Vault that you want to configure, available in the selected subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Define the rotation policy for your Azure Key Vault cryptographic key and save the policy document to a JSON file named rotation-policy.json:

{
	"lifetimeActions": [
		{
			"trigger": {
				"timeAfterCreate": "P90D",
				"timeBeforeExpiry" : null
			},
			"action": {
				"type": "Rotate"
			}
		},
		{
			"trigger": {
				"timeBeforeExpiry" : "P7D"
			},
			"action": {
				"type": "Notify"
			}
		}
	],
	"attributes": {
		"expiryTime": "P2Y"
	}
}

05 Run keyvault key rotation-policy update command (Windows/macOS/Linux) to enable the Automatic Key Rotation feature for the specified cryptographic key using the rotation policy defined at the previous step (i.e., rotation-policy.json). As an example, the rotation policy above sets the key expiration interval to 2 years, enables automatic rotation with a key rotation interval of 90 days, and sets the notification time to 7 days before expiration:

az keyvault key rotation-policy update
	--name cc-project5-key
	--vault-name cc-project5-key-vault
	--value rotation-policy.json

06 The command output should return the configuration information available for the new rotation policy:

{
	"createdOn": "2025-01-10T10:00:00+00:00",
	"expiresIn": "P2Y",
	"id": "https://cc-project5-key-vault.vault.azure.net/keys/cc-project5-key/rotationpolicy",
	"lifetimeActions": [
		{
			"action": "Rotate",
			"timeAfterCreate": "P90D",
			"timeBeforeExpiry": null
		},
		{
			"action": "Notify",
			"timeAfterCreate": null,
			"timeBeforeExpiry": "P7D"
		}
	],
	"updatedOn": "2025-01-10T12:00:00+00:00"
}

07 Repeat steps no. 4 – 6 for each cryptographic key available in the selected Azure Key Vault.

08 Repeat steps no. 4 – 7 for each Key Vault that you want to configure, available within the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
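Steps 04 and 05 hand-write the policy document and apply it with `az keyvault key rotation-policy update --value`. The script below builds that same document from the three intervals, checks it before it is applied (a rotation interval longer than the key lifetime would let the key expire before it ever rotates, and a policy without a Rotate action leaves the feature disabled), and then runs the update command. It is an added example for this page, not Conformity's or Microsoft's code; `apply_policy` assumes `az` is installed and signed in, and the year/month-to-days conversion is an approximation used only to compare intervals.

```python
"""Build, validate and apply a Key Vault rotation policy (added example)."""
import json
import re
import subprocess
import tempfile
from typing import Any, Optional

# ISO 8601 date durations as Key Vault uses them: P2Y, P6M, P90D, P1Y6M.
_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")


def duration_days(iso: str) -> int:
    """Approximate a date duration in days (365/year, 30/month).

    Only used to compare the rotation, notification and expiry intervals
    against each other, so the approximation is harmless here.
    """
    m = _DURATION.match(iso)
    if not m or iso == "P":
        raise ValueError(f"unsupported duration: {iso!r}")
    years, months, days = (int(g) if g else 0 for g in m.groups())
    return years * 365 + months * 30 + days


def build_rotation_policy(rotate_after: str, expire_after: str,
                          notify_before: Optional[str] = None) -> dict[str, Any]:
    """Return a policy document in the shape `rotation-policy update --value` expects."""
    actions: list[dict[str, Any]] = [{
        "trigger": {"timeAfterCreate": rotate_after, "timeBeforeExpiry": None},
        "action": {"type": "Rotate"},
    }]
    if notify_before:
        actions.append({
            "trigger": {"timeBeforeExpiry": notify_before},
            "action": {"type": "Notify"},
        })
    return {"lifetimeActions": actions, "attributes": {"expiryTime": expire_after}}


def validate_policy(policy: dict[str, Any]) -> list[str]:
    """Return the problems found; an empty list means the policy enables rotation sensibly."""
    problems: list[str] = []
    expiry = (policy.get("attributes") or {}).get("expiryTime")
    if not expiry:
        return ["attributes.expiryTime is missing; rotation needs a key lifetime"]
    expiry_days = duration_days(expiry)
    rotate_triggers = [a.get("trigger") or {} for a in policy.get("lifetimeActions") or []
                       if (a.get("action") or {}).get("type") == "Rotate"]
    if not rotate_triggers:
        problems.append("no Rotate action: automatic rotation stays disabled")
    for trig in rotate_triggers:
        for field in ("timeAfterCreate", "timeBeforeExpiry"):
            value = trig.get(field)
            if value and duration_days(value) >= expiry_days:
                problems.append(f"{field} {value} is not shorter than expiryTime {expiry}: "
                                "the key would expire before it rotates")
    return problems


def apply_policy(key_name: str, vault_name: str, policy: dict[str, Any]) -> Any:
    """Write the document to a file and run the step-05 command (requires `az`)."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(policy, fh)
        path = fh.name
    proc = subprocess.run(
        ["az", "keyvault", "key", "rotation-policy", "update",
         "--name", key_name, "--vault-name", vault_name,
         "--value", path, "--output", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Reproduces the rotation-policy.json from step 04 (90-day rotation,
    # 2-year lifetime, notification 7 days before expiry).
    policy = build_rotation_policy("P90D", "P2Y", "P7D")
    print(json.dumps(policy, indent=2))
    print("problems:", validate_policy(policy))
    # apply_policy("cc-project5-key", "cc-project5-key-vault", policy)
```

Running the validation before the update is the useful part: `az` accepts a document whose rotation interval exceeds the expiry time, and the resulting policy reports "Rotate" in the audit yet never rotates the key in practice.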

Publication date Feb 13, 2025