Set Encryption Key Expiration

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: KeyVault-002

Ensure that all the encryption keys available within your Microsoft Azure Key Vault have an expiration time set, in order to follow security best practices and promote encryption key rotation. The expiration attribute configured for an encryption key identifies the date and time after which the key must no longer be used for cryptographic operations. Note that an expiration date bounds the lifetime of a key version; it does not rotate the key by itself, so a new key version must be created and rolled out to its consumers before the old one expires.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Microsoft Azure Key Vault enables you to store and use encryption keys within your Azure cloud environment. By default, the encryption keys stored within a vault never expire. Therefore, Cloud Conformity highly recommends that you configure all your keys with an explicit expiration time, so that these keys can't be used beyond their assigned lifetime. This bounds the window in which a compromised key could be used without your knowledge to decrypt data or produce signatures that your applications trust, and it forces a planned rotation before the key stops working.


Audit

To determine if your Azure Key Vault encryption keys have an expiration time set, perform the following:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Key vault to list all Key Vault instances available in your Azure account.

04 Click on the name (link) of the Key Vault instance that you want to examine.

05 In the navigation panel, under Settings, select Keys to access the encryption keys stored within the selected Key Vault.

06 Click on the name of the active cryptographic key that you want to examine. An active encryption key has its STATUS set to Enabled.

07 On the selected key overview page, check the date available in the EXPIRATION DATE column for the current version of the key. If there is no date available in the EXPIRATION DATE column, the selected Azure Key Vault cryptographic key does not have an expiration time set.

08 Repeat step no. 6 and 7 for each active encryption key created in the selected Azure Key Vault.

09 Repeat steps no. 4 – 8 for each Microsoft Azure Key Vault instance available in the current subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault list command (Windows/macOS/Linux) using custom query filters to list the identifiers (names) of all Key Vault instances available in the current Azure subscription:

az keyvault list
	--query '[*].name'

02 The command output should return the requested Azure resource names:

[
  "cc-production-vault",
  "cc-main-key-vault",
  "cc-project5-vault"
]

03 Run keyvault key list command (Windows/macOS/Linux) using the name of the Azure Key Vault that you want to examine as identifier parameter and custom query filters to describe the cryptographic keys available within the selected vault. The list output already carries the key attributes (including "expires"), so adding "expires":attributes.expires to the query below shows the expiration date of every key in one call:

az keyvault key list
	--vault-name cc-production-vault
	--output table
	--query '[*].{"kid":kid,"enabled":attributes.enabled}'

04 The command output should return the ID and the status of each encryption key available in the vault:

Kid                                                                           Enabled
---------------------------------------------------------------------------   -------
https://cc-production-vault.vault.azure.net/keys/cc-main-app-encryption-key   True
https://cc-production-vault.vault.azure.net/keys/cc-project5-encryption-key   False

05 Run keyvault key show command (Windows/macOS/Linux) using the ID of the active encryption key that you want to examine as identifier parameter and custom query filters to get the expiration date/time for the specified Azure Key Vault cryptographic key. An active encryption key has its status set to Enabled (i.e. Enabled: True):

az keyvault key show
	--id https://cc-production-vault.vault.azure.net/keys/cc-main-app-encryption-key
	--query '{"expires":attributes.expires}'

06 The command output should return the expiration date for the specified key as value for the "expires" attribute:

{
  "expires": null
}

If the command output returns null as value for the "expires" attribute, as shown in the example above, the selected Azure Key Vault encryption key does not have an expiration date configured.

07 Repeat step no. 5 and 6 for each active encryption key available in the selected Azure Key Vault.

08 Repeat steps no. 3 – 7 for each Microsoft Azure Key Vault provisioned in the current Azure subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To configure an expiration date for your Microsoft Azure Key Vault encryption keys, so that each key version stops being usable at the end of its intended lifetime and has to be rotated before then, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Key vault to list all Key Vault instances available in your Azure account.

04 Click on the name of the Azure Key Vault instance that you want to access.

05 In the navigation panel, under Settings, select Keys to access the encryption keys stored in the selected Key Vault.

06 Click on the name of the active key that you want to reconfigure (see Audit section part I to identify the right key).

07 On the selected key overview page, in the CURRENT VERSION section, choose and open the current version of the encryption key.

08 On the selected key version page, within the Settings section, select the Set expiration date? checkbox and use the date and time picker (DTP) controls to configure when the key version will expire. Choose a date in the future; an expiration time that has already passed stops the key version from being used immediately. Click Save to apply the chosen expiration date and time to the specified cryptographic key.

09 Repeat steps no. 6 – 8 for each active encryption key that requires an expiration date, available in the selected Azure Key Vault.

10 Repeat steps no. 4 – 9 for each Microsoft Azure Key Vault instance within the current subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault key set-attributes command (Windows/macOS/Linux) using the ID of the active encryption key that you want to reconfigure as identifier parameter (see Audit section part II to identify the right key) and the --expires parameter to configure the expiration date/time for the specified Azure Key Vault cryptographic key. When the ID carries no version, the attribute is applied to the current version of the key. Pick a date in the future: an expiration time that has already passed stops the key from being used as soon as the command completes. For example, the following command request sets the expiration time for an encryption key identified by the ID "https://cc-production-vault.vault.azure.net/keys/cc-main-app-encryption-key" to Friday, September 18, 2020 08:05:00 UTC:

az keyvault key set-attributes
	--id https://cc-production-vault.vault.azure.net/keys/cc-main-app-encryption-key
	--expires "2020-09-18T08:05:00Z"

02 The command output should return the metadata for the reconfigured Azure Key Vault encryption key:

{
  "attributes": {
    "created": "2019-09-18T08:03:07+00:00",
    "enabled": true,
    "expires": "2020-09-18T08:05:00+00:00",
    "notBefore": "2019-09-18T08:02:59+00:00",
    "recoveryLevel": "Purgeable",
    "updated": "2019-09-18T10:16:47+00:00"
  },
  "key": {
    "crv": null,
    "d": null,
    "dp": null,
    "dq": null,
    "e": "AQAB",
    "k": null,
    "keyOps": [
      "sign",
      "verify",
      "wrapKey",
      "unwrapKey",
      "encrypt",
      "decrypt"
    ],
    "kid": "https://cc-production-vault.vault.azure.net/keys/cc-main-app-encryption-key/0abcdabcdabcdabcdabcdabcdbabcdab",
    "kty": "RSA",
    "n": "...",
    "p": null,
    "q": null,
    "qi": null,
    "t": null,
    "x": null,
    "y": null
  },
  "managed": null,
  "tags": null
}

03 Repeat step no. 1 and 2 for each active encryption key that requires an expiration date/time, available in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
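The Audit (Azure CLI) and Remediation (Azure CLI) procedures above can be combined into one offline check. The following Python script is an added example written for this page, not Conformity's own tooling: it reads the JSON that az keyvault key list --vault-name <vault> --output json prints, reports every enabled key whose "expires" attribute is null (the condition KeyVault-002 flags) and, going beyond the rule, every key whose expiry lies more than an assumed maximum lifetime after its creation, then builds the matching az keyvault key set-attributes --expires command for each finding. The embedded list output is constructed, the 365-day MAX_LIFETIME is an illustrative policy choice, and the key names other than those already used on this page are made up.

```python
"""Audit Azure Key Vault keys for missing or over-long expiration and emit fixes.

Reads the JSON printed by `az keyvault key list --vault-name <vault> --output json`
(one object per key, each with `kid` and `attributes`), flags enabled keys with no
`expires` attribute or with an expiry too far beyond their creation time, and
builds the `az keyvault key set-attributes --expires` command that fixes each one.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Assumption for this example: the longest lifetime a key version may have.
# This is an illustrative policy choice, not an Azure or Conformity default.
MAX_LIFETIME = timedelta(days=365)

# Constructed sample shaped like `az keyvault key list` output; not captured from
# a real vault. Only cc-main-app-encryption-key and cc-project5-encryption-key
# appear on this page; the other two key names are made up.
SAMPLE_LIST_OUTPUT = json.dumps([
    {"kid": "https://cc-production-vault.vault.azure.net/keys/cc-main-app-encryption-key",
     "attributes": {"created": "2019-09-18T08:03:07+00:00", "enabled": True,
                    "expires": None, "notBefore": "2019-09-18T08:02:59+00:00"}},
    {"kid": "https://cc-production-vault.vault.azure.net/keys/cc-project5-encryption-key",
     "attributes": {"created": "2019-09-18T08:10:00+00:00", "enabled": False,
                    "expires": None}},
    {"kid": "https://cc-production-vault.vault.azure.net/keys/cc-rotated-key",
     "attributes": {"created": "2019-09-18T09:00:00+00:00", "enabled": True,
                    "expires": "2020-03-18T09:00:00+00:00"}},
    {"kid": "https://cc-production-vault.vault.azure.net/keys/cc-long-lived-key",
     "attributes": {"created": "2019-09-18T09:00:00+00:00", "enabled": True,
                    "expires": "2029-09-18T09:00:00+00:00"}},
])


def parse_time(value):
    """Parse an ISO-8601 timestamp as az prints it; None stays None.

    fromisoformat() only accepts a trailing 'Z' from Python 3.11 on, so the
    'Z' form used with --expires is normalised to an explicit +00:00 offset.
    """
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_keys(list_output_json, max_lifetime=MAX_LIFETIME):
    """Return {kid: finding} for enabled keys that violate the expiration policy.

    "no-expiration"     - attributes.expires is null (what KeyVault-002 checks)
    "lifetime-too-long" - expires is set, but more than max_lifetime after created
    Disabled keys are skipped, matching the Audit procedure above.
    """
    findings = {}
    for key in json.loads(list_output_json):
        attrs = key.get("attributes") or {}
        if not attrs.get("enabled", False):
            continue
        expires = parse_time(attrs.get("expires"))
        if expires is None:
            findings[key["kid"]] = "no-expiration"
            continue
        created = parse_time(attrs.get("created"))
        if created is not None and expires - created > max_lifetime:
            findings[key["kid"]] = "lifetime-too-long"
    return findings


def expiry_for(created_iso, now_iso, max_lifetime=MAX_LIFETIME):
    """Choose an expiry max_lifetime after the key's creation or after now,
    whichever is later, in the UTC 'Z' form that --expires accepts.

    Anchoring on the later of the two matters for old keys: creation plus
    max_lifetime may already lie in the past, and an expiry in the past would
    stop the key from being used the moment it is applied.
    """
    start = max(parse_time(created_iso), parse_time(now_iso))
    expires = start.astimezone(timezone.utc) + max_lifetime
    return expires.strftime("%Y-%m-%dT%H:%M:%SZ")


def remediation_commands(list_output_json, now_iso, max_lifetime=MAX_LIFETIME):
    """Build one `az keyvault key set-attributes` command per non-compliant key."""
    keys = {k["kid"]: k for k in json.loads(list_output_json)}
    commands = []
    for kid in audit_keys(list_output_json, max_lifetime):
        created = keys[kid]["attributes"]["created"]
        expires = expiry_for(created, now_iso, max_lifetime)
        commands.append(
            f'az keyvault key set-attributes --id {kid} --expires "{expires}"')
    return commands


if __name__ == "__main__":
    # Use piped `az keyvault key list` output when present, else the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    data = raw.strip() or SAMPLE_LIST_OUTPUT
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    for kid, finding in audit_keys(data).items():
        print(f"{finding:18} {kid}")
    for cmd in remediation_commands(data, now):
        print(cmd)
```

Feed it real output with az keyvault key list --vault-name cc-production-vault --output json | python3 audit_key_expiry.py (the script name is arbitrary), and review the generated commands before running them: each one targets the current version of the key it names, and a key whose expiry is being shortened still needs a new version rolled out to its consumers before the new date.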

Publication date Sep 20, 2019