
Set Azure Secret Key Expiration

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: KeyVault-003

Ensure that all the secret keys stored within your Microsoft Azure Key Vault have an expiration date/time set, in order to follow security best practices and promote secret key rotation. The expiration attribute configured for an Azure secret identifies the point in time after which the secret key must no longer be used; such secrets typically hold sensitive data such as passwords and database connection strings.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Microsoft Azure Key Vault enables you to store and manage secrets within your Azure cloud environment. By default, these secret keys never expire, so it is strongly recommended to configure every secret key with an explicit expiration date/time and enforce secret rotation as an additional layer of protection. This significantly reduces the window in which a compromised secret could be used without your knowledge to access important Azure resources such as SQL databases.


Audit

To determine if your Azure Key Vault secret keys have an expiration time set, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Key vault to list all Key Vault instances available in your Azure account.

04 Click on the name of the Key Vault instance that you want to examine.

05 In the navigation panel, under Settings, select Secrets to access the secret keys stored in the selected Azure Key Vault.

06 Click on the name of the active secret key that you want to examine. An active Azure secret has its STATUS set to Enabled.

07 On the selected secret overview page, check the date available within the EXPIRATION DATE column for the current version of the secret key. If there is no date available in the EXPIRATION DATE column, the selected Azure Key Vault secret does not have an expiration date/time set.

08 Repeat steps no. 6 and 7 for each active secret key created in the selected Azure Key Vault.

09 Repeat steps no. 4 – 8 for each Microsoft Azure Key Vault instance available in the current subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault list command (Windows/macOS/Linux) using custom query filters to describe the names of all Key Vault instances created in the current Azure subscription:

az keyvault list \
	--query '[*].name'

02 The command output should return the requested Microsoft Azure resource names:

[
  "cc-production-vault",
  "cc-project5-vault"
]

03 Run keyvault secret list command (Windows/macOS/Linux) using the name of the Azure Key Vault that you want to examine as identifier parameter and custom query filters to describe the secret keys stored within the selected vault:

az keyvault secret list \
	--vault-name cc-production-vault \
	--output table \
	--query '[*].{"id":id,"enabled":attributes.enabled}'

04 The command output should return the ID and the status for each secret available in the vault:

Id                                                                        Enabled
------------------------------------------------------------------------  -------
https://cc-production-vault.vault.azure.net/secrets/cc-internal-api-key   True
https://cc-production-vault.vault.azure.net/secrets/cc-project5-api-key   False

05 Run keyvault secret show command (Windows/macOS/Linux) using the ID of the active secret key that you want to examine as identifier parameter and custom query filters to obtain the expiration date/time for the specified Azure Key Vault secret. An active secret key has its status set to Enabled (i.e. Enabled: True):

az keyvault secret show \
	--id https://cc-production-vault.vault.azure.net/secrets/cc-internal-api-key \
	--query '{"expires":attributes.expires}'

06 The command output should return the expiration date for the specified secret as value for the "expires" attribute:

{
  "expires": null
}

If the keyvault secret show command output returns null as value for the "expires" attribute, as shown in the example above, the selected Azure Key Vault secret key does not have an expiration date configured.

07 Repeat steps no. 5 and 6 for each active secret stored within the selected Azure Key Vault.

08 Repeat steps no. 3 – 7 for each Microsoft Azure Key Vault provisioned in the current Azure subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To configure an expiration date and time for your Microsoft Azure secrets in order to enforce periodic rotation of secret keys, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Key vault to list all Key Vault instances available in your Azure account.

04 Click on the name of the Microsoft Azure Key Vault instance that you want to access.

05 In the navigation panel, under Settings, select Secrets to access the secret keys stored in the selected Key Vault.

06 Click on the name of the active Azure secret that you want to reconfigure (see Audit section part I to identify the right secret key).

07 On the selected secret overview page, in the CURRENT VERSION section, choose and open the current version of the secret key.

08 On the selected secret version page, inside the Settings section, select Set expiration date? checkbox and use the date and time picker (DTP) controls to configure when the resource will become inactive. Click Save to apply the chosen expiration date and time to the specified Microsoft Azure secret.

09 Repeat steps no. 6 – 8 for each active secret key that requires an expiration date, stored within the selected Azure Key Vault.

10 Repeat steps no. 4 – 9 for each Microsoft Azure Key Vault instance in the current subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault secret set-attributes command (Windows/macOS/Linux) using the ID of the active Azure secret that you want to reconfigure as identifier parameter (see Audit section part II to identify the right secret key) and the --expires parameter to configure the expiration date and time for the specified Azure Key Vault secret. For example, the following command sets the expiration time for the Azure secret identified by the ID "https://cc-production-vault.vault.azure.net/secrets/cc-internal-api-key" to Monday, September 21, 2020 10:30:00 UTC:

az keyvault secret set-attributes \
	--id https://cc-production-vault.vault.azure.net/secrets/cc-internal-api-key \
	--expires "2020-09-21T10:30:00Z"

02 The command output should return the metadata for the reconfigured Microsoft Azure secret:

{
  "attributes": {
    "created": "2019-09-21T11:59:31+00:00",
    "enabled": true,
    "expires": "2020-09-21T10:30:00+00:00",
    "notBefore": "2019-09-21T11:59:10+00:00",
    "recoveryLevel": "Purgeable",
    "updated": "2019-09-18T12:26:12+00:00"
  },
  "contentType": null,
  "id": "https://cc-production-vault.vault.azure.net/secrets/cc-internal-api-key/0abcdabcdabcdabcdabcdabcdbabcdab",
  "kid": null,
  "managed": null,
  "tags": null,
  "value": null
}

03 Repeat steps no. 1 and 2 for each active secret key that requires an expiration date/time, created within the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
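The following Python script is an added example, not part of this Conformity rule page: it applies the logic of Audit (Azure CLI) steps 03 to 06 and Remediation (Azure CLI) step 01 to a constructed sample of `az keyvault secret list` JSON output, flagging enabled secrets that have no "expires" attribute (and any whose expiration has already passed) and emitting the matching `az keyvault secret set-attributes` commands. The sample JSON, the secret names and the one-year rotation window are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape returned by:
#   az keyvault secret list --vault-name cc-production-vault
SAMPLE_SECRET_LIST = """[
  {"id": "https://cc-production-vault.vault.azure.net/secrets/cc-internal-api-key",
   "attributes": {"enabled": true, "expires": null}},
  {"id": "https://cc-production-vault.vault.azure.net/secrets/cc-project5-api-key",
   "attributes": {"enabled": false, "expires": null}},
  {"id": "https://cc-production-vault.vault.azure.net/secrets/cc-db-conn-string",
   "attributes": {"enabled": true, "expires": "2020-09-21T10:30:00+00:00"}}
]"""

def audit_secrets(secret_list_json, now=None):
    """Classify the enabled secrets in `az keyvault secret list` JSON output.
    Returns {"no_expiry": [ids], "expired": [ids]}; disabled secrets are skipped,
    matching the rule's focus on active (Enabled: True) secrets."""
    now = now or datetime.now(timezone.utc)
    report = {"no_expiry": [], "expired": []}
    for secret in json.loads(secret_list_json):
        attrs = secret.get("attributes") or {}
        if not attrs.get("enabled"):
            continue
        expires = attrs.get("expires")
        if expires is None:
            report["no_expiry"].append(secret["id"])
            continue
        # The CLI prints offsets as "+00:00"; a trailing "Z" is accepted too.
        expires_at = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        if expires_at <= now:
            report["expired"].append(secret["id"])
    return report

def remediation_commands(secret_ids, expires_at):
    """Build one `az keyvault secret set-attributes` command per secret ID,
    rendering the aware datetime in the "YYYY-MM-DDTHH:MM:SSZ" form --expires accepts."""
    stamp = expires_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [f'az keyvault secret set-attributes --id {sid} --expires "{stamp}"'
            for sid in secret_ids]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    report = audit_secrets(SAMPLE_SECRET_LIST, now)
    # Assumed rotation policy: expire one year from now; adjust to your own policy.
    for cmd in remediation_commands(report["no_expiry"], now + timedelta(days=365)):
        print(cmd)
```

In practice you would feed the script the real output of `az keyvault secret list` for each vault and subscription instead of the embedded sample.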

Publication date Sep 20, 2019