lacework-global-575
8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults (Automated)
Profile Applicability
• Level 1
Description
Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set.
Rationale
Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp
(expiration time) attribute identifies the expiration time on or after which the key MUST NOT be used for encryption of new data, wrapping of new keys, and signing. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration time for all keys to help enforce the key rotation. This ensures that the keys cannot be used beyond their assigned lifetimes.
Impact
Keys cannot be used beyond their assigned expiration times respectively. Keys need to be rotated periodically wherever they are used.
Audit
From Azure Portal
- Go to
Key vaults
- For each Key vault, click on
Keys
. - Under the
Settings
section, Make sureEnabled?
is set toYes
- Then ensure that each key in the vault has
EXPIRATION DATE
set as appropriate
From Azure CLI
Get a list of all the keyvaults in your Azure environment by running the following command:
az keyvault list
Then for each keyvault listed ensure that the output of the below command contains Key ID (kid), enabled status as true
and Expiration date (expires) is not empty or null:
az keyvault key list --vault-name <KEYVAULTNAME> --query '[*].{"kid":kid,"enabled":attributes.enabled,"expires":attributes.expires}'
From Azure Powershell
Retrieve a list of Azure Key Vaults
Get-AzKeyVault
For each Key Vault run the following command to determine which vaults are configured to use RBAC.
Get-AzKeyVault -VaultName <Vault Name>
For each Key Vault with the EnableRbacAuthorizatoin
setting set to True
, run the following command.
Get-AzKeyVaultKey -VaultName <Vault Name>
Make sure the Expires
setting is configured with a value as appropriate wherever the Enabled
setting is set to True
.
Remediation
From Azure Portal
- Go to
Key vaults
- For each Key vault, click on
Keys
. - Under the
Settings
section, Make sureEnabled?
is set to Yes - Set an appropriate
EXPIRATION DATE
on all keys.
From Azure CLI
Update the EXPIRATION DATE
for the key using below command.
az keyvault key set-attributes --name <keyName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z'
note
In order to access expiration time on all keys in Azure Key Vault using Microsoft API requires "List" Key permission.
To provide required access follow below steps,
For Key Vaults using "Key Vault Access Policy"
- Go to
Key vaults
- For each Key vault, click on
Access Policy
. - Add access policy with
Key permission
asList
For Key Vaults using "Role Based Access Control"
Assign the role of "Key Vault Secrets Officer" to the appropriate user
From Azure Powershell
Set-AzKeyVaultKeyAttribute -VaultName <Vault Name> -Name <Key Name> -Expires <DateTime>
References
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis
https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-6-use-a-secure-key-management-process
https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultkeyattribute?view=azps-0.10.0