Skip to main content

lacework-global-576

8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. (Automated)

Profile Applicability

• Level 1

Description

Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set.

Rationale

Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration time) attribute identifies the expiration time on or after which the key MUST NOT be used for a cryptographic operation. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration time for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.

Impact

Keys cannot be used beyond their assigned expiration times respectively. Keys need to be rotated periodically wherever they are used.

Audit

From Azure Portal

  1. Go to Key vaults
  2. For each Key vault, click on Keys.
  3. Under the Settings section, Make sure Enabled? is set to Yes
  4. Then ensure that each key in the vault has EXPIRATION DATE set as appropriate

From Azure CLI

Get a list of all the keyvaults in your Azure environment by running the following command:

az keyvault list

For each vault ensure that the output of the below command contains Key ID (kid), enabled status as true and Expiration date (expires) is not empty or null:

az keyvault key list --vault-name <KEYVAULTNAME> --query '[*].{"kid":kid,"enabled":attributes.enabled,"expires":attributes.expires}' 

From Azure PowerShell

Retrieve a list of Azure Key Vaults

Get-AzKeyVault

For each Key Vault run the following command to determine which vaults are configured to use RBAC.

Get-AzKeyVault -VaultName <Vault Name>

For each Key Vault with the EnableRbacAuthorizatoin setting set to False or empty, run the following command.

Get-AzKeyVaultKey -VaultName <Vault Name>

Make sure the Expires setting is configured with a value as appropriate wherever the Enabled setting is set to True.

Remediation

From Azure Portal

  1. Go to Key vaults
  2. For each Key vault, click on Keys.
  3. Under the Settings section, Make sure Enabled? is set to Yes
  4. Set an appropriate EXPIRATION DATE on all keys.

From Azure CLI

Update the EXPIRATION DATE for the key using below command.

az keyvault key set-attributes --name <keyName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z'
note

To access expiration time on all keys in Azure Key Vault using Microsoft API, "List" Key permission is required.

To provide required access follow below steps,

For Key Vaults using Key Vault Access Policy

  1. Go to Key vaults
  2. For each Key vault, click on Access Policy.
  3. Add access policy with Key permission as List

From Azure PowerShell

Set-AzKeyVaultKeyAttribute -VaultName <Vault Name> -Name <Key Name> -Expires <DateTime>

References

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis
https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-6-use-a-secure-key-management-process
https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultkeyattribute?view=azps-0.10.0