Skip to main content

lacework-global-641

8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services (Manual)

Profile Applicability

• Level 2

Description

Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will incrementally increased.

Rationale

Once set up, Automatic Private Key Rotation removes the need for manual administration when keys expire at intervals determined by your organization's policy. The recommended key lifetime is 2 years. Your organization should determine its own key expiration policy.

Impact

There are an additional costs per operation in running the needed applications.

Audit

From Azure Portal

  1. From Azure Portal select the Portal Menu in the top left.

  2. Select Key Vaults.

  3. Select the Key Vault you wish to audit.

  4. Under the Settings heading select Keys.

  5. Select the key you wish to audit within this vault and repeat the next steps for each.

  6. In the top row select Rotation policy.

  7. If it is enabled, next to Set key rotation policy select the link will display as Enabled.

From Azure CLI

Run the following command:

az keyvault key rotation-policy show --vaultname <vaultName> --name <keyName>

From Azure Powershell

Run the following command:

Get-AzKeyVaultKeyRotationPolicy -VaultName <vaultName> -Name <keyName>

Remediation

note

Azure CLI and Powershell use ISO8601 flags to input timespans. Every timespan input will be in the format P<timespanInISO8601Format>(Y,M,D). The leading P is required with it denoting period. The (Y,M,D) are for the duration of Year, Month,and Day respectively. A time frame of 2 years, 2 months, 2 days would be (P2Y2M2D).

From Azure Portal

  1. From Azure Portal select the Portal Menu in the top left.

  2. Select Key Vaults.

  3. Select the Key Vault you wish to audit.

  4. Under the Settings heading select Keys.

  5. Select the key you wish to audit within this vault and repeat the next steps for each.

  6. In the top row select Rotation policy.

  7. Next to Set key rotation policy select the link Not Configured.

  8. Select the Expiry Time in for your need.

  9. In this menu select Enable in the row Enable auto rotation

  10. Set the Rotation Option to Automatically renew.. To automatically rotate keys, set the rotation time to or near the Expiry Time.

  11. If desired set the Notification duration to a duration before the expiration.

From Azure CLI

Run the following command for each key to update its policy to be auto-rotated:

az keyvault key rotation-policy update -n <keyName> --vault-name <vaultName> --value <path/to/policy.json>

Note: It is easiest to supply the policy flags in a .json file. An example json file would be:

{
"lifetimeActions": [
{
"trigger": {
"timeAfterCreate": "<timespanInISO8601Format>",
"timeBeforeExpiry" : null
},
"action": {
"type": "Rotate"
}
},
{
"trigger": {
"timeBeforeExpiry" : "<timespanInISO8601Format>"
},
"action": {
"type": "Notify"
}
}
],
"attributes": {
"expiryTime": "<timespanInISO8601Format>"
}
}

From Azure Powershell

Run the following command for each key to update its policy:

Set-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -PolicyPath rotation_policy.json

Note: It is easiest to supply the policy flags in a .json file. An example json file would be:

<# 
rotation_policy.json
{
"lifetimeActions": [
{
"trigger": {
"timeAfterCreate": "P<timespanInISO8601Format>M",
"timeBeforeExpiry": null
},
"action": {
"type": "Rotate"
}
},
{
"trigger": {
"timeBeforeExpiry": "P<timespanInISO8601Format>D"
},
"action": {
"type": "Notify"
}
}
],
"attributes": {
"expiryTime": "P<timespanInISO8601Format>Y"
}
}
#>

References

https://docs.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation
https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview#update-the-key-version
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell#set-up-an-azure-key-vault-and-diskencryptionset-optionally-with-automatic-key-rotation
https://azure.microsoft.com/en-us/updates/public-preview-automatic-key-rotation-of-customermanaged-keys-for-encrypting-azure-managed-disks/
https://docs.microsoft.com/en-us/cli/azure/keyvault/key/rotation-policy?view=azure-cli-latest#az-keyvault-key-rotation-policy-update
https://docs.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultkeyrotationpolicy?view=azps-8.1.0
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/scalar-data-types/timespan
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-6-use-a-secure-key-management-process

Additional Information

Automatic Key Rotation is in public preview, so any configuration will not change upon full release.

Note: Azure CLI and Powershell use ISO8601 flags to input timespans. Every timespan input will be in the format P<timespanInISO8601Format>(Y,M,D). The leading P is required with it denoting period. The (Y,M,D) are for the duration of Year, Month, Day respectively. A time frame of 2 years, 2 months, 2 days would be (P2Y2M2D).