Ensure that the Expiration Date is set for all Keys in Key Vaults

Ensures that all keys in Azure Key Vault have an expiration time set.

Risk Level: Low
Cloud Entity: Azure Key Vault
CloudGuard Rule ID: D9.AZU.CRY.12
Covered by Spectral: Yes
Category: Security, Identity, & Compliance

GSL LOGIC

KeyVault where keys should not have keys contain [ enabled=true and expires isEmpty() ]

REMEDIATION

From Portal

  1. Go to 'Key vaults' and choose your Key Vault
  2. Select 'Keys' under 'Settings' in the navigation menu
  3. Select the relevant key, then open its current version
  4. Check 'Set expiration date'
  5. Save

From TF
Set 'expiration_date' to the relevant date. The provider expects a UTC timestamp in RFC 3339 form (for example "2025-12-31T00:00:00Z"); the other attributes shown are the ones a key resource needs in order to apply, with the vault reference being a placeholder for your own vault:

resource "azurerm_key_vault_key" "my_key" {
  name         = "my-key"
  key_vault_id = azurerm_key_vault.example.id   # placeholder: reference your vault resource
  key_type     = "RSA"
  key_size     = 2048
  key_opts     = ["sign", "verify", "wrapKey", "unwrapKey"]

  # UTC timestamp, RFC 3339, e.g. "2025-12-31T00:00:00Z"
  expiration_date = "EXP DATE"
}

From Command Line
Run the following. '--expires' takes a UTC timestamp in the form Y-m-d'T'H:M:S'Z' (for example 2025-12-31T00:00:00Z); when '--version' is omitted, the key's current version is updated, so new versions created later need their own expiration date.

az keyvault key set-attributes --vault-name KEY VAULT NAME --name KEY NAME --expires EXP DATE
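The following script is an added example, not part of the CloudGuard rule page or of Microsoft's tooling. It applies the GSL condition above (enabled=true and expires empty) to the JSON that `az keyvault key list --vault-name <name>` prints and builds the matching `az keyvault key set-attributes` command for each finding, using the timestamp format '--expires' accepts. The key list embedded below is constructed for the example, and the vault name 'contoso-kv' and key names are hypothetical; nothing contacts a real vault.

```python
"""Audit Azure Key Vault keys for a missing expiration date and emit remediation.

Added example (not CloudGuard's or Microsoft's code). Feed it the output of
`az keyvault key list --vault-name <name>`; it reports enabled keys with no
`expires` attribute and prints one `az keyvault key set-attributes` call per key.
"""
import json
import shlex
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `az keyvault key list` output.
# Vault and key names are hypothetical.
KEYS_JSON = """
[
  {"name": "app-signing",
   "kid": "https://contoso-kv.vault.azure.net/keys/app-signing",
   "attributes": {"enabled": true, "expires": null, "notBefore": null,
                  "created": "2024-01-10T09:00:00+00:00",
                  "updated": "2024-01-10T09:00:00+00:00"}},
  {"name": "db-wrap",
   "kid": "https://contoso-kv.vault.azure.net/keys/db-wrap",
   "attributes": {"enabled": true, "expires": "2025-06-30T00:00:00+00:00",
                  "notBefore": null,
                  "created": "2024-01-10T09:00:00+00:00",
                  "updated": "2024-01-10T09:00:00+00:00"}},
  {"name": "legacy-old",
   "kid": "https://contoso-kv.vault.azure.net/keys/legacy-old",
   "attributes": {"enabled": false, "expires": null, "notBefore": null,
                  "created": "2022-01-10T09:00:00+00:00",
                  "updated": "2022-01-10T09:00:00+00:00"}}
]
"""


def keys_without_expiry(keys):
    """Names of keys that are enabled but carry no expiration date.

    Mirrors the rule: disabled keys are ignored, as is any key whose
    `expires` attribute is already populated.
    """
    findings = []
    for key in keys:
        attrs = key.get("attributes", {})
        if attrs.get("enabled") and not attrs.get("expires"):
            findings.append(key["name"])
    return findings


def expiry_string(days, now=None):
    """Format now+days as the UTC value `--expires` accepts (Y-m-d'T'H:M:S'Z')."""
    now = now or datetime.now(timezone.utc)
    return (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")


def remediation_commands(vault_name, key_names, expires):
    """One `az keyvault key set-attributes` command per finding.

    Without --version the CLI updates the key's current version, which is
    the version the portal and the rule look at.
    """
    return [
        f"az keyvault key set-attributes --vault-name {shlex.quote(vault_name)} "
        f"--name {shlex.quote(name)} --expires {expires}"
        for name in key_names
    ]


def audit(vault_name, keys_json, days=365):
    """Parse the CLI JSON, return (findings, remediation commands)."""
    keys = json.loads(keys_json)
    findings = keys_without_expiry(keys)
    return findings, remediation_commands(vault_name, findings, expiry_string(days))


if __name__ == "__main__":
    found, commands = audit("contoso-kv", KEYS_JSON)
    print(f"keys without expiration: {found}")
    for cmd in commands:
        print(cmd)
```

In the sample only 'app-signing' is reported: 'db-wrap' already expires and 'legacy-old' is disabled. Pick the `days` value to match your rotation schedule rather than setting a far-future date to silence the finding; the expiration only has value if a new key version is in place before it passes.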

Note: Azure Key Vault entities are not accessible using the policy that was set up during Azure account onboarding, because by default Azure does not grant access rights to vaults, secrets, certificates, and keys. Follow the steps listed in the section 'Configure Policies for Azure Key Vault Entities' in the following documentation:
https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/Assets/OnboardAzure.htm?tocpath=Assets%7COnboarding%7C_____2

References

  1. https://docs.microsoft.com/en-us/cli/azure/keyvault/key?view=azure-cli-latest#az_keyvault_key_set_attributes
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key

Azure Key Vault

Secure key management is essential to protect data in the cloud. Use Azure Key Vault to encrypt keys and small secrets like passwords using keys stored in hardware security modules (HSMs). For more assurance, import or generate keys in HSMs, and Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft doesn't see or extract your keys. Monitor and audit your key use with Azure logging; pipe logs into Azure HDInsight or your security information and event management (SIEM) solution for more analysis and threa

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.0.0
  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CSA CCM v.3.0.1
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure CloudGuard SOC2 based on AICPA TSC 2017
  • Azure GDPR Readiness
  • Azure HIPAA
  • Azure HITRUST v9.5.0
  • Azure ISO 27001:2013
  • Azure ITSG-33
  • Azure LGPD regulation
  • Azure NIST 800-171
  • Azure NIST 800-53 Rev 4
  • Azure NIST 800-53 Rev 5
  • Azure NIST CSF v1.1
  • Azure PCI-DSS 3.2
  • CloudGuard Azure All Rules Ruleset