Ensure that the Expiration Date is set for all Secrets in Key Vaults

The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration time) attribute identifies the expiration time on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration time for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.

Risk Level: Low
Cloud Entity: Azure Key Vault
CloudGuard Rule ID: D9.AZU.CRY.13
Covered by Spectral: No
Category: Security, Identity, & Compliance


KeyVault where secrets should not have secrets contain [ enabled=true and expires isEmpty() ]


From Portal

  1. Go to 'Key vaults' and choose your Key Vault
  2. Select 'Secrets' under 'Settings' in the navigation menu
  3. Select the relevant Secret and reselect its current version
  4. Check the 'Set expiration date' box
  5. Provide the 'Expiration date'
  6. Click on Save.

From TF
Set the 'expiration_date' to the relevant date and time:

resource "azurerm_key_vault_secret" "example" {
	expiration_date = "EXPIRATIONDATE"

From Command Line

az keyvault secret set-attributes --vault-name KEYVAULTNAME --name SECRETNAME --expires EXPIRATIONDATE

Note: Please note that Azure Key Vault's entities are not accessible using the policy that was setup on Azure account onboarding. This is because by default Azure does not grant access rights to vaults, secrets, certificates, and keys.
Please follow the steps listed in section 'Configure Policies for Azure Key Vault Entities' in the following documentation:


  1. https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets
  2. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret
  3. https://docs.microsoft.com/en-us/cli/azure/keyvault/secret?view=azure-cli-latest#az_keyvault_secret_set_attributes

Azure Key Vault

Secure key management is essential to protect data in the cloud. Use Azure Key Vault to encrypt keys and small secrets like passwords that use keys stored in hardware security modules (HSMs). For more assurance, import or generate keys in HSMs, and Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft doesn���t see or extract your keys. Monitor and audit your key use with Azure logging���pipe logs into Azure HDInsight or your security information and event management (SIEM) solution for more analysis and threa

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.0.0
  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CSA CCM v.3.0.1
  • Azure CSA CCM v.4.0.1
  • Azure CloudGuard Best Practices
  • Azure CloudGuard SOC2 based on AICPA TSC 2017
  • Azure GDPR Readiness
  • Azure HIPAA
  • Azure HITRUST v9.5.0
  • Azure ISO 27001:2013
  • Azure ITSG-33
  • Azure LGPD regulation
  • Azure NIST 800-171
  • Azure NIST 800-53 Rev 4
  • Azure NIST 800-53 Rev 5
  • Azure NIST CSF v1.1
  • Azure New Zealand Information Security Manual (NZISM) v.3.4
  • Azure PCI-DSS 3.2
  • CloudGuard Azure All Rules Ruleset