📝 Azure Key Vault Automatic Key Rotation is not enabled 🟢

• Contextual name: 📝 Automatic Key Rotation is not enabled 🟢
• ID: /ce/ca/azure/key-vault/automatic-key-rotation
• Located in: 📁 Azure Key Vault

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • RELIABILITY

Logic

• 🧠 prod.logic.yaml 🟢
  • 📗 Azure Key Vault
  • 🔌 Azure Key Vault Key - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Automated cryptographic key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency. A key rotation policy can be defined for each individual key.

Rationale

Automatic key rotation reduces risk by ensuring that keys are rotated without manual intervention.

Azure and NIST recommend that keys be rotated every two years or less. Refer to 'Table 1: Suggested cryptoperiods for key types' on page 46 of the following document for more information: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf.

Impact

There is an additional cost for each scheduled key rotation.

Audit

This policy marks an Azure Key Vault as INCOMPLIANT if any of its Key Vault Keys:

• Missing Lifetime Actions,
• Lifetime Actions don’t include a Rotate action, or
• Include a Rotate action but haven’t been rotated in over two years (exceeding the industry‑standard maximum key lifetime).

Default Value

By default, Automatic Key Rotation is not enabled.

... see more

Remediation

Open File

Remediation

Note: Azure CLI and PowerShell use the ISO8601 duration format for time spans. The format is P<timespanInISO8601Format>(Y,M,D). The leading P is required and is referred to as period. The (Y,M,D) are for the duration of Year, Month, and Day, respectively. A time frame of 2 years, 2 months, 2 days would be P2Y2M2D. For Azure CLI and PowerShell, it is easiest to supply the policy flags in a .json file, for example:

{ 
    "lifetimeActions": [ 
        { 
            "trigger": { 
                "timeAfterCreate": "P<timespanInISO8601Format>(Y,M,D)",
                "timeBeforeExpiry" : null 
            }, 
            "action": { 
                "type": "Rotate" 
            } 
        }, 
        { 
            "trigger": { 
                "timeBeforeExpiry" : "P<timespanInISO8601Format>(Y,M,D)" 
            }, 
            "action": { 
                "type": "Notify" 
                } 
        } 
    ], 
    "attributes": { 
        "expiryTime": "P<timespanInISO8601Format>(Y,M,D)" 
    } 
}

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS Azure v2.1.0 → 💼 8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services - Level 2 (Manual)			1
💼 CIS Azure v3.0.0 → 💼 3.3.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services (Automated)			1
💼 CIS Azure v4.0.0 → 💼 9.3.9 Ensure automatic key rotation is enabled within Azure Key Vault (Automated)			1
💼 Cloudaware Framework → 💼 Expiration Management			12