🛡️ Azure Key Vault Automatic Key Rotation is not enabled🟢

Contextual name: 🛡️ Automatic Key Rotation is not enabled🟢
ID: /ce/ca/azure/key-vault/automatic-key-rotation
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: RELIABILITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Azure Key Vault
- 🔌 Azure Key Vault Key - object.extracts.yaml
- 🧪 test-data.json

Description

Description

Automated cryptographic key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency. A key rotation policy can be defined for each individual key.

Rationale

Automatic key rotation reduces risk by ensuring that keys are rotated without manual intervention.

Azure and NIST recommend that keys be rotated every two years or less. Refer to 'Table 1: Suggested cryptoperiods for key types' on page 46 of the following document for more information: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf.

Impact

There is an additional cost for each scheduled key rotation.

Audit

This policy marks an Azure Key Vault as INCOMPLIANT if any of its Key Vault Keys:

Missing Lifetime Actions,

Lifetime Actions don’t include a Rotate action, or

Include a Rotate action but haven’t been rotated in over two years (exceeding the industry‑standard maximum key lifetime).

Default Value

By default, Automatic Key Rotation is not enabled.

... see more

Remediation

Open File

Remediation

Note: Azure CLI and PowerShell use the ISO8601 duration format for time spans. The format is P<timespanInISO8601Format>(Y,M,D). The leading P is required and is referred to as period. The (Y,M,D) are for the duration of Year, Month, and Day, respectively. A time frame of 2 years, 2 months, 2 days would be P2Y2M2D. For Azure CLI and PowerShell, it is easiest to supply the policy flags in a .json file, for example:

{ 
    "lifetimeActions": [ 
        { 
            "trigger": { 
                "timeAfterCreate": "P<timespanInISO8601Format>(Y,M,D)",
                "timeBeforeExpiry" : null 
            }, 
            "action": { 
                "type": "Rotate" 
            } 
        }, 
        { 
            "trigger": { 
                "timeBeforeExpiry" : "P<timespanInISO8601Format>(Y,M,D)" 
            }, 
            "action": { 
                "type": "Notify" 
                } 
        } 
    ], 
    "attributes": { 
        "expiryTime": "P<timespanInISO8601Format>(Y,M,D)" 
    } 
}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v5.0.0 → 💼 8.3.9 Ensure automatic key rotation is enabled within Azure Key Vault (Automated)			1		no data
💼 Cloudaware Framework → 💼 Expiration Management			15		no data

Logic​

Description​

Description​

Rationale​

Impact​

Audit​

Default Value​

Remediation​

Remediation​

policy.yaml​

Linked Framework Sections​

Logic

Description

Description

Rationale

Impact

Audit

Default Value

Remediation

Remediation

policy.yaml

Linked Framework Sections