Remediation
Note: Azure CLI and PowerShell use the ISO 8601 duration format for time spans. The format is `P<timespanInISO8601Format>(Y,M,D)`. The leading `P` is required and is referred to as the period designator. The `(Y,M,D)` designators give the duration in years, months, and days, respectively; a time frame of 2 years, 2 months, 2 days would be `P2Y2M2D`. For Azure CLI and PowerShell, it is easiest to supply the policy settings in a `.json` file, for example:
```json
{
  "lifetimeActions": [
    {
      "trigger": {
        "timeAfterCreate": "P<timespanInISO8601Format>(Y,M,D)",
        "timeBeforeExpiry": null
      },
      "action": {
        "type": "Rotate"
      }
    },
    {
      "trigger": {
        "timeBeforeExpiry": "P<timespanInISO8601Format>(Y,M,D)"
      },
      "action": {
        "type": "Notify"
      }
    }
  ],
  "attributes": {
    "expiryTime": "P<timespanInISO8601Format>(Y,M,D)"
  }
}
```
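As an added example (not part of this benchmark or of any Microsoft tooling), a small Python helper that validates the `P(Y,M,D)` periods described above, writes the policy file passed to `--value` / `-PolicyPath`, and checks a policy document for an active `Rotate` action. The function names and the sample durations (2-year expiry, rotation 18 months after creation, notification 30 days before expiry) are assumptions chosen for illustration.

```python
import json
import re

# Only the Y, M and D designators described above (e.g. P2Y2M2D); weeks and
# time components are deliberately rejected so a typo such as "P2W" is caught.
PERIOD_RE = re.compile(r"^P(?!$)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")

def parse_period(value):
    """Return (years, months, days) for a P(Y,M,D) string, else raise ValueError."""
    m = PERIOD_RE.match(value)
    if not m:
        raise ValueError(f"not a P(Y,M,D) period: {value!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def approx_days(value):
    """Rough day count (365-day years, 30-day months) used only for ordering checks."""
    y, mo, d = parse_period(value)
    return y * 365 + mo * 30 + d

def build_rotation_policy(expiry, rotate_after, notify_before):
    """Build the document passed to --value / -PolicyPath (hypothetical helper)."""
    if approx_days(rotate_after) >= approx_days(expiry):
        raise ValueError("rotation interval must be shorter than the key expiry")
    return {
        "lifetimeActions": [
            {"trigger": {"timeAfterCreate": rotate_after, "timeBeforeExpiry": None},
             "action": {"type": "Rotate"}},
            {"trigger": {"timeBeforeExpiry": notify_before},
             "action": {"type": "Notify"}},
        ],
        "attributes": {"expiryTime": expiry},
    }

def auto_rotation_enabled(policy):
    """True if a policy document has a Rotate action with a non-empty trigger."""
    for item in policy.get("lifetimeActions") or []:
        action = (item.get("action") or {}).get("type", "")
        trigger = item.get("trigger") or {}
        if action.lower() == "rotate" and any(
            trigger.get(k) for k in ("timeAfterCreate", "timeBeforeExpiry")
        ):
            return True
    return False

if __name__ == "__main__":
    # Constructed values: 2-year expiry, rotate 18 months after creation, notify
    # 30 days before expiry. Writes policy.json for the CLI commands below.
    with open("policy.json", "w") as fh:
        json.dump(build_rotation_policy("P2Y", "P18M", "P30D"), fh, indent=2)
```

`auto_rotation_enabled` can be run over the JSON returned by `az keyvault key rotation-policy show` for each key to find keys whose policy only notifies and never rotates.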
From Azure Portal
1. Go to Key Vaults.
2. Select a Key Vault.
3. Under Objects, select Keys.
4. Select a key.
5. From the top row, select Rotation policy.
6. Select an appropriate Expiry time.
7. Set Enable auto rotation to Enabled.
8. Set an appropriate Rotation option and Rotation time.
9. Optionally, set a Notification time.
10. Click Save.
11. Repeat steps 1-10 for each Key Vault and Key.
From Azure CLI
Run the following command for each key to enable automatic rotation:
```bash
az keyvault key rotation-policy update --vault-name <vault-name> --name <key-name> --value <path/to/policy.json>
```
From PowerShell
Run the following command for each key to enable automatic rotation:
```powershell
Set-AzKeyVaultKeyRotationPolicy -VaultName <vault-name> -Name <key-name> -PolicyPath <path/to/policy.json>
```