Remediation
Note: Azure CLI and PowerShell use ISO 8601 flags to input timespans. Every timespan input will be in the format `P<period>`, where the period is written with Y, M and D for the number of years, months and days respectively. A time frame of 2 years, 2 months, 2 days would be `P2Y2M2D`.
From Azure Portal
1. From Azure Portal select the Portal Menu in the top left.
2. Select `Key Vaults`.
3. Select a Key Vault to audit.
4. Under `Objects` select `Keys`.
5. Select a key to audit.
6. In the top row select `Rotation policy`.
7. Select an `Expiry time`.
8. Set `Enable auto rotation` to `Enabled`.
9. Set an appropriate Rotation option and `Rotation time`.
10. Optionally set the `Notification time`.
11. Select `Save`.
12. Repeat steps 3-11 for each Key Vault and Key.
From Azure CLI
Run the following command for each key to update its policy to be auto-rotated:
```shell
az keyvault key rotation-policy update -n <keyName> --vault-name <vaultName> --value <path/to/policy.json>
```
Note: It is easiest to supply the policy flags in a .json file. An example json file would be:
```json
{
  "lifetimeActions": [
    {
      "trigger": {
        "timeAfterCreate": "<timespanInISO8601Format>",
        "timeBeforeExpiry": null
      },
      "action": {
        "type": "Rotate"
      }
    },
    {
      "trigger": {
        "timeBeforeExpiry": "<timespanInISO8601Format>"
      },
      "action": {
        "type": "Notify"
      }
    }
  ],
  "attributes": {
    "expiryTime": "<timespanInISO8601Format>"
  }
}
```
From PowerShell
Run the following command for each key to update its policy:
```powershell
Set-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -PolicyPath rotation_policy.json
```
Note: It is easiest to supply the policy flags in a .json file. An example json file would be:
```json
{
  "lifetimeActions": [
    {
      "trigger": {
        "timeAfterCreate": "P<timespanInISO8601Format>M",
        "timeBeforeExpiry": null
      },
      "action": {
        "type": "Rotate"
      }
    },
    {
      "trigger": {
        "timeBeforeExpiry": "P<timespanInISO8601Format>D"
      },
      "action": {
        "type": "Notify"
      }
    }
  ],
  "attributes": {
    "expiryTime": "P<timespanInISO8601Format>Y"
  }
}
```
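The policy file passed to the CLI and PowerShell commands above is easy to get subtly wrong (a rotation trigger longer than the key lifetime, or no Rotate action at all). The following added example, not part of the benchmark text or of any Azure tooling, builds a concrete policy in that shape and audits one the way a reviewer would check output of `az keyvault key rotation-policy show`; the durations P18M, P30D and P2Y are constructed values chosen for illustration, and year/month lengths are approximated only to compare ordering.

```python
import json
import re

# Constructed example policy in the shape the CLI/PowerShell commands accept;
# the durations are illustrative assumptions, not benchmark-mandated values.
EXAMPLE_POLICY = {
    "lifetimeActions": [
        {"trigger": {"timeAfterCreate": "P18M", "timeBeforeExpiry": None},
         "action": {"type": "Rotate"}},
        {"trigger": {"timeBeforeExpiry": "P30D"},
         "action": {"type": "Notify"}},
    ],
    "attributes": {"expiryTime": "P2Y"},
}

_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")

def duration_days(span):
    """Convert an ISO 8601 date duration such as P2Y2M2D into approximate days.
    Years and months are approximated (365/30 days); only ordering matters here."""
    if not span:
        return None
    m = _DURATION.match(span)
    if not m or span == "P":
        raise ValueError(f"not a P<n>Y<n>M<n>D duration: {span!r}")
    y, mo, d = (int(g) if g else 0 for g in m.groups())
    return y * 365 + mo * 30 + d

def audit_rotation_policy(policy):
    """Return a list of findings; an empty list means a Rotate action exists
    and its trigger fires before the key's expiryTime."""
    findings = []
    expiry = duration_days(policy.get("attributes", {}).get("expiryTime"))
    if expiry is None:
        findings.append("no expiryTime set")
    rotate = [a for a in policy.get("lifetimeActions", []) if a["action"]["type"] == "Rotate"]
    if not rotate:
        findings.append("no Rotate action: auto rotation is not enabled")
        return findings
    trig = rotate[0]["trigger"]
    after = duration_days(trig.get("timeAfterCreate"))
    before = duration_days(trig.get("timeBeforeExpiry"))
    if after is None and before is None:
        findings.append("Rotate action has no trigger")
    if expiry is not None and after is not None and after >= expiry:
        findings.append("timeAfterCreate is not earlier than expiryTime")
    if expiry is not None and before is not None and before >= expiry:
        findings.append("timeBeforeExpiry is not shorter than expiryTime")
    return findings

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_POLICY, indent=2))  # contents for the policy .json file
    print(audit_rotation_policy(EXAMPLE_POLICY))  # []
```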