🛡️ Azure Non-RBAC Key Vault stores Secrets without expiration date🟢

Contextual name: 🛡️ Non-RBAC Key Vault stores Secrets without expiration date🟢
ID: /ce/ca/azure/key-vault/non-rbac-key-vault-secrets-expiration-date
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Azure Key Vault
- 🔌 Azure Key Vault Secret - object.extracts.yaml
- 🔌 Azure Key Vault - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

Cloud Conformity: Check for Azure Key Vault Secrets Expiration Date
Internal: dec-x-82ca4127

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-82ca4127	2

Description

Open File

Description

Ensure that all secrets in non-role-based access control (RBAC) Azure Key Vaults have an expiration date set.

Rationale

The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is recommended to rotate secrets in the Key Vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.

Impact

Secrets cannot be used beyond their assigned expiration dates. Secrets must be rotated periodically wherever they are used.

Audit

This policy flags an Azure Key Vault as INCOMPLIANT if any related Azure Key Vault Secret has an empty Expiration Date.

A Key Vault is marked as INAPPLICABLE if RBAC Authorization is set to Enabled.

Default Value

... see more

Remediation

Open File

Remediation

From Azure Portal

Go to Key Vaults.

For each Key Vault, select Secrets.

In the main pane, ensure that the status of the secret is Enabled.

Set an appropriate Expiration date on all secrets.

From Azure CLI

Update the Expiration date for the secret using the following command. Use a UTC timestamp in ISO 8601 format.
az keyvault secret set-attributes \
    --name {{secret-name}} \
    --vault-name {{vault-name}} \
    --expires {{expiration-date-time-utc}}
Note: To view the expiration date on all secrets in a Key Vault using Microsoft API, the List permission for secrets is required.

To update the expiration date for the secrets:

Go to the Key Vault and select Access policies.

Click on Create and add an access policy with the Update permission (in the Secret Permissions - Secret Management Operations section).

From PowerShell

For each Key Vault with the EnableRbacAuthorization setting set to False or empty, run the following command:
Set-AzKeyVaultSecret `

... [see more](remediation.md)

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 APRA CPG 234 → 💼 44c loss of, or unauthorised access to, encryption keys safeguarding extremely critical or sensitive information assets.		8	10	no data
💼 APRA CPG 234 → 💼 45 An understanding of plausible worst case scenarios can help regulated entities identify and implement additional controls to prevent or reduce the impact of such scenarios. One example is malware that infects computers and encrypts data, both on the infected computer and any connected storage, including (corporate) networks and cloud storage. Such attacks reinforce the importance of protecting the backup environment in the event that the production environment is compromised. Common techniques to achieve this include network segmentation, highly restricted and segregated access controls and network traffic flow restrictions.		35	37	no data
💼 APRA CPG 234 → 💼 d. predefined activation and deactivation dates for cryptographic keys, limiting the period of time they remain valid for use. The period of time a cryptographic key remains valid would be commensurate with the risk;		3	4	no data
💼 CIS Azure v5.0.0 → 💼 8.3.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults (Automated)			1	no data
💼 Cloudaware Framework → 💼 Expiration Management			15	no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			26	no data
💼 FedRAMP High Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)	6	14	37	no data
💼 FedRAMP High Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H)	1	9	12	no data
💼 FedRAMP Low Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)	1		37	no data
💼 FedRAMP Low Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H)			12	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			26	no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5 Authenticator Management (L)(M)(H)	4		37	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-12 Cryptographic Key Establishment and Management (L)(M)(H)			12	no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.4 Management of secret authentication information of users		8	10	no data
💼 ISO/IEC 27001:2013 → 💼 A.10.1.2 Key management		9	12	no data
💼 ISO/IEC 27001:2022 → 💼 5.9 Inventory of information and		3	6	no data
💼 ISO/IEC 27001:2022 → 💼 5.10 Acceptable use of information and other associated assets		11	27	no data
💼 ISO/IEC 27001:2022 → 💼 5.16 Identity management		2	4	no data
💼 ISO/IEC 27001:2022 → 💼 5.18 Access rights		4	6	no data
💼 ISO/IEC 27001:2022 → 💼 6.5 Responsibilities after termination or change of employment		2	4	no data
💼 ISO/IEC 27001:2022 → 💼 8.1 User end point devices		8	13	no data
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes		19	34	no data
💼 NIST CSF v1.1 → 💼 PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)		19	23	no data
💼 NIST CSF v1.1 → 💼 PR.DS-1: Data-at-rest is protected		15	30	no data
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected		16	53	no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization			43	no data
💼 NIST CSF v2.0 → 💼 PR.AA-03: Users, services, and hardware are authenticated			53	no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			133	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management		4	26	no data
💼 SOC 2 → 💼 CC6.1-11 Protects Encryption Keys		6	9	no data

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Impact​

Audit​

Default Value​

Remediation​

Remediation​

From Azure Portal​

From Azure CLI​

From PowerShell​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Impact

Audit

Default Value

Remediation

Remediation

From Azure Portal

From Azure CLI

From PowerShell

policy.yaml

Linked Framework Sections