🛡️ Azure Key Vault Certificate Validity Period (in months) is more than 12🟢

Contextual name: 🛡️ Key Vault Certificate Validity Period (in months) is more than 12🟢
ID: /ce/ca/azure/key-vault/sertificate-validity-period
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟢
- 📗 Azure Key Vault Certificate
- 🔌 Azure Key Vault Certificate - object.extracts.yaml
- 🧪 test-data.json

Description

Description

This policy identifies Azure Key Vault Certificates that are valid for more that 12 months. Restrict the validity period of certificates stored in Azure Key Vault to 12 months or less.

Rationale

Limiting certificate validity reduces the risk of misuse if compromised and helps ensure timely renewal, improving security and reliability.

Impact

Minor administrative effort required to ensure certificate renewal and lifecycle management.

Audit

This policy flags an Azure Key Vault Certificate as INCOMPLIANT if Validity Period (in months) is set to more than 12.

Default Value

Validity Period (in months) is set to 12 by default.

References

https://learn.microsoft.com/en-us/azure/key-vault/certificates/about-certificates

https://learn.microsoft.com/en-us/cli/azure/keyvault

https://learn.microsoft.com/en-us/powershell/module/az.keyvault

Remediation

Open File

Remediation

From Azure Portal

Go to Key vaults.

Click the name of a key vault.

Under Objects, click Certificates.

Click the name of a certificate.

Click Issuance Policy.

Set Validity Period (in months) to an integer between 1 and 12, inclusive.

Click Save.

Repeat steps 1-7 for each key vault and certificate requiring remediation.

From PowerShell

For each certificate requiring remediation, run the following command to set ValidityInMonths to an integer between 1 and 12, inclusive:
Set-AzKeyVaultCertificatePolicy `
    -VaultName $vault.VaultName `
    -Name {{certificate-name}} `
    -ValidityInMonths {{validity-in-months}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v5.0.0 → 💼 8.3.11 Ensure certificate 'Validity Period (in months)' is less than or equal to '12' (Automated)			1		no data
💼 Cloudaware Framework → 💼 Secure Access			67		no data

Logic​

Description​

Description​

Rationale​

Impact​

Audit​

Default Value​

References​

Remediation​

Remediation​

From Azure Portal​

From PowerShell​

policy.yaml​

Linked Framework Sections​

Logic

Description

Description

Rationale

Impact

Audit

Default Value

References

Remediation

Remediation

From Azure Portal

From PowerShell

policy.yaml

Linked Framework Sections