Description:

Azure Key Vault supports automatic rotation of cryptographic keys by creating new key versions based on a defined rotation policy. When enabled for supported Azure services that reference keys without specifying a version, automatic rotation helps ensure keys are replaced regularly without manual intervention, reducing the risk associated with long-lived or compromised keys.


Rationale:

Automatic key rotation enforces good key hygiene by periodically replacing sensitive cryptographic keys. This limits the impact of potential key compromise, reduces reliance on manual processes, and supports compliance with security best practices and regulatory requirements.


Impact:

Enabling automatic key rotation improves security by ensuring that new key versions are generated on a regular schedule. Dependent services must be validated to ensure they automatically consume the latest key version. Inadequate monitoring or incompatible service configurations could result in service disruption if key rotation failures are not detected.


Default Value:

By default, automatic key rotation is disabled in Azure Key Vault and must be explicitly configured for each key.


Pre-requisites:

  • An Azure Key Vault with keys enabled

  • Azure RBAC or Key Vault access policies configured with sufficient permissions

  • Azure Key Vault Standard tier (Premium required only for HSM-backed keys)

  • Azure services that support customer-managed keys and reference Key Vault keys without a specific version


Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Navigate to Key Vaults and select the applicable Key Vault.

  3. Under Objects, select Keys and choose the encryption key.

  4. Open the Rotation policy and verify that automatic key rotation is enabled.

  5. Open Versions and confirm that new key versions exist.

  6. If the configuration does not follow the documented implementation steps


Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Navigate to Key Vaults and select the required Key Vault.

  3. Under Objects, select Keys and choose the encryption key.

  4. Open the Rotation policy.

  5. Enable automatic key rotation.

  6. Configure the rotation interval and expiration settings according to organizational requirements.

  7. Save the rotation policy.
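As an added example (not part of this benchmark), the Python below evaluates a rotation policy against the Test Plan and builds the policy document used in the Implementation Steps, assuming the JSON shape that `az keyvault key rotation-policy show` / `update --value` use; the sample policy is constructed, and the month/year-to-day conversion is an approximation.

```python
import json
import re

# Constructed sample of a rotation policy as returned by the CLI (shape assumed).
SAMPLE_POLICY = json.loads("""
{
  "attributes": {"expiryTime": "P2Y"},
  "lifetimeActions": [
    {"action": {"type": "Rotate"}, "trigger": {"timeAfterCreate": "P18M", "timeBeforeExpiry": null}},
    {"action": {"type": "Notify"}, "trigger": {"timeAfterCreate": null, "timeBeforeExpiry": "P30D"}}
  ]
}
""")

_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")

def iso_duration_days(value):
    """Approximate an ISO 8601 date duration (PnYnMnD, the form Key Vault uses) in days."""
    m = _DURATION.match(value or "")
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    years, months, days = (int(g) if g else 0 for g in m.groups())
    return years * 365 + months * 30 + days  # approximation: 30-day months, 365-day years

def rotate_trigger(policy):
    """Trigger of the Rotate lifetime action, or None when automatic rotation is not configured."""
    for action in policy.get("lifetimeActions", []):
        if action.get("action", {}).get("type", "").lower() == "rotate":
            return action.get("trigger", {})
    return None

def check_rotation_policy(policy, max_interval_days=365):
    """Test Plan steps 4 and 6: rotation must be enabled and fire within the organisation's
    maximum interval. Returns (compliant, reason)."""
    trigger = rotate_trigger(policy)
    if trigger is None:
        return False, "no Rotate lifetime action: automatic rotation is disabled"
    after_create, before_expiry = trigger.get("timeAfterCreate"), trigger.get("timeBeforeExpiry")
    expiry = policy.get("attributes", {}).get("expiryTime")
    if after_create:
        interval = iso_duration_days(after_create)
    elif before_expiry and expiry:
        interval = iso_duration_days(expiry) - iso_duration_days(before_expiry)
    else:
        return False, "Rotate action has no usable trigger"
    if interval > max_interval_days:
        return False, f"rotation every {interval} days exceeds the {max_interval_days}-day maximum"
    return True, f"rotation every {interval} days"

def build_rotation_policy(rotate_after="P90D", expire_after="P180D", notify_before="P30D"):
    """Policy document for Implementation Step 6 (values are illustrative, not a recommendation)."""
    return {"lifetimeActions": [
                {"trigger": {"timeAfterCreate": rotate_after}, "action": {"type": "Rotate"}},
                {"trigger": {"timeBeforeExpiry": notify_before}, "action": {"type": "Notify"}}],
            "attributes": {"expiryTime": expire_after}}
```

Write the result of build_rotation_policy() to a file and pass it to `az keyvault key rotation-policy update --vault-name <vault> --name <key> --value <file>`.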


Backout Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Navigate to Key Vaults and select the affected Key Vault.

  3. Under Objects, select Keys and choose the affected encryption key.

  4. Open the Rotation policy.

  5. Disable automatic key rotation.

  6. Save the rotation policy.


References: