Description:
This control ensures that every secret stored in Azure Key Vaults using Access Policy (Non-RBAC) authorization has a defined expiration date. Setting expiration dates enforces secret rotation, limits prolonged exposure of credentials, and reduces the risk of compromised secrets being exploited indefinitely.
Rationale:
Secrets without expiration remain valid indefinitely, increasing the impact of credential leaks and operational risk. Enforcing expiration ensures periodic rotation, improves auditability, and supports identity lifecycle policies. This aligns with security best practices and regulatory guidance for credential management.
Impact:
Applications that depend on expired secrets will fail authentication if rotation is not completed in advance. This control requires a rotation mechanism and monitoring of expiry schedules. Teams must plan for renewal workflows and proper alerting.
Default Value:
By default, secrets do not have expiration dates in Azure Key Vault unless explicitly configured.
Pre-requisites:
Azure Key Vault must already exist.
Key Vault must use the Access Policy model (Non-RBAC).
Key Vault SKU must be Standard or Premium.
Secrets must be created in the vault.
Test Plan:
Sign in to the Azure portal.
Navigate to Key Vaults and select a vault that uses Access Policies (not RBAC).
Open Secrets and review each secret.
Verify that an expiration date is defined for every secret.
If there is no expiration date, follow the implementation steps.
Implementation Steps:
Sign in to the Azure portal.
Navigate to Key Vaults and select the target Key Vault.
Under the Objects section, select Secrets.
Choose the secret you want to update.
Click New version.
Ensure Enabled is set to Yes and configure an appropriate Expiration date.
Click Create to save the changes.
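As an added example, not part of this control's text, the Python below applies the Test Plan check (does every secret carry an expiration date?) to records in the shape that `az keyvault secret list --vault-name <vault> -o json` returns, and builds the Azure CLI command that sets an expiry on the current secret version, which is the CLI counterpart of the portal's New version step. The secret names, dates and `<vault-name>` are constructed placeholders, and the 30-day warning window is an assumed threshold.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (made-up names and dates) in the shape of
# `az keyvault secret list --vault-name <vault> -o json`, reduced to the fields read here.
SAMPLE_SECRETS = [
    {"name": "db-password", "attributes": {"enabled": True, "expires": None}},
    {"name": "api-key", "attributes": {"enabled": True, "expires": "2024-01-01T00:00:00+00:00"}},
    {"name": "sas-token", "attributes": {"enabled": True, "expires": "2025-02-01T00:00:00Z"}},
    {"name": "legacy-pw", "attributes": {"enabled": False, "expires": None}},
    {"name": "smtp-password", "attributes": {"enabled": True, "expires": "2026-01-01T00:00:00+00:00"}},
]
AUDIT_TIME = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed "now" for a reproducible run

def parse_expiry(value):
    """Return an aware datetime for an ISO-8601 expiry string, or None when no expiry is set."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def classify_secret(secret, now, warn_days=30):
    """Map one secret to missing_expiry / expired / expiring_soon / ok."""
    expires = parse_expiry(secret.get("attributes", {}).get("expires"))
    if expires is None:
        return "missing_expiry"   # the condition this control flags
    if expires <= now:
        return "expired"          # dependants are already failing authentication
    if expires - now <= timedelta(days=warn_days):
        return "expiring_soon"    # rotate before the deadline
    return "ok"

def audit_secrets(secrets, now, warn_days=30):
    """Group secret names by status; disabled secrets are checked too, as the control covers every secret."""
    findings = {"missing_expiry": [], "expired": [], "expiring_soon": [], "ok": []}
    for secret in secrets:
        findings[classify_secret(secret, now, warn_days)].append(secret["name"])
    return findings

def remediation_command(vault_name, secret_name, expires):
    """Azure CLI call that sets an expiry on the current secret version (CLI
    counterpart of the portal's New version step; the vault name is a placeholder)."""
    stamp = expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"az keyvault secret set-attributes --vault-name {vault_name} --name {secret_name} --expires {stamp}"

def run_sample_audit():
    return audit_secrets(SAMPLE_SECRETS, AUDIT_TIME)

if __name__ == "__main__":
    for status, names in run_sample_audit().items():
        print(f"{status}: {names}")
```

Secrets listed under `missing_expiry` are the findings for this control; those under `expired` or `expiring_soon` are the ones the Impact section warns about and need rotation scheduled before dependent applications fail.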
Backout Plan:
Go to the Azure portal and navigate to Key Vaults.
Select the targeted Key Vault.
Under Objects, select Secrets.
Choose the secret you want to roll back.
Temporarily extend the expiration by creating a New Version or removing the expiration date, if required.
References:
https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates
https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-port
https://learn.microsoft.com/en-us/azure/key-vault/secrets/about-secrets
https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy


