Description:

All secrets stored in Azure Key Vaults that use the Azure RBAC permission model must have an expiration date configured. This ensures secrets are not valid indefinitely and enforces lifecycle management for sensitive values such as passwords, tokens, and connection strings.


Rationale:

Setting expiration dates limits the lifetime of exposed secrets and forces rotation as part of security hygiene. This reduces the attack surface and ensures compromised secrets cannot be reused indefinitely.


Impact:

If a secret expires without being rotated, dependent applications may fail. Proper planning, alerting, and rotation procedures are required. The organization gains an improved security posture and regulatory compliance.


Default value:

Azure Key Vault secrets do not have an expiration date by default. Organizations must explicitly configure expiration to enforce secret lifecycle management.


Pre-requisites:

  • Key Vault must use Azure RBAC (not Access Policies)

  • User must have the Key Vault Secrets Officer or Key Vault Administrator role

  • Application owners identified

  • Rotation plan available

Test Plan:

  1. Log in to the Azure Portal https://portal.azure.com

  2. Open the Key Vault.

  3. Navigate to Secrets under Objects.

  4. Open each secret and review its latest version.

  5. Verify that an Expiration Date is configured for each secret.

  6. Secrets without an expiration date should be identified for update.

  7. All secrets should have an expiration date configured to meet security requirements.

  8. If any secret does not have an expiration date, follow the implementation steps.
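Test plan steps 4 to 6 can be carried out across a whole vault at once from the JSON that `az keyvault secret list --vault-name <vault>` prints. The script below is an added example, not part of this control text; it assumes the CLI's output shape (a list of objects with "name" and "attributes.expires", null when no expiry is set), and the sample listing and audit time are constructed, not taken from a real vault.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `az keyvault secret list` output
# (only the fields the audit reads are included).
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": "db-password",  "attributes": {"enabled": True, "expires": None}},
    {"name": "api-token",    "attributes": {"enabled": True, "expires": "2026-06-30T00:00:00+00:00"}},
    {"name": "ci-token",     "attributes": {"enabled": True, "expires": "2025-02-01T00:00:00+00:00"}},
    {"name": "storage-conn", "attributes": {"enabled": True, "expires": "2023-12-31T00:00:00+00:00"}},
])
# Fixed "current time" so the sample audit is reproducible (constructed).
AUDIT_TIME = datetime(2025, 1, 15, tzinfo=timezone.utc)

def parse_expires(value):
    """Return an aware datetime for the CLI's ISO-8601 timestamp, or None if unset."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_secrets(az_json, now, warn_days=30):
    """Classify every secret in the listing against the expiration control.
    missing  - no expiration date set: the control violation to remediate
    expired  - expiry already passed: dependent applications may be failing
    expiring - expiry within warn_days: rotation must be scheduled now
    ok       - expiry set and more than warn_days away
    """
    report = {"missing": [], "expired": [], "expiring": [], "ok": []}
    for secret in json.loads(az_json):
        name, attrs = secret["name"], secret.get("attributes", {})
        expires = parse_expires(attrs.get("expires"))
        if expires is None:
            report["missing"].append(name)
        elif expires <= now:
            report["expired"].append(name)
        elif expires <= now + timedelta(days=warn_days):
            report["expiring"].append(name)
        else:
            report["ok"].append(name)
    return report

if __name__ == "__main__":
    result = audit_secrets(SAMPLE_AZ_OUTPUT, AUDIT_TIME)
    print(json.dumps(result, indent=2))
    for name in result["missing"]:
        # CLI equivalent of the portal "Edit -> Expiration date" step; fill in the vault and date.
        print(f"az keyvault secret set-attributes --vault-name <vault> --name {name} --expires <YYYY-MM-DDTHH:MM:SSZ>")
```

Secrets listed under "missing" are the ones the implementation steps apply to; "expiring" is the alerting input the Impact section calls for.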


Implementation steps:

  1. Log in to the Azure Portal https://portal.azure.com

  2. Open Key Vaults and select the Key Vault that is configured to use Azure RBAC.

  3. Navigate to Secrets under the Objects section.

  4. Select a secret that does not have an expiration date.

  5. Open the latest active version of the secret and click Edit.

  6. Set a value in the Expiration date field.

  7. Click Save to apply the change.

  8. Confirm the expiration date appears in the secret properties.

Backout Plan:

  1. Log in to the Azure portal and open Key Vaults.

  2. Select the affected RBAC-enabled Key Vault.

  3. Navigate to Secrets under the Objects section.

  4. Open the relevant secret.

  5. Select the version that contains the expiration date.

  6. Click Edit to update the secret properties.

  7. Remove the expiration date or extend it to a future date, as required.

  8. Click Save to apply the changes.

References: