iCompaas Support

Description:

All cryptographic keys stored in Azure Key Vaults that use Access Policies (non-RBAC model) must have an expiration date configured. This guarantees that keys are rotated regularly and prevents the continued use of outdated or compromised cryptographic material.

Rationale:

Setting an expiration date enforces key lifecycle management and prevents perpetual use of security keys. It supports compliance, limits exposure from compromised credentials, and ensures periodic cryptographic hygiene across workloads.

Impact:

Keys will automatically expire and may stop functioning if applications are not updated with new versions. Key rotation procedures must exist to avoid outages. Organizations benefit from stronger security and improved governance of sensitive cryptographic assets.

Default Value:

Expiration Date: Not set (null) by default

Pre-requisites:

• Azure Key Vault uses Access Policies (not Azure RBAC)

• User has Key Vault Administrator or equivalent permission

• Applications support key rotation

• Backup of keys exists (optional but recommended)
  
  

Test Plan:

1. Log in to the Azure Portal: https://portal.azure.com

2. Navigate to Key Vaults and select the required Key Vault.

3. Under Objects, click Keys.

4. Open each key and review the latest version.

5. Verify that an Expiration date is configured for the key.

6. If any key does not have an expiration date, follow the implementation steps.

Implementation Steps:

1. Log in to the Azure Portal: https://portal.azure.com

2. Navigate to Key Vaults and select the required Key Vault.

3. Select the Key Vault that is configured to use Access Policies (non-RBAC).

4. Under Objects, select Keys.

5. Choose the key that does not have an expiration date configured.

6. Select the latest active version of the key and click Edit.

7. Set an appropriate value in the Expiration date field.

8. Click Save to apply the changes.

Backout Plan:

1. Sign in to the Azure portal and navigate to Key Vaults.

2. Select the Key Vault where the expiration date change was applied.

3. Under Objects, select Keys and open the affected key.

4. Choose the key version where the expiration date was previously configured.

5. Click Edit to modify the key settings.

6. Remove the expiration date or extend it to a future date, as required.

7. Click Save to apply the changes.

References:

• https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys

• https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy

• https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-set-key-attributes

• https://learn.microsoft.com/en-us/azure/governance/policy/samples/key-vault

• https://learn.microsoft.com/en-us/azure/security/fundamentals/keys-best-practices