Description:
This control ensures that every cryptographic key stored in Azure Key Vault configured with RBAC authorization has an expiration date defined. Expiry enforcement prevents long-lived keys from remaining active indefinitely and helps maintain secure cryptographic lifecycle management.
Rationale:
Keys without expiration dates pose security risks by enabling indefinite usage. Enforcing expiration supports regular rotation, reduces exposure to compromised keys, and helps organizations comply with cryptographic hygiene and regulatory standards.
Impact:
Implementing this control improves security posture, but applications that continue to use a key after it expires will fail. Applications must be updated or re-pointed before the expiration date to avoid downtime. Key rotation and lifecycle planning become mandatory operational practices.
Default value:
No expiration date is configured by default for keys in Azure Key Vault.
Pre-requisites:
Azure Key Vault uses the RBAC authorization model (not Access Policies).
User has the Key Vault Administrator or Key Vault Crypto Officer role.
Applications are capable of handling key rotation.
Backup of existing keys is completed before modification.
Change management approval (if in production environment).
Test Plan:
Log in to the Azure Portal: https://portal.azure.com
Open the required Key Vault, navigate to Settings, click on Access configuration, and confirm that Azure role-based access control (RBAC) is selected as the permission model.
Go to Objects, click on Keys, and open each key.
Review the key properties and verify that an Expiration date is configured for every key.
If it is not configured, follow the implementation steps.
Implementation Steps:
Log in to the Azure Portal: https://portal.azure.com
Navigate to Key Vaults and select the required Key Vault.
Under Objects, click Keys.
Select the key you want to update.
Click Edit and configure an Expiration date for the key.
Click Save to apply the changes.
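The RBAC check from the Test Plan and the per-key audit and remediation from the Implementation Steps, done from the CLI output instead of the portal, as an added example that is not part of this control text or of any Microsoft tooling: it reads the JSON returned by `az keyvault show` and `az keyvault key list`, lists every key with no expiration date, and emits the `az keyvault key set-attributes --expires` command for each. The vault name example-kv, the key names and the one-year lifetime are constructed or assumed values.

```python
"""Audit Azure Key Vault keys for a missing expiration date.

Assumes the JSON shapes of `az keyvault show` (properties.enableRbacAuthorization)
and `az keyvault key list` (items with name and attributes.expires). All sample
data below is constructed, not taken from a real vault.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `az keyvault show --name example-kv` (only the field we need).
SAMPLE_VAULT_SHOW = '{"name": "example-kv", "properties": {"enableRbacAuthorization": true}}'

# Constructed sample of `az keyvault key list --vault-name example-kv`:
# one compliant key, one with expires set to null, one with the attribute absent.
SAMPLE_KEY_LIST = json.dumps([
    {"name": "app-signing", "attributes": {"enabled": True, "expires": "2026-01-31T00:00:00+00:00"}},
    {"name": "legacy-encrypt", "attributes": {"enabled": True, "expires": None}},
    {"name": "disabled-old", "attributes": {"enabled": False}},
])

def rbac_enabled(vault_show_json: str) -> bool:
    """True when the vault uses the RBAC permission model (the control's precondition)."""
    props = json.loads(vault_show_json).get("properties", {})
    return bool(props.get("enableRbacAuthorization"))

def keys_without_expiry(key_list_json: str) -> list[str]:
    """Names of keys whose attributes carry no expiration date (null or absent)."""
    keys = json.loads(key_list_json)
    return [k["name"] for k in keys if not k.get("attributes", {}).get("expires")]

def remediation_command(vault_name: str, key_name: str, expires_utc: str) -> str:
    """The `az keyvault key set-attributes` call that sets the expiry on one key."""
    return (f"az keyvault key set-attributes --vault-name {vault_name} "
            f"--name {key_name} --expires {expires_utc}")

def plan(vault_name: str, vault_show_json: str, key_list_json: str,
         lifetime_days: int = 365) -> list[str]:
    """Remediation commands for every non-compliant key; empty when the vault is not RBAC."""
    if not rbac_enabled(vault_show_json):
        return []  # control applies only to RBAC-mode vaults
    target = datetime.now(timezone.utc) + timedelta(days=lifetime_days)
    stamp = target.strftime("%Y-%m-%dT%H:%M:%SZ")  # timestamp format taken by --expires
    return [remediation_command(vault_name, n, stamp)
            for n in keys_without_expiry(key_list_json)]

if __name__ == "__main__":
    for cmd in plan("example-kv", SAMPLE_VAULT_SHOW, SAMPLE_KEY_LIST):
        print(cmd)
```

Review the generated commands before running them; the lifetime should match your organization's rotation policy, and each application must be able to pick up the rotated key before that date.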
Backout Plan:
Log in to the Azure Portal: https://portal.azure.com
Navigate to Key Vaults and select the required Key Vault.
Under Objects, select Keys.
Identify the impacted key and select it.
Use the Edit option to extend the key’s expiration date, if required.
Regenerate the key or restore a previous version if necessary to maintain application functionality.
References:
https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys
https://learn.microsoft.com/en-us/azure/key-vault/general/manage-with-cli
https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide
https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management