Description:
Automatic key rotation in Azure Key Vault rotates cryptographic keys on a schedule, helping organizations adhere to security policies that require regular key changes to limit the window in which an exposed or compromised key remains usable. Once enabled, keys are rotated at predefined intervals without manual intervention, providing continuous protection for the sensitive data managed with keys in Azure Key Vault.
Rationale:
Regular key rotation is a security best practice that reduces the risk of key compromise. Enabling automatic key rotation ensures that keys are updated on schedule, which helps organizations meet compliance requirements such as SOC 2, HIPAA, PCI-DSS, and GDPR that often mandate key management practices, including periodic key rotation. It also improves operational efficiency by eliminating the manual effort of rotating keys and reduces the potential for human error.
Impact:
Enabling automatic key rotation reduces the risk of key compromise by ensuring that keys are periodically updated without manual intervention. However, some applications or services might need to be reconfigured to work with new keys after rotation. Therefore, ensure that any services using the keys in Azure Key Vault are configured to automatically handle new key versions.
Default Value:
By default, automatic key rotation is disabled in Azure Key Vault. This feature must be explicitly enabled and configured.
Pre-requisites:
Azure Key Vault: Ensure you have an existing Azure Key Vault instance with keys stored.
Permissions: You need appropriate permissions (e.g., Owner or Contributor) to configure the Key Vault and its key rotation settings.
Supported Key Types: Automatic key rotation is available for RSA and ECDSA keys in Azure Key Vault.
Remediation:
Audit:
To check if automatic key rotation is enabled in your Azure Key Vault:
Sign in to the Azure portal using an account with appropriate permissions.
Navigate to Azure Key Vault:
In the Azure portal, go to Key Vaults and select the relevant Key Vault.
Check Key Rotation Settings:
In the Settings section of the Key Vault, click on Keys.
Review the Key Rotation settings for any keys in use.
Verify if automatic key rotation is enabled for any of the keys and whether the key rotation policy (e.g., rotation interval) is configured.
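The portal check above can be scripted for vaults with many keys. The following is an added example, not part of this benchmark or of Microsoft's tooling: it evaluates rotation-policy documents in the JSON shape that `az keyvault key rotation-policy show --vault-name <vault> --name <key>` returns (a `lifetimeActions` list whose `Rotate` action carries a `timeAfterCreate` or `timeBeforeExpiry` trigger, plus `attributes.expiryTime`, all as ISO 8601 durations) against a maximum rotation interval, and builds a compliant policy document that can be applied with `az keyvault key rotation-policy update --value @policy.json`. The vault inventory, key names and policy contents are constructed sample data; the 90-day threshold is an assumed organizational limit.

```python
"""Offline audit of Azure Key Vault key rotation policies (added example).

Input shape mirrors `az keyvault key rotation-policy show` output:
  lifetimeActions[*].trigger.timeAfterCreate / timeBeforeExpiry  (ISO 8601 durations)
  lifetimeActions[*].action.type                                  ("Rotate" or "Notify")
  attributes.expiryTime                                           (ISO 8601 duration)
"""
import json
import re

# Day equivalents used for the date-only ISO 8601 duration components (approximate for Y/M).
_UNIT_DAYS = {"Y": 365, "M": 30, "W": 7, "D": 1}
_DURATION_RE = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?$")


def duration_days(value):
    """Convert a date-only ISO 8601 duration such as 'P90D' or 'P1Y' to a day count."""
    m = _DURATION_RE.match(value or "")
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    return sum(int(n) * _UNIT_DAYS[u] for n, u in zip(m.groups(), "YMWD") if n)


def rotate_trigger_days(policy, expiry_days=None):
    """Days after creation at which the policy's Rotate action fires, or None if there is none."""
    for item in policy.get("lifetimeActions") or []:
        if (item.get("action") or {}).get("type", "").lower() != "rotate":
            continue
        trigger = item.get("trigger") or {}
        if trigger.get("timeAfterCreate"):
            return duration_days(trigger["timeAfterCreate"])
        # timeBeforeExpiry only makes sense together with attributes.expiryTime
        if trigger.get("timeBeforeExpiry") and expiry_days is not None:
            return expiry_days - duration_days(trigger["timeBeforeExpiry"])
    return None


def evaluate_key(name, policy, max_days):
    """Return (compliant, reason) for one key's rotation policy document."""
    if not policy:
        return False, f"{name}: no rotation policy (automatic rotation disabled)"
    expiry = (policy.get("attributes") or {}).get("expiryTime")
    expiry_days = duration_days(expiry) if expiry else None
    days = rotate_trigger_days(policy, expiry_days)
    if days is None:
        return False, f"{name}: rotation policy has no Rotate action"
    if days > max_days:
        return False, f"{name}: rotates every {days} days, exceeds limit of {max_days}"
    return True, f"{name}: rotates every {days} days"


def audit(inventory, max_days=90):
    """Evaluate every key in the inventory; returns a list of (key, compliant, reason)."""
    return [(name, *evaluate_key(name, policy, max_days)) for name, policy in inventory.items()]


def make_rotation_policy(rotate_after_days, expiry_days, notify_before_days=30):
    """Build a rotation policy document for `az keyvault key rotation-policy update --value @file`."""
    return {
        "lifetimeActions": [
            {"trigger": {"timeAfterCreate": f"P{rotate_after_days}D"},
             "action": {"type": "Rotate"}},
            {"trigger": {"timeBeforeExpiry": f"P{notify_before_days}D"},
             "action": {"type": "Notify"}},
        ],
        "attributes": {"expiryTime": f"P{expiry_days}D"},
    }


# Constructed sample inventory: key name -> rotation policy document (None = no policy set).
SAMPLE_INVENTORY = {
    "app-signing-key": {
        "lifetimeActions": [{"trigger": {"timeAfterCreate": "P60D"}, "action": {"type": "Rotate"}}],
        "attributes": {"expiryTime": "P1Y"},
    },
    "legacy-rsa-key": None,
    "archive-key": {  # only a Notify action: expiry warnings, but no automatic rotation
        "lifetimeActions": [{"trigger": {"timeBeforeExpiry": "P30D"}, "action": {"type": "Notify"}}],
        "attributes": {"expiryTime": "P2Y"},
    },
    "db-encryption-key": {  # rotates, but only once a year
        "lifetimeActions": [{"trigger": {"timeAfterCreate": "P1Y"}, "action": {"type": "Rotate"}}],
        "attributes": {"expiryTime": "P2Y"},
    },
}

if __name__ == "__main__":
    for _, ok, reason in audit(SAMPLE_INVENTORY, max_days=90):
        print("PASS" if ok else "FAIL", reason)
    # Document to apply to a non-compliant key: rotate every 90 days, expire after a year.
    print(json.dumps(make_rotation_policy(90, 365), indent=2))
```

In practice the inventory would be built by listing keys with `az keyvault key list` and fetching each policy with `az keyvault key rotation-policy show`; the checker deliberately treats a policy with only a `Notify` action as non-compliant, since that configuration warns about expiry but never rotates the key.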
Automated Implementation:
To ensure automatic key rotation is enabled for keys within Azure Key Vault, you can use Azure Policy.
Create a custom Azure Policy to enforce automatic key rotation:
Go to the Azure portal.
Navigate to Policy and click on Definitions.
Create a new Custom Policy with the following content:
{
  "properties": {
    "displayName": "Ensure Automatic Key Rotation is Enabled for Azure Key Vault",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy ensures that automatic key rotation is enabled for keys in Azure Key Vault.",
    "parameters": {},
    "metadata": {
      "version": "1.0.0",
      "category": "Key Vault"
    },
    "policyRule": {
      "if": {
        "field": "Microsoft.KeyVault/vaults/properties.keyRotationPolicy.enabled",
        "equals": "false"
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
Assign the policy:
After creating the custom policy, assign it to the relevant subscriptions or resource groups to ensure that automatic key rotation is enabled for all keys within Azure Key Vaults.
Backout Plan:
To disable automatic key rotation if necessary:
Sign in to the Azure portal with appropriate permissions.
Navigate to Azure Key Vault:
In the Azure portal, go to Key Vaults and select the relevant Key Vault.
Go to Key Rotation Settings:
In the Settings section, click on Keys.
Disable Automatic Key Rotation:
Change the key rotation policy to Disabled or adjust the key rotation interval as required.
If the setting was enforced via Azure Policy, modify or remove the policy to allow the disabling of automatic key rotation.