Description:
Setting an expiration date for secrets stored in Azure Key Vault ensures that the secrets are automatically marked as expired after the specified date, providing an additional layer of control over sensitive data. This practice enforces a lifetime on each secret, so that secrets are periodically rotated, reducing the risk of using stale or compromised credentials.
This configuration applies to Non-RBAC Key Vaults (Key Vaults that do not use Role-Based Access Control (RBAC)), where access control is based on Access Policies. In these scenarios, it is important to ensure that secrets have defined expiration dates to automate the management of sensitive data.
Rationale:
By setting expiration dates on secrets, you minimize the risk of using outdated or insecure credentials. The automatic expiration of secrets reduces human error in managing keys and ensures that access credentials are rotated as needed. This helps meet security and compliance standards like SOC 2, HIPAA, GDPR, and PCI-DSS, which often require the management and periodic renewal of sensitive secrets.
Impact:
Automatically setting expiration dates for secrets ensures that no secrets are left indefinitely in the Key Vault without an expiration, improving the security and compliance of the vault. However, this requires that secret management policies (such as expiration intervals) are configured for each secret, which may introduce some administrative overhead to ensure that secrets are appropriately renewed or rotated.
Default Value:
By default, secrets in Azure Key Vault do not have an expiration date unless explicitly configured. The expiration date needs to be set manually or through automated policies.
Pre-requisites:
Azure Key Vault: Ensure that Key Vault instances exist, especially Non-RBAC Key Vaults.
Permissions: You need appropriate permissions to configure secrets in Azure Key Vault (e.g., Owner or Contributor role).
Expiration Date Configuration: Ensure that policies or automation are in place to set expiration dates for all secrets.
Remediation:
Audit:
To check if expiration dates are set for all secrets in a Non-RBAC Key Vault:
Sign in to the Azure portal using an account with appropriate permissions.
Navigate to the Azure Key Vault:
In the Azure portal, go to Key Vaults and select the relevant Key Vault.
Check Secrets:
In the Key Vault dashboard, go to Secrets under Settings.
Verify the Expiration Date for each secret. If expiration dates are missing, secrets should be updated to include them.
Automated Implementation:
To enforce that expiration dates are set for secrets in Non-RBAC Key Vaults, you can use Azure Policy together with Key Vault automation tools to manage secret expiration. Azure Key Vault has no built-in setting that assigns expiration dates on its own, but assignment can be automated via Azure Logic Apps or Azure Automation.
Automate Expiration Date Assignment using Azure Automation or Azure Logic Apps:
You can create an Azure Automation runbook or Logic App to periodically check the secrets in Key Vault and set or update their expiration dates.
Example of an Azure Logic App flow:
Get secrets from Key Vault.
For each secret, set expiration date (e.g., 90 days from creation or last update).
Update the secret metadata in Azure Key Vault.
Alternatively, Azure SDKs or Azure CLI can be used in a script to iterate over secrets and update the expiration date.
Set Expiration Date via Azure CLI: You can use the Azure CLI to set expiration dates for secrets:
az keyvault secret set --vault-name <YourKeyVaultName> --name <SecretName> --value <SecretValue> --expires <ExpirationDate>
Example:
az keyvault secret set --vault-name "MyKeyVault" --name "MySecret" --value "MySecretValue" --expires "2023-12-31T00:00:00Z"
Create an Azure Automation Runbook:
Use Azure Automation to create a runbook that automatically sets expiration dates on all secrets within Non-RBAC Key Vaults.
The script can be written in PowerShell or Python and scheduled to run periodically.
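The following script is an added example, not part of the original control text and not Microsoft's own tooling. It implements the logic that the Audit section, the Logic App flow above (set expiration 90 days from creation or last update) and the runbook step all describe: list the secrets, report those with no expiration date, and compute a new expiration for each. The decision rule is kept separate from the Azure SDK so it can be exercised offline against the constructed sample data below. The live path assumes the azure-keyvault-secrets and azure-identity packages (SecretClient, DefaultAzureCredential, list_properties_of_secrets, update_secret_properties) and a vault URL you supply; the 7-day grace period is this example's own choice, not part of the control, and exists so a secret that is already older than 90 days is not expired the moment the script runs.

```python
"""Audit and remediate Key Vault secrets that have no expiration date.

Example code added to this control, not the page's or Microsoft's code.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

MAX_LIFETIME = timedelta(days=90)   # the "90 days from creation or last update" rule
GRACE = timedelta(days=7)           # assumption: minimum runway for already-stale secrets


@dataclass
class SecretInfo:
    """The subset of secret metadata the rule needs (mirrors SecretProperties fields)."""
    name: str
    created_on: datetime
    updated_on: Optional[datetime] = None
    expires_on: Optional[datetime] = None


def find_missing_expiry(secrets: Iterable[SecretInfo]) -> List[str]:
    """Audit: names of secrets that have no expiration date, sorted for stable reports."""
    return sorted(s.name for s in secrets if s.expires_on is None)


def planned_expiry(secret: SecretInfo, now: datetime) -> datetime:
    """Expiration = last update (or creation) + 90 days, but never sooner than now + grace."""
    base = secret.updated_on or secret.created_on
    return max(base + MAX_LIFETIME, now + GRACE)


def plan_remediation(secrets: Iterable[SecretInfo], now: datetime) -> Dict[str, datetime]:
    """Map each non-compliant secret name to the expiration date it should receive."""
    return {s.name: planned_expiry(s, now) for s in secrets if s.expires_on is None}


def remediate_vault(vault_url: str, dry_run: bool = True,
                    now: Optional[datetime] = None) -> Dict[str, datetime]:
    """Live path (assumes azure-keyvault-secrets and azure-identity are installed).

    With dry_run=True only the plan is returned; with dry_run=False the latest
    version of each non-compliant secret gets its expires_on attribute set.
    """
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    client = SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())
    now = now or datetime.now(timezone.utc)
    infos = [SecretInfo(p.name, p.created_on, p.updated_on, p.expires_on)
             for p in client.list_properties_of_secrets()]
    plan = plan_remediation(infos, now)
    if not dry_run:
        for name, expires in plan.items():
            client.update_secret_properties(name, expires_on=expires)
    return plan


# Constructed sample data: three secrets as a vault listing might return them.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    SecretInfo("db-password", created_on=datetime(2024, 5, 15, tzinfo=timezone.utc)),
    SecretInfo("api-key", created_on=datetime(2023, 1, 10, tzinfo=timezone.utc),
               updated_on=datetime(2023, 2, 1, tzinfo=timezone.utc)),
    SecretInfo("cert-pass", created_on=datetime(2024, 1, 1, tzinfo=timezone.utc),
               expires_on=datetime(2025, 1, 1, tzinfo=timezone.utc)),
]


if __name__ == "__main__":
    print("Secrets without expiration:", find_missing_expiry(SAMPLE_SECRETS))
    for name, expires in plan_remediation(SAMPLE_SECRETS, NOW).items():
        print(f"  {name}: set expires_on = {expires.isoformat()}")
```

Run against the sample, db-password (created 2024-05-15) is planned for 2024-08-13, while api-key (last updated 2023-02-01, so more than 90 days old) is pushed to 2024-06-08 rather than a date in the past. Setting `expires_on` through `update_secret_properties` changes only the attribute of the existing version; the `az keyvault secret set` command shown above creates a new secret version because it also supplies `--value`, so for an existing secret the attribute-only equivalent is `az keyvault secret set-attributes --expires`.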
Backout Plan:
To disable expiration dates for secrets (not recommended from a security perspective):
Sign in to the Azure portal with appropriate permissions.
Navigate to the Azure Key Vault:
Go to Key Vaults in the Azure portal and select the relevant Key Vault.
Go to Secrets:
In the Settings section, click on Secrets.
Update Secret:
For each secret, remove the expiration date or change it to a longer duration if needed.
If automation was applied through Azure Logic Apps or Azure Automation, you can disable the runbook or Logic App.