Description

Setting an Expiration Date on keys in Azure Key Vaults that use the access policy permission model (Non-RBAC vaults) gives every cryptographic key used for encryption, decryption, signing and wrapping a defined lifetime. A bounded lifetime limits how long a stale or compromised key can keep being used and is required by most security policies and regulations. Key Vault enforces the expiration date on cryptographic operations: once a key has expired it is refused for operations that create new protected data, such as encrypt, wrap and sign, while decrypt, unwrap and verify remain available so that existing data can still be recovered. Workloads must therefore be moved to a new key version or a replacement key before the expiration date, or they will start failing at that point.

Rationale

Defining an expiration date forces sensitive key material to be rotated on a schedule instead of being retained indefinitely, and it narrows the window in which a leaked or compromised key can be abused. Automatic expiration also improves operational hygiene, because old keys cannot silently remain in use. It is particularly important for compliance with security and regulatory frameworks such as SOC 2, HIPAA, GDPR and NIST guidance (for example the cryptoperiod recommendations in NIST SP 800-57), which call for periodic key rotation or expiration.

Impact: 

Setting expiration dates on keys enforces proper key management, but it only works if something acts on them: applications and services that use the keys must be switched to a new key or key version before the old one expires, otherwise their encrypt, wrap and sign calls will start failing on that date. Plan for the rotation workflow (monitoring upcoming expirations, creating new versions, updating consumers), adjust key usage policies accordingly, and budget for the operational overhead this adds.

Default Value

By default, keys in Azure Key Vault have no expiration date unless one is supplied when the key is created or set afterwards. The expiration date must be set manually, through scripts, or through a Key Vault key rotation policy, which can stamp an expiry on each newly rotated key version. Azure Policy can audit or deny keys that lack an expiration date but cannot set one.

Pre-requisites:

  • Azure Key Vault (Non-RBAC): Ensure that the Key Vault uses the access policy permission model rather than Azure RBAC and contains keys.

  • Permissions: The Owner or Contributor role on the vault lets you manage access policies, but reading and updating key attributes is a data-plane operation. The identity that runs the audit or remediation therefore also needs an access policy granting the key permissions Get, List and Update on each vault in scope.

  • Key Expiration Policy: Ensure that a policy or automation process is in place to periodically set expiration dates for all keys.

Remediation:

Audit:

To check if the Expiration Date is set for all keys in Non-RBAC Key Vaults:

  1. Sign in to the Azure portal using an account with appropriate permissions.

  2. Navigate to the Azure Key Vault:

    • Go to Key Vaults in the Azure portal and select the relevant Key Vault.

  3. Check Keys:

    • In the Key Vault dashboard, go to Keys under Settings.

    • For each key, check whether an Expiration Date is set. If it is missing, update the key to include one. A key whose expiration date has already passed without a newer version is also a finding, because consumers are either failing or using a stale key.

Automated Implementation:

To ensure Expiration Dates are set for all keys in Non-RBAC Key Vaults, you can use Azure Automation or Azure Logic Apps to automate the process. Azure Policy cannot set expiration dates for keys: the built-in definition "Key Vault keys should have an expiration date" can only audit existing keys or deny the creation of new keys without one, so it is useful for detection and prevention but not for fixing existing keys. Use Azure Automation runbooks, Logic Apps or Azure CLI scripts for the remediation itself.

  1. Automate Expiration Date Assignment using Azure Automation or Azure Logic Apps:

    • You can create an Azure Automation runbook or Logic App to periodically check the keys in Key Vault and set or update their expiration dates.

    • Example of an Azure Logic App flow:

      1. Get keys from Key Vault.

      2. For each key, set expiration date (e.g., 90 days from creation or last update).

      3. Update the key attributes in Azure Key Vault.

  2. Set Expiration Date via Azure CLI: Use az keyvault key set-attributes to update an existing key (there is no az keyvault key set command; when creating a new key or key version, pass --expires to az keyvault key create instead):

az keyvault key set-attributes --vault-name <YourKeyVaultName> --name <KeyName> --expires <ExpirationDate>

 Example (the date is UTC in Y-m-dTH:M:SZ form):

az keyvault key set-attributes --vault-name "MyKeyVault" --name "MyKey" --expires "2023-12-31T00:00:00Z"

  3. Create an Azure Automation Runbook:

    • Use Azure Automation to create a runbook that periodically sets expiration dates for all keys within Non-RBAC Key Vaults.

    • The script can be written in PowerShell or Python and scheduled to run periodically. The runbook's managed identity needs an access policy with the Get, List and Update key permissions on each vault.

Example PowerShell Script for key expiration (Az.KeyVault module; Update-AzKeyVaultKey is the cmdlet that changes key attributes):

$keyVaultName = "MyKeyVault"
$lifetimeDays = 90   # policy choice: lifetime granted to keys that have none
$keys = Get-AzKeyVaultKey -VaultName $keyVaultName
foreach ($key in $keys) {
    # Only stamp keys that have no expiry; re-running must not push existing expiries further out
    if ($null -eq $key.Expires) {
        $expirationDate = (Get-Date).ToUniversalTime().AddDays($lifetimeDays)
        Update-AzKeyVaultKey -VaultName $keyVaultName -Name $key.Name -Expires $expirationDate
        Write-Output "Set expiration on $($key.Name) to $expirationDate"
    }
}
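The audit check from the Audit section and the CLI remediation above can be driven from a single script. The following Python is an added example, not code from this page or from Microsoft's tooling. It consumes the JSON that az keyvault key list --vault-name <vault> -o json prints (the item shape with name, kid and attributes.expires is an assumption about the CLI output, and the data below is a constructed sample rather than a real vault listing), classifies each key as missing an expiry, already expired, or expiring further out than a chosen maximum lifetime, and prints the exact az keyvault key set-attributes command for each key that can be fixed in place. The vault name, the 90-day default lifetime, the 365-day maximum and the fixed audit timestamp are all assumptions chosen for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Fixed audit time so the run is reproducible; a real run would use
# datetime.now(timezone.utc).
AUDIT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)
VAULT_NAME = "MyKeyVault"         # hypothetical vault, as in the page's examples
DEFAULT_LIFETIME_DAYS = 90        # policy choice: lifetime granted to keys lacking one
MAX_LIFETIME_DAYS = 365           # policy choice: flag expiries further out than this

# Constructed sample in the shape of `az keyvault key list --vault-name MyKeyVault -o json`
# (assumed item shape: "name", "kid" and "attributes" with an ISO-8601 "expires" or null).
# Not data from a real vault.
SAMPLE_KEY_LIST = json.dumps([
    {"name": "app-encryption-key",
     "kid": "https://mykeyvault.vault.azure.net/keys/app-encryption-key",
     "attributes": {"enabled": True, "expires": None,
                    "created": "2024-01-10T09:00:00+00:00"}},
    {"name": "signing-key",
     "kid": "https://mykeyvault.vault.azure.net/keys/signing-key",
     "attributes": {"enabled": True, "expires": "2024-03-01T00:00:00+00:00"}},
    {"name": "legacy-key",
     "kid": "https://mykeyvault.vault.azure.net/keys/legacy-key",
     "attributes": {"enabled": True, "expires": "2030-01-01T00:00:00Z"}},
    {"name": "tenant-kek",
     "kid": "https://mykeyvault.vault.azure.net/keys/tenant-kek",
     "attributes": {"enabled": True, "expires": "2024-09-15T00:00:00+00:00"}},
])


def parse_expiry(value):
    """Turn the CLI's ISO-8601 expiry string (or null) into an aware UTC datetime."""
    if value is None:
        return None
    # fromisoformat() on Python < 3.11 does not accept a trailing 'Z'
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def audit_keys(key_list_json, now=AUDIT_TIME, max_lifetime_days=MAX_LIFETIME_DAYS):
    """Return {key_name: status} for every key that fails the expiry check.

    Statuses: "missing" (no expiry set), "expired" (expiry <= now),
    "too_far" (expiry beyond max_lifetime_days). Compliant keys are omitted.
    """
    findings = {}
    for item in json.loads(key_list_json):
        name = item["name"]
        expires = parse_expiry(item.get("attributes", {}).get("expires"))
        if expires is None:
            findings[name] = "missing"
        elif expires <= now:
            findings[name] = "expired"
        elif expires - now > timedelta(days=max_lifetime_days):
            findings[name] = "too_far"
    return findings


def az_expiry_arg(when):
    """Format a datetime the way --expires expects it: Y-m-dTH:M:SZ in UTC."""
    return when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def remediation_commands(vault_name, findings, now=AUDIT_TIME,
                         lifetime_days=DEFAULT_LIFETIME_DAYS):
    """Emit one Azure CLI command (or an action note) per finding, sorted by key name."""
    new_expiry = az_expiry_arg(now + timedelta(days=lifetime_days))
    commands = []
    for name, status in sorted(findings.items()):
        if status in ("missing", "too_far"):
            commands.append(
                f"az keyvault key set-attributes --vault-name {vault_name} "
                f"--name {name} --expires {new_expiry}")
        else:
            # Extending the expiry of an already-expired key defeats the control;
            # the fix is a new key version that consumers are repointed to.
            commands.append(f"# {name} is expired: create a new key version with "
                            f"--expires and repoint consumers, do not extend it")
    return commands


if __name__ == "__main__":
    found = audit_keys(SAMPLE_KEY_LIST)
    for line in remediation_commands(VAULT_NAME, found):
        print(line)
```

To run it against a real vault, replace SAMPLE_KEY_LIST with the output of the az keyvault key list command and AUDIT_TIME with datetime.now(timezone.utc); review the printed commands before executing them, since the identity running them needs the Update key permission on the vault. The "too_far" status is a policy choice rather than a Key Vault rule: a key with an expiry decades away satisfies a literal "has an expiration date" check while giving none of the rotation benefit the control is meant to deliver.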

Backout Plan:

To disable expiration dates for keys (not recommended from a security perspective):

  1. Sign in to the Azure portal with appropriate permissions.

  2. Navigate to the Azure Key Vault:

    • Go to Key Vaults in the Azure portal and select the relevant Key Vault.

  3. Go to Keys:

    • In the Settings section, click on Keys.

  4. Update Key:

    • For each key, remove the expiration date or set it to a longer duration if needed.

If automation was applied through Azure Logic Apps or Azure Automation, you can disable the runbook or Logic App.

References: