Check for Azure Key Vault Keys Expiration Date

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: KeyVault-016

Check for Microsoft Azure Key Vault keys that are about to expire soon and rotate them by creating a new version of these keys. Prior to running this rule by the Cloud Conformity engine, the number of days before key expiration, when the key needs to be renewed, must be configured within the rule settings, on the Cloud Conformity account dashboard.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

The expiration date attribute configured for an encryption key identifies the expiration time after which the Azure Key Vault key must not be used anymore for cryptographic operations. By following the cloud security best practices, all Microsoft Azure Key Vault keys must have an explicit expiration time, so that these keys can be renewed once these reach the end of their assigned lifetime. To meet security and compliance requirements within your organization, the Azure Key Vault keys must be renewed prior to their expiration date.

Note: This conformity rule assumes that your Azure Key Vault encryption keys have an expiration date already configured.


Audit

To determine if there are any Azure Key Vault keys that are about to expire soon within your Azure cloud account, perform the following operations:

Using Azure Portal

01 Sign in to your Cloud Conformity account, access Check for Azure Key Vault Keys Expiration Date conformity rule settings and identify the number of days before key expiration, when the key needs to be renewed, configured for this rule.

02 Sign in to Azure Management Console.

03 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

04 From the Type filter box, select Key vault to list all Key Vault instances available in your Azure account.

05 Click on the name of the Key Vault instance that you want to examine.

06 In the navigation panel, under Settings, select Keys to access the encryption keys stored within the selected Key Vault.

07 Click on the name of the active cryptographic key that you want to examine. An active key has its STATUS set to Enabled.

08 On the selected key overview page, check the expiration date available in the Expiration Date column for the current (latest) version of the key. Based on the key expiration date and the value identified at step no. 1, determine if the encryption key needs to be renewed. If the selected Azure Key Vault cryptographic key is about to expire soon, follow the steps outlined in the Remediation/Resolution section to renew your key.

09 Repeat step no. 7 and 8 for each active key created in the selected Azure Key Vault.

10 Repeat steps no. 5 – 9 for each Microsoft Azure Key Vault instance available in the current subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity account, access Check for Azure Key Vault Keys Expiration Date conformity rule settings and identify the number of days (default is 30) before secret expiration. Use this value to configure the rule.

02 Run keyvault list command (Windows/macOS/Linux) using custom query filters to list the identifiers (names) of all Key Vault instances available in the current Azure subscription:

az keyvault list
	--query '[*].name'

03 The command output should return the requested Azure resource names:

[
  "cc-production-vault",
  "cc-main-key-vault",
  "cc-project5-vault"
]

04 Run keyvault key list command (Windows/macOS/Linux) using the name of the Azure Key Vault that you want to examine as identifier parameter and custom query filters to describe the cryptographic keys available within the selected vault:

az keyvault key list
	--vault-name cc-production-vault
	--output table
	--query '[*].{"kid":kid,"enabled":attributes.enabled}'

05 The command output should return the ID and the status of each encryption key available in the vault:

Kid                                                                           Enabled
---------------------------------------------------------------------------   -------
https://cc-production-vault.vault.azure.net/keys/cc-main-app-encryption-key   True
https://cc-production-vault.vault.azure.net/keys/cc-project5-encryption-key   False

06 Run keyvault key show command (Windows/macOS/Linux) using the ID of the active encryption key that you want to examine as identifier parameter and custom query filters to get the expiration date/time for the specified Azure Key Vault cryptographic key. An active encryption key has its status set to Enabled (i.e. Enabled: True):

az keyvault key show
	--id https://cc-production-vault.vault.azure.net/keys/cc-main-app-encryption-key
	--query '{"expires":attributes.expires}'

07 The command output should return the expiration date for the specified key as value for the "expires" attribute:

{
  "expires": "2020-01-31T11:00:39+00:00"
}

Based on the key expiration time returned as value for the "expires" attribute and the value identified at step no. 1, determine if the key needs to be renewed. If the selected Azure Key Vault key is about to expire soon, follow the steps presented in the Remediation/Resolution section to renew the key.

08 Repeat step no. 6 and 7 for each active encryption key available in the selected Azure Key Vault.

09 Repeat steps no. 4 – 8 for each Microsoft Azure Key Vault provisioned in the current Azure subscription.

10 Repeat steps no. 1 – 9 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To configure an expiration date for all your Microsoft Azure encryption keys in order to enforce periodic rotation, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Key vault to list all Key Vault instances available in your Azure account.

04 Click on the name of the Azure Key Vault instance that you want to access.

05 In the navigation panel, under Settings, select Keys to access the encryption keys stored in the selected Key Vault.

06 Click on the name of the active key that you want to reconfigure (see Audit section part I to identify the right key).

07 On the selected key overview page, in the CURRENT VERSION section, choose and open the current version of the encryption key.

08 On the selected key version page, within the Settings section, select Set expiration date? checkbox and use the date and time picker (DTP) controls to configure when the resource will become inactive. Click Save to apply the chosen expiration date and time to the specified cryptographic key.

09 Repeat steps no. 6 – 8 for each active encryption key that requires an expiration date, available in the selected Azure Key Vault.

10 Repeat steps no. 4 – 9 for each Microsoft Azure Key Vault instance within the current subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault key set-attributes command (Windows/macOS/Linux) using the ID of the active encryption key that you want to reconfigure as identifier parameter (see Audit section part II to identify the right key) and the --expires parameter to configure the expiration date/time for the specified Azure Key Vault cryptographic key. For example, the following command request sets the expiration time for an encryption key identified by the ID "https://cc-production-vault.vault.azure.net/keys/cc-main-app-encryption-key" to Friday, September 18, 2020 08:05:00 UTC:

az keyvault key set-attributes
	--id https://cc-production-vault.vault.azure.net/keys/cc-main-app-encryption-key
	--expires "2020-09-18T08:05:00Z"

02 The command output should return the metadata for the reconfigured Azure Key Vault encryption key:

{
  "attributes": {
    "created": "2019-09-18T08:03:07+00:00",
    "enabled": true,
    "expires": "2020-09-18T08:05:00+00:00",
    "notBefore": "2019-09-18T08:02:59+00:00",
    "recoveryLevel": "Purgeable",
    "updated": "2019-09-18T10:16:47+00:00"
  },
  "key": {
    "crv": null,
    "d": null,
    "dp": null,
    "dq": null,
    "e": "AQAB",
    "k": null,
    "keyOps": [
      "sign",
      "verify",
      "wrapKey",
      "unwrapKey",
      "encrypt",
      "decrypt"
    ],
    "kid": "https://cc-production-vault.vault.azure.net/keys/cc-main-app-encryption-key/0abcdabcdabcdabcdabcdabcdbabcdab",
    "kty": "RSA",
    "n": "...",
    "p": null,
    "q": null,
    "qi": null,
    "t": null,
    "x": null,
    "y": null
  },
  "managed": null,
  "tags": null
}

03 Repeat step no. 1 and 2 for each active encryption key that requires an expiration date/time, available in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Sep 20, 2019

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Check for Azure Key Vault Keys Expiration Date

Risk level: High