Check for Azure Key Vault Secrets Expiration Date

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: KeyVault-015

Check for Microsoft Azure Key Vault secrets that are about to expire and rotate them by creating a new secret version. Before the Cloud Conformity engine runs this rule, the number of days before expiration at which a secret must be renewed has to be configured in the rule settings on the Cloud Conformity account dashboard.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

The expiration date attribute of an Azure Key Vault secret identifies the time after which the secret is no longer valid: Key Vault refuses to return an expired secret, so any workload that still depends on it (a password, a database connection string, an API token) fails at that moment. Following Azure security best practices, every Key Vault secret should have an explicit expiration date so that its lifetime is bounded and it is renewed when it reaches the end of that lifetime. To avoid outages and to meet your organization's security and compliance requirements, secrets must be renewed before, not after, their expiration date.

Note: This conformity rule assumes that the Azure Key Vault secrets being evaluated already have an expiration date configured. A secret without an expiration date cannot be evaluated against the renewal window and must be handled separately.


Audit

To determine if there are any Azure Key Vault secrets that are about to expire soon within your Azure account, perform the following actions:

Using Azure Portal

01 Sign in to your Cloud Conformity account, access the Check for Azure Key Vault Secrets Expiration Date conformity rule settings and note the renewal window configured for this rule, i.e. the number of days before expiration (default is 30) at which a secret must be renewed.

02 Sign in to Azure Management Console.

03 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

04 From the Type filter box, select Key vault to list all Key Vault instances available in your Azure account.

05 Click on the name of the Key Vault that you want to examine.

06 In the navigation panel, under Settings, select Secrets to access the secrets stored within the selected Key Vault.

07 Click on the name of the active secret that you want to examine. An active secret has its STATUS set to Enabled.

08 On the selected secret overview page, check the expiration date available in the Expiration Date column for the current version of the secret. Based on the secret expiration date and the value identified at step no. 1, determine if the secret needs to be renewed. If the selected Azure Key Vault secret is about to expire soon, follow the steps presented in the Remediation/Resolution section to renew the secret.

09 Repeat step no. 7 and 8 for each active secret created in the selected Azure Key Vault.

10 Repeat steps no. 5 – 9 for each Microsoft Azure Key Vault instance available in the current subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Sign in to your Cloud Conformity account, access the Check for Azure Key Vault Secrets Expiration Date conformity rule settings and note the renewal window configured for this rule, i.e. the number of days before expiration (default is 30) at which a secret must be renewed.

02 Run keyvault list command (Windows/macOS/Linux) using custom query filters to list the names of all Key Vault instances available in the current Azure subscription:

az keyvault list
	--query '[*].name'

03 The command output should return the requested Microsoft Azure resource names:

[
  "cc-prod-app-vault",
  "cc-main-app-vault"
]

04 Run keyvault secret list command (Windows/macOS/Linux) using the name of the Azure Key Vault that you want to examine as identifier parameter and custom query filters to describe the secrets available in the selected vault:

az keyvault secret list
	--vault-name cc-prod-app-vault
	--output table
	--query '[*].{"Id":id,"Enabled":attributes.enabled}'

05 The command output should return the ID of each secret available in the selected vault and the value of the Enabled attribute. An active secret has the Enabled attribute value set to True:

Id                                                                     Enabled
--------------------------------------------------------------------   -------
https://cc-prod-app-vault.vault.azure.net/secrets/cc-sql-db-password   True
https://cc-prod-app-vault.vault.azure.net/secrets/cc-api-auth-string   True

06 Run keyvault secret show command (Windows/macOS/Linux) using the ID of the active secret that you want to examine as identifier parameter and custom query filters to get the expiration date for the specified Azure Key Vault secret. (The list output from step no. 4 already carries attributes.expires for every secret, so you can also add "Expires":attributes.expires to that query and skip the per-secret lookup.)

az keyvault secret show
	--id https://cc-prod-app-vault.vault.azure.net/secrets/cc-sql-db-password
	--query '{"expires":attributes.expires}'

07 The command output should return the expiration date for the specified secret as value for the "expires" attribute:

{
  "expires": "2020-01-31T11:00:39+00:00"
}

Based on the secret expiration time returned as value for the "expires" attribute and the value identified at step no. 1, determine if the secret needs to be renewed. If the selected Azure Key Vault secret is about to expire soon, follow the steps presented in the Remediation/Resolution section to renew the secret.

08 Repeat step no. 6 and 7 for each active secret created within the current Azure Key Vault.

09 Repeat steps no. 4 – 8 for each Microsoft Azure Key Vault provisioned in the current Azure subscription.

10 Repeat steps no. 2 – 9 for each subscription created in your Microsoft Azure cloud account, selecting each one first with az account set --subscription.
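The Audit procedure above, automated for one vault, as an added example that is not part of the original Cloud Conformity page or the Azure CLI. The script consumes the JSON that az keyvault secret list --vault-name <vault> prints; because that output already includes attributes.expires, a whole vault is classified from a single CLI call rather than one secret show per secret. The embedded sample list is constructed to mimic that output, the vault and secret names are hypothetical, and the renewal window is the value taken from the rule settings in step no. 1.

```python
"""Audit one Key Vault's secrets against a renewal window.

Added example; it is not part of the original Cloud Conformity page or the
Azure CLI. It consumes the JSON that `az keyvault secret list --vault-name
<vault>` prints. That output already carries attributes.expires for every
secret, so the whole vault is classified from one CLI call instead of one
`secret show` per secret. The sample list below is constructed to mimic that
output; the vault and secret names are hypothetical.
"""
import json
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `az keyvault secret list` output.
SAMPLE_SECRET_LIST = json.loads("""
[
  {"id": "https://cc-prod-app-vault.vault.azure.net/secrets/cc-sql-db-password",
   "attributes": {"enabled": true, "expires": "2020-01-31T11:00:39+00:00"}},
  {"id": "https://cc-prod-app-vault.vault.azure.net/secrets/cc-api-auth-string",
   "attributes": {"enabled": true, "expires": "2020-06-30T00:00:00+00:00"}},
  {"id": "https://cc-prod-app-vault.vault.azure.net/secrets/cc-legacy-token",
   "attributes": {"enabled": true, "expires": "2019-12-01T00:00:00+00:00"}},
  {"id": "https://cc-prod-app-vault.vault.azure.net/secrets/cc-no-expiry",
   "attributes": {"enabled": true, "expires": null}},
  {"id": "https://cc-prod-app-vault.vault.azure.net/secrets/cc-retired",
   "attributes": {"enabled": false, "expires": "2020-01-15T00:00:00+00:00"}}
]
""")


def parse_kv_time(value):
    """Parse the timestamps the CLI prints, e.g. 2020-01-31T11:00:39+00:00 or ...Z."""
    if value is None:
        return None
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_secret(secret, threshold_days, now):
    """Classify one list entry as disabled, no-expiry, expired, expiring or ok."""
    now = parse_kv_time(now)
    attrs = secret.get("attributes") or {}
    if not attrs.get("enabled", False):
        return "disabled"        # inactive secrets are outside the rule's scope
    expires = parse_kv_time(attrs.get("expires"))
    if expires is None:
        return "no-expiry"       # the rule assumes an expiry exists; report it anyway
    remaining = expires - now
    if remaining <= timedelta(0):
        return "expired"         # Key Vault will no longer return this secret
    if remaining <= timedelta(days=threshold_days):
        return "expiring"        # inside the renewal window: rotate now
    return "ok"


def audit_secrets(secrets, threshold_days, now=None):
    """Group secret ids by classification for one vault's `secret list` output."""
    now = parse_kv_time(now) or datetime.now(timezone.utc)
    report = {k: [] for k in ("expired", "expiring", "no-expiry", "ok", "disabled")}
    for secret in secrets:
        report[classify_secret(secret, threshold_days, now)].append(secret["id"])
    return report


def list_vault_secrets(vault_name):
    """Live variant: pull the list from an authenticated `az` session."""
    proc = subprocess.run(
        ["az", "keyvault", "secret", "list", "--vault-name", vault_name,
         "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # A fixed "today" so the constructed sample gives a reproducible report.
    report = audit_secrets(SAMPLE_SECRET_LIST, 30, "2020-01-10T00:00:00+00:00")
    for status, ids in report.items():
        for secret_id in ids:
            print(f"{status:10} {secret_id}")
```

To audit a real vault, replace SAMPLE_SECRET_LIST with list_vault_secrets("cc-prod-app-vault") after az login and az account set --subscription for the subscription in question, and loop over the names returned by az keyvault list. The "expired" and "no-expiry" buckets are reported alongside "expiring" because both need action even though only the last one is what this rule flags.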

Remediation / Resolution

To renew the Microsoft Azure Key Vault secrets that are about to expire soon, available in your Azure cloud account, perform the following actions:

Using Azure Portal

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Key vault to list all Key Vault instances available in your Azure account.

04 Click on the name of the Azure Key Vault instance that you want to access.

05 In the navigation panel, under Settings, select Secrets to access the secrets stored within the selected Key Vault.

06 Click on the name of the active secret that you want to renew (see Audit section part I to identify the right secret).

07 On the selected secret overview page, click on the New version button from the dashboard top menu to initiate the setup process.

08 On the Create a secret page, perform the following operations:

  1. For Upload options, select Manual to manually create a new secret version.
  2. Enter the secret value in the Value box. The Azure Management Console (Portal) currently supports only single-line secret values.
  3. (Optional) Provide the type of the content for the secret value in the Content type (optional) box.
  4. Select Set activation date? checkbox and use the date and time picker (DTP) controls to set up the date and time when the secret will become active.
  5. Select Set expiration date? checkbox and use the date and time picker (DTP) controls to configure when the secret will become inactive.
  6. Select Yes for Enabled? to enable the new secret version upon creation.
  7. Click Create to create a new version for the selected Azure Key Vault secret. Once created, the new version becomes the current version of the secret, the one returned when the secret is requested without an explicit version identifier. Applications that cached the old value, or that reference a specific version, must be updated to use the new one; the previous version remains retrievable by its version identifier until it expires or is disabled.

09 If required, repeat steps no. 6 – 8 to renew other Azure Key Vault secrets that are about to expire soon, available in the selected Azure Key Vault.

10 Repeat steps no. 4 – 9 for each Microsoft Azure Key Vault instance created in the current subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault secret show command (Windows/macOS/Linux) using the ID of the active secret that you want to renew as identifier parameter (see Audit section part II to identify the right secret) to describe the configuration metadata for the selected secret. Note that without a query filter this command prints the secret value in plaintext to the terminal; if you only need the metadata, add --query attributes:

az keyvault secret show
	--id https://cc-prod-app-vault.vault.azure.net/secrets/cc-sql-db-password

02 The command output should return the requested configuration metadata. This information will be used later to create a new version of the selected secret:

{
  "attributes": {
    "created": "2019-01-31T12:03:40+00:00",
    "enabled": true,
    "expires": "2020-01-31T11:00:39+00:00",
    "notBefore": "2019-01-31T12:03:15+00:00",
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2019-01-31T12:03:40+00:00"
  },
  "contentType": null,
  "id": "https://cc-prod-app-vault.vault.azure.net/secrets/cc-sql-db-password/abcdabcdabcdabcdabcdabcdabcdabcd",
  "kid": null,
  "managed": null,
  "tags": null,
  "value": "sqldbpasswd01"
}

03 Run keyvault secret set command (Windows/macOS/Linux) using the name of the secret that you want to renew as identifier parameter and the configuration information returned at the previous step to create a new version of the selected Azure Key Vault secret. If a secret with that name already exists, the Azure Key Vault service creates a new version of it. Storing the old value again, as in the example below, only extends the lifetime of the same credential; to actually rotate a secret that is a credential for another system (for example a database password), generate a new credential, change it in that system, and store the new value. Prefer --file over a literal --value so the secret is not recorded in your shell history:

az keyvault secret set
	--name cc-sql-db-password
	--vault-name cc-prod-app-vault
	--value sqldbpasswd01
	--not-before "2020-01-31T11:00:39Z"
	--expires "2021-01-31T11:00:39Z"
	--disabled false

04 The command output should return the metadata for the new Azure Key Vault secret version:

{
  "attributes": {
    "created": "2020-01-31T12:15:58+00:00",
    "enabled": true,
    "expires": "2021-01-31T11:00:39+00:00",
    "notBefore": "2020-01-31T11:00:39+00:00",
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2020-01-31T12:15:58+00:00"
  },
  "contentType": null,
  "id": "https://cc-prod-app-vault.vault.azure.net/secrets/cc-sql-db-password/1234abcd1234abcd1234abcd1234abcd",
  "kid": null,
  "managed": null,
  "tags": {
    "file-encoding": "utf-8"
  },
  "value": "sqldbpasswd01"
}

05 If required, repeat step no. 3 and 4 to renew other Azure Key Vault secrets that are about to expire soon, available in the selected Azure Key Vault.

06 Repeat steps no. 1 – 5 for each Microsoft Azure Key Vault instance deployed within the current subscription.

07 Repeat steps no. 1 – 6 for each subscription created in your Microsoft Azure cloud account.
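The Remediation procedure above, expressed as a rotation plan, as an added example that is not part of the original Cloud Conformity page or the Azure CLI. It builds the az keyvault secret set invocation from a lifetime policy (activation now, expiry now plus the lifetime), generates a fresh value instead of re-storing the expiring one, places the cut-over of the backing system and its consumers between creating the new version and retiring the old one, and disables the previous version with az keyvault secret set-attributes. Nothing is executed unless run_plan() is called with an authenticated az session; the vault, secret and version identifiers are hypothetical.

```python
"""Plan the rotation of one Key Vault secret that is inside the renewal window.

Added example; it is not part of the original Cloud Conformity page or the
Azure CLI. It builds the `az keyvault secret set` and
`az keyvault secret set-attributes` invocations from a lifetime policy,
generates a fresh value instead of re-storing the old one, and puts the
consumer cut-over between creating the new version and disabling the old one.
Nothing runs unless run_plan() is called with an authenticated `az`. Vault,
secret and version identifiers are hypothetical.
"""
import secrets
import subprocess
from datetime import datetime, timedelta, timezone

# Timestamp format accepted by --not-before / --expires.
KV_TIME = "%Y-%m-%dT%H:%M:%SZ"


def _as_utc(value):
    """Accept None (now), a datetime, or an ISO 8601 string ending in Z/+00:00."""
    if value is None:
        return datetime.now(timezone.utc)
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def new_secret_value(nbytes=32):
    """A fresh random credential; the expiring value is never reused."""
    return secrets.token_urlsafe(nbytes)


def plan_rotation(vault_name, secret_name, lifetime_days,
                  old_version_id=None, now=None, value=None):
    """Return the ordered steps for one rotation.

    Each step is ("az", argv) for a CLI call or ("manual", text) for work that
    happens outside Key Vault, such as changing the password in the database
    the secret protects. Unless that system accepts two live credentials,
    there is a short window between the "set" and the cut-over in which
    consumers may read a value the system does not accept yet.
    """
    now = _as_utc(now)
    not_before = now.strftime(KV_TIME)
    expires = (now + timedelta(days=lifetime_days)).strftime(KV_TIME)
    value = value or new_secret_value()
    steps = [
        # Same name, new value: Key Vault creates a new version and makes it current.
        ("az", ["az", "keyvault", "secret", "set",
                "--vault-name", vault_name, "--name", secret_name,
                "--value", value,
                "--not-before", not_before, "--expires", expires]),
        ("manual", f"Set the new credential on the system {secret_name} belongs to "
                   f"and restart or reconfigure every consumer of {secret_name}."),
    ]
    if old_version_id:
        # Retire the previous version once nothing reads it any more.
        steps.append(("az", ["az", "keyvault", "secret", "set-attributes",
                             "--id", old_version_id, "--enabled", "false"]))
    return {"not_before": not_before, "expires": expires,
            "value": value, "steps": steps}


def run_plan(plan, confirm=input):
    """Execute the plan, pausing for the manual steps (needs `az login` first)."""
    for kind, payload in plan["steps"]:
        if kind == "manual":
            confirm(f"{payload} Press Enter when done. ")
        else:
            # argv keeps the value out of shell history; it is still briefly
            # visible in the process list, so --file is the stricter option.
            subprocess.run(payload, check=True)


if __name__ == "__main__":
    plan = plan_rotation(
        "cc-prod-app-vault", "cc-sql-db-password", lifetime_days=365,
        old_version_id="https://cc-prod-app-vault.vault.azure.net/secrets/"
                       "cc-sql-db-password/abcdabcdabcdabcdabcdabcdabcdabcd")
    for kind, payload in plan["steps"]:
        if kind == "manual":
            print("manual:", payload)
        else:  # never echo the generated value
            print("az:    ", " ".join("<new-value>" if a == plan["value"] else a
                                      for a in payload))
```

With now set to the old expiry from the page, 2020-01-31T11:00:39Z, a 365-day lifetime yields an expiry of 2021-01-30T11:00:39Z rather than the 2021-01-31 used in the page's command, because 2020 is a leap year; compute expiries from a day count (or a calendar rule) deliberately instead of editing the year by hand.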

Publication date Sep 20, 2019
