|   Trend Micro Cloud One™
Open menu

Set Encryption Key Expiration

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Risk level: Medium (should be achieved)
Rule ID: KeyVault-002

Ensure that all the encryption keys available within your Microsoft Azure Key Vault have an expiration time set in order to follow security best practices and promote encryption key rotation. The expiration attribute configured for an encryption key identifies the expiration date and time after which the key must not be used anymore for a cryptographic operations.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

Microsoft Azure Key Vault enables you to store and use encryption keys within your Azure cloud environment. By default, the encryption keys stored within a vault never expire. Therefore, Cloud Conformity highly recommends that you configure all your keys with an explicit expiration time, so that these keys can't be used beyond their assigned lifetime. This should significantly reduce the chance that a compromised key could be used without your knowledge to access valuable Azure cloud resources.

Audit

To determine if your Azure Key Vault encryption keys have an expiration time set, perform the following:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Key vault to list all Key Vault instances available in your Azure account.

04 Click on the name (link) of the Key Vault instance that you want to examine.

05 In the navigation panel, under Settings, select Keys to access the encryption keys stored within the selected Key Vault.

06 Click on the name of the active cryptographic key that you want to examine. An active encryption key has its STATUS set to Enabled.

07 On the selected key overview page, check the date available in the EXPIRATION DATE column for the current version of the key. If there is no date available in the EXPIRATION DATE column, the selected Azure Key Vault cryptographic key does not have an expiration time set.

08 Repeat step no. 6 and 7 for each active encryption key created in the selected Azure Key Vault.

09 Repeat steps no. 4 – 8 for each Microsoft Azure Key Vault instance available in the current subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault list command (Windows/macOS/Linux) using custom query filters to list the identifiers (names) of all Key Vault instances available in the current Azure subscription:

az keyvault list
	--query '[*].name'

02 The command output should return the requested Azure resource names:

[
  "cc-production-vault",
  "cc-main-key-vault",
  "cc-project5-vault"
]

03 Run keyvault key list command (Windows/macOS/Linux) using the name of the Azure Key Vault that you want to examine as identifier parameter and custom query filters to describe the cryptographic keys available within the selected vault:

az keyvault key list
	--vault-name cc-production-vault
	--output table
	--query '[*].{"kid":kid,"enabled":attributes.enabled}'

04 The command output should return the ID and the status of each encryption key available in the vault:

Kid                                                                           Enabled
---------------------------------------------------------------------------   -------
https://cc-production-vault.vault.azure.net/keys/cc-main-app-encryption-key   True
https://cc-production-vault.vault.azure.net/keys/cc-project5-encryption-key   False

05 Run keyvault key show command (Windows/macOS/Linux) using the ID of the active encryption key that you want to examine as identifier parameter and custom query filters to get the expiration date/time for the specified Azure Key Vault cryptographic key. An active encryption key has its status set to Enabled (i.e. Enabled: True):

az keyvault key show
	--id https://cc-production-vault.vault.azure.net/keys/cc-main-app-encryption-key
	--query '{"expires":attributes.expires}'

06 The command output should return the expiration date for the specified key as value for the "expires" attribute:

{
  "expires": null
}

If the command output returns null as value for the "expires" attribute, as shown in the example above, the selected Azure Key Vault encryption key does not have an expiration date configured.

07 Repeat step no. 5 and 6 for each active encryption key available in the selected Azure Key Vault.

08 Repeat steps no. 3 – 7 for each Microsoft Azure Key Vault provisioned in the current Azure subscription.

09 Repeat steps no. 1 – 8 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To configure an expiration date for all your Microsoft Azure encryption keys in order to enforce periodic rotation, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Key vault to list all Key Vault instances available in your Azure account.

04 Click on the name of the Azure Key Vault instance that you want to access.

05 In the navigation panel, under Settings, select Keys to access the encryption keys stored in the selected Key Vault.

06 Click on the name of the active key that you want to reconfigure (see Audit section part I to identify the right key).

07 On the selected key overview page, in the CURRENT VERSION section, choose and open the current version of the encryption key.

08 On the selected key version page, within the Settings section, select Set expiration date? checkbox and use the date and time picker (DTP) controls to configure when the resource will become inactive. Click Save to apply the chosen expiration date and time to the specified cryptographic key.

09 Repeat steps no. 6 – 8 for each active encryption key that requires an expiration date, available in the selected Azure Key Vault.

10 Repeat steps no. 4 – 9 for each Microsoft Azure Key Vault instance within the current subscription.

11 Repeat steps no. 3 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run keyvault key set-attributes command (Windows/macOS/Linux) using the ID of the active encryption key that you want to reconfigure as identifier parameter (see Audit section part II to identify the right key) and the --expires parameter to configure the expiration date/time for the specified Azure Key Vault cryptographic key. For example, the following command request sets the expiration time for an encryption key identified by the ID "https://cc-production-vault.vault.azure.net/keys/cc-main-app-encryption-key" to Friday, September 18, 2020 08:05:00 UTC:

az keyvault key set-attributes
	--id https://cc-production-vault.vault.azure.net/keys/cc-main-app-encryption-key
	--expires "2020-09-18T08:05:00Z"

02 The command output should return the metadata for the reconfigured Azure Key Vault encryption key:

{
  "attributes": {
    "created": "2019-09-18T08:03:07+00:00",
    "enabled": true,
    "expires": "2020-09-18T08:05:00+00:00",
    "notBefore": "2019-09-18T08:02:59+00:00",
    "recoveryLevel": "Purgeable",
    "updated": "2019-09-18T10:16:47+00:00"
  },
  "key": {
    "crv": null,
    "d": null,
    "dp": null,
    "dq": null,
    "e": "AQAB",
    "k": null,
    "keyOps": [
      "sign",
      "verify",
      "wrapKey",
      "unwrapKey",
      "encrypt",
      "decrypt"
    ],
    "kid": "https://cc-production-vault.vault.azure.net/keys/cc-main-app-encryption-key/0abcdabcdabcdabcdabcdabcdbabcdab",
    "kty": "RSA",
    "n": "...",
    "p": null,
    "q": null,
    "qi": null,
    "t": null,
    "x": null,
    "y": null
  },
  "managed": null,
  "tags": null
}

03 Repeat step no. 1 and 2 for each active encryption key that requires an expiration date/time, available in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

References

Publication date Sep 20, 2019

Unlock the Remediation Steps

Gain free unlimited access to our full Knowledge Base


Over 600 rules & best practices for and

Get started for FREE

A verification email will be sent to this address
We keep your information private. Learn more.

Thank you!

Please click the link in the confirmation email sent to

You are auditing:

Set Encryption Key Expiration

Risk level: Medium