Azure Key Vault secrets do not have an expiration date
Description
Azure Key Vault (AKV) lets users store and manage secrets within the Microsoft Azure environment. Secrets in AKV are octet sequences with a maximum size of 25k bytes each. The exp (expiration time) attribute identifies the time on or after which the secret must not be used. By default, secrets do not expire. We recommend rotating secrets in the key vault and setting an explicit expiration time on every secret, so that a secret cannot be used beyond its assigned lifetime.
Code Example
```terraform
resource "azurerm_key_vault_secret" "example" {
  ...
+ expiration_date = "2020-12-30T20:00:00Z"
}
```
Remediation
- Azure Portal: To change the policy using the Azure Portal, follow these steps:
  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Navigate to **Key vaults**.
  3. For each Key vault:
     a) Click **Secrets**.
     b) Navigate to **Settings**.
     c) Set **Enabled?** to **Yes**.
     d) Set an appropriate **EXPIRATION DATE** on all secrets.
- CLI Command: To set an **EXPIRATION DATE**, run the following command for each secret (the `--expires` value is a UTC timestamp in the form Y-m-d'T'H:M:S'Z'):

```shell
az keyvault secret set-attributes --name <secretName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z'
```
Fix - Buildtime Terraform
- Resource: azurerm_key_vault_secret
- Arguments: expiration_date
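The Terraform fix above can be checked before deployment. The following Python scanner is an added example, not the page's or Checkov's own code: it finds every `azurerm_key_vault_secret` resource in a Terraform file and reports whether `expiration_date` is missing (the finding this rule reports), malformed (not in the Y-m-d'T'H:M:S'Z' layout the page uses), already in the past, or acceptable. The block-matching regex, the `check_secrets` and `parse_expiration` helpers and the `SAMPLE_HCL` input are assumptions constructed for this example; the scanner only handles flat resource blocks without nested braces.

```python
"""Added example (not part of the original page or of Checkov): a minimal
scanner for azurerm_key_vault_secret resources lacking a valid expiration_date.
The HCL handling is a regex-based block scanner for flat resource blocks,
not a full HCL parser."""
import re
from datetime import datetime, timezone

# Matches: resource "azurerm_key_vault_secret" "<name>" { ... }
# Assumes the body contains no nested braces (true for the page's example).
_RESOURCE_RE = re.compile(
    r'resource\s+"azurerm_key_vault_secret"\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}',
    re.DOTALL,
)
_EXPIRATION_RE = re.compile(r'^\s*expiration_date\s*=\s*"(?P<value>[^"]*)"', re.MULTILINE)

# Same layout as the value used on the page: Y-m-d'T'H:M:S'Z' (UTC).
_TIMESTAMP_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_expiration(value):
    """Return an aware UTC datetime, or None if the string is not in the expected layout."""
    try:
        return datetime.strptime(value, _TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def check_secrets(hcl, now=None):
    """Return a list of (resource_name, status) for every azurerm_key_vault_secret.

    status is one of:
      "PASS"      - expiration_date present, well-formed and in the future
      "MISSING"   - no expiration_date argument (what this rule reports)
      "MALFORMED" - expiration_date present but not Y-m-dTH:M:SZ
      "EXPIRED"   - expiration_date is already in the past
    """
    now = now or datetime.now(timezone.utc)
    results = []
    for match in _RESOURCE_RE.finditer(hcl):
        name, body = match.group("name"), match.group("body")
        exp = _EXPIRATION_RE.search(body)
        if exp is None:
            results.append((name, "MISSING"))
            continue
        when = parse_expiration(exp.group("value"))
        if when is None:
            results.append((name, "MALFORMED"))
        elif when <= now:
            results.append((name, "EXPIRED"))
        else:
            results.append((name, "PASS"))
    return results


# Constructed sample Terraform for the example; not from any real deployment.
SAMPLE_HCL = '''
resource "azurerm_key_vault_secret" "no_expiry" {
  name         = "db-password"
  value        = "placeholder"
  key_vault_id = azurerm_key_vault.example.id
}

resource "azurerm_key_vault_secret" "ok" {
  name            = "api-token"
  value           = "placeholder"
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = "2099-12-30T20:00:00Z"
}

resource "azurerm_key_vault_secret" "bad_format" {
  name            = "cert-pass"
  value           = "placeholder"
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = "30/12/2020 20:00"
}
'''

if __name__ == "__main__":
    for name, status in check_secrets(SAMPLE_HCL):
        print(f"{status:10} azurerm_key_vault_secret.{name}")
```

Running the script prints one line per resource; in a CI pipeline, treat MISSING, MALFORMED and EXPIRED as failures. For real repositories a proper HCL parser (for example the python-hcl2 package) is the robust choice, since the regex above does not cope with nested blocks or multi-line expressions.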
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0552 |
| Severity | HIGH |
| IaC Type | arm |
| Frameworks | ARM |
| Checkov ID | CKV_AZURE_41 |