Azure Key Vault Keys does not have expiration date
Description
The Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration time) attribute identifies the expiration time on or after which the key must not be used for a cryptographic operation. Keys are not set to expire by default. We recommend you rotate keys in the key vault and set an explicit expiration time for all keys in the Azure Key Vault. This ensures that the keys cannot be used beyond their assigned lifetimes.
Code Example
resource "azurerm_key_vault_key" "generated" {
...
+ expiration_date = "2020-12-30T20:00:00Z"
}Remediation
- Azure Portal To change the policy using the Azure Portal, follow these steps:*
. Log in to the Azure Portal at https://portal.azure.com.
. Navigate to * Key vaults*.
. For each Key vault: a) Click * Keys*. + b) Navigate to the * Settings* section. + c) Set * Enabled?* to * Yes*. + d) Set an appropriate * EXPIRATION DATE* on all keys.
- CLI Command*
To update the * EXPIRATION DATE **for the key, use the following command:
az keyvault key set-attributes --name & lt;keyName> --vault-name & lt;vaultName> --expires Y-m-d'T'H:M:S'Z'
=== Fix - Buildtime
Terraform
- Resource: azurerm_key_vault_key
- Arguments: expiration_date
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0551 |
| Severity | HIGH |
| IaC Type | arm |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AZURE_40 |