Ensure all keys have an expiration date

Error: Not all keys have an expiration date

Bridgecrew Policy ID: BC_AZR_GENERAL_10
Checkov Check ID: CKV_AZURE_40
Bridgecrew Severity: CRITICAL
Prisma Cloud Severity: HIGH

Description

The Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration time) attribute identifies the expiration time on or after which the key must not be used for a cryptographic operation. Keys are not set to expire by default.

We recommend you rotate keys in the key vault and set an explicit expiration time for all keys in the Azure Key Vault. This ensures that the keys cannot be used beyond their assigned lifetimes.

Fix - Runtime

Azure Portal

To change the policy using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Navigate to Key vaults.
  3. For each Key vault:
    a) Click Keys.
    b) Navigate to the Settings section.
    c) Set Enabled? to Yes.
    d) Set an appropriate EXPIRATION DATE on all keys.

CLI Command

To update the EXPIRATION DATE for the key, use the following command:

az keyvault key set-attributes \
  --name <keyName> \
  --vault-name <vaultName> \
  --expires Y-m-d'T'H:M:S'Z'

Fix - Buildtime

Terraform

  • Resource: azurerm_key_vault_key
  • Argument: expiration_date

resource "azurerm_key_vault_key" "generated" {
    ...
+   expiration_date = "2020-12-30T20:00:00Z"
}
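As an added illustration (not Checkov's own source for CKV_AZURE_40), the following stand-alone function mirrors the logic of this check against a parsed azurerm_key_vault_key block and goes one step further: it also fails a key whose expiration_date is malformed or already in the past (the date in the snippet above is one such case). It assumes the Checkov parser convention of wrapping every attribute value in a one-element list; the sample resources are constructed for the example.

```python
from datetime import datetime, timezone

UTC_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # RFC 3339 UTC, the format expiration_date expects


def parse_utc(raw):
    """Parse an RFC 3339 UTC timestamp such as 2030-12-30T20:00:00Z into an aware datetime."""
    return datetime.strptime(raw, UTC_FORMAT).replace(tzinfo=timezone.utc)


def check_key_expiration(resource_conf, now=None):
    """Evaluate one azurerm_key_vault_key configuration.

    resource_conf: attribute dict as a Checkov-style Terraform parser emits it
    (assumption: each value wrapped in a one-element list).
    Returns (result, reason) where result is PASSED, FAILED or UNKNOWN.
    """
    now = now or datetime.now(timezone.utc)
    values = resource_conf.get("expiration_date")
    if not values or not values[0]:
        return "FAILED", "expiration_date is not set"  # the condition CKV_AZURE_40 reports
    raw = values[0]
    if isinstance(raw, str) and raw.startswith("${"):
        # e.g. ${timeadd(timestamp(), "8760h")}: cannot be evaluated statically
        return "UNKNOWN", "expiration_date is an unresolved expression"
    try:
        expires = parse_utc(raw)
    except (TypeError, ValueError):
        return "FAILED", f"expiration_date {raw!r} is not an RFC 3339 UTC timestamp"
    if expires <= now:
        return "FAILED", f"expiration_date {raw} is already in the past"
    return "PASSED", f"key expires {raw}"


def scan(resources, now=None):
    """Map each resource name to its check result."""
    return {name: check_key_expiration(conf, now)[0] for name, conf in resources.items()}


# Constructed sample: three resource blocks in the assumed parser shape.
SAMPLE_RESOURCES = {
    "no_expiry": {"name": ["app-key"], "key_type": ["RSA"], "key_size": [2048]},
    "expired": {"name": ["old-key"], "expiration_date": ["2020-12-30T20:00:00Z"]},
    "ok": {"name": ["new-key"], "expiration_date": ["2030-12-30T20:00:00Z"]},
}

if __name__ == "__main__":
    for name, conf in SAMPLE_RESOURCES.items():
        result, reason = check_key_expiration(conf)
        print(f"{name}: {result} ({reason})")
```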