Ensure AKV secrets have an expiration date set

Error: AKV secrets do not have an expiration date set

Bridgecrew Policy ID: BC_AZR_SECRETS_1
Checkov Check ID: CKV_AZURE_41
Bridgecrew Severity: CRITICAL
Prisma Cloud Severity: HIGH

AKV secrets do not have an expiration date set

Description

The Azure Key Vault (AKV) lets users store and manage secrets within the Microsoft Azure environment. Secrets in the AKV are octet sequences with a maximum size of 25k bytes each.
The exp (expiration time) attribute identifies the time on or after which the secret must not be used. By default, secrets do not expire.

We recommend you rotate secrets in the key vault and set an explicit expiration time for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.

Fix - Runtime

Azure Portal

To set expiration dates using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Navigate to Key vaults.
  3. For each Key vault:
    a) Click Secrets.
    b) Navigate to Settings.
    c) Set Enabled? to Yes.
    d) Set an appropriate EXPIRATION DATE on all secrets.

CLI Command

To set an EXPIRATION DATE on all secrets, use the following command:

az keyvault secret set-attributes \
  --name <secretName> \
  --vault-name <vaultName> \
  --expires Y-m-d'T'H:M:S'Z'
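The runtime fix above has to be applied per secret, so a practitioner usually wants to know which secrets in a vault have no expiry (or an expiry that has already passed) before running set-attributes. The script below is an added example, not part of the original page or of the Azure CLI: it parses the JSON shape that `az keyvault secret list -o json` prints (an "attributes" object with "expires" and "enabled" fields), flags non-compliant secrets, and formats the `--expires` value in the Y-m-d'T'H:M:S'Z' form the command expects. The vault name, secret names and timestamps are constructed sample data.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample listing. The shape follows `az keyvault secret list -o json`;
# the vault name "example-vault" and the secret names are made up for this example.
SAMPLE_LISTING = json.dumps([
    {"name": "db-password",
     "id": "https://example-vault.vault.azure.net/secrets/db-password",
     "attributes": {"enabled": True, "expires": None,
                    "created": "2024-01-10T09:00:00+00:00"}},
    {"name": "api-token",
     "id": "https://example-vault.vault.azure.net/secrets/api-token",
     "attributes": {"enabled": True, "expires": "2030-06-01T00:00:00+00:00",
                    "created": "2024-01-10T09:00:00+00:00"}},
    {"name": "legacy-key",
     "id": "https://example-vault.vault.azure.net/secrets/legacy-key",
     "attributes": {"enabled": True, "expires": "2023-01-01T00:00:00+00:00",
                    "created": "2022-01-01T00:00:00+00:00"}},
])


def find_secrets_without_expiry(listing_json, now=None):
    """Return (name, reason) pairs for secrets with no expiration date or an expiration
    date that has already passed. `now` defaults to the current UTC time."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for secret in json.loads(listing_json):
        expires = (secret.get("attributes") or {}).get("expires")
        if expires is None:
            findings.append((secret["name"], "no expiration date set"))
            continue
        # az prints ISO 8601 timestamps with a UTC offset, which fromisoformat accepts.
        exp = datetime.fromisoformat(expires)
        if exp <= now:
            findings.append((secret["name"], "expired on %s" % exp.isoformat()))
    return findings


def az_expires_value(start, lifetime_days):
    """Format start + lifetime as the Y-m-d'T'H:M:S'Z' (UTC) string that
    `az keyvault secret set-attributes --expires` accepts."""
    exp = start.astimezone(timezone.utc) + timedelta(days=lifetime_days)
    return exp.strftime("%Y-%m-%dT%H:%M:%SZ")


def remediation_commands(listing_json, vault_name, lifetime_days, now=None):
    """Build one set-attributes command per non-compliant secret, giving each a fresh
    expiry `lifetime_days` from now. Commands are returned, not executed."""
    now = now or datetime.now(timezone.utc)
    expires = az_expires_value(now, lifetime_days)
    return [
        "az keyvault secret set-attributes --name %s --vault-name %s --expires %s"
        % (name, vault_name, expires)
        for name, _reason in find_secrets_without_expiry(listing_json, now=now)
    ]


if __name__ == "__main__":
    for name, reason in find_secrets_without_expiry(SAMPLE_LISTING):
        print("%s: %s" % (name, reason))
    for cmd in remediation_commands(SAMPLE_LISTING, "example-vault", 90):
        print(cmd)
```

In practice you would feed the script the real listing (`az keyvault secret list --vault-name <vaultName> -o json`) and review the generated commands before running them; the 90-day lifetime is a placeholder for whatever rotation interval your policy prescribes.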

Fix - Buildtime

Terraform

  • Resource: azurerm_key_vault_secret
  • Argument: expiration_date

resource "azurerm_key_vault_secret" "example" {
     ...
 +   expiration_date = "2020-12-30T20:00:00Z"
}
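The buildtime check behind CKV_AZURE_41 is a presence test on the expiration_date argument of every azurerm_key_vault_secret resource. The code below is an added example that re-implements that logic stand-alone; it is not Checkov's own check class. It assumes the resource body arrives the way Checkov's HCL parser presents it (each attribute mapped to a one-element list), additionally verifies that a literal value is an RFC 3339 UTC timestamp, and treats an unresolved Terraform expression such as "${timeadd(...)}" as set, since its value cannot be inspected statically (a choice made for this example). The resource addresses and values are constructed.

```python
import re

# Terraform's azurerm provider expects expiration_date as an RFC 3339 UTC timestamp,
# e.g. "2020-12-30T20:00:00Z" as shown in the Terraform fix on this page.
RFC3339_UTC = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def scan_key_vault_secret(conf):
    """Check one azurerm_key_vault_secret body. `conf` maps attribute names to
    one-element lists, mirroring how Checkov's parser hands configs to checks.
    Returns ("PASSED", None) or ("FAILED", reason)."""
    values = conf.get("expiration_date")
    if not values:
        return "FAILED", "expiration_date is not set"
    value = values[0]
    if not isinstance(value, str):
        return "FAILED", "expiration_date %r is not a string" % (value,)
    if value.startswith("${"):
        # Unresolved expression (e.g. timeadd(timestamp(), "2160h")): the argument is
        # present, so this example counts it as set rather than guessing its value.
        return "PASSED", None
    if not RFC3339_UTC.match(value):
        return "FAILED", "expiration_date %r is not an RFC 3339 UTC timestamp" % (value,)
    return "PASSED", None


def scan_resources(resources):
    """Run the check over (address, resource_type, conf) triples and return
    (address, reason) for every failing azurerm_key_vault_secret."""
    failures = []
    for address, rtype, conf in resources:
        if rtype != "azurerm_key_vault_secret":
            continue
        result, reason = scan_key_vault_secret(conf)
        if result == "FAILED":
            failures.append((address, reason))
    return failures


# Constructed sample: three resources as a parser would present them.
SAMPLE_RESOURCES = [
    ("azurerm_key_vault_secret.example", "azurerm_key_vault_secret",
     {"name": ["example"], "value": ["${var.secret_value}"],
      "key_vault_id": ["${azurerm_key_vault.example.id}"]}),
    ("azurerm_key_vault_secret.fixed", "azurerm_key_vault_secret",
     {"name": ["fixed"], "value": ["${var.secret_value}"],
      "key_vault_id": ["${azurerm_key_vault.example.id}"],
      "expiration_date": ["2020-12-30T20:00:00Z"]}),
    ("azurerm_key_vault.example", "azurerm_key_vault",
     {"name": ["example-vault"]}),
]


if __name__ == "__main__":
    for address, reason in scan_resources(SAMPLE_RESOURCES):
        print("FAILED %s: %s" % (address, reason))
```

Running it reports azurerm_key_vault_secret.example (no expiration_date) and stays silent on the fixed resource and on the key vault itself, which the check does not cover.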