CloudSploit

# AZURE / Key Vaults / Secret Expiration Enabled

## Quick Info

| | |
| --- | --- |
| **Plugin Title** | Secret Expiration Enabled |
| **Cloud** | AZURE |
| **Category** | Key Vaults |
| **Description** | Ensures that all secrets in Azure Key Vault have an expiry time set. |
| **More Info** | Setting an expiry time on every secret forces periodic rotation and prevents unused or forgotten secrets from remaining usable indefinitely. |
| **AZURE Link** | https://docs.microsoft.com/en-us/azure/secret-vault/about-secrets-secrets-and-certificates |
| **Recommended Action** | Ensure every secret in each Key Vault has an expiry time set that allows for sufficient rotation. |

## Detailed Remediation Steps

1. Log into the Microsoft Azure Management Console.
2. In the search bar at the top, search for "Vaults" and select "Key Vaults" from the search results.
3. On the Key Vaults page, select a key vault by clicking its "Name" link to open its configuration.
4. Scroll down and click "Secrets" in the navigation pane on the left.
5. From the list of secrets, select one that shows no date in the "Expiration date" column.
6. In the secret versions pane that opens, click the currently "Enabled" version.
7. In the secret version pane, if the "Set expiration date" checkbox is not selected, no expiration is set for this secret. This is a security vulnerability.
8. Select the "Set expiration date" checkbox to enable expiration.
9. Click the calendar next to "Expiration date" and choose a date more than 27 days out as the expiration date.
10. Finally, click "Save" at the top of the pane to apply the change.
11. Repeat steps 3 to 10 for all other key vaults and secrets without an expiration date.
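The portal steps above audit one secret at a time. The following is an added example (not CloudSploit's plugin code) that performs the same check over the JSON shape returned by `az keyvault secret list` and emits an `az keyvault secret set-attributes` command for each enabled secret that lacks an expiry; the secret list is constructed inline, and the vault name `myvault` is a placeholder.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `az keyvault secret list -o json`
# (only the fields this check needs); not output from a real vault.
SAMPLE_SECRETS = json.loads("""
[
  {"name": "db-password", "attributes": {"enabled": true,  "expires": null}},
  {"name": "api-token",   "attributes": {"enabled": true,  "expires": "2030-01-01T00:00:00+00:00"}},
  {"name": "old-cert-pw", "attributes": {"enabled": true,  "expires": "2020-01-01T00:00:00Z"}},
  {"name": "retired",     "attributes": {"enabled": false, "expires": null}}
]
""")


def audit_secrets(secrets, now=None):
    """Map each enabled secret name to 'NO_EXPIRY', 'EXPIRED' or 'OK'.

    Disabled secrets cannot be read and are skipped, matching the portal
    steps, which only look at the currently enabled version.
    """
    now = now or datetime.now(timezone.utc)
    findings = {}
    for secret in secrets:
        attrs = secret.get("attributes", {})
        if not attrs.get("enabled", False):
            continue
        expires = attrs.get("expires")
        if not expires:
            findings[secret["name"]] = "NO_EXPIRY"
            continue
        # az emits either a trailing 'Z' or an explicit '+00:00' offset.
        expires_at = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        findings[secret["name"]] = "EXPIRED" if expires_at <= now else "OK"
    return findings


def remediation_commands(findings, vault_name, now=None, days=28):
    """Build one `az keyvault secret set-attributes` call per NO_EXPIRY secret.

    The default of 28 days follows the page's guidance to pick a date more
    than 27 days out; the vault name is supplied by the caller.
    """
    now = now or datetime.now(timezone.utc)
    expiry = (now + timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [
        f"az keyvault secret set-attributes --vault-name {vault_name} "
        f"--name {name} --expires {expiry}"
        for name, status in sorted(findings.items()) if status == "NO_EXPIRY"
    ]


if __name__ == "__main__":
    results = audit_secrets(SAMPLE_SECRETS)
    for name, status in results.items():
        print(f"{name}: {status}")
    print("\n".join(remediation_commands(results, "myvault")))
```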