Plugin Title | Secret Expiration Enabled |
Cloud | AZURE |
Category | Key Vaults |
Description | Ensures that all secrets in Azure Key Vault have an expiry time set. |
More Info | Setting an expiry time on all secrets forces secret rotation and removes unused and forgotten secrets from being used. |
AZURE Link | https://docs.microsoft.com/en-us/azure/secret-vault/about-secrets-secrets-and-certificates |
Recommended Action | Ensure each Key Vault has an expiry time set that provides for sufficient rotation. |
- Log into the Microsoft Azure Management Console.
- In the search bar at the top search for Vaults and select "Key Vaults" from the search result.
- In the Key Vaults page, select a key vault by clicking on the “Name” link to access the configuration changes.
- Scroll down and click "Secrets" from the navigation pane on the left.
- Then, from the list of secrets, select a secret with no expiration date under "Expiration date" column.
- In the secret versions pane that opens, select the currently "Enabled" version by clicking on it.
- In the secret version pane, if the "Set expiration date" checkbox is not selected, then expiration is not set for this secret. This is a security vulnerability.
- Select the "Set expiration date" checkbox to enable expiration.
- Now click on the calendar for "Expiration date" and select a date after 27 days to set as expiration date.
- Finally, hit "Save" at the top of the pane to complete the changes.
- Repeat step number 3 - 10 for all other key vaults and keys without expiration date.