More Info:

In Microsoft Azure Key Vault, check for any keys that does not have any expiration time set.

Risk Level

Medium

Address

Security, Operational Maturity

Compliance Standards

GDPR, ISO27001, CISAZURE, CBP, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of keys not having an expiration time in Azure, you can follow the below steps:
  1. Log in to the Azure portal using your credentials.
  2. Navigate to the Azure Key Vault service.
  3. Select the Key Vault that contains the key that needs to be remediated.
  4. Click on the “Keys” option from the left-hand menu.
  5. Select the key that needs to be remediated.
  6. Click on the “Settings” option from the top menu.
  7. In the “Settings” menu, select the “Lifetime” option.
  8. Set an expiration time for the key by selecting a duration from the dropdown menu or by specifying a custom duration.
  9. Click on the “Save” button to apply the changes.
By following these steps, you can remediate the misconfiguration of keys not having an expiration time in Azure using the Azure console.

To remediate the misconfiguration of missing expiration time for keys in AZURE using AZURE CLI, you can follow these steps:
  1. Open the AZURE CLI terminal and login to your AZURE account using the command:
az login
  1. Once you are logged in, you can list all the available keys in your AZURE account using the command:
az keyvault key list --vault-name <your-key-vault-name>
  1. Identify the key for which you want to set the expiration time and note down its name.
  2. Next, set the expiration time for the identified key using the command: 
az keyvault key set-attributes --vault-name <your-key-vault-name> --name <your-key-name> --expires <your-expiration-time>
Replace <your-key-vault-name> with the name of your key vault, <your-key-name> with the name of the identified key and <your-expiration-time> with the desired expiration time for the key in the format YYYY-MM-DDTHH:MM:SSZ.
  1. Verify that the expiration time has been set for the key using the command:
az keyvault key show --vault-name <your-key-vault-name> --name <your-key-name>
This will display the details of the key, including the expiration time.By following these steps, you can remediate the misconfiguration of missing expiration time for keys in AZURE using AZURE CLI.
To remediate the misconfiguration of keys not having an expiration time in Azure using Python, you can follow these steps:
  1. Install the Azure SDK for Python using the following command:
pip install azure-mgmt-resource
  1. Authenticate to your Azure account using the Azure CLI or by setting the environment variables AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID.
  2. Use the following Python code to set an expiration time for the keys: 
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.keyvault import KeyVaultManagementClient
from azure.mgmt.keyvault.models import AccessPolicyEntry, Permissions, SecretAttributes, SecretProperties

# Set the credentials
credentials = ServicePrincipalCredentials(
    client_id='<client_id>',
    secret='<client_secret>',
    tenant='<tenant_id>'
)

# Set the subscription ID and resource group name
subscription_id = '<subscription_id>'
resource_group_name = '<resource_group_name>'

# Create the resource management client
resource_client = ResourceManagementClient(credentials, subscription_id)

# Get the key vaults in the resource group
vaults = resource_client.resources.list_by_resource_group(resource_group_name, filter="resourceType eq 'Microsoft.KeyVault/vaults'")

# Create the key vault management client
kv_client = KeyVaultManagementClient(credentials, subscription_id)

# Set the expiration time for the keys
for vault in vaults:
    vault_name = vault.name
    keys = kv_client.vaults.list_keys(resource_group_name, vault_name)
    for key in keys:
        key_name = key.name
        key_version = key.properties.version
        attributes = SecretAttributes(enabled=True, expires=datetime.datetime.now() + datetime.timedelta(days=365))
        properties = SecretProperties(value=None, attributes=attributes)
        kv_client.vaults.set_secret(resource_group_name, vault_name, key_name, key_version, properties=properties)
In this code, we first set the credentials using the ServicePrincipalCredentials class. Then, we set the subscription ID and resource group name. Next, we create the ResourceManagementClient and KeyVaultManagementClient objects. Finally, we get the key vaults in the resource group and set the expiration time for each key using the set_secret method of the KeyVaultManagementClient object.Note: This code sets the expiration time for the keys to one year from the current date. You can modify this value as per your requirement.

Additional Reading: