Keys should have an expiration time
More Info:
In Microsoft Azure Key Vault, check for any keys that does not have any expiration time set.Risk Level
MediumAddress
Security, Operational MaturityCompliance Standards
GDPR, ISO27001, CISAZURE, CBP, HITRUST, SOC2, NISTCSF, PCIDSSTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of keys not having an expiration time in Azure, you can follow the below steps:
- Log in to the Azure portal using your credentials.
- Navigate to the Azure Key Vault service.
- Select the Key Vault that contains the key that needs to be remediated.
- Click on the “Keys” option from the left-hand menu.
- Select the key that needs to be remediated.
- Click on the “Settings” option from the top menu.
- In the “Settings” menu, select the “Lifetime” option.
- Set an expiration time for the key by selecting a duration from the dropdown menu or by specifying a custom duration.
- Click on the “Save” button to apply the changes.
Using CLI
Using CLI
To remediate the misconfiguration of missing expiration time for keys in AZURE using AZURE CLI, you can follow these steps:Replace This will display the details of the key, including the expiration time.By following these steps, you can remediate the misconfiguration of missing expiration time for keys in AZURE using AZURE CLI.
- Open the AZURE CLI terminal and login to your AZURE account using the command:
- Once you are logged in, you can list all the available keys in your AZURE account using the command:
- Identify the key for which you want to set the expiration time and note down its name.
- Next, set the expiration time for the identified key using the command:
<your-key-vault-name> with the name of your key vault, <your-key-name> with the name of the identified key and <your-expiration-time> with the desired expiration time for the key in the format YYYY-MM-DDTHH:MM:SSZ.- Verify that the expiration time has been set for the key using the command:
Using Python
Using Python
To remediate the misconfiguration of keys not having an expiration time in Azure using Python, you can follow these steps:In this code, we first set the credentials using the
- Install the Azure SDK for Python using the following command:
-
Authenticate to your Azure account using the Azure CLI or by setting the environment variables
AZURE_CLIENT_ID,AZURE_CLIENT_SECRET, andAZURE_TENANT_ID. - Use the following Python code to set an expiration time for the keys:
ServicePrincipalCredentials class. Then, we set the subscription ID and resource group name. Next, we create the ResourceManagementClient and KeyVaultManagementClient objects. Finally, we get the key vaults in the resource group and set the expiration time for each key using the set_secret method of the KeyVaultManagementClient object.Note: This code sets the expiration time for the keys to one year from the current date. You can modify this value as per your requirement.