Secrets should have an expiration time

More Info:

In Microsoft Azure Key Vault, check for any secrets that does not have any expiration time set.

Risk Level

Medium

Address

Security

Compliance Standards

GDPR, ISO27001, CISAZURE, CBP, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of secrets not having an expiration time in Azure, you can follow the below steps using Azure CLI:

Open the Azure CLI on your local machine or on the Azure Cloud Shell.
Run the following command to set the expiration time for the secrets:
```
az keyvault secret set-attributes --name <secret-name> --vault-name <vault-name> --expires <expiration-time>
```
Replace <secret-name> with the name of the secret that you want to set the expiration time for, <vault-name> with the name of the Key Vault where the secret is stored, and <expiration-time> with the expiration time in UTC format.
Verify that the expiration time has been set for the secret by running the following command:
```
az keyvault secret show --name <secret-name> --vault-name <vault-name>
```
This command will display the details of the secret, including the expiration time.
Repeat the above steps for all the secrets that do not have an expiration time set.

By following the above steps, you can remediate the misconfiguration of secrets not having an expiration time in Azure using Azure CLI.

Using Python

To remediate the misconfiguration of secrets not having an expiration time in Azure using Python, you can use the following steps:

First, you need to authenticate to Azure using the Azure Python SDK. You can use the following code to authenticate:

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

credential = DefaultAzureCredential()
client = SecretClient(vault_url="https://<your-key-vault-name>.vault.azure.net/", credential=credential)

Next, you need to retrieve the secrets from the key vault. You can use the following code to retrieve all the secrets:

secrets = client.list_properties_of_secrets()

Once you have retrieved the secrets, you can loop through each secret and set an expiration time for it. You can use the following code to set an expiration time for each secret:

from datetime import datetime, timedelta

for secret in secrets:
    secret_properties = client.get_secret_properties(secret.name)
    expires_on = datetime.utcnow() + timedelta(days=30)
    secret_properties.expires_on = expires_on
    client.update_secret_properties(secret.name, secret_properties)

In the above code, we are setting an expiration time of 30 days for each secret. You can modify this value as per your requirements.

Finally, you can verify that the secrets now have an expiration time by retrieving the secret properties again:

secrets = client.list_properties_of_secrets()

for secret in secrets:
    secret_properties = client.get_secret_properties(secret.name)
    print(f"{secret.name} expires on {secret_properties.expires_on}")

This will print the name of each secret and its expiration time.By following the above steps, you can remediate the misconfiguration of secrets not having an expiration time in Azure using Python.

Additional Reading:

https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

Secrets should have an expiration time

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

Azure Introduction

Azure Pricing

Azure Threats

Azure Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: