More Info:

In Microsoft Azure Key Vault, check for any secrets that does not have any expiration time set.

Risk Level

Medium

Address

Security

Compliance Standards

GDPR, ISO27001, CISAZURE, CBP, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of secrets not having an expiration time in AZURE, you can follow the below steps:
  1. Login to the AZURE portal using your credentials.
  2. Navigate to the “Key vaults” service from the dashboard.
  3. Select the key vault that contains the secrets that you want to remediate.
  4. Click on the “Secrets” option from the left-hand side menu.
  5. Select the secret that you want to remediate and click on it.
  6. In the secret details page, scroll down to the “Validity period” section.
  7. Click on the “Enable” button to enable the expiration time for the secret.
  8. Set the expiration time as per your requirement using the “Expires” field.
  9. Click on the “Save” button to save the changes.
By following the above steps, you can remediate the misconfiguration of secrets not having an expiration time in AZURE.

To remediate the misconfiguration of secrets not having an expiration time in Azure, you can follow the below steps using Azure CLI:
  1. Open the Azure CLI on your local machine or on the Azure Cloud Shell.
  2. Run the following command to set the expiration time for the secrets: 
    az keyvault secret set-attributes --name <secret-name> --vault-name <vault-name> --expires <expiration-time>
    Replace <secret-name> with the name of the secret that you want to set the expiration time for, <vault-name> with the name of the Key Vault where the secret is stored, and <expiration-time> with the expiration time in UTC format.
  3. Verify that the expiration time has been set for the secret by running the following command: 
    az keyvault secret show --name <secret-name> --vault-name <vault-name>
    This command will display the details of the secret, including the expiration time.
  4. Repeat the above steps for all the secrets that do not have an expiration time set.
By following the above steps, you can remediate the misconfiguration of secrets not having an expiration time in Azure using Azure CLI.
To remediate the misconfiguration of secrets not having an expiration time in Azure using Python, you can use the following steps:
  1. First, you need to authenticate to Azure using the Azure Python SDK. You can use the following code to authenticate:
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

credential = DefaultAzureCredential()
client = SecretClient(vault_url="https://<your-key-vault-name>.vault.azure.net/", credential=credential)
  1. Next, you need to retrieve the secrets from the key vault. You can use the following code to retrieve all the secrets:
secrets = client.list_properties_of_secrets()
  1. Once you have retrieved the secrets, you can loop through each secret and set an expiration time for it. You can use the following code to set an expiration time for each secret:
from datetime import datetime, timedelta

for secret in secrets:
    secret_properties = client.get_secret_properties(secret.name)
    expires_on = datetime.utcnow() + timedelta(days=30)
    secret_properties.expires_on = expires_on
    client.update_secret_properties(secret.name, secret_properties)
In the above code, we are setting an expiration time of 30 days for each secret. You can modify this value as per your requirements.
  1. Finally, you can verify that the secrets now have an expiration time by retrieving the secret properties again:
secrets = client.list_properties_of_secrets()

for secret in secrets:
    secret_properties = client.get_secret_properties(secret.name)
    print(f"{secret.name} expires on {secret_properties.expires_on}")
This will print the name of each secret and its expiration time.By following the above steps, you can remediate the misconfiguration of secrets not having an expiration time in Azure using Python.

Additional Reading: