More Info:

In Microsoft Azure Key Vault, check for any secrets that are about to expire and rotate them by creating a new version of these secrets.

Risk Level

Medium

Address

Operational Maturity, Security

Compliance Standards

NIST, GDPR, ISO27001

Triage and Remediation

Remediation

Using Console

To remediate secrets that are about to expire and need rotation in Azure using the Azure console, follow these steps:
  1. Log in to the Azure portal (https://portal.azure.com/).
  2. Navigate to the Azure Key Vault where the secrets are stored.
  3. Select the secret that needs to be rotated.
  4. Click on the “Current Version” tab.
  5. Click on the “Generate/Import” button.
  6. Enter the new secret value and click on “Create”.
  7. Click on the “Save” button to save the new secret value.
  8. Click on the “Versions” tab.
  9. Select the previous version of the secret and click on “Disable”.
  10. Click on the “Save” button to disable the previous version of the secret.
By following these steps, you have successfully rotated the secret and disabled the previous version of the secret in Azure.

To remediate the issue of expiring secrets in Azure using Azure CLI, you can follow these steps:
  1. Login to your Azure account using Azure CLI by running the following command:
az login
  1. Once you are logged in, you need to identify the secrets that are about to expire. You can do this by running the following command:
az keyvault secret list --vault-name <your-key-vault-name> --query "[?attributes.exp != null && attributes.exp < now()]"
This command will list all the secrets that are about to expire in your key vault.
  1. Now that you have identified the secrets that need rotation, you can rotate them by creating new versions of the secrets with updated values. You can do this by running the following command:
az keyvault secret set --vault-name <your-key-vault-name> --name <your-secret-name> --value <your-new-secret-value>
Replace <your-key-vault-name>, <your-secret-name> and <your-new-secret-value> with the appropriate values.
  1. Once you have created new versions of all the secrets that were about to expire, you can delete the old versions of the secrets by running the following command:
az keyvault secret delete --vault-name <your-key-vault-name> --name <your-secret-name> --version <your-old-secret-version>
Replace <your-key-vault-name>, <your-secret-name> and <your-old-secret-version> with the appropriate values.
  1. Repeat steps 3 and 4 for all the secrets that were about to expire.
  2. Finally, you can verify that all the secrets have been rotated successfully by running the following command:
az keyvault secret list --vault-name <your-key-vault-name> --query "[?attributes.exp != null && attributes.exp < now()]"
This command should return an empty list, indicating that all the secrets have been rotated successfully.By following these steps, you can remediate the issue of expiring secrets in Azure using Azure CLI.
To remediate the issue of expiring secrets in AZURE using Python, you can follow these steps:
  1. Install the azure-identity and azure-keyvault-secrets packages using pip.
    pip install azure-identity azure-keyvault-secrets
    
  2. Import the required libraries in your Python code.
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    from datetime import datetime, timedelta
    
  3. Set up the authentication credentials using the DefaultAzureCredential class.
    credential = DefaultAzureCredential()
    
  4. Create a SecretClient object using the Azure Key Vault URL and the authentication credentials.
    keyvault_url = "https://<your-key-vault-name>.vault.azure.net/"
    secret_client = SecretClient(vault_url=keyvault_url, credential=credential)
    
  5. Retrieve the list of secrets from the Key Vault using the list_properties_of_secrets method of the SecretClient object.
    secrets = secret_client.list_properties_of_secrets()
    
  6. Iterate over the list of secrets and check if any of them are about to expire (i.e., the expires_on property is less than the current time plus a buffer period). If a secret is about to expire, retrieve its current value using the get_secret method of the SecretClient object, update its value, and then set the updated value using the set_secret method of the SecretClient object.
    buffer_period = timedelta(days=7)  # Set a buffer period of 7 days
    for secret in secrets:
        if secret.expires_on <= datetime.utcnow() + buffer_period:
            secret_value = secret_client.get_secret(secret.name).value
            # Update the secret value here
            secret_client.set_secret(secret.name, secret_value)
    
  7. Run the Python script periodically (e.g., daily) using a task scheduler or a cron job to ensure that secrets are rotated before they expire.
These steps should help you remediate the issue of expiring secrets in AZURE using Python.

Additional Reading: