Azure-KeyVaults-Secret-Expiration-Enabled

Severity: High

Description: This control ensures that an expiry date is set for every secret whose status is Enabled. Secrets in Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration time) attribute identifies the expiration time on or after which the secret MUST NOT be used. By default, secrets never expire. It is therefore recommended that you rotate the secrets in the key vault and set an explicit expiry time for every secret, so that no secret can be used beyond its assigned lifetime.

Remediation Steps:

Perform the following to update the expiry time for a secret:

  1. Log in to the Azure Portal at https://portal.azure.com.

  2. Go to Key vaults.

  3. For each Key vault, click Secrets.

  4. Under the Settings section, make sure Enabled is set to Yes.

  5. Ensure that each secret in the vault has an expiration date set as appropriate.
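The portal steps above check one vault at a time by hand. As an added illustration (not part of this control page or of any Blue Hexagon tool), the following Python script applies the same check to the JSON that `az keyvault secret list --vault-name <vault>` returns: it reports enabled secrets with no expiry (the failing condition), separately reports enabled secrets that are already past their expiry, and prints the `az keyvault secret set-attributes --expires` command that sets an expiry for each failing secret. The sample secret list and the vault name `contoso-kv` are constructed, and the 90-day lifetime is an assumed policy value, not one the control prescribes.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `az keyvault secret list --vault-name contoso-kv`
# (only the fields this check reads; the real output carries more attributes).
SAMPLE_SECRET_LIST = json.dumps([
    {"id": "https://contoso-kv.vault.azure.net/secrets/db-password", "name": "db-password",
     "attributes": {"enabled": True, "expires": None}},
    {"id": "https://contoso-kv.vault.azure.net/secrets/api-key", "name": "api-key",
     "attributes": {"enabled": True, "expires": "2030-01-01T00:00:00+00:00"}},
    # Disabled secret without expiry: outside the scope of this control.
    {"id": "https://contoso-kv.vault.azure.net/secrets/old-token", "name": "old-token",
     "attributes": {"enabled": False, "expires": None}},
    # Enabled but already past its expiry: passes this control, but worth reporting.
    {"id": "https://contoso-kv.vault.azure.net/secrets/legacy-cert-pw", "name": "legacy-cert-pw",
     "attributes": {"enabled": True, "expires": "2020-06-01T00:00:00+00:00"}},
])


def _enabled_secrets(secret_list_json):
    """Only enabled secrets are in scope for this control."""
    return [s for s in json.loads(secret_list_json) if s["attributes"].get("enabled")]


def find_missing_expiry(secret_list_json):
    """Names of enabled secrets with no `expires` attribute: the control's failing condition."""
    return [s["name"] for s in _enabled_secrets(secret_list_json)
            if not s["attributes"].get("expires")]


def find_expired(secret_list_json, now=None):
    """Names of enabled secrets whose expiry is already in the past."""
    now = now or datetime.now(timezone.utc)
    expired = []
    for s in _enabled_secrets(secret_list_json):
        exp = s["attributes"].get("expires")
        if exp and datetime.fromisoformat(exp) <= now:
            expired.append(s["name"])
    return expired


def remediation_commands(vault_name, secret_list_json, max_lifetime_days=90, now=None):
    """Build one `az keyvault secret set-attributes --expires` command per failing secret.
    max_lifetime_days is an assumed policy value; `--expires` takes a UTC timestamp
    in the form YYYY-MM-DDTHH:MM:SSZ."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=max_lifetime_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [
        f"az keyvault secret set-attributes --vault-name {vault_name} "
        f"--name {name} --expires {expires}"
        for name in find_missing_expiry(secret_list_json)
    ]


if __name__ == "__main__":
    print("missing expiry:", find_missing_expiry(SAMPLE_SECRET_LIST))
    print("already expired:", find_expired(SAMPLE_SECRET_LIST))
    for cmd in remediation_commands("contoso-kv", SAMPLE_SECRET_LIST):
        print(cmd)
```

Setting an expiry on an existing secret value is the minimum fix; since the control also recommends rotation, the usual practice is to create a new secret version with `az keyvault secret set` and pass `--expires` there, so that the old value and the missing-expiry condition are retired together.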

Important:

Reference:


Blue Hexagon Proprietary