Key Vault secrets should have an expiration date

Description

By default, Key Vault secrets do not expire, so a compromised secret remains valid indefinitely. As a best practice, set an explicit expiration date on every secret, and rotate secrets.

Remediation Steps

Azure Portal

  • Navigate to Key Vault.

  • Select the key vault.

  • In the left navigation under Settings, select Secrets.

  • Select the active secret and set enabled to Yes.

  • Set the expiration date.

Azure CLI

  • To set an expiration date on the Key Vault secret (the value is a UTC timestamp in the format shown):

az keyvault secret set-attributes --name <secretName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z'

Azure Resource Manager

{
  "properties": {
    "attributes": {
      "exp": 1700000000
    }
  }
}

Example Configuration

{
  "type": "Microsoft.KeyVault/vaults/secrets",
  "apiVersion": "2021-06-01-preview",
  "properties": {
    "attributes": {
      "exp": 1700000000
    }
  }
}

The other required fields of the resource are omitted here; "exp" is the expiration time as Unix epoch seconds (UTC).
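The Azure CLI command takes the expiry as a Y-m-d'T'H:M:S'Z' string while the ARM template takes the same instant as an epoch integer in "exp", and the Description above calls for secrets that have an expiry at all. The Python below is an added example, not part of this control or of Microsoft's tooling: it converts between the two remediation formats and audits a list of secrets for a missing, past, imminent or over-long expiry. The secret list is constructed for the example and only mirrors the shape of `az keyvault secret list -o json` output that the code relies on (an `attributes` object with `enabled` and an ISO 8601 `expires`); the 365-day maximum lifetime and 30-day rotation window are assumed policy values, not from the page.

```python
"""Audit Key Vault secret expiry attributes and build remediation values.

Example code; the secret list below is constructed, not real az output."""
import json
from datetime import datetime, timedelta, timezone

# Assumed policy values: longest acceptable lifetime and the warning window
# before expiry in which a rotation should already be planned.
MAX_LIFETIME = timedelta(days=365)
ROTATION_WARNING = timedelta(days=30)

# Constructed input modelled on the shape of `az keyvault secret list -o json`.
SAMPLE_SECRET_LIST = json.dumps([
    {"name": "db-password", "attributes": {"enabled": True, "expires": None}},
    {"name": "api-token", "attributes": {"enabled": True,
                                         "expires": "2023-06-01T00:00:00+00:00"}},
    {"name": "signing-secret", "attributes": {"enabled": True,
                                              "expires": "2024-01-10T00:00:00+00:00"}},
    {"name": "legacy-cert-pw", "attributes": {"enabled": True,
                                              "expires": "2030-01-01T00:00:00+00:00"}},
    {"name": "old-unused", "attributes": {"enabled": False, "expires": None}},
])

# Fixed "now" and a sample expiry so the results are reproducible.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
EXAMPLE_EXPIRY = datetime(2024, 12, 31, 23, 59, 59, tzinfo=timezone.utc)


def cli_expires(when: datetime) -> str:
    """Format an instant for `--expires` on az keyvault secret set-attributes,
    i.e. Y-m-d'T'H:M:S'Z' in UTC."""
    return when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def arm_exp(when: datetime) -> int:
    """The same instant as the Unix epoch integer used by the ARM "exp" attribute."""
    return int(when.astimezone(timezone.utc).timestamp())


def epoch_to_cli(exp: int) -> str:
    """Translate an ARM "exp" value back into the CLI string, e.g. to read a template."""
    return cli_expires(datetime.fromtimestamp(exp, tz=timezone.utc))


def remediation_command(vault: str, name: str, when: datetime) -> str:
    """The az command from the Remediation Steps with a concrete --expires value."""
    return (f"az keyvault secret set-attributes --name {name} "
            f"--vault-name {vault} --expires {cli_expires(when)}")


def audit_secrets(secret_list_json: str, now: datetime) -> dict:
    """Classify every enabled secret by its expiry attribute.

    Returns {"missing": [...], "expired": [...], "expiring_soon": [...], "too_long": [...]}.
    Disabled secrets are skipped because they cannot be retrieved."""
    findings = {"missing": [], "expired": [], "expiring_soon": [], "too_long": []}
    for secret in json.loads(secret_list_json):
        attrs = secret.get("attributes", {})
        if not attrs.get("enabled", True):
            continue
        name = secret["name"]
        expires = attrs.get("expires")
        if expires is None:
            findings["missing"].append(name)       # the finding this control is about
            continue
        exp_dt = datetime.fromisoformat(expires)  # az emits ISO 8601 with a UTC offset
        if exp_dt <= now:
            findings["expired"].append(name)       # still enabled but past its date
        elif exp_dt - now <= ROTATION_WARNING:
            findings["expiring_soon"].append(name) # rotate before it lapses
        elif exp_dt - now > MAX_LIFETIME:
            findings["too_long"].append(name)      # expiry set, but too far out to matter
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_secrets(SAMPLE_SECRET_LIST, NOW), indent=2))
    for name in audit_secrets(SAMPLE_SECRET_LIST, NOW)["missing"]:
        print(remediation_command("<vaultName>", name, EXAMPLE_EXPIRY))
```

Run against real data by piping `az keyvault secret list --vault-name <vaultName> -o json` into `audit_secrets`; secrets in "missing" are the ones that fail this control, and the printed command is the CLI remediation with a filled-in `--expires` value.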