Key Vault secrets should have an expiration date
Description
By default, Key Vault secrets do not expire, so a compromised secret stays valid indefinitely unless someone notices and disables or deletes it. As a best practice, an explicit expiration date should be set on every secret, and secrets should be rotated.
Remediation Steps
Azure Portal
Navigate to Key Vault.
Select the Key.
In the left navigation under Settings, select Secrets.
Select the active secret and set enabled to Yes.
Set the expiration date.
Azure CLI
To set an expiration date on a Key Vault secret (the --expires value is a UTC datetime in the form Y-m-d'T'H:M:S'Z'):
az keyvault secret set-attributes --name <secretName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z'
Azure Resource Manager
Ensure that a Microsoft.KeyVault/vaults/secrets resource contains the following, where the expiration date exp is set to a Unix timestamp in the future:
{
"properties": {
"attributes": {
"exp": 1700000000
}
}
}
Example Configuration
{
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2021-06-01-preview",
"properties": {
"attributes": {
"exp": 1700000000
}
}
# other required fields here
}
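The following is an added example, not part of the original rule text or of any Azure tooling. It shows how a reviewer can check an ARM template for secret resources whose exp attribute is missing or already in the past, and how to derive a matching --expires string for the CLI command and exp timestamp for the template from a chosen rotation interval. The template, resource names and the fixed reference time are constructed for the example.

```python
"""Audit Key Vault secret resources in an ARM template for missing or past expiration."""
import json
from datetime import datetime, timedelta, timezone

SECRET_TYPE = "Microsoft.KeyVault/vaults/secrets"

# Fixed "current time" so results are reproducible (constructed for the example).
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample template: one compliant secret, one already expired,
# one with no exp attribute at all, plus an unrelated resource that must be ignored.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": SECRET_TYPE, "name": "kv/dbPassword",
         "properties": {"attributes": {"exp": 4102444800}}},   # 2100-01-01T00:00:00Z
        {"type": SECRET_TYPE, "name": "kv/apiToken",
         "properties": {"attributes": {"exp": 1500000000}}},   # 2017, already in the past
        {"type": SECRET_TYPE, "name": "kv/legacyToken",
         "properties": {"attributes": {"enabled": True}}},     # never expires
        {"type": "Microsoft.Storage/storageAccounts", "name": "sa"},
    ]
})


def audit_secret_expirations(template_json, now=None):
    """Return {resource name: finding} for every Key Vault secret resource.

    Findings are "ok" (exp in the future), "expired" (exp at or before now)
    or "missing-exp" (no exp attribute, i.e. the secret never expires).
    `now` defaults to the real current UTC time and is injectable for tests.
    """
    now = now or datetime.now(timezone.utc)
    now_ts = int(now.timestamp())
    findings = {}
    for res in json.loads(template_json).get("resources", []):
        if res.get("type") != SECRET_TYPE:
            continue
        attrs = res.get("properties", {}).get("attributes", {})
        exp = attrs.get("exp")
        if exp is None:
            findings[res["name"]] = "missing-exp"
        elif int(exp) <= now_ts:
            findings[res["name"]] = "expired"
        else:
            findings[res["name"]] = "ok"
    return findings


def expires_arg(days_from_now, now=None):
    """Format a UTC datetime for `az keyvault secret set-attributes --expires`."""
    now = now or datetime.now(timezone.utc)
    return (now + timedelta(days=days_from_now)).strftime("%Y-%m-%dT%H:%M:%SZ")


def unix_exp(days_from_now, now=None):
    """Unix timestamp for the ARM `exp` attribute, the same instant as expires_arg()."""
    now = now or datetime.now(timezone.utc)
    return int((now + timedelta(days=days_from_now)).timestamp())


if __name__ == "__main__":
    for name, finding in audit_secret_expirations(SAMPLE_TEMPLATE).items():
        print(f"{name}: {finding}")
    # A 90-day rotation window, expressed for both remediation paths.
    print("--expires", expires_arg(90))
    print("exp", unix_exp(90))
```

Note that a literal exp such as 1700000000 in a template corresponds to 14 November 2023, so a template copied from documentation can ship a value that is already in the past at deployment time; the audit above flags that case as "expired" rather than treating any exp as compliant.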