MEDIUM
Source
CloudSploit
ID
key-expiration-enabled

Key Expiration Enabled

Ensure that all Keys in Azure Key Vault have an expiry time set.

Setting an expiry time on every key forces key rotation and stops unused or forgotten keys from remaining usable indefinitely. An expiry date by itself only causes the key to stop working once it is reached; pairing it with a rotation policy is what actually replaces the key before that happens.

Follow the appropriate remediation steps below to resolve the issue.

  1. Log into the Microsoft Azure Management Console.

  2. In the search bar at the top, search for Vaults and select “Key Vaults” from the search results.

  3. On the Key Vaults page, select a key vault by clicking its “Name” link to access its configuration.

  4. Scroll down and click “Keys” in the navigation pane on the left. Then, from the list of keys, select a key that shows no date in the “Expiration date” column.

  5. In the key versions pane that opens, click the “Rotation Policy” button at the top.

  6. In the Rotation policy pane, click the “Expiry time” textbox and enter 28. From the units dropdown next to the textbox, select “days”.

  7. Under the Rotation section, turn on “Enable auto rotation” by selecting the “Enabled” radio button.

  8. Select “Automatically renew at a given time after creation” for “Rotation option”.

  9. For “Rotation time” enter 18 and select “days” as the unit of time.

  10. Finally, click “Save” at the top of the pane to complete the changes.

  11. Repeat steps 3 - 10 for all other key vaults and keys without an expiration date. The expiry interval in the rotation policy applies to key versions created by future rotations; if the current version still shows no expiration date after saving, set one on it directly.
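The same check and remediation, scripted against the Azure CLI so it can be run across many vaults instead of clicked through one key at a time. This is an added example, not CloudSploit's plugin code or anything from the page above. It assumes the `az keyvault key list`, `az keyvault key set-attributes --expires` and `az keyvault key rotation-policy update --value <file>` commands and Azure's documented rotation-policy JSON shape (`lifetimeActions` plus `attributes.expiryTime`, ISO 8601 durations); the key list it parses is constructed sample output rather than a real vault, and the vault and key names are placeholders. The day-count limits it enforces (28-day minimum expiry, rotation at least 7 days after creation and 7 days before expiry) are Azure's stated constraints for auto-rotation.

```python
"""Find Azure Key Vault keys with no expiry and build the az CLI remediation.

Added example, not CloudSploit's own code. Assumes the Azure CLI commands
named below and Azure's documented rotation-policy JSON format; the key
list used here is a constructed sample, not real vault output.
"""
import json
from datetime import datetime, timedelta, timezone

MIN_EXPIRY_DAYS = 28      # Azure minimum for the policy expiry interval
MIN_ROTATION_GAP_DAYS = 7  # rotate >= 7 days after creation and >= 7 days before expiry

# Constructed sample of `az keyvault key list --vault-name kv-prod -o json`,
# trimmed to the fields the check needs. kv-prod and the key names are placeholders.
SAMPLE_KEY_LIST = json.dumps([
    {"name": "app-signing",
     "kid": "https://kv-prod.vault.azure.net/keys/app-signing",
     "attributes": {"enabled": True, "expires": None}},
    {"name": "db-wrap",
     "kid": "https://kv-prod.vault.azure.net/keys/db-wrap",
     "attributes": {"enabled": True, "expires": "2025-12-01T00:00:00+00:00"}},
    {"name": "legacy-disabled",
     "kid": "https://kv-prod.vault.azure.net/keys/legacy-disabled",
     "attributes": {"enabled": False, "expires": None}},
])


def keys_missing_expiry(key_list_json, include_disabled=False):
    """Return the names of keys whose current version has no expiry set.

    Disabled keys are skipped by default; pass include_disabled=True to
    report them too (they cannot be used, but still clutter the vault).
    """
    missing = []
    for key in json.loads(key_list_json):
        attrs = key.get("attributes", {})
        if not include_disabled and not attrs.get("enabled", True):
            continue
        if attrs.get("expires") is None:
            missing.append(key["name"])
    return missing


def validate_policy_days(expiry_days, rotate_after_days):
    """Reject day counts Azure will not accept for an auto-rotation policy."""
    if expiry_days < MIN_EXPIRY_DAYS:
        raise ValueError(f"expiry must be at least {MIN_EXPIRY_DAYS} days")
    if rotate_after_days < MIN_ROTATION_GAP_DAYS:
        raise ValueError(f"rotation must be at least {MIN_ROTATION_GAP_DAYS} days after creation")
    if expiry_days - rotate_after_days < MIN_ROTATION_GAP_DAYS:
        raise ValueError(f"rotation must be at least {MIN_ROTATION_GAP_DAYS} days before expiry")


def rotation_policy(expiry_days=28, rotate_after_days=18, notify_before_days=7):
    """Build the policy body for `az keyvault key rotation-policy update --value`.

    Defaults match the portal steps above: 28-day expiry, rotate 18 days
    after creation. A Notify action fires before expiry so a missed rotation
    is visible in Event Grid rather than discovered as an outage.
    """
    validate_policy_days(expiry_days, rotate_after_days)
    return {
        "lifetimeActions": [
            {"trigger": {"timeAfterCreate": f"P{rotate_after_days}D", "timeBeforeExpiry": None},
             "action": {"type": "Rotate"}},
            {"trigger": {"timeBeforeExpiry": f"P{notify_before_days}D"},
             "action": {"type": "Notify"}},
        ],
        "attributes": {"expiryTime": f"P{expiry_days}D"},
    }


def remediation_commands(vault, key_names, expiry_days=28,
                         policy_file="rotation-policy.json", now=None):
    """Return the az commands that fix each listed key.

    The policy's expiry interval only governs versions created by future
    rotations, so the current version gets an explicit --expires as well.
    """
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=expiry_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    cmds = []
    for name in key_names:
        cmds.append(f"az keyvault key set-attributes --vault-name {vault} "
                    f"--name {name} --expires {expires}")
        cmds.append(f"az keyvault key rotation-policy update --vault-name {vault} "
                    f"--name {name} --value {policy_file}")
    return cmds


if __name__ == "__main__":
    vault = "kv-prod"  # placeholder; in practice iterate `az keyvault list`
    with open("rotation-policy.json", "w") as fh:
        json.dump(rotation_policy(), fh, indent=2)
    for cmd in remediation_commands(vault, keys_missing_expiry(SAMPLE_KEY_LIST)):
        print(cmd)
```

Run the printed commands with an identity that holds key write and rotation-policy permissions on the vault (the Key Vault Crypto Officer role covers both), then re-run the list query to confirm `attributes.expires` is no longer null on any enabled key. Consumers must tolerate new key versions appearing on rotation; a client that pins a specific version URL will keep using the old version until it expires and then fail.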