Check for Microsoft Azure Key Vault keys that are about to expire and rotate them by creating a new version of each such key. Before the Cloud Conformity engine runs this rule, the number of days before expiration at which a key must be renewed has to be configured in the rule settings on the Cloud Conformity account dashboard.
This rule resolution is part of the Conformity Security & Compliance tool for Azure.
The expiration date attribute configured for an encryption key marks the point after which the Azure Key Vault key must no longer be used for cryptographic operations. Following cloud security best practices, every Microsoft Azure Key Vault key should have an explicit expiration time, so that the key can be renewed once it reaches the end of its assigned lifetime. To meet your organization's security and compliance requirements, Azure Key Vault keys must be renewed before their expiration date.
Note: This conformity rule assumes that your Azure Key Vault encryption keys have an expiration date already configured.
Audit
To determine if there are any Azure Key Vault keys that are about to expire soon within your Azure cloud account, perform the following operations:
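The check this rule performs, as an added example that is not part of the Conformity page or the Azure CLI: the records below are a constructed sample shaped like `az keyvault key list` JSON output (made-up vault and key names), the 30-day threshold stands in for the value configured in the rule settings, and "now" is pinned so the result is reproducible. Each key is classified against the threshold; keys with no expiry are surfaced as well because the rule assumes one is set.

```python
from datetime import datetime, timedelta, timezone
import json

# Stand-in for the "days before expiration" value held in the rule settings (assumed value).
RENEW_BEFORE_DAYS = 30

# Constructed sample mimicking the shape of `az keyvault key list --vault-name <vault> -o json`
# (only the fields used here); vault name, key names and version ids are made up.
SAMPLE_KEYS_JSON = """
[
  {"name": "cmk-storage", "kid": "https://example-kv.vault.azure.net/keys/cmk-storage/aaaa1111",
   "attributes": {"enabled": true, "expires": "2030-01-10T00:00:00+00:00"}},
  {"name": "cmk-sql", "kid": "https://example-kv.vault.azure.net/keys/cmk-sql/bbbb2222",
   "attributes": {"enabled": true, "expires": "2030-03-01T00:00:00+00:00"}},
  {"name": "legacy-key", "kid": "https://example-kv.vault.azure.net/keys/legacy-key/cccc3333",
   "attributes": {"enabled": true, "expires": "2029-12-01T00:00:00+00:00"}},
  {"name": "no-expiry", "kid": "https://example-kv.vault.azure.net/keys/no-expiry/dddd4444",
   "attributes": {"enabled": true, "expires": null}}
]
"""

def _parse_utc(iso_text):
    """Parse an ISO 8601 timestamp; treat a naive value as UTC."""
    ts = datetime.fromisoformat(iso_text)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def classify_key(key, now, renew_before_days):
    """Return 'no-expiry', 'expired', 'expiring' or 'ok' for one key record."""
    expires = key.get("attributes", {}).get("expires")
    if not expires:
        return "no-expiry"          # rule assumes an expiry exists; flag the gap anyway
    exp = _parse_utc(expires)
    if exp <= now:
        return "expired"            # already past its lifetime; should not be in use
    if exp - now <= timedelta(days=renew_before_days):
        return "expiring"           # inside the renewal window configured for the rule
    return "ok"

def audit_keys(keys_json, now_iso, renew_before_days=RENEW_BEFORE_DAYS):
    """Map each key name to its status for the given evaluation time (ISO 8601 string)."""
    now = _parse_utc(now_iso)
    return {k["name"]: classify_key(k, now, renew_before_days) for k in json.loads(keys_json)}

def keys_needing_rotation(keys_json, now_iso, renew_before_days=RENEW_BEFORE_DAYS):
    """Names of keys that need a new version (or an expiry) before the rule passes."""
    report = audit_keys(keys_json, now_iso, renew_before_days)
    return sorted(name for name, status in report.items() if status != "ok")

if __name__ == "__main__":
    for name, status in audit_keys(SAMPLE_KEYS_JSON, "2029-12-15T00:00:00+00:00").items():
        print(f"{name}: {status}")
```

In a real run the input would come from `az keyvault list` followed by `az keyvault key list` per vault, and each flagged key would be rotated by creating a new version with a fresh expiration date.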
Remediation / Resolution
To configure an expiration date for all your Microsoft Azure encryption keys in order to enforce periodic rotation, perform the following actions:
References
- Azure Official Documentation
- Azure Key Vault basic concepts
- CIS Microsoft Azure Foundations
- Azure Command Line Interface (CLI) Documentation
- az keyvault key
- az keyvault list
- az keyvault key list
- az keyvault key show
- az keyvault key set-attributes