standard
turbot/azure_cis

Pipeline: 3.3.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services

Description

Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will incrementally increased.

Once set up, Automatic Private Key Rotation removes the need for manual administration when keys expire at intervals determined by your organization's policy. The recommended key lifetime is 2 years. Your organization should determine its own key expiration policy.

Remediation

Note: Azure CLI and Powershell use ISO8601 flags to input timespans. Every timespan input will be in the format P<timespanInISO8601Format>(Y,M,D). The leading P is required with it denoting period. The (Y,M,D) are for the duration of Year, Month,and Day respectively. A time frame of 2 years, 2 months, 2 days would be (P2Y2M2D).

From Azure Portal

  1. From Azure Portal select the Portal Menu in the top left.
  2. Select Key Vaults.
  3. Select a Key Vault to audit.
  4. Under Objects select Keys.
  5. Select a key to audit.
  6. In the top row select Rotation policy.
  7. Select an Expiry time.
  8. Set Enable auto rotation to Enabled.
  9. Set an appropriate Rotation option and Rotation time.
  10. Optionally set the Notification time.
  11. Select Save.
  12. Repeat steps 3-11 for each Key Vault and Key.

From Azure CLI

Run the following command for each key to update its policy to be auto-rotated:

az keyvault key rotation-policy update -n <keyName> --vault-name <vaultName> --value <path/to/policy.json>

Note: It is easiest to supply the policy flags in a .json file. An example json file would be:

{
"lifetimeActions": [
{
"trigger":
{
"timeAfterCreate": "<timespanInISO8601Format>",
"timeBeforeExpiry" : null
},
"action":
{
"type": "Rotate"
}
},
{
"trigger":
{
"timeBeforeExpiry" : "<timespanInISO8601Format>"
},
"action":
{
"type": "Notify"
}
}
],
"attributes":
{
"expiryTime": "<timespanInISO8601Format>"
}
}

From PowerShell

Run the following command for each key to update its policy:

Set-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -PolicyPath rotation_policy.json

Note: It is easiest to supply the policy flags in a .json file. An example json file would be:

<#
rotation_policy.json
{
"lifetimeActions":
[
{
"trigger": {
"timeAfterCreate": "P<timespanInISO8601Format>M",
"timeBeforeExpiry": null
},
"action": {
"type": "Rotate"
}
},
{
"trigger": {
"timeBeforeExpiry": "P<timespanInISO8601Format>D"
},
"action": {
"type": "Notify"
}
}
],
"attributes":
{
"expiryTime": "P<timespanInISO8601Format>Y"
}
}
#>

Default Value

By default, Automatic Key Rotation is not enabled.

Run the pipeline

To run this pipeline from your terminal:

flowpipe pipeline run azure_cis.pipeline.cis_v300_3_3_8

Use this pipeline

To call this pipeline from your pipeline, use a step:

step "pipeline" "step_name" {
pipeline = azure_cis.pipeline.cis_v300_3_3_8
}

Params

NameTypeRequiredDescriptionDefault
database
connection.steampipe
YesDatabase connection string.connection.steampipe.default
notifier
notifier
YesThe name of the notifier to use for sending notification messages.notifier.default
notification_level
string
YesThe verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'.info
approvers
list(notifier)
YesList of notifiers to be used for obtaining action/approval decisions.notifier.default

Outputs

This pipeline has no outputs.

Tags

folder = CIS v3.0.0/3 Security/3.3 Key Vault