9.3.9 Ensure automatic key rotation is enabled within Azure Key Vault

Information

Automated cryptographic key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency. A key rotation policy can be defined for each individual key.

Automatic key rotation reduces risk by ensuring that keys are rotated without manual intervention.

Azure and NIST recommend that keys be rotated every two years or less. Refer to 'Table 1: Suggested cryptoperiods for key types' on page 46 of NIST SP 800-57 Part 1 Revision 5 for more information:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Note: Azure CLI and PowerShell express time spans in the ISO 8601 duration format. The string starts with the required letter P (for "period"), followed by the number of years, months and days, each suffixed with Y, M or D respectively; a time frame of 2 years, 2 months and 2 days is written P2Y2M2D. In the policy, a Rotate action is triggered by either timeAfterCreate or timeBeforeExpiry (not both), a Notify action by timeBeforeExpiry, and attributes.expiryTime is a duration applied to each newly generated key version, not a calendar date. For Azure CLI and PowerShell, it is easiest to supply the policy in a JSON file, for example:

{
  "lifetimeActions": [
    {
      "trigger": {
        "timeAfterCreate": "P<timespanInISO8601Format>(Y,M,D)",
        "timeBeforeExpiry": null
      },
      "action": {
        "type": "Rotate"
      }
    },
    {
      "trigger": {
        "timeBeforeExpiry": "P<timespanInISO8601Format>(Y,M,D)"
      },
      "action": {
        "type": "Notify"
      }
    }
  ],
  "attributes": {
    "expiryTime": "P<timespanInISO8601Format>(Y,M,D)"
  }
}

Remediate from Azure Portal

- Go to Key Vaults
- Select a Key Vault.
- Under Objects select Keys
- Select a key.
- From the top row, select Rotation policy
- Select an appropriate Expiry time
- Set Enable auto rotation to Enabled
- Set an appropriate Rotation option and Rotation time
- Optionally, set a Notification time
- Click Save
- Repeat steps 1-10 for each Key Vault and Key.

Remediate from Azure CLI

Run the following command for each key to enable automatic rotation:

az keyvault key rotation-policy update --vault-name <vault-name> --name <key-name> --value <path/to/policy.json>

Remediate from PowerShell

Run the following command for each key to enable automatic rotation:

Set-AzKeyVaultKeyRotationPolicy -VaultName <vault-name> -Name <key-name> -PolicyPath <path/to/policy.json>
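The policy file and the remediation commands above handle one key at a time and do not check that the durations chosen actually satisfy the benchmark. The following Python is added here as a worked example; it is not the benchmark's or Microsoft's own tooling. It builds the policy document with concrete durations (rotate 18 months after creation, notify 30 days before expiry, two-year expiry) and audits a policy document against the "two years or less" rotation requirement, including the expiry-relative Rotate trigger, whose effective interval is expiryTime minus timeBeforeExpiry. It assumes a policy read back from a vault (for instance with `az keyvault key rotation-policy show --vault-name <vault-name> --name <key-name>` or `Get-AzKeyVaultKeyRotationPolicy`) has the same JSON shape as the file above; the three sample policies are constructed rather than captured from a real vault, and the 365-day year and 30-day month are an approximation used only for the comparison.

```python
"""Build and audit Azure Key Vault key rotation policies.

Added example, not part of the benchmark text. Assumes the policy JSON has the
shape of the policy file shown on this page; sample policies are constructed.
"""
import json
import re
from typing import Any, Dict, List, Optional

# ISO 8601 date duration as Key Vault uses it: P followed by optional nY, nM, nW, nD.
_DURATION_RE = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?$")

# "Two years or less" from the benchmark, counted in days (approximation).
MAX_ROTATION_DAYS = 2 * 365


def duration_to_days(value: str) -> int:
    """Approximate a duration such as 'P2Y2M2D' as days (1Y = 365, 1M = 30, 1W = 7).

    Durations with a time part (PT...) or a malformed prefix are rejected, not guessed.
    """
    match = _DURATION_RE.match(value or "")
    if not match or value == "P":
        raise ValueError(f"unsupported ISO 8601 duration: {value!r}")
    years, months, weeks, days = (int(g) if g else 0 for g in match.groups())
    return years * 365 + months * 30 + weeks * 7 + days


def build_policy(rotate_after: str, notify_before: str, expiry: str) -> Dict[str, Any]:
    """Return the policy document consumed by the CLI --value / PowerShell -PolicyPath file."""
    if duration_to_days(rotate_after) >= duration_to_days(expiry):
        raise ValueError("rotation must occur before the key version expires")
    return {
        "lifetimeActions": [
            {"trigger": {"timeAfterCreate": rotate_after, "timeBeforeExpiry": None},
             "action": {"type": "Rotate"}},
            {"trigger": {"timeBeforeExpiry": notify_before},
             "action": {"type": "Notify"}},
        ],
        "attributes": {"expiryTime": expiry},
    }


def audit_policy(policy: Optional[Dict[str, Any]]) -> List[str]:
    """Return findings for one key's rotation policy; an empty list means compliant."""
    if not policy:
        return ["no rotation policy set on this key"]
    expiry = (policy.get("attributes") or {}).get("expiryTime")
    rotate_actions = [
        a for a in policy.get("lifetimeActions") or []
        if str((a.get("action") or {}).get("type", "")).lower() == "rotate"
    ]
    if not rotate_actions:
        return ["no Rotate lifetime action: automatic rotation is disabled"]
    trigger = rotate_actions[0].get("trigger") or {}
    if trigger.get("timeAfterCreate"):
        # Interval counted from the creation of each key version.
        interval = duration_to_days(trigger["timeAfterCreate"])
    elif trigger.get("timeBeforeExpiry"):
        # Expiry-relative trigger: the interval is expiryTime minus the lead time.
        if not expiry:
            return ["Rotate trigger is expiry-relative but attributes.expiryTime is unset"]
        interval = duration_to_days(expiry) - duration_to_days(trigger["timeBeforeExpiry"])
    else:
        return ["Rotate action has no trigger"]
    if interval > MAX_ROTATION_DAYS:
        return [f"rotation interval is about {interval} days, more than the two-year maximum"]
    return []


# Constructed samples: one compliant key and two non-compliant ones.
COMPLIANT = build_policy(rotate_after="P18M", notify_before="P30D", expiry="P2Y")
NOTIFY_ONLY = {  # auto rotation disabled, only an expiry reminder configured
    "lifetimeActions": [{"trigger": {"timeBeforeExpiry": "P30D"},
                         "action": {"type": "Notify"}}],
    "attributes": {"expiryTime": "P1Y"},
}
TOO_LONG = {  # rotates 30 days before a three-year expiry, i.e. roughly every 35 months
    "lifetimeActions": [{"trigger": {"timeBeforeExpiry": "P30D"},
                         "action": {"type": "Rotate"}}],
    "attributes": {"expiryTime": "P3Y"},
}

if __name__ == "__main__":
    print(json.dumps(COMPLIANT, indent=2))  # save as policy.json for the commands above
    for name, pol in (("compliant", COMPLIANT), ("notify-only", NOTIFY_ONLY), ("too-long", TOO_LONG)):
        print(name, audit_policy(pol) or ["OK"])
```

Feed the JSON printed by the script to the `az keyvault key rotation-policy update` or `Set-AzKeyVaultKeyRotationPolicy` command shown above, and run `audit_policy` over the policy returned for each key to confirm the change took effect; a key with no policy, a Notify-only policy, or a rotation interval above two years is reported as a finding.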

Impact:

There is an additional cost for each scheduled key rotation.

See Also

https://workbench.cisecurity.org/benchmarks/19304