Microsoft AzureOverview
Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts, which allow access to keys within Key Vault. The number of supported applications will incrementally increase.
Rationale
Once set up, Automatic Private Key Rotation removes the need for manual administration when keys expire at intervals determined by your organization's policy. The recommended key lifetime is 2 years. Your organization should determine its key expiration policy.
Impact
There are additional costs per operation in running the needed applications.
Remediation guidance
Note:
Azure CLI and Powershell use ISO8601 flags to input timespans. Every timespan input will be in the P<timespanInISO8601Format>(Y,M,D) format. The leading P is required with it denoting period. The (Y,M, and D) are for Year, Month, and Day, respectively. A time frame of 2 years, 2 months, 2 days would be (P2Y2M2D).
Remediate from Azure Portal
- Open the key using the
Open in Azurebutton. - Select a key to audit.
- In the top row, select
Rotation policy. - Select an
Expiry time. - Set
Enable auto rotationtoEnabled. - Set an appropriate
Rotation optionandRotation time. - Optionally set the
Notification time. - Select
Save. - Repeat steps 3-11 for each Key Vault and Key.
Remediate from Azure CLI
Run the following command for each key to update its policy to be auto-rotated:
az keyvault key rotation-policy update -n <keyName> --vault-name <vaultName> --value <path/to/policy.json>
Note: Supplying the policy flags in a .json file is easiest. An example JSON file would be:
{
"lifetimeActions": [
{
"trigger": {
"timeAfterCreate": "<timespanInISO8601Format>",
"timeBeforeExpiry": null
},
"action": {
"type": "Rotate"
}
},
{
"trigger": {
"timeBeforeExpiry": "<timespanInISO8601Format>"
},
"action": {
"type": "Notify"
}
}
],
"attributes": {
"expiryTime": "<timespanInISO8601Format>"
}
}
Remediate from PowerShell
Run the following command for each key to update its policy:
Set-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -PolicyPath rotation_policy.json
Note: Supplying the policy flags in a .json file is easiest. An example JSON file would be:
{
"lifetimeActions": [
{
"trigger": {
"timeAfterCreate": "P<timespanInISO8601Format>M",
"timeBeforeExpiry": null
},
"action": {
"type": "Rotate"
}
},
{
"trigger": {
"timeBeforeExpiry": "P<timespanInISO8601Format>D"
},
"action": {
"type": "Notify"
}
}
],
"attributes": {
"expiryTime": "P<timespanInISO8601Format>Y"
}
}
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Azure Key Vault keys without automatic rotation
Connectors
Covered asset types
Expected check: eq []
{
kmsKeys(where: { automaticRotationEnabled: false }) {
...AssetFragment
}
}
