Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services

Overview

Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts, which allow access to keys within Key Vault. The number of supported applications will incrementally increase.

Rationale

Once set up, Automatic Private Key Rotation removes the need for manual administration when keys expire at intervals determined by your organization's policy. The recommended key lifetime is 2 years. Your organization should determine its key expiration policy.

Impact

There are additional costs per operation in running the needed applications.

Remediation guidance

Note: Azure CLI and Powershell use ISO8601 flags to input timespans. Every timespan input will be in the P<timespanInISO8601Format>(Y,M,D) format. The leading P is required with it denoting period. The (Y,M, and D) are for Year, Month, and Day, respectively. A time frame of 2 years, 2 months, 2 days would be (P2Y2M2D).

Remediate from Azure Portal

Open the key using the Open in Azure button.
Select a key to audit.
In the top row, select Rotation policy.
Select an Expiry time.
Set Enable auto rotation to Enabled.
Set an appropriate Rotation option and Rotation time.
Optionally set the Notification time.
Select Save.
Repeat steps 3-11 for each Key Vault and Key.

Remediate from Azure CLI

Run the following command for each key to update its policy to be auto-rotated:

az keyvault key rotation-policy update -n <keyName> --vault-name <vaultName> --value <path/to/policy.json>

Note: Supplying the policy flags in a .json file is easiest. An example JSON file would be:

{
  "lifetimeActions": [
    {
      "trigger": {
        "timeAfterCreate": "<timespanInISO8601Format>", 
        "timeBeforeExpiry": null
      },
      "action": {
        "type": "Rotate"
      }
    },
    {
      "trigger": {
        "timeBeforeExpiry": "<timespanInISO8601Format>"
      },
      "action": {
        "type": "Notify"
      }
    }
  ],
  "attributes": {
    "expiryTime": "<timespanInISO8601Format>"
  }
}

Remediate from PowerShell

Run the following command for each key to update its policy:

Set-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -PolicyPath rotation_policy.json

Note: Supplying the policy flags in a .json file is easiest. An example JSON file would be:

{
    "lifetimeActions": [
      {
        "trigger": {
          "timeAfterCreate": "P<timespanInISO8601Format>M",
          "timeBeforeExpiry": null
        },
        "action": {
          "type": "Rotate"
        }
      },
      {
        "trigger": {
          "timeBeforeExpiry": "P<timespanInISO8601Format>D"
        },
        "action": {
          "type": "Notify"
        }
      }
    ],
    "attributes": {
      "expiryTime": "P<timespanInISO8601Format>Y"
    }
  }

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

Execute the control-specific Console/CLI steps documented above for each flagged resource.
Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

Re-scan after each remediation batch.
Track exceptions with owner and expiry date.
Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Azure Key Vault keys without automatic rotation

Connectors

Microsoft Azure

Covered asset types

KMSKey

Expected check: eq []

{
  kmsKeys(where: { automaticRotationEnabled: false }) {
    ...AssetFragment
  }
}