Automatic key rotation in Azure Key Vault is not enabled Affecting Key Vault service in Azure


Severity: medium
Severity framework: Snyk CCSS
Rule category: Keys and Secrets / Lifecycle

Frameworks
  • Snyk ID: SNYK-CC-00791
  • Credit: Snyk Research Team

Description

Failure to enable automatic key rotation in Azure Key Vault may result in the prolonged use of potentially compromised keys, increasing the risk of unauthorized data access. Automatic rotation helps maintain key freshness and reduces the window of opportunity for attackers to exploit static keys.

How to fix?

Set the rotation_policy.automatic attribute in the azurerm_key_vault_key resource.

Example Configuration


data "azurerm_resource_group" "snyk" {
  name = "Snyk-phase4"
}

data "azurerm_client_config" "current" {}

resource "azurerm_key_vault" "snyk-vault" {
  name                       = "snyk00791-policy"
  location                   = data.azurerm_resource_group.snyk.location
  resource_group_name        = data.azurerm_resource_group.snyk.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "premium"
  soft_delete_retention_days = 7

  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    # GetRotationPolicy/SetRotationPolicy are needed to manage the key's rotation policy
    key_permissions = [
      "Create",
      "Delete",
      "Get",
      "Purge",
      "Recover",
      "Update",
      "GetRotationPolicy",
      "SetRotationPolicy"
    ]

    secret_permissions = [
      "Set",
    ]
  }
}

resource "azurerm_key_vault_key" "allowed" {
  name         = "keyvault-snyk00791"
  key_vault_id = azurerm_key_vault.snyk-vault.id
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]

  # Automatic rotation: a new key version is created 30 days before each version expires
  rotation_policy {
    automatic {
      time_before_expiry = "P30D"
    }

    expire_after         = "P90D"
    notify_before_expiry = "P29D"
  }
}
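The same control can be audited before `terraform apply`. The following is an added example, not code from the Snyk rule page: a Python check over `terraform show -json` plan output that flags every azurerm_key_vault_key resource whose rotation_policy has no automatic block with a trigger. The SAMPLE_PLAN input is constructed, and the nested-block-as-list layout of plan JSON is an assumption.

```python
"""Flag azurerm_key_vault_key resources with no rotation_policy.automatic block
in `terraform show -json` plan output. Added example, not part of the Snyk rule."""
import json

# Constructed sample of a `terraform show -json` plan (only the fields this
# check reads). Two keys: one rotates automatically, one never does.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"address": "azurerm_key_vault_key.allowed",
         "type": "azurerm_key_vault_key",
         "values": {"name": "keyvault-snyk00791",
                    "rotation_policy": [{
                        "automatic": [{"time_before_expiry": "P30D",
                                       "time_after_creation": None}],
                        "expire_after": "P90D",
                        "notify_before_expiry": "P29D"}]}},
        {"address": "azurerm_key_vault_key.static",
         "type": "azurerm_key_vault_key",
         "values": {"name": "keyvault-static", "rotation_policy": []}},
    ]}}})


def iter_resources(module):
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def has_automatic_rotation(values):
    """True when rotation_policy.automatic carries at least one trigger.
    Nested blocks are rendered as lists in plan JSON (assumed layout)."""
    for policy in values.get("rotation_policy") or []:
        for auto in policy.get("automatic") or []:
            if auto.get("time_before_expiry") or auto.get("time_after_creation"):
                return True
    return False


def find_unrotated_keys(plan_json):
    """Return addresses of Key Vault keys lacking automatic rotation."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    return [r["address"] for r in iter_resources(root)
            if r.get("type") == "azurerm_key_vault_key"
            and not has_automatic_rotation(r.get("values", {}))]


if __name__ == "__main__":
    for addr in find_unrotated_keys(SAMPLE_PLAN):
        print(f"SNYK-CC-00791: {addr} has no rotation_policy.automatic block")
```

Rotation creates a new key version rather than replacing the key in place, so clients that reference a specific version identifier keep using the old version; review those callers when enabling the policy.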