# Enable Key Vault key auto-rotation
Security · Key Vault · Rule · 2022_09 · Important
Key Vault keys should have auto-rotation enabled.
## Description
Automated key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency.
Key rotation is often a cause of many application outages. It's critical that the rotation of keys be scheduled and automated to ensure effectiveness.
## Recommendation
Consider enabling auto-rotation on Key Vault keys.
## Examples
### Configure with Azure template
To set auto-rotation for a key:

- Set the `properties.rotationPolicy.lifetimeActions[*].action.type` property to `Rotate`.
- Set the `properties.rotationPolicy.lifetimeActions[*].trigger.timeAfterCreate` property to a time duration such as `P30D`.
For example (Azure Template snippet):

```json
{
  "type": "Microsoft.KeyVault/vaults/keys",
  "apiVersion": "2021-06-01-preview",
  "name": "[concat(parameters('vaultName'), '/', 'key1')]",
  "properties": {
    "keyOps": [
      "sign",
      "verify",
      "wrapKey",
      "unwrapKey",
      "encrypt",
      "decrypt"
    ],
    "keySize": 2048,
    "kty": "RSA",
    "rotationPolicy": {
      "lifetimeActions": [
        {
          "action": {
            "type": "Rotate"
          },
          "trigger": {
            "timeAfterCreate": "P18D"
          }
        },
        {
          "action": {
            "type": "Notify"
          },
          "trigger": {
            "timeAfterCreate": "P30D"
          }
        }
      ]
    }
  }
}
```
### Configure with Bicep
To set auto-rotation for a key:

- Set the `properties.rotationPolicy.lifetimeActions[*].action.type` property to `Rotate`.
- Set the `properties.rotationPolicy.lifetimeActions[*].trigger.timeAfterCreate` property to a time duration such as `P30D`.
For example (Azure Bicep snippet):

```bicep
resource vaultName_key1 'Microsoft.KeyVault/vaults/keys@2021-06-01-preview' = {
  parent: vaultName_resource
  name: 'key1'
  properties: {
    keyOps: [
      'sign'
      'verify'
      'wrapKey'
      'unwrapKey'
      'encrypt'
      'decrypt'
    ]
    keySize: 2048
    kty: 'RSA'
    rotationPolicy: {
      lifetimeActions: [
        {
          action: {
            type: 'rotate'
          }
          trigger: {
            timeAfterCreate: 'P18D'
          }
        }
        {
          action: {
            type: 'notify'
          }
          trigger: {
            timeAfterCreate: 'P30D'
          }
        }
      ]
    }
  }
}
```
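The check behind both the template and Bicep examples above is the same: every `Microsoft.KeyVault/vaults/keys` resource needs at least one `lifetimeActions` entry whose `action.type` is `Rotate` with a trigger. The following added example (not part of the rule's own implementation) applies that check to an exported ARM template. It compares the action type case-insensitively so both the `Rotate` and `rotate` spellings shown on this page pass, and it also accepts the `timeBeforeExpiry` trigger that Key Vault supports alongside `timeAfterCreate`; the template is constructed sample data.

```python
import json

# Constructed sample template: key1 mirrors the page's example (Rotate after
# P18D, Notify after P30D), key2 only notifies, key3 has no rotation policy.
TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.KeyVault/vaults/keys", "name": "vault1/key1",
   "properties": {"kty": "RSA", "rotationPolicy": {"lifetimeActions": [
     {"action": {"type": "Rotate"}, "trigger": {"timeAfterCreate": "P18D"}},
     {"action": {"type": "Notify"}, "trigger": {"timeAfterCreate": "P30D"}}]}}},
  {"type": "Microsoft.KeyVault/vaults/keys", "name": "vault1/key2",
   "properties": {"kty": "RSA", "rotationPolicy": {"lifetimeActions": [
     {"action": {"type": "Notify"}, "trigger": {"timeBeforeExpiry": "P30D"}}]}}},
  {"type": "Microsoft.KeyVault/vaults/keys", "name": "vault1/key3",
   "properties": {"kty": "RSA"}}
]}
""")


def has_auto_rotation(key_resource):
    """True if the key declares a Rotate lifetime action with a trigger,
    meaning Key Vault will generate new key versions on a schedule."""
    policy = key_resource.get("properties", {}).get("rotationPolicy") or {}
    for item in policy.get("lifetimeActions") or []:
        action_type = (item.get("action") or {}).get("type", "")
        trigger = item.get("trigger") or {}
        # Either trigger kind counts; a Rotate action without one never fires.
        if action_type.lower() == "rotate" and (
                trigger.get("timeAfterCreate") or trigger.get("timeBeforeExpiry")):
            return True
    return False


def keys_without_rotation(template):
    """Names of Microsoft.KeyVault/vaults/keys resources that fail the rule."""
    return [r["name"] for r in template.get("resources", [])
            if r.get("type", "").lower() == "microsoft.keyvault/vaults/keys"
            and not has_auto_rotation(r)]


if __name__ == "__main__":
    print(keys_without_rotation(TEMPLATE))  # ['vault1/key2', 'vault1/key3']
```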
## Links
- SE:09 Application secrets
- IM-3: Manage application identities securely and automatically
- Configure cryptographic key auto-rotation in Azure Key Vault
- Azure deployment reference