All secrets in Non-RBAC Azure Key Vault should have an expiration time set

Description

To improve security, it is essential to ensure that all secrets in non-role-based access control (RBAC) Azure Key Vaults have an expiration date set. Azure Key Vault provides a secure way to store and manage secrets in the Microsoft Azure environment. By default, secrets in the key vault do not have an expiration date.

To mitigate the risk of unauthorized use and maintain data integrity, it is recommended to regularly rotate the secrets and assign explicit expiration dates. This practice ensures that the secrets cannot be used beyond their designated lifetimes, enhancing overall security.

The impact of setting expiration dates for secrets is that they will become invalid and unusable once their assigned expiry dates are reached. It is important to periodically rotate the secrets wherever they are utilized to ensure continued security.

Remediation

From the console

  1. Go to Key vaults.
  2. For each key vault, click Secrets.
  3. In the main pane, ensure that an appropriate Expiration date is set for any secrets.