Enforce expiration dates for secrets stored in Azure Key Vault
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_key_vault" "example" {
  name                = "examplevault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = var.tenant_id
  sku_name            = "standard"
}

resource "azurerm_key_vault_secret" "example" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id
}
The Terraform code above creates a resource group, a key vault and a secret in Azure. The problem is in the azurerm_key_vault_secret block, where the secret is created without an expiration date.

In this block:

resource "azurerm_key_vault_secret" "example" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id
}

the secret secret-sauce is stored in the key vault examplevault with no expiration_date, so it remains valid indefinitely. If the value leaks, or an attacker obtains read access to the vault, nothing forces the secret out of use: it keeps working until someone notices and rotates it by hand. Note as well that the value is hard-coded in the configuration, so it also lives in source control and in Terraform state; adding an expiration date does not change that, and a real deployment should take the value from a sensitive variable or generate it.
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_key_vault" "example" {
  name                = "examplevault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = var.tenant_id
  sku_name            = "standard"
}

resource "azurerm_key_vault_secret" "example" {
  name            = "secret-sauce"
  value           = "szechuan"
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = "2023-04-01T01:02:03Z" # Set the expiration date for the secret (UTC, RFC 3339)
}
The updated code adds an expiration_date argument to the azurerm_key_vault_secret resource. Its value is the point in time at which the secret expires, written as an RFC 3339 / ISO 8601 UTC timestamp in the form "YYYY-MM-DDTHH:MM:SSZ"; in this example the secret expires on April 1, 2023, at 01:02:03 UTC. Because the value is a fixed literal, it must still be in the future at the time the configuration is applied, and it has to be moved forward (ideally together with a new secret value) before every expiry.

Setting an expiration date bounds the lifetime of the secret, which limits the damage from a compromised value: an attacker who obtains it cannot rely on it working indefinitely. Once the secret has expired it has to be renewed (a new version with a fresh value and a new expiration date) before it can be used again, which forces a periodic review. Key Vault also publishes a SecretNearExpiry event through Event Grid ahead of the date, so the expiration can drive scheduled rotation instead of causing an outage. Expiration alone rotates nothing, however; it is a deadline that a rotation process still has to meet.
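A fixed date literal goes stale, and computing one with timeadd(timestamp(), ...) is worse: timestamp() is re-evaluated on every plan, so the secret shows a change on every run. The configuration below is an added example, not code from the original page: it uses the hashicorp/time provider's time_rotating resource to pin an expiration date in state that only rolls forward at the end of each window, and ties the secret value to the same window with random_password so that value and expiry rotate together. The 90-day window, the resource names time_rotating.secret_sauce and random_password.secret_sauce, and the reuse of azurerm_key_vault.example from the code above are assumptions.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    time    = { source = "hashicorp/time" }
    random  = { source = "hashicorp/random" }
  }
}

# Assumed rotation window. The resource is recreated once rotation_rfc3339 has
# passed, which changes its id and its rotation_rfc3339 attribute.
resource "time_rotating" "secret_sauce" {
  rotation_days = 90
}

# A new value is generated whenever the rotation window rolls over, because the
# keeper (the time_rotating id) changes. The result is marked sensitive by the
# provider, but like every Terraform-managed secret it is stored in state.
resource "random_password" "secret_sauce" {
  length  = 32
  special = true
  keepers = {
    rotation = time_rotating.secret_sauce.id
  }
}

# Expiration is derived from the same window as the value, so the secret can
# never be valid beyond the end of its rotation period.
resource "azurerm_key_vault_secret" "example" {
  name            = "secret-sauce"
  value           = random_password.secret_sauce.result
  key_vault_id    = azurerm_key_vault.example.id # vault defined earlier on this page
  expiration_date = time_rotating.secret_sauce.rotation_rfc3339
}
```

Consumers still have to pick up the new version when it is published; Terraform only guarantees that the stored secret and its expiration date move together, and that a plan run after the window has passed replaces both rather than silently extending the old value.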
After adding the expiration_date argument, run terraform plan to review the change and terraform apply to deploy it. Then confirm that the secret's expires attribute is populated (in the portal, or in the attributes returned by the Azure CLI) and check the vault's other secrets for the same gap.