ensure-key-expiry
Default Severity: medium
Explanation
Expiration Date is an optional Key Vault Key behavior and is not set by default.
Set when the resource will be become inactive.
Possible Impact
Long life keys increase the attack surface when compromised
Suggested Resolution
Set an expiration date on the vault key
Insecure Example
The following example will fail the azure-keyvault-ensure-key-expiry check.
resource "azurerm_key_vault_key" "bad_example" {
name = "generated-certificate"
key_vault_id = azurerm_key_vault.example.id
key_type = "RSA"
key_size = 2048
key_opts = [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
]
}
Secure Example
The following example will pass the azure-keyvault-ensure-key-expiry check.
resource "azurerm_key_vault_key" "good_example" {
name = "generated-certificate"
key_vault_id = azurerm_key_vault.example.id
key_type = "RSA"
key_size = 2048
expiration_date = "1982-12-31T00:00:00Z"
key_opts = [
"decrypt",
"encrypt",
"sign",
"unwrapKey",
"verify",
"wrapKey",
]
}