- CNS Policies
- Azure Knowledge Base
- Azure Key Vaults
-
AWS Knowledge Base
- Amazon EKS
- Amazon RDS
- Amazon Kinesis
- AWS Organizations
- Amazon SQS (Simple Queue Service)
- AWS Cloudtrail
- AWS Certificate Manager
- AWS IAM
- AWS Workspaces
- Amazon S3
- AWS Systems Manager (AWS SSM)
- Amazon EC2
- Amazon Redshift
- Amazon EMR
- Amazon CloudFront
- Amazon DynamoDB
- Amazon Managed Workflows for Apache Airflow (MWAA)
- Amazon Route 53
- AWS Key Management Service (KMS)
- Amazon CloudWatch
- Amazon ElasticSearch
- AWS Database Migration Service
- AWS Config
- AWS X-Ray
- Amazon API Gateway
- Amazon Athena
- Amazon SageMaker
- AWS Elastic Load Balancing (ELB)
- AWS Lambda
- AWS Auto Scaling
- Amazon GuardDuty
- Amazon Elastic File System (Amazon EFS)
- Amazon Elastic Container Registry (Amazon ECR)
- AWS Glue
- Amazon Simple Notification Service (SNS)
- AWS Elastic Beanstalk
- AWS CodeBuild
- AWS Secrets Manager
- AWS Transfer Family
- Amazon Access Analyzer
-
Azure Knowledge Base
- Container Registries
- Azure Virtual Machines
- Network Security Group
- PostgreSQL
- Azure Monitor
- Azure Security Center
- SQL Databases
- SQL Servers
- Storage Accounts
- Azure Key Vaults
- Load Balancers
- App Services
- Azure Active Directory
- Activity Log
- Azure Policy
- Kubernetes Services
- Azure Resources
- Azure Cosmos DB
- CDN Profiles
- MySQL Servers
- Azure Virtual Network
- Azure Network Watcher
- Azure Cache for Redis
-
GCP Knowledge Base
- Google Cloud VPC
- Google Cloud IAM
- Google Cloud Load Balancing
- Google Cloud Logging
- Google Cloud Kubernetes Engine
- Google Cloud Pub/Sub
- Google Compute Engine
- Google Cloud Key Management Service (KMS)
- Google Cloud DNS
- Google Cloud Storage
- Google Cloud Dataproc
- Google Cloud SQL
- Google Cloud Spanner
- Google Cloud Deployment Manager
- Google Cloud BigQuery
- Google Cloud Dataflow
-
DigitalOcean Knowledge Base
Key Expiration Disabled
Risk Level: Low
Description
The plugin checks whether or not the expiration time is set for keys in the Azure key vault to ensure that the keys are changing after a certain time period. This restricts unused and forgotten keys to be reused.
About the Service
Key Vaults: Azure provides a facility to store and manage sensitive data such as certificates, user ids and passwords through key vaults service. The keys are embedded in the URL which reduces the accidental or intentional exposure of the keys.
Impact
Setting up an expiration period for the keys ensures that the key gets changed from time to time which is considered to be in accordance with cyber hygiene. The timely update in the keys will avoid the reuse of forgotten or unused keys.
Steps to Reproduce
- Log in to the Azure portal.
- Click on Key vaults under Services or type “Key vaults” in the search box.
- Select a subscription to examine the issue.
- From the navigation bar, go to keys under Settings.
- On the overview board, for the provided keys, if the Expiration date column is set to blank for any of the keys, visit the Steps to Remediation section.
- Repeat for other keys as well.
Steps for Remediation
- Log in to the Azure portal.
- Click on Key vaults under Services or type “Key vaults” in the search box.
- Select a subscription to examine the issue.
- From the navigation bar, go to keys under Settings.
- Select the encrypted key to enable the expiration and set a date.
- Click on the check box given in front of Set Expiration date, mention the expiry date and time and set the time zone as required in front of the Expiration date. Click on Save.
- Repeat for other keys as well.
Please feel free to reach out to support@pingsafe.ai with any questions that you may have.
Thanks
PingSafe Support