Insecure service configuration - AKV Secret Expiration

Need

Enforce expiration dates for secrets stored in Azure Key Vault

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of AzureRM for managing Azure resources

Description

Non-compliant code

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_key_vault" "example" {
  name                = "examplevault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = var.tenant_id
  sku_name            = "standard"
}

resource "azurerm_key_vault_secret" "example" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id
}

The above Terraform code creates a resource group, a key vault and a secret in Azure. The vulnerability lies in the azurerm_key_vault_secret block, where the secret is created without an expiration date.

In this block:

resource "azurerm_key_vault_secret" "example" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id
}

The secret secret-sauce is stored in the key vault examplevault without an expiration date. This is a security risk because, if the secret is compromised, an attacker can keep using it indefinitely.

The best practice is to always set an expiration date for secrets to limit the time window in which a compromised secret can be used.

Steps

    1. Set the expiration_date property for the Azure Key Vault secret.
    2. Determine an appropriate expiration date for the secret.
    3. Update the azurerm_key_vault_secret resource block to include the expiration_date property.
    4. Deploy the updated Terraform configuration to apply the changes.

Compliant code

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_key_vault" "example" {
  name                = "examplevault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = var.tenant_id
  sku_name            = "standard"
}

resource "azurerm_key_vault_secret" "example" {
  name            = "secret-sauce"
  value           = "szechuan"
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = "2023-04-01T01:02:03Z" // Set the expiration date for the secret
}

The updated code includes an expiration_date property for the azurerm_key_vault_secret resource. This property is set to a specific date and time in the future, which represents when the secret will expire.

The expiration_date is written in the format "YYYY-MM-DDTHH:MM:SSZ" (the RFC 3339 profile of ISO 8601, with the trailing Z denoting UTC). In this example, the secret will expire on April 1, 2023, at 01:02:03 UTC.

By setting an expiration date for the secret, we ensure that the secret cannot be used indefinitely, reducing the potential impact of a compromised secret. After the secret has expired, it will need to be renewed before it can be used again, providing an opportunity to review and potentially update the secret.

After updating the Terraform configuration with the expiration_date property, you will need to deploy the configuration to apply the changes. This can be done using the terraform apply command.
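The following scan, added here as an example and not part of this page or of the AzureRM provider, flags azurerm_key_vault_secret blocks in Terraform text whose expiration_date is missing, malformed, or already in the past. The sample HCL is constructed from this page's snippets, EXAMPLE_NOW is a constructed reference time, and the block finder is a brace-matching approximation rather than a full HCL parser.

```python
"""Flag azurerm_key_vault_secret resources lacking a valid, still-future expiration_date."""
import re
from datetime import datetime, timezone

# Brace matching finds top-level resource blocks: enough for this page, not a full HCL parser.
RESOURCE_RE = re.compile(r'resource\s+"azurerm_key_vault_secret"\s+"([^"]+)"\s*\{')
EXPIRY_RE = re.compile(r'^\s*expiration_date\s*=\s*"([^"]*)"', re.MULTILINE)
EXAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time

# Constructed sample: the page's non-compliant and compliant secrets plus a far-future one.
SAMPLE_HCL = '''
resource "azurerm_key_vault_secret" "no_expiry" {
  name         = "secret-sauce"
  key_vault_id = azurerm_key_vault.example.id
}
resource "azurerm_key_vault_secret" "page_example" {
  name            = "secret-sauce"
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = "2023-04-01T01:02:03Z" // Set the expiration date for the secret
}
resource "azurerm_key_vault_secret" "rotated" {
  expiration_date = "2099-01-01T00:00:00Z"
}
'''

def _block_body(text, brace_idx):
    """Return the text between the brace at brace_idx and its matching close."""
    depth = 0
    for i in range(brace_idx, len(text)):
        depth += (text[i] == "{") - (text[i] == "}")
        if depth == 0:
            return text[brace_idx + 1:i]
    raise ValueError("unbalanced braces in HCL input")

def check_secret_expiry(hcl_text, now=None):
    """Return [(resource_name, finding)]; finding is ok, missing, malformed or expired."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for m in RESOURCE_RE.finditer(hcl_text):
        expiry = EXPIRY_RE.search(_block_body(hcl_text, m.end() - 1))
        if expiry is None:
            findings.append((m.group(1), "missing"))
            continue
        try:  # the provider expects RFC 3339 UTC, as on this page: YYYY-MM-DDTHH:MM:SSZ
            when = datetime.strptime(expiry.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            findings.append((m.group(1), "malformed"))
            continue
        findings.append((m.group(1), "ok" if when > now else "expired"))
    return findings
```

Run against the real configuration with check_secret_expiry(open("main.tf").read()) to catch a missing or already-elapsed expiry before terraform apply, complementing the vault-side view of each secret's expiry attribute.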