Skip to main content

Insecure service configuration - AKV Secret Expiration

Description

The secrets stored in Azure Key Vault do not set an expiration date.

Impact

Increase the chances of compromising sensitive secrets of the system.

Recommendation

Define an expiration date for Azure secrets by setting the expiration_date property.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: H
  • User interaction: N
  • Scope: U
  • Confidentiality: H
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code madurity: P
  • Remediation level: O
  • Report confidence: R

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:R
  • Score:
    • Base: 4.4
    • Temporal: 3.8
  • Severity:
    • Base: Medium
    • Temporal: Low

Code Examples

Compliant code

There is a correctly set expiration date on the azure secrets

resource "azurerm_key_vault_secret" "not_vulnerable" {
name = "kvAzsqlRevApphist"
expiration_date = "2020-12-30T20:00:00Z"
value = var.value_azsqlrevapphist
key_vault_id = data.azurerm_key_vault.kv.id
}

Non compliant code

The azure secrets do not have an expiration date or limit set

resource "azurerm_key_vault_secret" "vulnerable" {
name = "example"
value = var.value_azsqlrevapp
key_vault_id = data.azurerm_key_vault.kv.id
}

Using the Azure CLI, the following command checks the secret keys have an expiration date

$ az keyvault secret show
--id {Active_secret_key_id}
--query '{"expires":attributes.expires}'

If the command output returns null as value for the "expires" attribute, he selected AKV secret key does not have an expiration date configured

Details

https://docs.bridgecrew.io/docs/set-an-expiration-date-on-all-secrets

Requirements