
Insecure service configuration - AKV Secret Expiration - Azure


Need

Enforce expiration dates for secrets stored in Azure Key Vault


Context

  1. Usage of Terraform for Infrastructure as Code (IaC)
  2. Usage of AzureRM for managing Azure resources

Description

Insecure Code Example

provider "azurerm" {
  features {}
}

# Tenant that owns the Key Vault; declared so the configuration validates stand-alone
variable "tenant_id" {
  type = string
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_key_vault" "example" {
  name                = "examplevault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = var.tenant_id
  sku_name            = "standard"
}

# Insecure: no expiration_date, so the secret never expires
resource "azurerm_key_vault_secret" "example" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id
}

The above Terraform code creates a resource group, a key vault and a secret in Azure. The vulnerability lies in the `azurerm_key_vault_secret` block, where a secret is created without an expiration date. In this block:

```hcl
resource "azurerm_key_vault_secret" "example" {
  name         = "secret-sauce"
  value        = "szechuan"
  key_vault_id = azurerm_key_vault.example.id
}
```

the secret `secret-sauce` is stored in the key vault `examplevault` without an expiration date. This is a security risk: if the secret is compromised, it can be used indefinitely by an attacker. The best practice is to always set an expiration date for secrets, which limits the time window in which a compromised secret can be used.

Steps

  1. Set the `expiration_date` property for the Azure Key Vault secret.
  2. Determine an appropriate expiration date for the secret.
  3. Update the `azurerm_key_vault_secret` resource block to include the `expiration_date` property.
  4. Deploy the updated Terraform configuration to apply the changes.

Secure Code Example

provider "azurerm" {
  features {}
}

# Tenant that owns the Key Vault; declared so the configuration validates stand-alone
variable "tenant_id" {
  type = string
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_key_vault" "example" {
  name                = "examplevault"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = var.tenant_id
  sku_name            = "standard"
}

resource "azurerm_key_vault_secret" "example" {
  name            = "secret-sauce"
  value           = "szechuan"
  key_vault_id    = azurerm_key_vault.example.id
  expiration_date = "2023-04-01T01:02:03Z" # Set the expiration date for the secret (RFC 3339, UTC)
}

The updated code includes an `expiration_date` property for the `azurerm_key_vault_secret` resource. This property is set to a specific date and time in the future, which represents when the secret will expire. The `expiration_date` is set in the format "YYYY-MM-DDTHH:MM:SSZ", which is the ISO 8601 format. In this example, the secret will expire on April 1, 2023, at 01:02:03 UTC.

By setting an expiration date for the secret, we ensure that the secret cannot be used indefinitely, reducing the potential impact of a compromised secret. After the secret has expired, it will need to be renewed before it can be used again, providing an opportunity to review and potentially update the secret.

After updating the Terraform configuration with the `expiration_date` property, you will need to deploy the configuration to apply the changes. This can be done using the `terraform apply` command.
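To catch this misconfiguration before `terraform apply`, the check below walks a `terraform show -json` plan and reports every `azurerm_key_vault_secret` that has no `expiration_date`, one that has already passed, or one further out than an assumed maximum lifetime. This is an added example, not part of the original page or the AzureRM provider; the one-year limit and the sample plan are constructed for illustration.

```python
"""Policy check for Azure Key Vault secret expiry in a Terraform JSON plan."""
import json
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=365)  # assumed policy: a secret lives at most one year


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2023-04-01T01:02:03Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def iter_resources(module):
    """Yield resources from a plan module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_secret_expiry(plan, now=None):
    """Return [(address, finding), ...]; an empty list means every secret complies."""
    now = parse_ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("type") != "azurerm_key_vault_secret":
            continue
        exp = (res.get("values") or {}).get("expiration_date")
        if not exp:  # attribute absent or null: the secret never expires
            findings.append((res["address"], "no expiration_date set"))
        elif parse_ts(exp) <= now:
            findings.append((res["address"], f"expiration_date {exp} is in the past"))
        elif parse_ts(exp) - now > MAX_LIFETIME:
            findings.append((res["address"], f"expiration_date {exp} exceeds max lifetime"))
    return findings


# Constructed sample shaped like `terraform show -json tfplan` output (not a real plan).
SAMPLE_PLAN = json.loads("""{"planned_values": {"root_module": {"resources": [
  {"address": "azurerm_key_vault_secret.no_expiry", "type": "azurerm_key_vault_secret",
   "values": {"name": "secret-sauce", "expiration_date": null}},
  {"address": "azurerm_key_vault_secret.expired", "type": "azurerm_key_vault_secret",
   "values": {"name": "old", "expiration_date": "2023-04-01T01:02:03Z"}},
  {"address": "azurerm_key_vault_secret.too_long", "type": "azurerm_key_vault_secret",
   "values": {"name": "longlived", "expiration_date": "2030-01-01T00:00:00Z"}},
  {"address": "azurerm_key_vault_secret.ok", "type": "azurerm_key_vault_secret",
   "values": {"name": "fresh", "expiration_date": "2024-03-01T00:00:00Z"}},
  {"address": "azurerm_resource_group.example", "type": "azurerm_resource_group",
   "values": {"name": "example-resources"}}]}}}""")

if __name__ == "__main__":
    for address, finding in check_secret_expiry(SAMPLE_PLAN, now="2023-09-18T00:00:00Z"):
        print(f"{address}: {finding}")
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and pass the loaded JSON to `check_secret_expiry`.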


References

  • 401 - Insecure service configuration - AKV Secret Expiration

Last updated: 2023/09/18