chore(azure): enhance metadata for keyvault service (#9621)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
Rubén De la Torre Vico
2026-02-17 11:57:27 +01:00
committed by GitHub
parent 8438a94203
commit f8d0be311c
11 changed files with 196 additions and 125 deletions


@@ -38,6 +38,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update GCP IAM service metadata to new format [(#9646)](https://github.com/prowler-cloud/prowler/pull/9646)
- Update GCP KMS service metadata to new format [(#9647)](https://github.com/prowler-cloud/prowler/pull/9647)
- Update GCP Logging service metadata to new format [(#9648)](https://github.com/prowler-cloud/prowler/pull/9648)
- Update Azure Key Vault service metadata to new format [(#9621)](https://github.com/prowler-cloud/prowler/pull/9621)
### 🔐 Security
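Review bot: the new changelog entry describes this as a pure format update, but the patch also changes severities (keyvault_logging_enabled goes from medium to high, keyvault_non_rbac_secret_expiration_set from high to medium) and empties the concrete `ResourceIdTemplate` of keyvault_access_only_through_private_endpoints; those are behavioural changes for anyone consuming the metadata and deserve a mention in the entry or a sentence right after it.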


@@ -1,30 +1,38 @@
{
"Provider": "azure",
"CheckID": "keyvault_access_only_through_private_endpoints",
"CheckTitle": "Ensure that public network access when using private endpoint is disabled.",
"CheckTitle": "Key Vault using private endpoints has public network access disabled",
"CheckType": [],
"ServiceName": "keyvault",
"SubServiceName": "",
"ResourceIdTemplate": "/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.KeyVault/vaults/{vault_name}",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KeyVault",
"ResourceType": "microsoft.keyvault/vaults",
"ResourceGroup": "security",
"Description": "Checks if Key Vaults with private endpoints have public network access disabled.",
"Risk": "Allowing public network access to Key Vault when using private endpoint can expose sensitive data to unauthorized access.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/key-vault/general/network-security",
"Description": "**Azure Key Vaults** configured with **private endpoints** have **public network access** set to `Disabled`, so connectivity occurs only over the private link.",
"Risk": "Internet exposure alongside a **private endpoint** breaks isolation and expands attack surface:\n- Brute-force or token replay on the data plane\n- Abuse of misconfigured allowlists or trusted bypass\n- DDoS on the public endpoint\nThis can enable secret exfiltration or unauthorized key use, impacting **confidentiality** and **integrity**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://support.icompaas.com/support/solutions/articles/62000234050-ensure-that-public-network-access-when-using-private-endpoint-is-disabled-automated-",
"https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview",
"https://learn.microsoft.com/en-us/azure/key-vault/general/network-security"
],
"Remediation": {
"Code": {
"CLI": "az keyvault update --resource-group <resource_group> --name <vault_name> --public-network-access disabled",
"NativeIaC": "{\n \"type\": \"Microsoft.KeyVault/vaults\",\n \"apiVersion\": \"2022-07-01\",\n \"properties\": {\n \"publicNetworkAccess\": \"disabled\"\n }\n}",
"Terraform": "resource \"azurerm_key_vault\" \"example\" {\n # ... other configuration ...\n\n public_network_access_enabled = false\n}",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/KeyVault/use-private-endpoints.html"
"CLI": "az keyvault update --resource-group <resource_group> --name <vault_name> --public-network-access Disabled",
"NativeIaC": "```bicep\n// Disable public network access for the Key Vault\nresource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {\n name: '<example_resource_name>'\n location: '<location>'\n properties: {\n tenantId: '<tenant_id>'\n sku: {\n name: 'standard'\n family: 'A'\n }\n publicNetworkAccess: 'Disabled' // Critical: disables public access so only private endpoints are used\n }\n}\n```",
"Other": "1. In the Azure portal, go to Key vaults and select your vault\n2. Open Networking\n3. Under Public access, set Public network access to Disabled\n4. Click Save",
"Terraform": "```hcl\nresource \"azurerm_key_vault\" \"kv\" {\n name = \"<example_resource_name>\"\n location = \"<location>\"\n resource_group_name = \"<example_resource_name>\"\n tenant_id = \"<tenant_id>\"\n sku_name = \"standard\"\n\n public_network_access_enabled = false # Critical: disables public access when using private endpoints\n}\n```"
},
"Recommendation": {
"Text": "Disable public network access for Key Vaults that use private endpoint to ensure network traffic only flows through the private endpoint.",
"Url": "https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview"
"Text": "Restrict access to **private endpoints** only:\n- Set `publicNetworkAccess` to `Disabled`\n- Avoid broad allowlists; limit `Trusted services`\n- Use private DNS with controlled egress\n- Enforce **least privilege** and monitor access logs\nThis sustains **defense in depth** and prevents Internet exposure.",
"Url": "https://hub.prowler.com/check/keyvault_access_only_through_private_endpoints"
}
},
"Categories": [],
"Categories": [
"internet-exposed",
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
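Review bot: this check only applies to vaults that already have a private endpoint, yet `DependsOn` and `RelatedTo` stay empty; consider listing keyvault_private_endpoints in `RelatedTo` so the two findings are linked. Two smaller points: `ResourceIdTemplate` goes from a usable ARM path template to an empty string, which drops information the other checks in this patch never had, and the icompaas support article in `AdditionalURLs` is a weaker reference than the Microsoft network-security page already listed, so it could be removed.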


@@ -1,30 +1,37 @@
{
"Provider": "azure",
"CheckID": "keyvault_key_expiration_set_in_non_rbac",
"CheckTitle": "Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults.",
"CheckTitle": "Key Vault without RBAC authorization has expiration date set for all enabled keys",
"CheckType": [],
"ServiceName": "keyvault",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KeyVault",
"ResourceType": "microsoft.keyvault/vaults",
"ResourceGroup": "security",
"Description": "Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.",
"Risk": "Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for a cryptographic operation. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.",
"RelatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis",
"Description": "**Azure Key Vaults** using access **policies (non-RBAC)** are assessed to confirm all **enabled keys** have an `expiration` (`exp`) defined. The finding highlights keys in these vaults that lack a set lifetime.",
"Risk": "Non-expiring keys enable indefinite use, degrading **confidentiality** and **integrity**. Stale or compromised keys can decrypt data, forge signatures, and maintain persistence. Absent lifetimes weaken rotation discipline and impede timely revocation, increasing exposure to cryptographic and operational drift.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
"https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#key-vault-keys",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/azure/KeyVault/key-expiration-check.html#"
],
"Remediation": {
"Code": {
"CLI": "az keyvault key set-attributes --name <keyName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z'",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/KeyVault/key-expiration-check.html#",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/set-an-expiration-date-on-all-keys#terraform"
"CLI": "az keyvault key set-attributes --vault-name <example_resource_name> --name <example_resource_name> --expires 2030-01-01T00:00:00Z",
"NativeIaC": "```bicep\n// Set expiration on a Key Vault key\nresource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {\n name: '<example_resource_name>'\n}\n\nresource key 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {\n name: '<example_resource_name>'\n parent: kv\n properties: {\n kty: 'RSA'\n attributes: {\n exp: 1893456000 // CRITICAL: sets the key expiration (Unix epoch seconds) to pass the check\n }\n }\n}\n```",
"Other": "1. In the Azure portal, go to Key vaults and open the vault\n2. Select Keys and choose the enabled key that failed\n3. Open the current version and click Edit (or Update)\n4. Set Expiration date (UTC) to a future date\n5. Click Save",
"Terraform": "```hcl\nresource \"azurerm_key_vault_key\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n key_vault_id = \"<example_resource_id>\"\n key_type = \"RSA\"\n\n expires_on = \"2030-01-01T00:00:00Z\" # CRITICAL: sets key expiration to pass the check\n}\n```"
},
"Recommendation": {
"Text": "From Azure Portal: 1. Go to Key vaults. 2. For each Key vault, click on Keys. 3. In the main pane, ensure that an appropriate Expiration date is set for any keys that are Enabled. From Azure CLI: Update the Expiration date for the key using the below command: az keyvault key set-attributes --name <keyName> --vault-name <vaultName> -- expires Y-m-d'T'H:M:S'Z' Note: To view the expiration date on all keys in a Key Vault using Microsoft API, the 'List' Key permission is required. To update the expiration date for the keys: 1. Go to the Key vault, click on Access Control (IAM). 2. Click on Add role assignment and assign the role of Key Vault Crypto Officer to the appropriate user. From PowerShell: Set-AzKeyVaultKeyAttribute -VaultName <VaultName> -Name <KeyName> -Expires <DateTime>",
"Url": "https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys"
"Text": "Set an `expiration` on all keys and enforce **automated rotation** with advance alerts. Retire or disable old versions promptly and rotate after any suspected exposure. Apply **least privilege** and **separation of duties** for key administration. Prefer standardized lifecycle policies (e.g., RBAC-based governance) to enforce consistent control.",
"Url": "https://hub.prowler.com/check/keyvault_key_expiration_set_in_non_rbac"
}
},
"Categories": [],
"Categories": [
"encryption"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "Keys cannot be used beyond their assigned expiration dates respectively. Keys need to be rotated periodically wherever they are used."
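Review bot: the CLI line uses `<example_resource_name>` for both `--vault-name` and `--name`, and the Bicep does the same for the vault and the key, which reads as if the key were named after its vault; distinct placeholders such as `<vault_name>` and `<key_name>` (the style the secret check's CLI keeps) would avoid that. The Terraform resource label `"<example_resource_name>"` is not a valid HCL identifier; the rotation check uses a plain label (`"key"`), which is the safer pattern to copy. The epoch value `exp: 1893456000` in the Bicep does match the `2030-01-01T00:00:00Z` used in the CLI and Terraform, so the three snippets agree on the date.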


@@ -1,30 +1,37 @@
{
"Provider": "azure",
"CheckID": "keyvault_key_rotation_enabled",
"CheckTitle": "Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services",
"CheckTitle": "Key Vault key has automatic rotation enabled",
"CheckType": [],
"ServiceName": "keyvault",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KeyVault",
"ResourceType": "microsoft.keyvault/vaults",
"ResourceGroup": "security",
"Description": "Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will incrementally increased.",
"Risk": "Once set up, Automatic Private Key Rotation removes the need for manual administration when keys expire at intervals determined by your organization's policy. The recommended key lifetime is 2 years. Your organization should determine its own key expiration policy.",
"RelatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation",
"Description": "**Azure Key Vault** keys configured with a **rotation policy** that includes a `Rotate` lifetime action.\n\nThe evaluation looks for lifetime actions that schedule automatic key version creation; keys without this policy are not configured for auto-rotation.",
"Risk": "Without **auto-rotation**, keys may outlive policy, increasing exposure if material is leaked and weakening **confidentiality**.\n\nExpired keys without planned rollover can break decrypt/unwrap operations, impacting **availability**. Long-lived keys hinder incident response and enable prolonged misuse of stale versions.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview#update-the-key-version",
"https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation",
"https://www.techtarget.com/searchcloudcomputing/tutorial/How-to-perform-and-automate-key-rotation-in-Azure-Key-Vault"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "az keyvault key rotation-policy update --vault-name <VAULT_NAME> --name <KEY_NAME> --value '{\"lifetimeActions\":[{\"trigger\":{\"timeAfterCreate\":\"P18M\"},\"action\":{\"type\":\"Rotate\"}}]}'",
"NativeIaC": "```bicep\nresource key 'Microsoft.KeyVault/vaults/keys@2023-02-01' = {\n name: '<example_resource_name>/<example_resource_name>'\n location: resourceGroup().location\n properties: {\n kty: 'RSA'\n rotationPolicy: {\n lifetimeActions: [\n {\n trigger: { timeAfterCreate: 'P18M' }\n action: { type: 'Rotate' } // Critical: enables automatic rotation, satisfying the check\n }\n ]\n }\n }\n}\n```",
"Other": "1. In Azure Portal, go to Key Vaults > <your key vault> > Keys\n2. Select the key <KEY_NAME>\n3. Click Rotation policy\n4. Enable auto-rotation and set a rotation interval (e.g., After creation: P18M)\n5. Click Save",
"Terraform": "```hcl\nresource \"azurerm_key_vault_key\" \"key\" {\n name = \"<example_resource_name>\"\n key_vault_id = \"<example_resource_id>\"\n key_type = \"RSA\"\n\n rotation_policy {\n automatic {\n time_after_creation = \"P18M\" # Critical: creates a Rotate lifetime action to enable auto-rotation\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Note: Azure CLI and Powershell use ISO8601 flags to input timespans. Every timespan input will be in the format P<timespanInISO8601Format>(Y,M,D). The leading P is required with it denoting period. The (Y,M,D) are for the duration of Year, Month,and Day respectively. A time frame of 2 years, 2 months, 2 days would be (P2Y2M2D). From Azure Portal 1. From Azure Portal select the Portal Menu in the top left. 2. Select Key Vaults. 3. Select a Key Vault to audit. 4. Under Objects select Keys. 5. Select a key to audit. 6. In the top row select Rotation policy. 7. Select an Expiry time. 8. Set Enable auto rotation to Enabled. 9. Set an appropriate Rotation option and Rotation time. 10. Optionally set the Notification time. 11. Select Save. 12. Repeat steps 3-11 for each Key Vault and Key. From PowerShell Run the following command for each key to update its policy: Set-AzKeyVaultKeyRotationPolicy -VaultName test-kv -Name test-key -PolicyPath rotation_policy.json",
"Url": "https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview#update-the-key-version"
"Text": "Define a per-key **rotation policy** to automatically `Rotate` on a fixed cadence (e.g., `P2Y`) and set an **expiry** to enforce lifecycle.\n\nUse versionless key URIs in dependent services, apply **least privilege** to rotation roles, enable near-expiry notifications, and monitor events for **defense in depth**.",
"Url": "https://hub.prowler.com/check/keyvault_key_rotation_enabled"
}
},
"Categories": [],
"Categories": [
"encryption"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "There are an additional costs per operation in running the needed applications."
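Review bot: the Bicep key resource uses API version `2023-02-01` while every other Key Vault resource in this patch uses `2023-07-01`; align them unless the older version is needed. Placeholder style also differs here (`<VAULT_NAME>`, `<KEY_NAME>` versus `<example_resource_name>` elsewhere), and the recommendation suggests a `P2Y` cadence while all three remediation snippets use `P18M`; pick one interval so the text and the code tell the same story.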


@@ -1,30 +1,38 @@
{
"Provider": "azure",
"CheckID": "keyvault_logging_enabled",
"CheckTitle": "Ensure that logging for Azure Key Vault is 'Enabled'",
"CheckTitle": "Key Vault has a diagnostic setting capturing audit logs",
"CheckType": [],
"ServiceName": "keyvault",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "KeyVault",
"Severity": "high",
"ResourceType": "microsoft.keyvault/vaults",
"ResourceGroup": "security",
"Description": "Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available.",
"Risk": "Monitoring how and when key vaults are accessed, and by whom, enables an audit trail of interactions with confidential information, keys, and certificates managed by Azure Keyvault. Enabling logging for Key Vault saves information in an Azure storage account which the user provides. This creates a new container named insights-logs-auditevent automatically for the specified storage account. This same storage account can be used for collecting logs for multiple key vaults.",
"RelatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-logging",
"Description": "**Azure Key Vault** diagnostic settings capture **audit logs** (`AuditEvent`) when category groups `audit` and `allLogs` are enabled and routed to a supported destination. Logged events include management and data-plane operations on vaults, keys, secrets, and certificates.",
"Risk": "Without **Key Vault audit logging**, access and changes to keys, secrets, and certificates are untracked.\n\nAttackers can misuse keys to decrypt data, alter or delete crypto material, and evade detection-eroding **confidentiality** and **integrity** and delaying **incident response**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/azure/KeyVault/enable-audit-event-logging-for-azure-key-vaults.html",
"https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-8-ensure-security-of-key-and-certificate-repository",
"https://learn.microsoft.com/en-us/azure/key-vault/general/howto-logging?tabs=azure-cli"
],
"Remediation": {
"Code": {
"CLI": "az monitor diagnostic-settings create --name <diagnostic settings name> --resource <key vault resource ID> --logs'[{category:AuditEvents,enabled:true,retention-policy:{enabled:true,days:180}}]' --metrics'[{category:AllMetrics,enabled:true,retention-policy:{enabled:true,days:180}}]' <[--event-hub <event hub ID> --event-hub-rule <event hub auth rule ID> | --storage-account <storage account ID> |--workspace <log analytics workspace ID> | --marketplace-partner-id <full resource ID of third-party solution>]>",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/KeyVault/enable-audit-event-logging-for-azure-key-vaults.html",
"Terraform": ""
"CLI": "az monitor diagnostic-settings create --name <example_resource_name> --resource <example_resource_id> --workspace <example_resource_id> --logs '[{\"categoryGroup\":\"audit\",\"enabled\":true},{\"categoryGroup\":\"allLogs\",\"enabled\":true}]'",
"NativeIaC": "```bicep\n// Enable Key Vault diagnostic settings with audit + allLogs\nparam keyVaultName string\nparam workspaceId string\n\nresource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {\n name: keyVaultName\n}\n\nresource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {\n name: '<example_resource_name>'\n scope: kv\n properties: {\n workspaceId: workspaceId\n logs: [\n {\n categoryGroup: 'audit' // critical: enables audit logs\n enabled: true // required to pass the check\n }\n {\n categoryGroup: 'allLogs' // critical: enables allLogs group\n enabled: true // required to pass the check\n }\n ]\n }\n}\n```",
"Other": "1. In Azure Portal, go to your Key Vault > Monitoring > Diagnostic settings\n2. Click Add diagnostic setting\n3. Under Category groups, select audit and allLogs\n4. Choose a destination (e.g., Send to Log Analytics workspace) and select the workspace\n5. Click Save",
"Terraform": "```hcl\n# Enable diagnostic settings on Key Vault with audit + allLogs\nresource \"azurerm_monitor_diagnostic_setting\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n target_resource_id = \"<example_resource_id>\" # Key Vault resource ID\n log_analytics_workspace_id = \"<example_resource_id>\" # Destination workspace ID\n\n enabled_log { # critical: audit category group\n category_group = \"audit\" # enables audit logs\n }\n enabled_log { # critical: allLogs category group\n category_group = \"allLogs\" # enables all logs\n }\n}\n```"
},
"Recommendation": {
"Text": "1. Go to Key vaults 2. For each Key vault 3. Go to Diagnostic settings 4. Click on Edit Settings 5. Ensure that Archive to a storage account is Enabled 6. Ensure that AuditEvent is checked, and the retention days is set to 180 days or as appropriate",
"Url": "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-8-ensure-security-of-key-and-certificate-repository"
"Text": "Enable **diagnostic settings** to collect `AuditEvent` logs-covering category groups `audit` and `allLogs`-and send them to a central sink. Apply **least privilege** to log access, enforce secure **retention/immutability**, monitor with alerts for anomalous operations, and use **separation of duties** to prevent logging bypass.",
"Url": "https://hub.prowler.com/check/keyvault_logging_enabled"
}
},
"Categories": [],
"Categories": [
"logging"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "By default, Diagnostic AuditEvent logging is not enabled for Key Vault instances."
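Review bot: `Severity` is raised from medium to high with no rationale in the commit message or changelog; one line explaining why would help. The Risk and Recommendation texts contain what look like lost em-dashes ("evade detection-eroding", "logs-covering category groups `audit` and `allLogs`-and"), which now read as hyphenated words; replace them with commas or separate sentences. The description says the check needs both the `audit` and `allLogs` category groups enabled; since `allLogs` is a superset that already includes the audit category, confirm that both are really required, otherwise say that either group passes. Finally, the CLI uses `<example_resource_id>` for both `--resource` and `--workspace`, which hides that these are two different resource IDs.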


@@ -1,30 +1,36 @@
{
"Provider": "azure",
"CheckID": "keyvault_non_rbac_secret_expiration_set",
"CheckTitle": "Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults",
"CheckTitle": "Non-RBAC Key Vault has expiration date set for all secrets",
"CheckType": [],
"ServiceName": "keyvault",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KeyVault",
"Severity": "medium",
"ResourceType": "microsoft.keyvault/vaults",
"ResourceGroup": "security",
"Description": "Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.",
"Risk": "The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.",
"RelatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis",
"Description": "**Azure Key Vault (non-RBAC)** secrets are expected to have an **explicit expiration date**.\n\nThis examines each **enabled secret** to confirm the `expires` attribute is defined.",
"Risk": "Secrets without expiration persist indefinitely, widening the window for misuse.\n\nIf leaked or forgotten, they allow long-term, covert access to services and data, undermining **confidentiality** and **integrity**, and complicating incident response and revocation.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
"https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#key-vault-secrets"
],
"Remediation": {
"Code": {
"CLI": "az keyvault secret set-attributes --name <secretName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z'",
"NativeIaC": "",
"Other": "",
"Terraform": "https://docs.prowler.com/checks/azure/azure-secrets-policies/set-an-expiration-date-on-all-secrets#terraform"
"CLI": "az keyvault secret set-attributes --vault-name <vaultName> --name <secretName> --expires <YYYY-MM-DDTHH:MM:SSZ>",
"NativeIaC": "```bicep\n// Set an expiration date on a Key Vault secret\nresource secret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {\n name: '<example_vault_name>/<example_resource_name>'\n properties: {\n value: '<example_value>'\n attributes: {\n exp: 1767225599 // CRITICAL: sets the secret expiration (Unix time in seconds) so the check passes\n }\n }\n}\n```",
"Other": "1. In the Azure portal, go to Key vaults and open your vault\n2. Select Secrets, then click the secret that failed\n3. Click + New version\n4. Set Expiration date and click Create\n5. Repeat for any other secret without an expiration",
"Terraform": "```hcl\nresource \"azurerm_key_vault_secret\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n value = \"<example_value>\"\n key_vault_id = \"<example_resource_id>\"\n\n expiration_date = \"2025-12-31T23:59:59Z\" # CRITICAL: sets the secret expiration so the check passes\n}\n```"
},
"Recommendation": {
"Text": "From Azure Portal: 1. Go to Key vaults. 2. For each Key vault, click on Secrets. 3. In the main pane, ensure that the status of the secret is Enabled. 4. Set an appropriate Expiration date on all secrets. From Azure CLI: Update the Expiration date for the secret using the below command: az keyvault secret set-attributes --name <secretName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z' Note: To view the expiration date on all secrets in a Key Vault using Microsoft API, the List Key permission is required. To update the expiration date for the secrets: 1. Go to Key vault, click on Access policies. 2. Click on Create and add an access policy with the Update permission (in the Secret Permissions - Secret Management Operations section). From PowerShell: For each Key vault with the EnableRbacAuthorization setting set to False or empty, run the following command. Set-AzKeyVaultSecret -VaultName <Vault Name> -Name <Secret Name> -Expires <DateTime>",
"Url": "https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets"
"Text": "Set an **expiration** on every secret and enforce a **rotation policy** aligned with risk and compliance.\n\nAutomate rotation and alerts, disable or purge stale versions, and apply **least privilege**. *Where possible*, use **managed identities** to reduce secret sprawl.",
"Url": "https://hub.prowler.com/check/keyvault_non_rbac_secret_expiration_set"
}
},
"Categories": [],
"Categories": [
"secrets"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "Secrets cannot be used beyond their assigned expiry date respectively. Secrets need to be rotated periodically wherever they are used."
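Review bot: the expiration used in the Bicep (`exp: 1767225599`) and Terraform (`2025-12-31T23:59:59Z`) is already in the past relative to this commit's date (2026-02-17), so anyone copying the snippet creates a secret that is expired on arrival; use a clearly future date such as the `2030-01-01T00:00:00Z` the key-expiration check uses. The CLI keeps `<vaultName>`/`<secretName>` placeholders while the IaC examples use `<example_resource_name>`, and the description calls the attribute `expires` where the key check calls it `exp`; align these. As with the logging check, the severity change (high to medium) should be justified somewhere.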


@@ -1,30 +1,37 @@
{
"Provider": "azure",
"CheckID": "keyvault_private_endpoints",
"CheckTitle": "Ensure that Private Endpoints are Used for Azure Key Vault",
"CheckTitle": "Key Vault uses private endpoints",
"CheckType": [],
"ServiceName": "keyvault",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KeyVault",
"ResourceType": "microsoft.keyvault/vaults",
"ResourceGroup": "security",
"Description": "Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys.",
"Risk": "Private endpoints will keep network requests to Azure Key Vault limited to the endpoints attached to the resources that are whitelisted to communicate with each other. Assigning the Key Vault to a network without an endpoint will allow other resources on that network to view all traffic from the Key Vault to its destination. In spite of the complexity in configuration, this is recommended for high security secrets.",
"RelatedUrl": "https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview",
"Description": "**Azure Key Vault** has **private endpoint connections** to serve secret and key operations over a private IP within your virtual network via Azure Private Link.",
"Risk": "Without **private endpoints**, the vault relies on a public endpoint, expanding exposure to scanning and misconfigured allowlists. Egress controls are harder to enforce, enabling unauthorized secret retrieval for **data exfiltration** and potential key misuse, impacting confidentiality and integrity.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-overview",
"https://learn.microsoft.com/en-us/azure/storage/common/storage-private-endpoints"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "az network private-endpoint create --name <example_resource_name> --resource-group <example_resource_name> --location <LOCATION> --vnet-name <example_resource_name> --subnet <example_resource_name> --private-connection-resource-id <example_resource_id> --group-ids vault --connection-name <example_resource_name>",
"NativeIaC": "```bicep\n// Create a Private Endpoint for an existing Key Vault\nresource pe 'Microsoft.Network/privateEndpoints@2021-08-01' = {\n name: '<example_resource_name>'\n location: '<LOCATION>'\n properties: {\n subnet: {\n id: '<example_resource_id>' // Critical: subnet resource ID where the private endpoint NIC will be placed\n }\n privateLinkServiceConnections: [\n {\n name: '<example_resource_name>'\n properties: {\n privateLinkServiceId: '<example_resource_id>' // Critical: Key Vault resource ID to connect to\n groupIds: [ 'vault' ] // Critical: targets the Key Vault subresource to create the private endpoint connection\n }\n }\n ]\n }\n}\n```",
"Other": "1. In Azure portal, open your Key Vault\n2. Go to Networking > Private endpoint connections > + Create\n3. Basics: select Subscription and Resource group, then Next\n4. Resource: Service = Microsoft.KeyVault/vaults (your vault is preselected), Subresource = vault, Next\n5. Configuration: choose Virtual network and Subnet, then Next and Create\n6. Wait for the connection state to show Approved (auto-approves if you have permission)",
"Terraform": "```hcl\n# Create a Private Endpoint for an existing Key Vault\nresource \"azurerm_private_endpoint\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = \"<LOCATION>\"\n resource_group_name = \"<example_resource_name>\"\n subnet_id = \"<example_resource_id>\" # Critical: subnet resource ID for the private endpoint NIC\n\n private_service_connection {\n name = \"<example_resource_name>\"\n private_connection_resource_id = \"<example_resource_id>\" # Critical: Key Vault resource ID to connect\n subresource_names = [\"vault\"] # Critical: targets Key Vault subresource to create the connection\n }\n}\n```"
},
"Recommendation": {
"Text": "Please see the additional information about the requirements needed before starting this remediation procedure. From Azure Portal 1. From Azure Home open the Portal Menu in the top left. 2. Select Key Vaults. 3. Select a Key Vault to audit. 4. Select Networking in the left column. 5. Select Private endpoint connections from the top row. 6. Select + Create. 7. Select the subscription the Key Vault is within, and other desired configuration. 8. Select Next. 9. For resource type select Microsoft.KeyVault/vaults. 10. Select the Key Vault to associate the Private Endpoint with. 11. Select Next. 12. In the Virtual Networking field, select the network to assign the Endpoint. 13. Select other configuration options as desired, including an existing or new application security group. 14. Select Next. 15. Select the private DNS the Private Endpoints will use. 16. Select Next. 17. Optionally add Tags. 18. Select Next : Review + Create. 19. Review the information and select Create. Follow the Audit Procedure to determine if it has successfully applied. 20. Repeat steps 3-19 for each Key Vault. From Azure CLI 1. To create an endpoint, run the following command: az network private-endpoint create --resource-group <resourceGroup --vnet- name <vnetName> --subnet <subnetName> --name <PrivateEndpointName> -- private-connection-resource-id '/subscriptions/<AZURE SUBSCRIPTION ID>/resourceGroups/<resourceGroup>/providers/Microsoft.KeyVault/vaults/<keyVa ultName>' --group-ids vault --connection-name <privateLinkConnectionName> -- location <azureRegion> --manual-request 2. To manually approve the endpoint request, run the following command: az keyvault private-endpoint-connection approve --resource-group <resourceGroup> --vault-name <keyVaultName> name <privateLinkName> 4. Determine the Private Endpoint's IP address to connect the Key Vault to the Private DNS you have previously created: 5. 
Look for the property networkInterfaces then id, the value must be placed in the variable <privateEndpointNIC> within step 7. az network private-endpoint show -g <resourceGroupName> -n <privateEndpointName> 6. Look for the property networkInterfaces then id, the value must be placed on <privateEndpointNIC> in step 7. az network nic show --ids <privateEndpointName> 7. Create a Private DNS record within the DNS Zone you created for the Private Endpoint: az network private-dns record-set a add-record -g <resourcecGroupName> -z 'privatelink.vaultcore.azure.net' -n <keyVaultName> -a <privateEndpointNIC> 8. nslookup the private endpoint to determine if the DNS record is correct: nslookup <keyVaultName>.vault.azure.net nslookup <keyVaultName>.privatelink.vaultcore.azure.n",
"Url": "https://docs.microsoft.com/en-us/azure/storage/common/storage-private-endpoints"
"Text": "Enable **Private Endpoints** for each Key Vault and disable public network access. Use private DNS so the vault FQDN resolves to the private IP. Apply **least privilege** with RBAC and managed identities, restrict traffic with NSGs and routing, and monitor access logs as part of **defense in depth**.",
"Url": "https://hub.prowler.com/check/keyvault_private_endpoints"
}
},
"Categories": [],
"Categories": [
"internet-exposed",
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "Incorrect or poorly-timed changing of network configuration could result in service interruption. There are also additional costs tiers for running a private endpoint perpetabyte or more of networking traffic."
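Review bot: the `Recommendation.Url` slug `keyvault_private_endpoints` does not follow the CheckID-as-slug pattern the other files in this change use (e.g. `https://hub.prowler.com/check/keyvault_rbac_enabled` for `keyvault_rbac_enabled`); confirm that URL resolves or align it with this check's ID. The Recommendation text says to "Enable Private Endpoints for each Key Vault and disable public network access", but the Terraform snippet only creates the `azurerm_private_endpoint`; nothing sets public network access to disabled on the vault, so add `public_network_access_enabled = false` on the `azurerm_key_vault` resource (or say the vault must be updated separately). The unchanged `Notes` also still reads "perpetabyte or more of networking traffic", which looks like a mangled "per petabyte"; worth fixing while the file is being rewritten.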

View File

@@ -1,30 +1,36 @@
{
"Provider": "azure",
"CheckID": "keyvault_rbac_enabled",
"CheckTitle": "Enable Role Based Access Control for Azure Key Vault",
"CheckTitle": "Key Vault uses Azure RBAC for access control",
"CheckType": [],
"ServiceName": "keyvault",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KeyVault",
"ResourceType": "microsoft.keyvault/vaults",
"ResourceGroup": "security",
"Description": "WARNING: Role assignments disappear when a Key Vault has been deleted (soft-delete) and recovered. Afterwards it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services.",
"Risk": "The new RBAC permissions model for Key Vaults enables a much finer grained access control for key vault secrets, keys, certificates, etc., than the vault access policy. This in turn will permit the use of privileged identity management over these roles, thus securing the key vaults with JIT Access management.",
"RelatedUrl": "https://docs.microsoft.com/en-gb/azure/key-vault/general/rbac-migration#vault-access-policy-to-azure-rbac-migration-steps",
"Description": "**Azure Key Vault** uses the **Azure RBAC permission model** for data-plane access to keys, secrets, and certificates, rather than legacy access policies.\n\nEvaluates whether data access is managed through role assignments at the vault.",
"Risk": "Without **Azure RBAC**, data access relies on coarse access policies. **Control-plane Contributors** can grant themselves data-plane rights, enabling secret or key exfiltration and unauthorized crypto operations.\n\nLack of JIT and least-privilege weakens **confidentiality** and **integrity** and hinders auditing.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli",
"https://learn.microsoft.com/en-gb/azure/role-based-access-control/role-assignments-portal?tabs=current"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "az keyvault update --name <KEY_VAULT_NAME> --resource-group <RESOURCE_GROUP_NAME> --enable-rbac-authorization true",
"NativeIaC": "```bicep\n// Enable Azure RBAC on a Key Vault\nresource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {\n name: '<example_resource_name>'\n location: '<location>'\n properties: {\n tenantId: '<tenant_id>'\n enableRbacAuthorization: true // Critical: switches permission model to Azure RBAC to pass the check\n sku: {\n family: 'A'\n name: 'standard'\n }\n }\n}\n```",
"Other": "1. In Azure Portal, go to Key Vaults and open <KEY_VAULT_NAME>\n2. Under Settings, select Properties\n3. Set Permission model to Azure role-based access control\n4. Click Save",
"Terraform": "```hcl\nresource \"azurerm_key_vault\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = \"<location>\"\n resource_group_name = \"<example_resource_name>\"\n tenant_id = \"<tenant_id>\"\n sku_name = \"standard\"\n enable_rbac_authorization = true // Critical: enables Azure RBAC to satisfy the control\n}\n```"
},
"Recommendation": {
"Text": "From Azure Portal Key Vaults can be configured to use Azure role-based access control on creation. For existing Key Vaults: 1. From Azure Home open the Portal Menu in the top left corner 2. Select Key Vaults 3. Select a Key Vault to audit 4. Select Access configuration 5. Set the Permission model radio button to Azure role-based access control, taking note of the warning message 6. Click Save 7. Select Access Control (IAM) 8. Select the Role Assignments tab 9. Reapply permissions as needed to groups or users",
"Url": "https://docs.microsoft.com/en-gb/azure/role-based-access-control/role-assignments-portal?tabs=current"
"Text": "Adopt **Azure RBAC** for Key Vault data access and design roles with **least privilege** at appropriate scopes (prefer vault-level per app/env). Use **Privileged Identity Management** for JIT, restrict control-plane Contributor rights, and monitor role assignments. *Role assignments aren't preserved after soft-delete recovery*.",
"Url": "https://hub.prowler.com/check/keyvault_rbac_enabled"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "Implementation needs to be properly designed from the ground up, as this is a fundamental change to the way key vaults are accessed/managed. Changing permissions to key vaults will result in loss of service as permissions are re-applied. For the least amount of downtime, map your current groups and users to their corresponding permission needs."
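Review bot: the new `Other` portal steps ("Under Settings, select Properties", then "Set Permission model") disagree with the portal path in the removed Recommendation text ("Select Access configuration", then "Set the Permission model radio button"); the permission model is under Access configuration, so the new steps should say that rather than Properties. Minor: the Terraform line `enable_rbac_authorization = true // Critical: ...` uses a `//` comment while the other HCL snippets in this change use `#`; both are valid HCL, but keep one style.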

View File

@@ -1,30 +1,39 @@
{
"Provider": "azure",
"CheckID": "keyvault_rbac_key_expiration_set",
"CheckTitle": "Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults",
"CheckTitle": "RBAC-enabled Key Vault has expiration date set for all keys",
"CheckType": [],
"ServiceName": "keyvault",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KeyVault",
"Severity": "medium",
"ResourceType": "microsoft.keyvault/vaults",
"ResourceGroup": "security",
"Description": "Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set",
"Risk": "Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for encryption of new data, wrapping of new keys, and signing. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys to help enforce the key rotation. This ensures that the keys cannot be used beyond their assigned lifetimes.",
"RelatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis",
"Description": "**Azure Key Vaults** with **RBAC-enabled access control** are evaluated to confirm every **enabled key** defines an **expiration** (`exp`). Any key lacking this attribute is identified.",
"Risk": "**Keys without expiration** can remain active indefinitely.\nIf exposed, attackers can decrypt data, forge signatures (code/tokens), and maintain persistence, undermining **confidentiality** and **integrity**. Absent end-of-life also weakens rotation discipline and crypto agility.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
"https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#key-vault-keys",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/azure/KeyVault/key-expiration-check.html#",
"https://learn.microsoft.com/en-us/azure/key-vault/general/azure-policy",
"https://learn.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-keyvault"
],
"Remediation": {
"Code": {
"CLI": "az keyvault key set-attributes --name <keyName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z'",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/KeyVault/key-expiration-check.html#",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/set-an-expiration-date-on-all-keys#terraform"
"CLI": "az keyvault key set-attributes --vault-name <vaultName> --name <keyName> --expires <YYYY-MM-DDThh:mm:ssZ>",
"NativeIaC": "```bicep\n// Set an expiration date on a Key Vault key\nresource key 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {\n name: '<example_resource_name>/<example_resource_name>'\n properties: {\n kty: 'RSA'\n attributes: {\n exp: 1767225599 // Critical: expiration timestamp (UTC epoch seconds). Ensures the key has an expiration date to pass the check.\n }\n }\n}\n```",
"Other": "1. In Azure Portal, go to Key vaults and open <vaultName>\n2. Select Keys and choose the key missing an expiration\n3. Open the current version and click Update/Edit\n4. Set Expiration date (UTC) and click Save",
"Terraform": "```hcl\n# Set an expiration date on a Key Vault key\nresource \"azurerm_key_vault_key\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n key_vault_id = \"<example_resource_id>\"\n key_type = \"RSA\"\n\n expiration_date = \"2025-12-31T23:59:59Z\" # Critical: ensures the key has an expiration date to pass the check\n}\n```"
},
"Recommendation": {
"Text": "From Azure Portal: 1. Go to Key vaults. 2. For each Key vault, click on Keys. 3. In the main pane, ensure that an appropriate Expiration date is set for any keys that are Enabled. From Azure CLI: Update the Expiration date for the key using the below command: az keyvault key set-attributes --name <keyName> --vault-name <vaultName> -- expires Y-m-d'T'H:M:S'Z' Note: To view the expiration date on all keys in a Key Vault using Microsoft API, the 'List' Key permission is required. To update the expiration date for the keys: 1. Go to the Key vault, click on Access Control (IAM). 2. Click on Add role assignment and assign the role of Key Vault Crypto Officer to the appropriate user. From PowerShell: Set-AzKeyVaultKeyAttribute -VaultName <VaultName> -Name <KeyName> -Expires <DateTime>",
"Url": "https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys"
"Text": "- Set `exp` on all enabled keys and enforce a **rotation policy** with short lifetimes and automated renewal.\n- Use **governance policies** to require expiration and alert before expiry.\n- Apply **least privilege** and **separation of duties** for key admins vs consumers.",
"Url": "https://hub.prowler.com/check/keyvault_rbac_key_expiration_set"
}
},
"Categories": [],
"Categories": [
"encryption"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "Keys cannot be used beyond their assigned expiration dates respectively. Keys need to be rotated periodically wherever they are used."
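Review bot: `expiration_date = "2025-12-31T23:59:59Z"` in the Terraform snippet and the matching `exp: 1767225599` in the Bicep snippet are fixed literals that are already (or will shortly be) in the past, so applying the example as written creates a key that is expired on creation; use a placeholder the way the CLI line does (`<YYYY-MM-DDThh:mm:ssZ>`, or `<EPOCH_SECONDS>` for Bicep) with a comment that it must be a future date. In the Bicep resource, `name: '<example_resource_name>/<example_resource_name>'` reuses one placeholder for two different things (the parent vault and the key); `'<vault_name>/<key_name>'` would read clearly.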

View File

@@ -1,30 +1,36 @@
{
"Provider": "azure",
"CheckID": "keyvault_rbac_secret_expiration_set",
"CheckTitle": "Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults",
"CheckTitle": "RBAC-enabled Key Vault has expiration date set for all enabled secrets",
"CheckType": [],
"ServiceName": "keyvault",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KeyVault",
"Severity": "medium",
"ResourceType": "microsoft.keyvault/vaults",
"ResourceGroup": "security",
"Description": "Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.",
"Risk": "The Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The exp (expiration date) attribute identifies the expiration date on or after which the secret MUST NOT be used. By default, secrets never expire. It is thus recommended to rotate secrets in the key vault and set an explicit expiration date for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.",
"RelatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis",
"Description": "**Azure Key Vault (RBAC)** secrets are assessed to confirm every **enabled secret** has an `exp` (expiration) date configured",
"Risk": "Without an **expiration**, secrets become perpetual credentials. Leaked or abandoned values can grant persistent access, undermining **confidentiality** and **integrity**. Attackers can reuse old secrets to maintain footholds, perform unauthorized API calls, and exfiltrate data.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
"https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#key-vault-secrets"
],
"Remediation": {
"Code": {
"CLI": "az keyvault secret set-attributes --name <secretName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z'",
"NativeIaC": "",
"Other": "",
"Terraform": "https://docs.prowler.com/checks/azure/azure-secrets-policies/set-an-expiration-date-on-all-secrets#terraform"
"CLI": "az keyvault secret set-attributes --vault-name <vaultName> --name <secretName> --expires <YYYY-MM-DDTHH:MM:SSZ>",
"NativeIaC": "```bicep\n// Set expiration on a Key Vault secret\nresource secret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = {\n name: '<example_resource_name>/<example_resource_name>'\n properties: {\n // CRITICAL: sets the secret expiration timestamp (Unix epoch seconds)\n attributes: {\n exp: 1735689600 // 2025-01-01T00:00:00Z\n }\n value: '<secret_value>'\n }\n}\n```",
"Other": "1. In Azure Portal, go to Key vaults and open your vault\n2. Select Secrets, choose the secret, then open its Current version\n3. Set Expiration date (UTC) and click Save",
"Terraform": "```hcl\nresource \"azurerm_key_vault_secret\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n value = \"<secret_value>\"\n key_vault_id = \"<example_resource_id>\"\n\n # CRITICAL: sets the secret expiration timestamp\n expiration_date = \"2025-01-01T00:00:00Z\"\n}\n```"
},
"Recommendation": {
"Text": "From Azure Portal: 1. Go to Key vaults. 2. For each Key vault, click on Secrets. 3. In the main pane, ensure that the status of the secret is Enabled. 4. For each enabled secret, ensure that an appropriate Expiration date is set. From Azure CLI: Update the Expiration date for the secret using the below command: az keyvault secret set-attributes --name <secretName> --vault-name <vaultName> --expires Y-m-d'T'H:M:S'Z' Note: To view the expiration date on all secrets in a Key Vault using Microsoft API, the List Key permission is required. To update the expiration date for the secrets: 1. Go to the Key vault, click on Access Control (IAM). 2. Click on Add role assignment and assign the role of Key Vault Secrets Officer to the appropriate user. From PowerShell: Set-AzKeyVaultSecretAttribute -VaultName <Vault Name> -Name <Secret Name> - Expires <DateTime>",
"Url": "https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets"
"Text": "Set an **expiration** on all enabled secrets and enforce a **regular rotation policy**.\n\nPrefer **short-lived, identity-based access** to reduce secret usage. Apply **least privilege** for secret access, alert on upcoming expirations, and automate rotation and version cleanup to minimize exposure.",
"Url": "https://hub.prowler.com/check/keyvault_rbac_secret_expiration_set"
}
},
"Categories": [],
"Categories": [
"secrets"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "Secrets cannot be used beyond their assigned expiry date respectively. Secrets need to be rotated periodically wherever they are used."
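Review bot: the Bicep snippet embeds the secret as a literal `value: '<secret_value>'` inside `properties`; a template written this way puts the secret into source control and deployment history, so the example should take it from a `@secure()` parameter (and the Terraform `value = "<secret_value>"` likewise from a `sensitive` variable). Same past-date issue as the keys file: `exp: 1735689600 // 2025-01-01T00:00:00Z` and `expiration_date = "2025-01-01T00:00:00Z"` should be placeholders, not dates that may already have passed. The Bicep API version `2019-09-01` also differs from the `2023-07-01` used by the other Key Vault snippets in this change, and the new `Description` string is missing its terminating period.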

View File

@@ -1,30 +1,36 @@
{
"Provider": "azure",
"CheckID": "keyvault_recoverable",
"CheckTitle": "Ensure the Key Vault is Recoverable",
"CheckTitle": "Key Vault has soft delete and purge protection enabled",
"CheckType": [],
"ServiceName": "keyvault",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "KeyVault",
"ResourceType": "microsoft.keyvault/vaults",
"ResourceGroup": "security",
"Description": "The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects. It is recommended the Key Vault be made recoverable by enabling the 'Do Not Purge' and 'Soft Delete' functions. This is in order to prevent loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (Keys, Secrets, Certificates) etc. This may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user. WARNING: A current limitation of the soft-delete feature across all Azure services is role assignments disappearing when Key Vault is deleted. All role assignments will need to be recreated after recovery.",
"Risk": "There could be scenarios where users accidentally run delete/purge commands on Key Vault or an attacker/malicious user deliberately does so in order to cause disruption. Deleting or purging a Key Vault leads to immediate data loss, as keys encrypting data and secrets/certificates allowing access/services will become non-accessible. There are 2 Key Vault properties that play a role in permanent unavailability of a Key Vault: 1. enableSoftDelete: Setting this parameter to 'true' for a Key Vault ensures that even if Key Vault is deleted, Key Vault itself or its objects remain recoverable for the next 90 days. Key Vault/objects can either be recovered or purged (permanent deletion) during those 90 days. If no action is taken, key vault and its objects will subsequently be purged. 2. enablePurgeProtection: enableSoftDelete only ensures that Key Vault is not deleted permanently and will be recoverable for 90 days from date of deletion. However, there are scenarios in which the Key Vault and/or its objects are accidentally purged and hence will not be recoverable. Setting enablePurgeProtection to 'true' ensures that the Key Vault and its objects cannot be purged. Enabling both the parameters on Key Vaults ensures that Key Vaults and their objects cannot be deleted/purged permanently.",
"RelatedUrl": "https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli",
"Description": "**Azure Key Vault** recoverability requires both `enable_soft_delete` and `enable_purge_protection`. With these enabled, vault objects remain recoverable after deletion and cannot be permanently purged during the retention period.",
"Risk": "Absent these protections, deleted vaults or objects can be permanently removed, cutting access to keys, secrets, and certificates. This can render data unreadable, break app authentication, and halt signing/verification, degrading **availability** and **integrity**. Malicious insiders can purge to block recovery.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery?tabs=azure-cli",
"https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/azure/KeyVault/enable-key-vault-recoverability.html#"
],
"Remediation": {
"Code": {
"CLI": "az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<keyVaultName> --set properties.enablePurgeProtection=trueproperties.enableSoftDelete=true",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/KeyVault/enable-key-vault-recoverability.html#",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-the-key-vault-is-recoverable#terraform"
"CLI": "az keyvault update -g <resourceGroupName> -n <keyVaultName> --enable-soft-delete true --enable-purge-protection true",
"NativeIaC": "```bicep\n// Enable soft delete and purge protection on an existing/new Key Vault\nresource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {\n name: '<example_resource_name>'\n location: '<location>'\n properties: {\n tenantId: '<tenant_id>'\n sku: { name: 'standard' }\n enableSoftDelete: true // Critical: ensures soft delete is enabled\n enablePurgeProtection: true // Critical: prevents permanent purge during retention\n }\n}\n```",
"Other": "1. In Azure Portal, go to Key vaults and open <keyVaultName>\n2. Select Properties > Recovery\n3. Turn on Soft delete and Purge protection\n4. Click Save",
"Terraform": "```hcl\nresource \"azurerm_key_vault\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n location = \"<location>\"\n resource_group_name = \"<resource_group_name>\"\n tenant_id = \"<tenant_id>\"\n sku_name = \"standard\"\n\n soft_delete_enabled = true # Critical: enables soft delete\n purge_protection_enabled = true # Critical: enables purge protection\n}\n```"
},
"Recommendation": {
"Text": "To enable 'Do Not Purge' and 'Soft Delete' for a Key Vault: From Azure Portal 1. Go to Key Vaults 2. For each Key Vault 3. Click Properties 4. Ensure the status of soft-delete reads Soft delete has been enabled on this key vault. 5. At the bottom of the page, click 'Enable Purge Protection' Note, once enabled you cannot disable it. From Azure CLI az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx- xxxxxxxxxxxx/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault /vaults/<keyVaultName> --set properties.enablePurgeProtection=true properties.enableSoftDelete=true From PowerShell Update-AzKeyVault -VaultName <vaultName -ResourceGroupName <resourceGroupName -EnablePurgeProtection",
"Url": "https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/"
"Text": "Enable both `enable_soft_delete` and `enable_purge_protection` on all vaults. Enforce with policy, restrict purge/recover to **least privilege** and apply **separation of duties**. Keep backups and test recovery. Monitor delete/purge with alerts. *Adjust retention to business needs* to strengthen defense in depth.",
"Url": "https://hub.prowler.com/check/keyvault_recoverable"
}
},
"Categories": [],
"Categories": [
"resilience"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "Once purge-protection and soft-delete are enabled for a Key Vault, the action is irreversible."
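Review bot: `soft_delete_enabled = true` in the Terraform snippet is not an argument of `azurerm_key_vault` in current azurerm provider releases (soft delete is always on and the argument was removed in 3.x; `soft_delete_retention_days` and `purge_protection_enabled` are what remain), so the snippet will fail to plan; drop it or note the provider version it targets. The CLI line's `--enable-soft-delete true` has the same shape of problem on recent Azure CLI versions, where soft delete cannot be toggled, so `--enable-purge-protection true` is the effective remediation. The Bicep `sku: { name: 'standard' }` is missing the required `family: 'A'`. Finally, the `Description` and `Recommendation` call the settings `enable_soft_delete` / `enable_purge_protection`, which are neither the ARM property names used in the Bicep (`enableSoftDelete` / `enablePurgeProtection`) nor the Terraform argument names; pick one naming so the text matches the code.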