Policy: Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault > 03.03.01 - Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults

Configures auditing against a CIS Benchmark item.

Level: 1

Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set.

Azure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The exp (expiration date) attribute identifies the expiration date on or after which the key MUST NOT be used for encryption of new data, wrapping of new keys, and signing. By default, keys never expire. It is thus recommended that keys be rotated in the key vault and set an explicit expiration date for all keys to help enforce the key rotation. This ensures that the keys cannot be used beyond their assigned lifetimes.

Targets

This policy targets the following resource types:

Azure > Key Vault > Vault

Primary Policy

This policy is used with the following primary policy:

Azure > CIS v3.0 > 03 - Security > 03.03 - Key Vault

Policy Specification

Schema Type	`string`
Default	`Per Azure > CIS v3.0 > 03 - Microsoft Defender`
Valid Values [YAML]	`Per Azure > CIS v3.0 > 03 - Microsoft Defender` `Skip` `Check: Benchmark using attestation`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/v071607

Policy Type URI

tmod:@turbot/azure-cisv3-0#/policy/types/r030301

GraphQL

query policyType(id: "tmod:@turbot/azure-cisv3-0#/policy/types/r030301") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv3-0#/policy/types/r030301'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv3-0#/policy/types/r030301'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/azure-cisv3-0#/policy/types/r030301"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv3-0#/policy/types/r030301"