Secret Without Expiration Date
- Query id: cff9c3f7-e8f0-455f-9fb4-5f72326da96e
- Query name: Secret Without Expiration Date
- Platform: AzureResourceManager
- Severity: High
- Category: Best Practices
- URL: Github
Description¶
All Secrets must have an expiration date defined
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Postitive test num. 1 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVault1",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "keyVault1"
},
"properties": {
"enabledForDeployment": true,
"enabledForTemplateDeployment": true,
"enabledForDiskEncryption": true,
"tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100",
"accessPolicies": [
{
"tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100",
"objectId": "objectId",
"permissions": {
"keys": [
"Get"
],
"secrets": [
"List",
"Get",
"Set"
]
}
}
],
"sku": {
"name": "standard",
"family": "A"
}
}
},
{
"name": "keyVault1/secretid1",
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2019-09-01",
"tags": {},
"properties": {
"value": "string",
"contentType": "string"
}
}
],
"outputs": {}
}
Postitive test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVault1",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "keyVault1"
},
"properties": {
"enabledForDeployment": true,
"enabledForTemplateDeployment": true,
"enabledForDiskEncryption": true,
"tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100",
"accessPolicies": [
{
"tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100",
"objectId": "objectId",
"permissions": {
"keys": [
"Get"
],
"secrets": [
"List",
"Get",
"Set"
]
}
}
],
"sku": {
"name": "standard",
"family": "A"
}
},
"resources": [
{
"type": "secrets",
"name": "keyVaultSecret1",
"apiVersion": "2016-10-01",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', 'keyVault1')]"
],
"properties": {
"value": "string",
"contentType": "string",
"attributes": {
"enabled": true,
"nbf": 1585206000
}
}
}
]
}
],
"outputs": {}
}
Postitive test num. 3 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVault1",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "keyVault1"
},
"properties": {
"enabledForDeployment": true,
"enabledForTemplateDeployment": true,
"enabledForDiskEncryption": true,
"tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100",
"accessPolicies": [
{
"tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100",
"objectId": "objectId",
"permissions": {
"keys": [
"Get"
],
"secrets": [
"List",
"Get",
"Set"
]
}
}
],
"sku": {
"name": "standard",
"family": "A"
}
}
},
{
"name": "keyVault1/secretid1",
"type": "Microsoft.KeyVault/vaults/secrets",
"apiVersion": "2019-09-01",
"tags": {},
"properties": {
"value": "string",
"contentType": "string"
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Postitive test num. 4 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVault1",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "keyVault1"
},
"properties": {
"enabledForDeployment": true,
"enabledForTemplateDeployment": true,
"enabledForDiskEncryption": true,
"tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100",
"accessPolicies": [
{
"tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100",
"objectId": "objectId",
"permissions": {
"keys": [
"Get"
],
"secrets": [
"List",
"Get",
"Set"
]
}
}
],
"sku": {
"name": "standard",
"family": "A"
}
},
"resources": [
{
"type": "secrets",
"name": "keyVaultSecret1",
"apiVersion": "2016-10-01",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', 'keyVault1')]"
],
"properties": {
"value": "string",
"contentType": "string",
"attributes": {
"enabled": true,
"nbf": 1585206000
}
}
}
]
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVault1",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "keyVault1"
},
"properties": {
"enabledForDeployment": true,
"enabledForTemplateDeployment": true,
"enabledForDiskEncryption": true,
"tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100",
"accessPolicies": [
{
"tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100",
"objectId": "objectId",
"permissions": {
"keys": [
"Get"
],
"secrets": [
"List",
"Get",
"Set"
]
}
}
],
"sku": {
"name": "standard",
"family": "A"
}
},
"resources": [
{
"type": "secrets",
"name": "keyVaultSecret1",
"apiVersion": "2016-10-01",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', 'keyVault1')]"
],
"properties": {
"value": "secretValue",
"attributes": {
"enabled": true,
"nbf": 1585206000,
"exp": 1679814000
}
}
}
]
}
],
"outputs": {}
}
Negative test num. 2 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "keyVault1",
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2016-10-01",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "keyVault1"
},
"properties": {
"enabledForDeployment": true,
"enabledForTemplateDeployment": true,
"enabledForDiskEncryption": true,
"tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100",
"accessPolicies": [
{
"tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100",
"objectId": "objectId",
"permissions": {
"keys": [
"Get"
],
"secrets": [
"List",
"Get",
"Set"
]
}
}
],
"sku": {
"name": "standard",
"family": "A"
}
},
"resources": [
{
"type": "secrets",
"name": "keyVaultSecret1",
"apiVersion": "2016-10-01",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', 'keyVault1')]"
],
"properties": {
"value": "secretValue",
"attributes": {
"enabled": true,
"nbf": 1585206000,
"exp": 1679814000
}
}
}
]
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}