Azure Key Vault Secrets Have No Expiration Date

This policy identifies Azure Key Vault secrets that do not have an expiry date. As a best practice, set an expiration date for each secret and rotate the secret regularly. Before you activate this policy, ensure that you have added the Prisma Cloud Service Principal to each Key Vault: Alternatively, run the following command on the Azure cloud shell: az keyvault list | jq '.[].name' | xargs -I {} az keyvault set-policy --name {} --certificate-permissions list listissuers --key-permissions list --secret-permissions list --spn <prismacloud_app_id>.

Policy Details

Policy Subtype
Run, Build
Template Type

Build Rules

Azure Key Vault secrets have no expiration date.
JSON Query:
$.resource.*.azurerm_key_vault_secret[*].*[*].expiration_date anyNull
Recommended solution for having expiration date for Azure Key Vault secrets.
It is recommended that Azure Key Vault secrets should have an expiration date. Please make sure if your template have "expiration_date" field present.
For example:
"azurerm_key_vault_secret": [ { "<key_vault_secret_name>": [ { "key_vault_id": "${}", "name": "secret-sauce-2", "expiration_date": "2020-01-01", "value": "szechuan-2" } ] } ]

Run Rule Recommendation

  1. Log in to the Azure portal.
  2. Select 'All services' > 'Key vaults'.
  3. Select the Key vault instance where the secrets are stored.
  4. Select 'Secrets', and select the secret that you need to modify.
  5. Select the current version.
  6. Set the expiration date.
  7. 'Save' your changes.


There are 4 standards that are applicable to this policy:
  • MITRE ATT&CK [Beta]
  • CIS v1.1 (Azure)
  • CCPA 2018

Recommended For You