Objective
Add a new scanner rule to detect Key Vault certificates that are expiring within 30 days and have no auto-renewal configured, risking service outages and broken TLS connections.
Background
Expired certificates cause immediate service outages, broken HTTPS connections, and failed authentication flows. Many organisations only discover expired certificates after an outage has already occurred. A 30-day early warning gives teams enough time to renew or replace a certificate before impact.
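The evaluation logic for this rule, as an added example that is not the project's scanner code: a certificate is flagged when it expires within 30 days (or has already expired) and its policy has no AutoRenew lifetime action. The CertRecord shape and the sample certificates are constructed here; in the real rule they would be populated from the Azure Key Vault certificates SDK (CertificateClient.list_properties_of_certificates() and get_certificate_policy(name).lifetime_actions).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

EXPIRY_WINDOW_DAYS = 30  # early-warning window from the rule description


@dataclass
class CertRecord:
    """Minimal view of a Key Vault certificate (assumed shape, not an SDK type):
    name, expiry, and the action types taken from its policy's lifetime_actions
    (e.g. "AutoRenew" or "EmailContacts")."""
    name: str
    expires_on: Optional[datetime]
    lifetime_action_types: List[str] = field(default_factory=list)
    enabled: bool = True


def has_auto_renew(record: CertRecord) -> bool:
    """Only an AutoRenew lifetime action counts; EmailContacts alone does not renew anything."""
    return any(a.lower() == "autorenew" for a in record.lifetime_action_types)


def evaluate(record: CertRecord, now: datetime) -> Optional[dict]:
    """Return an AZ-KV-004 finding, or None if the certificate is compliant.
    Disabled certificates and certificates with no expiry are skipped."""
    if not record.enabled or record.expires_on is None:
        return None
    days_left = (record.expires_on - now).days  # negative once already expired
    if days_left > EXPIRY_WINDOW_DAYS or has_auto_renew(record):
        return None
    return {
        "rule": "AZ-KV-004",
        "severity": "MEDIUM",
        "resource": record.name,
        "days_until_expiry": days_left,
        "message": f"certificate '{record.name}' expires in {days_left} days with no AutoRenew action",
    }


def scan(records: List[CertRecord], now: Optional[datetime] = None) -> List[dict]:
    """Evaluate every certificate and return the list of findings."""
    now = now or datetime.now(timezone.utc)
    return [f for f in (evaluate(r, now) for r in records) if f]


if __name__ == "__main__":
    # Constructed sample certificates standing in for Key Vault SDK output.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    sample = [
        CertRecord("web-tls", now + timedelta(days=10)),                    # flagged
        CertRecord("api-tls", now + timedelta(days=10), ["AutoRenew"]),     # renews itself
        CertRecord("db-tls", now + timedelta(days=90)),                     # outside window
        CertRecord("old-tls", now - timedelta(days=2), ["EmailContacts"]),  # expired, flagged
    ]
    for finding in scan(sample, now):
        print(finding["message"])
```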
Real-World Breach Scenario
In 2020, Microsoft Teams experienced a global outage caused by an expired authentication certificate. The incident affected millions of users for several hours and could have been prevented with automated certificate expiry monitoring.
Compliance Mapping
- CIS Azure Benchmark: 8.5
- NIST CSF: PR.MA-1
- ISO 27001: A.10.1.2
- SOC 2: CC9.1
Deliverables
- scanner/rules/az_kv_004.py — scan() function using Azure SDK
- playbooks/cli/fix_az_kv_004.sh — enable auto-renewal on expiring certificates
- compliance/frameworks/cis_azure_benchmark.json — add AZ-KV-004 entry
- compliance/frameworks/nist_csf.json — add AZ-KV-004 entry
- compliance/frameworks/iso27001.json — add AZ-KV-004 entry
- compliance/frameworks/soc2.json — add AZ-KV-004 entry
Severity
MEDIUM
Category
Key Vault