1# Key Vault Expiration Audit & Compliance
2 
3Automated auditing of Azure Key Vault resources to identify expired or expiring keys, secrets, and certificates before they cause service disruptions.
4 
5## Overview
6 
7This skill monitors Azure Key Vault resources (keys, secrets, certificates) for expiration issues. It helps prevent service disruptions by identifying:
8- **Expired resources** causing active problems
9- **Expiring soon** (within customizable days threshold)
10- **Missing expiration dates** (security risk)
11- **Disabled resources** needing cleanup
12 
13## Core Workflow
14 
151. **List Resources**: Enumerate keys, secrets, and certificates in target vault(s)
162. **Get Details**: Retrieve expiration metadata for each resource
173. **Analyze Status**: Compare expiration dates against current date and threshold
184. **Generate Report**: Organize findings by priority with actionable recommendations
19 
20## Audit Patterns
21 
22### Pattern 1: Single Vault Quick Scan
23Check one Key Vault for all expiration issues with configurable day threshold (default: 30 days).
24 
25**Tools**: `keyvault_key_list`, `keyvault_key_get`, `keyvault_secret_list`, `keyvault_secret_get`, `keyvault_certificate_list`, `keyvault_certificate_get`
26 
27### Pattern 2: Multi-Vault Compliance Report
28Scan multiple vaults across subscription for comprehensive security review.
29 
30**Use for**: Quarterly audits, organization-wide compliance checks
31 
32### Pattern 3: Resource Type Focus
33Audit only keys, secrets, OR certificates when specific resource type is mentioned.
34 
35**Use for**: Certificate renewal planning, secret rotation tracking
36 
37### Pattern 4: Emergency Expired Finder
38Quick scan for already-expired resources (negative days) to troubleshoot active incidents.
39 
40**Use for**: Production issues, authentication failures
41 
42## Key Data Fields
43 
44When retrieving resource details, analyze these fields:
45- **expiresOn**: Expiration timestamp (null = no expiration set - security risk!)
46- **enabled**: Resource is active (false = disabled/inactive)
47- **notBefore**: When resource becomes valid
48- **createdOn/updatedOn**: For tracking resource age and last rotation
49- **subject/issuer**: Certificate-specific metadata
50 
51## Report Format
52 
53Organize findings into:
54- **Summary Statistics**: Total count, expired count, expiring count, no-expiration count per resource type
55- **Critical Issues**: Expired resources requiring immediate action
56- **Warnings**: Expiring within threshold (e.g., 30 days)
57- **Risks**: Resources without expiration dates
58- **Recommendations**: Set expiration policies, rotate credentials, remove disabled items
59 
60## Remediation Priority
61 
62**🔴 Critical** - Expired (< 0 days): Rotate immediately  
63**🟠 High** - Expiring 0-7 days: Schedule rotation within 24 hours  
64**🟡 Medium** - Expiring 8-30 days: Plan rotation within 1 week  
65**🟡 Medium** - No expiration set: Apply expiration policy  
66**🟢 Low** - Active (> 30 days): Monitor on regular schedule
67 
68## Best Practices
69 
70- Run weekly audits to catch issues early
71- All resources should have expiration dates (Azure Policy recommendation)
72- Configure Azure Event Grid for 30-day advance notifications
73- Rotation schedule: Secrets every 60-90 days, Keys annually, Certificates per CA requirements (max 1 year)
74- Prioritize production Key Vaults over dev/test
75- Automate rotation with Azure Functions or Logic Apps
76 
77## MCP Tools Used
78 
79| Tool | Purpose |
80|------|---------|
81| `keyvault_key_list` | List all keys in a vault |
82| `keyvault_key_get` | Get key details including expiration |
83| `keyvault_secret_list` | List all secrets in a vault |
84| `keyvault_secret_get` | Get secret details including expiration |
85| `keyvault_certificate_list` | List all certificates in a vault |
86| `keyvault_certificate_get` | Get certificate details including expiration |
87 
88**Required**: `vault` (Key Vault name)  
89**Optional**: `subscription`, `tenant`
90 
91## Fallback Strategy: Azure CLI Commands
92 
93If Azure MCP Key Vault tools fail, timeout, or are unavailable, use Azure CLI commands as fallback.
94 
95### CLI Command Reference
96 
97| Operation | Azure CLI Command |
98|-----------|-------------------|
99| List secrets | `az keyvault secret list --vault-name <vault-name>` |
100| Get secret details | `az keyvault secret show --vault-name <vault-name> --name <secret-name>` |
101| List keys | `az keyvault key list --vault-name <vault-name>` |
102| Get key details | `az keyvault key show --vault-name <vault-name> --name <key-name>` |
103| List certificates | `az keyvault certificate list --vault-name <vault-name>` |
104| Get certificate details | `az keyvault certificate show --vault-name <vault-name> --name <cert-name>` |
105 
106### When to Fallback
107 
108Switch to Azure CLI when:
109- MCP tool returns timeout error
110- MCP tool returns "service unavailable" or connection errors
111- MCP tool takes longer than 30 seconds to respond
112- Empty response when vault is known to have resources
113 
114## Common Issues
115 
116- **Access Denied**: Verify RBAC permissions (Key Vault Reader + data plane access)
117- **Vault Not Found**: Check vault name and subscription context
118- **Null expiresOn**: Resource has no expiration (security risk - requires policy)
119- **Time zones**: All timestamps are UTC