Protect data with these Azure Key Vault best practices
Microsoft’s Azure Key Vault is a cloud service for storing and accessing secrets such as passwords, API keys, certificates or cryptographic keys. Without appropriate security controls, these values may be accessible to unauthorized users.
Azure Key Vault provides several benefits to the organization, including:
- centrally controlled distribution of secrets;
- secure access to stored secrets and keys;
- Azure service integration;
- highly available online service;
- scalable platform; and
- simple administration and management.
Organizations should properly secure their key vaults and monitor them for unusual behavior. With out-of-the-box Azure tools, organizations can control access, ensure backups are running, segregate secrets, enable logging, and ensure recovery options are available. Follow these best practices for securing key vaults.
Use separate key vaults
When you deploy Azure Key Vault, you must decide whether to use a single vault or several. Microsoft recommends that users maintain one vault per application per environment. For example, use separate key vaults for development, pre-production, and production in specific regions. This approach reduces risk and limits the sharing of keys and secrets across environments and regions.
The most common approach is to use separate key vaults for each specific application. However, you can group them by services for larger applications, as shown in Figure 1.
Control access to key vaults
One protection option is network restriction. This lets organizations limit vault access to a specific IP address or range. Any user who tries to connect from outside the assigned IP address or range receives an access denied message.
Restrictions go even further with firewall rules. Azure Key Vault firewall offers the following four options:
- trust services only;
- IP addresses and ranges;
- virtual networks using dynamic IP addresses; and
- private link.
You can control access using options in the key vault or directly on keys, secrets, or certificates. For data access at the key, secret, or certificate level, use Azure Key Vault access policies.
Then assign the principal for the access policy.
Next, select the Azure Active Directory role-based access option for the permission model.
Key Vault also supports Azure Active Directory Conditional Access policies. With Conditional Access policies, you apply access controls to a key vault to keep the organization secure, as shown in Figure 5.
Azure Key Vault supports privileged access control through Azure Role-Based Access Control (RBAC). Applications reach the service through one of two endpoint groups called planes. Depending on the plane required, the permitted operations differ.
Management plane. Management operations include creating, reading, updating, and deleting key vaults. They also include defining access policies and tags.
Data plane. Data operations include managing keys, certificates, and secrets. Specifically, this plane covers encryption, decryption, signing, verification, creation, update, deletion, backup, and recovery of those objects.
Organizations should manage access using Azure Active Directory (Azure AD). They can limit access with Azure roles. You must assign the roles to the specific scope, such as subscription, resource group, or a particular resource.
Back up key vaults
Organizations can recover deleted vaults and vault items. The backup operation downloads the object, such as a secret, key, or certificate, as an encrypted blob. You cannot decrypt these downloaded blobs outside of Azure.
At press time, Azure Key Vault does not support backing up an entire vault in one operation. Organizations should carefully consider backing up keys, secrets, or certificates based on expiration, permissions, and rotations. Users must manually back up each key, secret, or certificate by selecting that object in the key vault.
PowerShell and Azure CLI also provide backup commands, as shown in the next two sections.
PowerShell backup commands
# Select the subscription that contains the vault
Set-AzContext -Subscription '9c4c4a01-b9f5-47f4-4b2b-dd034efcc7e7'
# Each cmdlet downloads one object as an encrypted backup blob
Backup-AzKeyVaultKey -VaultName 'DemoKeyVaultApp' -Name 'DemoKey'
Backup-AzKeyVaultSecret -VaultName 'DemoKeyVaultApp' -Name 'DemoSecret'
Backup-AzKeyVaultCertificate -VaultName 'DemoKeyVaultApp' -Name 'DemoCert'
Azure CLI backup commands
az keyvault certificate backup --file 'DemoCert.certbackup' --name 'DemoCert' --vault-name 'DemoKeyVaultApp' --subscription '9c4c4a01-b9f5-47f4-4b2b-dd034efcc7e7'
az keyvault key backup --file 'DemoKey.keybackup' --name 'DemoKey' --vault-name 'DemoKeyVaultApp' --subscription '9c4c4a01-b9f5-47f4-4b2b-dd034efcc7e7'
az keyvault secret backup --file 'DemoSecret.secretbackup' --name 'DemoSecret' --vault-name 'DemoKeyVaultApp' --subscription '9c4c4a01-b9f5-47f4-4b2b-dd034efcc7e7'
Remember that you can only restore items in a vault within the same Azure subscription. However, when you download the objects, you can view them as plain text and import them into any key vault, not just the same Azure subscription.
Purge protection, enabled through the Azure portal, CLI, or PowerShell, helps prevent a malicious insider from permanently deleting key vaults, keys, secrets, and certificates. During the configurable retention period, you can recover deleted items at any time. Organizational users cannot permanently delete or purge a key vault until the retention period has elapsed.
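The firewall and purge-protection settings described above can be checked from the vault's resource properties. The following is an added example, not code from the article or from Microsoft: it inspects a constructed JSON document shaped like the Microsoft.KeyVault/vaults resource that `az keyvault show` returns (the property names enableSoftDelete, softDeleteRetentionInDays, enablePurgeProtection, enableRbacAuthorization and networkAcls follow the ARM schema; the values and the 90-day and /16 thresholds are choices made for this example) and reports which of the practices from this article the vault fails.

```python
import ipaddress
import json

# Constructed sample of a weakly configured vault (values are made up).
WEAK_VAULT = json.loads("""
{
  "name": "DemoKeyVaultApp",
  "properties": {
    "enableSoftDelete": true,
    "softDeleteRetentionInDays": 7,
    "enablePurgeProtection": false,
    "enableRbacAuthorization": false,
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Allow",
      "ipRules": [{"value": "0.0.0.0/0"}],
      "virtualNetworkRules": []
    }
  }
}
""")

# The same vault after applying the article's recommendations.
HARDENED_VAULT = json.loads("""
{
  "name": "DemoKeyVaultApp",
  "properties": {
    "enableSoftDelete": true,
    "softDeleteRetentionInDays": 90,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": true,
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Deny",
      "ipRules": [{"value": "203.0.113.0/24"}],
      "virtualNetworkRules": []
    }
  }
}
""")


def check_vault(vault, min_retention_days=90, max_rule_size_prefix=16):
    """Return a list of findings; an empty list means the vault passes every check."""
    props = vault.get("properties", {})
    acls = props.get("networkAcls", {})
    findings = []

    # Recovery: soft delete must be on and retention long enough to notice a deletion.
    if not props.get("enableSoftDelete", False):
        findings.append("soft delete disabled: deleted items cannot be recovered")
    elif props.get("softDeleteRetentionInDays", 0) < min_retention_days:
        findings.append(f"soft-delete retention shorter than {min_retention_days} days")

    # Purge protection blocks permanent deletion before the retention period elapses.
    if not props.get("enablePurgeProtection", False):
        findings.append("purge protection disabled: items can be purged immediately")

    # Prefer Azure RBAC over vault access policies for the permission model.
    if not props.get("enableRbacAuthorization", False):
        findings.append("permission model is access policies rather than Azure RBAC")

    # Firewall: default action must be Deny, otherwise the IP rules are meaningless.
    if acls.get("defaultAction", "Allow") != "Deny":
        findings.append("network default action is Allow: reachable from any address")

    # Flag IP rules so broad that they effectively re-open the vault.
    for rule in acls.get("ipRules", []):
        net = ipaddress.ip_network(rule["value"], strict=False)
        if net.prefixlen < max_rule_size_prefix:
            findings.append(f"IP rule {rule['value']} is broader than /{max_rule_size_prefix}")

    return findings


if __name__ == "__main__":
    for vault in (WEAK_VAULT, HARDENED_VAULT):
        print(vault["name"], check_vault(vault) or ["no findings"])
```

To run this against a real vault, replace the embedded JSON with the output of `az keyvault show --name <vault>` for each vault in the subscription; the checks are read-only and do not modify the vault.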
Use active logging
Once logging is configured, log entries appear in the Azure Log Analytics workspace, where you can inspect them further. All log entries are stored as text formatted as JSON. Azure Monitor provides the basic functionality to monitor and capture metrics for all key vaults.
Kusto queries (KQL) provide a more detailed option for examining log entries. The following query returns who is accessing the key vault, counted by caller IP address:
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| summarize count() by CallerIPAddress
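The same summarization can be reproduced offline, which is useful when log entries have been exported from the Log Analytics workspace for an investigation. The following is an added example, not code from the article: it runs over a handful of constructed records in the shape of the AzureDiagnostics table (the column names ResourceProvider, CallerIPAddress, OperationName and ResultType are real; the addresses and operation values are made up), reproduces the `summarize count() by CallerIPAddress` result, and goes one step further than the query by reporting callers outside an assumed allow-list together with the operations they attempted and how many of those calls were denied.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample records (not real telemetry). One record belongs to a
# different resource provider and must be filtered out, as the KQL does.
SAMPLE_LOGS = [
    {"ResourceProvider": "MICROSOFT.KEYVAULT", "OperationName": "SecretGet",
     "CallerIPAddress": "203.0.113.10", "ResultType": "Success"},
    {"ResourceProvider": "MICROSOFT.KEYVAULT", "OperationName": "SecretGet",
     "CallerIPAddress": "203.0.113.10", "ResultType": "Success"},
    {"ResourceProvider": "MICROSOFT.KEYVAULT", "OperationName": "KeySign",
     "CallerIPAddress": "203.0.113.11", "ResultType": "Success"},
    {"ResourceProvider": "MICROSOFT.KEYVAULT", "OperationName": "SecretList",
     "CallerIPAddress": "198.51.100.7", "ResultType": "Forbidden"},
    {"ResourceProvider": "MICROSOFT.KEYVAULT", "OperationName": "SecretGet",
     "CallerIPAddress": "198.51.100.7", "ResultType": "Success"},
    {"ResourceProvider": "MICROSOFT.STORAGE", "OperationName": "GetBlob",
     "CallerIPAddress": "10.0.0.5", "ResultType": "Success"},
]

# Assumed allow-list: the ranges configured in the vault firewall.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def keyvault_records(records):
    """Equivalent of `where ResourceProvider == "MICROSOFT.KEYVAULT"`."""
    return [r for r in records if r.get("ResourceProvider") == "MICROSOFT.KEYVAULT"]


def callers_by_count(records):
    """Equivalent of `summarize count() by CallerIPAddress`."""
    return dict(Counter(r["CallerIPAddress"] for r in keyvault_records(records)))


def unexpected_callers(records, allowed=ALLOWED_NETWORKS):
    """Callers outside the allow-list, with the operations they tried and denials seen.

    A caller that appears here with successful operations is the case worth
    investigating: the vault firewall should have blocked it.
    """
    report = defaultdict(lambda: {"count": 0, "operations": set(), "failures": 0})
    for rec in keyvault_records(records):
        ip = ipaddress.ip_address(rec["CallerIPAddress"])
        if any(ip in net for net in allowed):
            continue
        entry = report[rec["CallerIPAddress"]]
        entry["count"] += 1
        entry["operations"].add(rec["OperationName"])
        if rec.get("ResultType") != "Success":
            entry["failures"] += 1
    # Sort operations so the output is deterministic.
    return {ip: {**v, "operations": sorted(v["operations"])} for ip, v in report.items()}


if __name__ == "__main__":
    print(callers_by_count(SAMPLE_LOGS))
    print(unexpected_callers(SAMPLE_LOGS))
```

The allow-list should mirror the IP rules actually configured on the vault firewall; a caller outside it that still shows `Success` results indicates either a firewall gap or access through a path the firewall bypasses, and is worth following up in the diagnostic logs.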