Approved 2025/05/20 13:40 by ddehamer (version: 1) | Approver: @ai-us-principals

Azure Key Vault Best Practices

📘 Overview

Azure Key Vault is a cloud service for securely storing and accessing secrets, keys, and certificates. To maximize security, it's critical to follow industry-standard and Microsoft-recommended practices.


1. 🔑 Access Control

✅ Use Azure RBAC (Role-Based Access Control)

  • Prefer Azure RBAC over Access Policies when possible for granular and scoped access control.
  • Assign least-privilege roles:
    • Key Vault Reader for read-only access
    • Key Vault Contributor for full management (no data plane)
    • Secret/Key/Certificate Operator roles for specific operations

✅ Enable Role Assignments at the Right Scope

  • Assign roles at resource group or vault level, not subscription-wide.

✅ Use Managed Identities

  • Use system-assigned or user-assigned managed identities for Azure resources needing access.
  • Avoid hardcoded credentials in code.

2. πŸ” Secrets, Keys, and Certificates Management

βœ… Enable Soft Delete

  • Protects against accidental or malicious deletion.
  • Retains deleted items for a default period (up to 90 days).

✅ Enable Purge Protection

  • Prevents permanent deletion of Key Vault objects before the retention period ends.

✅ Set Expiration Dates

  • Apply expiry dates to secrets, keys, and certificates.
  • Monitor expiration and renew proactively.

✅ Use Versioning

  • Secrets and keys are versioned automatically; don't overwrite in place.
  • Use new versions for each update.

3. πŸ” Monitoring and Auditing

βœ… Enable Logging

  • Turn on Azure Monitor diagnostic logs:
    • AuditEvent (access requests)
    • AllMetrics (performance)
  • Send logs to:
    • Log Analytics
    • Event Hubs
    • Storage Accounts

✅ Set Alerts

  • Configure alerts for:
    • Unauthorized access attempts
    • Secrets/keys expiring soon
    • High-frequency access patterns

4. 🔄 Networking and Access Restrictions

✅ Use Private Endpoints

  • Enable Private Link so that the vault is reached only over the Azure backbone.
  • Avoid exposing the vault publicly.

✅ Use Firewall Rules

  • Restrict access to specific trusted IPs or VNet subnets.
  • Enable "Allow trusted Microsoft services" only if required.

5. 🔒 Encryption and HSM

✅ Use Customer-Managed Keys (CMK)

  • For compliance, encrypt vault data using your own Key Encryption Key (KEK).

✅ Use Premium Tier for HSM-backed Keys

  • Required for high-assurance applications (e.g., FIPS 140-2 Level 3).
  • Supports Managed HSM for isolated key storage.

6. βš™οΈ Automation and Governance

βœ… Use Azure Policy

  • Enforce standards like:
    • Vaults must have soft delete enabled
    • Disallow public network access
    • Require private endpoints

✅ Automate Secret Rotation

  • Use Key Vault Event Grid integration or Azure Functions to auto-rotate secrets and certificates.

✅ Regularly Review Access

  • Audit who has access to Key Vault and prune unnecessary roles or policies.

7. 👥 Multi-Factor Authentication (MFA)

  • Require MFA for all users with control-plane (management) access.
  • Use Conditional Access Policies to enforce strong authentication and device compliance.

📋 Summary Checklist

Practice                                                Status
🔒 Soft Delete + Purge Protection enabled               ✅
🚫 Public access disabled (Private Link preferred)      ✅
🔑 RBAC roles scoped to least privilege                 ✅
📅 Secrets and keys have expiration dates               ✅
📜 Logging and alerting configured                      ✅
🔐 MFA + Conditional Access for admins                  ✅


wiki/ai/key-vault-best-practices.txt · Last modified: by ddehamer