Managing Azure Key Vault Security Access


In this tutorial, we will learn how to manage and configure secure access to Azure Key Vault.

Encryption keys and secrets such as certificates, connection strings, and passwords need to be protected in the cloud, and Azure Key Vault is the service for doing so. If you store sensitive or business-critical data in a vault, you need to take steps to maximize the security of your vaults and the data stored in them.

Identity and access management

When you create a key vault in an Azure subscription, it is automatically associated with the Azure AD tenant of that subscription. Anyone who wants to manage a vault or retrieve content from it must first be authenticated by Azure AD.

  • Firstly, authentication establishes the identity of the caller.
  • Secondly, authorization determines which operations the caller can perform. Authorization in Key Vault uses a combination of role-based access control (RBAC) and Azure Key Vault access policies.

Overview of Access model

There are two interfaces or planes from where access to vaults takes place. These planes are the management plane and the data plane.

  • Firstly, the management plane is where you manage Key Vault itself; it is the interface used to create and delete vaults.
  • Secondly, the data plane allows you to work with the data stored in a key vault. Here you can add, delete, and modify keys, secrets, and certificates.

To access a key vault in either plane, all callers (users or applications) must be authenticated and authorized. Both planes use Azure Active Directory (Azure AD) for authentication. For authorization, the management plane uses role-based access control (RBAC) and the data plane uses a Key Vault access policy.

Managing administrative access to Key Vault

When you create a key vault in a resource group, you manage access to it by using Azure AD: you grant users or groups the ability to manage the key vaults in that resource group, and you can grant access at a specific scope level by assigning the appropriate Azure roles. To grant a user access to manage key vaults, you assign the predefined Key Vault Contributor role to the user at a specific scope. An Azure role can be assigned at the following scope levels:

  • Firstly, Subscription. An Azure role assigned at the subscription level applies to all resource groups and resources within that subscription.
  • Secondly, Resource group. An Azure role assigned at the resource group level applies to all resources in that resource group.
  • Lastly, Specific resource. An Azure role assigned for a specific resource applies to that resource only.
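As an added example (not from the page or from Microsoft's documentation), the following Python models how a role assignment at one scope level is inherited by every resource beneath it, and how a role's NotActions are subtracted from its Actions. The resource IDs, the principal name and the cut-down role definition are constructed for illustration.

```python
from fnmatch import fnmatch

# Simplified role definition (assumption: a cut-down version of the built-in
# Key Vault Contributor role; the real role lists more Actions/NotActions).
# It grants management-plane actions only; data-plane permissions on keys,
# secrets and certificates come from access policies, not from this role.
KEY_VAULT_CONTRIBUTOR = {
    "actions": ["Microsoft.KeyVault/*"],
    "not_actions": ["Microsoft.KeyVault/locations/deletedVaults/purge/action"],
}

def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """A scope covers a resource when the resource ID equals the scope or
    starts with it on a full path-segment boundary (IDs are case-insensitive)."""
    scope = assignment_scope.rstrip("/").lower()
    rid = resource_id.rstrip("/").lower()
    return rid == scope or rid.startswith(scope + "/")

def role_allows(role: dict, action: str) -> bool:
    """Actions are wildcard patterns; NotActions subtract from them."""
    act = action.lower()
    allowed = any(fnmatch(act, p.lower()) for p in role["actions"])
    denied = any(fnmatch(act, p.lower()) for p in role["not_actions"])
    return allowed and not denied

def is_authorized(assignments, principal: str, action: str, resource_id: str) -> bool:
    """assignments: list of (principal, role, scope) tuples. Azure RBAC is
    additive, so any single matching assignment is enough."""
    return any(
        p == principal and scope_covers(scope, resource_id) and role_allows(role, action)
        for p, role, scope in assignments
    )

# Constructed IDs: one subscription, two resource groups, a vault in each.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_SECRETS = SUB + "/resourceGroups/rg-secrets"
KV_PROD = RG_SECRETS + "/providers/Microsoft.KeyVault/vaults/kv-prod"
KV_OTHER = SUB + "/resourceGroups/rg-other/providers/Microsoft.KeyVault/vaults/kv-other"
ASSIGNMENTS = [("alice", KEY_VAULT_CONTRIBUTOR, RG_SECRETS)]  # resource-group scope

if __name__ == "__main__":
    print(is_authorized(ASSIGNMENTS, "alice", "Microsoft.KeyVault/vaults/write", KV_PROD))   # True
    print(is_authorized(ASSIGNMENTS, "alice", "Microsoft.KeyVault/vaults/write", KV_OTHER))  # False
```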

Controlling access to Key Vault data

Key Vault access policies grant permissions separately to keys, secrets, or certificates. For example, you can grant a user access only to keys and not to secrets.

To set access policies for a key vault, use the Azure portal, the Azure CLI, Azure PowerShell, or the Key Vault Management REST APIs.

Further, you can restrict data plane access by using virtual network service endpoints for Azure Key Vault, and you can configure firewalls and virtual network rules for an additional layer of security.

Network access

You can reduce the exposure of your vaults by specifying which IP addresses are allowed to access them. Virtual network service endpoints for Azure Key Vault let you restrict access to a specified virtual network, and the endpoints also allow you to restrict access to a list of IPv4 (Internet Protocol version 4) address ranges. Users outside those networks and address ranges cannot connect to your key vault.

After firewall rules take effect, users can only read data from Key Vault when their requests originate from allowed virtual networks or IPv4 address ranges. This also applies to accessing Key Vault from the Azure portal: users can browse to the vault, but they may not be able to list keys, secrets, or certificates if their client machine is not in the allowed list. It also affects the Key Vault Picker used by other Azure services: if firewall rules block their client machine, users may be able to see a list of key vaults, but not list keys.
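The following added example (not code from the page or from Azure) models how a data-plane request is evaluated against the two controls described above: the vault firewall (allowed IPv4 ranges and virtual network subnets) and the access policy that grants permissions per object type. The vault configuration, IP ranges, subnet ID and principal names are constructed, and the order of the two 403 checks is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed subnet resource ID for a virtual network service endpoint.
APP_SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net"
              "/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app")

# Constructed vault configuration: firewall on (default action Deny), one
# allowed IPv4 range, one allowed subnet, and two access policies.
VAULT = {
    "default_action": "Deny",          # "Allow" would switch the firewall off
    "ip_rules": ["203.0.113.0/24"],    # constructed corporate egress range
    "vnet_subnets": [APP_SUBNET],
    "access_policies": [
        {"object_id": "app-sp-0001", "keys": ["get", "sign"], "secrets": [], "certificates": []},
        {"object_id": "alice", "keys": [], "secrets": ["get", "list"], "certificates": []},
    ],
}

def network_allows(vault, caller_ip=None, caller_subnet=None) -> bool:
    """Firewall check: allowed when the firewall is off, the caller arrives from
    an allowed subnet (service endpoint), or from an allowed IPv4 range."""
    if vault["default_action"] == "Allow":
        return True
    if caller_subnet and caller_subnet.lower() in [s.lower() for s in vault["vnet_subnets"]]:
        return True
    return bool(caller_ip) and any(ip_address(caller_ip) in ip_network(r) for r in vault["ip_rules"])

def policy_allows(vault, object_id, object_type, permission) -> bool:
    """Access policies grant permissions per object type (keys, secrets, certificates),
    so a principal with secret permissions has no key permissions unless granted."""
    for policy in vault["access_policies"]:
        if policy["object_id"] == object_id:
            return permission.lower() in policy[object_type]
    return False

def evaluate(vault, request) -> str:
    """Azure AD authentication first (unauthenticated requests get a 401, as the
    page notes), then the network rules, then the data-plane access policy."""
    if not request.get("authenticated"):
        return "401 unauthenticated"
    if not network_allows(vault, request.get("ip"), request.get("subnet")):
        return "403 forbidden by network rules"
    if not policy_allows(vault, request["object_id"], request["object_type"], request["permission"]):
        return "403 forbidden by access policy"
    return "200 allowed"
```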

Monitoring

Key Vault logging saves information about the activities happening on your vault. Key Vault logs:

  • Firstly, all authenticated REST API requests, including failed requests:
    1. Operations on the key vault itself, including creation, deletion, setting access policies, and updating key vault attributes such as tags.
    2. Operations on keys and secrets in the key vault, including creating, modifying, or deleting these keys or secrets. This also includes signing, verifying, encrypting, decrypting, wrapping and unwrapping keys, getting secrets, and listing keys and secrets.
  • Secondly, unauthenticated requests that result in a 401 response.

The logging information is available within 10 minutes after the key vault operation. After that, it is up to you to manage your logs in your storage account:
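As an added example (not from the page or from Microsoft), the following Python runs simple detection logic over constructed Key Vault AuditEvent records written as newline-delimited JSON, flagging the kinds of events the page says are logged: repeated 401 responses from one address, authenticated callers whose requests were refused, and successful changes to the vault itself. The record field names follow the public diagnostic-log shape as I understand it and are an assumption.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records (not real log data), one JSON object per line as
# exported to a storage account. Field names are assumed from the AuditEvent schema.
SAMPLE_LOG = """\
{"time":"2024-05-01T10:00:01Z","operationName":"SecretGet","resultType":"Success","callerIpAddress":"203.0.113.7","identity":{"claim":{"upn":"alice@contoso.example"}},"properties":{"httpStatusCode":200}}
{"time":"2024-05-01T10:00:05Z","operationName":"Authentication","resultType":"Unauthorized","callerIpAddress":"198.51.100.9","identity":{},"properties":{"httpStatusCode":401}}
{"time":"2024-05-01T10:00:06Z","operationName":"Authentication","resultType":"Unauthorized","callerIpAddress":"198.51.100.9","identity":{},"properties":{"httpStatusCode":401}}
{"time":"2024-05-01T10:01:00Z","operationName":"KeyList","resultType":"Forbidden","callerIpAddress":"203.0.113.7","identity":{"claim":{"upn":"alice@contoso.example"}},"properties":{"httpStatusCode":403}}
{"time":"2024-05-01T10:02:00Z","operationName":"VaultPatch","resultType":"Success","callerIpAddress":"203.0.113.20","identity":{"claim":{"upn":"bob@contoso.example"}},"properties":{"httpStatusCode":200}}
"""

# Management operations on the vault itself (creation, update such as access
# policy changes, deletion); the operation names are an assumption.
VAULT_CONFIG_OPS = {"VaultPut", "VaultPatch", "VaultDelete"}

def caller(rec: dict) -> str:
    """Identify the caller from the identity claims; unauthenticated requests have none."""
    claim = rec.get("identity", {}).get("claim", {})
    return claim.get("upn") or claim.get("appid") or "<unauthenticated>"

def triage(ndjson: str, unauth_threshold: int = 2) -> dict:
    """Walk the records once and collect three kinds of findings."""
    unauth_by_ip = Counter()
    forbidden_by_caller = defaultdict(list)
    config_changes = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        status = rec.get("properties", {}).get("httpStatusCode")
        if status == 401:                       # unauthenticated request, logged by Key Vault
            unauth_by_ip[rec.get("callerIpAddress")] += 1
        elif status == 403:                     # authenticated but refused (policy or firewall)
            forbidden_by_caller[caller(rec)].append(rec["operationName"])
        if rec.get("operationName") in VAULT_CONFIG_OPS and rec.get("resultType") == "Success":
            config_changes.append((rec["time"], caller(rec), rec["operationName"]))
    return {
        "unauth_probing_ips": sorted(ip for ip, n in unauth_by_ip.items() if n >= unauth_threshold),
        "forbidden_by_caller": dict(forbidden_by_caller),
        "config_changes": config_changes,
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```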

  • Firstly, use standard Azure access control methods to secure your logs by restricting who can access them.
  • Secondly, delete logs that you no longer want to keep in your storage account.

Reference: Microsoft Documentation
