Description:
This control ensures that sensitive data such as passwords, API keys, and connection strings are securely stored in Azure Key Vault rather than in code or configuration files. It provides centralized management, strong access control, encryption, and audit logging, reducing exposure risk and supporting security and compliance requirements.
Rationale:
Storing secrets in unmanaged locations risks unauthorized access. Using Azure Key Vault ensures secure storage with access controls, logging, and encryption, restricting access to authorized users and applications while supporting compliance with standards like PCI-DSS, HIPAA, and ISO 27001.
Impact:
Azure Key Vault centralises secret management, simplifies auditing, and integrates with Azure Active Directory for strong access control. It encrypts data at rest and in transit, reduces accidental exposure of sensitive information, and helps organisations meet industry and regulatory compliance requirements.
Default Value:
By default, Azure App Service does not use Azure Key Vault to store secrets unless explicitly configured.
Pre-requisites:
Azure Key Vault is available
Secrets identified
Application has access to Key Vault
Test Plan:
Sign in to the Azure Portal https://portal.azure.com
Open the Web App.
Under Settings, select Environment variables in App settings.
Check if secret values use Azure Key Vault reference, for example:
@Microsoft.KeyVault(SecretUri=https://<keyvault-name>.vault.azure.net/secrets/<secret-name>)
Ensure no passwords, keys, or connection strings are stored in plain text.
Click Pull reference values to confirm the reference resolves.
If secrets are not stored in Azure Key Vault, follow the implementation steps.
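The check in the test plan above can also be run over the exported app settings. The following is an added example, not part of this control or of Azure tooling: it classifies each setting from a constructed sample of `az webapp config appsettings list` output as a well-formed Key Vault reference, a malformed reference, a probable plain-text secret, or a harmless setting. The vault name, setting names and the sensitive-name heuristic are assumptions.

```python
import json
import re

# Constructed sample of `az webapp config appsettings list` output (not real data).
SAMPLE_APP_SETTINGS = json.dumps([
    {"name": "DB_CONNECTION_STRING", "slotSetting": False,
     "value": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/db-conn/)"},
    {"name": "STORAGE_KEY", "slotSetting": False,
     "value": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=storage-key)"},
    {"name": "API_PASSWORD", "slotSetting": False, "value": "P@ssw0rd-in-plain-text"},
    {"name": "BROKEN_REF", "slotSetting": False,
     "value": "@Microsoft.KeyVault(SecretUri=ftp://contoso-kv.vault.azure.net/secrets/x)"},
    {"name": "FEATURE_FLAG", "slotSetting": False, "value": "true"},
])

# The two reference syntaxes App Service accepts: SecretUri, or VaultName;SecretName[;SecretVersion].
SECRET_URI_RE = re.compile(
    r"^@Microsoft\.KeyVault\(SecretUri=https://[^/\s]+\.vault\.azure\.net/secrets/[^/\s)]+/?(?:[^/\s)]+/?)?\)$")
VAULT_NAME_RE = re.compile(
    r"^@Microsoft\.KeyVault\(VaultName=[^;\s)]+;SecretName=[^;\s)]+(?:;SecretVersion=[^;\s)]+)?\)$")
# Heuristic (an assumption): setting names that usually carry secrets.
SENSITIVE_NAME_RE = re.compile(r"(password|passwd|pwd|secret|key|token|connectionstring|connection_string)", re.I)


def classify_setting(name, value):
    """Return 'keyvault', 'malformed-reference', 'plaintext-secret' or 'ok' for one app setting."""
    if value.startswith("@Microsoft.KeyVault("):
        # A reference that the platform cannot resolve is served to the app as the literal string.
        if SECRET_URI_RE.match(value) or VAULT_NAME_RE.match(value):
            return "keyvault"
        return "malformed-reference"
    if SENSITIVE_NAME_RE.search(name):
        return "plaintext-secret"
    return "ok"


def audit_app_settings(raw_json):
    """Map each setting name in the CLI JSON output to its classification."""
    return {s["name"]: classify_setting(s["name"], s["value"]) for s in json.loads(raw_json)}


def findings(raw_json):
    """Sorted names of settings that fail the control (plain-text secrets or broken references)."""
    return sorted(n for n, c in audit_app_settings(raw_json).items() if c in ("plaintext-secret", "malformed-reference"))


if __name__ == "__main__":
    for name, verdict in audit_app_settings(SAMPLE_APP_SETTINGS).items():
        print(f"{verdict:20} {name}")
```

Pipe real output into `audit_app_settings` from `az webapp config appsettings list --name <app> --resource-group <rg>`; a `malformed-reference` result corresponds to the case where Pull reference values in the portal would fail to resolve.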
Implementation steps:
Sign in to the Azure Portal https://portal.azure.com
Create or select an Azure Key Vault.
In the Key Vault, under Objects, open Secrets, select Generate/Import, and add the required secret (password, key, or connection string).
Go to the Web App, Identity, and enable System-assigned managed identity.
In Key Vault, Access control (IAM), assign the role Key Vault Secrets User to the Web App’s managed identity.
Under Settings, select Environment variables in App settings.
Add or update the app setting value using a Key Vault reference, for example:
@Microsoft.KeyVault(SecretUri=https://<keyvault-name>.vault.azure.net/secrets/<secret-name>)
Save the configuration and restart the Web App.
Backout Plan:
Sign in to the Azure Portal https://portal.azure.com
Open the Web App.
Under Settings, select Environment variables in App settings.
Identify the application settings that reference Azure Key Vault.
Replace the Key Vault reference with the previous value if required, or remove the setting.
Save the configuration changes.
Restart the Web App to apply the rollback.
If no longer needed, remove the Web App managed identity role assignment from the Key Vault.
Optionally disable or delete the secret from Azure Key Vault if it is no longer required.
References:
https://learn.microsoft.com/en-us/azure/key-vault/general/overview
https://docs.microsoft.com/en-us/azure/keyvault/secrets/quick-create-portal
https://docs.microsoft.com/en-us/azure/key-vault/general/overview-access-control