Profile Applicability:

  • Level 2

Description:

This check ensures that Azure Key Vaults are used to securely store sensitive data such as passwords, API keys, and connection strings. Azure Key Vault provides a centralized and secure place to manage secrets, keys, and certificates, reducing the risk of unauthorized access to critical data.

Rationale:

Storing secrets in an unmanaged location, such as application settings or environment variables, can expose sensitive information to unauthorized users or processes. Azure Key Vault provides robust access controls, logging, and encryption at rest, ensuring that secrets are safely stored and accessed only by authorized applications and users. This practice helps meet security and compliance standards, such as PCI-DSS, HIPAA, and ISO 27001.

Impact:

Pros:

  • Centralizes secret management, making it easier to maintain and audit.

  • Provides strong access control with Azure Active Directory integration.

  • Ensures secrets are encrypted both at rest and in transit.

  • Reduces the risk of accidental exposure of sensitive information.

  • Helps meet industry-specific compliance requirements.

Cons:

  • Requires additional configuration and management of Azure Key Vault.

  • Introduces dependency on Azure Key Vault for storing and accessing secrets.

  • Potential cost increase associated with the use of Azure Key Vault.

Default Value:

By default, Azure App Service does not use Azure Key Vault to store secrets unless explicitly configured.

Pre-requisites:

  • Ensure that Azure Key Vault is set up within the Azure subscription.

  • Ensure that appropriate access policies are defined in Azure Key Vault to allow applications to retrieve secrets.

Test Plan:

Using Azure Console:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. Go to the Key Vaults blade.

  3. Select the Key Vault you want to review.

  4. Under the Settings section, click on Secrets.

  5. Ensure that sensitive data such as passwords, API keys, or connection strings are stored in Key Vault, and not directly in application settings or environment variables.

Using Azure CLI:

To list the secrets in an Azure Key Vault, run the following command:

az keyvault secret list --vault-name <KEY_VAULT_NAME>

  1. Verify that critical secrets such as passwords, API keys, or connection strings are stored in Azure Key Vault.
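
Listing the vault's secrets shows what has been moved into Key Vault, but not whether the application still carries inline copies. The check below is an added example, not part of this benchmark: it reads the output of `az webapp config appsettings list -o json` (the array-of-{name,value,slotSetting} shape is assumed, and the sample embedded here is constructed) and flags sensitive-looking settings whose value is not an App Service Key Vault reference.

```python
import json
import re

# App Service resolves either Key Vault reference form at startup:
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/[<version>])
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>])
KV_REF = re.compile(
    r"^@Microsoft\.KeyVault\((SecretUri=https://[^)]+"
    r"|VaultName=[^;)]+;SecretName=[^;)]+(;SecretVersion=[^)]+)?)\)$",
    re.IGNORECASE,
)

# Heuristic for setting names that usually carry credentials (assumed; tune per app).
SENSITIVE_NAME = re.compile(
    r"(PASSWORD|PASSWD|SECRET|API_?KEY|TOKEN|CONNECTION_?STRING)", re.IGNORECASE
)


def find_inline_secrets(settings):
    """Return names of sensitive-looking settings whose value is stored inline
    rather than as a Key Vault reference (a finding for this check)."""
    findings = []
    for setting in settings:
        name = setting.get("name", "")
        value = (setting.get("value") or "").strip()
        if SENSITIVE_NAME.search(name) and not KV_REF.match(value):
            findings.append(name)
    return findings


# Constructed sample in the shape of `az webapp config appsettings list -o json`.
SAMPLE = json.dumps([
    {"name": "WEBSITE_RUN_FROM_PACKAGE", "value": "1", "slotSetting": False},
    {"name": "DB_PASSWORD", "value": "Pa55w0rd-example", "slotSetting": False},
    {"name": "STORAGE_CONNECTION_STRING",
     "value": "@Microsoft.KeyVault(SecretUri=https://kv-example.vault.azure.net/secrets/storage-conn/)",
     "slotSetting": False},
    {"name": "PAYMENT_API_KEY",
     "value": "@Microsoft.KeyVault(VaultName=kv-example;SecretName=payment-api-key)",
     "slotSetting": False},
    {"name": "THIRD_PARTY_TOKEN", "value": "tok-example-1234", "slotSetting": True},
    {"name": "LOG_LEVEL", "value": "Info", "slotSetting": False},
])


def check_sample():
    return find_inline_secrets(json.loads(SAMPLE))


if __name__ == "__main__":
    for name in check_sample():
        print(f"FAIL: {name} holds an inline value; move it to Key Vault and reference it")
```

Pipe the real CLI output into `find_inline_secrets(json.load(sys.stdin))` to run the same check against a live app; an empty result means every sensitive-looking setting is resolved from Key Vault.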

Implementation Plan:

Using Azure Console:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. Go to Key Vaults and create a new Key Vault if one is not already available.

  3. Under the Secrets section, click Generate/Import to create a new secret.

  4. Store sensitive information like passwords, API keys, or certificates in the Key Vault.

  5. In the application settings, update the configuration to fetch the secrets from Azure Key Vault rather than storing them in application settings or environment variables.

  6. Ensure that Azure Active Directory (AAD) access policies are set up to allow the application to access the secrets.

Using Azure CLI:

To create a new Key Vault, run the following command:

az keyvault create --name <KEY_VAULT_NAME> --resource-group <RESOURCE_GROUP_NAME> --location <LOCATION>

To store a secret in the Key Vault, run the following command:

az keyvault secret set --vault-name <KEY_VAULT_NAME> --name <SECRET_NAME> --value <SECRET_VALUE>

  1. Update the application configuration to reference the secrets from the Azure Key Vault rather than from environment variables or app settings.

Backout Plan:

Using Azure Console:

  1. Log in to the Azure portal at https://portal.azure.com.

  2. Go to Key Vaults and select the Key Vault you want to revert from.

  3. Under the Secrets section, delete or disable the secrets that were previously stored.

  4. Update the application to store secrets locally in environment variables or application settings if necessary.

Using Azure CLI:

To delete a secret from the Azure Key Vault, run the following command:

az keyvault secret delete --vault-name <KEY_VAULT_NAME> --name <SECRET_NAME>

  1. Revert the application settings to use local environment variables or configuration files if needed.

References: