Azure KeyVault – Best Practices and Microsoft Recommendations
This article describes security best practices for Azure Key Vault. The recommendations are written for Azure, but most of them apply equally to the equivalent secret-management services on other cloud platforms such as AWS or GCP.
The best practices are based on Microsoft's own recommendations as well as my experience in Azure. Because the technology changes over time, additional recommendations will appear and I will try to update this article to reflect them. Azure provides a set of best practices designed to help protect your workloads from constantly evolving threats; this post shares the most important ones for Key Vault.

•Use a separate Key Vault per application (and per environment), with Azure RBAC or access policies scoped so that only the application team and the application's own identity can read that application's secrets.
•Use a common Key Vault for automation and shared infrastructure services, placed in the shared infrastructure subscription.
•Enable the Key Vault firewall (default action Deny) and expose the vault only through a private endpoint, so that access from the public internet is blocked.
•Configure alerts/notifications (for example from the Key Vault near-expiry events published to Event Grid) so owners are warned before secrets, keys and certificates expire.
•Rotation: put an automated process in place to rotate keys and secrets before they expire, and set an expiry date on every secret so the process has something to act on.
•Tag each secret so the appropriate owner can be identified.
•Tag the vault itself with owner, application, environment, business unit, chargeback code, requester, creation date and similar metadata.
•Turn on diagnostic logging: send the Key Vault AuditEvent category to a Log Analytics workspace so that every request to the vault is recorded.
•Keep soft delete turned on (it is enabled by default on new vaults and cannot be switched off) so deleted keys, secrets, certificates and vaults can be recovered, and additionally enable purge protection so that soft-deleted objects cannot be purged before the retention period ends.
•Take regular backups of your vault secrets, keys and certificates; back up again whenever you create, update or delete objects in the vault. (Link)
•Key Vault contents are replicated to the paired region and, during a regional failover, the vault is available in read-only mode from the paired region, so plan the application's DR procedure accordingly (link).
•Enable Microsoft Defender for Key Vault to get alerts on unusual or suspicious access to the vault.
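As an added example (not code from the original post), the following Python script checks an exported vault configuration and secret list against the items above: RBAC versus access policies, firewall default action and private endpoint, soft delete and purge protection, required tags, and secret expiry. The sample data is constructed; its shape is assumed to mirror the JSON printed by `az keyvault show` and `az keyvault secret list`, which is what you would feed the script in practice (both commands return only metadata, so the audit needs list permission, not access to secret values).

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample. Shape assumed to mirror `az keyvault show -n <vault> -o json`.
SAMPLE_VAULT = {
    "name": "kv-payments-prod",
    "location": "westeurope",
    "tags": {"owner": "payments-team", "environment": "prod"},
    "properties": {
        "enableRbacAuthorization": False,     # still on access policies
        "enableSoftDelete": True,
        "enablePurgeProtection": None,        # never switched on
        "softDeleteRetentionInDays": 90,
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices",
                        "ipRules": [], "virtualNetworkRules": []},
        "privateEndpointConnections": None,
    },
}

# Constructed sample. Shape assumed to mirror `az keyvault secret list --vault-name <vault> -o json`.
SAMPLE_SECRETS = [
    {"name": "db-password", "tags": {"owner": "payments-team"},
     "attributes": {"enabled": True, "expires": "2025-06-20T00:00:00+00:00"}},
    {"name": "api-key-legacy", "tags": {},
     "attributes": {"enabled": True, "expires": None}},
    {"name": "signing-cert-pfx", "tags": {"owner": "platform-team"},
     "attributes": {"enabled": True, "expires": "2030-01-01T00:00:00+00:00"}},
]

# Fixed clock so the sample produces the same findings every run.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def audit_vault(vault, secrets, now=NOW, expiry_window_days=30, required_tags=("owner",)):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    name = vault["name"]
    p = vault.get("properties") or {}

    if not p.get("enableRbacAuthorization"):
        findings.append(f"{name}: access policies in use; switch to Azure RBAC")
    if not p.get("enableSoftDelete"):
        findings.append(f"{name}: soft delete is off; deleted objects cannot be recovered")
    if not p.get("enablePurgeProtection"):
        findings.append(f"{name}: purge protection off; soft-deleted objects can be purged early")

    acls = p.get("networkAcls") or {}
    public_open = p.get("publicNetworkAccess", "Enabled") != "Disabled"
    if public_open and acls.get("defaultAction") != "Deny":
        findings.append(f"{name}: firewall default action is Allow; set Deny and use a private endpoint")
    if not p.get("privateEndpointConnections"):
        findings.append(f"{name}: no private endpoint connection")

    for tag in required_tags:
        if tag not in (vault.get("tags") or {}):
            findings.append(f"{name}: missing vault tag '{tag}'")

    for s in secrets:
        sname = s["name"]
        expires = (s.get("attributes") or {}).get("expires")
        if expires is None:
            findings.append(f"{name}/{sname}: no expiry date; cannot be rotated on a schedule")
        else:
            days_left = (datetime.fromisoformat(expires) - now).days
            if days_left < 0:
                findings.append(f"{name}/{sname}: expired {-days_left} days ago")
            elif days_left <= expiry_window_days:
                findings.append(f"{name}/{sname}: expires in {days_left} days; rotate now")
        for tag in required_tags:
            if tag not in (s.get("tags") or {}):
                findings.append(f"{name}/{sname}: missing tag '{tag}'")
    return findings


if __name__ == "__main__":
    # Usage: python kv_audit.py [vault.json secrets.json]; with no arguments the sample is audited.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fv, open(sys.argv[2]) as fs:
            vault, secrets = json.load(fv), json.load(fs)
        now = datetime.now(timezone.utc)
    else:
        vault, secrets, now = SAMPLE_VAULT, SAMPLE_SECRETS, NOW
    for finding in audit_vault(vault, secrets, now):
        print(finding)
```

Against the sample the script reports seven findings: the vault still uses access policies, has no purge protection, has its firewall open and no private endpoint, `db-password` is inside the 30-day rotation window, and `api-key-legacy` has neither an expiry date nor an owner tag. A vault that follows the list above produces no findings, which is the state a scheduled pipeline run should enforce.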