Tutorial / Cram Notes

Access to an Azure Key Vault is controlled through access policies. Each access policy grants a user, group, service principal, or application permission to perform specific operations, such as getting a secret or creating a key.

Here’s a brief overview of the operations you can control access to:

  • Keys: Create, import, update, delete, back up, restore, list, and get keys, plus cryptographic operations such as wrapping and unwrapping a key.
  • Secrets: Set, delete, list, and get secrets.
  • Certificates: Create, import, update, delete, list, get, and manage contacts and issuers.

To configure these, navigate to your Azure Key Vault in the Azure portal and select ‘Access policies’ under ‘Settings’. Here you can add a new policy or edit an existing one, and specify the permissions for keys, secrets, and certificates.

Using RBAC for Access Control

Role-based access control (RBAC) is another method for managing access to resources in Azure, including Key Vault. Unlike access policies that are set on individual Key Vaults, RBAC provides the ability to manage access at different levels, such as the management group, subscription, resource group, and specific resource.

Here are common roles that you might assign to control access to a Key Vault:

  • Owner: Full access to manage Key Vault, including the ability to grant access to others.
  • Contributor: Can manage Key Vault but cannot grant access to others.
  • Reader: Read-only access to Key Vault resources.
  • Key Vault Secrets Officer: Can manage secrets, but cannot manage who has access to them.
  • Key Vault Secrets User: Only has the ability to read secrets.

To set up RBAC, go to your Azure Key Vault resource in the Azure portal and select ‘Access control (IAM)’ under ‘Settings’. Here you can add a role assignment, where you select the role to assign and the identity to assign it to.

Best Practices for Configuring Access

  • Least Privilege: Only grant enough permissions for a user to perform their tasks. Do not provide more access than what is necessary.
  • Auditing and Monitoring: Enable Azure Key Vault logging to monitor access and changes. This aids in security and compliance.
  • Principal Segregation: Use service principals for automated tools and applications, keeping them separate from user identities.
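The "Auditing and Monitoring" point above is only useful if someone actually reads the logs. The following is an added example (not code from the original notes or from Microsoft) that triages a handful of constructed log lines shaped after Key Vault `AuditEvent` diagnostic records. It flags repeated forbidden requests from one caller and IP, secret reads by identities outside an expected allow-list, and vault updates (the assumption here is that access policy edits surface as `VaultPatch` operations). The field names, IDs, IPs and app names in the sample are assumptions or placeholders; the threshold is an arbitrary tuning knob.

```python
"""Triage Key Vault AuditEvent diagnostic log lines for access anomalies (added example)."""
import json
from collections import Counter

# Claim key under which Key Vault logs record a user's UPN (assumed schema).
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"


def _line(time, op, status, ip, claim, uri):
    """Build one constructed log line with the subset of AuditEvent fields used below."""
    return json.dumps({
        "time": time,
        "category": "AuditEvent",
        "operationName": op,
        "resultSignature": "OK" if status == 200 else "Forbidden",
        "callerIpAddress": ip,
        "identity": {"claim": claim},
        "properties": {"httpStatusCode": status, "id": uri},
    })


SECRET_URI = "https://kv-example.vault.azure.net/secrets/db-password"  # placeholder vault

# Constructed sample records: one expected reader, one unexpected app, a user
# hitting 403 three times from an external address, and a vault update.
SAMPLE_LOG_LINES = [
    _line("2024-01-10T08:00:01Z", "SecretGet", 200, "10.0.0.4",
          {"appid": "app-billing-placeholder"}, SECRET_URI),
    _line("2024-01-10T08:00:05Z", "SecretGet", 200, "10.0.0.9",
          {"appid": "app-unknown-placeholder"}, SECRET_URI),
    _line("2024-01-10T08:01:00Z", "SecretGet", 403, "203.0.113.9",
          {UPN_CLAIM: "user@placeholder.example"}, SECRET_URI),
    _line("2024-01-10T08:01:02Z", "SecretGet", 403, "203.0.113.9",
          {UPN_CLAIM: "user@placeholder.example"}, SECRET_URI),
    _line("2024-01-10T08:01:04Z", "SecretGet", 403, "203.0.113.9",
          {UPN_CLAIM: "user@placeholder.example"}, SECRET_URI),
    _line("2024-01-10T08:05:00Z", "VaultPatch", 200, "10.0.0.2",
          {UPN_CLAIM: "admin@placeholder.example"}, "https://kv-example.vault.azure.net/"),
    _line("2024-01-10T08:06:00Z", "SecretList", 200, "10.0.0.4",
          {"appid": "app-billing-placeholder"}, "https://kv-example.vault.azure.net/secrets"),
]


def parse_lines(lines):
    """Each diagnostic log line is a JSON object; return them as dicts."""
    return [json.loads(line) for line in lines]


def caller(rec):
    """Identify the caller by app ID (service principal) or UPN (user)."""
    claim = rec.get("identity", {}).get("claim", {})
    return claim.get("appid") or claim.get(UPN_CLAIM) or "unknown"


def triage(records, expected_readers, forbidden_threshold=3):
    """Return (category, caller, ip, detail) findings for the records.

    expected_readers: set of app IDs / UPNs allowed to read secrets.
    """
    findings = []
    forbidden = Counter()
    for rec in records:
        op = rec["operationName"]
        status = rec["properties"]["httpStatusCode"]
        who, ip = caller(rec), rec["callerIpAddress"]
        if status == 403:
            forbidden[(who, ip)] += 1
        elif op == "VaultPatch":
            # Vault updates include access policy edits (assumed mapping); always review.
            findings.append(("policy-change", who, ip, op))
        elif op in {"SecretGet", "SecretList"} and who not in expected_readers:
            findings.append(("unexpected-reader", who, ip, rec["properties"]["id"]))
    for (who, ip), count in forbidden.items():
        if count >= forbidden_threshold:
            findings.append(("repeated-forbidden", who, ip, count))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_lines(SAMPLE_LOG_LINES), {"app-billing-placeholder"}):
        print(finding)
```

Run against a real export, the allow-list would be the set of managed identities you expect to read each vault; a reader outside it is the fastest signal that a policy or role assignment has drifted.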

Combining Access Policies and RBAC

You can use Access Policies and RBAC together for granular, layered access control. For example, a typical setup might use RBAC to decide who has administrative versus read-only access at a broader level, while Access Policies control the specific actions allowed on keys, secrets, and certificates.

Example of Access Policy Setup

To add an access policy for a user to be able to list and get secrets, you would follow these steps:

  1. Navigate to your Key Vault in the Azure portal.
  2. Select ‘Access policies’ under ‘Settings’.
  3. Click on ‘Add Access Policy’.
  4. Choose ‘Secret Management’ from the template dropdown.
  5. In the ‘Select Principal’ field, choose the user or principal you want to grant access to.
  6. From the list of secret permissions, check ‘List’ and ‘Get’.
  7. Click ‘Add’ to save the new access policy and then ‘Save’ on the Access Policies page to apply the policy.
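The steps above produce one access policy entry; the interview question later on this page notes that a Key Vault policy is ultimately a JSON document. The following added example (not code from the original notes or from Microsoft) builds that List + Get secret policy as JSON and audits a vault definition against an expected baseline, flagging principals that are not in the baseline, wildcard `all` grants, `purge` grants, and any permission beyond what each principal should hold. The sample vault follows the shape of an ARM-template `Microsoft.KeyVault/vaults` resource (`properties.accessPolicies`); the tenant and object IDs are placeholders.

```python
"""Audit Key Vault access policies against a least-privilege baseline (added example)."""
import json

# Constructed sample in the shape of an ARM template 'Microsoft.KeyVault/vaults'
# resource body. The tenant and object IDs below are placeholders, not real values.
SAMPLE_VAULT = json.loads("""
{
  "name": "kv-example",
  "properties": {
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "11111111-1111-1111-1111-111111111111",
        "permissions": {"secrets": ["get", "list"]}
      },
      {
        "tenantId": "00000000-0000-0000-0000-000000000000",
        "objectId": "22222222-2222-2222-2222-222222222222",
        "permissions": {"keys": ["all"],
                        "secrets": ["get", "list", "set", "delete", "purge"]}
      }
    ]
  }
}
""")

# What each principal is expected to hold. Anything beyond this is a finding.
EXPECTED = {
    "11111111-1111-1111-1111-111111111111": {"secrets": {"get", "list"}},
}

# Wildcard grants and irreversible deletion of soft-deleted objects always warrant review.
WIDE = {"all"}
DESTRUCTIVE = {"purge"}


def secret_reader_policy(tenant_id, object_id):
    """Build the policy the portal steps produce: List and Get on secrets, nothing else."""
    return {
        "tenantId": tenant_id,
        "objectId": object_id,
        "permissions": {"keys": [], "secrets": ["get", "list"], "certificates": []},
    }


def audit_access_policies(vault, expected):
    """Return (objectId, finding) tuples for every policy that exceeds the baseline."""
    findings = []
    for policy in vault["properties"]["accessPolicies"]:
        oid = policy["objectId"]
        baseline = expected.get(oid)
        if baseline is None:
            findings.append((oid, "principal not in expected baseline"))
            baseline = {}
        for kind, granted in policy.get("permissions", {}).items():
            granted = {p.lower() for p in granted}
            if granted & WIDE:
                findings.append((oid, f"{kind}: wildcard 'all' granted"))
            if granted & DESTRUCTIVE:
                findings.append((oid, f"{kind}: 'purge' granted"))
            extra = granted - baseline.get(kind, set()) - WIDE - DESTRUCTIVE
            if extra:
                findings.append((oid, f"{kind}: beyond baseline: {sorted(extra)}"))
    return findings


if __name__ == "__main__":
    print(json.dumps(secret_reader_policy("<tenant-id>", "<object-id>"), indent=2))
    for oid, msg in audit_access_policies(SAMPLE_VAULT, EXPECTED):
        print(f"{oid}: {msg}")
```

The baseline is the artifact worth keeping under version control: a periodic run of this check against exported vault definitions is the "regular review" the conclusion below calls for, with drift reported as concrete findings rather than a manual read of the portal.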

Conclusion

Securing access to Key Vault involves careful consideration of who needs access, and at what level. Whether using Access Policies for fine-grained permissions at the Key Vault level, RBAC for broader control, or a combination of both, the goal is to ensure that only authorized individuals can manage and access sensitive information based on their role and requirements. Regular reviews and audits of access policies and permissions are necessary to maintain a strong security posture and uphold the principles of least privilege and separation of duties.

Practice Test with Explanation

True or False: A Key Vault can only be accessed by users from the same Azure subscription where the Key Vault is deployed.

False

Access to a Key Vault is controlled through Azure role-based access control (RBAC) and Key Vault access policies, not limited to the same Azure subscription.

Multiple Select: Which of the following can be used to manage access to an Azure Key Vault? (Select all that apply)

  • A) Azure Active Directory (Azure AD)
  • B) Access keys
  • C) Access policies
  • D) Network Security Groups (NSG)

Answer: A, C

Access to an Azure Key Vault can be managed through Azure Active Directory for identity and access management and through Key Vault’s access policies that grant permissions to users and service principals.

True or False: You can restrict access to a Key Vault from specific IP addresses.

True

You can configure network rules for a Key Vault that allow only specific IP addresses or CIDR ranges, restricting access from everywhere else.

Single Select: Which of the following is NOT a permission that can be granted in a Key Vault access policy?

  • A) Key management
  • B) Secret retrieval
  • C) Virtual machine creation
  • D) Certificate management

Answer: C

Access policies in Key Vault define permissions for key management, secret retrieval, and certificate management. Virtual machine creation is beyond the scope of Key Vault access policies.

True or False: When you enable soft-delete on a Key Vault, the deleted data is immediately and permanently removed.

False

When you enable soft-delete, the deleted data is retained for a specified retention period, allowing for recovery before it’s permanently removed.

Single Select: What feature must be enabled to ensure that data is not permanently deleted from a Key Vault?

  • A) Geo-Replication
  • B) Purge Protection
  • C) Resource Locks
  • D) Access Locks

Answer: B

Purge Protection must be enabled to ensure that deleted data cannot be permanently purged from the Key Vault before the retention period elapses, even with RBAC administration privileges.

True or False: You can recover a deleted Key Vault as long as the retention period has not lapsed, even if you have not enabled soft-delete.

False

The ability to recover a deleted Key Vault is contingent upon having soft-delete enabled prior to the deletion of the vault.

Single Select: Which Azure service can be deployed in conjunction with Azure Key Vault to control which applications have access to secrets, keys, and certificates?

  • A) Azure Front Door
  • B) Azure Logic Apps
  • C) Azure Private Link
  • D) Azure Firewall

Answer: C

Azure Private Link provides private connectivity to Azure services like Key Vault and can be used to control which applications within a virtual network can access the Key Vault.

Multiple Select: Which of the following tasks require Key Vault Contributor role permissions?

  • A) Adding secrets to the Key Vault
  • B) Updating Key Vault Certificates
  • C) Deleting Key Vaults
  • D) Updating Key Vault access policies

Answer: C, D

The Key Vault Contributor role allows a user to manage Key Vaults, keys, secrets, and certificates, which includes deleting Key Vaults and updating access policies, but does not allow for the adding or updating of data stored within the Key Vault.

True or False: Key Vault access policies support exception-based permission configurations.

False

Key Vault access policies do not support exceptions; instead, they offer granular permissions that must be explicitly granted.

Single Select: What must be configured in Azure to force users to use multi-factor authentication (MFA) when accessing the Azure Key Vault?

  • A) Conditional Access policies
  • B) Network Security Group (NSG) rules
  • C) Key Vault access policies
  • D) Azure Policy

Answer: A

Conditional Access policies in Azure AD can be used to enforce multi-factor authentication for users when accessing Azure services like Key Vault.

True or False: It’s possible to use managed identities for Azure resources to access Azure Key Vault without storing credentials in the code.

True

Managed identities for Azure resources provide an identity for applications to use when connecting to resources like Azure Key Vault, which allows for secure access without credentials being stored in code.

Interview Questions

What is Key Vault in Azure?

Azure Key Vault is a cloud service that provides a secure store for keys, secrets, and certificates.

How can you secure your Key Vault?

You can secure your Key Vault by following security best practices, such as limiting access, monitoring activity, and using managed identities.

What is a managed identity in Key Vault?

A managed identity is a service principal that is automatically created and managed by Azure. It can be used to authenticate applications and services without the need for a shared credential.

How can you grant access to a Key Vault?

You can grant access to a Key Vault using access policies, which allow you to specify the actions that a user or application can perform on the Key Vault.

What is a key vault policy?

A Key Vault policy is a JSON document that defines the permissions that a security principal has to a particular Key Vault.

What are the different types of access policies available in Key Vault?

There are four types of access policy permissions in Key Vault: key permissions, secret permissions, certificate permissions, and management permissions.

How do you add an access policy to a Key Vault?

You can add an access policy to a Key Vault using the Azure portal, Azure CLI, Azure PowerShell, or the Key Vault REST API.

What is a Key Vault soft delete?

Key Vault soft delete is a feature that allows you to recover a deleted Key Vault, along with all its objects, within a configurable retention period.

How do you enable soft delete for a Key Vault?

You can enable soft delete for a Key Vault using the Azure portal, Azure CLI, Azure PowerShell, or the Key Vault REST API.

What is the purpose of Key Vault diagnostics?

Key Vault diagnostics provide detailed information about the activity and performance of a Key Vault, allowing you to troubleshoot issues and optimize performance.

What types of diagnostics data can you collect for a Key Vault?

You can collect various types of diagnostics data for a Key Vault, including Key Vault events, Key Vault audit logs, and Key Vault metrics.

How can you configure diagnostic settings for a Key Vault?

You can configure diagnostic settings for a Key Vault using the Azure portal, Azure CLI, Azure PowerShell, or the Key Vault REST API.

What is Defender for Key Vault?

Defender for Key Vault is a security feature that provides threat detection and alerts for Key Vault using Azure Security Center.

How can you configure Defender for Key Vault?

You can configure Defender for Key Vault using the Azure Security Center portal or Azure PowerShell.

What types of threats can Defender for Key Vault detect?

Defender for Key Vault can detect various types of threats, including unauthorized access, privilege escalation, and data exfiltration.

Gloria Holguín
1 year ago

Great post on configuring access to Key Vault for AZ-500! Really helped clarify the RBAC roles.

Wyatt Olson
8 months ago

I have a question. Can you explain more about accessing Key Vault using managed identities?

Hector Cole
1 year ago

What are the key differences between access policies and RBAC when it comes to Key Vault?

Olimpiada Maykovich
1 year ago

I appreciate the step-by-step guide. It made the process much simpler!

Ortrud Wiebe
1 year ago

Is there any way to automate Key Vault access configurations using Azure DevOps?

Uglješa Španović
1 year ago

How does one handle Key Vault access in a multi-tenant scenario?

Hilmar Löwen
2 years ago

Thanks for this comprehensive guide!

Maria Johansen
2 years ago

Can someone explain how to use Key Vault with AKS?
