Azure Key Vault Flashcards
2 Tiers
- Standard (SW Abstraction)
- Premium (Multi-tenant HSM)
Standard Tier of Azure Key Vault
L1
Software Abstraction
Thales N-Shield Hardware
FIPS 140-2 Level 1
Premium Tier of Azure Key Vault
L2
Multi-tenant HSM / Shared HSM
Secrets/keys/certificates > HSM
FIPS 140-2 Level 2
Isolated by RBAC
Dedicated HSM
Level 3
- FIPS 140-2 Level 3 or CC EAL 4+
- Direct control of HSM
- SafeNet Luna HSM 7
- Low latency
- MS connects the HSM to the VNET and powers it up
- Client controls and manages the entire life cycle
Azure Key Vault contains
- Keys
- Secrets
- Certificates & Meta Data
How is Azure Key Vault accessed?
Azure Key Vault API
Steps for App to access AKV resources?
- App. is registered to AAD
- App. gets Client ID and Authn. Key from AAD
- App. submits CID & AK to AAD
- App. gets back the TOKEN from AAD
To Access AKV from App.
- App. sends Token to AKV
- AKV uses OpenID Connect with AAD to authenticate the App.
- AKV provides access to Application
AKV > KEYS
- Stays within Azure Key Vault
- Generated by Key Vault, or crypto material imported to AKV
- Authorized cloud services request AKV to perform operations using the key
Operations
- Create
- Import
- Get
- List
- Backup
- Restore
- Delete
- Update
- Sign
- Verify
- Encrypt
- Decrypt
Azure > Secret
- Small data blobs (10 KB)
- Leaves AKV boundaries
Used for
- Connection Strings
- Account Keys
- Password for PFX
Operations
- Create
- Update
- Get
- List
- Delete
AKV Auditor - What do they do?
- Monitor Key Vault logs
- Review usage logs to confirm proper key usage
- Ensure compliance with data security standards
AKV Configuration
- Name
- Location
- Vault URI: name-kv.vault.azure.net
- SKU: Standard/Premium
- Directory ID
- Directory Name
- Soft Delete
- Purge Protection
AKV > Certificates
Operations
- Create
- Update
- Policy
- Import
- Renewal
AKV Lifetime - Owner operations
- Create key: import/create master key
- Authorize: authorize applications and users for specific operations
- Set up ACL
- Register with AD
- Create service principal
- Enable usage log
AKV Lifetime - Key/Secret owner operations
Adds Secrets/Keys to Key Vault
AKV Lifetime - App Owner/Service Principal
- Uses secrets and keys in Key Vault
- Authenticates with AD and obtains a token