Azure Key Vault Flashcards

1
Q

Two tiers

A
  • Standard: software-protected keys (cryptographic operations run in software inside the Key Vault service)
  • Premium: HSM-protected keys (cryptographic operations run inside a multi-tenant, FIPS-validated HSM)

2
Q

Standard tier of Azure Key Vault (Level 1)

A

Software-protected keys: operations are performed in software by the Key Vault service
The keys are encrypted at rest by a system key held in Microsoft's HSMs (Thales nShield hardware in the original Key Vault design), but the customer's key is not HSM-protected
FIPS 140-2 Level 1

3
Q

Premium tier of Azure Key Vault (Level 2)

A

HSM-protected keys in a multi-tenant (shared) HSM pool
Keys, and the private keys of certificates, can be HSM-protected; secrets are always software-protected
FIPS 140-2 Level 2 validated HSMs
Tenants are isolated logically, not by dedicated hardware: each vault is bound to one Entra ID (Azure AD) tenant, and access is controlled by Azure RBAC or vault access policies

4
Q

Dedicated HSM (Level 3)

A
FIPS 140-2 Level 3 and Common Criteria EAL 4+ validated
Single-tenant appliance: the customer has direct, exclusive control of the HSM
Thales (SafeNet) Luna Network HSM 7
Low latency: the appliance sits inside your virtual network
Microsoft provisions the appliance, attaches it to your VNet and powers it on
The customer controls and manages the entire lifecycle (initialisation, partitions, keys, backups); Microsoft has no administrative access to the device or the key material
5
Q

Azure Key Vault contains

A
  • Keys (cryptographic keys; operations are performed inside the vault, the key never leaves it)
  • Secrets (small arbitrary values, returned to the authorized caller)
  • Certificates (X.509 certificates with their issuance policy and metadata; the private key and the PEM/PFX are exposed as an addressable key and an addressable secret)
6
Q

How is Azure Key Vault accessed?

A

Through the Key Vault REST API (data plane) at the vault URI https://{vault-name}.vault.azure.net; the portal, Azure CLI, PowerShell and the SDKs all call that API
Creating and configuring the vault goes through Azure Resource Manager (control plane); every data-plane call needs an Entra ID bearer token

7
Q

Steps for an app to access AKV resources?

A
  1. The app is registered in Entra ID (Azure AD) and gets a client ID plus a credential (client secret or certificate)
  2. The app presents the client ID and credential to Entra ID (OAuth 2.0 client-credentials grant, scope https://vault.azure.net/.default)
  3. Entra ID returns an access token whose audience is Key Vault

To access AKV from the app:

  1. The app sends the token to Key Vault in an Authorization: Bearer header
  2. Key Vault validates the token (issuer, signature, audience, expiry) against the tenant the vault trusts; it does not ask the app to authenticate again
  3. Key Vault checks the app's authorization (Azure RBAC role or access policy) and performs the requested operation

A managed identity replaces the first three steps: there is no credential to store, the token is fetched from the platform.
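The two exchanges above as raw HTTP, added here as an example (it is not code from the original flashcards): the client-credentials request to Entra ID, then the bearer-authenticated secret read from Key Vault. The endpoints, form fields, header and JSON field names are the public Entra ID v2.0 and Key Vault REST shapes; tenant, client, vault and secret names are constructed, and the transport is injectable so the exchange can be run offline against the constructed fake at the bottom.

```python
"""Client-credentials flow against Azure Key Vault, as plain HTTP.

Added example, not from the original page. Real endpoints and message shapes;
constructed names. `fake_transport` stands in for Entra ID + Key Vault offline.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
KV_SCOPE = "https://vault.azure.net/.default"  # audience a Key Vault token must carry
API_VERSION = "7.4"


def urllib_transport(method, url, headers, body=None):
    """Real transport. Returns (status, response headers, parsed JSON body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), json.loads(err.read() or b"{}")


def get_token(transport, tenant, client_id, client_secret):
    """App -> Entra ID: present client ID + secret, receive a bearer token for Key Vault."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": KV_SCOPE,
    }).encode()
    status, _, payload = transport(
        "POST", TOKEN_ENDPOINT.format(tenant=tenant),
        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200 or "access_token" not in payload:
        raise RuntimeError(f"token request failed: {status} {payload.get('error')}")
    return payload["access_token"]


def get_secret(transport, vault_name, secret_name, token):
    """App -> Key Vault: send the token; Key Vault validates it, then authorizes the read."""
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version={API_VERSION}"
    status, headers, payload = transport("GET", url, {"Authorization": f"Bearer {token}"})
    if status == 401:
        # Authentication failed. The challenge header names the authority and the
        # resource (audience) a valid token must come from.
        raise PermissionError(f"token rejected: {headers.get('WWW-Authenticate')}")
    if status == 403:
        raise PermissionError("token accepted, but no RBAC role / access policy grants secrets/get")
    if status != 200:
        raise RuntimeError(f"unexpected {status}: {payload}")
    return payload["value"], payload["id"]  # id is the versioned secret identifier


def fetch_secret(tenant, client_id, client_secret, vault_name, secret_name,
                 transport=urllib_transport):
    token = get_token(transport, tenant, client_id, client_secret)
    return get_secret(transport, vault_name, secret_name, token)


# --- constructed fake of Entra ID + Key Vault, for offline use only ----------------
def fake_transport(valid_client_secret, secret_value, version="0123456789abcdef0123456789abcdef"):
    good_token = "constructed.bearer.token"
    challenge = ('Bearer authorization="https://login.microsoftonline.com/tenant", '
                 'resource="https://vault.azure.net"')

    def transport(method, url, headers, body=None):
        if url.startswith("https://login.microsoftonline.com/"):
            form = urllib.parse.parse_qs(body.decode())
            if form.get("client_secret") == [valid_client_secret] and form.get("scope") == [KV_SCOPE]:
                return 200, {}, {"token_type": "Bearer", "expires_in": 3599, "access_token": good_token}
            return 401, {}, {"error": "invalid_client"}
        if ".vault.azure.net/secrets/" in url:
            if headers.get("Authorization") != f"Bearer {good_token}":
                return 401, {"WWW-Authenticate": challenge}, {}
            base = url.split("?")[0]
            return 200, {}, {"value": secret_value, "id": f"{base}/{version}"}
        return 404, {}, {"error": "not found"}

    return transport
```

Against a real vault, call fetch_secret with the default transport; the 401 and 403 branches are the two failures to tell apart in practice: 401 means the token itself was not accepted (wrong tenant, audience or expiry), 403 means Entra ID authenticated the app but the vault has no role assignment or access policy for it.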
8
Q

AKV > Keys

A

Key material stays inside Key Vault: it is never returned in plaintext, the caller only ever gets the public part
Generated by Key Vault, or cryptographic material imported into AKV (bring your own key)

Authorized callers (cloud services, apps) ask Key Vault to perform an operation with the key; the operation runs inside the vault or HSM

Operations

  • Create
  • Import
  • Get (public part and metadata only)
  • List
  • Backup / Restore (an encrypted blob, restorable only into a vault in the same Azure subscription and geography)
  • Delete
  • Update
  • Sign / Verify
  • Encrypt / Decrypt
  • Wrap key / Unwrap key
9
Q

AKV > Secrets

A
  • Small data blobs (up to 25 KB)
  • The value leaves the vault: it is returned to the authorized caller, so it is only as protected as the client that reads it

Used for

  • Connection strings
  • Storage account keys
  • Passwords, e.g. the password of a PFX file

Operations

  • Create (Set)
  • Update
  • Get
  • List
  • Delete
10
Q

AKV auditor: what do they do?

A

Monitor Key Vault logs (diagnostic settings sent to a Log Analytics workspace, a storage account or an Event Hub)
Review usage logs to confirm keys and secrets are used only by the expected identities and for the expected operations
Check adherence to the data-security standards that apply

11
Q

AKV configuration

A
Name: globally unique, 3-24 alphanumeric characters and hyphens
Location: Azure region
Vault URI: https://{name}.vault.azure.net
SKU: Standard / Premium
Directory ID and directory name: the Entra ID tenant the vault trusts for authentication
Soft delete: enabled by default; deleted vaults and objects are retained for 7-90 days and can be recovered
Purge protection: blocks permanent deletion during the retention period; once enabled it cannot be turned off
12
Q

AKV certificates

A

Operations

  • Create (Key Vault generates the key pair and a CSR, or issues directly through an integrated CA such as DigiCert or GlobalSign)
  • Import (PFX or PEM)
  • Update
  • Policy (issuance policy: key type and size, subject, validity, renewal settings)
  • Renewal (automatic with an integrated CA; notification contacts otherwise)
  • Get / List / Delete
13
Q

AKV lifetime - vault owner operations

A
Creates the vault and keys
Imports or creates the master key
Authorizes applications and users for specific operations
Sets up the access control list (access policies or Azure RBAC role assignments)
Registers applications with Entra ID
Creates the service principal an application will run as
Enables usage logging (diagnostic settings)
14
Q

AKV lifetime - key/secret owner operations

A

Adds secrets and keys to the vault, and rotates them (each write creates a new version)

15
Q

AKV lifetime - app owner / service principal

A

Uses the keys and secrets in Key Vault

Authenticates to Entra ID (client credential or managed identity), obtains a token and presents it to Key Vault on every call

16
Q

Use cases for AKV

A

VM deployment (admin passwords and certificates injected at deployment time instead of baked into images)
ARM template deployment (parameter files that reference secrets rather than containing them)
Disk volume encryption (Azure Disk Encryption keeps the BitLocker / dm-crypt keys in the vault)

17
Q

AKV URL

A

https://{vault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}

object-type is keys, secrets or certificates; object-version is optional, and omitting it returns the latest version

Keys
- every version of a key has its own identifier

Secrets
- every version of a secret has its own identifier; a reference without a version follows rotation automatically, a pinned version does not

18
Q

Managed HSM URL

A

https://{hsm-name}.managedhsm.azure.net/{object-type}/{object-name}/{object-version} (Managed HSM holds keys only, so object-type is always keys)
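A parser for the two identifier shapes on the cards above, added here as an example (not code from the original flashcards). It enforces the documented naming rules (vault names 3-24 alphanumerics and hyphens starting with a letter, object names up to 127 alphanumerics and hyphens, 32-hex-character versions), rejects look-alike hosts such as evil.contoso-kv.vault.azure.net, and only allows keys under a Managed HSM host. All sample identifiers are constructed.

```python
"""Parse and validate Azure Key Vault / Managed HSM object identifiers.

Added example, not from the original page. Implements
https://{vault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}
and https://{hsm-name}.managedhsm.azure.net/keys/{name}/{version}; the version
is optional and means "latest". Sample URLs in the tests are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

VAULT_SUFFIXES = {                      # host suffix -> service (Azure public cloud)
    ".vault.azure.net": "keyvault",
    ".managedhsm.azure.net": "managedhsm",
}
OBJECT_TYPES = {
    "keyvault": {"keys", "secrets", "certificates"},
    "managedhsm": {"keys"},             # Managed HSM has no secrets or certificates
}
VAULT_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")  # 3-24 chars
OBJECT_NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,127}$")
VERSION_RE = re.compile(r"^[0-9a-f]{32}$")


@dataclass(frozen=True)
class KeyVaultObjectId:
    service: str            # "keyvault" or "managedhsm"
    vault_name: str
    object_type: str        # keys | secrets | certificates
    object_name: str
    version: Optional[str]  # None = "latest", which silently follows rotation

    @property
    def pinned(self) -> bool:
        return self.version is not None


def parse_object_id(url: str) -> KeyVaultObjectId:
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("Key Vault identifiers are always https")
    host = (parts.hostname or "").lower()
    # Match the suffix, then insist the remainder is a bare vault name. That rejects
    # evil.contoso-kv.vault.azure.net (extra label) as well as hosts that merely
    # contain the suffix, e.g. contoso-kv.vault.azure.net.attacker.example.
    for suffix, service in VAULT_SUFFIXES.items():
        if host.endswith(suffix):
            vault_name = host[: -len(suffix)]
            break
    else:
        raise ValueError(f"not a Key Vault / Managed HSM host: {host!r}")
    if not VAULT_NAME_RE.match(vault_name) or "--" in vault_name:
        raise ValueError(f"invalid vault name: {vault_name!r}")
    segments = [s for s in parts.path.split("/") if s]
    allowed = "|".join(sorted(OBJECT_TYPES[service]))
    if len(segments) not in (2, 3) or segments[0] not in OBJECT_TYPES[service]:
        raise ValueError(f"expected /{{{allowed}}}/{{name}}[/{{version}}], got {parts.path!r}")
    object_type, object_name = segments[0], segments[1]
    version = segments[2] if len(segments) == 3 else None
    if not OBJECT_NAME_RE.match(object_name):
        raise ValueError(f"invalid object name: {object_name!r}")
    if version is not None and not VERSION_RE.match(version):
        raise ValueError(f"invalid version: {version!r}")
    return KeyVaultObjectId(service, vault_name, object_type, object_name, version)


def is_valid_object_id(url: str) -> bool:
    """Convenience wrapper for allow-list style checks on configuration values."""
    try:
        parse_object_id(url)
        return True
    except ValueError:
        return False
```

Use parse_object_id on any vault URL that arrives from configuration or user input before handing it to an SDK client: an SDK will happily send a bearer token to whatever host it is given, and the `pinned` flag tells you whether a reference will change underneath you when the secret is rotated.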

19
Q

Which services use Key Vault, and for what

A

SharePoint Online: customer key
Certificate authorities: certificates and their private keys
Storage accounts: account access keys / API keys (and customer-managed keys for storage encryption)
SQL: passwords, TDE (Transparent Data Encryption) protector key
VMs: BitLocker / disk-encryption keys, admin passwords
IAP: AP encryption key
Exchange: customer keys

20
Q

AKV best practices

A

Use managed identities rather than stored client secrets
Use separate vaults per application and per environment (Prod / Staging / UAT) so a compromise or misconfiguration is contained
Turn on soft delete and purge protection
Restrict network access (firewall rules, private endpoint) and enable diagnostic logging
Grant least privilege with Azure RBAC (for example Key Vault Secrets User), and pin secret versions where a silent rotation would break the consumer

21
Q

ARM template and AKV

A

The ARM template parameter file (JSON) references a secret in AKV instead of carrying the value; Resource Manager resolves the reference at deployment time, so the secret never appears in the template, the parameter file or the deployment history

AKV configuration
"enabledForTemplateDeployment": true (and the identity running the deployment needs the Microsoft.KeyVault/vaults/deploy/action permission on the vault)
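The parameter-file reference described on this card, generated and linted from Python, added here as an example (not code from the original flashcards). The reference.keyVault.id / secretName / secretVersion structure is the ARM parameter-file syntax; the subscription ID, resource group, vault and secret names are constructed placeholders. The lint at the end flags the mistake the card is guarding against: a sensitive-looking parameter that carries a literal value instead of a vault reference.

```python
"""Build an ARM parameter file that references a Key Vault secret, and lint it.

Added example, not from the original page. The reference shape is the ARM
parameter-file syntax; resource IDs and names are constructed placeholders.
"""
import json
import re

SENSITIVE_NAME = re.compile(r"password|secret|token|connectionstring|key", re.IGNORECASE)
SCHEMA = "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#"


def vault_resource_id(subscription_id, resource_group, vault_name):
    """Control-plane resource ID of the vault; this is what the reference points at."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.KeyVault/vaults/{vault_name}")


def keyvault_reference(vault_id, secret_name, secret_version=None):
    """One parameter entry that Resource Manager resolves at deployment time.

    Requires enabledForTemplateDeployment=true on the vault and the
    Microsoft.KeyVault/vaults/deploy/action permission for the deployer.
    """
    ref = {"keyVault": {"id": vault_id}, "secretName": secret_name}
    if secret_version:  # pin a version so a later rotation cannot change a redeploy
        ref["secretVersion"] = secret_version
    return {"reference": ref}


def build_parameter_file(plain_values, secret_references):
    """plain_values: name -> literal; secret_references: name -> keyvault_reference()."""
    parameters = {name: {"value": value} for name, value in plain_values.items()}
    parameters.update(secret_references)
    return {"$schema": SCHEMA, "contentVersion": "1.0.0.0", "parameters": parameters}


def to_json(parameter_file):
    return json.dumps(parameter_file, indent=2)


def plaintext_sensitive_parameters(parameter_file):
    """Lint: names that look sensitive must use a reference, never a literal value."""
    return sorted(name for name, entry in parameter_file["parameters"].items()
                  if SENSITIVE_NAME.search(name) and "value" in entry)
```

Run plaintext_sensitive_parameters over every parameter file in a pipeline before az deployment group create; a non-empty result means a secret is about to be committed to source control and recorded in the deployment history.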