Azure Key Vault Flashcards
What is Azure Key Vault?
A cloud service for securely storing and accessing secrets such as API keys, passwords, and certificates.
What are the key features of Azure Key Vault?
Secret management, key management, certificate management, and hardware security modules (HSM).
What types of secrets can Azure Key Vault store?
API keys, passwords, connection strings, and other secrets.
What are the pricing tiers for Azure Key Vault?
Standard and Premium.
What is the difference between Standard and Premium tiers?
Premium supports HSM-backed keys, while Standard does not.
What is a secret in Azure Key Vault?
A value such as a password, API key, or connection string.
What is a key in Azure Key Vault?
A cryptographic key used for encryption, decryption, and signing.
How does Azure Key Vault integrate with Azure Active Directory (Azure AD)?
It uses Azure AD for authentication and access control.
What is the maximum size of a secret in Azure Key Vault?
25KB.
How are secrets versioned in Azure Key Vault?
Secrets are versioned automatically when updated.
What is soft delete in Azure Key Vault?
A feature that allows deleted keys and secrets to be recovered within a retention period.
What is the default retention period for soft deleted items in Key Vault?
90 days.
How can you access Azure Key Vault programmatically?
Using REST API, SDKs, or Azure CLI.
What is a vault access policy?
A set of permissions that determine what operations a user or service can perform in a vault.
How can you monitor activities in Azure Key Vault?
Using Azure Monitor, Log Analytics, and diagnostic logs.
What is the purpose of Azure Key Vault Managed HSM?
To provide dedicated HSMs for high-security key management.
What is a key rotation policy in Azure Key Vault?
A policy that defines how often a key should be automatically rotated.
What is the maximum number of keys you can store in a Key Vault?
Depends on the vault’s pricing tier and resource limits.
Can Azure Key Vault be used for encryption at rest?
Yes, it integrates with services like Azure Storage for encryption at rest.
How does Azure Key Vault handle encryption keys?
It supports both software- and hardware-based key management.
What is Key Vault’s role in TLS/SSL certificate management?
It helps create, manage, and renew certificates securely.
What are access control methods for Azure Key Vault?
Role-based access control (RBAC) and access policies.
What is BYOK in Azure Key Vault?
Bring Your Own Key, allowing customers to import and manage their own keys.
How do you recover a deleted vault?
Using the Azure portal, PowerShell, or CLI if soft delete is enabled.
What is RBAC in Azure Key Vault?
Role-Based Access Control to manage access to Key Vault resources.
How does Azure Key Vault secure access to secrets?
Using encryption both in transit and at rest, and authentication via Azure AD.
What is the purpose of key wrapping in Azure Key Vault?
To encrypt or decrypt keys using a Key Vault managed key.
What are managed identities in Azure Key Vault?
Identity services to securely access Key Vault without hardcoding credentials.
How can you audit Key Vault access?
By enabling diagnostic logging and sending logs to Azure Monitor or Log Analytics.
What is secret purging in Azure Key Vault?
Permanently deleting soft deleted secrets after the retention period.
What is a Key Vault certificate?
A certificate that Key Vault can store and manage, including its private key.
What is a Key Vault administrator?
A role with full access to all Key Vault operations.
How are certificates renewed in Azure Key Vault?
Manually or automatically using auto-renewal features.
Can Key Vault secrets be used in DevOps pipelines?
Yes, through integration with Azure DevOps and GitHub Actions.
What is Managed Identity for Azure resources?
A feature that allows Azure services to authenticate to Key Vault without credentials.
What is Azure Disk Encryption and how does it relate to Key Vault?
It uses Key Vault to manage the encryption keys for virtual machine disks.
What are secret attributes in Azure Key Vault?
Metadata such as expiration date, enabled status, and tags.
What are tags in Azure Key Vault?
Custom key-value pairs that help organize resources.
What is certificate auto-rotation?
Automatic renewal of certificates before they expire.
How can Key Vault be integrated with AKS (Azure Kubernetes Service)?
By using Key Vault secrets with Kubernetes-managed identities.
What are the available key types in Azure Key Vault?
RSA and EC (Elliptic Curve) keys.
What is key backup in Azure Key Vault?
The ability to export a key and restore it later.
What is a key operation in Azure Key Vault?
Operations such as sign, verify, wrap, and unwrap keys.
What are the limits of Azure Key Vault?
Limits on keys, secrets, and certificates per vault, depending on the pricing tier.
Can Azure Key Vault store certificates issued by third parties?
Yes, it supports the import of certificates from external sources.
What is Key Vault’s redundancy model?
Key Vault uses geo-redundant storage for high availability.
What is an application secret?
A secret used by applications to access resources securely.
How does Azure Key Vault ensure compliance?
It is compliant with industry standards such as FIPS 140-2 and GDPR.
What is the recommended way to manage access to Key Vault?
Using RBAC with least-privilege access policies.
What is the purpose of the filtering feature in Azure Key Vault?
To restrict access to specific secrets, keys, and certificates in the Key Vault.
How can the filtering feature help in managing Azure Key Vault access?
It allows administrators to apply policies that filter which secrets, keys, or certificates can be accessed.
Can filtering be applied to all types of Key Vault objects?
Yes, filtering can be applied to secrets, keys, and certificates.
How is filtering in Azure Key Vault controlled?
It is controlled through role-based access control (RBAC) and access policies.
Does Azure Key Vault filtering improve security?
Yes, it limits access to sensitive data by allowing only authorized users to access specific objects.
What role does RBAC play in Azure Key Vault filtering?
RBAC defines the access permissions for filtering, ensuring specific roles can access only certain vault contents.
How do access policies contribute to Azure Key Vault filtering?
Access policies specify which users or applications can access specific secrets, keys, or certificates.
Can Azure Key Vault filtering be used with managed identities?
Yes, managed identities can be used to filter access to specific Key Vault objects.
What is the benefit of combining filtering with audit logs in Azure Key Vault?
It provides a detailed record of access and actions taken on filtered objects for enhanced security.
How does filtering in Azure Key Vault enhance governance?
It enables fine-grained control over who can access specific Key Vault objects, supporting better governance and compliance.
What is the purpose of the Azure Key Vault Network Filtering feature?
To restrict access to the Azure Key Vault based on specific network rules or virtual networks.
What types of network restrictions can be applied using Azure Key Vault Network Filtering?
You can restrict access using virtual network rules and IP address ranges.
How does Azure Key Vault handle requests from outside allowed network rules?
Requests are denied if they come from an IP address or network not on the allowed list.
What service must be configured to enforce network rules on Azure Key Vault?
Network rules are enforced using Azure Virtual Networks or specific IP ranges.
Can public internet access be blocked using Azure Key Vault Network Filtering?
Yes, you can block access from the public internet entirely.
What happens to existing Key Vault connections when network filtering is enabled?
Existing connections will be allowed if they are from an allowed IP or virtual network.
How does Azure Key Vault Network Filtering enhance security?
It limits access to specific trusted networks, reducing exposure to threats.
Can Azure services bypass Azure Key Vault Network Filtering restrictions?
Yes, Azure services can be allowed to bypass network restrictions.
What feature allows for granular control over which IP addresses can access Azure Key Vault?
IP address range rules allow specific IP addresses or ranges to access the vault.
Is Azure Key Vault Network Filtering available for both public and private endpoints?
Yes, it supports both public and private endpoints for network filtering.
When using Software-Backed keys stored in a multi-tenant or isolated single-tenant environment?
Multi-tenant environment.
Is Azure KeyVault Software-Backed key store FIPS 140-2 Level 3 compliant?
Yes, Azure KeyVault Software-Backed key store is FIPS 140-2 Level 3 compliant.
Is Azure KeyVault HSM Backed key store FIPS 140-2 Level 3 compliant?
Yes, Azure KeyVault HSM key store is FIPS 140-2 Level 3 compliant.
Can you back up Azure Key Vault certs, keys, and secrets?
Yes, you can backup in the portal, but it’s not recommended as it’s a point in time, and keys and certs may change or be rotated later.
Having backed up Azure Key Vault and downloaded the backup, can you inspect it outside Azure?
No, it’s encrypted.
After backing up Azure Key Vault and downloading the backup, can you restore it to a key value in another geographical region?
No, it must be restored to an Azure Key Vault in the same geographical region.
