Day 11 - Azure Key Vault

/azure/key-vault/cover-image.png

Azure Key Vault is a centralized cloud service for storing and managing secrets like keys, certificates, and passwords. It enhances security by controlling access to these sensitive data, providing secure storage, and logging access and usage.

Key Vault also supports various encryption keys, including hardware security modules (HSMs), offering flexible and robust security solutions for sensitive data. Azure Key Vault is instrumental in implementing best practices for key management and ensuring compliance with various industry standards.

  • Secure Storage: Keys and secrets are safeguarded using industry-standard algorithms and hardware security modules (HSMs).
  • Access Control: Fine-grained access policies control who can access what data.
  • Audit Trails: Complete logging of key usage offers transparency for security audits.
  • Automated Rotation of Secrets: Simplifies managing the lifecycle of secrets.
  • Integration with Other Azure Services: Enhances security across your Azure environment.

You create Azure Key Vaults within a resource group. The vault names must be globally unique (just Azure storage account name). No two vaults can have the same name.

Once an Azure vault is created, a vault URL is generated: https://{vault-name}.vault.azure.net/.

Keys, secrets, and certificates within the vault are also accessed by the URL and object identifiers: https://{vault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}. (Source)

Key vaults are region-restricted. A key vault can’t be used by VMs on a different region (Source). Similarly, a key vault can’t be accessed from different resource group. Azure RBAC can be used to allow accessing key vaults from different resource groups (in same region).

If you think it’s an alternative to AWS KMS, you’re partly correct.

Azure’s Key Vault is a service that combines AWS KMS + Secrets Manager and Certificates Manager (ACM).


Subscribe here to get a weekly gist of Azure Security posts directly to your email.

Follow me on LinkedIn and X to be get my posts on Cloud Security and DevSecOps.