Ensure Azure Keyvaults are used to store secrets

LOW

Description

Description:

Encryption keys, certificate thumbprints and managed identity credentials can be hard-coded into the App Service configuration, which makes them visible to anyone who can read that configuration. To keep these secrets protected, store them in an Azure Key Vault and reference them from the Key Vault in the App Service configuration.

Rationale:

App secrets control access to the application and therefore need to be secured outside the app configuration. Storing the secrets externally and referencing them from the configuration also enables key rotation without redeploying the App Service.

The impact is primarily felt during the initial setup of the application, or when redeploying an existing app to include this functionality: configuration effort is required to set up the Key Vault and then to configure the App Service to use it.

Remediation

In Azure Console -

  1. Open the Azure Portal and go to Key Vaults.
  2. If none exist, use the Create button to create a new Key Vault.
  3. Use this to store certificates, keys, and secrets.

In Terraform -

  1. Create the azurerm_key_vault resource.
  2. Create the azurerm_key_vault_certificate, azurerm_key_vault_key, and azurerm_key_vault_secret resources as needed.
  3. Set the key_vault_id accordingly.
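
The three Terraform steps above, worked through end to end as an added example (this is not the policy page's own code or a snippet from the azurerm provider documentation). It creates the vault, stores one secret with `key_vault_id` set, and then shows the App Service side that this rule is ultimately about: a web app with a managed identity reading the secret through a Key Vault reference rather than carrying the value in `app_settings`. The resource names, the location, the resource group, the `db_password` variable and the `DB_PASSWORD` setting are placeholders chosen for the example.

```terraform
# Added example (not the policy page's or the provider's own code).
# Assumptions: all names, the location and the variable "db_password"
# are placeholders; the identity running terraform can assign roles.

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "rg" {
  name     = "rg-example-keyvault"   # placeholder
  location = "westeurope"            # placeholder
}

variable "db_password" {
  description = "Secret supplied at apply time; never committed to source."
  type        = string
  sensitive   = true
}

# Step 1: the vault. RBAC authorization replaces per-identity access policies;
# purge protection keeps deleted secrets recoverable during the retention window.
resource "azurerm_key_vault" "kv" {
  name                       = "kv-example-app"   # placeholder, must be globally unique
  location                   = azurerm_resource_group.rg.location
  resource_group_name        = azurerm_resource_group.rg.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  enable_rbac_authorization  = true
  purge_protection_enabled   = true
  soft_delete_retention_days = 90
}

# The identity running terraform needs rights to write the secret.
resource "azurerm_role_assignment" "deployer_secrets_officer" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets Officer"
  principal_id         = data.azurerm_client_config.current.object_id
}

# Steps 2 and 3: the secret resource, with key_vault_id pointing at the vault.
resource "azurerm_key_vault_secret" "db_password" {
  name         = "db-password"
  value        = var.db_password
  key_vault_id = azurerm_key_vault.kv.id

  depends_on = [azurerm_role_assignment.deployer_secrets_officer]
}

resource "azurerm_service_plan" "plan" {
  name                = "plan-example-app"   # placeholder
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  os_type             = "Linux"
  sku_name            = "B1"
}

# The app gets a system-assigned identity and reads the secret through a
# Key Vault reference; the secret value never appears in the app configuration.
resource "azurerm_linux_web_app" "app" {
  name                = "app-example-keyvault"   # placeholder, must be globally unique
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  service_plan_id     = azurerm_service_plan.plan.id

  identity {
    type = "SystemAssigned"
  }

  site_config {}

  app_settings = {
    # Weak pattern this rule flags (the value is readable in the configuration):
    #   DB_PASSWORD = "literal-secret-value"
    # Hardened: App Service resolves the reference at runtime using its identity.
    # The versionless URI lets a rotated secret take effect without a redeploy.
    DB_PASSWORD = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault_secret.db_password.versionless_id})"
  }
}

# Grant the app's identity read-only access to secrets in this vault.
resource "azurerm_role_assignment" "app_secrets_user" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_linux_web_app.app.identity[0].principal_id
}
```

Two design choices worth noting: the app's identity is granted only "Key Vault Secrets User" (read), while the deploying identity holds "Key Vault Secrets Officer" (write), so a compromised app cannot overwrite its own secrets; and the reference uses `versionless_id`, which is what makes the rotation-without-redeploy benefit from the Rationale section work in practice. To verify the control, the `DB_PASSWORD` entry shown in the portal's Configuration blade should read as a `@Microsoft.KeyVault(...)` reference with a resolved status, not as a plain value.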

References:
https://learn.microsoft.com/en-us/azure/key-vault/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_certificate
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret

Policy Details

Rule Reference ID: AC_AZURE_0214
CSP: Azure
Remediation Available: No
Resource Category: Management
Resource Type: Key Vault

Frameworks