Links

Microsoft KeyVault

Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes.

Asset Inventory

Design Guidance:

Microsoft.KeyVault/vaults

Microsoft.KeyVault/vaults/secrets

Microsoft.KeyVault/vaults/keys


Protect Cryptographic Keys

Microsoft.KeyVault/vaults


Access Control Policy

Microsoft.KeyVault/vaults

Access Policies (Terraform)
Access Policies-Tenant Id (Terraform)
Access Policies-Object Id (Terraform)
Access Policies-Application Id (Terraform)
Access Policies-Permissions (Terraform)
Enabled For Deployment (Terraform)
Enabled For Disk Encryption (Terraform)
Enabled For Template Deployment (Terraform)

Microsoft.KeyVault/vaults/accessPolicies

Access Policies
Access Policies-Tenant Id
Access Policies-Object Id
Access Policies-Application Id

Ensure Key Availability

Design Guidance:

Microsoft.KeyVault/vaults

Enable Soft Delete (Terraform)
Create Mode (Terraform)
Soft Delete Retention In Days (Terraform)

Authenticator Lifetime and Reuse Limiting

Microsoft.KeyVault/vaults/secrets

Content Type (Terraform)
Attributes (Terraform)
Attributes-Enabled (Terraform)
Attributes-Nbf (Terraform)
Attributes-Exp (Terraform)

Utilize Role-based Access Control

Design Guidance:

Microsoft.KeyVault/vaults

Enable Rbac Authorization (Terraform)

Firewalls

Microsoft.KeyVault/vaults

Network Acls-Bypass (Terraform)
Ip Rules-Value (Terraform)
Network Acls-Virtual Network Rules (Terraform)

Deny-all Communications and Only Allow-by-Exception

Design Guidance:

Microsoft.KeyVault/vaults

Network Acls-Default Action (Terraform)

Establish a Key Management Plan

Design Guidance:

Microsoft.KeyVault/vaults/keys


Limit Key Lifetime and Rotate Keys

Microsoft.KeyVault/vaults/keys

Attributes-Exp
Attributes-Nbf