Azure Key Vault - Best Practices
Azure Key Vault is essential for secure management of secrets, keys, and certificates. Below are key security-focused best practices to design a robust, compliant, and resilient implementation.
1. Use Separate Vaults per Environment
- Create dedicated vaults for Development, Testing, and Production.
- Apply environment-specific access controls.
- Reduce the blast radius and avoid accidental sharing or overwriting across environments.
2. Set Expiration & Automate Rotation
- Configure expiration dates for all secrets, keys, and certificates.
- Automate rotation with Azure Logic Apps or Azure Functions.
- Use Key Vault references in Azure App Services to consume updated secrets without redeploying code.
3. Enable Logging & Monitoring
- Send activity logs to Azure Monitor, Log Analytics, or Storage Accounts.
- Track who accessed what, when, and from where.
- Integrate with Azure Sentinel to enable threat detection and automated alerting.
4. Restrict Network Access
- Use Private Endpoints to limit access to resources within your Virtual Network.
- Configure IP firewall rules to allow only trusted sources.
- Enable only necessary Microsoft trusted services access.
5. Use Azure RBAC Instead of Access Policies
- Prefer Azure RBAC for fine-grained, manageable access control.
- Assign roles like Key Vault Secrets User with least privilege.
- Avoid using the built-in Contributor role, as it grants excessive permissions. Create a custom role that excludes sensitive actions (e.g., vault deletion).
6. Enable Soft Delete & Purge Protection
- Protect secrets, keys, and certificates from accidental or malicious deletion.
- Enable Soft Delete and Purge Protection to ensure recovery is always possible.
7. Lock the Key Vault Resource
- Apply resource locks (e.g., “CanNotDelete”) to prevent accidental or unauthorized deletion of the vault itself.
- Especially important in Production environments.