Implement Azure Security Cheatsheet
By Saeed Salehi
Author links: LinkedIn (Saeed Salehi), Twitter @1saeedsalehi, GitHub 1saeedsalehi, Blog
Part of series: Developing Solutions for Microsoft Azure (AZ-204) certification exam Cheatsheets
- Part 1: Introduction to (AZ-204) certification exam Cheatsheets
- Part 2: Implement IaaS in Azure Cheatsheets
- Part 3: Azure Functions Cheatsheets
- Part 4: Azure App Service Cheatsheets
- Part 5: Develop solutions that use Blob storage Cheatsheets
- Part 6: Develop solutions that use Azure Cosmos DB Cheatsheets
- Part 7: Implement Azure Security Cheatsheet
- Part 8: Microsoft Identity platform Cheatsheet
- Part 9: Monitoring And logging in Azure Cheatsheets
- Part 10: Azure Cache for Redis Cheatsheets
- Part 11: Develop message-based solutions Cheatsheets
- Part 12: Develop event-based solutions Cheatsheets
- Part 13: API Management in Azure Cheatsheets
Azure Key Vault
Supports vaults and managed hardware security module (HSM) pools.
Service tiers:
- Standard: encrypts with a software key
- Premium: hardware security module (HSM)-protected keys
Authentication
To do any operation with Key Vault, you first need to authenticate to it, using one of:
- Managed identities for Azure resources
- Service principal and certificate
- Service principal and secret
Create a key vault:
az keyvault create --name $myKeyVault --resource-group az204-vault-rg --location $myLocation
Create a secret:
az keyvault secret set --vault-name $myKeyVault --name "ExamplePassword" --value "hVFkk965BuUv"
Retrieve the secret:
az keyvault secret show --name "ExamplePassword" --vault-name $myKeyVault
Managed identities
Types of managed identities:
- System-assigned managed identity
- User-assigned managed identity (lifecycle independent of any single Azure resource)
Create a system-assigned managed identity
During creation of a resource, by specifying these parameters:
--assign-identity \
--role contributor \
--scope mySubscription
Assign a system-assigned identity to an existing virtual machine:
az vm identity assign -g myResourceGroup -n myVm
Create a user-assigned managed identity
Create the identity:
az identity create -g myResourceGroup -n myUserAssignedIdentity
Assign it to a resource during creation by specifying these parameters:
--assign-identity <USER ASSIGNED IDENTITY NAME> \
--role <ROLE> \
--scope <SUBSCRIPTION>
Or assign it to an existing resource:
az vm identity assign \
  -g <RESOURCE GROUP> \
  -n <VM NAME> \
  --identities <USER ASSIGNED IDENTITY>
Azure App Configuration
Azure App Configuration encrypts sensitive information at rest using a 256-bit AES encryption key provided by Microsoft.
Keys: the characters *, comma (,) and backslash (\) are reserved and cannot be used in key names.
Key values in App Configuration can optionally have a label attribute.
Version key values
App Configuration doesn't version key values automatically as they're modified. Use labels as a way to create multiple versions of a key value.
Query key values
Each key value is uniquely identified by its key plus a label; the label can be null.
Values
Values assigned to keys are also Unicode strings.
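The two rules above (reserved characters in key names, and a key value being identified by the pair key plus nullable label, with labels doing the job of versions) are easy to get wrong when scripting against a store. The following in-memory model is an added example, not the page's or Microsoft's code: the `KeyValueStore` class and `validate_key` function are constructed stand-ins for the service, and the sample key names are made up.

```python
# Model of App Configuration key/label identity and label-based versioning.
# Constructed example: the reserved-character rule and the (key, label) identity
# rule come from the cheatsheet; the store itself is an in-memory stand-in.

# Characters that App Configuration reserves in key names.
RESERVED_KEY_CHARS = ("*", ",", "\\")


def validate_key(key):
    """Return a list of problems with a proposed key name (empty list means it is acceptable)."""
    problems = []
    if not key:
        problems.append("key must not be empty")
    bad = sorted(c for c in RESERVED_KEY_CHARS if c in key)
    if bad:
        problems.append("key contains reserved character(s): " + " ".join(bad))
    return problems


class KeyValueStore:
    """In-memory stand-in for an App Configuration store.

    A key value is identified by the pair (key, label); label None models the null label.
    Writing to an existing (key, label) overwrites it, because the service does not
    version values automatically, so distinct labels are how versions are kept side by side.
    """

    def __init__(self):
        self._items = {}  # (key, label) -> value

    def set(self, key, value, label=None):
        """Store a value; rejects key names that use reserved characters."""
        problems = validate_key(key)
        if problems:
            raise ValueError("; ".join(problems))
        self._items[(key, label)] = value

    def get(self, key, label=None):
        """Look up one key value; a missing (key, label) pair returns None."""
        return self._items.get((key, label))

    def versions(self, key):
        """All labels under which `key` exists (null label first), i.e. its versions."""
        labels = [lbl for (k, lbl) in self._items if k == key]
        return sorted(labels, key=lambda lbl: (lbl is not None, lbl or ""))


if __name__ == "__main__":
    store = KeyValueStore()
    store.set("App:Db:Timeout", "30")               # null label
    store.set("App:Db:Timeout", "45", label="v2")   # a second version, kept via a label
    print(store.get("App:Db:Timeout"), store.get("App:Db:Timeout", "v2"))
    print(store.versions("App:Db:Timeout"))
    print(validate_key("App*Db"))
```

Note that writing `App:Db:Timeout` again without a label silently replaces the earlier null-label value; if the old value must survive, give the new one a label.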
Manage application features
- Feature flag: a variable with a binary state of on or off.
- Feature manager: an application package that handles the lifecycle of all the feature flags in an application.
- Filter: a rule for evaluating the state of a feature flag.
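To make the three definitions concrete, here is a small feature manager with two filters, added as an example. It is not the Microsoft FeatureManagement library and not code from the page: the class names, the percentage and time-window filter semantics, and the context dictionary shape are all assumptions chosen for illustration.

```python
# Minimal feature manager with two filters. Constructed example modelled on the
# cheatsheet's definitions (flag, feature manager, filter); not the Microsoft
# FeatureManagement library, so filter names and semantics are assumptions.
import hashlib
from datetime import datetime, timezone


def utc(year, month, day, hour=0):
    """Helper to build timezone-aware UTC timestamps for the time-window filter."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


class PercentageFilter:
    """Passes for a stable fraction of users.

    The user id is hashed together with the flag name, so each flag rolls out to a
    different slice of users and the same user always gets the same answer.
    """

    def __init__(self, percent):
        self.percent = percent

    def evaluate(self, flag_name, context):
        user = context.get("user")
        if user is None:          # no user in context: cannot place them in a bucket
            return False
        digest = hashlib.sha256(f"{flag_name}:{user}".encode()).digest()
        bucket = int.from_bytes(digest[:4], "big") % 100
        return bucket < self.percent


class TimeWindowFilter:
    """Passes only while the clock is inside [start, end)."""

    def __init__(self, start=None, end=None):
        self.start, self.end = start, end

    def evaluate(self, flag_name, context):
        now = context.get("now") or datetime.now(timezone.utc)
        if self.start is not None and now < self.start:
            return False
        if self.end is not None and now >= self.end:
            return False
        return True


class FeatureManager:
    """Owns the flags. A flag is on when its state is on and, if it has filters,
    at least one filter passes; unknown flags are treated as off (fail closed)."""

    def __init__(self):
        self._flags = {}

    def register(self, name, enabled, filters=()):
        self._flags[name] = (enabled, list(filters))

    def is_enabled(self, name, context=None):
        context = context or {}
        if name not in self._flags:
            return False
        enabled, filters = self._flags[name]
        if not enabled:
            return False
        if not filters:
            return True
        return any(f.evaluate(name, context) for f in filters)


if __name__ == "__main__":
    fm = FeatureManager()
    fm.register("beta-ui", True, [PercentageFilter(50)])
    fm.register("promo", True, [TimeWindowFilter(utc(2024, 1, 1), utc(2024, 2, 1))])
    print(fm.is_enabled("beta-ui", {"user": "alice"}))
    print(fm.is_enabled("promo", {"now": utc(2024, 1, 15)}))
```

Two design points worth noticing: an unknown or disabled flag evaluates to off rather than raising, and the percentage filter is deterministic per user, so a user does not flip between experiences on every request.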
Secure app configuration data
Encrypt configuration data by using customer-managed keys
Requirements:
- Standard tier Azure App Configuration instance
- Azure Key Vault with soft-delete and purge-protection features enabled
- An RSA or RSA-HSM key within the Key Vault: the key must not be expired, it must be enabled, and it must have both wrap and unwrap capabilities enabled
Allow Azure App Configuration to use the Key Vault key:
- Assign a managed identity to the Azure App Configuration instance
- Grant the identity GET, WRAP, and UNWRAP permissions in the target Key Vault's access policy
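The customer-managed key requirements above are exactly the kind of thing that fails at enablement time with an unhelpful error, so a preflight check is useful. The script below is an added example, not code from the page or from Microsoft: it checks the vault, key and access-policy conditions the cheatsheet lists against JSON shaped like the output of `az keyvault show -o json` and `az keyvault key show -o json`. The two sample documents are constructed, the object IDs are made up, and the field names are my assumption about the CLI output shape rather than something the page states.

```python
# Preflight check for the App Configuration customer-managed key prerequisites.
# Constructed example. Field names mirror what `az keyvault show` and
# `az keyvault key show` emit as far as I know; treat them as assumptions.
import json
from datetime import datetime, timezone

# Constructed sample of `az keyvault show -o json`, trimmed to the fields checked.
SAMPLE_VAULT_JSON = """
{
  "name": "az204-kv",
  "properties": {
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "accessPolicies": [
      {
        "objectId": "11111111-1111-1111-1111-111111111111",
        "permissions": {"keys": ["get", "wrapKey", "unwrapKey"], "secrets": []}
      },
      {
        "objectId": "22222222-2222-2222-2222-222222222222",
        "permissions": {"keys": ["get", "list"], "secrets": ["get"]}
      }
    ]
  }
}
"""

# Constructed sample of `az keyvault key show -o json` for the intended CMK.
SAMPLE_KEY_JSON = """
{
  "attributes": {"enabled": true, "expires": null},
  "key": {"kty": "RSA", "keyOps": ["encrypt", "decrypt", "wrapKey", "unwrapKey"]}
}
"""

REQUIRED_KEY_PERMS = {"get", "wrapKey", "unwrapKey"}   # what App Configuration needs
REQUIRED_KEY_OPS = {"wrapKey", "unwrapKey"}            # key must allow wrap and unwrap


def load_samples():
    """Parse the constructed sample documents (stand-in for running the az commands)."""
    return json.loads(SAMPLE_VAULT_JSON), json.loads(SAMPLE_KEY_JSON)


def check_cmk_prereqs(vault, key, identity_object_id, now=None):
    """Return the list of unmet requirements; an empty list means the key can be used."""
    now = now or datetime.now(timezone.utc)
    problems = []

    props = vault.get("properties", {})
    if not props.get("enableSoftDelete"):
        problems.append("vault: soft-delete is not enabled")
    if not props.get("enablePurgeProtection"):
        problems.append("vault: purge protection is not enabled")

    attrs = key.get("attributes", {})
    if not attrs.get("enabled"):
        problems.append("key: not enabled")
    expires = attrs.get("expires")
    if expires is not None:
        # CLI prints ISO 8601; tolerate a trailing Z for older Python versions.
        if datetime.fromisoformat(expires.replace("Z", "+00:00")) <= now:
            problems.append("key: expired")
    kty = key.get("key", {}).get("kty")
    if kty not in ("RSA", "RSA-HSM"):
        problems.append(f"key: type {kty!r} is not RSA or RSA-HSM")
    missing_ops = REQUIRED_KEY_OPS - set(key.get("key", {}).get("keyOps", []))
    if missing_ops:
        problems.append("key: missing operations " + ", ".join(sorted(missing_ops)))

    # Collect the key permissions granted to the App Configuration managed identity.
    granted = set()
    for policy in props.get("accessPolicies", []):
        if policy.get("objectId") == identity_object_id:
            granted |= set(policy.get("permissions", {}).get("keys", []))
    missing_perms = REQUIRED_KEY_PERMS - granted
    if missing_perms:
        problems.append("access policy: identity lacks " + ", ".join(sorted(missing_perms)))
    return problems


if __name__ == "__main__":
    vault, key = load_samples()
    for oid in ("11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"):
        print(oid, check_cmk_prereqs(vault, key, oid) or "OK")
```

In practice you would replace the sample strings with the real command output; the check deliberately reports every unmet condition at once instead of stopping at the first, so one run tells you everything to fix.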
Use private endpoints for Azure App Configuration
Allow clients on a virtual network (VNet) to securely access data over a private link.
Managed identities
A managed identity from Azure Active Directory (AAD) allows Azure App Configuration to easily access other AAD-protected resources, such as Azure Key Vault.
The identity is managed by the Azure platform. It does not require you to provision or rotate any secrets.
Add a system-assigned identity:
az appconfig identity assign --name myTestAppConfigStore --resource-group myResourceGroup
Assign the new user-assigned identity to the myTestAppConfigStore configuration store:
az appconfig identity assign --name myTestAppConfigStore \
  --resource-group myResourceGroup \
  --identities /subscriptions/[subscription id]/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUserAssignedIdentity