Best practices to use Key Vault

Control Access to your vault

Azure Key Vault is a cloud service that safeguards encryption keys and secrets such as certificates, connection strings, and passwords. Because this data is sensitive and business critical, you need to secure access to your key vaults by allowing only authorized applications and users. This article provides an overview of the Key Vault access model: it explains authentication and authorization, and describes how to secure access to your key vaults.

Suggestions for controlling access to your vault are as follows:

  1. Lock down access to your subscription, resource group, and key vaults with RBAC (the management plane).
  2. Create access policies for every vault (the data plane).
  3. Grant access on a least-privilege basis: each principal gets only the permissions it actually needs.
  4. Turn on the firewall and VNet service endpoints.
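The four steps above, carried out with Azure PowerShell (Az module) as one added example; this is not the article's own code. Every name, GUID, address prefix and IP in it is a placeholder: a resource group `rg-payments-prod`, a vault `kv-payments-prod`, an Azure AD group for the application team, the application's managed identity, and an existing virtual network `vnet-payments-prod` with subnet `snet-app`.

```powershell
# Added example (not from the original article). All names and IDs below are placeholders.
$rg             = "rg-payments-prod"
$vaultName      = "kv-payments-prod"   # one vault per application per environment
$location       = "eastus"
$appTeamGroupId = "00000000-0000-0000-0000-000000000001"   # Azure AD group object ID (placeholder)
$appIdentityId  = "00000000-0000-0000-0000-000000000002"   # app's managed identity object ID (placeholder)
$vnetName       = "vnet-payments-prod"
$subnetName     = "snet-app"

# Create the vault. Soft delete is on by default for new vaults; turn purge protection on as well.
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location -EnablePurgeProtection

# 1. Management plane (RBAC): the team can see the vault resource but cannot change it.
#    Nobody gets Owner/Contributor on the vault or its resource group for day-to-day work.
New-AzRoleAssignment -ObjectId $appTeamGroupId -RoleDefinitionName "Reader" -Scope $vault.ResourceId | Out-Null

# 2. and 3. Data plane (access policy), least privilege: the app identity can only read secrets.
#    No key, certificate or management permissions, and no set/delete/purge on secrets.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $appIdentityId -PermissionsToSecrets get,list

# 4. Network: enable the Key Vault service endpoint on the app subnet, then deny everything
#    except that subnet, a single CI runner address and trusted Azure services.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint "Microsoft.KeyVault" | Set-AzVirtualNetwork | Out-Null
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName `
    -VirtualNetwork (Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg)

Add-AzKeyVaultNetworkRule       -VaultName $vaultName -VirtualNetworkResourceId $subnet.Id
Add-AzKeyVaultNetworkRule       -VaultName $vaultName -IpAddressRange "203.0.113.10/32"   # CI runner (placeholder)
Update-AzKeyVaultNetworkRuleSet -VaultName $vaultName -DefaultAction Deny -Bypass AzureServices

# Verify: the policy list should contain only the identities you expect, and DefaultAction must be Deny.
$v = Get-AzKeyVault -VaultName $vaultName
$v.AccessPolicies | Select-Object ObjectId, PermissionsToSecrets, PermissionsToKeys, PermissionsToCertificates
$v.NetworkAcls    | Select-Object DefaultAction, Bypass, IpAddressRanges, VirtualNetworkResourceIds
```

One caveat the verification step will surface: `New-AzKeyVault` gives the user who created the vault a default access policy with full data-plane permissions. Once an administrative or break-glass policy is in place, remove that default policy with `Remove-AzKeyVaultAccessPolicy` so the vault does not keep a standing full-privilege path tied to one person's account.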

Use separate Key Vaults

Our recommendation is to use one vault per application per environment (development, pre-production, and production). This keeps secrets from being shared across environments and limits the blast radius if a single vault is breached.

Backup

Make sure you take regular backups of your vault, and back it up again whenever objects in the vault are created, updated, or deleted.

Azure PowerShell backup commands

Azure CLI backup commands
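An added example of the backup routine, written with the Azure PowerShell backup cmdlets rather than taken from the article. It assumes a source vault `kv-payments-prod` and a restore target `kv-payments-prod-restore` (both placeholder names) and writes the backup blobs under the local temp directory.

```powershell
# Added example (not the article's own commands). Vault names are placeholders.
$vaultName  = "kv-payments-prod"
$backupRoot = Join-Path $env:TEMP ("kv-backup-" + $vaultName + "-" + (Get-Date -Format "yyyyMMdd-HHmmss"))
New-Item -ItemType Directory -Path $backupRoot | Out-Null

# Secrets: skip the ones managed by certificates; Backup-AzKeyVaultCertificate covers those.
# Each blob contains every version of the object, not just the current one.
foreach ($s in Get-AzKeyVaultSecret -VaultName $vaultName | Where-Object { -not $_.Managed }) {
    Backup-AzKeyVaultSecret -VaultName $vaultName -Name $s.Name `
        -OutputFile (Join-Path $backupRoot "secret-$($s.Name).blob") | Out-Null
}
foreach ($k in Get-AzKeyVaultKey -VaultName $vaultName | Where-Object { -not $_.Managed }) {
    Backup-AzKeyVaultKey -VaultName $vaultName -Name $k.Name `
        -OutputFile (Join-Path $backupRoot "key-$($k.Name).blob") | Out-Null
}
foreach ($c in Get-AzKeyVaultCertificate -VaultName $vaultName) {
    Backup-AzKeyVaultCertificate -VaultName $vaultName -Name $c.Name `
        -OutputFile (Join-Path $backupRoot "cert-$($c.Name).blob") | Out-Null
}
Get-ChildItem $backupRoot | Select-Object Name, Length

# Restore into another vault. The blobs are encrypted by Key Vault and can only be restored
# into a vault in the same Azure subscription and geography as the source vault.
$targetVault = "kv-payments-prod-restore"
Get-ChildItem $backupRoot -Filter "secret-*.blob" | ForEach-Object {
    Restore-AzKeyVaultSecret -VaultName $targetVault -InputFile $_.FullName | Out-Null
}
Get-ChildItem $backupRoot -Filter "key-*.blob" | ForEach-Object {
    Restore-AzKeyVaultKey -VaultName $targetVault -InputFile $_.FullName | Out-Null
}
Get-ChildItem $backupRoot -Filter "cert-*.blob" | ForEach-Object {
    Restore-AzKeyVaultCertificate -VaultName $targetVault -InputFile $_.FullName | Out-Null
}
```

Treat the blob files as secrets in their own right: anyone holding them plus the `restore` permission on any vault in the same subscription and geography can bring the objects back, so store them in a locked-down location and do not leave them on a CI runner or workstation.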

Turn on Logging

Turn on logging for your vault, and set up alerts on the logged events.
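Enabling the audit log and checking what an alert should be built on, as an added example that is not part of the original article. It assumes a vault `kv-payments-prod`, a Log Analytics workspace `law-security-prod` in resource group `rg-payments-prod`, an allowed application address range of `10.20.0.0/16` (all placeholders), and uses `Set-AzDiagnosticSetting` from the Az.Monitor 2.x module.

```powershell
# Added example (not from the original article). Names and the address range are placeholders.
$rg            = "rg-payments-prod"
$vaultName     = "kv-payments-prod"
$workspaceName = "law-security-prod"

$vault = Get-AzKeyVault -VaultName $vaultName
$ws    = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspaceName

# Send every data-plane request (the AuditEvent category) to Log Analytics.
Set-AzDiagnosticSetting -Name "kv-audit-to-law" -ResourceId $vault.ResourceId `
    -WorkspaceId $ws.ResourceId -Enabled $true -Category AuditEvent | Out-Null

# What to alert on: requests the vault denied (wrong identity, or blocked by the firewall),
# and secret reads coming from outside the application's own address range.
# Put this query behind an Azure Monitor log alert rule (result count > 0 over 5 minutes);
# here it is run ad hoc to confirm that events are arriving and the filter behaves.
$kql = @"
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
| where ResultSignature in ("Forbidden", "Unauthorized")
     or (OperationName == "SecretGet" and not(ipv4_is_match(CallerIPAddress, "10.20.0.0/16")))
| project TimeGenerated, OperationName, ResultSignature, CallerIPAddress,
          AppId = identity_claim_appid_g, Resource
| order by TimeGenerated desc
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql).Results | Format-Table
```

Audit events record the identity, source IP, operation and result of every call, but not the secret values themselves, so the log is safe to route to a shared security workspace. Requests rejected by the vault firewall also appear as `Forbidden`, which makes the same query a check that the network rules from the access-control section are actually being hit.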

Turn on recovery options

  1. Turn on soft delete.
  2. Turn on purge protection if you want to guard against forced deletion of a secret or of the vault itself, even after soft delete is turned on.
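Both recovery options exercised end to end, as an added example rather than the article's own code: enable purge protection, delete a secret, show that a purge is refused, and recover the secret. It assumes a vault `kv-payments-prod` in `rg-payments-prod` containing a secret named `db-password` (placeholders).

```powershell
# Added example (not from the original article). Names are placeholders.
$rg         = "rg-payments-prod"
$vaultName  = "kv-payments-prod"
$location   = "eastus"
$secretName = "db-password"

# 1. Soft delete is on by default for new vaults (retention 7-90 days, set at creation).
#    For an existing vault, enable purge protection. This is one-way: it cannot be turned off again.
Update-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg -EnablePurgeProtection | Out-Null
Get-AzKeyVault -VaultName $vaultName | Select-Object EnableSoftDelete, SoftDeleteRetentionInDays, EnablePurgeProtection

# 2. Delete a secret: it moves to the soft-deleted state instead of disappearing.
Remove-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -Force
Get-AzKeyVaultSecret -VaultName $vaultName -InRemovedState | Select-Object Name, DeletedDate, ScheduledPurgeDate

# A purge (permanent deletion of a soft-deleted object) is what purge protection blocks. With it on,
# this call is rejected until the retention period expires, even for a caller holding 'purge'.
try {
    Remove-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -InRemovedState -Force -ErrorAction Stop
    Write-Host "Purge succeeded: purge protection is NOT on for $vaultName"
} catch {
    Write-Host "Purge blocked as expected: $($_.Exception.Message)"
}

# Recover the secret from the soft-deleted state; all of its versions come back.
Undo-AzKeyVaultSecretRemoval -VaultName $vaultName -Name $secretName | Out-Null
Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName | Select-Object Name, Enabled, Updated

# 3. The same protection applies to the vault itself. A soft-deleted vault is listed here and
#    can be brought back with Undo-AzKeyVaultRemoval while it is within its retention period.
Get-AzKeyVault -InRemovedState | Select-Object VaultName, Location, DeletionDate, ScheduledPurgeDate
# Undo-AzKeyVaultRemoval -VaultName $vaultName -ResourceGroupName $rg -Location $location
```

Two practical consequences of purge protection to plan for: a vault name stays reserved for the whole retention period after deletion, so redeploy pipelines must recover rather than recreate; and soft-deleted objects keep counting toward the vault until purged, which is why the retention window should be chosen deliberately rather than left at the maximum by accident.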