Azure Key Vault security

You need to protect encryption keys and secrets such as certificates, connection strings, and passwords in the cloud, so you are using Azure Key Vault. Since you are storing sensitive and business-critical data, you need to take steps to maximize the security of your vaults and the data stored in them. This article covers some of the concepts you should consider when designing your Azure Key Vault security.

Identity and access management

When you create a key vault in an Azure subscription, it's automatically associated with the Azure AD tenant of the subscription. Anyone trying to manage or retrieve content from a vault must be authenticated by Azure AD.

  • Authentication establishes the identity of the caller.
  • Authorization determines which operations the caller can perform. Authorization in Key Vault uses a combination of role-based access control (RBAC) and Azure Key Vault access policies.

Access model overview

Access to vaults takes place through two interfaces or planes: the management plane and the data plane.

  • The management plane is where you manage Key Vault itself; it is the interface used to create and delete vaults. You can also read key vault properties and manage access policies.
  • The data plane allows you to work with the data stored in a key vault. You can add, delete, and modify keys, secrets, and certificates.

To access a key vault in either plane, all callers (users or applications) must be authenticated and authorized. Both planes use Azure Active Directory (Azure AD) for authentication. For authorization, the management plane uses role-based access control (RBAC) and the data plane uses Key Vault access policies.

The model of a single mechanism for authentication to both planes has several benefits:

  • Organizations can control access centrally to all key vaults in their organization.
  • If a user leaves, they instantly lose access to all key vaults in the organization.
  • Organizations can customize authentication by using the options in Azure AD, such as enabling multi-factor authentication for added security.

Managing administrative access to Key Vault

When you create a key vault in a resource group, you manage access by using Azure AD. You grant users or groups the ability to manage the key vaults in a resource group. You can grant access at a specific scope level by assigning the appropriate RBAC roles. To grant a user access to manage key vaults, you assign the predefined Key Vault Contributor role to the user at a specific scope. The following scope levels can be assigned to an RBAC role:

  • Subscription: An RBAC role assigned at the subscription level applies to all resource groups and resources within that subscription.
  • Resource group: An RBAC role assigned at the resource group level applies to all resources in that resource group.
  • Specific resource: An RBAC role assigned for a specific resource applies to that resource. In this case, the resource is a specific key vault.

There are several predefined roles. If a predefined role doesn't fit your needs, you can define your own role. For more information, see RBAC: Built-in roles.

Important

If a user has Contributor permissions on a key vault's management plane, the user can grant themselves access to the data plane by setting a Key Vault access policy. You should tightly control who has Contributor role access to your key vaults. Ensure that only authorized persons can access and manage your key vaults, keys, secrets, and certificates.
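The scope inheritance described above, together with the Contributor self-grant risk in the note, can be checked mechanically. The following is an added audit example, not Microsoft's tooling; the resource IDs, principals and role assignments are constructed, and the set of policy-writing roles is an assumption of the example.

```python
# Added audit example (not Azure's own code): resolve which principals hold a role
# on a key vault through RBAC scope inheritance (subscription -> resource group ->
# resource), then flag those whose management-plane role lets them write access
# policies and so grant themselves data-plane access. All values are constructed.
from dataclasses import dataclass

VAULT_ID = ("/subscriptions/0000-sub/resourceGroups/rg-prod"
            "/providers/Microsoft.KeyVault/vaults/kv-prod")

@dataclass(frozen=True)
class RoleAssignment:
    principal: str   # user, group or service principal (constructed names)
    role: str        # e.g. "Contributor", "Reader", "Key Vault Contributor"
    scope: str       # subscription, resource group or vault resource ID

ASSIGNMENTS = [
    RoleAssignment("alice@example.com", "Contributor", "/subscriptions/0000-sub"),
    RoleAssignment("bob@example.com", "Reader",
                   "/subscriptions/0000-sub/resourceGroups/rg-prod"),
    RoleAssignment("ci-sp", "Key Vault Contributor", VAULT_ID),
    RoleAssignment("carol@example.com", "Contributor",
                   "/subscriptions/0000-sub/resourceGroups/rg-dev"),  # other RG
]

def scope_covers(scope: str, resource_id: str) -> bool:
    """True if resource_id is the scope itself or lies beneath it. The comparison
    is case-insensitive and segment-aligned, so 'rg-pro' does not match 'rg-prod'."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")

def effective_roles(vault_id: str, assignments) -> dict:
    """Map principal -> set of roles that reach this vault via any scope level."""
    roles = {}
    for a in assignments:
        if scope_covers(a.scope, vault_id):
            roles.setdefault(a.principal, set()).add(a.role)
    return roles

# Assumed set of roles that can write the vault object (and hence its access
# policies); extend it with any custom roles you define that include vault writes.
POLICY_WRITE_ROLES = {"Owner", "Contributor", "Key Vault Contributor"}

def can_self_grant_data_plane(vault_id: str, assignments) -> list:
    """Principals to review: they can set access policies on this vault."""
    eff = effective_roles(vault_id, assignments)
    return sorted(p for p, r in eff.items() if r & POLICY_WRITE_ROLES)

if __name__ == "__main__":
    for p in can_self_grant_data_plane(VAULT_ID, ASSIGNMENTS):
        print("review:", p, "can set access policies on", VAULT_ID)
```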

Controlling access to Key Vault data

Key Vault access policies grant permissions separately to keys, secrets, or certificates. You can grant a user access only to keys and not to secrets. Access permissions for keys, secrets, and certificates are managed at the vault level.

Important

Key Vault access policies don't support granular, object-level permissions such as a specific key, secret, or certificate. When a user is granted permission to create and delete keys, they can perform those operations on all keys in that key vault.

To set access policies for a key vault, use the Azure portal, the Azure CLI, Azure PowerShell, or the Key Vault Management REST APIs.

You can restrict data plane access by using virtual network service endpoints for Azure Key Vault. You can configure firewalls and virtual network rules for an additional layer of security.

Network access

You can reduce the exposure of your vaults by specifying which IP addresses have access to them. The virtual network service endpoints for Azure Key Vault allow you to restrict access to a specified virtual network. The endpoints also allow you to restrict access to a list of IPv4 (Internet Protocol version 4) address ranges. Any user connecting to your key vault from outside those sources is denied access.

After firewall rules are in effect, users can only read data from Key Vault when their requests originate from allowed virtual networks or IPv4 address ranges. This also applies to accessing Key Vault from the Azure portal. Although users can browse to a key vault from the Azure portal, they might not be able to list keys, secrets, or certificates if their client machine is not in the allowed list. This also affects the Key Vault picker used by other Azure services: users might be able to see the list of key vaults, but not list keys, if firewall rules block their client machine.

For more information on Azure Key Vault network addresses, review Virtual network service endpoints for Azure Key Vault.

Monitoring

Key Vault logging saves information about the activities performed on your vault. Key Vault logs:

  • All authenticated REST API requests, including failed requests
    • Operations on the key vault itself. These operations include creation, deletion, setting access policies, and updating key vault attributes such as tags.
    • Operations on keys and secrets in the key vault, including:
      • Creating, modifying, or deleting these keys or secrets.
      • Signing, verifying, encrypting, decrypting, wrapping and unwrapping keys, getting secrets, and listing keys and secrets (and their versions).
  • Unauthenticated requests that result in a 401 response. Examples are requests that don't have a bearer token, that are malformed or expired, or that have an invalid token.
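The two sections above, network access and monitoring, come together in the logs: the records Key Vault writes let you spot 401s, writes to the vault object (where access policies are set), and data-plane calls whose source IP is outside your firewall allow list. The following detection example is added here and is not Microsoft's code; its log records, the `upn` claim shortcut, the allow list and the operation names it matches are constructed assumptions modelled on the AuditEvent schema.

```python
# Added detection example (not part of the page): scan Key Vault AuditEvent records
# for what the page says is logged and worth watching. Field names are modelled on
# the AuditEvent schema; the records, allow list and operation names are constructed.
import ipaddress
import json

ALLOWED_IPV4 = [ipaddress.ip_network("203.0.113.0/24")]  # stands in for firewall rules
VAULT_WRITE_OPS = {"VaultPut", "VaultPatch"}  # assumed vault-object writes (policies live there)

# Constructed records, one JSON object per line as exported to a storage account.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2024-01-05T01:32:01Z", "operationName": "SecretGet", "callerIpAddress": "203.0.113.10",
     "identity": {"claim": {"upn": "alice@example.com"}}, "properties": {"httpStatusCode": 200}},
    {"time": "2024-01-05T01:33:07Z", "operationName": "SecretGet", "callerIpAddress": "198.51.100.7",
     "identity": {"claim": {}}, "properties": {"httpStatusCode": 401}},
    {"time": "2024-01-05T01:35:19Z", "operationName": "VaultPatch", "callerIpAddress": "198.51.100.9",
     "identity": {"claim": {"upn": "bob@example.com"}}, "properties": {"httpStatusCode": 200}},
    {"time": "2024-01-05T01:36:44Z", "operationName": "SecretGet", "callerIpAddress": "198.51.100.20",
     "identity": {"claim": {"upn": "alice@example.com"}}, "properties": {"httpStatusCode": 200}},
])

def caller_allowed(ip: str) -> bool:
    """True if the caller IP falls inside a configured IPv4 allow-list range."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in ALLOWED_IPV4)
    except ValueError:  # missing or malformed address: treat as not allowed
        return False

def scan_audit_log(text: str) -> list:
    """One finding per suspicious record: 401s, vault-object writes, and data-plane
    calls from outside the allow list (a successful one means the firewall is not
    restricting what you think it is). Vault writes arrive through the management
    plane, which the data-plane firewall does not cover, so they are reported
    separately and skip the allow-list check."""
    findings = []
    for line in filter(None, text.splitlines()):
        ev = json.loads(line)
        who = ev.get("identity", {}).get("claim", {}).get("upn", "<unauthenticated>")
        base = {"time": ev["time"], "who": who, "ip": ev.get("callerIpAddress", "")}
        if ev.get("properties", {}).get("httpStatusCode") == 401:
            findings.append({**base, "kind": "unauthenticated-request"})
        elif ev.get("operationName") in VAULT_WRITE_OPS:
            findings.append({**base, "kind": "vault-write"})
        elif not caller_allowed(base["ip"]):
            findings.append({**base, "kind": "caller-outside-allow-list"})
    return findings

if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_LOG):
        print(f["time"], f["kind"], f["who"], f["ip"])
```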

Logging information can be accessed within 10 minutes after the key vault operation. It's up to you to manage the logs in your storage account.

  • Use standard Azure access control methods to secure your logs by restricting who can access them.
  • Delete logs that you no longer want to keep in your storage account.

For recommendations on securely managing storage accounts, review the Azure Storage security guide.

Next steps